2026.04.21 News You Should Know


Series: News You Should Know 2026

Geopolitics

Sweden blames Russian hackers for attempting ‘destructive’ cyberattack on thermal plant | TechCrunch - Sweden’s minister of civil defense, Carl-Oskar Bohlin, said during a press conference on Wednesday that the attempted attack happened in early 2025 and attributed the incident to hackers with “connections to Russian intelligence and security services.”

Palantir posts mini-manifesto denouncing inclusivity and ‘regressive’ cultures | TechCrunch - 6. National service should be a universal duty. We should, as a society, seriously consider moving away from an all-volunteer force and only fight the next war if everyone shares in the risk and the cost. The Manifesto:

With US spy laws set to expire, lawmakers are split over protecting Americans from warrantless surveillance | TechCrunch - Known as Section 702 of the Foreign Intelligence Surveillance Act (FISA), the law allows the National Security Agency, the CIA, the FBI and other federal intelligence agencies to record overseas communications that flow through the United States without needing individualized search warrants.

Declassified Report Reveals NSA Broke Surveillance Rules | Project On Government Oversight - Years after Edward Snowden’s jaw-dropping disclosures of sweeping domestic surveillance, the National Security Agency (NSA) continued to violate key rules limiting the government’s ability to conduct warrantless searches of Americans’ electronic communications, according to a declassified September 2021 federal watchdog report obtained by POGO Investigates. The report also found that the NSA still failed to have a system in place meant to prevent these violations of Americans’ privacy rights, more than half a decade after pledges that internal oversight and agency reforms, made in the months following Snowden’s 2013 disclosures, would curb abuses.

Iran claims US used backdoors in networking equipment • The Register - The report linked to above hypothesizes that a hidden backdoor in firmware or bootloader allows remote attacks at a pre-determined time or can be activated by a signal from a satellite. In either scenario, the US uses the backdoor to bring down networks at the most inconvenient moment for Iran. The thrust of the Iranian stories we’ve seen is that US-based vendors are complicit in the installation of backdoors. Another scenario Iranian reports float is that someone has installed a botnet on networking equipment and has therefore been able to target devices from Cisco – and from MikroTik, the Latvian networking equipment vendor that emphasizes its product development takes place within the European Union.

New AgingFly malware used in attacks on Ukraine govt, hospitals - A new malware family named ‘AgingFly’ has been identified in attacks against local governments and hospitals that steals authentication data from Chromium-based browsers and WhatsApp messenger. “A distinguishing feature of AGINGFLY compared to similar malware is the absence of built-in command handlers in its code. Instead, they are retrieved from the C2 server as source code and dynamically compiled at runtime,” CERT-UA explains.

North Korea targets macOS users in latest heist • The Register - These attacks begin with social engineering. The crew creates fake recruiter profiles on social media and networking platforms like LinkedIn and then reaches out to finance professionals with phony job opportunities before scheduling a technical interview - that’s the delivery mechanism for the malware.

US-sanctioned currency exchange says $15 million heist done by “unfriendly states” - Ars Technica - “The digital footprints and nature of the attack indicate an unprecedented level of resources and technology available exclusively to the structures of unfriendly states,” Grinex said. “According to preliminary data, the attack was coordinated with the aim of causing direct damage to Russia’s financial sovereignty.”

Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems - “The malware combines privilege escalation, persistence, USB propagation, and ICS scanning with sabotage capabilities aimed at chlorine and pressure controls, highlighting growing experimentation with politically motivated critical infrastructure attacks against industrial operational technologies globally,” the company said.

Dutch navy frigate tracked by mailing it a Bluetooth tracker • The Register - According to Dutch defence officials Vervaart spoke to for his story, the tracker was found during mail sorting and was disabled. Still, the Ministry is reportedly changing its mail policies in response to the incident and will now ban greeting cards containing batteries along with further reviewing mail guidelines.

Rep. Roy Introduces MAMDANI Act to Denaturalize and Deport members of a socialist party, a communist party, the Chinese Communist Party, or Islamic fundamentalist party, or advocates for socialism, communism, Marxism, or Islamic fundamentalism - “Notwithstanding any other provision of law, any determination made under this subparagraph shall be final and shall not be subject to review by any court.”

AI

Anthropic, Google, Microsoft paid AI bug bounties – quietly • The Register - The researchers targeted Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and Microsoft’s GitHub Copilot, then disclosed the flaws and received bug bounties from all three. But none of the vendors assigned CVEs or published public advisories, and this, according to researcher Aonan Guan, “is a problem.”

Git identity spoof fools Claude into giving bad code the nod • The Register - In a blog published this week, Manifold Security showed how an AI-powered code reviewer built on Claude accepted changes that appeared to come from a legitimate maintainer. By setting a fake author name and email in Git, the team made a commit appear to originate from a trusted source, then passed it through an automated review flow where the model approved it.
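The spoof above works because Git's author name and email are free-form fields that an automated reviewer took at face value. As an added example (not from the article or from Manifold Security's post), here is a small audit that only treats a commit as a maintainer's when its signature verified under a key expected for that maintainer; the addresses, hashes and key fingerprints are constructed placeholders.

```python
import subprocess

# git's %G? codes: G good, B bad, U good/untrusted, X expired, Y key expired,
# R revoked, E cannot check, N no signature. %GF is the signing key fingerprint.
LOG_FORMAT = "%H%x09%ae%x09%G?%x09%GF"

def git_log_lines(repo=".", rev_range="HEAD~20..HEAD"):
    """One tab-separated line per commit from a real repository."""
    out = subprocess.run(["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]

def audit_commits(lines, trusted):
    """trusted maps a maintainer email to the set of key fingerprints allowed to sign for it.
    Returns (sha, verdict) per commit; any verdict starting with 'unproven' is a commit
    that borrows a maintainer identity without proving it and must not get the fast path."""
    findings = []
    for line in lines:
        sha, email, status, fpr = line.split("\t")
        if email not in trusted:
            verdict = "not-maintainer"  # ordinary contributor, normal review path
        elif status != "G":
            verdict = f"unproven: claims {email}, signature status {status}"
        elif fpr not in trusted[email]:
            verdict = f"unproven: claims {email}, signed by unexpected key {fpr}"
        else:
            verdict = "verified"
        findings.append((sha, verdict))
    return findings

# Constructed sample: placeholder hashes, addresses and fingerprints, not real data.
TRUSTED = {"maintainer@example.org": {"FPR-MAINTAINER-PLACEHOLDER"}}
SAMPLE_LOG = [
    "aaaa1111\tmaintainer@example.org\tG\tFPR-MAINTAINER-PLACEHOLDER",  # genuine, signed
    "bbbb2222\tmaintainer@example.org\tN\t",                           # spoofed author, unsigned
    "cccc3333\tmaintainer@example.org\tG\tFPR-OTHER-PLACEHOLDER",      # signed, but wrong key
    "dddd4444\tcontributor@example.net\tN\t",                          # ordinary contribution
]

if __name__ == "__main__":
    for sha, verdict in audit_commits(SAMPLE_LOG, TRUSTED):
        print(sha, verdict)
```

Run it against a real checkout with `audit_commits(git_log_lines("path/to/repo"), TRUSTED)` before any author-based trust decision in a review pipeline.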

Claude Desktop changes software permissions without consent • The Register - One app should not modify another app without asking for and receiving your explicit consent. Yet Anthropic’s Claude Desktop for macOS installs files that affect other vendors’ applications without disclosure, even before those applications have been installed, and authorizes browser extensions without consent.

MCP ‘design flaw’ puts 200k servers at risk: Researcher • The Register - Abusing this logic can lead to four different types of vulnerabilities. Ox argues that Anthropic has the ability and responsibility “to make MCP secure by default.” “One architectural change at the protocol level would have protected every downstream project, every developer, and every end user who relied on MCP today,” the researchers wrote. “That’s what it means to own the stack.”

Claude Opus wrote a Chrome exploit for $2,283 • The Register - Pedhapati said that while $2,283 is a significant sum for an individual to pay, it’s very little if you consider the weeks it would take a person to develop a similar exploit without assistance. Even if you added several thousand dollars for Pedhapati’s time tending the model, that’s still significantly less than the theoretical reward (~$15,000) one might get from Google’s and Discord’s vulnerability reward programs. And that’s just the legitimate market – who knows what criminals might pay for a hot 0-day?

AI-pwned: Vercel breach traced to stolen employee creds • The Register - Researchers at Hudson Rock point to a February infostealer infection as the likely starting point, with Lumma stealer malware lifting corporate credentials from an employee’s machine. The same system was used to download Roblox “auto-farm” scripts and exploit tools – a common way these infections get a foothold.

Errata

NIST Updates NVD Operations to Address Record CVE Growth | NIST - All submitted CVEs will still be added to the NVD. However, those that do not meet the criteria below will be categorized as “Lowest Priority - not scheduled for immediate enrichment.” This will allow us to focus on CVEs with the greatest potential for widespread impact. While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.

“TotalRecall Reloaded” tool finds a side entrance to Windows 11’s Recall database - Ars Technica - The TotalRecall Reloaded tool uses an executable file to inject a DLL file into AIXHost.exe, something that can be done without administrator privileges. It then waits in the background for the user to open Recall and authenticate using Windows Hello. Once this is done, the tool can intercept screenshots, OCR’d text, and other metadata that Recall sends to the AIXHost.exe process, which can continue even after the user closes their Recall session.

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover - The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.

Over 100 Chrome Web Store extensions steal user accounts, data - The threat actor published the extensions under five distinct publisher identities in multiple categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and utilities.

Microsoft: Teams increasingly abused in helpdesk impersonation attacks - In a recent report, Microsoft describes a nine-stage attack chain that begins with the threat actor contacting the target via an external Teams chat, posing as a member of the company’s IT staff and claiming they need to address an account issue or perform a security update.

Fake Linux Foundation leader using Slack to phish devs • The Register - “Installing the certificate enables interception of encrypted traffic and credential theft,” Robinson, who also serves as chief security architect of the Linux Foundation, said in an April 7 security advisory. “Executing the binary may result in full system compromise.”

Google Chrome lacks browser fingerprinting defenses • The Register - “There are at least thirty distinct fingerprinting techniques that work in Chrome right now, today, as you read this,” wrote Hanff, an occasional contributor to The Register, in a recently published critique of Google’s browser. “Not theoretical attacks from academic papers that might work under laboratory conditions – real, production techniques deployed on millions of websites to identify and track you without your knowledge or consent.”

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.