We had sex in a Chinese hotel, then found we had been broadcast to thousands
A BBC investigation reveals the widespread existence of spy-cam porn in Chinese hotels, where unsuspecting guests are secretly filmed and their intimate moments broadcast and sold online. One couple, Eric and Emily, discovered their own sexual encounter in a Shenzhen hotel was captured and distributed on platforms like Telegram, causing them significant distress and trauma.
An Illinois man has pleaded guilty to hacking hundreds of Snapchat accounts to steal nude photos, facing decades in prison for charges including aggravated identity theft and wire fraud. He accessed at least 59 women’s accounts, sold the images online, and offered his hacking services for a fee.
Claude AI finds 500 high-severity software vulnerabilities | CSO Online
Anthropic’s new Claude Opus 4.6 has identified 500 high-severity software vulnerabilities in open-source projects during a trial, with humans verifying the findings before reporting them to developers. This demonstrates the growing capability of AI language models in software security and bug hunting.
The European Commission has notified TikTok of potential violations of the Digital Services Act, citing addictive design features like infinite scroll and autoplay that may harm users, especially minors. If found guilty, TikTok could face a fine of up to 6% of its global annual turnover, with the Commission suggesting changes to the platform’s core design and parental controls.
French lawmakers’ personal data leak: hack or doxxing?
In February 2026, personal data of French deputies was leaked online, but an investigation ruled out a hacking of the National Assembly’s databases, suggesting instead a case of doxxing through the aggregation of publicly available information. The incident highlights the vulnerability of public figures and the need to distinguish between transparency and overexposure, prompting legal action and a call for responsible online behavior.
Spain’s Ministry of Science shuts down systems after breach claims
Spain’s Ministry of Science has partially shut down its IT systems due to a technical incident, impacting services for citizens and companies. A threat actor claims to have breached the ministry, leaking data samples and alleging exploitation of an Insecure Direct Object Reference (IDOR) vulnerability.
South Korean e-commerce giant Coupang has confirmed that the personal data of an additional 165,000 users was compromised, bringing the total affected accounts to approximately 33.8 million. This breach, initially reported in November, involved stolen names, phone numbers, and delivery addresses, but not payment details or login credentials.
A study revealed that nearly 5 million web servers are exposing Git metadata, with over 250,000 leaking deployment credentials through .git/config files. This widespread vulnerability allows attackers to reconstruct source code, steal secrets, and gain unauthorized access.
Substack data breach leaks users’ email addresses and phone numbers | CSO Online
Substack has experienced a data breach where email addresses and phone numbers of some users were exposed due to a system vulnerability exploited in October 2025. The company has since fixed the issue and is investigating, assuring users that passwords and financial information were not compromised.
Tech giants like Google and Microsoft are increasingly partnering with social media influencers to promote their artificial intelligence services, offering substantial compensation for these collaborations. Companies such as OpenAI, Anthropic, and Meta are also engaging creators to post sponsored content across platforms like Facebook, Instagram, YouTube, and LinkedIn, with payouts reaching hundreds of thousands of dollars. AI companies have significantly boosted their advertising expenditures, with generative AI platforms spending over $1 billion on digital ads in the U.S. in 2025, a 126% increase from the previous year. Microsoft and Google have reportedly paid creators between $400,000 and $600,000 for multi-month partnerships. Influencer marketing has become a key battleground in the AI boom, with companies seeking authentic ways to connect with users. Anthropic, in particular, has been aggressive in creator marketing, hiring dedicated staff and inking deals with influencers like Megan Lieu, who highlights AI and tech. Some creators, however, are declining AI brand deals due to ethical, environmental, or creative concerns, fearing backlash from audiences who are increasingly skeptical of AI. Content creator Jack Lepiarz, for instance, has turned down significant offers, stating he cannot support technology that may make it harder for people to earn a living. The backlash appears strongest for AI tools that generate images or video, perceived by many creators as a direct threat to their artistic work.
Marco Stealer, a newly discovered information stealer first observed in June 2025, is designed to exfiltrate sensitive data including browser information, cryptocurrency wallet details, and files from cloud services like Dropbox and Google Drive. It employs sophisticated anti-analysis techniques, such as string encryption and the termination of security tools, to evade detection. The malware utilizes HTTP for command-and-control (C2) communication, with all messages encrypted using 256-bit AES. Marco Stealer collects system information, including hardware IDs and operating system versions, and uses named pipes for inter-component communication. It actively checks for and terminates analysis tools like Wireshark and x64dbg. The stealer also gathers IP geolocation data and builds a profile of the victim’s machine, encrypting all collected data before transmission to C2 servers, with the exception of screenshots which are exfiltrated in plaintext. It specifically targets browser data using embedded DLLs and executables, and extracts cryptocurrency wallet data from browser extensions. Marco Stealer also harvests clipboard content and recursively searches for sensitive files across various local directories and cloud storage locations. Despite law enforcement actions against similar malware, the market for information stealers remains active, posing a continuous threat to corporate environments. Zscaler’s Cloud Sandbox has successfully detected this campaign, with its security platform identifying indicators related to Marco Stealer.
The cybercriminal group Stan Ghouls, also known as Bloody Wolf, has been actively conducting targeted attacks since at least 2023, primarily focusing on organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan. Their main targets include the manufacturing, finance, and IT sectors. Stan Ghouls employs sophisticated, customized attack campaigns, utilizing a unique toolkit that includes Java-based malware loaders and a dynamic infrastructure. Recently, a campaign targeting Uzbekistan identified approximately 50 victims, with about 10 devices in Russia also affected, and a few others in neighboring countries, likely as collateral damage. The group’s attack vector typically involves spear-phishing emails with malicious PDF attachments, often written in the local language of the target country. Historically, they used the STRRAT remote access Trojan (RAT), but have since shifted to misusing legitimate software like NetSupport for maintaining control over infected systems. Evidence suggests Stan Ghouls may have expanded their arsenal to include IoT-focused malware, with the discovery of Mirai malware files on a domain associated with their previous campaigns. While their primary motive appears to be financial gain due to their focus on financial institutions, cyberespionage cannot be ruled out. The group consistently refreshes its infrastructure, registering new domains for each campaign, and has shown the capacity to manage a significant number of infected devices simultaneously.
Cisco Talos has uncovered DKnife, a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. This framework, in use since at least 2019, performs deep-packet inspection, manipulates network traffic, and delivers malware through routers and edge devices. DKnife targets a wide range of devices, including PCs, mobile devices, and IoT devices, by hijacking binary downloads and Android application updates to deliver backdoors like ShadowPad and DarkNimbus. Evidence, including code references and language used in configuration files, strongly suggests that China-nexus threat actors operate DKnife, with a primary focus on Chinese-speaking users. The framework exhibits a link to the WizardNet backdoor campaign, indicating a shared development or operational lineage with other AitM frameworks like Spellbinder. DKnife’s capabilities include DNS hijacking, disrupting antivirus traffic, and extensive user activity monitoring, collecting data on messaging, shopping, news consumption, and more. It also features credential harvesting for Chinese email services and hosts phishing pages. The framework’s seven components work in concert to achieve its malicious objectives, from deep packet inspection to establishing P2P communication channels. Routers and edge devices remain critical targets for advanced threats like DKnife, emphasizing the need for continuous monitoring of this infrastructure.
A large-scale phishing campaign has been uncovered, where attackers are exploiting legitimate Software-as-a-Service (SaaS) platforms to deliver phone-based scam lures. This campaign generated approximately 133,260 phishing emails, impacting 20,049 organizations, with the United States being the most targeted region. The attackers are not compromising the platforms themselves but are misusing native functionalities to create emails that appear authentic, leveraging the trust and reputation of well-known brands like Microsoft, Zoom, Amazon, PayPal, YouTube, and Malwarebytes. This trend signifies a strategic shift by attackers to bypass traditional detection methods by using trusted cloud workflows and focusing on phone-based lures, which circumvent URL analysis and sandboxing. Three primary methods of abuse were observed: misuse of legitimate SaaS email generation and redistribution, abuse of Microsoft notification workflows across various products, and exploitation of Amazon Business invitation features. The campaign’s scale and concentration in recent months highlight its effectiveness and scalability as a low-friction, high-return-on-investment strategy. The education and enterprise sectors are noted as being at elevated risk due to high notification volumes and established trust in these platforms. The report concludes that defenders must adapt their strategies, as authenticated, well-branded emails from trusted sources are no longer inherently safe and require contextual analysis to detect abuse.
OpenAI has launched GPT-5.3-Codex, a new agentic coding model that unifies frontier code performance with professional reasoning, running 25% faster and capable of handling broad computer tasks beyond just coding. It excels in benchmarks like SWE-Bench Pro and Terminal-Bench 2.0, and demonstrates strong computer-use capabilities in OSWorld-Verified, while also matching previous models on professional knowledge tasks in GDPval.
Silent Push has identified over 10,000 infected IPs linked to the SystemBC botnet, a malware family that converts compromised systems into proxies and has historically been used to deploy ransomware. Infections are globally distributed, with a notable presence in the United States, and have been found within sensitive government infrastructure.
Malicious NGINX Configurations Enable Large-Scale Web Traffic Hijacking Campaign
A large-scale web traffic hijacking campaign has been uncovered, exploiting malicious NGINX configurations to redirect user traffic through attacker-controlled servers. This campaign primarily targets Asian TLDs, Chinese hosting infrastructure like Baota Panel, and government/educational domains, utilizing shell scripts to inject compromised configurations into NGINX.
AWS intruder pulled off AI-assisted cloud break-in in 8 mins • The Register
An AWS cloud environment was compromised in under 10 minutes using AI to automate reconnaissance, privilege escalation, and code writing, leading to the attacker gaining administrative privileges. The intrusion involved stealing credentials from public S3 buckets and abusing Lambda functions, with evidence suggesting AI hallucinations in the attacker’s actions, including LLMjacking of Amazon Bedrock models.
AWS intruder pulled off AI-assisted cloud break-in in 8 mins • The Register
An AWS cloud environment was compromised in under 10 minutes using AI to automate reconnaissance, privilege escalation, and code writing, leading to the attacker gaining administrative privileges. The intrusion involved stealing credentials from public S3 buckets and abusing Lambda functions, with evidence suggesting AI hallucinations in the attacker’s actions, including LLMjacking of Amazon Bedrock models.
Hackers publish personal information stolen during Harvard, UPenn data breaches | TechCrunch
The hacking group ShinyHunters has published over 1 million personal records from Harvard University and the University of Pennsylvania (UPenn), which they claim to have stolen during recent data breaches. The group published the data on their leak site after the universities allegedly refused to pay a ransom.
The cybercrime group ShinyHunters has claimed responsibility for the Penn email hack, leaking thousands of additional internal files after the university allegedly refused to pay a ransom. These leaked documents include University donor records and information on Donald Trump and his family, amidst ongoing class-action lawsuits against Penn for the October 2025 data breach.
Critical n8n flaws disclosed along with public exploits
Critical n8n flaws (CVE-2026-25049) have been disclosed, allowing authenticated users to achieve remote code execution and gain complete control of the host server by bypassing sanitization mechanisms. Users are advised to update to the latest version (1.123.17 and 2.5.2) and rotate credentials to mitigate these vulnerabilities.
From credentials to cloud admin in 8 minutes: AI supercharges AWS attack chain | CSO Online
A recent attack demonstrated how AI-assisted attackers can weaponize exposed AWS credentials and permissive roles to gain full administrative control in under eight minutes. The attackers exploited a public S3 bucket containing credentials, escalated privileges through a Lambda function, moved laterally across multiple principals, and abused cloud resources for GPU workloads, highlighting the drastically reduced attack lifecycle due to AI automation.
Foxit PDF Editor Vulnerabilities Let Attackers Execute Arbitrary JavaScript
Critical cross-site scripting (XSS) vulnerabilities, CVE-2026-1591 and CVE-2026-1592, in Foxit PDF Editor Cloud allow attackers to execute arbitrary JavaScript code by exploiting insecure handling of file attachments and layer names. Foxit has released security patches, with automatic updates for the Cloud version and desktop users advised to update manually.
Hackers Exploiting React Native’s Metro Server in the Wild to Attack Developers
Hackers are actively exploiting a critical remote code execution vulnerability (CVE-2025-11953) in React Native’s Metro Development Server to deliver malware on Windows and Linux systems. The vulnerability, dubbed Metro4Shell, stems from an OS command injection flaw in the /open-url endpoint and has a critical CVSS score of 9.8, yet exploitation is occurring before widespread public awareness.