Три тонны груза, ноль взрывов, один конкурент.

Защита стала декорацией, пока хакеры присваивают чужое имущество.

Как ультрафинитисты объявили войну основам математики.

Что показало крупнейшее исследование 4600 школ?

Как компания годами помогает мошенникам чистить чужие счета (и чем это полезно).

Выясняем, как хакерам удалось обхитрить систему проверки сертификатов.

Галактики тратят впустую почти весь строительный материал для новых звезд.

Grok понял шифровку, Bankrbot понял буквально, токены ушли.

Китайский DeepSeek-TUI лишает западные корпорации легких денег.

Теперь аналитики знают о BO Team почти всё.

У Европола нашли секретный софт, о котором не знали даже регуляторы.

Французский предприниматель запустил соцсеть eYou с проверкой фактов.

Вопрос для бизнеса уже не в том, случится ли атака, а в том, насколько быстро и грамотно организация сможет на неё отреагировать и минимизировать последствия.

Скорость и качество реагирования на инциденты в области информационной безопасности напрямую влияют на бизнес-показатели.

Константин Мушовец порекомендовал компаниям, выстраивающим систему реагирования на инциденты, в первую очередь обратить внимание на решения класса EDR.

Использование ИИ при реагировании на инцидентыАлександр Григорян рассказал, что его департамент разрабатывает собственный инструментарий для расследования и реагирования на инциденты на всех этапах жизненного цикла.

Ключевая проблема многих организаций кроется не в …

Согласно судебным документам, речь шла не о взломе Signal, не о компрометации его серверов и не о расшифровке трафика.

Обновление вышло 22 апреля 2026 года и доступно для iPhone 11 и новее, а также для ряда iPad; параллельно Apple выпустила исправления и для старой ветки iOS / iPadOS 18.7.8.

Сначала сообщение поступало в Signal на iPhone.

Отключить содержимое уведомлений в мессенджерахНапример, в случае Telegram на iOS это делается через «Настройки» → «Приложения» → «Telegram» → «Уведомления» → «Показывать содержимое».

ВыводыЭтот инцидент не дискредитирует мессенджеры и Signal в частности и не доказывает бесполезность сквозного шифрования.

Анализ мирового и российского рынка показал, что спектр услуг, объединённых под понятием Red Team Operations, стал значительно шире.

Это касается и Red Team Operations (редтиминга), содержание и задачи которых со временем претерпели изменения.

Что такое Red Team OperationsКонцепция Red Team появилась в военной сфере, где силы делились на «синие» (Blue Team) и «красные» (Red Team) для отработки боевых сценариев.

Чем Red Team отличается от пентеста и BASРабота Red Team отличается от традиционного пентеста или имитации атак (Breach and Attack Simulation, BAS).

Мировой рынок услуг по оценке киберзащищённости Red Team OperationsВ зарубежной практике редтиминг чаще называют Red Team Operations ил…

У более чем трети компаний он не изменился, что в условиях инфляции, особенно опережающего роста цен на ИТ-оборудование, также означает фактическое снижение.

На чём и как можно сэкономитьПо мнению участников дискуссии, у CISO есть возможности при необходимости снизить затраты.

Однако, по его наблюдениям, как правило, и та и другая системы являются неполными, что затрудняет такие проекты и создаёт почву для конфликтов.

Дмитрий Найдёнов даже заявил, что при наиболее жёстком прессинге со стороны бизнеса можно пойти на то, чтобы полностью заморозить развитие.

Положение осложняет и то, что популярные SSD-диски, как локальные, так и на серверах и системах хранения, имеют склонность выходить из ст…

Corelight — разрабатывает коммерческую платформу на базе открытого проекта Zeek (бывший Bro), специализируется на сборе и нормализации трафика для передачи в SIEM.

Заказчики выбирают не отдельный NDR, а готовый набор ИБ-продуктов, который также включает SIEM, SOAR, NDR и системы управления уязвимостями, и всё это от одного вендора.

Основные игроки российского рынка NTA/NDR: Positive Technologies (PT NDR), R-Vision (R-Vision NDR), «Солар» (Solar NDR), «Инфосистемы Джет» (КОМРАД NDR), «Гарда Технологии» (Гарда NDR), «ИнфоТеКС» (ViPNet NDR) и «Айдеко» (Айдеко NDR).

PT NAD (Positive Technologies)PT Network Attack Discovery (PT NAD) — система поведенческого анализа сетевого трафика для обнаружен…

Средства ЭП, проверяющие статус аккредитации УЦ, будут строить цепочку до корневого сертификата в TSL и не найдут там соответствующего сертификата АУЦ.

Совокупность всех «должно» необходимо учесть в момент проверки квалифицированной электронной подписи, и вот тут-то многие средства электронной подписи могут дать осечку.

То есть они либо совсем не работали с TSL при проверке, либо не обновляли TSL (работали со старым, в котором ещё не было информации о прекращении аккредитации).

Поэтому, если средство ЭП не умеет проверять электронные подписи с метками доверенного времени, такая подпись будет ошибочно признана недействительной.

Litoria Desktop 2 корректно обрабатывает усовершенствованные фор…

Процесс управления уязвимостями и концепция VOCVulnerability Management — это непрерывный циклический процесс выявления, оценки, приоритизации, устранения и последующей верификации уязвимостей в ИТ-инфраструктуре организации.

Процесс управления уязвимостями (источник: ФСТЭК РФ)Именно на эту схему опирается большинство российских систем Vulnerability Management.

Обзор отечественных систем управления уязвимостямиКоличество систем управления уязвимостями (Vulnerability Management), предлагаемых российскими вендорами, продолжает расти.

Платформа объединяет технологии управления уязвимостями и их жизненным циклом (VM), активами (AM) и внешней поверхностью атаки (EASM), предлагая единый подход к …

Vibe coding — это постоянный диалог разработчика с ИИ, генерация кода «на лету», быстрые итерации без формального дизайна, перенос части инженерных решений в ИИ.

Патч уходит в репозиторий и в CI/CD (continuous integration/continuous delivery).

Контролировать на уровне кода и передаваемых данных отсутствие секретов, персональных данных и другой чувствительной информации в коде и промптах.

Обнаружение секретов, встроенных в код, с помощью ИИ-анализатораINFERA AI.Firewall в реальном времени анализирует все запросы и выявляет секреты в коде, отправляемом на анализ в ИИ-модель.

Для понимания руководства — это как идеальный сотрудник, который внезапно может решить работать на конкурента и не боит…

ВведениеВ условиях изменений на рынке ИТ-решений российские компании активно ищут отечественные альтернативы зарубежным офисным платформам, таким как Microsoft 365 и Google Workspace.

Это связано не только с вопросами импортозамещения, но и с необходимостью соблюдения требований законодательства, обеспечения контроля над данными и снижения зависимости от иностранных сервисов.

Хотя раньше преобладало иностранное ПО, сейчас и коммерческие организации, и госструктуры осознают риски в сфере информационной безопасности, что и побуждает их искать альтернативы.

Платформа должна быть защищённой, стабильной, удобной для ежедневного использования и экономически обоснованной — не только по цене лиценз…

Облако обеспечивает комплексную защиту, ускорение и доступность сайтов, приложений и API в режиме «единого окна» через единый пользовательский интерфейс.

Например, пользователь может настроить блокировку запросов по геолокации, методам запросов и другим параметрам (их более 25).

Пользователь услуги в NGENIX Multidesk или через API может настроить дополнительные правила обработки запросов для блокировки запросов по их параметрам и управления бот-трафиком.

Работа DNS реализована следующим образом:Пользователь услуги делегирует доменную зону DNS-серверам NGENIX и управляет её содержимым через удобный веб-редактор DNS в NGENIX Multidesk, NGENIX API или Terraform.

Решение подходит как для неболь…

Дмитрий Северинов разделил сценарии атак на цепочку поставок на 2 основные группы:те, где данные обрабатываются внутри периметра компании;те, где обработка происходит на стороне поставщика.

Проверка поставщиковНикита Котиков отметил, что в России наблюдается активный рост практики управления рисками в цепочке поставок, которая постепенно становится стандартом на рынке.

Отдельно взятый инструмент или сотрудник не в состоянии оценить системные риски — только целостный взгляд позволяет говорить о реальной защищённости».

Автоматизация — единственный устойчивый путь в этой ситуации, и в будущем искусственный интеллект сможет частично заменить аудиторов.

Критически важно выстраивать процессы не н…

В гетерогенной инфраструктуре, где одновременно используются несколько СУБД, такой подход неизбежно приводит к росту числа разрозненных средств защиты и усложняет их сопровождение и контроль.

При этом задача независимого контроля и аудита СУБД по-прежнему актуальна и требует применения специализированных средств защиты, к которым относится, например, «Гарда DBF».

Эффективность применения решений класса DBF на примере «Гарды DBF»«Гарда DBF» — система класса DAM / DBF для защиты СУБД и независимого аудита операций с базами данных и бизнес-приложениями.

Она функционирует вне самой СУБД и обеспечивает централизованный контроль безопасности, включая среды с различными СУБД разных производителей.…

Проблемы и риски для организаций, возникающие в связи с внедрением ИИ (McKinsey, 2026)Пример инфраструктурной поддержки Agentic AIПерейдём к практике.

Цифровая среда разработки AI Factory выстроена из нескольких взаимосвязанных сервисов, которые охватывают полный цикл работы с ИИ.

Приоритетной задачей является освоение навыков использования ИИ и технологий людьми, которые относятся к руководящему составу.

Ценность от внедрения ИИ появляется только тогда, когда технологии доходят до реального внедрения и масштабирования.

Необходимо обеспечить эффективную кибербезопасность, предлагать надёжные продукты и услуги на основе ИИ, обеспечить прозрачность в отношении использования ИИ и данных.

Сообщение в Telegram от хорошего знакомого:Привет UserName, могу я тебя попросить В благотворительном соревновании детских рисуночков принимает участие ребёнок моих родственников — Мария Янкова.

У нас два разных хостинга, потому что у бейта и у боевого домена разные IP.

Краткие выводыСовременный фишинг на Telegram — это не «введите пароль», а полноценный форк клиента с MTProto‑проксированием и Service Worker.

Поэтому единственная надёжная эвристика — смотреть на домен и на сам сценарий («войди в Telegram, чтобы проголосовать»), а не на отправителя.

Любой сайт, который просит ввести номер Telegram или код из Telegram «чтобы за кого‑то проголосовать / получить подарок / подтвердить участие», …

Сегодня познакомим вас с самой долгожданной новинкой апреля — книгой «Алгоритмы на языке Go», которую мы успели выпустить в продажу 30 числа.

Наиболее фундаментальный труд в этой области, который мы переиздаём и допечатываем на протяжении многих лет — это «Алгоритмы» Стивена Скиены (сейчас актуально 3-е издание).

Алгоритмы — это как рецепты: хороший рецепт творит чудеса, позволяя даже скромному коду обогнать сырой и неоптимизированный вариант, запущенный на самом мощном сервере.

Причем идеи алгоритмов универсальны и не зависят от языка программирования — разобравшись в них на Go, вы сможете с тем же успехом применять их и на Python, и на Java, и на любом другом языке.

Мы будем изучать алгор…

Я подготовил для вас статью, в которой расскажу, как можно обнаружить инфостилер, встроенный в библиотеку LiteLLM в результате ее недавней компрометации.

Считаю, что это в целом ни на что не влияет, поскольку самое интересное все равно происходит в двух других скриптах.

Возьмем любое событие из предыдущей выборки и в контекстном меню выберем Parent context.

Поиск событий, связанных с тем же родительским процессом, что и выбранное событиеВидим сработавшие детекторы, которые указывают на создание и эксфильтрацию архива собранных данных.

Итак, предположим, что мы не знаем конкретную реализацию этого шага, но мы точно знаем, что скрипт, инициировавший сбор секретов, запустил вредоносный под.

Так что пока здоровый скептицизм призывает не поддаваться на ИИ-провокации, ждать полноценных технических отчётов с раскрытиями и следить за руками.

На деле же был только пост от ноунейма на BF с сэмплами на Mega и продажей списка файлов за 10 XMR.

И это не на школьном проекте вида “Мой первый сервер”, а на панели, на которой 70+ миллионов доменов висят.

За атакой стояли те же злоумышленники, что и за доставкой фейковых установочников FileZilla в марте.

По оценкам, украдено больше $280 миллионов — так что это не только крупнейшая кража крипты 2026-го, но и кандидат в топ-10 за всю историю.

Проблема даже не в том, что ИИ может ошибаться, а в том, что он делает это уверенно и в промышленных масштабах.

Самое забавное, что в некоторых сценариях новая версия Copilot предложила больше уязвимостей, чем старая.

Также уровень внедрения ИИ в Java (25,45%) и C (27,33%) заметно ниже, чем в TypeScript или C#, из-за жестких требований к стабильности систем.

В 2026 году мало что поменялосьВедь проблема не в недостатке знаний, а в архитектуре.

Ни один из них, естественно, не панацея, и не такие OP как Aardvark и TitanCA.

Очевидно, что ключевой вопрос не в том, использовать ли ИИ, а в том, как именно это делать.

В EdTech ИИ постепенно становится ассистентом как для преподавателей, так и для студентов, а в маркетинге и медиа генеративные технологии уже фактически стали стандартом.

Уже сейчас появляются кейсы, когда отчеты, публикации или деловая переписка явно сгенерированы ИИ — и это приводит как к репутационным, так и к финансовым потерям.

И, возможно, главный риск — это не сама технология, а то, как с ней работают люди.

Та же логика работает и в технической плоскости.

Почему «периметр умер» – не метафора, а инфраструктурный фактТрадиционная модель безопасности стояла на простой посылке: внутри корпоративной сети – доверено, снаружи – враждебно.

Доступ выдаётся не к сети, а к конкретному приложению.

Model Context Protocol на JSON-RPC 2.0 стал де-факто стандартом подключения агентов к инструментам, и здесь мы можем наступиит на старые грабли.

Identity Fabric: операционная модель для CISOIdentity-first на практике – не покупка нового IAM, а новый взгляд на архитектуру безопасности.

Сдвиг от централизованных IdP-баз к идентификаторам, которыми владеет сам пользователь, и к криптографически проверяемым учётным данным.

Это означает, что, если в вашем сервисе/системе есть функция, реализованная с ИИ, например, объект КИИ в транспорте с системой распознавания номеров с помощью ИИ, то система подпадает под определение методики.

ВведениеПеред тем, как анализировать требования методики к безопасности ИИ, давайте посмотрим в исходные требования к ИИ в основном документе – Приказе № 117.

Требования распространяются как на собственные разработки оператора, так и на случаи использования внешних сервисов ИИ (например, API сторонних провайдеров).

В методике и приказе ФСТЭК отсутствуют требования к объяснимости решений ИИ и борьбе с «галлюцинациями» (хотя, например, для госуслуг и КИИ это критично).

Финальные акценты…

Это может пригодиться, если вы собираетесь отдать дамп на анализ внешнему подрядчику и не хотите, чтобы он знал, чем занимается ваше приложение.

Выглядит это примерно так:Чтобы не перестараться и не сломать парсинг самому себе, Eclipse MAT по умолчанию исключает из обфускации классы пакетов java.

В этом случае снятый дамп будет лежать внутри целевого контейнера и его нужно будет забрать оттуда руками (если успеете, пока его не прибил какой-нибудь Kubernetes).

Едва ли много кто сталкивается с этими проблемами, но если вдруг, то вот вариант и на этот случай:Способ 3.

Однако и цель у него иная – оно призвано сократить объём дампа, сохранив его структурную, но не содержательную идентичность.

Форк репозитория — операция настолько привычная, что на нее редко смотрят с подозрением.

Но что, если через обычный форк можно запустить произвольный код на CI/CD-воркере чужой приватной компании?

Имеет ли пользователь права на форк репозитория?

Дополняет эту проблему еще и то, что у такого форка появляются два полноправных владельца: тот, кто инициировал форк, и тот, кому он формально принадлежит.

Всё-таки это критGitFlic позиционирует себя как современная платформа, и в части непрерывной интеграции и развертывания она действительно не отстает от трендов.

Если сервер сообщает о доступности обновления, клиент предлагает загрузить пакет обновления по URL, который указан сервером.

13.04.2026 CISA добавила эту уязвимость в каталог KEV, отметив важность исправления уязвимости до 27.04.2026.

Агентство CISA добавило эту уязвимость в каталог KEV, отметив важность исправления до 06.05.2026.

По данным ShadowServer, на конец апреля в мире в открытом доступе находятся около 1134 потенциально уязвимых серверов SharePoint.

Они обычно в себя включают URL с путями до ресурсов в http://sharepoint_example/_layouts/15/* и нестандартные параметры в запросе.

Но глав­ный тезис я сфор­мулирую пря­мо сей­час: ес­ли план защиты мобиль­ного при­ложе­ния сво­дит­ся к вклю­чению обфуска­тора, то это не план защиты.

ProGuard и R8: первый рубеж обороныДля подав­ляюще­го боль­шинс­тва Android-раз­работ­чиков зна­комс­тво с обфуска­цией начина­лось с ProGuard — бес­плат­ного инс­тру­мен­та, который изна­чаль­но соз­давал­ся как опти­миза­тор и минифи­катор кода, а не как пол­ноцен­ное средс­тво защиты.

Клю­чевой нюанс, который час­то упус­кали из виду, зак­лючал­ся в том, что обфуска­ция в ProGuard «исполь­зует­ся толь­ко в целях минифи­кации (не безопас­ности)».

Индус­трия при­няла это как дан­ность: абсо­лют­ной защиты не сущес­тву­ет, но мож­но сде­лат…

В этой статье мы пос­тарались соб­рать основные исто­рии о безопас­ности OpenClaw в одну хро­ноло­гию.

Штай­нбер­гер пере­име­новал про­ект в Moltbot, а через нес­коль­ко дней — в OpenClaw, потому что Moltbot, по его сло­вам, «не очень ложил­ся на язык».

Вско­ре пос­ле пуб­ликации CERT ста­ло извес­тно, что в ряде государс­твен­ных учрежде­ний и гос­банков Китая зап­ретили уста­нав­ливать OpenClaw на рабочие компь­юте­ры.

Эн­тузи­асты, впро­чем, уже наш­ли спо­соб час­тично сни­зить угро­зу: они мас­сово ску­пают Mac mini для раз­верты­вания OpenClaw на выделен­ном железе.

Не­кото­рые поль­зовате­ли даже заводят для OpenClaw отдель­ные email-адре­са и акка­унты в менед­жерах паролей — как д…

При этом нес­коль­кими дня­ми ранее Свин­цов уве­рял, что пол­ной бло­киров­ки ждать не сто­ит, а Telegram «дос­таточ­но эффектив­но вза­имо­дей­ству­ет» с рос­сий­ски­ми влас­тями.

Вско­ре в ФАС офи­циаль­но под­твер­дили свою позицию: раз­мещение рек­ламных интегра­ций в Telegram, на YouTube, в Instagram, Facebook, WhatsApp и в VPN-сер­висах наруша­ет законо­датель­ство.

Поэто­му для мно­гих бло­киров­ка Telegram, по сути, озна­чала пол­ную перес­борку биз­нес‑модели, а не прос­то сме­ну мес­сен­дже­ра.

Так­же хорошую оцен­ку получил и Telegram X. От­метим, что в кон­це мар­та, с выходом обновле­ния Telegram 12.6.2, в про­филях поль­зовате­лей появи­лись спе­циаль­ные пре­дуп­режде­ния.

Ф…

Тиражи первых двух печатных спецвыпусков «Хакера» уже распроданы полностью, а запасы остальных активно сокращаются на нашем складе.

Печатные спецвыпуски «Хакера» — это не просто подборка старых статей, а коллекционный артефакт и настоящий «срез эпохи», где зафиксированы идеи, подходы и задачи, которые в последние годы двигали инфобез вперед.

Внутри номера тебя ждут лучшие материалы за 2019–2021 годы про Active Directory, SDR, checkm8, VeraCrypt и многое другое.

Также классический для печатных сборников бонус — статьи сопровождаются комментариями авторов и редакции с закулисными деталями, которые не вошли в оригинальные публикации.

В этот спецвыпуск войдут 15–20 самых интересных и важных мат…

Атака на цепочку поставок затронула инструменты компании Checkmarx, привела к краже секретов и утечке данных из приватных репозиториев на GitHub.

В них спрятали дополнительный компонент — аддон MCP, который загружал с GitHub инфостилер, ворующий секреты разработчиков.

Вредонос нацеливался на данные, с которыми работает KICS: токены GitHub, учетные данные AWS, Azure и Google Cloud, npm-токены, SSH-ключи, переменные окружения и даже конфигурации Claude.

Но, как показало дальнейшее расследование, 30 марта атакующие и вовсе похитили с GitHub данные компании.

В Checkmarx заявляют, что уже отозвали и сменили все учетные данные, заблокировали доступ хакеров к GitHub, а также привлекли к расследова…

]ru как spyware, но разработчики мессенджера утверждают, что это ложное срабатывание, которое не имеет отношения к реальному анализу кода.

В отчете сервиса Cloudflare Radar от 30 апреля 2026 года указано, что ресурс классифицируется как шпионское ПО, однако при этом у него есть действительный TLS-сертификат, подтверждающий подлинность.

Компания Cloudflare также отмечала его домены как «шпионское ПО», причем отметку снимали и возвращали снова.

Представители Max уже сообщили СМИ, что не согласны с оценкой Cloudflare.

В пресс-службе мессенджера заявили, что речь идет о ложной классификации:«Классификация Cloudflare вызвана неверной интерпретацией заголовков запросов к сервисам обыкновенной веб…

В cPanel и WebHost Manager (WHM) обнаружили критическую уязвимость, позволяющую обойти аутентификацию и войти в панель управления без учетных данных.

cPanel и WHM — одни из самых популярных панелей управления хостингом на Linux.

Например, хостинг-провайдер Namecheap временно закрыл доступ к портам 2083 и 2087 (они используются cPanel и WHM), чтобы защитить своих клиентов до выхода патча.

Спустя несколько часов после выпущенного Namecheap предупреждения, разработчики cPanel опубликовали собственный бюллетень безопасности, в котором сообщили, что уже устранили проблему в версиях:110.0.97;118.0.63;126.0.54;132.0.29;134.0.20;136.0.5.

Получение доступа к cPanel фактически означает полный захват …

Ис­сле­дова­тели отме­чают, что вре­донос­ный архив регуляр­но обновлял­ся, так что в будущем в него могут добавить допол­нитель­ные пей­лоады.

Са­мый популяр­ный сер­верный софт — Pure-FTPd (1 990 000 сер­висов), за ним сле­дует ProFTPD (812 000) и vsftpd (379 000).

За наруше­ние юри­дичес­ким лицам гро­зит штраф от 500 000 до 1 000 000 руб­лей, а при пов­торном — от 3 000 000 до 5 000 000 руб­лей.

21 000 000 000 долларов США потеряли американцы из-за киберпреступлений По дан­ным ФБР, жер­твы кибер­прес­тупле­ний в США потеря­ли поч­ти 21 000 000 000 дол­ларов США за 2025 год — на 26% боль­ше, чем в 2024 году.

Круп­ней­шие потери свя­заны с крип­товалют­ными схе­мами — свы­ше 11 000 000 00…

Издание Torrent Freak сообщило, что на этой неделе десятки пиратских стриминговых сайтов (включая Sflix, Myflixerz, HDtoday и клоны Fmovies) внезапно перестали открываться.

Все они отображают одинаковую ошибку Cloudflare 521, но, похоже, проблема заключается не в действиях правообладателей, а в сбое общей для ресурсов PaaS-инфраструктуры (Piracy-as-a-Service).

]to и многие другие ушли в офлайн с ошибкой 521.

Отмечается, что в последние годы такие платформы начали выступать не только в роли источников видео, но и как полноценный хостинг для пиратских сайтов.

Сопоставимый по масштабам случай произошел в 2023 году, когда закрыли сервис 2embed, и в офлайн ушло множество ресурсов.

Аналитики «Лаборатории Касперского» предупредили, что хак-группа HeartlessSoul сместила фокус атак: теперь злоумышленники активно охотятся за геоинформационными данными российских организаций, используя JS-RAT и фишинг.

Исследователи отмечают, что группировка активна как минимум с осени 2025 года и по-прежнему концентрируется на российских целях.

Так, среди целей группы — госсектор, предприятия в сфере промышленности и авиационных систем, а также частные пользователи.

Анализ инфраструктуры злоумышленников показал, что HeartlessSoul действует не в одиночку.

С учетом связей с GOFFEE и продолжающейся активности группы, эксперты полагают, что в будущем можно ожидать новых кампаний HeartlessSoul.

По сути, PocketOS представляет собой бэкенд для прокатных сервисов, в котором работает вся критичная бизнес-логика и хранятся данные клиентов.

Но вместо дебага он обратился к API Railway и удалил том (volume).

Проблема заключалась в том, что этот том не был изолирован, и вместе с ним оказалась уничтожена и продакшен-база.

«Агент столкнулся с несоответствием учетных данных и решил — по собственной инициативе — “исправить” эту проблему, удалив том Railway, — рассказывает Крейн.

«Я пишу это, потому что каждый основатель, каждый техлид и каждый журналист, который освещает ИИ-инфраструктуру, должен понимать, что на самом деле произошло, — заявляет глава PocketOS.

В ядре Linux нашли уязвимость CopyFail, которая позволяет получить root-доступ без состояния гонки и сложных эксплоитов.

Уязвимость связана с повышением привилегий, и с ее помощью локальный пользователь без повышенных привилегий может записать данные в кеш страниц, что в итоге позволяет получить root-права практически в любом дистрибутиве последних лет.

Корень проблемы кроется в криптографическом компоненте authencesn, и уязвимость появилась в коде в 2017 году, в результате оптимизации algif_aead.

Он правит бинарник setuid и позволяет получить root-доступ.

Подчеркивается, что эксплоит работает в большинстве дистрибутивов Linux, выпущенных после 2017 года, включая Ubuntu, RHEL, SUSE, Amazon …

Представители видеоплатформы Vimeo сообщили об утечке пользовательских и клиентских данных после атаки на стороннего подрядчика — компанию Anodot, которая занимается обнаружением аномалий в данных.

При этом в компании подчеркивают, что сами видеоролики, действующие учетные данные пользователей и платежная информация в ходе атаки не пострадали.

«Данные, к которым был получен доступ, не включают видеоконтент Vimeo, действующие учетные данные пользователей или информацию о платежных картах.

Учетные данные пользователей и клиентов Vimeo также находятся в безопасности.

После обнаружения атаки специалисты Vimeo отключили все учетные данные Anodot и удалили интеграцию сервиса со своими системами.

Популярный пакет elementary-data из Python Package Index (PyPI) оказался скомпрометирован: злоумышленник опубликовал вредоносный релиз 0.23.3, который похищал секреты разработчиков и файлы криптокошельков.

Из-за особенностей пайплайна вредонос попал не только в PyPI, но и в Docker-образ проекта.

Пакет популярен в экосистеме dbt и насчитывает более 1,1 млн загрузок в месяц.

Пайплайн сам собрал и опубликовал зараженную версию в PyPI, а также отправил вредоносный образ в GitHub Container Registry.

Как объясняют специалисты, это произошло потому, что workflow для релиза в PyPI также содержал job для сборки и публикации Docker-образа.

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation.

The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence.

In September 2020, the threat actor was attributed to a campaign targeting prominent Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware with destructive capabilities.

Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums, li…

Introducing the CyberStars Awards 2026We are launching the Cybersecurity Stars Awards 2026, a global program that recognizes excellence across the cybersecurity industry and highlights outstanding work that often goes unnoticed.

Submissions are now open, and companies, products, and professionals can apply via the official awards portal: https://awards.thehackernews.com/We don’t just want to report the news anymore.

Recognition through the Cybersecurity Stars Awards is not just symbolic.

The Hacker News has built its reputation on independent, reliable reporting for a global audience of security professionals.

The Cybersecurity Stars Awards extend that same foundation to provide credible, v…

Analysts recently confirmed what identity security teams have quietly feared: AI agents are being deployed faster than enterprises can govern them.

AI agents operate differently — they run continuously, span multiple applications, acquire permissions opportunistically, and generate activity at machine speed.

Question 1: "What AI Agents Are Running in Our Environment?"

AI agents are being spun up across business units, embedded in SaaS platforms, integrated via APIs, and built in-house by development teams.

It works inside applications, at the source of identity activity, rather than at the perimeter of a centralized IAM system.

Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks.

"Digital signatures are a certificate of origin, but binary transparency is a certificate of intent."

To that end, Google's production Android applications released after May 1, 2026, will have a corresponding cryptographic entry confirming their authenticity.

"If the software is not on the ledger, Google did not release it as production software.

The development comes amid a string of supply chain attacks that have targeted developers and downstream users of popular software in recent months.

"According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs)," Cisco Talos researchers Alex Karkins and Chetan Raghuprasad said in a Tuesday analysis.

What makes the attack novel is that CloudZ uses the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, permitting the plugin to monitor for active Phone Link processes and potentially intercept sensitive mobile data like SMS and one-time passwords (OTPs) without the need for deploying malware on the phone.

Built into Windows 10 and Windows 11, Phone Link offers a way for…

Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild.

It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any untrusted network.

According to Palo Alto Networks, the vulnerability has come under "limited exploitation," specifically targeting instances where the User-ID Authentication Portal has been left publicly accessible.

The company also said the vulnerability is applicable only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal.

In the absence of a patch, users are advised to…

The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.

This issue affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67.

When reached for comment, Dmitruk told The Hacker News via email that the severity of CVE-2026-23918 is critical, as it can be exploited to achieve denial-of-service (DoS) and RCE.

Additional details of the vulnerability are below -CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2, specifically in the stream cleanup path of h2_mplx.c.

The scoreboard sits at a fixed address for the lifetime of the server, even with ASLR, which is what…

A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky.

"These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin said.

The supply chain attack is active as of writing.

Specifically, three different components of DAEMON Tools have been tampered with -DTHelper.exeDiscSoftBusServiceLite.exeDTShellHlp.exeAny time one of these binaries is launched, which typically happens during system startup…

The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups.

It's currently not known what initial access methods the adversary employs to break into target networks, but it's suspected to involve the tried-and-tested approach of weaponizing zero-day and N-day exploits in web applications.

UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it.

Besides using custom malware, the threat actor sets up alternative means of backdoor access usi…

OAuth grants don't expire when employees leave.

80% of security leaders consider unmanaged OAuth grants a critical or significant risk.

The more pressing issue is that OAuth grants are an active attack vector.

What monitoring actually needs to look likeThe current generation of OAuth security tools addresses OAuth risk at the point of installation.

Material's OAuth Threat Remediation AgentMaterial Security's OAuth Threat Remediation Agent is built around this more complete model of OAuth risk.

The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution.

"MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code," the NIST National Vulnerability Database (NVD) states.

"Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server."

As a result, remote, unauthenticated attackers could exploit this loophole to inject and execute arbitrary PHP code.

As many as 2,000 inst…

In the wake of the ClawdBot fiasco — the viral self-hosted AI assistant that’s averaging an eye-watering 2.6 CVEs per day — the Intruder team wanted to investigate how bad the security of AI infrastructure actually is.

In fact, the AI infrastructure we scanned was more vulnerable, exposed, and misconfigured than any other software we've ever investigated.

Wide open agent management platformsWe also discovered exposed instances of agent management platforms, including n8n and Flowise.

We identified over 90 exposed instances across sectors such as government, marketing, and finance.

Don't wait for an attacker to find your exposed AI infrastructure first.

]net, a gaming platform used by ethnic Koreans living in the Yanbian region in China bordering North Korea and Russia.

Windows versions of BirdCall, dubbed an advanced evolution of RokRAT, have been detected in the wild since 2021.

]net supply chain attack, incorporates a subset of its Windows counterpart, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio.

Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact.

"The Android backdoor has seen active development, and provides surveillance capabilities…

A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.

The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312.

The advisory also noted that the Shadowserver Foundation observed the first signs of active exploitation on March 31, 2026.

Chinese security vendor QiAnXin said it was able to successfully reproduce the remote code execution vulnerability in its own alert released on March 17, 2026.

Security researcher Kerem Oruc has made available a Python-based dete…

In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.

sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS.

Android BirdCall analysisIn this section, we provide a technical analysis of the Android BirdCall backdoor – an Android port of the eponymous Windows backdoor written in C++.

Trojanized Android gamesAndroid BirdCall is distributed via trojanized Android games.

During our research, we observed 12 Zoho WorkDrive drives used by the Android BirdCall backdoor for C&C purposes.

Tony also offers insights that the they may hold for your own cyber-defenses.

Iranian-linked hackers are targeting Rockwell programmable logic controllers (PLCs), with almost 4,000 such devices exposed on the networks of U.S. critical infrastructure organizations, according to a warning from multiple U.S. federal agencies.

How can critical infrastructure organizations using Rockwell PLCs stay safe?

How do the FBI's figures compare to those from 2024 and what was the most damaging scam to affect businesses last year?

Learn this and more from Tony's video and be sure to check out the March 2026 edition of Tony's monthly security news roundup for more insights.

Calm feels like evidence that the danger has passed, which changes behavior in ways that reintroduce the danger.

Yet more trapsThe formal state of an organization’s security is easy to measure and – assuming all turns out well – also easy to feel good about.

When the confidence shattersThis all matters also because a ransomware intrusion is a business continuity event whose effects extend far and wide.

Discipline is everythingIn addition to the right tools and people, security that holds up over time rests on the habit of watching and adapting.

It’s what security tools can ‘convert’ into detections and alerts that let security teams act in time.

GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communication and exfiltration.

GopherWhisper leverages Discord, Slack, Microsoft 365 Outlook, and file.io for C&C communications and exfiltration.

The malware we initially discovered consists of the following:JabGopher: an injector that executes the LaxGopher backdoor disguised as whisper.dll .

GopherWhisper toolset overviewRevealing messagesAs mentioned in the introduction, GopherWhisper is characterized by the extensive use of legitimate services such as Slack, Discord, and Outlook for C&C communication.

In addition, several interesting links to GitHub reposi…

Additionally, the code can also capture the victim’s payment card PIN and exfiltrate it to the operators’ C&C server.

Apart from relaying NFC data, the malicious code also steals payment card PINs.

The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data.

Once installed, the app asks to be set as the default payment app, which can be seen in Figure 10.

Initial request to set the app as the default NFC payment appFigure 11.

Collectively, they pave the way for the intrusion long before the ransom note arrives.

ESET’s detection data shows ransomware rising by 13 percent in the second half of 2025 compared to the prior six months, following a 30-percent increase in the first half of 2025.

Meanwhile, Verizon’s 2025 Data Breach Investigations Report (DBIR) recorded a jump from 32% to 44% in the share of breaches involving ransomware, while the median ransom payment fell from $150,000 to $115,000.

As the products have improved, criminals responded by building a clandestine market for tools designed to disable them.

The sheer investment in EDR killers is, somewhat perversely, the clearest measure of how much damage t…

Ignoring a real breach notification invites risk, but falling for a bogus one could be even worse.

What do fake breach notification scams look like?

Either:The scammers wait for a real breach, and piggyback on the news to send out a fake notification.

Spotting the red flagsFake breach notifications should be easy to spot if you know what to look out for.

Staying safeUnderstanding what to look out for is the first step to staying safe from breach notification scams.

This seems extremely low given the scale and frequency of supply chain incidents – and how broadly ‘supply chain’ really stretches.

Notably, 3CX itself was the downstream victim of another supply chain attack, courtesy of a compromised Trading Technologies X_TRADER installer.

CISOs rated supply chain disruption #2 for 2025 and #2 again for 2026, while CEOs rate supply chain disruption #3 for 2025.

Talk about a supply chain blind spot…What are key considerations around geopolitical supply chain risk?

Resilience is imperativeIn a world of escalating threats and risky interdependencies, supply chain cyber resilience is a competitive differentiator at the survival level.

If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse.

Online scammers only care about one thing: making money, so when new opportunities arise to do just that, they take them.

Recovery fraud is an umbrella for several predatory tactics, all sharing a common goal: the “second strike.”How does recovery fraud work?

This is basically a kind of advance fee fraud.

If you’ve been victimized by recovery scammers, there are a limited set of options available to you.

Threat actors are using AI to supercharge tried-and-tested TTPs.

The former are using AI, automation and a range of techniques to sometimes devastating effect.

But n the other hand, threat actors are just doing what they have done before – supercharging existing tactics, techniques and procedures (TTPs) to accelerate attacks.

Threat actors are:Getting better at stealing/cracking/phishing legitimate credentials from your employees.

Catching threat actors at this point is essential – especially as exfiltration (when it begins) is also being accelerated by AI.

Now just have a think about all of the digital assets you’re likely to leave for loved ones to manage.

From a legal perspective, inheritance laws often don’t include digital assets, online policies can be “opaque” and tools fragmented, it says.

However, a proposed Property (Digital Assets, etc.)

However, a proposed Property (Digital Assets, etc.)

Or a fictitious “account recovery” service provider claiming they can access your loved one’s digital assets for a fee.

The past four weeks have seen a slew of new cybersecurity wake-up calls that showed why every organization needs a well-thought-out cyber-resilience planAs March 2026 draws to a close, ESET Chief Security Evangelist Tony Anscombe looks at some of the top cybersecurity stories that made the news this month and offers insights that they may hold for your cyber-defenses.

Here's Tony's rundown of some of what stood out most over the four or so weeks:The medtech giant Stryker fell victim to a cyberattack that was claimed by the Iran-linked Handala hacktivist group and reportedly wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data,Research by the Google Threat…

This year, AI agents took the center stage – as a defensive capability, but more pressingly as a risk many organizations haven't caught up withThat's a wrap on the RSAC™ 2026 Conference.

For its 35th edition, the conference drew the usual mix of security practitioners, researchers and vendors.

Predictably, AI agents dominated much of the conversation – as a defensive capability, but more pressingly as a risk that many organizations have yet to fully think through.

Watch the video with ESET Chief Security Evangelist Tony Anscombe, who was on the ground all week, to learn more about what else was trending at this year's edition of the event.

If you caught any of them, or stopped by our booth,…

A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses.

Active since at least 2023, Silver Fox initially focused on Chinese-speaking targets before expanding into Southeast Asia, Japan, and potentially North America, running each campaign in a local language.

This pattern isn’t new – similar activity was observed during the same period last year, indicating that Silver Fox deliberately aligns its operations with this season.

In this operation, Silver Fox sends tailored spearphishing emails crafted to look like legitimate HR or tax-related messages.

Silver Fox is clearly do…

Indeed, some now run entirely in the cloud, while many others have paired cloud workloads, often in multi-cloud setups, with on-prem resources that won’t be retired anytime soon.

Of all the things that these organizations have in common, one warrants a closer look: virtual machine (VM) sprawl, or uncontrolled growth of virtual machines that are often left to fend for themselves.

This tracks with the identity-driven nature of cloud workloads, where both the VM itself and what it can access deserves scrutiny.

Catching the anomaly requires connecting what’s happening on the VM itself to what the VM’s identity is doing across the wider environment.

Parting thoughtsVMs are one of the oldest and …

Intel 471 has announced Retroactive Threat Detections (RTD), a new capability within its Verity471 platform.

RTD helps security teams quickly understand the impact of new threats on their environments.

This transforms static intelligence reports into actionable answers within minutes, enabling faster confirmation of compromise and remediation.

“The question every security team gets when a new threat breaks is around if they were hit and how fast they knew,” said Brandon Hoffman, Chief Product and Strategy Officer at Intel 471.

“Our customers don’t need more intelligence, they need intelligence that immediately transfers into defensive action,” said Michael DeBolt, President and Chief Intell…

Extreme Networks has introduced Extreme Agent ONE, a new class of AI agents for enterprise networking.

Moving beyond generic, prompt-based AI, Extreme Agent ONE runs on the Extreme AI stack purpose-built for enterprise environments, which combines advanced AI reasoning, live network context, and operational expertise to transform enterprise networks into systems that detect, decide, and act autonomously within the established governance framework.

Our vision is autonomous networking at scale delivered on a foundation of trust between humans and AI agents, which means fewer disruptions, faster outcomes, and operational efficiency,” said Nabil Bukhari, CTO and President of AI Platforms at Ext…

UiPath has announced the release of agentic AI capabilities on UiPath Automation Suite.

The Automation Suite updates help government agencies and regulated industries accelerate agentic AI and automation adoption and are designed to address strict data sovereignty and compliance requirements.

Key features in the latest release of Automation SuiteThe latest UiPath Automation Suite version enables government agencies to deploy and govern AI and automation securely within their own environments, orchestrating mission-critical workflows end-to-end.

UiPath Maestro serves as the enterprise control plane for agentic automation, orchestrating end-to-end workflows with real-time visibility and contr…

8×8 has released a set of platform updates to the 8×8 Platform for CX that target the operational gaps most commonly stalling organizations, including AI deployments requiring months of integration, queues IT teams cannot monitor in real time, customers abandoning sessions at login, agents stretched across simultaneous digital interactions without visibility into where their attention is going, and CRM integrations limited to natively supported platforms.

The updates, spanning AI agent development, analytics, mobile authentication, and managing frontline teams, are available within the 8×8 Platform, without new infrastructure or additional vendor relationships.

“These updates didn’t come fr…

Post-quantum protection is now available as an optional feature in Proton Mail across all plans, including the free tier.

How post-quantum protection worksOnce enabled, Proton Mail generates new encryption keys designed to protect future encrypted emails against attacks from quantum computers.

Because the feature relies on new encryption keys, users need updated Proton apps that support post-quantum protection.

It does not retroactively re-encrypt the emails already in your mailbox, for now,” Anant Vijay Singh, Product Lead for Proton Mail and Drive, explained.

To enable post-quantum protection, users need to sign in to their Proton account settings, open the “Encryption and keys” section, …

A critical vulnerability (CVE-2026-0300) affecting Palo Alto Networks firewalls is being actively exploited by attackers, the security company acknowledged today, and urged customers to implement mitigations as they are still working on fixes.

About CVE-2026-0300CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software.

Palo Alto Networks says that exploitation is automatable, though it did not speculate on whether the current in-the-wild attacks are automated.

They merely stated that “limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are expos…

New Relic has announced New Relic Knowledge, a new platform capability that integrates telemetry and knowledge sources to enhance issue detection and resolution.

As organizations adopt AI-driven and agentic operations, the reliability of autonomous systems depends entirely on accurate, real-time system context.

Without it, AI agents lack the institutional knowledge needed to correctly diagnose issues or take trustworthy action.

New Relic Knowledge addresses this by delivering a continuous intelligence layer that operates across the entire New Relic Intelligent Observability Platform.

New Relic Knowledge connects telemetry, documentation, and historical incidents to deliver context aware and…

groundcover has expanded its capabilities with new and enhanced offerings across Synthetic Monitoring and Real User Monitoring (RUM).

Proactively detect issues with enhanced Synthetic Monitoringgroundcover’s synthetic performance monitoring empowers teams to identify and resolve issues before they impact users.

Session Replay: See what users experiencegroundcover has introduced Session Replay, now generally available as part of its RUM capabilities, enabling teams to visually replay real user sessions and understand what users experienced.

This ensures that all telemetry, including sensitive session data, remains fully within the customer’s infrastructure.

This approach eliminates the need …

ServiceNow has launched Autonomous Security & Risk to govern every AI agent, identity, and connected asset.

Security and risk crossed $1 billion in annual contract value (ACV) for ServiceNow last year, making it one of the fastest-growing sources of demand on the ServiceNow AI Platform.

“Today’s CISOs have to operate at two speeds: neutralizing threats in real time while reporting risk to the board with conviction,” said John Aisien, SVP and GM, Central Product Management, Security & Risk, ServiceNow.

That is what Autonomous Security & Risk delivers.

ServiceNow’s own security operations team runs Autonomous Risk & Security, handling incidents seven times faster than prior workflows using AI…

Megaport has announced the launch of Megaport DDoS Protection.

As enterprises increasingly migrate to distributed cloud environments, traditional DDoS mitigation has struggled to keep pace with cloud and distributed infrastructure adoption.

Megaport DDoS Protection removes these challenges by integrating fabric-native protection directly into the Megaport network, closing the gap between basic ISP tools and complex enterprise-grade security solutions.

Unlike external providers, Megaport filters traffic within its own network, eliminating the need for traffic redirection to external scrubbing centers, reducing latency, and maintaining control.

Megaport DDoS Protection offers both passive and…

That data foundation is what sets the new operating standard for IT and security in the age of AI.

Tanium Atlas is purpose-built for this moment.

Tanium Atlas runs on a curated ensemble of leading AI models from OpenAI, Anthropic, Google and others.

That depth of data is what makes Tanium Atlas possible — and what makes it powerful,” said Harman Kaur, CTO at Tanium.

“Tanium Atlas doesn’t just give individuals a smarter interface.

Researchers at Striga have disclosed two vulnerabilities (CVE-2026-42248, CVE-2026-42249) in Ollama’s Windows auto-updater that, when chained together, may allow an attacker to covertly plant a persistent executable that runs on every login.

CVE-2026-42249 is a path traversal flaw, and stems from the fact that Ollama’s Windows updater builds the local path for a staged installer directly from HTTP response headers without sanitizing them.

“For the secondary path (CVE-2026-42248 alone, without traversal), Ollama additionally needs to be launched from the Startup-folder shortcut so DoUpgradeAtStartup fires.

“CERT Polska tested 0.15.1 end-to-end with our PoC and listed that as confirmed-vulner…

LastPass has launched Mobile Smart Scanner, a solution that converts photographs of typed or handwritten credentials into structured, ready-to-use password entries that can be reviewed, saved, and autofilled directly from the vault.

Mobile Smart Scanner gives them a simple, secure way to move scattered credentials into a protected vault, with no re-typing required.

Privacy and security design: Mobile Smart Scanner uses on-device optical character recognition (OCR), and scans are never stored or sent to LastPass servers for training or retention.

Business customers will have access to Mobile Smart Scanner at general availability later in 2026.

How does Mobile Smart Scanner work?

Google has revised its Android and Chrome Vulnerability Reward Programs (VRPs), which pay security researchers to report vulnerabilities in Android, Google hardware, and the Chrome browser.

The update raises top bounties to $1.5 million and adjusts rewards for lower-complexity reports.

The maximum reward of $1.5 million applies to a zero-click, full-chain compromise of Pixel devices targeting the Titan M2 security chip with persistence.

“We are revising our program scope to emphasize categories that represent the highest risk to our users,” Google said.

Google is discontinuing additional rewards for renderer remote code execution (RCE) and arbitrary read/write vulnerabilities.

Secure Foundations for AI Workloads on AWSCenter for Internet Security, Inc. (CIS®) helps organizations deploy AI and high-performance compute environments from a trusted, hardened operating system baseline.

CIS Hardened Images® help teams reduce misconfiguration risk, support compliance efforts, and move faster in AWS.

View AWS Marketplace ListingsWhat Are AI-Optimized CIS Hardened ImagesCIS Hardened Images are secure, on-demand, scalable cloud images that help organizations deploy from a more secure operating system baseline.

For AI workloads on AWS, they support GPU-accelerated and distributed compute environments that need stronger security from the start.

Instead of spending days on ma…

DarkSword is a sophisticated piece of malware—probably government designed—that targets iOS.

Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices.

Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword.

These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit.

Hacking PolymarketPolymarket is a platform where people can bet on real-world events, political and otherwise.

Leaving the ethical considerations of this aside (for one, it facilitates assassination), one of the issues with making this work is the verification of these real-world events.

Polymarket gamblers have threatened a journalist because his story was being used to verify an event.

And now, gamblers are taking hair dryers to weather sensors to rig weather bets.

Posted on May 4, 2026 at 5:46 AM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Fast16 MalwareResearchers have reverse-engineered a piece of malware named Fast16.

It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet:“…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.”Another news…

No, it’s an extraordinary number:Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.

We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.

This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.

Our experience is a hopeful one for teams who shake off the vertigo and get to work.

Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up.

This capability will have major security implications, compromising the devices and services we use every day.

The news rocked the internet security community.

Unpatchable or hard to verify systems should be protected by wrapping them in more restrictive, tightly controlled layers.

These are bog-standard security ideas that we might have been tempted to throw out in the era of AI, but they’re still as relevant as ever.

Rethinking Software Security PracticesThis also raises the salience of best practices in software engineering.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

It was used to track a Dutch naval ship:Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside.

Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus.

While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk.

[…]Navy officials reported that the tracker was discovered within 24 hours of the ship’s arrival, during mail sorting, and was eventuall…

404 Media reports (alternate site):The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database….

The news shows how forensic extraction—­when someone has physical access to a device and is able to run specialized software on it—­can yield sensitive data derived from secure messaging apps in unexpected places.

Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.

“We learned that specifically on iPhones, if one…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Is “Satoshi Nakamoto” Really Adam Back?

The New York Times has a long article where the author lays out an impressive array of circumstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Back.

I was a member of the Cypherpunks mailing list for a while, but I was never really an active participant.

I knew a bunch of the Cypherpunks, though, from various conferences around the world at the time.

I really have no opinion about who Satoshi Nakamoto really is.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign.

That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan is the second known Scattered Spider member to plead guilty.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft.

Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities.

For example, a Google Chrome update released earlier t…

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today.

The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by …

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.

REvil never recovered f…

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP.

TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote.

The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices.

That disclosure help…

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan.

Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a.

Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploratio…

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint.

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program.

Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tues…

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025.

“The testimonials are remarkable,” the AI security firm Snyk observed.

WHEN AI INSTALLS AIOne of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant.

Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.

Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape.

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet.

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$.

Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse.

The breach tracking service Constella I…

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms.

Enter Starkiller, a new phishing service that dynamically loads a live copy of the target login page and records everything the user types, proxying the data to the legitimate site and back to the victim.

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et.

“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterp…

I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network …

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows.

CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday.

On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

A prolific data ransom gang that calls itself Scattered Lapsus Shiny Hunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroyin…

This is the picture that US prosecutors have painted of a teenager arrested earlier this month at Helsinki Airport while trying to board a flight to Tokyo.

Prosecutors allege that the teenage suspect took part in at least four Scattered Spider attacks , the earliest in March 2023 - just months after his 16th birthday.

The complaint also alleges that the Scattered Spider gang mocked law enforcement, with one 2024 screenshot reportedly showed failed login attempts captioned "F*** off, FBI."

Scattered Spider is a loosely-formed English-speaking collective of teenagers and young adults who became infamous after the 2023 attacks on MGM Resorts and Caesars Entertainment.

You should also consider …

US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes.

The messages, which began arriving on Monday, came signed by the Iran-linked Handala hacking group, that has spent much of 2026 attacking US and Israeli targets.

A day later, the Handala hacking crew took to its Telegram channel to announce that it had published the names and phone numbers of 2,379 US Marines stationed in the Persian Gulf.

Handala, which first surfaced in late 2023, presents itself as a pro-Palestinian hacktivist group.

If a Marine receives a WhatsApp message naming them and threatening their family, it does not really ma…

All this and more in episode 465 of the “Smashing Security” podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

34-year-old Xu Zewei arrived in Houston, Texas at the weekend after Italian authorities approved his extradition to the United States.

The US Department of Justice alleges that Xu was following orders from officers at the Shanghai State Security Bureau, an arm of China's Ministry of State Security.

According to the FBI, Hafnium targeted more than 60,000 organisations in the United States and successfully broke into over 12,700 of them.

The Chinese Foreign Ministry opposed Xu's extradition to the United States, and claimed that cases are being fabricated against Chinese citizens.

But every so often, a suspect makes the mistake of going on holiday somewhere with an extradition agreement with …

A 21-year-old man suspected of conducting approximately 100 data breaches since late 2025 - including a hack of the French Ministry of National Education that exposed records on almost a quarter of a million employees — has been arrested at his home in western France.

According to French prosecutors, the man was reportedly preparing to dump yet another collection of stolen data online at the time of his arrest on 20 April, and has admitted to using the pseudonym "HexDex" online.

The police investigation began on 19 December last year, when the Paris prosecutor's cybercrime unit received around 100 reports of data exfiltration, all apparently linked to the same perpetrator.

In an interview g…

Yeah, yeah.

Yeah, yeah.

As a journalist, this really, really bugs me because of course, it's really difficult when you cover these cybercrime incidents because the victim here, is it P3?

And the company have been clearly really, really terrible in transparency.

Yeah, yeah, yeah.

Garrett Dutton, better known as G. Love - the front man of blues-hip-hop outfit G. Love & Special Sauce - has learnt that lesson the hard way.

In what must have been a painful admission earlier this month, G. Love described how while setting up a new computer, he downloaded what he believed was the legitimate Ledger Live app from Apple's official App Store.

The bogus app tricked the singer into entering his seed phrase - the master key to his cryptocurrency holdings.

The real Ledger Live app will never ask you for your seed phrase.

In the past Apple has presented its App Store as a more secure and safer place to find and download apps than other operating systems.

Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it. Read more in my article on the Fortra blog.

Right, right.

And by legacy, I mean software that's already out in production that's been out one or more years.

Oh, whether we've got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.

Right, right.

Right, right.

Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers - all reporting back to the same central point.

Between them, before being identified, the extensions had racked up approximately 20,000 installs from the Chrome Web Store.

And to further disguise the reality of what was going on, each malicious Google Chrome extension adopted differing disguises - including posing as a Telegram sidebar client, slot machine games, tools to enhance YouTube and TikTok, or translation tools.

More recently, in 2023, a rogue "ChatGPT for Google" extension…

The fraud landscape has been changed by AI and cryptocurrency in a way that should concern organisations and individuals alike. Read more in my article on the Fortra blog.

All this and more in episode 462 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Dave Bittner.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

But with Amnesty International simultaneously revealing that state-licensed casinos are directly linked to torture and trafficking, serious questions linger about whether enforcement will match the rhetoric.

Cambodia's Law on Combating Online Scams was signed on April 6 in a royal decree, and takes effect immediately.

The scam compound bosses whose activities lead to death face between 15-30 years - or life imprisonment.

According to figures from the United Nations and USAID, between 100,000-150,000 people are exploited in scam compounds across Cambodia.

The hard part is going to be dismantling the criminal networks, protecting the victims, and rooting out corruption and complicity which ha…

And in a surprising twist, it turns out that he was caught out after accidentally trying to swindle a fellow fraudster.

He and his fellow conspirators exploited the fake online relationships to convince their victims into handing over money and personal information.

Owolabi's crimes went beyond romance fraud.

Romance scams remain among the most financially devastating forms of cybercrime, exploiting human emotion rather than technical vulnerabilities.

The victims of romance scam are not tricked by malware.

All this and more in episode 461 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Danny Palmer.

Smashing Security listeners get $1000 off!

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Наши эксперты обнаружили масштабную атаку на цепочку поставок через ПО для эмуляции оптического дисковода DAEMON Tools.

Кого именно атакуютС начала апреля было зарегистрировано несколько тысяч попыток установки дополнительной вредоносной нагрузки через зараженное ПО DAEMON Tools.

Что именно было зараженоВредоносный код был обнаружен в DAEMON Tools начиная с версии 12.5.0.2421 и до 12.5.0.2434.

Если у вас на компьютере (или где-то в организации) используется ПО DAEMON Tools, наши эксперты рекомендуют тщательно проверить устройства на наличие аномальной активности начиная с 8 апреля.

Наши решения успешно защищают пользователей от всего вредоносного ПО, используемого в атаке на цепочку поставо…

Практически в каждом фильме или сериале из вселенной «Звездных войн» присутствуют дроиды.

Кто-то, наверное, скажет: «Да какая разница?» И с точки зрения нормального зрителя будет абсолютно прав.

Дроид — сложная киберфизическая система, повлияв на мотивацию которой атакующий может получить доступ к конфиденциальным данным, а то и вовсе причинить вред настоящему владельцу.

В нескольких случаях человек, не являющийся формальным владельцем дроида, старается повлиять на его поступки, пытаясь ввести дроида в заблуждение.

Ферн вводит в дискуссию понятие из детских игр — unclaimsies (то есть как бы обнуление прав) и заявляет собственные права на место капитана.

Динамически обновляемый контентКорреляционный контент сегодня — это не статичный набор правил, а процесс: он постоянно развивается и адаптируется под актуальные угрозы.

Только за 2025 год мы выпустили 55 обновлений пакетов правил для разных версий и разных языков нашей SIEM-системы KUMA.

Всего за год добавилось 10 новых пакетов, а также 250 правил обнаружения и множество улучшений существующего контента.

Эффективность работы KUMA повышается за счет интеграции с Kaspersky EDR и отдельными наборами правил для Active Directory, в которых реализованы десятки сценариев обнаружения атак на разных стадиях.

В целом SIEM перестает быть набором правил и превращается в постоянно обновляемую систему об…

В случае если авто или его владелец потенциально связаны с преступлением, автомобиль могут изучать не только под микроскопом и ультрафиолетом.

Комплексная слежкаДля слежки за «лицами, представляющими интерес», данные, полученные с самого автомобиля, связывают с информацией из других источников.

Журналисты обнаружили, что некоторые компании рекламируют возможность дистанционного скрытного включения микрофонов и камер автомобиля, что позволяет прослушивать разговоры в реальном времени.

Если это приложение вам очень нужно, откажитесь от передачи своих данных «на сторону» в настройках фирменного приложения.

Откажитесь от передачи данных и в настройках самого автомобиля, если это возможно.

Например, приложение, которое обрабатывает конфиденциальные данные организации, опубликовано на публичном конструкторе вайб-код-приложений (Lovable и ему подобным) и по умолчанию доступно всему Интернету.

Нельзя один раз проделать упражнение «защита приложения» и на этом остановиться.

Всегда просите ИИ добавлять проверки для любых данных, которые вводят люди (как в формы, так и в строки поиска).

Тестируйте новые функции и новые версии приложения в безопасной среде — на копии сайта или приложения и на копии базы данных.

С помощью сканера вы проследите, чтобы файлы с ключами и паролями не попадали в Git и не публиковались вместе с проектом.

Преступники внедряют уже известные трюки в новые цепочки атак, в том числе ловят жертв в App Store.

Подделки под криптокошелькиВ марте этого года мы обнаружили в топе китайского App Store фишинговые приложения, иконки и названия которых мимикрируют под приложения для управления распространенными криптокошельками.

Чтобы приложения были пропущены в App Store, в них добавляли какую-либо базовую функциональность, например игру, калькулятор или планировщик задач.

Установка без App StoreКлючевой частью схемы является установка вредоносов на iPhone жертв в обход App Store и его процесса верификации.

Такие приложения не требуют публикации в App Store, и их можно устанавливать без ограничений по кол…

Возможно, именно это в какой-то мере сформировало их отношение к информации и сподвигло заняться ее защитой.

То есть, по сути, описана виртуальная реальность, неотличимая от настоящей (и это за 35 лет до «Матрицы»).

«Нейромант» (1984)«Нейромант» — книга, опубликованная в 1984 году и, по сути, положившая начало популярности жанра «киберпанк» (хотя само слово было изобретено немного раньше).

И эту идею отложили в долгий ящик, и она до сих пор так и не реализовалась.

Это уже не фантастика, и в этой подборке он стоит скорее для контраста.

Такие документы — лакомый кусочек для злоумышленников, ведь в них хранятся личные данные, информация о работе, доходах, собственности и банковских счетах — и далее по списку.

Неудивительно, что именно в это время мошенники становятся особенно активными: Интернет сейчас буквально кишит поддельными сайтами, имитирующими государственные ресурсы и налоговые органы.

В этом посте рассказываем, как действуют поддельные сайты от «налоговых органов» в разных странах и чего делать точно не стоит, чтобы сохранить свои деньги и конфиденциальную информацию.

На подобных сайтах-подделках мошенники крадут учетные данные от легитимных сайтов и личную информацию, а затем предлагают оформить налоговый вычет и…

«Оптика» уже давно является стандартным средством передачи данных благодаря возможности транслировать информацию с высокой скоростью и на большие расстояния.

Потенциально это позволяет превратить оптоволоконный кабель в микрофон и перехватывать разговоры в помещении, находясь в километрах от источника звука.

Конечно, данная работа имеет скорее теоретический характер, как и другие подобные исследования, о которых мы писали ранее (прослушивание через датчик мыши, модули оперативной памяти как радиопередатчик, похищение данных с сенсора камеры видеонаблюдения, подглядывание в экран через кабель HDMI).

Трудности оптического подслушиванияВпервые о таких особенностях оптического кабеля задумались…

Если компания производит программное обеспечение, то злоумышленники получат возможность организовать масштабную атаку на цепочку поставок для атаки на пользователей разрабатываемого приложения.

Варианты атак на разработчиков ПОВыбрав целью разработчика программного обеспечения, злоумышленники, как правило, пытаются теми или иными способами подсунуть ему вредоносный код.

Вредоносный код в тестовых заданияхПериодически злоумышленники публикуют привлекательные вакансии для разработчиков и снабжают их тестовыми заданиями, в которых содержится вредоносный код.

Атака была направлена на разработчиков, которые пытаются найти способ использовать ассистентов без ведома ИБ-службы компании.

Узкоспециал…

DarkSword и Coruna — два новых инструмента для бесконтактных и незаметных атак на iOS-устройства, которые уже активно используются злоумышленниками «в дикой природе».

Однако DarkSword и Coruna, обнаруженные исследователями кибербезопасности в этом году, меняют правила игры: эти зловреды уже используются для массового заражения рядовых пользователей.

Получается зловред двойного назначения, который может использоваться как для шпионажа, так и для кражи криптовалюты.

Последняя версия Coruna, как и DarkSword, имеет модификации для кражи криптовалюты, а также ворует фотографии и в некоторых случаях электронную почту.

Кто создал Coruna и DarkSword и как они попали в «дикую природу»Исследование ко…

Помимо экранных дикторов, для помощи незрячим и слабовидящим существуют и специальные приложения и сервисы для мобильных устройств, среди которых один из самых популярных — Be My Eyes.

Кроме того, в Be My Eyes встроен ИИ, который может распознавать и озвучивать текст и называть объекты вокруг.

Приложение для Windows, Android и iOS позволяет незрячим и слабовидящим обращаться за помощью к волонтерам по видеосвязи с любыми бытовыми вопросами.

Мы также рекомендуем установить на все ваши устройства — и смартфоны, и компьютеры — надежное защитное решение, которое заблокирует попытки фишинга и перехода на вредоносные или подозрительные сайты.

При этом фото и видео шифруются как при передаче, так …

Так случилось с исследованиями GDDRHammer и GeForge: в них описаны две очень похожие атаки класса Rowhammer.

Заодно была продемонстрирована возможность атаки на оперативную память более новых стандартов — DDR4 и DDR5.

За счет этого обеспечивается возможность произвольного чтения и записи данных в видеопамять и даже чтение и запись в основную оперативную память, управляемую центральным процессором.

Насколько атаки на графическую память реалистичны?

Так что, несмотря на остающиеся ограничения, эти три исследования показывают, что атаки Rowhammer остаются опасными.

В результате компьютер жертвы отправляет исходящий трафик не в сеть, а атакующему.

Атаки на RAIDUS.

Затем атакующий сможет создать фальшивый RAIDUS-сервер и точку доступа и перехватывать данные подключившихся устройств.

Как защитить корпоративную сеть от AirSnitchУгроза наиболее реальна для организаций, использующих гостевые и корпоративные сети Wi-Fi на одних и тех же точках доступа без дополнительной сегментации VLAN.

В любом случае нужно перестать воспринимать «изоляцию клиентов» на точке доступа как меру безопасности и считать ее скорее элементом удобства.

The Missing Surface: Security ContextAsk a SOC analyst what they need from a security platform and you get consistent answers.

Cisco Secure Access now includes Security Insights: a security analytics dashboard that surfaces where risk is concentrated, helps teams identify emerging threats and policy gaps, and gives security leadership the trend data to report on posture and measure the impact of initiatives over time.

Secure Access addresses this through the AI view, which tracks GenAI application usage and guardrail violations alongside the rest of security operations.

Security Insights gives analysts the signals to start an investigation, security managers the view to close policy gaps, a…

The integrity of the systems we depend on, the trust layer underneath everything, is equally exposed.

This integrates naturally with external key management systems, including Quantum Key Distribution platforms for the most sensitive environments.

In the meantime, visit the Cisco Trust Center to learn more about our PQC approach and stay ahead of what’s coming.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Cisco Catalyst SD-WAN for Government integration with Cisco Secure Access FedRAMP instances: Government agencies require secure, compliant networking solutions that meet stringent federal security standards.

Cisco Catalyst SD-WAN for Government now integrates with Cisco Secure Access FedRAMP instances, enabling government organizations to maintain secure connectivity while ensuring compliance with federal security standards.

Policy groups in Cisco Catalyst SD-WAN Manager enable agencies to define IPSec tunnels and connection parameters to Secure Access instances, ensuring secure and compliant access across their network infrastructure.

AI application classification and shadow AI control: Ci…

With modular N+1 clustering (supporting up to 16 nodes), the 6100 Series scales to up to 8 Tbps of L7 throughput.

Using our AI-driven Encrypted Visibility Engine (EVE), the 6100 Series identifies threats in encrypted traffic without decryption, preserving privacy and line-rate speed.

Because at this scale, security shouldn’t hold you back—it should help you move faster.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Cisco Secure Firewall uses encryption for many things: VPN tunnels, remote management, hardware-level trust, and inline decryption.

They also define stronger baselines of security for existing algorithms, which are already incorporated into Cisco Secure Firewall.

Support arrives in Secure Firewall Threat Defense (FTD) 10.5 and ASA 9.25, targeted for General Availability in late 2026.

PQC support for TLS client features is planned for ASA/FTD 11.0, while management web server PQC support depends on underlying web server library readiness.

Cisco Secure Firewall is building post-quantum cryptography into every layer of the platform, so that when your organization is ready to make the transitio…

At this year’s Mobile World Congress in Barcelona, service providers showed up from around the world to join over 115,000 attendees from 210 countries.

We leveraged the lessons learned from previous SOC deployments, adding the new Secure Firewall 6160, which is designed specifically for AI-ready data centers.

Clockwise from the upper left quadrant: Firepower in Security Cloud Control, Splunk Cloud dashboard for MWC, Splunk Enterprise Security Mission Control and Cisco XDR.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

Mobile World Congress (MWC) Barcelona is one of the most demanding environments for network and security operations.

For the 2nd year, the Cisco team leveraged Splunk, in addition to its other security products, to deliver a unified Security Operations Center (SOC) and Network Operations Center (NOC) experience.

Clockwise from the upper left quadrant: Firepower in Security Cloud Control, Splunk Cloud dashboard for MWC, Splunk Enterprise Security Mission Control and Cisco XDR.

Bridging SOC and NOC: From Visibility to ContextTraditionally, SOC and NOC teams operate in parallel, often using separate tools and datasets.

Edge engineering still matters in cloud-first architecturesComponents like …

Among the new security features, the one I was most eager to explore was Shadow Traffic detection.

Observing Shadow Traffic at scale on the live congress wireless network provided useful insight.

The Shadow Traffic dashboard put Tailscale VPN, ExpressVPN, and NordVPN at the top of the list.

Shadow Traffic detection conveniently labels the suspicious connections, making filtering in the Unified Events Viewer straightforward and precise.

With Shadow Traffic detection, you expand visibility into inspection gaps that most organizations don’t even realize they have.

Please note that the network of the venue remains protected at the DNS level by Cisco Secure Access outside the event.

Access to these AI models can be managed with Secure Access to secure AI apart from just leveraging AI for security.

During the event, Secure Access blocked access to one of those phishing domains.

Secure Access Investigate, as appearing above, provides real-time actionable threat intelligence by analysing global data from the Secure Access network using AI to detect, score, and predict emerging threats.

ConcludingThe AI-powered Security and Network Operations Center (S/NOC) at Mobile World Congress 2026 demonstrated Cisco’s commitment to leveraging cutting-edge technologie…

Data optimization in security is often discussed as a cost control mechanism.

In a Splunk security stack, data optimization is not about reducing volume.

Advanced Optimization Blind Spots in Splunk Security EnvironmentsData Model Acceleration Blindness: Aggressive filtering often breaks Common Information Model (CIM) compliance or data model population.

Security data optimization must include: Search workload modeling; concurrent triage simulation; adversary emulation exercises.

Final Thought and Call to ActionIn Splunk security architectures, data optimization is not a storage tuning exercise, finance initiative, or infrastructure refresh it is a security engineering discipline.

Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape.

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security.

For the full discussion, head over to the Cisco Talos blog where you can also download the Year in Review report.

Old vulnerabilities, new speedMarshall: One of the clearest trends in this year’s data is the contrast in how vulnerabilities are being exploited.

Read full post on the Cisco Talos blogWe’d love to hear what you think!

Our research shows that nearly 60% of security leaders view security concerns as the primary barrier to broader agentic AI adoption.

At the exact same time, 29% rank securing agentic AI among their top three priorities for the coming year.

Much like a public-facing web service, an external AI agent can be attacked, exploited, or “poisoned” by malicious inputs.

The “Who Owns This?” ProblemAs agentic AI expands into operational systems, who is actually responsible for securing it?

Explore our Agentic AI Security Solution to learn more, or view the full survey results infographic.

Welcome to the Agentic AI EraEnterprise interest in agentic AI is accelerating.

AI agents operate at machine speeds to execute complex tasks, yet they completely lack essential human judgment and contextual awareness.

Current challenges in the agentic AI ecosystemWhen our teams were analyzing the problem around governing this new digital AI workforce, we saw three areas across our customer and prospect conversations on why zero trust access built for humans must adapt to agentic workflows:Early and fragmented ecosystem.

Zero trust for agentic AI in practiceLet’s look at a typical scenario — a financial automation agent kicking off vendor payments.

We are thrilled to partner with AI-driven o…

Meet Cisco Talos Incident Response, or Talos IR – our frontline response team.

Talos IR works holidays, weekends, and through the night because someone on the other end of that call is counting on us.

The threats responders see in the field today become the protections in Cisco products tomorrow.

Different perspectives, same missionAsk a Talos IR team member why they do this work and you will get different answers.

Unlike many security roles, incident responders build deep connections with the people they help.

Part 2 is about the uncomfortable reality that our identity systems are unprepared for what’s already here.

The Attacks from Part 1 Were Identity FailuresEvery major attack examined in Part 1 was, at its core, an identity problem.

Every one expands the potential damage of a security breach, and our identity systems were not built for this.

What Workload Identity Gets Right — And Where It Falls ShortThe security industry’s answer to machine identity is SPIFFE, and SPIRE, a standard that gives every workload a cryptographic identity card.

Today’s workload identity systems typically assign the same identity to every copy of an application when instances are functionally identical.

Microsoft Defender detectionsMicrosoft Defender customers can refer to the list of applicable detections below.

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

]com Domain Domain hosting sender email address 2026-04-14 2026-04-16 Gadellinet[.

]com Domain Domain hosting sender email address 2026-04-14 2026-04-16 Harteprn[.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen…

Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major Linux distributions including Red Hat, SUSE, Ubuntu, and AWS Linux.

CVE-2026-31431 (also known as “Copy Fail”) is a high‑severity local privilege escalation (LPE) vulnerability affecting the Linux kernel’s cryptographic subsystem.

Tactic Observed activity Microsoft Defender coverage Execution Exploitation of CVE-2026-31431 Microsoft Defender Antivirus– Exploit:Linux/CopyFailExpDl.A– Exploit:Python/CopyFail.A– Exploit:Linux/CVE-2026-31431.A– Behavior:Linux/CVE-2026-31431Microsoft Defender for Endpoint– Possible CVE-2026-31431 (“Copy Fail”) vulnerability explo…

Microsoft Defender is investigating a high-severity local privilege escalation vulnerability (CVE-2026-31431) affecting multiple major Linux distributions including Red Hat, SUSE, Ubuntu, and AWS Linux.

CVE-2026-31431 (also known as “Copy Fail”) is a high‑severity local privilege escalation (LPE) vulnerability affecting the Linux kernel’s cryptographic subsystem.

Tactic Observed activity Microsoft Defender coverage Execution Exploitation of CVE-2026-31431 Microsoft Defender Antivirus– Exploit:Linux/CopyFailExpDl.A– Exploit:Python/CopyFail.A– Exploit:Linux/CVE-2026-31431.A– Behavior:Linux/CVE-2026-31431Microsoft Defender for Endpoint– Possible CVE-2026-31431 (“Copy Fail”) vulnerability explo…

Microsoft Agent 365 Now generally available for commercial customers.

Additionally, we’re announcing the previews of new Agent 365 capabilities and integrations to help you scale agent adoption with the right controls in place.

Agent 365 software development company launch partnersAgent 365 Software Development Company Launch Partners have built agents fully enabled to be managed by Agent 365.

These Agent 365 enabled agents are then observable, governable, and securable in the Agent 365 control plane, accelerating adoption for your organization.

Each of today’s announcements build upon Agent 365 capabilities we shared in March 2026 as well as detailed feedback of customers using the Frontie…

New capabilities in Microsoft Agent 365; new Microsoft Defender and GitHub integrationAt Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI.

In the Loop is a new series from Microsoft Security that delivers timely news and updates to the global security community.

New demo: Run a data security investigation in Microsoft PurviewData Security Investigations Get started ↗Step into the role of a data security analyst and see how Microsoft Purview Data Security Investigations helps you identify investigation‑relevant data, analyze it using AI‑powered deep content analysis, and mitigate sensitive data risks—all within a s…

New capabilities in Microsoft Agent 365; new Microsoft Defender and GitHub integrationAt Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI.

In the Loop is a new series from Microsoft Security that delivers timely news and updates to the global security community.

New demo: Run a data security investigation in Microsoft PurviewData Security Investigations Get started ↗Step into the role of a data security analyst and see how Microsoft Purview Data Security Investigations helps you identify investigation‑relevant data, analyze it using AI‑powered deep content analysis, and mitigate sensitive data risks—all within a s…

This blog provides a view of email threat activity across the first quarter of 2026, highlighting key trends in phishing techniques, payload delivery, and threat actor behavior observed by Microsoft Threat Intelligence.

Monthly CAPTCHA-gated phishing volume by distribution method (Q1 2026)Another notable shift in CAPTCHA-gated phishing attacks was the erosion of Tycoon2FA’s impact on the landscape.

Example of file names used in the campaign include the following:_statements_inv_.svg401K_copy___241.svgCheck_2408_Payment_Copy___241.svgINV#_1709612175_.svgListen_().svgPLAY_AUDIO_MESSAGE____241.svgIf an attached SVG file was opened, the user’s browser would open locally and fetch content from o…

This blog provides a view of email threat activity across the first quarter of 2026, highlighting key trends in phishing techniques, payload delivery, and threat actor behavior observed by Microsoft Threat Intelligence.

Monthly CAPTCHA-gated phishing volume by distribution method (Q1 2026)Another notable shift in CAPTCHA-gated phishing attacks was the erosion of Tycoon2FA’s impact on the landscape.

Example of file names used in the campaign include the following:_statements_inv_.svg401K_copy___241.svgCheck_2408_Payment_Copy___241.svgINV#_1709612175_.svgListen_().svgPLAY_AUDIO_MESSAGE____241.svgIf an attached SVG file was opened, the user’s browser would open locally and fetch content from o…

In this blog, Rico Mariani, Deputy CISO for Microsoft Security Products, Research Infrastructure, and Engineering Systems shares some of his best practices and expertise in conducting risk reviews.

Risk reviews are also a topic I’ve lent focus to during my first six months as Deputy CISO for Microsoft Security.

With good network isolation comes the ability to log any attempts to gain access at the perimeter, and potentially even internally.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

In this blog, Rico Mariani, Deputy CISO for Microsoft Security Products, Research Infrastructure, and Engineering Systems shares some of his best practices and expertise in conducting risk reviews.

Risk reviews are also a topic I’ve lent focus to during my first six months as Deputy CISO for Microsoft Security.

With good network isolation comes the ability to log any attempts to gain access at the perimeter, and potentially even internally.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

This is where Microsoft Sentinel UEBA adds value.

The Microsoft Sentinel UEBA ML engine maintains these automatically with baseline windows that vary by enrichment (ranging from 7 to 180 days).

Built-in anomaly surfaced: Names of built-in Microsoft Sentinel UEBA anomalies you can pivot to during triage, including AnomalyScore (0–1) and AnomalyReasons in the Anomalies table.

AWS environment onboarded to Microsoft Sentinel UEBAEnsure that AWS CloudTrail (management events and, where applicable, object-level data) is connected, and UEBA is enabled for the AWS data source.

The Microsoft Sentinel UEBA Essentials solution provides additional built-in queries.

This is where Microsoft Sentinel UEBA adds value.

The Microsoft Sentinel UEBA ML engine maintains these automatically with baseline windows that vary by enrichment (ranging from 7 to 180 days).

Built-in anomaly surfaced: Names of built-in Microsoft Sentinel UEBA anomalies you can pivot to during triage, including AnomalyScore (0–1) and AnomalyReasons in the Anomalies table.

AWS environment onboarded to Microsoft Sentinel UEBAEnsure that AWS CloudTrail (management events and, where applicable, object-level data) is connected, and UEBA is enabled for the AWS data source.

The Microsoft Sentinel UEBA Essentials solution provides additional built-in queries.

Recent advances in AI model capabilities are changing how vulnerabilities are discovered and exploited.

AI models can autonomously discover weaknesses, chain multiple lower-severity issues into working end-to-end exploits, and produce working proof-of-concept code.

In addition, Microsoft Security customers will have access to capabilities that enable them to assess their exposure and take action.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content.

Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic.

(Source: GitHub/swisskyrepo)When searching for prompt injections naively, the majority of detections are benign content – false positives in our case.

Malicious: ExfiltrationWe were able to observe a small number of prompt injections that aim at theft of data.

Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities.

Following our previous discussion on "Deploying Rust in Existing Firmware Codebases", this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware.

Hook-up Rust to modem firmwareBefore building the Rust DNS library, we defined several Rust unit tests to cover basic arithmetic, dynamic allocations, and FFI to verify the integration of Rust with the existing modem firmware code base.

Pixel modem firmware already has a well-tested and specialized global memory allocation system to…

This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.

Session theft typically occurs when a user inadvertently downloads malware onto their device.

Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server.

How DBSC WorksDBSC protects against session theft by cryptographically binding authentication sessions to a specific device.

The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the correspondi…

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.

In our previous blog “Mitigating prompt injection attacks with a layered defense strategy”, we reviewed the layered architecture of our IPI defenses.

Synthetic data generationAfter we discover, curate, and catalog new attacks, we use Simula to generate synthetic data expanding these new attacks.

We partition the synthetic data described above into separate training and validation sets to ensure performance is evaluated against held-out examples.

This process leverages the newly generated synthetic attack data described on this blog, to create a robust, end-to-end evalu…

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.