Latest cybersecurity threats, data breaches, hacking incidents, security vulnerabilities, ransomware attacks, and expert guidance on digital security.
For the second time in weeks, Microsoft packages were compromised with credential-stealing code, with 73 packages flagged as malicious on GitHub. The malicious packages were triggered when developers opened them in AI coding agents. GitHub disabled the packages citing a violation of terms of service. Microsoft did not acknowledge the possibility of infection until Monday, stating they were investigating.
Meta is filing a federal US court contempt order against Israeli spyware firm NSO Group for violating a permanent injunction by targeting WhatsApp users with new spear phishing attempts. WhatsApp disrupted the campaign and found no evidence that targets' devices were compromised.
Anthropic's Mythos Preview can generate working exploits for newly disclosed software vulnerabilities in hours instead of weeks. In tests, it produced a proof-of-concept exploit for a Windows kernel bug in 31 minutes and created 8 exploits for Firefox security patches.
Microsoft temporarily removed dozens of open source GitHub repositories after hackers injected password-stealing malware into the code. The malware targeted AI developers using tools like Claude Code and VS Code. Microsoft notified a small number of affected customers.
Starting July 1, 2026, Australian telecoms will label scam texts as 'unverified' if the sender ID is unregistered. The move follows 153 million scam texts blocked in 2025 and over A$2 billion lost to scams. Small businesses are urged to register their sender IDs to avoid being flagged.
Ransomware criminals exploited a Check Point VPN zero-day vulnerability for a month before a fix was released. The vulnerability allowed unauthorized access to networks. A patch is now available.
CB Financial Services disclosed a cybersecurity incident where an employee uploaded customer data including names, Social Security numbers and dates of birth into an unauthorized AI tool. The bank said it contacted the vendor in time to prevent the data from being used for AI training. The disclosure may be the first SEC filing citing 'unauthorized artificial intelligence.'
This commentary argues that Apple Intelligence's on-device AI is vulnerable to prompt injection attacks, citing research showing a 76% success rate in manipulating the model. It contends that users should be concerned because such attacks could occur without physical device access, and advises readers to understand the risks and adjust settings to lower their exposure.
Australian and Thai police released a script used by scammers impersonating the Australian Federal Police to steal bank details. The script, found in a Cambodian compound, instructs scammers to claim victims' identities were used in money laundering and demand regular updates to coerce compliance.
North Korean actors sent over 250 unsolicited fake job offers to developers over six weeks, aiming to steal credentials and cryptocurrency. The offers appeared too good to be true, likely using social engineering tactics.