Cyber Security
Blog
Triple Extortion Ransomware: How It Works and How to Stop It
Triple extortion ransomware attacks combine encryption, data theft, and DDoS pressure to coerce payment from multiple angles. This guide explains the full attack lifecycle, real-world ...
Application Security
Chrome 149 Patches 28 Flaws, Including 12 Use-After-Free Bugs
Google's Chrome 149 security update patches 28 vulnerabilities, roughly 12 use-after-free bugs, a memory corruption class tied to drive-by code execution.
Application Security
OpenClaw AI Agent Hijacked via Malicious vCard Injection
Researchers showed OpenClaw AI agents can be hijacked through vCards with embedded instructions, enabling attacker code execution and sensitive data leakage.
Cybersecurity
Kyushu Electric Loses Drive With Data on 10.9M Customers
Kyushu Electric Power lost a physical storage device containing personal records on 10.9 million customers, exceeding its active customer base of 8 million.
Cybersecurity
Anthropic Disputes Jailbreak Claim Against Claude Fable 5
Anthropic disputed a researcher jailbreak claim against Claude Fable 5, arguing the technique does not constitute a bypass of the model's safety classifiers.
Application Security
Six Proto6 Flaws in protobuf.js Enable Node.js RCE
Six Proto6 vulnerabilities in protobuf.js enable remote code execution and denial-of-service against Node.js apps via malicious schemas or crafted payloads.
Application Security
npm v12 Disables Auto-Run Scripts to Cut Supply Chain Risk
npm v12 will disable install scripts by default, requiring an explicit allowlist and closing the primary vector used by Miasma and Shai-Hulud attackers.
Cybersecurity
Anthropic Releases Guardrail-Free Mythos 5 to Security Researchers
Anthropic released Claude Mythos 5 with safety guardrails intentionally removed to vetted security researchers alongside the public Claude Fable 5 launch.
Cybersecurity
Novo Nordisk Discloses Breach of Clinical Trials Patient Data
Novo Nordisk disclosed a breach of clinical trials patient data, triggering GDPR, GCP, and clinical research regulatory obligations across global operations.
Cybersecurity
Europol Dismantles AudiA6 Crypto Laundering Service
Europol dismantled AudiA6, a cryptocurrency laundering service that processed over $380 million in ransomware extortion proceeds for criminal networks.
Application Security
Three LangGraph Flaws Chain to Remote Code Execution
Three patched LangGraph vulnerabilities chain from SQL injection to remote code execution on self-hosted AI agent framework deployments, researchers disclosed.
Cybersecurity
OnyxC2 Stealer Targets 200+ Apps for $250 Per Month
OnyxC2, a new MaaS information stealer priced at $250 per month, targets 200-plus applications using DLL sideloading and encryption to evade detection.
Cybersecurity
Maine AG Portal Abused to Post Fabricated Breach Notices
Threat actors filed fraudulent breach notices through Maine's AG portal, publishing false disclosures on a government site; VRChat denied the fabricated claim.
Application Security
Fortinet FortiSandbox CVE-2026-25089 Allows Unauthenticated RCE
Fortinet patched CVE-2026-25089, a CVSS 9.1 OS command injection in FortiSandbox's Web UI exploitable by unauthenticated attackers via crafted HTTP requests.
Application Security
OpenSSL Patches 16 Flaws Including Heap Use-After-Free RCE Risk
OpenSSL released 16 security fixes, led by CVE-2026-45447, a HIGH severity heap use-after-free in PKCS7_verify() that may enable RCE via crafted S/MIME messages.
Cybersecurity
Akira Claims Industrial Finisher, NJ Country Club, Architecture Firm
Akira ransomware posted three US victims on June 9: Spray Equipment with 26GB of W-2 records and engineering drawings, Rockaway River Country Club, and SMPC ...
Cybersecurity
Chaos Ransomware Lists Airespring as Iranian False-Flag History Looms
Chaos ransomware listed US telecom provider Airespring on its leak site. Rapid7 documented Chaos as a MuddyWater Iranian APT false-flag tool, complicating attribution.
Application Security
Shai-Hulud Hades Wave Poisons 29 Bioinformatics PyPI Packages
The Shai-Hulud Hades variant targeted ~29 bioinformatics and ML PyPI packages in a second wave, introducing a loader-payload split and bringing the campaign past 100 ...
Application Security
Oracle PeopleSoft CVE-2026-35273: ShinyHunters Breaches 100+ Orgs
Oracle issued emergency mitigations for CVE-2026-35273, an RCE flaw in PeopleSoft, after ShinyHunters breached 300 instances across more than 100 organizations.
Cybersecurity
Nottingham University Breach Exposes Data on 454,600 Students
ShinyHunters posted 40GB of stolen data on 454,600 University of Nottingham students, exposing passport numbers, disability data, and credit card details.
Application Security
Chrome 149 Patches 28 Flaws, Including 12 Use-After-Free Bugs
Cybersecurity
Kyushu Electric Loses Drive With Data on 10.9M Customers
TOP CYBERSECURITY HEADLINES
Application Security
Six Proto6 Flaws in protobuf.js Enable Node.js RCE
Application Security
npm v12 Disables Auto-Run Scripts to Cut Supply Chain Risk
This Week’s Security Spotlight
Application Security
SAP Patches CVSS 9.9 SAML Flaw and ABAP Memory Corruption
Application Security
Veeam CVE-2026-44963 Exposes Backup Servers to Low-Privilege RCE
Application Security
Claude Opus Finds 4-Year Zcash Flaw Enabling Silent Coin Forgery
Trending
Daily Briefing Newsletter
Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Featured Videos
Podcasts
Cyber Security News
- All
- Application Security
- Blog
- CVE Vulnerability Alerts
- Cybersecurity
- Cybersecurity Newsletter
- Data Security
- Endpoint Security
- Identity and Access Management
- Information Security
- Network Security
- News
- Phishing
- Podcasts
- Product Reviews
- Ransomware
- Ransomware Victims
- Resources
- Security Spotlight
- Sponsored
- Threat Actors
- Threat Actors
- Threat Detection Tools
Kyushu Electric Loses Drive With Data on 10.9M Customers
Kyushu Electric Power lost a physical storage device containing personal records on 10.9 million customers, exceeding its active customer base of 8 million.
Anthropic Disputes Jailbreak Claim Against Claude Fable 5
Anthropic disputed a researcher jailbreak claim against Claude Fable 5, arguing the technique does not constitute a bypass of the model's safety classifiers.
Six Proto6 Flaws in protobuf.js Enable Node.js RCE
Six Proto6 vulnerabilities in protobuf.js enable remote code execution and denial-of-service against Node.js apps via malicious schemas or crafted payloads.
npm v12 Disables Auto-Run Scripts to Cut Supply Chain Risk
npm v12 will disable install scripts by default, requiring an explicit allowlist and closing the primary vector used by Miasma and Shai-Hulud attackers.
Anthropic Releases Guardrail-Free Mythos 5 to Security Researchers
Anthropic released Claude Mythos 5 with safety guardrails intentionally removed to vetted security researchers alongside the public Claude Fable 5 launch.
Novo Nordisk Discloses Breach of Clinical Trials Patient Data
Novo Nordisk disclosed a breach of clinical trials patient data, triggering GDPR, GCP, and clinical research regulatory obligations across global operations.
Europol Dismantles AudiA6 Crypto Laundering Service
Europol dismantled AudiA6, a cryptocurrency laundering service that processed over $380 million in ransomware extortion proceeds for criminal networks.
Three LangGraph Flaws Chain to Remote Code Execution
Three patched LangGraph vulnerabilities chain from SQL injection to remote code execution on self-hosted AI agent framework deployments, researchers disclosed.
OnyxC2 Stealer Targets 200+ Apps for $250 Per Month
OnyxC2, a new MaaS information stealer priced at $250 per month, targets 200-plus applications using DLL sideloading and encryption to evade detection.
Maine AG Portal Abused to Post Fabricated Breach Notices
Threat actors filed fraudulent breach notices through Maine's AG portal, publishing false disclosures on a government site; VRChat denied the fabricated claim.
Fortinet FortiSandbox CVE-2026-25089 Allows Unauthenticated RCE
Fortinet patched CVE-2026-25089, a CVSS 9.1 OS command injection in FortiSandbox's Web UI exploitable by unauthenticated attackers via crafted HTTP requests.
OpenSSL Patches 16 Flaws Including Heap Use-After-Free RCE Risk
OpenSSL released 16 security fixes, led by CVE-2026-45447, a HIGH severity heap use-after-free in PKCS7_verify() that may enable RCE via crafted S/MIME messages.
Akira Claims Industrial Finisher, NJ Country Club, Architecture Firm
Akira ransomware posted three US victims on June 9: Spray Equipment with 26GB of W-2 records and engineering drawings, Rockaway River Country Club, and SMPC ...
Chaos Ransomware Lists Airespring as Iranian False-Flag History Looms
Chaos ransomware listed US telecom provider Airespring on its leak site. Rapid7 documented Chaos as a MuddyWater Iranian APT false-flag tool, complicating attribution.
Shai-Hulud Hades Wave Poisons 29 Bioinformatics PyPI Packages
The Shai-Hulud Hades variant targeted ~29 bioinformatics and ML PyPI packages in a second wave, introducing a loader-payload split and bringing the campaign past 100 ...
Oracle PeopleSoft CVE-2026-35273: ShinyHunters Breaches 100+ Orgs
Oracle issued emergency mitigations for CVE-2026-35273, an RCE flaw in PeopleSoft, after ShinyHunters breached 300 instances across more than 100 organizations.
Nottingham University Breach Exposes Data on 454,600 Students
ShinyHunters posted 40GB of stolen data on 454,600 University of Nottingham students, exposing passport numbers, disability data, and credit card details.
FBI Seizes 13 Chinese Spy Sites Targeting U.S. Clearance Holders
The FBI and DOJ seized 13 websites used by Chinese intelligence services to recruit current and former U.S. government workers who hold security clearances.
China-Linked JDY Botnet Hits 1,500 Devices Targeting U.S. Military
Black Lotus Labs tracked the JDY botnet's growth to 1,500-plus compromised devices, with U.S. military networks identified as the primary target sector.
CISA BOD 26-04 Mandates 3-Day Patch Window for Federal Agencies
CISA BOD 26-04 requires all federal civilian agencies to patch critical KEV-listed exploited vulnerabilities within three days, cutting the two-week timeline.