CySecurity News - Latest Information Security and Hacking Incidents: Cloud

Cloud Cyber Security Data Breach Harvesting Internet Sugar Mill

Hackers Attack Sugar Mill, Force Operations and Harvesting Shutdown

Australia’s second-biggest sugar producer, Mackay Sugar, is looking into a cyberattack that impacted parts of its operations and temporarily stopped sugarcane harvesting.

The incident caused the stoppage of milling activities at two of the firm’s facilities while authorities and experts tried to assess the disruption of the attack.

In a recent statement, Mackay Sugar acknowledged the cyberattacks and disruption impacting few of its operations.

The immediate priorities are ensuring staff safety, continuing business operations safely, and safeguarding operational systems. “Our immediate focus is the safety of our people, protecting operational systems, and maintaining business continuity,” it said.

About risk assessment

Mackey Sugar is also working with authorities to inspect the incident and recover impacted systems safety.

The incident directly impacted production operations. Local media reports have hinted that the company was compelled to close down its Racecourse and Farleigh sugar mills, two key facilities based in Queensland’s Mackay area. This caused the growers to stop harvesting sugarcane until notified.

The impact on production

The group also verified that the Farleigh and Racecourse mills' cane hauling and sugar milling operations had been halted. Shortly after both facilities started their yearly sugarcane crushing season, there was an interruption.

Although many growers in the area have been impacted by the closure, producers in the Marian district have not been immediately impacted. The district's third mill for Mackay Sugar is not expected to start up until next week, according to a report from Australia's ABC News.

While recovery efforts continue, the sugar producer said it has put in place temporary measures and interim procedures to support critical business operations and minimize operational impact.

Mitigation processes

According to the company, "interim procedures are in place to support critical business functions and minimize disruption where possible."

Additionally, the company stressed that throughout the event, it is staying in touch with growers, staff, and business partners.

"We will continue to provide updates as more information becomes available and are in direct communication with our employees, growers, and key partners," Mackay Sugar stated.

About recovery

Mackay Sugar acknowledged the anxiety brought on by the disruption and reaffirmed that company takes cybersecurity duties seriously.

"We take extremely seriously our obligation to safeguard our information, operations, and systems. We will give timely updates as we complete our inquiry, and we apologize for any inconvenience or uncertainty this incident may have caused," the business stated.

Cyber Security: Six Cyber Threats to Look Out for in 2026



 

Technology

AI Cloud Data Deepfakes Phishing Technology

Cyber Security: Six Cyber Threats to Look Out for in 2026

With industries being digitized, cybercrime is also advancing. This year, besides being opportunistic, threats have also become highly targeted, intelligent, and automated.

The data comes from UK Government’s Cyber Security Breaches Survey 2025, which hints that 43% of businesses and 30% of charities listed an attack or a cyber breach or attack in the past 12 months. That’s a surprising 61,000 charities and 612,000 businesses impacted.

Despite the data, businesses can lower their risk of cyber threats. But it is important to understand these key risks to stay safe and prepare for the next danger.

Six rising common cyber threats

1. Deepfakes: Deepfakes have shifted from niche technology to a major threat. Hackers nowadays use AI-generated audio and media to mimic organization staff. This can be risky in procurement or finance, where hackers push staff to send funds, share personal data, or approve finances, where the hackers pose as business leaders.

2. Supply-chain attacks: Instead of targeting organizations directly, hackers are targeting third-party vendors to get access to various firms at once via supply-chain attacks. The attack tactic abuses trust and internal security sometimes may not address all the threats in the supply chain. One hacked vendor can prompt a domino effect throughout hundreds of businesses.

3. AI-powered phishing hacks: Phishing is one of the most common attacks in the past 12 months, and the tactic has changed significantly over the years. Most of the phishing attacks today are supported by AI tools and hackers are copying internal comms.

4. Credential stuffing attack: Weak passwords are the biggest reasons for hacks these days. In such attacks, hackers use stolen login credentials from past hacks and test them automatically across distinct platforms.

5. IoT and device flaws: As IoT is increasing, the hack surface also widens. Many devices such as sensors, cameras and industrial machinery still have limitations. Hackers abuse these flaws to access larger corporate networks. Traditional cyber security methods tend to ignore these flaws, and this has resulted in a significant risk.

6. Cloud errors: A simple thing such as exposed storage bucket or false access setting can expose sensitive data publicly accessible. These cases don’t get hacked as the information is unprotected. Currently, cloud storage environments are advanced, and building robust configuration hygiene has become a top critical priority.

Experts Reveal the DDoS Under Ground Market



 

Internet

AI Cloud Cyber Attacks DDoS Internet

Experts Reveal the DDoS Under Ground Market

Attack tactic

What happens in a typical Distributed Denial-of-Service (DDoS) attack. A website that suddenly stops? Time out of a login page? Not being able to reach an online service when you need it the most? These causes are not internal, and are attributed to DDoS attacks.

Cloudflare reported stopping a 7.3 Tb/s attack last year and said it addressed a 31.4 Tb/s attack in its Q4 2025 DDoS report. According to Microsoft, Azure also blocked a 15.72 Tb/s attack last year in October. The activity was linked to the Aisuru botnet.

Darkweb market selling and buying the service

For all these instances, dark web actors are fighting over the same buyers with pitches. Flare experts analyzed dark web operations and detailed API access, reseller options, botnet-based capacity, monthly plans, Cloudflare bypass claims, and game-server tactics.

A comparative analysis of the DDoS-related dark web operations from the first five months of 2023 and the first five months of 2026 demonstrate how rapidly that offer has evolved. Scripts, tutorials, leaked tools, and sporadic forum posts used to be more common, but these days they are more typically provided as recurring products that are simpler to purchase and use.

What is a DDoS attack?

A DDoS attack tries to crowd an application, network, server, or website with traffic from various servers at one time. Few attacks are aimed at network capacity, while the remaining emphasize on application layer resources like APIs and login pages. The aim is to dismantle any service or activity and make it unavailable, expensive to use, or unstable.

What is DDoS-as-a-service?

DDoS-as-a-service removes the barrier even further, a hacker can choose a victim, pay for accessing a web panel, select timeline, and depend on another person’s botnet, third-party attack infrastructure, or proxy network.

About the attack

A hosting company that employs Magic Transit to protect their IP network and is a Cloudflare user was the target of the attack. According to Cloudflare’s recent DDoS threat assessment, DDoS attacks are increasingly targeting hosting providers and vital Internet infrastructure.

An assault campaign from January and February of 2025 that launched over 13.5 million DDoS attacks on Cloudflare's hosting providers and infrastructure was detailed by the experts on their blog.

WhatsApp to Roll Out Username Feature, No Mobile Number Required



 

AI Cloud Instagram Messaging Technology Telegram WhatsApp

WhatsApp to Roll Out Username Feature, No Mobile Number Required

WhatsApp will launch a new feature where users can opt for usernames and connect with others without putting mobile numbers. The feature is similar to the famous messaging app Telegram and also Instagram. The new update will allow users to share a unique username instead of their contact number for chats.

About feature development

“WhatsApp has worked to ensure that the username experience is stable and secure. For this reason, the rollout of usernames is taking a significant amount of time. Over the years, the code of the app has been extensively updated to make sure all existing features are fully compatible with usernames. So WhatsApp focused on testing and refining the feature carefully before making it widely available. It seems that WhatsApp is set to roll out the username feature to users as part of a phased rollout strategy over the coming months,” Whatsapp said in its blog.

Users will still have the option to continue using WhatsApp as usual if they so choose. Phone numbers will still be linked to accounts for login and recovery purposes, but each account will support a single username that can be changed at a later time without impacting chats or account activity.

How to setup

Soon, both Android and iPhone users of WhatsApp will be able to create usernames straight from the app's Settings menu. Users must visit their profile settings, select the Username option when it appears, and pick a distinctive handle for their account in order to set one up. Before the chosen username can be kept, WhatsApp will automatically check if it is legitimate and accessible.

Safety first

In order to avoid confusion and abuse, the site is also implementing strict guidelines for usernames. Usernames can only contain letters, digits, periods, underscores, and at least one letter; they must be between three and thirty-five characters long. Some formats will not be accepted, such as usernames that start with "www," finish in domain-style extensions, or have repeated periods.

What about user privacy?

By enabling users to communicate without disclosing their phone numbers, the function aims to increase privacy. Once enabled, users can speak with buyers, sellers, community organizations, or new connections using their usernames rather than their personal mobile numbers. Only the selected handle—rather than the associated phone number—will be visible to those who contact you using the username.

With a wider deployment anticipated later in 2026, WhatsApp has already begun testing usernames with a small number of iOS and Android users. According to the firm, usernames will continue to be optional, so users can continue to use WhatsApp with just their phone numbers if they so choose. Even once usernames are implemented, phone numbers will still be used for account sign-ins, verification, and recovery.

FROST Attack: Websites Can Now Spy on Users Via SSDs



 

Surveillance

AI Cloud Data FROST Internet Privacy Spying Surveillance

FROST Attack: Websites Can Now Spy on Users Via SSDs

Websites have always tried to spy on user activity through browsing histories, mouse clicks and keystrokes, and device fingerprints. Even Yandex and Meta were caught spying on users recently.

Hackers exploiting SSDs

These days, hackers are exploiting SSDs to spy on user activity. Known as Fingerprinting Remotely using OPFS-based SSD Timing or FROST, the technique lets hackers spy on other websites a visitor is viewing and what other applications are open on a user device.

In a research paper, the authors explained the exploit tactic. Hackers exploit a side channel, creating a type of leak that results from data caches or electromagnetic emanations. By computing the physical manifestations, hackers can decode encoded traffic and hack other confidential information.

Sites spying on user activity

The exploit that FROST used was called a contention side channel, which calculates the communication of other processes all using a given resource. By measuring input-output (I/O) time of SSD operations that a visitor uses, the experts found out websites opened in different tabs and browsers; even the applications that were opened on the user device. FROST doesn’t need any communication from the visitor but only requires opening the site hosting the exploit.

The attack tactic

According to the researchers, “Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications.” They also said that “companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.”

The impact

The authors also noted that, "while these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”

About the exploit

The attack is different to older contention-side channel attacks on SSDs. FROST runs only in the browser and uses JavaScript that communicated with OPFS (origing private file system), a dedicated storage space that is kept for a particular site to rune codes needed to do a given task. Sites can make one with zero communication required by the user.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file. SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model,” said the researchers.

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells



 

Phishing

AI Bug Cloud Cyber Attacks Data KnowledgeDeliver Phishing

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells

Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration,” said Bleeping Computer, throughout all KnowledgeDeliver consumer deployments.

Deserialization of ViewState

Hackers found the stolen machine key and used it in ViewState deserialization campaigns to sign infected ViewState payloads and launch remote code execution (RCE) at the OS level.

In 2025, Mandiant responded to a campaign on a KnowledgeDeliver server and said that in the beginning, the bug was abused as a zero-day to deploy a compromised script into the web platform.

Attack tactic

The compromise was also possible as threat actors used “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the experts said.

According to Mandiant, “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”

Experts said that the code on the platform lured users to download a malicious installer, which compromised the machine with a Cobalt Strike beacon by deploying a backdoor.

The encrypted payload used a key “that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant report said.

Similar attacks in 2025

In August last year, experts from ASEC also disclosed that Godzilla was planted in ASP.NET environments in ViewState deserialization attacks against firms in the finance industry.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Hackers targeting unsecured machines

In recent years, threat actors are increasingly exploiting unsafe machine keys in Viewstate deserialization attacks against web platforms for a few products.

Threat actors utilized a hardcoded machine key in March of last year to create a malicious payload that gave them access to Gladinet CenterStack's secure file-sharing servers.

After obtaining the machine key to generate signed malicious ViewState payloads, hackers gained access to 85 Microsoft SharePoint systems in July 2025.

Additionally, state-sponsored actors utilized ViewState deserialization assaults to install WeepSteel, a spying tool that revealed the ASP.NET machine key on Sitecore servers.

Media Regulators Call Out Youtube, TikTok for Ignoring Child Safety



 

YouTube

Cloud Data Instagram Meta Roblox Technology TikTok YouTube

Media Regulators Call Out Youtube, TikTok for Ignoring Child Safety

According to a report by Ofcom, YouTube and TikTok have failed to implement steps to safeguard British children from harmful online content. Data suggests widespread exposure to underage kids on these platforms.

TikTok, YouTube ignoring child safety

Ofcom media regulators said none of the company made any serious efforts to make recommendations feeds/explore pages safer, despite proof that these platforms are the main entry point through which underage kids face harm.

Platforms not safe enough

Ofcom said the platforms are “not safe enough”. The report comes after Ofcom’s call for stricter action on children’s online safety, saying Roblox, meta, and Snap had each complied to stronger anti-grooming actions.

TikTok said it was quite disappointing that Ofcom didn’t acknowledge its safety measures, whereas Youtube said it worked with child safety researchers to give industry grade, age-appropriate experiences for children.

About the Ofcom report

Ofcom’s latest report explains how five large social media and video platforms responded to its call for safety measures. The report said that, "Notably, TikTok and YouTube failed to commit to any significant changes to reduce harmful content being served to children, maintaining their feeds are already safe for children.” Ofcom added, "Our wealth of evidence, published today, suggests they are still not safe enough."

What did YouTube and TikTok say?

Responding to the criticism, YouTube and TikTok said that safety measures already existed. YouTube’s short-form video timer allowed parents to control scrolling time for Shorts feed, whereas TikTok stopped direct messaging (DM) for under-16 children.

Governments have taken measures to address online child safety. UK PM Keir Starmer has urged social media platforms to take greater responsibility. Britain is discussing tighter restrictions, this includes a potential ban on under-16 children that use social media, inspired from Australia's landmark decision that tackled addictive design features.

According to social media analyst Matt Navarra, the report has shown a shift in how we perceive online harm as a “product problem.” Earlier, the debate was, “did the platform remove harmful content quickly enough?' - the new one has shifted towards, 'why did the platform show it to a child in the first place?”

What does the data say?

Ofcom reported that 73% of 11-17 year olds were exposed to malicious content for four weeks, primarily through recommendation feeds. TikTok was the most cited, followed by YouTube, Instagram and Snapchat. Experts stress that YouTube and TikTok said their existing platforms were adequate, but media regulators have found their feeds to be unsafe.

WhatsApp Fixed Two Security Bugs via It's Bug Bounty Program



 

Bugs Cloud Data Meta Technology WhatsApp

WhatsApp Fixed Two Security Bugs via It's Bug Bounty Program

Meta recently released a security advisory in May revealing two bugs in WhatsApp were found through its bug bounty program. But these bugs were patched and were not exploited in the wild by the threat actors. Both bugs are now patched.

About two bugs

The first bug is tracked as CVE-2026-23863, a Windows specific problem. This bug was maliciously crafted with hidden “NUL BYTES” hidden within the filename, to trick WhatsApp into showing it as one filetype such as an authorized PDF while pretending to be running as an executable once opened. Meta fixed this patch in April on both platforms.

The second vulnerability, tracked as CVE-2026-23866 impacted both android and iOS users. The attack tactic involved partial authorization of AI rich response texts for Instagram Reels shared within Whatsapp. A threat actor could possible launch another user’s device to access media content through an arbitrary URL, such as launching OS level custom URL scheme handles. This flaw was patched in April on both platforms.

Severity

The two bugs were given medium severity by researchers. WhatsApp has verified that no bug was abused.

Both were rated medium severity, and WhatsApp confirmed there's no evidence either was actually abused.

The impact

These kind of reporting get sidelined by glossy and infamous threat. For instance the recent SMS pumpoing attacks increasing phone bills, or phishing campaigns that used messaging apps as entry points, and lastly the attack on educational institutes that compromised Canvas and Instructure, leaking hundreds of GBs of data.

But Whatsapp did a good job in finding and fixing the flaw before cybercriminals could exploit them and cause harm. The bug bounty program of WhatsApp has been going on for fifteen yesr, and the recent patches show it it is still reliable.

What should users do?

Simple advice: always keep your phones and app updated.

There has never been a better moment to use secure communications services like WhatsApp or Signal. The truth is that Meta does a great job of keeping the app and its users safe and secure, despite some security concerns of its own, such as the recently reported phishing attempts using the encrypted messenger as part of the exploit chain and a spyware threat targeting iOS users.

9-Year-Old Linux bug Found by Researchers, Could Leak Data



 

Data Leak

AI Bug Management Cloud Cyber Security Data Data Leak

9-Year-Old Linux bug Found by Researchers, Could Leak Data

Experts have revealed details of a bug in the Linux kernel that stayed unnoticed for nine years. The flaw is tracked as CVE-2026-46333 (CVSS score: 5.5).

Improper bug management

The incident is improper privilege management that could have allowed threat actors to reveal sensitive data as unprivileged local users and launch arbitrary commands on default installs such as Ubuntu, Debian, and Fedora. Its alias is aka ssh-keysign-pwn.

Vulnerability existed since 2016

Cybersecurity firm Qualys found the flaw. Since November 2016, the problem has been present in mainstream Linux (v4.10-rc1).

Distribution updates and upstream patches are already accessible. There are publicly available working exploits, thus administrators should install vendor kernel upgrades right away, Qualys said.

Privilege compromise tactic

TRU discovered a small window in which a privileged process that is dropping its credentials can still be accessed through ptrace-family operations, despite the fact that its dumpable flag should have blocked that path, during ongoing study into Linux kernel privilege boundaries.

Qualys also added that an attacker can obtain open file descriptors and authenticated inter-process channels from a dying privileged process and utilize them under their own uid by combining this window with the pidfd_getfd() syscall (introduced in v5.6-rc1, January 2020)

What is successful exploit?

Successful bug exploit can allow a local threat actor to reveal /etc/shadow and ho'st private keys under /etc/ssh/*_key, and deploy arbitrary commands as root via four distinct hacks attacking ssh-keysign, accounts-daemon, chage, and pkexec.

PoC exploit

The bug reveal is a proof-of-concept (PoC) exploit for the bug. It was released recently, and soon after, a public kernel surfaced. CVE-2026-46333 is the latest security bug revealed in Linux after Dirty Frag, Fragnesia, and Copy Fail in recent months.

How to stay safe

Experts have advised to use the latest kernel update released by Linux distributions. If users are unable to do it immediately, temporary patchwork includes raising "kernel.yama.ptrace_scope" to 2.

Qualys added, "On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes,” Qualys said.

Incident impact

The incident happened after the release of a PoC for a local privilege exploit known as PinTheft that lets local hackers get access to root privileges on Arch Linux systems. The hack requires the Reliable Datagram Sockets (RDS) module to be deployed on the victim system, readable SUID-root-binary, io_ring enabling, and x86_64 support for the given payload.

Data Leak: Instructure, Canvas Allegedly Hacked, ShinyHunters Claim Responsibility



 

Instructure

AI Canvas Cloud Data Breach Data Leak data security Instructure

Data Leak: Instructure, Canvas Allegedly Hacked, ShinyHunters Claim Responsibility

Instructure, a cloud-based LMS Canvas company was hit by a massive data attack. Ransomware gang ShinyHunters claimed responsibility for the attack, saying that it had stolen data related to 280 million students, teachers, and school staff.

100s of GBs data leaked

The data breach accounts for hundreds of gigabytes, possibly leaking Canvas users’ email ids, private messages, and names.

Instructure revealed in May that it was hit by a data breach. The Canvas incidents of 8,809 universities, educational platforms, schools were impacted by the attack. ShinyHunters said that the numbers range between tens of thousands to several millions per institution.

It is concerning that a lot of K-12 students’ data has been leaked. If your child has been affected by the data breach, Malware Bytes can help in what to do next and how to stay safe.

Canvas compromised

Various students who tried using Canvas after the cyberattack received the message from ShinyHunters blackmailing to leak the data if Instructure did not contact the hackers by May 12. Canvas was shut down offline for various students following the incident, but it is now available for most users.

GTA 6, Studio Rockstar were blackmailed too

ShinyHunters has been killing it this year, with only high profile targets in its track records. The group asked for a ransom from GTA 6 (a video game) Studio Rockstar in April. But in reality, it was a hoax demand as the hackers did not have anything important/worthy to leak.

Nvidea Geforce allegedly hacked

But recently, the group allegedly claimed responsibility for the Nvidea’s GeForce Now breach, claiming to have “pulled their entire database straight from the backend."

Shiny hunters all over the place

In the Canvas incident, ShinyHunters allegedly stole user records through exposrting features inside the platform. This consists of DAP queries, APIs, and provisioning reports, according to Bleeping Computers. “The unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” Instructure said.

It also added that it “revoked privileged credentials and access tokens, deployed platform-wide protections, rotated certain internal keys, restricted token creation pathways, and added monitoring across our platforms."

The impact

Instructure also “engaged a third-party forensic firm and notified law enforcement. Beyond the immediate response, we're hardening administrative access, token management, permissions, monitoring, and related workflows. The investigation may inform further improvements.”

However, it might be too little, too late—parents are unlikely to overlook the possibility of disclosing their children's information. The much bigger problem, though, is the disastrous harm ShinyHunters has caused to Canvas's operations and reputation, as malware historian vx-underground stated on X.

GitHub Token Exposure at Grafana Triggered Codebase Theft Incident



 

Supply Chain Security

API Token Exposure Cloud Cyber Extortion Cyber Threats DevSecOps Security GitHub Token Leak Grafana Breach Supply Chain Security

GitHub Token Exposure at Grafana Triggered Codebase Theft Incident

Following the acquisition of a privileged GitHub token tied to Grafana Labs' development environment, a threat actor quickly escalated the initial credential exposure into a significant source code security incident. It was possible for the attacker to gain access to the company's private GitHub infrastructure, extract internal code repositories, and then attempt to extort payment from the organization via unauthorized access.

In addition to revoked credentials quickly, Gloria Labs launched an internal forensic investigation to determine the origin of the exposure and limit further risks. In spite of the fact that the breach resulted in access to sensitive development assets, the company announced that investigators found no evidence of data compromise, disruption of operations, or unauthorized access to user environments as a result of the breach.

Grafana’s widespread use in modern observability environments has drawn significant attention across the cybersecurity community due to the platform’s widespread role in monitoring infrastructure, cloud workloads, applications, and telemetry systems through centralized dashboards and analytics. The incident has attracted significant attention across the cybersecurity community.

In the course of the investigation, Grafana Labs disclosed that after detecting unauthorized activity, its security team initiated an immediate forensic response, eventually tracing the source of credential exposure and revoking the compromised access token in order to prevent further intrusion. Additionally, additional defensive controls were implemented across the company's development environment as part of its efforts to contain and harden the environment.

Afterwards, the threat actor attempted to extort the organization by requesting payment in exchange for delaying publication of the stolen data, according to the disclosure. Grafana, however, chose not to engage in ransom negotiations, aligning its response with Federal Bureau of Investigation guidance, which has consistently emphasized that paying extortion demands does not ensure data recovery nor prevent future misuse of stolen information.

A number of federal authorities have warned against ransom payments, stating that they rarely ensure suppression of stolen data and often contribute to additional criminal activity targeting technology providers and enterprise platforms.

The exact timeline of the attack or the length of time the attacker was permitted access to Grafana Labs' GitHub environment have not been disclosed, as only that the incident has recently been discovered. It is also noteworthy that the company did not explicitly attribute the intrusion to a specific threat actor.

However, various cyber threat intelligence reports, including Halcyon and Fortinet FortiGuard Labs assessments, have linked claims surrounding the incident with CoinbaseCartel, a collective of data extortionists. It has been noted that the group is an emerging extortion-focused operation that emerged in late 2025 and has operational overlap with criminal ecosystems such as ShinyHunters, Scattered Spider, and LAPSUS$ based on public statements released by Grafana.

According to the company's public statements, investigators believe that the intrusion occurred due to the compromise of privileged authentication tokens used in Grafana's development process. As a result, these tokens are frequently used to authenticate automated processes, integrations, and development workflows without requiring repeated manual logins. Although highly beneficial to operational efficiency, exposed tokens can also serve as high-value attack vectors when given broad permissions.

In this case, Grafana Labs' GitHub environment was compromised as a result of a compromised token that allowed the attacker access to private source code repositories within Grafana Labs. Despite the company's assertion that no customer information, user environments, or operational systems were compromised, the exposure of proprietary source code remains a significant security concern within software supply chain environments.

Although Grafana stated that customer environments were not affected, unauthorized access to proprietary source codes remains a serious concern, as attackers have the capability of analyzing internal architecture, configurations, or development logic to identify vulnerabilities that may later be used to conduct targeted attacks or other supply chain risks.

Grafana is widely deployed observability technology, and therefore the security of its development infrastructure is of particular importance. Attacks against software vendors may result in downstream risks affecting customers, cloud deployments, as well as broader enterprise environments linked by modern DevOps and observability pipelines. Upon tracking the threat intelligence associated with the incident, it has been determined that the operators behind the claimed attack are primarily engaged in data theft and extortion operations rather than conventional ransomware operations that encrypt files.

Over 170 victims have been linked to the group across sectors such as healthcare, transportation, manufacturing, and technology, reflecting the growing trend toward cyber-attacks that focus on data theft and extortion. There has been no public announcement by Grafana Labs regarding which repositories or internal projects were accessed during the breach, indicating that there is no clear understanding of the scope of the material that was downloaded. Grafana Labs has not disclosed which repositories were accessed during the breach.

In addition to Grafana Cloud, Grafana's managed cloud monitoring platform is widely used across enterprise environments for observing observability. In addition to the disclosure, cyber attacks aimed at extortionating software vendors and cloud service providers are also becoming increasingly aggressive. Following threats of leaking large volumes of data supposedly associated with schools and universities across the United States, Instructure reportedly agreed to negotiate with threat actors connected to ShinyHunters following an alleged agreement to negotiate.

Grafana Labs' decision to reject the extortion demand reflects a growing industry debate concerning ransomware economics, incident response strategies, and the long-term consequences of compensating cybercriminals. A company statement in accordance with advice issued by the Federal Bureau of Investigation stated that paying attackers would not guarantee the suppression of the stolen material nor eliminate the possibility of future abuse, resale, or repeated extortion attempts.

The company notes that organizations have no assurance that the stolen information will actually be removed after payment, which makes ransom negotiations risky and uncertain from an operational perspective. The incident emphasizes the high value of authentication tokens, API credentials, and machine-level secrets within enterprise environments, in addition to the breach itself.

In order to reduce the risk of token-based intrusions and software supply chain attacks, security teams are increasingly recommending implementing measures such as short-lived credentials, least privilege access, credential rotation, and multi-factor authentication. They also recommend continuous monitoring of repositories and continuous delivery pipelines.

The enterprise attack surface has been increasingly centered around GitHub repositories, package distribution systems, internal build pipelines, and cloud-based engineering environments, which require security controls comparable to those protecting production infrastructure. Grafana Labs has gained attention for its relatively transparent disclosure approach despite the seriousness of the intrusion.

A statement from the company outlined the compromise, clarified what investigators believe remains unaffected, disclosed the attempted extortion component, and indicated that further details may become apparent as the forensic investigation proceeds. At present, the known impact appears to be limited to unauthorised access and download of internal source code repositories, with no evidence suggesting that customer environments, operational systems, or personal information has been compromised.

Grafana remains closely monitored across the cybersecurity community, as it is widely used throughout production observability stacks and cloud-native enterprise environments around the world. Despite Grafana Labs' assurance that customer systems and personal data were not affected, the incident highlights the increasing importance of securing development infrastructure, access credentials, and cloud-connected engineering environments against increasing sophistication in extortion-focused threats.

4 Key Areas in 2026 for Organisation Safety Against Advanced AI Threats



 

Technology

agentic AI AI ChatGPT Cloud GenAI Internet Technology

4 Key Areas in 2026 for Organisation Safety Against Advanced AI Threats

2026 has not been a kind year to cybersecurity, as organizations and industries globally have been hit by ruthless cyberattacks.

2026 and cybersecurity

Cybersecurity entered 2026 under stress to deploy AI tech while building foundations for a quantum future. Cybersecurity experts have to defend against advanced AI and hybrid attacks while facing talent scarcity, a rapidly shifting threat scenario, and rising operational challenges.

It is the first time that hackers have access to the same advanced enterprise-level tech that security experts are using to defend their digital assets.

Is the convergence good or bad?

Organizations are in need of the transformational advantage that Quantum computing promises, however, it also risks affecting the cryptographic infrastructure that protects today’s digital world. Worse, cyber attackers are getting together and outbeating experts.

Like experts, threat actors don’t mind playing the long game either, they gain initial access and stay hidden inside systems for longer periods of time. When the right opportunity arrives, they move laterally and hack important data that can affect operations, cause financial damage, and tarnish reputations.

So, what are these four key areas that businesses and users need to address or stay safe from?

1. System and skills problem

As per the ICS2 2025 report, 69% respondents suffered multiple cybersecurity breaches due to skill gaps. This is due to various factors such as budget constraints, misalignment in academia, and high enterprise demand.

2. Bug management shift to active exposure reduction

Hackers use GenAI to advance their attacks, scaling, and escape security experts. This reactive cycle delays response times, and gives just basic protection. What businesses need today is Continuous Threat Exposure Management (CTEM) approach that offers real-time visibility before flaws can be exploited. But the success depends on AI-based risk prioritization.

3. Advanced deepfake protection is the need of the hour

Reliability is the new attack vector. Deepfakes have plagued every digital aspect of human life. Traditional measures fail to address content due to AI, therefore AI-based protection is needed. Adaptive deepfake systems can address identity workflows and respond immediately to threats, flagging malicious activity and capturing attacks with detailed metadata for research and audit work.

4. Post-quantum protection

Quantum computing is making strides in applicability; if sufficiently advanced, the systems can break public-key cryptographic systems in ransomware attacks such as RSA, where hackers extort millions. Hackers are already using the “harvest now, decrypt later” approach, stealing coded data with no promise of returning it.

Thus, the National Institute of Standards and Technology (NIST) have advised to adopt post-quantum cryptography (PQC) and tracking quantum-vulnerable assets.

New ChatGPT Settings Will Improve User Privacy and Data Training



 

User Safety

AI ChatGPT Cloud Data GenAI Internet Tech Technology User Safety

New ChatGPT Settings Will Improve User Privacy and Data Training

Almost everyone has used ChatGPT now. Sometimes we share our personal information and files with the Chatbot.

Do not feed your personal info to AI bots

To be safe, users should avoid feeding personal data to the AI, as it can be misused, and there are thousands of cases now. Users at the receiver end can not do much except using multifactor authentication, and creating a strong password and using two-factor authentication. But users can be happy now that a new feature is available to individual ChatGPT users.

What is Advanced Account Security

The new feature is called Advanced Account Security, it aims to provide better security to your account and protect your data. The option is aimed for security-minded users like journalists, politicians, activists, and researchers.

With better security, Advanced Account Security provides four setting standards. The first one requires using a passkey or physical security key to log in. The second one requires better tactics to recover an account besides SMS or email authorization. In the third setting, our active session with an AI chatbot is limited to restrict its exposure. The fourth setting protects your chats from AI misuse.

About new safety settings

1. Use passkeys to avoid unauthorized access. Advanced Account Security asks for signing in with a passkey. Users can set up either one or both, but will also have to create two authentication methods.

2. Two-factor authentication for securing your account will help in recovering lost data. However, SMS and Email authentication are vulnerable to attacks. Advanced Account Security disables these two methods, so users are sometimes helpless.

3. Try to shorten your login sessions. Longer sessions are more exposed to malware or cyberattacks.

4. Turn off AI training. ChatGPT uses your conversations for AI training and learns to be human. But this capability is a risk to user privacy.

Enterprise support soon

Advanced Account Security protects users in Codex if they use it to make and fine tune their code. Currently, this feature is only available to paid and free ChatGPT users with their personal accounts. However, OpenAI has said it is planning to expand it to the enterprise public.

Advanced Account Security also protects you in Codex if you use it to develop and fine-tune your own code. For now, the feature is available to free and paid ChatGPT users with their own accounts. But OpenAI said it expects to expand it to the enterprise crowd.

GlassWorm Malware Campaign Attacks Developer IDEs, Steals Data



 

malware

AI Cloud Data GlassWorm Internet malware

GlassWorm Malware Campaign Attacks Developer IDEs, Steals Data

About GlassWorm campaign

Cybersecurity experts have discovered another incident of the ongoing GlassWorm campaign, which uses a new Zig dropper that's built to secretly compromise all integrated development environments (IDEs) on a developer's system.

The tactic was found in an Open VSX extension called "specstudio.code-wakatime-activity-tracker”, which disguised as WakaTime, a famous tool that calculates the time programmes spend with the IDE. The extension can not be downloaded now.

Attack tactic

In previous attacks, GlassWorm used the same native compiled code in extensions. Instead of using the binary as the payload directly, it is deployed as a covert indirection for the visible GlassWorm dropper. It can secretly compromise all other IDEs that may be present in your device.

The recently discovered Microsoft Visual Studio Code (VS Code) extension is a replica (almost).

The extension installs a universal Mach-O binary called "mac.node," if the system is running Apple macOS, and a binary called "win.node" for Windows computers.

Execution

These Zig-written compiled shared libraries that load straight into Node's runtime and run outside of the JavaScript sandbox with complete operating system-level access are Node.js native addons.

Finding every IDE on the system that supports VS Code extensions is the binary's main objective once it has been loaded. This includes forks like VSCodium, Positron, and other AI-powered coding tools like Cursor and Windsurf, in addition to Microsoft VS Code and VS Code Insiders.

Malicious code installation

Once this is achieved, the binary installs an infected VS Code extension (.VSIX) from a hacker-owned GitHub account. The extension, known as “floktokbok.autoimport”, imitates “steoates.autoimport”, an authentic extension with over 5 million downloads on the office Visual Studio Marketplace.

After that, the installed .VSIX file is written to a secondary path and secretly deployed into each IDE via editor's CLI installer.

In the second-stage, VS Code extension works as a dropper that escapes deployment on Russian devices, interacts with the Solana blockchain, gets personal data, and deploys a remote access trojan (RAT). In the final stage, RAT installs a data-stealing Google Chrome extension.

“The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump,” cybersecurity firm aikido reported.

Microsoft Releases AI Upgrades, Launches Copilot Cowork to Early Access Customers



 

Technology

Claude Cloud Copilot Data GenAI Microsoft Technology

Microsoft Releases AI Upgrades, Launches Copilot Cowork to Early Access Customers

In an effort to enhance its AI offering and increase adoption, Microsoft (MSFT.O) recently introduced new features in its Copilot research assistant that would enable users to employ various AI models concurrently within the same workflow.

Instead of relying on a single model, Copilot's Researcher agent can now pull outputs from both OpenAI's GPT and Anthropic's Claude models for each response, thanks to a new feature called "Critique."

According to Microsoft, Claude will check the quality and correctness of the response before GPT provides it to the user. In the future, the business hopes to make that workflow bidirectional so that GPT may also evaluate Claude's writings.

"Having different models from different vendors in Copilot is highly attractive - but we're taking this to the next level, where customers actually get the benefits of the models working together," Nicole Herskowitz, VP of Copilot and Microsoft, said to Reuters.

The multi-model strategy will assist in increasing productivity and quality for customers by accelerating user workflow, controlling AI hallucinations, which occur when systems give incorrect information, and producing more dependable outputs.

Additionally, Microsoft is introducing a feature called "Council" that will let users compare results from various AI models side by side. The updates coincide with Microsoft expanding access to its new Copilot Cowork agentic AI tool for members of its "Frontier" program, which gives users early access to some of its most recent AI innovations.

According to Jared Spataro, Microsoft's AI-at-Work efforts leader, “We work only in a cloud environment, and we work only on behalf of the user. So you know exactly what information it (Copilot Cowork) has access to.”

On Monday, the company's stock increased by almost 1%. However, as investor confidence in AI declines, the stock is poised for its worst quarter since the global financial crisis of 2008, with a nearly 25% decline.

Microsoft capitalized on the increasing demand for autonomous AI agents earlier this month by releasing Copilot Cowork, a solution based on Anthropic's popular Claude Cowork product, in testing mode.

In the face of fierce competition from rivals like Google (GOOGL.O), the new tab Gemini, and autonomous agents like Claude Cowork, the Windows manufacturer has been rushing to enhance its Copilot assistant to promote greater usage.

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea



 

South Korea

Cloud Cyber Attacks Data GitHub phishing South Korea

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea

GitHub attacked by state-sponsored hackers

Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea.

The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.

Payload execution

Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background.

The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers.

Successful exploit scenario

If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security.

This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported.

The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.”

After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host.

Campaign history

According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak.

Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin.

China-based TA416 Targets European Businesses via Phishing Campaigns



 

phishing

AI Cloud Data malware phishing

China-based TA416 Targets European Businesses via Phishing Campaigns

Chinese state-sponsored attacks

A China-based hacker is targeting European government and diplomatic entities; the attack started in mid-2025, after a two-year period of no targeting in the region. The campaign has been linked to TA416; the activities coincide with DarkPeony, Red Lich, RedDelta, SmugX, Vertigo Panda, and UNC6384.

According to Proofpoint, “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."

Multiple attack campaigns

Additionally, TA416 organized multiple campaigns against the government and diplomatic organizations in the Middle East after the US-Iran conflict in February 2026. The attack aimed to gather regional intelligence regarding the conflict.

TA416 also has a history of technical overlaps with a different group, Mustang Panda (UNK_SteadySplit, CerenaKeeper, and Red Ishtar). The two gangs are listed as Hive0154, Twill Typhoon, Earth Preta, Temp.HEX, Stately Taurus, and HoneyMyte.

TA416’s attacks use PlugX variants. The Mustang Panda group continually installed tools like COOLCLIENT, TONESHELL, and PUBLOAD. One common thing is using DLL side-loading to install malware.

Attack tactic

TA416’s latest campaigns against European entities are pushing a mix of web bug and malware deployment operations, while threat actors use freemail sender accounts to do spying and install the PlugX backdoor through harmful archives via Google Drive, Microsoft Azure Blob Storage, and exploited SharePoint incidents. The PlugX malware campaigns were recently found by Arctic Wolf and StrikeReady in October 2025.

According to Proofpoint, “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target.”

The TA416 attacks in December last year leveraged third-party Microsoft Entra ID cloud apps to start redirecting to the download of harmful archives. Phishing emails in this campaign link to Microsoft’s authentic OAuth authorization. Once opened, resends the user to the hacker-controlled domain and installs PlugX.

According to experts, "When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it."

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data



 

Internet

AI Cloud Cyber Attacks Data Internet

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data

Credential-stealing operation

A massive credential-harvesting campaign was found abusing the React2Shell flaw as an initial infection vector to steal database credentials, shell command history, Amazon Web Services (AWS) secrets, GitHub, Stripe API keys.

Cisco Talos has linked the campaign to a threat cluster tracked as UAT-10608. At least 766 hosts around multiple geographic regions and cloud providers have been exploited as part of the operation.

About the attack vector

According to experts, “Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, which are then posted to its command-and-control (C2). The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.”

Who are the victims?

The campaign targets Next.js instances that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a severe flaw in React Server Components and Next.js App Router that could enable remote code execution for access, and then deploy the NEXUS Listener collection framework.

This is achieved by a dropper that continues to play a multi-phase harvesting script that stores various details from the victim system.

SSH private keys and authorized_keys

JSON-parsed keys and authorized_keys

Kubernetes service account tokens

Environment variables

API keys

Docker container configurations

Running processes

IAM role-associated temporary credentials

Attack motive

The victims and the indiscriminate targeting pattern are consistent with automated scanning. The key thing in the framework is an application (password-protected) that makes all stolen data public to the user through a geographical user interface that has search functions to browse through the information. The present Nexus Listener version is V3, meaning the tool has gone through significant changes.

Talos managed to get data from an unknown NEXUS Listener incident. It had API keys linked with Stripe, AI platforms such as Anthropic, OpenAI, and NVIDIA NIM, communication services such as Brevo and SendGrid, webhook secrets, Telegram bot tokens, GitLab, and GitHub tokens, app secrets, and database connection strings.

Experts Warn About AI-assisted Malwares Used For Extortion



 

Technology

AI AI Malware Cloud Data Hive Technology

Experts Warn About AI-assisted Malwares Used For Extortion

AI-based Slopoly malware

Cybersecurity experts have disclosed info about a suspected AI-based malware named “Slopoly” used by threat actor Hive0163 for financial motives.

IBM X-Force researcher Golo Mühr said, “Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” according to the Hacker News.

Hive0163 malware campaign

Hive0163's attacks are motivated by extortion via large-scale data theft and ransomware. The gang is linked with various malicious tools like Interlock RAT, NodeSnake, Interlock ransomware, and Junk fiction loader.

In a ransomware incident found in early 2026, the gang was found installing Slopoly during the post-exploit phase to build access to gain persistent access to the compromised server.

Slopoly’s detection can be tracked back to PowerShell script that may be installed in the “C:\ProgramData\Microsoft\Windows\Runtime” folder via a builder. Persistence is made via a scheduled task called “Runtime Broker”.

Experts believe that that malware was made with an LLM as it contains extensive comments, accurately named variables, error handling, and logging.

There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables.

The comments also describe the script as a "Polymorphic C2 Persistence Client," indicating that it's part of a command-and-control (C2) framework.

According to Mühr, “The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution. The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.”

The PowerShell script works as a backdoor comprising system details to a C2 server. There has been a rise in AI-assisted malware in recent times. Slopoly, PromptSpy, and VoidLink show how hackers are using the tool to speed up malware creation and expand their operations.

IBM X-Force says the “introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint. It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack.”

Perplexity's Comet AI Browser Tricked Into Phishing Scam Within Four Minutes



 

Technology

agentic browser AI Cloud Comet Internet Perplexity Technology

Perplexity's Comet AI Browser Tricked Into Phishing Scam Within Four Minutes

Agentic browser at risk

Agentic web browsers that use AI tools to autonomously do tasks across various websites for a user could be trained and fooled into phishing attacks. Hackers exploit the AI browsers’ tendency to assert their actions and deploy them against the same model to remove security checks.

According to security expert Shaked Chen, “The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way. Well, 'narrating' is quite an understatement - It blabbers, and way too much!,” the Hacker News reported. Agentic Blabbering is an AI browser that displays what it sees, thinks, and plans to do next, and what it deems safe or a threat.

Tricking the browsers

By hacking the traffic between the AI services on the vendor’s servers and putting it as input to a Generative Adversarial Network (GAN), it made Perplexity’s Comet AI browser fall prey to a phishing attack within four minutes.

The research is based on established tactics such as Scamlexity and VibeScamming, which revealed that vibe-coding platforms and AI browsers can be coerced into generating scam pages and performing malicious tasks via prompt injection.

Attack tactic

There is a change in the attack surface as a result of the AI agent managing the tasks without frequent human oversight, meaning that a scammer no longer has to trick a user. Instead, it seeks to deceive the AI model itself.

Chen said, “If you can observe what the agent flags as suspicious, hesitates on, and more importantly, what it thinks and blabbers about the page, you can use that as a training signal.” Chen added that the “scam evolves until the AI Browser reliably walks into the trap another AI set for it."

End goal?

The aim is to make a “scamming machine” that improves and recreates a phishing page until the agentic browser accepts the commands and carries out the hacker’s command, like putting the victim’s passwords on a malicious web page built for refund scams.

Guardio is concerned about the development, saying that, “This reveals the unfortunate near future we are facing: scams will not just be launched and adjusted in the wild, they will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact.”

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

About risk assessment

The impact on production

Mitigation processes

About recovery

Six rising common cyber threats

Attack tactic

Darkweb market selling and buying the service

What is a DDoS attack?

What is DDoS-as-a-service?

About the attack

About feature development

How to setup

Safety first

What about user privacy?

Hackers exploiting SSDs

Sites spying on user activity

The attack tactic

The impact

About the exploit

Deserialization of ViewState

Attack tactic

Similar attacks in 2025

Hackers targeting unsecured machines

TikTok, YouTube ignoring child safety

Platforms not safe enough

About the Ofcom report

What did YouTube and TikTok say?

What does the data say?

About two bugs

Severity

The impact

What should users do?

Improper bug management

Vulnerability existed since 2016

Privilege compromise tactic

What is successful exploit?

PoC exploit

How to stay safe

Incident impact

100s of GBs data leaked

Canvas compromised

GTA 6, Studio Rockstar were blackmailed too

Nvidea Geforce allegedly hacked

Shiny hunters all over the place

The impact

2026 and cybersecurity

Is the convergence good or bad?

1. System and skills problem

2. Bug management shift to active exposure reduction

3. Advanced deepfake protection is the need of the hour

4. Post-quantum protection

Do not feed your personal info to AI bots

What is Advanced Account Security

About new safety settings

Enterprise support soon

About GlassWorm campaign

Attack tactic

Execution

Malicious code installation

GitHub attacked by state-sponsored hackers

Payload execution

Successful exploit scenario

Campaign history

Chinese state-sponsored attacks

Multiple attack campaigns

Attack tactic

Credential-stealing operation

About the attack vector