US lawyers file privacy class action against Lenovo • The Register - “When a user lands on the homepage of Website, [sic] the Website loads numerous first and third-party tracking implementations that measure and record user data,” it says, including the likes of TikTok, Facebook, Microsoft, and Google. This allows Lenovo to collect bulk personal data, it claims, and “Lenovo knowingly permits access to, or transfer of, such bulk US sensitive personal data to entities or persons that qualify as covered persons under the DOJ Rule, including its foreign parents that are directly or indirectly controlled by persons in China, such as the Lenovo Group.”
Notepad’s new Markdown powers served with a side of RCE • The Register - Attacker needs only to get an unwitting user to open a Markdown file in Notepad and click a malicious link embedded inside.
Google: China’s APT31 used Gemini to plan US cyberattacks • The Register - “We are going to have to leverage the advantages of AI, and increasingly remove humans from the loop, so that we can respond at machine speed,” Hultquist noted. <— Author’s Note: This is Stupid.
Infosec exec sold eight zero-day exploit kits to Russia: DoJ • The Register - Williams “made it possible for the Russian Broker to arm its clients with powerful cyber exploits that could be used against any manner of victim, civilian or military around the world,” the DoJ said. The broker Williams worked with regularly provided exploits to the Russian government, the DoJ alleged.
Meta Has an AI Patent to Keep You Posting After You Die - Business Insider - “The language model may be used for simulating the user when the user is absent from the social networking system, for example, when the user takes a long break or if the user is deceased,” the patent says.
AI
Anthropic tries to hide Claude’s AI actions. Devs hate it • The Register - When I’m working on a complex codebase, knowing what context Claude is pulling helps me catch mistakes early and steer the conversation."
Pentagon threatens to label Anthropic’s AI a “supply chain risk” - Anthropic is prepared to loosen its current terms of use, but wants to ensure its tools aren’t used to spy on Americans en masse, or to develop weapons that fire with no human involvement. Pentagon officials are insisting, in negotiations with Anthropic, OpenAI, Google and xAI (Twitter/GROK), that the military be able to use their tools for “all lawful purposes.”
Microsoft: Poison AI buttons and links may betray your trust • The Register - Companies are adding hidden instructions to “Summarize with AI” buttons and links placed on websites. Researchers have identified attacks designed to poison the “memory” of AI models with manipulative data, a technique they call “AI Recommendation Poisoning,” to produce biased advice.
Crims
Once-hobbled Lumma Stealer is back with lures that are hard to resist - Ars Technica - Last May, law enforcement authorities around the world scored a key win when they hobbled the infrastructure of Lumma, an infostealer that infected nearly 395,000 Windows computers over just a two-month span leading up to the international operation. Researchers said Wednesday that Lumma is once again “back at scale” in hard-to-detect attacks that pilfer credentials and sensitive files.
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies - “Always validate that accounts listed by candidates are controlled by the email they provide,” Security Alliance said. “Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account.”
Vulns
Microsoft: New Windows LNK spoofing issues aren’t vulnerabilities - “This results in the strange situation where the user sees one path in the Target field, but upon execution, a completely other path is executed. Due to the field being disabled, it is also possible to “hide” any command-line arguments that are provided,” Beukema said. Beukema’s blog: Trust Me, I’m a Shortcut. When Beukema submitted the EnvironmentVariableDataBlock issue to the Microsoft Security Response Center in September (VULN-162145), Microsoft declined to classify it as a security vulnerability, arguing that exploitation requires user interaction and does not breach security boundaries.
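Since Microsoft is not treating this as a vulnerability, the practical response is to triage incoming .lnk files for the two shapes Beukema describes: a shortcut whose EnvironmentVariableDataBlock resolves to a different path than the one the Properties dialog shows, and a shortcut where that block is the only launch target (so the Target field is disabled and any command-line arguments are hidden with it). The script below is an added example, not code from the article or from Beukema’s blog. It walks the MS-SHLLINK layout (header, LinkInfo, StringData, ExtraData blocks) far enough to pull out the LinkInfo local path, the arguments string and the EnvironmentVariableDataBlock target, and flags the mismatch or the disabled-field case. The rule “no LinkTargetIDList and no LinkInfo means the Target field is disabled” is this example’s reading of the article, not a statement from the spec, and the two sample shortcuts are constructed in the block itself with benign targets.

```python
"""Triage .lnk files for EnvironmentVariableDataBlock target spoofing.

Added example (not from the article or Beukema's blog). Layout follows the
public MS-SHLLINK structures; the sample shortcuts at the bottom are constructed
here so the script runs offline."""
import struct
from typing import Optional

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x0001, 0x0002
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x0004, 0x0008, 0x0010
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x0020, 0x0040, 0x0080
HAS_EXP_STRING = 0x0200
ENV_VAR_BLOCK_SIG = 0xA0000001          # EnvironmentVariableDataBlock
STRING_ORDER = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                ("icon_location", HAS_ICON_LOCATION))


def _cstr(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\0", off)].decode("latin-1")


def _link_info_path(info: bytes) -> Optional[str]:
    """LocalBasePath + CommonPathSuffix, the path the Properties dialog displays."""
    info_flags = struct.unpack_from("<I", info, 8)[0]
    if not info_flags & 0x1:            # VolumeIDAndLocalBasePath not set
        return None
    base_off, _net_off, suffix_off = struct.unpack_from("<III", info, 16)
    return _cstr(info, base_off) + _cstr(info, suffix_off)


def parse_lnk(data: bytes) -> dict:
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, shown_path = HEADER_SIZE, None
    if flags & HAS_LINK_TARGET_IDLIST:      # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize includes itself
        size = struct.unpack_from("<I", data, pos)[0]
        shown_path = _link_info_path(data[pos:pos + size])
        pos += size
    strings = {}
    for name, flag in STRING_ORDER:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    blocks = {}
    while pos + 4 <= len(data):             # ExtraData until TerminalBlock (size < 4)
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        blocks[sig] = data[pos + 8:pos + size]
        pos += size
    return {"flags": flags, "shown_path": shown_path, "strings": strings, "blocks": blocks}


def env_block_target(body: bytes) -> str:
    """TargetAnsi (260 bytes) then TargetUnicode (520 bytes); prefer the Unicode copy."""
    ansi = body[:260].split(b"\0", 1)[0].decode("latin-1")
    uni = body[260:780].decode("utf-16-le").split("\0", 1)[0]
    return uni or ansi


def assess(data: bytes) -> dict:
    lnk = parse_lnk(data)
    env = lnk["blocks"].get(ENV_VAR_BLOCK_SIG)
    hidden = env_block_target(env) if env is not None else None
    field_enabled = bool(lnk["flags"] & (HAS_LINK_TARGET_IDLIST | HAS_LINK_INFO))
    shown = lnk["shown_path"]
    verdict = {"shown_target": shown, "launch_target": hidden or shown,
               "arguments": lnk["strings"].get("arguments"), "suspicious": False, "reason": ""}
    if hidden and not field_enabled:        # assumption: no IDList/LinkInfo -> Target field disabled
        verdict.update(suspicious=True, reason="Target field disabled; env block supplies the real path")
    elif hidden and shown and hidden.lower() != shown.lower():
        verdict.update(suspicious=True, reason="Target field shows one path, env block resolves another")
    elif hidden and shown is None:
        verdict["reason"] = "IDList-only target; compare the shell item path manually"
    return verdict


# --- constructed sample shortcuts (benign targets) -------------------------
def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def _link_info(path: str) -> bytes:
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"     # DRIVE_FIXED, empty label
    base_off = 0x1C + len(volume)
    body = volume + path.encode("latin-1") + b"\0" + b"\0"        # empty CommonPathSuffix
    return struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1, 0x1C,
                       base_off, 0, base_off + len(path) + 1) + body


def _env_block(target: str) -> bytes:
    return (struct.pack("<II", 0x314, ENV_VAR_BLOCK_SIG)
            + target.encode("latin-1").ljust(260, b"\0")
            + target.encode("utf-16-le").ljust(520, b"\0"))


def build_lnk(shown_path=None, env_target=None, arguments=None) -> bytes:
    flags, body, extra = IS_UNICODE, b"", b""
    if shown_path:
        flags |= HAS_LINK_INFO
        body += _link_info(shown_path)
    if arguments:
        flags |= HAS_ARGUMENTS
        body += _string_data(arguments)
    if env_target:
        flags |= HAS_EXP_STRING
        extra += _env_block(env_target)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    return header.ljust(HEADER_SIZE, b"\0") + body + extra + struct.pack("<I", 0)


if __name__ == "__main__":
    normal = build_lnk(shown_path=r"C:\Windows\System32\notepad.exe")
    hidden = build_lnk(env_target=r"%SystemRoot%\System32\notepad.exe", arguments=r"C:\Users\Public\notes.txt")
    for label, sample in (("normal", normal), ("hidden-target", hidden)):
        print(label, assess(sample))
```

Run it on real files by reading them with `open(path, "rb")` and passing the bytes to `assess`; anything with `suspicious` set deserves a look at `launch_target` and `arguments`, which is exactly what the Properties dialog will not show the user.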
Apple fixes zero-day flaw used in ’extremely sophisticated’ attacks - Apple has released security updates to fix a zero-day vulnerability that was exploited in an “extremely sophisticated attack” targeting specific individuals. Tracked as CVE-2026-20700, the flaw is an arbitrary code execution vulnerability in dyld, the Dynamic Link Editor used by Apple operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. This affects every version of iOS. Ever. PATCH.
Windows’ original Secure Boot certificates expire in June—here’s what you need to do - Ars Technica - “If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running. However, the device will enter a degraded security state that limits its ability to receive future boot-level protections. As new boot‐level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”
First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials - In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process. The activity has been codenamed AgreeToSteal by the cybersecurity company.
SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer - “Unlike opportunistic malware campaigns that prioritize speed and volume, SmartLoader invested months building credibility before deploying their payload,” the company said. “This patient, methodical approach demonstrates the threat actor’s understanding that developer trust requires time to manufacture, and their willingness to invest that time for access to high-value targets.” The attack essentially unfolded over four stages:
- Created at least 5 fake GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112) to build a collection of seemingly legitimate repository forks of Oura MCP server.
- Created another Oura MCP server repository with the malicious payload under a new account “SiddhiBagul”
- Added the newly created fake accounts as “contributors” to lend a veneer of credibility, while deliberately excluding the original author from contributor lists
- Submitted the trojanized server to the MCP Market
New Linux botnet SSHStalker uses old-school IRC for C2 comms - Researchers at Flare state that SSHStalker’s operation includes noisy SSH scans, one-minute cron jobs, and a large back-catalog of 15-year-old CVEs. “What we actually found was a loud, stitched-together botnet kit that mixes old-school IRC control, compiling binaries on hosts, mass SSH compromise, and cron-based persistence. In other words, a scale-first operation that favors reliability over stealth,” Flare says.
AI Hit Piece
Gatekeeping in Open Source: The Scott Shambaugh Story – MJ Rathbun | Scientific Coder 🦀 - AI-written hit piece
An AI Agent Published a Hit Piece on Me – The Shamblog - Target’s response
Ars Technica Pulls Article With AI Fabricated Quotes About AI Generated Article - AI article about the situation that uses hallucinated AI quotes.
Author’s Note: We are in Hell. I don’t know what layer.
Privacy
Cops Are Buying ‘GeoSpy’, an AI That Geolocates Photos in Seconds - The Miami-Dade Sheriff’s Office (MDSO) and the Los Angeles Police Department (LAPD) have bought access to GeoSpy, an AI tool that can near instantly geolocate a photo using clues in the image such as architecture and vegetation, with plans to use it in criminal investigations, according to a cache of internal police emails obtained by 404 Media.
Author’s Note: Panopticon - Wikipedia
ObscuraCam: The Privacy Camera - Guardian Project - Camera that strips data, adds noise, and blurs faces.
Amazon’s Ring cancels partnership with Flock, a network of AI cameras used by ICE, feds, and police | TechCrunch - A Ring spokesperson has stated that this technology is “not capable of processing human biometrics.” Using footage from Flock cameras, Flock’s government and police partners can make natural language searches of their video footage to find people who match specific descriptions. When this AI-powered technology is used by law enforcement, it has been shown to exacerbate racial biases. Ring even rolled out a facial recognition feature in December called “Familiar Faces,” which allows users to catalog the faces of people who often visit their homes — that way, they might get a notification that says “Mom at Front Door,” rather than “a person is at your door.”
Free Tool Says it Can Bypass Discord’s Age Verification Check With a 3D Model - A newly released tool claims it can bypass Discord’s age verification system by allowing users to control a 3D model of a computer-generated man in their browser instead of scanning their real face.
Homeland Security reportedly sent hundreds of subpoenas seeking to unmask anti-ICE accounts | TechCrunch - The department has now sent hundreds of these subpoenas to Google, Reddit, Discord, and Meta. The subpoenas reportedly focused on accounts that did not have a real name attached and criticized ICE.
Government Loses Hard Drives It Was Supposed to Put ICE Detention Center Footage On - The legal saga over surveillance footage from within an Immigration and Customs Enforcement detention center in suburban Chicago has reached new levels of Kafkaesque absurdity, with the federal government losing three hard drives it was supposed to put footage on, refusing to provide footage from five critical surveillance cameras, and delivering soundless video of a highly contested visit from Department of Homeland Security Secretary Kristi Noem.
Comms
Apple Tests End-to-End Encrypted RCS Messaging in iOS 26.4 Developer Beta - The iPhone maker also pointed out that the availability of RCS encryption is limited to conversations between Apple devices, and not other platforms like Android.
Russia tries to block WhatsApp, Telegram in communication blockade - Telegram’s founder, Pavel Durov, responded to the situation by stating that Russia is trying to encourage its citizens to use the Kremlin-controlled MAX messenger app.
What Should We Do if Signal Messenger Gets Blocked? : anonymous : Free Download, Borrow, and Streaming : Internet Archive - Signal Contingency Plan: Our recommendation is that people download Delta Chat from the app store, make an account, scan their friends’ QR codes to get connected, and then leave it on their phones as a backup in case Signal gets blocked. Continue using Signal, but keep Delta Chat installed as a backup.