2025.05.13.News You Should Know

Series: News You Should Know

Microsoft ends Authenticator password autofill, moves users to Edge - App will stop storing passwords. Users have until August 1st to move passwords to another option.

  • June 2025: You can no longer save new passwords in Authenticator.
  • July 2025: Autofill will stop working in Authenticator; stored payment info will be deleted.
  • August 2025: Saved passwords and unsaved generated passwords will no longer be accessible in Authenticator.

FBI: End-of-life routers hacked for cybercrime proxy networks - Threat actors are breaking into edge devices, notably Linksys and Cisco EoL routers, and adding them to residential proxy botnets.

Interestingly, Cradlepoint was temporarily implicated when the FBI Flash failed to specify whose E100, E300, etc. models it meant, causing some online articles to name Cradlepoint as impacted. As of this morning, the Register article still reads incorrectly (End-of-life router botnet shut, 4 ‘foreign hackers’ charged • The Register).

DoD announces overhaul of ‘outdated’ software procurement • The Register - If FedRAMP weren’t already DOA, DoD is introducing its new Software Fast Track (SWFT) initiative, with plans to have a comprehensive framework in the next 90 days.

New Zealand kind-of moves to ban social media for under-16s • The Register - NZ, UK, and AUS move to make Age Verification mandatory for participation in social media.

Delta Air Lines class action cleared for takeoff • The Register - Delta sues CrowdStrike. Passengers sue Delta. Delta offered “partial reimbursements” with a hook: accepting meant giving up all legal recourse. The judge wasn’t very fond of that and is letting the passenger suit move forward.

Vulns

Critical Langflow RCE flaw exploited to hack AI app servers - The Langflow app server has an unauthenticated RCE: send code to the vulnerable endpoint, and the server will run it. CVE-2025-3248

Linux wiper malware hidden in malicious Go modules on GitHub - Go has no central registry enforcing a single, unique name per package, which lets threat actors publish look-alike modules. An analysis from supply-chain security company Socket shows that the payload’s command overwrites every byte of data with zeroes, leading to irreversible data loss and system failure.

Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times - A full RAT is included (read files, write files, execute commands). Other packages impacted:

  • beautifulsoup4 (a typosquat of the BeautifulSoup4 Python library)
  • apache-httpclient (a typosquat of the Apache HttpClient Java library)
  • opentk (a typosquat of the OpenTK .NET library)
  • seaborn (a typosquat of the Seaborn Python library)
  • discordpydebug
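The typosquats above work because a one-keystroke name gets past a human reviewer. The following is an added example (not code from the post or from the researchers) that classifies each name in a requirements file as an exact allowlist match, a near-miss of an allowlisted name, or unknown; the allowlist and the requirements text are constructed sample data, and the `max_distance` threshold is an assumption to tune.

```python
"""Flag dependency names that are exact or near-miss matches of well-known
packages. Added example: the allowlist and the requirements text are
constructed sample data, not a registry feed."""
import re

# Constructed allowlist of well-known names per ecosystem (sample data).
KNOWN_PACKAGES = {
    "pypi": {"beautifulsoup4", "requests", "seaborn", "discord.py", "numpy"},
    "npm": {"rand-user-agent", "lodash", "express"},
}

# First token of a requirements.txt line: the project name.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503-style normalisation: case-insensitive, runs of '-', '_' and '.'
    collapse to a single '-', so 'Discord.py' and 'discord_py' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(name: str, ecosystem: str, max_distance: int = 2):
    """Return ('exact', known) when the name is on the allowlist, ('lookalike',
    known) when it is within max_distance edits of an allowlisted name, and
    ('unknown', None) otherwise. An exact match only says the *name* is right;
    it cannot tell a legitimate index entry from a same-named package on a
    different index, which is why pinning sources and hashes still matters."""
    known = {normalize(k): k for k in KNOWN_PACKAGES[ecosystem]}
    norm = normalize(name)
    if norm in known:
        return "exact", known[norm]
    best = None
    for k_norm, original in known.items():
        d = levenshtein(norm, k_norm)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, original)
    return ("lookalike", best[1]) if best else ("unknown", None)


def scan_requirements(text: str, ecosystem: str = "pypi"):
    """Classify every dependency named in a requirements.txt-style text."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = REQ_LINE.match(line)
        if m:
            name = m.group(1)
            verdict, match = classify(name, ecosystem)
            findings.append((name, verdict, match))
    return findings


# Constructed requirements file: one real name, one one-keystroke typo, and
# the unrelated name from the PyPI report above.
SAMPLE_REQUIREMENTS = """\
beautifulsoup4==4.12.3
requets==2.31.0
discordpydebug
"""

if __name__ == "__main__":
    for name, verdict, match in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:20} {verdict:10} {match or ''}")
```

Run it against a real requirements file by swapping `SAMPLE_REQUIREMENTS` for the file contents; anything reported as `lookalike` deserves a look at the index page before it is installed, and `unknown` names need an allowlist decision.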

Wormable AirPlay Flaws Enable Zero-Click RCE on Apple Devices via Public Wi-Fi - AirBorne allows for a wormable zero-click RCE across visionOS, macOS, tvOS, iPadOS, and iOS. If an infected device reached a network that allowed unrestricted host-to-host communication (say a home network or a corporate network), the device could effectively infect every Apple-based device on the network.

Hackers now testing ClickFix attacks against Linux targets - Remember the Windows + R, CTRL + V captcha users were getting? We’re seeing it on Linux now as well.

CVE/CISA

EU bug database fully operational as US slashes infosec • The Register - The EU’s vulnerability database is up and running, using the new identifier convention EUVD-YYYY-NNNNN.

CISA changes vulnerabilities updates, shifts to X and emails • The Register - CISA notifications are now fragmented across X, email, and GovDelivery? The Known Exploited Vulnerabilities RSS feed is also being cut. This follows other agencies moving information delivery to X, including the Social Security Administration and the National Transportation Safety Board, to name a few, which will only publish on X going forward.
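With the RSS feed gone and identifiers now arriving in two formats, a team needs its own way to merge whatever lands in email, on X, or in a GovDelivery bulletin into one list and check it against KEV due dates. The following is an added example, not CISA’s or ENISA’s code: it extracts CVE and EUVD identifiers from free text and filters a KEV-style catalog by remediation deadline. The catalog and notification texts are constructed samples (the CVE ids are the two quoted in this post, the dates are made up, and the EUVD id is invented to illustrate the format); the `\d{5,}` in the EUVD pattern is an assumption that sequence numbers may grow past five digits.

```python
"""Merge vulnerability identifiers from fragmented notification sources and
check a KEV-style catalog for approaching remediation deadlines. Added
example: the catalog and the notification texts are constructed samples."""
import json
import re
from datetime import date, timedelta

# CVE-YYYY-NNNN+ (MITRE format) and EUVD-YYYY-NNNNN, the convention named in
# the post; '\d{5,}' is an assumption that EUVD sequence numbers may grow.
ID_RE = re.compile(r"\b(?:CVE-\d{4}-\d{4,}|EUVD-\d{4}-\d{5,})\b")


def extract_ids(*texts: str) -> list:
    """Distinct CVE/EUVD identifiers mentioned in any of the texts (an email
    body, a post, a bulletin), sorted so the digest is stable run to run."""
    found = set()
    for text in texts:
        found.update(m.group(0) for m in ID_RE.finditer(text))
    return sorted(found)


# Constructed catalog in the shape of CISA's KEV JSON feed. The field names
# match the published feed; the CVE ids are the two quoted in this post and
# the dates are made-up sample values.
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-3248", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2025-05-05", "dueDate": "2025-05-26",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-27363", "vendorProject": "FreeType", "product": "FreeType",
         "dateAdded": "2025-05-06", "dueDate": "2025-05-27",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})


def due_within(catalog_json: str, today_iso: str, days: int) -> list:
    """cveIDs whose dueDate falls between today and today + days, inclusive."""
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=days)
    return [e["cveID"] for e in json.loads(catalog_json)["vulnerabilities"]
            if today <= date.fromisoformat(e["dueDate"]) <= horizon]


def overdue(catalog_json: str, today_iso: str) -> list:
    """cveIDs whose remediation deadline has already passed."""
    today = date.fromisoformat(today_iso)
    return [e["cveID"] for e in json.loads(catalog_json)["vulnerabilities"]
            if date.fromisoformat(e["dueDate"]) < today]


# Constructed notification snippets standing in for an email and a post.
SAMPLE_EMAIL = "CISA added CVE-2025-3248 (Langflow) to the KEV catalog."
SAMPLE_POST = ("Patch CVE-2025-27363; EUVD-2025-12345 is a made-up id "
               "illustrating the EU format only.")

if __name__ == "__main__":
    print("mentioned:", extract_ids(SAMPLE_EMAIL, SAMPLE_POST))
    print("due in 14 days:", due_within(SAMPLE_KEV, "2025-05-13", 14))
    print("overdue:", overdue(SAMPLE_KEV, "2025-05-13"))
```

To run this against the real catalog, replace `SAMPLE_KEV` with the body of CISA’s published KEV JSON feed; the field names used here are the ones that feed carries.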

Trump would cut CISA budget by $491M amid ‘censorship’ claim • The Register - CISA is set to lose 20% of its budget in 2026 if the Trump White House proposal is taken up by Republicans. The Trump admin pulled most staff from RSA last week, instead introducing Dir of Homeland Security Kristi Noem as a surprise keynote speaker, who used part of her time to rail against the “censorship industrial complex” while key speeches from the NSA (namely the yearly State of the Hack) and other CISA and NSA participants were pulled from panels.

Android

Google fixes actively exploited FreeType flaw on Android; see also: Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

  • Zero-click vuln for Android devices, rooted in the font-parsing library (FreeType)

RaaS

PowerSchool hacker now extorting individual school districts - PowerSchool hackers lied (gasp!) and didn’t delete the data they were paid to delete. Now individual school districts are facing extortion.

Education giant Pearson hit by cyberattack exposing customer data - Pearson hit after a GitLab Personal Access Token is discovered online. The exposed token allowed the threat actors to access the company’s source code, which contained further hard-coded credentials and authentication tokens for cloud platforms. Over the following months, the threat actor reportedly used these credentials to steal terabytes of data from the company’s internal network and cloud infrastructure, including AWS, Google Cloud, and various cloud-based database services such as Snowflake and Salesforce CRM.
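The Pearson chain (one leaked token, then more credentials found hard-coded in the source it unlocked) is exactly what a pre-commit secret scan is meant to break. The following is an added example, not Pearson’s tooling or any vendor’s scanner: it searches source text for vendor-shaped tokens and for secret-looking assignments, and uses a Shannon entropy threshold so default placeholders like `changeme` don’t drown real findings. The sample file is constructed (the AWS value is the placeholder key id AWS uses in its own documentation; the GitLab value is invented and has the right shape only), and the token lengths and `MIN_ENTROPY` cutoff are assumptions to tune.

```python
"""Scan source text for hard-coded credentials. Added example; the sample
file is constructed and the regexes are illustrative approximations of
vendor token formats, not an authoritative rule set."""
import math
import re
from collections import Counter

# Vendor-specific token shapes: GitLab personal access tokens carry a
# 'glpat-' prefix, AWS access key ids start with AKIA/ASIA. Treat the exact
# lengths as assumptions to tune against your own findings.
SPECIFIC_PATTERNS = {
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_-]{20}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
# Catch-all: a secret-looking variable assigned a quoted literal of 8+ chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
MIN_ENTROPY = 3.0   # bits per character; filters 'changeme'-style defaults


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of the value to locate it, never the whole secret."""
    return value[:6] + "..." + "*" * max(0, len(value) - 6)


def scan_source(text: str) -> list:
    """Return one finding per suspicious line: dict(line, kind, preview).
    Vendor patterns win over the generic rule so a line is reported once."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = None
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hit = (kind, m.group(0))
                break
        if hit is None:
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= MIN_ENTROPY:
                hit = ("generic_assignment", m.group(1))
        if hit:
            findings.append({"line": lineno, "kind": hit[0], "preview": redact(hit[1])})
    return findings


# Constructed sample file. The AWS value is the placeholder key id used in
# AWS documentation; the GitLab value is invented and has the right shape only.
SAMPLE_SOURCE = """\
# settings.py (constructed example)
GITLAB_TOKEN = "glpat-AbCdEfGhIjKlMnOpQrSt"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "correct-horse-battery"
admin_password = "changeme"
debug = True
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['kind']:<18}  {f['preview']}")
```

The entropy gate is a trade-off: it drops obvious placeholders, but a weak real password with few distinct characters drops with them, so pair this with a rule that no credential literal belongs in source at all, entropy or not.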

Kickidler employee monitoring software abused in ransomware attacks - Attackers used Kickidler to monitor breached systems. Luckily, Microsoft will install the software for them in the near future with the rollout of Recall!

NPM

Supply chain attack hits npm package with 45,000 weekly downloads - rand-user-agent, used to generate randomized user-agent strings, has been downloaded over 45k times per week over the last 7 months, all while carrying a malicious RAT.

K8s

Microsoft finds default Kubernetes Helm charts can expose data - The researchers highlight three cases of Helm charts that put Kubernetes environments at risk of attacks, summarized as follows.

  • Apache Pinot: Exposes core services (pinot-controller and pinot-broker) via Kubernetes LoadBalancer services without any authentication.
  • Meshery: Public sign-up is allowed from exposed IP, allowing anyone to register and gain access to cluster operations.
  • Selenium Grid: A NodePort exposes the service across all nodes in a cluster, relying only on external firewall rules for protection. The issue doesn’t impact the official Helm chart, but it does affect many widely referenced GitHub projects.
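Two of the three patterns above (Pinot’s LoadBalancer, Selenium’s NodePort) are visible from the Service type alone, so they can be caught after `helm template` or against a live cluster without reading the chart. The following is an added example, not Microsoft’s or any chart maintainer’s code: it lists every Service of an exposing type from `kubectl get svc -A -o json` output and produces the hardened ClusterIP equivalent. The Service list is a constructed sample mirroring the report’s three charts (names and ports are made up); Meshery’s open sign-up is an application setting that this check cannot see.

```python
"""Find Kubernetes Services a Helm chart exposes beyond the cluster and show
the hardened equivalent. Added example: the Service list is a constructed
sample in the shape of `kubectl get svc -A -o json`, not a real cluster."""
import json
import sys

# Service types reachable from outside the pod network. ClusterIP stays
# internal; NodePort opens a port on every node; LoadBalancer asks the cloud
# for a public endpoint. Neither of the latter adds any authentication.
EXPOSING_TYPES = {"NodePort", "LoadBalancer"}

# Constructed sample mirroring the three chart patterns from the report.
SAMPLE_SERVICES = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "pinot-controller", "namespace": "pinot"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]}},
    {"metadata": {"name": "pinot-broker", "namespace": "pinot"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8099}]}},
    {"metadata": {"name": "selenium-hub", "namespace": "selenium"},
     "spec": {"type": "NodePort", "ports": [{"port": 4444, "nodePort": 30444}]}},
    {"metadata": {"name": "meshery", "namespace": "meshery"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 9081}]}},
]})


def externally_reachable(services_json: str) -> list:
    """(namespace, name, type, [ports]) for each Service of an exposing type.
    For NodePort the node-level port is reported, since that is what a
    firewall rule would have to cover."""
    findings = []
    for svc in json.loads(services_json).get("items", []):
        spec = svc.get("spec", {})
        stype = spec.get("type", "ClusterIP")        # ClusterIP is the API default
        if stype not in EXPOSING_TYPES:
            continue
        ports = [p.get("nodePort", p["port"]) for p in spec.get("ports", [])]
        meta = svc["metadata"]
        findings.append((meta["namespace"], meta["name"], stype, ports))
    return findings


def restrict_to_cluster(svc: dict) -> dict:
    """Hardened form: same Service, type ClusterIP, node ports dropped.
    Reach it through an authenticated ingress or `kubectl port-forward`."""
    fixed = json.loads(json.dumps(svc))               # deep copy
    fixed.setdefault("spec", {})["type"] = "ClusterIP"
    for p in fixed["spec"].get("ports", []):
        p.pop("nodePort", None)
    return fixed


def harden_all(services_json: str) -> str:
    """Apply restrict_to_cluster to every Service in the list."""
    doc = json.loads(services_json)
    doc["items"] = [restrict_to_cluster(s) for s in doc.get("items", [])]
    return json.dumps(doc)


if __name__ == "__main__":
    # Pipe real output in:  kubectl get svc -A -o json | python3 expose_check.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICES
    for ns, name, stype, ports in externally_reachable(raw):
        print(f"{ns}/{name}: {stype} on ports {ports}")
```

Running it over `helm template` output requires the rendered YAML to be converted to JSON first (for example with `kubectl create --dry-run=client -o json -f -`); the check itself is the same.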

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.