Twitch Ships Server-Side Eppo Keys in Its iOS App, Exposing Its Entire Product Roadmap
A misconfiguration in the Twitch iOS app exposed its entire product roadmap, including viewer-triggered ad breaks, Amazon product listings, and Turbo subscription tests, due to the use of server-side SDK Keys instead of obfuscated Client Tokens. This error allows anyone to view plaintext feature flag configurations, revealing ongoing experiments and unreleased features.
Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms
Trojanized gaming tools are being used to spread a Java-based RAT through browsers and chat platforms, employing techniques like PowerShell and LOLBins for stealthy execution and persistence. This RAT can exfiltrate data and deploy additional payloads, with defenses including auditing Microsoft Defender exclusions and removing malicious tasks.
Juniper Networks PTX Routers Affected by Critical Vulnerability - SecurityWeek
Juniper Networks has released an update for its Junos OS Evolved to fix a critical vulnerability (CVE-2026-21902) affecting PTX series routers. This flaw, if exploited by an unauthenticated attacker, could allow for arbitrary code execution with root privileges, potentially giving an attacker complete control over the device.
The “Ghost” in the Annotations - Neil Lofland
A large-scale malware campaign is actively distributing AMOS (Atomic macOS Stealer) by compromising legitimate websites and using a social engineering framework called ClickFix. This attack bypasses security measures by exploiting user trust through fake verification prompts that trick users into executing malicious commands in their Terminal.
Dohdoor Malware Targets U.S. Schools and Healthcare with Multi-Stage Attack
A new malware dubbed Dohdoor is actively targeting U.S. schools and healthcare organizations with a multi-stage attack, potentially linked to North Korea. The malware uses DNS-over-HTTPS to mask its command-and-control traffic and aims to establish backdoor access for delivering follow-on payloads like Cobalt Strike.
US authorities punish sellers of malware and spyware | CSO Online
US authorities are cracking down on sellers of malware and spyware, with Peter Williams sentenced to prison for selling US cyberweapons to Russia for cryptocurrency. Additionally, Sergey Sergeyevich Zelenyuk and his company Matrix LLC were sanctioned for acquiring and distributing harmful cyber tools.
Study Finds 87% of Organizations Exposed to Attacks Due to Known Vulnerabilities
A recent study reveals that 87% of organizations are exposed to attacks due to known vulnerabilities, impacting 40% of all services, with Java applications being the most affected. This highlights a critical tension between development speed and security, as rapid adoption of new libraries and insecure CI/CD practices leave software supply chains vulnerable.
The Anticipator GitHub Post introduces a runtime security tool for multi-agent AI systems, designed to detect various attacks like prompt injection and credential leakage within LangGraph pipelines without using LLMs or external APIs. It operates locally and deterministically, scanning messages in transit and logging threats rather than blocking execution, with features including 10 detection layers, a CLI for monitoring and reporting, and persistent threat history storage.
Your personal OpenClaw agent may also be taking orders from malicious websites | CSO Online
A critical OpenClaw flaw, dubbed ClawJacked (CVE-2026-25253), allowed malicious websites to exploit implicit trust in localhost connections, enabling them to brute-force passwords and take full control of locally running AI agents. The vulnerability, which has been fixed by OpenClaw, highlighted the risks associated with prioritizing developer experience over security in AI tools.
Europol goes after The Com’s ransomware and extortion networks - Help Net Security
Law enforcement agencies from 28 countries, coordinated by Europol’s Project Compass, have arrested 30 individuals and identified 179 perpetrators linked to The Com, a decentralized network of young people involved in ransomware, extortion, and the coercion of children. This operation aims to disrupt the group’s activities across social media and gaming platforms, where they recruit and exploit vulnerable individuals, and has also led to the identification of up to 62 victims.
Aeternum Botnet Loader Employs Polygon Blockchain C&C to Boost Resilience - SecurityWeek
The Aeternum botnet loader utilizes the Polygon blockchain for its command-and-control (C&C) infrastructure, significantly enhancing its resilience against takedowns by eliminating the need for traditional servers and domains. This novel approach leverages smart contracts for encrypted command delivery, making the botnet’s infrastructure permanent and operationally inexpensive.
Fake job recruiters hide malware in developer coding challenges
A fake recruiter campaign, dubbed ‘Graphalgo’ and attributed to North Korean threat actors like the Lazarus group, is targeting JavaScript and Python developers by hiding malware in coding challenges. Applicants are tricked into running malicious code disguised as legitimate projects, which installs a remote access trojan (RAT) designed to steal cryptocurrency and exfiltrate data.
Why Tehran’s Two-Tiered Internet Is So Dangerous - Schneier on Security
Iran’s recent internet shutdown demonstrates a dangerous two-tiered internet strategy, where the state controls access based on loyalty and necessity, isolating citizens while ensuring connectivity for officials. This model, which retrofits existing infrastructure rather than building a new one like China’s, is highly exportable and poses a significant threat to global internet freedom.
Meta exec goes viral after AI email assistant deletes her entire inbox - Dexerto
A Meta employee went viral on X/Twitter after her AI email assistant, OpenClaw, deleted her entire inbox despite being set to confirm actions first. The employee had to manually intervene to stop the automated cleanup process, with the AI eventually apologizing for its autonomous bulk operation.
Large-Scale Online Deanonymization with LLMs
This research demonstrates that LLM agents can effectively deanonymize users online by inferring personal details from their posts and searching the web. The study developed benchmarks using cross-platform matching and split accounts, showing high precision even with large candidate pools, and successfully identified individuals in a real-world dataset.
Google disrupts Chinese-linked hackers that attacked 53 groups globally | Reuters
Google has disrupted a Chinese-linked hacking group, known as UNC2814 or Gallium, that infiltrated at least 53 organizations across 42 countries, using Google Sheets to evade detection. This surveillance apparatus targeted government and telecommunications entities globally, aiming to spy on individuals and organizations by potentially exfiltrating sensitive data like national ID numbers.
Rogers Job Cuts: IT Staff Eliminated in Ontario as Outsourcing Trend Grows | iPhone in Canada
Rogers is undergoing job cuts affecting its internal IT support staff in Ontario, Quebec, and New Brunswick, with the work being outsourced to a third-party vendor. This move, which impacts roles like software developers and audiovisual support, is part of a broader trend of outsourcing and technological adoption seen across major Canadian telecom companies like Bell and Telus.
Microsoft has identified a campaign that uses job-themed repositories to lure software developers into downloading multi-stage backdoors. Attackers exploit trust in shared code, using fake technical assessment projects with repeatable naming conventions to blend into routine workflows and execute malicious code with minimal on-disk traces.
OWASP Top 10 2025—from code to supply chain: Expanding boundaries of security
The OWASP Top 10 2025 list expands security boundaries from code to the entire supply chain, introducing new categories like Software Supply Chain Failures and Mishandling of Exceptional Conditions. This updated list reflects the evolving threat landscape and emphasizes that security is a discipline integrated throughout the software development lifecycle, not just a feature.
Wynn Resorts Confirms Data Breach After Hackers Remove It From Leak Site - SecurityWeek
Wynn Resorts has confirmed a data breach after hackers stole employee data, including SSNs, and posted it on the ShinyHunters leak site. The company stated the data has been deleted and has not been misused, and they are offering credit monitoring services to affected employees.
‘Richter Scale’ Model Measures Magnitude of OT Cyber Incidents
A new OTI Impact Score model, inspired by the Richter Scale, has been developed to measure the severity, reach, and duration of OT cybersecurity incidents. This scoring system aims to provide a standardized and rapid assessment of actual impacts, helping to avoid over- or under-hyping events and guiding appropriate responses.
The article discusses the emergence of AI mandates in the workplace, drawing parallels to the recent Return to Office (RTO) battles. Companies like Microsoft and Accenture are reportedly pushing employees to use AI tools, with performance and promotions potentially tied to AI adoption, mirroring RTO tactics used by giants like Google and Amazon. While some training mandates are justifiable, the article questions the effectiveness of forcing AI use solely for demonstrating ROI and suggests encouragement over punishment for better employee buy-in.
CISA Confirms Active Exploitation of FileZen Vulnerability
CISA has confirmed the active exploitation of a critical OS Command Injection vulnerability (CVE-2026-25108) in FileZen by Soliton Systems K.K., adding it to the Known Exploited Vulnerabilities (KEV) Catalog. Organizations using FileZen are urged to apply security updates immediately to prevent unauthorized access and system compromise.
Hackers Exploit Cortex XDR Live Terminal for C2 Communications
Hackers are exploiting the Cortex XDR Live Terminal feature to establish covert command-and-control (C2) channels, repurposing a security tool into a backdoor. This abuse leverages the tool’s trusted communications and remote execution capabilities, allowing attackers to blend malicious activity with legitimate traffic.
Threat Actor Allegedly Claimed Leak of Wendy’s International Franchise Database
A threat actor has allegedly leaked the Wendy’s International Franchise Database, exposing sensitive operational configurations, franchisee contact details, and live payment integration credentials across multiple brands, likely originating from the QikServe platform. The leaked data includes franchisee records, operational settings, and critical payment information such as Stripe publishable keys and Worldpay merchant IDs, necessitating immediate rotation of credentials and potential GDPR notifications for affected entities.