
STORIES FROM THE SECURITY DESK ■ LAST 14 DAYS

100 STORIES

Cybercriminals have transformed DDoS attacks into a polished, commercialized service complete with pricing tiers, customer support, and reseller programs. The DDoS-as-a-Service market has evolved from basic tools into sophisticated attack platforms.

6H AGO ■ Industry Desk

Microsoft faced backlash after threatening a security researcher with criminal investigation, reigniting debate over software vulnerability disclosure practices and corporate responsibility.

6H AGO ■ Security Desk

Google is deploying Device Bound Session Credentials (DBSC) to all Chrome users, a security feature designed to prevent account takeovers by protecting session cookies from theft.

6H AGO ■ Industry Desk

Dutch authorities have dismantled a major botnet comprising 17 million infected devices and seized over 200 servers hosting the operation at a local provider.

6H AGO ■ Security Desk

California's Attorney General Rob Bonta filed a lawsuit against 23andMe following a 2023 data breach that compromised genetic and personal information belonging to 7 million users. The stolen data was subsequently sold on the dark web.

9H AGO ■ Security Desk

A North Carolina man was sentenced to over 10 years in prison for selling personal information of more than 7 million elderly Americans to Jamaican scam operators.

9H AGO ■ Industry Desk

Connected vehicles gather detailed information about driver behavior, location, and habits. The practice is expanding as automakers integrate more sensors and connectivity features.

12H AGO ■ Industry Desk

Hackers stole personal information from 4.9 million Charter Communications accounts in an April breach. The ShinyHunters extortion gang claimed responsibility for the attack.

12H AGO ■ Security Desk

GitHub has suspended a security researcher's account after they published proof-of-concept exploits for Windows zero-day vulnerabilities. The researcher claims the ban is retaliation for exposing flaws Microsoft failed to address.

16H AGO ■ Dev Desk

California's attorney general filed suit against genetic testing company 23andMe on Thursday, alleging it failed to adequately protect user data in a 2023 breach affecting approximately 7 million people across the United States.

16H AGO ■ AI Desk

The US government disclosed that military personnel were targeted using location data obtained through the advertising industry. A senator has called for treating the ad tech sector as a national security threat.

20H AGO ■ Security Desk

Hackers are conducting phishing attacks to steal Signal users' secret recovery keys, which grant access to encrypted message backups stored online.

20H AGO ■ Security Desk

Carnival Corporation acknowledged a data breach affecting nearly 6 million people, with the ShinyHunters extortion gang claiming responsibility in April 2026. The incident marks a significant security failure for the world's largest cruise line operator.

YESTERDAY ■ Security Desk

Security researchers discovered a public data leak at Pay Tel, a prison telephone service provider, exposing over 300,000 callers' driver's licenses and inmate communications. The company secured the data after the vulnerability was identified.

YESTERDAY ■ Security Desk

Attackers are leveraging an authentication bypass vulnerability in FortiClient Enterprise Management Server to distribute EKZ, a previously unknown credential-stealing malware.

YESTERDAY ■ Security Desk

The US military knew for years that adversaries could track troops through unprotected location data on their phones, but failed to implement available fixes. Now hostile forces are actively exploiting this vulnerability during active warfare.

YESTERDAY ■ Industry Desk

An unpatched zero-day vulnerability in Gogs self-hosted Git service allows attackers to execute arbitrary code on exposed instances. The flaw poses immediate risk to internet-facing deployments.

YESTERDAY ■ Security Desk

California's civil rights agency prevailed in court as a judge rejected Tesla's motion to dismiss a racial discrimination lawsuit. The case is now set for trial in July.

YESTERDAY ■ Industry Desk

A lawsuit has challenged the Department of Homeland Security's plan to create a vast DNA database for tracking ICE critics. The case alleges DHS intended to integrate DNA collection into its immigration enforcement surveillance systems.

YESTERDAY ■ Industry Desk

A critical vulnerability called BadHost in the open-source Starlette Python framework has exposed millions of AI agents and tools worldwide to potential authorization breaches. The flaw affects FastAPI, which relies on Starlette as its foundation.

MAY 27 ■ Dev Desk

Researchers have discovered that websites can measure solid-state drive activity through the browser using JavaScript, creating a new privacy vulnerability for visitors.

MAY 27 ■ Industry Desk

Federal prosecutors charged Google employee Michele Spagnuolo with fraud after he allegedly used confidential internal data to win $1.2 million on Polymarket prediction bets related to search trends in 2025.

MAY 27 ■ Industry Desk

The head of the UK's GCHQ intelligence agency has warned that allied nations face a shrinking timeframe to counter escalating cyber threats from China and Russia, as Moscow intensifies daily hybrid warfare operations.

MAY 27 ■ AI Desk

Threat actors are distributing cryptojacking malware targeting high-performance systems through a coordinated campaign that exploits SEO poisoning and manipulates AI chatbot recommendations.

MAY 27 ■ AI Desk

Researchers have dismantled the Glassworm botnet's command-and-control infrastructure after targeting developers in supply-chain attacks. The operation exploited Solana blockchain transactions and BitTorrent DHT networks for resilient communications.

MAY 27 ■ Industry Desk

A critical authentication bypass vulnerability (CVE-2026-48710) affects Starlette, a popular Python web framework. The flaw allows attackers to bypass host-header validation through crafted requests.

MAY 27 ■ Industry Desk

China's police forces are retrofitting millions of aging surveillance cameras with AI-powered computer vision and language models. The upgrades enable automatic detection of crowds, suspicious behavior, and unauthorized access without manual review.

MAY 27 ■ AI Desk

Dutch National Police arrested a 35-year-old man suspected of hacking AFC Ajax Amsterdam earlier this year. The suspect remains in custody as authorities investigate the breach.

MAY 27 ■ Security Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch a critical vulnerability in the LiteSpeed cPanel plugin within four days. The flaw is currently being exploited in active attacks.

MAY 27 ■ Security Desk

The FBI has alerted U.S. law firms that the Silent Ransom Group (SRG) is conducting physical break-ins to steal data, marking a shift toward on-site extortion tactics.

MAY 27 ■ Security Desk

China is modernizing its decade-old domestic surveillance infrastructure with AI-enabled cameras and advanced software, according to sources and documents reviewed by the Financial Times. Local police forces are deploying more powerful tracking systems across the country.

MAY 27 ■ AI Desk

Payment processor Stripe faces criticism for allegedly making it easy for customers to exploit its chargeback dispute system. The platform's dispute resolution process reportedly favors fraudulent claims filed as legitimate customer complaints.

MAY 27 ■ Industry Desk

India is conducting vulnerability assessments of its financial and government applications against Anthropic's next-generation Mythos AI model, according to officials familiar with the testing program.

MAY 27 ■ Industry Desk

Taiwan prosecutors are investigating three individuals suspected of smuggling at least one shipment of Nvidia AI chips to China by routing them through Japan, according to people familiar with the matter.

MAY 27 ■ AI Desk

A third-party website processing UK visa applications exposed thousands of applicants' passports and selfies online. The company has not fixed the breach and instead sent legal threats to researchers who discovered it.

MAY 27 ■ Industry Desk

Zscaler reported third-quarter revenue of $850.5M, exceeding estimates by $15.1M with 25% year-over-year growth. The cybersecurity firm's stock dropped over 18% after hours following a fourth-quarter revenue forecast below analyst expectations.

MAY 26 ■ Security Desk

Attackers have weaponized a critical zero-day vulnerability in KnowledgeDeliver learning management systems to deploy Godzilla web shells. The exploit grants unauthorized remote access to affected servers.

MAY 26 ■ Security Desk

An FBI agent demonstrated how straightforward it is to identify people distributing non-consensual AI-generated pornography, citing a case where a saved Instagram post led directly to an offender's account.

MAY 26 ■ AI Desk

A critical vulnerability dubbed "BadHost" has been discovered in Starlette, an open source Python package downloaded 325 million times weekly, potentially exposing millions of AI agents to attack.

MAY 26 ■ AI Desk

The FTC has settled with Cox, MindSift, and 1010 Digital Works over allegations they falsely claimed they could use smartphone microphones to spy on users for ad targeting purposes.

MAY 26 ■ AI Desk

BNP Paribas is partnering with French AI startup Mistral AI to prepare for cybersecurity threats posed by advanced AI models like Anthropic's Mythos.

MAY 26 ■ AI Desk

Charter Communications acknowledged a data breach after the ShinyHunters extortion group threatened to release stolen information. The group demanded ransom in exchange for not publishing the data.

MAY 26 ■ Security Desk

An unidentified group stole and released the NSA's most sophisticated hacking tools, a breach whose consequences continue to reshape corporate cybersecurity strategy today.

MAY 26 ■ Security Desk

Iranian government-backed hackers breached the Los Angeles transit system in a cyberattack that took weeks to recover from, according to an Israeli cybersecurity firm. The attackers operated under the fake hacktivist persona Ababil of Minab.

MAY 26 ■ Security Desk

An audit of 2.5 million biomedical papers reveals fabricated references have surged more than twelvefold since 2023, likely driven by language model use. The fake citations are nearly impossible to detect and threaten the integrity of clinical guidelines.

MAY 26 ■ AI Desk

Microsoft has identified a new issue in Windows Server 2016 where domain controller lookups fail following installation of the KB5087537 May 2026 security update. The bug affects system authentication and network connectivity.

MAY 26 ■ AI Desk

The U.S. Cybersecurity and Infrastructure Security Agency has issued a mandate requiring federal agencies to patch an actively exploited SQL injection vulnerability in Drupal by Wednesday evening.

MAY 26 ■ Security Desk

Hackers stole personal information from over 183,000 people after breaching 7-Eleven systems in April. The ShinyHunters extortion gang is behind the attack, according to breach notification service Have I Been Pwned.

MAY 26 ■ Security Desk

The Pentagon's botched blacklisting of Alibaba and Baidu in February reveals deep divisions within the Trump administration over China strategy. The incident underscores inconsistent approaches to Beijing across different government agencies.

MAY 26 ■ AI Desk

Yoti's age verification service shares facial photographs and device fingerprints with third-party companies, raising privacy concerns for users seeking age-gated content access.

MAY 26 ■ Industry Desk

A vulnerability in Microsoft Copilot Cowork allows unauthorized file exfiltration. The issue enables attackers to access and extract sensitive documents from the collaboration platform.

MAY 26 ■ AI Desk

U.S. prosecutors revealed that a ransomware gang accessed Russian government databases, enabling its leaders to evade taxes and military service while fueling corruption within the Russian state.

MAY 25 ■ Security Desk

Mexican drug cartels are leveraging TikTok to recruit members and spread propaganda, using coded language to evade platform moderation, according to researchers.

MAY 25 ■ Industry Desk

A new webinar examines why network incidents escalate despite adequate monitoring systems. The focus shifts from detection gaps to coordination failures across IT teams and tools.

MAY 25 ■ Industry Desk

Mullvad has begun deploying a mitigation for a vulnerability affecting VPN exit IP servers. The rollout addresses a security issue that could expose user traffic under certain conditions.

MAY 25 ■ Industry Desk

California is moving to exempt Linux from its age-verification requirements after significant backlash from the open-source community. The amendment, proposed by the original law's author, addresses concerns that the mandate would be impractical for operating systems.

MAY 25 ■ Dev Desk

The FTC settled charges against Cox Media, MindSift, and 1010 Digital Works for falsely claiming they could secretly listen to users through phones and smart devices to target ads. The companies had no actual capability to conduct such surveillance.

MAY 25 ■ Industry Desk

Iranian threat actor Nimbus Manticore has resurfaced using AI-assisted malware development and SEO poisoning techniques to target companies, according to Check Point Research. The IRGC-affiliated group escalated operations during recent US-Iran tensions.

MAY 25 ■ AI Desk

Hackers and scammers are frustrated by AI-generated content flooding underground forums where they coordinate cyberattacks and illegal activities. The deluge of low-quality "AI slop" is cluttering platforms critical to criminal operations.

MAY 25 ■ AI Desk

As attackers deploy AI tools to discover and exploit software vulnerabilities faster, security teams are forced to adopt similar technologies to keep pace. The acceleration is fundamentally reshaping how bugs are hunted and patched.

MAY 25 ■ AI Desk

The U.S. Customs and Border Protection agency has issued Directive 3340-049B, establishing procedures for searching electronic devices at borders. The updated guidelines clarify when and how agents can access phones, laptops, and other digital equipment.

MAY 24 ■ Industry Desk

A newly disclosed vulnerability in container technology allows attackers to bypass security controls in rootless container environments through improper file copying mechanisms. CVE-2026-31431 affects container systems that rely on copy operations without proper privilege validation.

MAY 24 ■ AI Desk

A critical SQL injection vulnerability in Ghost CMS is being actively exploited to deploy malicious JavaScript in a widespread ClickFix campaign. The flaw, tracked as CVE-2026-26980, allows attackers to inject code that triggers fake tech support scams.

MAY 24 ■ AI Desk

The Department of Homeland Security demanded Google surrender location and activity data on a Canadian citizen who criticized ICE operations online. The man, who hasn't entered the US in over a decade, was targeted using an obscure trade statute from the Great Depression era.

MAY 24 ■ Industry Desk

Security researchers warn that hackers are increasingly targeting the conversational traits and behavioral patterns of AI chatbots to manipulate systems and extract sensitive information.

MAY 24 ■ AI Desk

Attackers compromised Laravel Lang localization packages to distribute credential-stealing malware through Composer. The supply chain attack exploited GitHub version tags to reach developers.

MAY 23 ■ Security Desk

Oura, the Finnish smart ring maker, acknowledged receiving government requests for user data but has not disclosed how many demands it receives or complies with.

MAY 23 ■ Industry Desk

Major tech companies now offer dedicated security modes to protect users from targeted spyware attacks. Here's how to enable them on your devices.

MAY 23 ■ Industry Desk

Italian authorities have dismantled CINEMAGOAL, a piracy application that illegally distributed authentication codes for Netflix, Disney+, Spotify, and other streaming services.

MAY 23 ■ Industry Desk

American technology companies have provided US Senate officials with the names of Dutch regulatory representatives. The disclosure raises questions about coordination between US lawmakers and foreign regulatory bodies.

MAY 23 ■ Industry Desk

Chinese networking company TP-Link has captured over 60% of the US consumer router market, up from 10% in 2019, while facing mounting national security concerns from US policymakers.

MAY 23 ■ Security Desk

Anthropic has released an initial update on Project Glasswing, revealing that its Mythos tool has identified more than 10,000 vulnerabilities for partners, many classified as high or critical severity.

MAY 23 ■ AI Desk

Apple has published a blueprint for formally verifying its CoreCrypto library, a foundational cryptographic component used across its platforms. The approach aims to mathematically prove the correctness of critical cryptographic operations.

MAY 23 ■ Industry Desk

Italy's Guardia di Finanza dismantled a major piracy operation distributing paid content through the Cinemagoal app. The network charged users €40-€130 annually for unauthorized access to Netflix, Sky, and other premium services.

MAY 23 ■ AI Desk

FOIA lawsuit documents reveal that hackers behind the 2020 SolarWinds breach potentially accessed every treasury.gov email address for over three months, from July 6 to October 12, 2020.

MAY 23 ■ AI Desk

The Based Apparel website linked to FBI Director Kash Patel has been identified hosting a ClickFix malware attack, attempting to trick visitors into installing malicious software.

MAY 23 ■ Security Desk

The website for Kash Patel's clothing brand went offline following reports that hackers compromised the platform. Users on X reported the site was being used to distribute malware to visitors.

MAY 23 ■ Security Desk

Four Russian satellites have maneuvered into close proximity with an ICEYE radar satellite, demonstrating a capability rarely seen in routine orbital operations. The positioning raises questions about Russia's space domain awareness and on-orbit servicing intentions.

MAY 23 ■ Industry Desk

The Cybersecurity and Infrastructure Security Agency is managing a significant data leak while facing congressional scrutiny over the incident. Lawmakers have begun requesting detailed information about the breach's scope and response.

MAY 23 ■ AI Desk

Iran's record internet shutdown is widening the divide between the country's military and civilian government, as security forces use the blackout to extend their authority over daily life amid US tensions.

MAY 22 ■ Industry Desk

A massive data breach at South Korea's Coupang, a U.S.-listed company, has triggered competing claims between both nations over investigative authority, testing Washington's commitment to protecting its tech companies abroad.

MAY 22 ■ Industry Desk

A marketer claiming it could tap into devices for ad targeting will pay $880,000 to settle enforcement action. Two additional marketing companies will each pay $25,000.

MAY 22 ■ AI Desk

Meta and Snapchat have blocked accounts of Saudi Arabian dissidents following orders from Saudi authorities, making their content invisible within the kingdom. The move affects US-based and Canada/UK-based activists critical of Saudi human rights practices.

MAY 22 ■ Industry Desk

Police have successfully intercepted traffic from a VPN service used by criminals, seized its domains, and arrested its operator. The operation highlights growing law enforcement capabilities against encrypted communications.

MAY 22 ■ Security Desk

Dutch financial crime investigators arrested two men and confiscated 800 servers from a web hosting company accused of enabling cyberattacks, interference operations, and disinformation campaigns.

MAY 22 ■ Security Desk

Two former executives of a call-tracking company pleaded guilty to concealing a multi-year tech support fraud operation that targeted victims globally.

MAY 22 ■ AI Desk

Drupal has issued an urgent warning that hackers are actively exploiting a critical SQL injection vulnerability disclosed earlier this week. The flaw poses severe risk to affected installations.

MAY 22 ■ Industry Desk

Ubiquiti has released security updates addressing three maximum severity vulnerabilities in UniFi OS that can be exploited remotely without authentication. The flaws affect the company's network management platform.

MAY 22 ■ Industry Desk

Trump Mobile acknowledged exposing customers' personal data, including phone numbers and home addresses, through a third-party platform vulnerability. The company is currently evaluating notification requirements.

MAY 22 ■ Industry Desk

Palantir Technologies held a hackathon to develop user-auditing tools for its software platform, including systems used by U.S. Immigration and Customs Enforcement. The effort addresses ongoing employee concerns about the company's work with the agency.

MAY 22 ■ Security Desk

Texas Attorney General Ken Paxton filed a lawsuit against Meta, claiming WhatsApp falsely markets its messaging service as secure while maintaining the ability to access encrypted messages.

MAY 22 ■ AI Desk

TeamPCP, a threat actor group, has claimed responsibility for breaching GitHub repositories and is linked to at least 20 waves of supply chain attacks affecting over 500 software projects globally.

MAY 22 ■ AI Desk

Maryland has become the first U.S. state to prohibit surveillance pricing—the practice of using personal data to charge different prices to different customers. The law restricts retailers from employing facial recognition, purchase history, and other tracking methods to set individualized prices.

MAY 22 ■ Security Desk

Amazon, Facebook, and the FBI have access to a shared intelligence platform designed for coordinated information sharing. The private network enables real-time data exchange between corporate and federal law enforcement entities.

MAY 21 ■ Security Desk

Hackers are actively exploiting authentication bypass vulnerabilities in Qinglong, an open-source task scheduling tool, to deploy cryptominers on developer servers. The attacks target two separate RCE flaws in the platform.

MAY 21 ■ Security Desk

Three companies will pay nearly $1 million to settle FTC charges over selling fake "Active Listening" technology they claimed monitored phones for targeted advertising. The agency found the tech didn't work—it was simply overpriced email lists.

MAY 21 ■ Industry Desk

Canadian authorities arrested a 23-year-old Ottawa man Wednesday on suspicion of building and operating Kimwolf, an IoT botnet that infected millions of devices. The suspect faces charges in both countries for launching massive DDoS attacks, doxing, and swatting campaigns over the past six months.

MAY 21 ■ Industry Desk

Europol has shut down a VPN service that provided anonymity to approximately two dozen ransomware groups. The agency notified identified users they have been exposed.

MAY 21 ■ Security Desk

London Mayor Sadiq Khan has blocked a £50m contract between Scotland Yard and US tech firm Palantir, citing procurement rule violations. The deal would have deployed Palantir's AI technology to automate intelligence analysis in criminal investigations.

MAY 21 ■ Industry Desk

A new study found that workplace monitoring software used by hundreds of thousands of companies shares employee data with Meta, Google, and data brokers. All nine bossware services examined in the research transmitted personal information beyond employers.

MAY 21 ■ Industry Desk