Errata
NCSC: Passkeys now good enough to be the default standard • The Register - The UK’s National Cyber Security Centre (NCSC) has officially endorsed passkeys as the default authentication standard, marking the first time the agency has told consumers to move away from passwords entirely.
NCSC’s first gadget blocks malware transfer over HDMI cables • The Register - Very little exists in the research literature about these kinds of attacks. A team based out of Montevideo’s Universidad de la República published findings in 2024 about the potential for highly technical individuals to intercept the electromagnetic radiation emitted from HDMI cables and use deep learning algorithms to reproduce text intended to be displayed on a monitor.
macOS ClickFix attacks deliver AppleScript stealers • The Register - A ClickFix campaign targeting macOS users delivers an AppleScript-based infostealer that collects credentials and live session cookies from 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions.
Cheapskate cyber strategy won’t stop Beijing’s finest • The Register - According to a transcript of his speech shared with The Register ahead of time, Horne will tell delegates attending the Glasgow conference on Wednesday that China is no longer just a capable cyber threat, but thanks to its whole-of-state approach, it now represents “a peer competitor in cyberspace.”
Surveillance
High Court approves Met Police’s facial recog after dispute • The Register - In short, the justices found the Met’s planned use of LFR is legal and does not violate the human rights of Britons who are subjected to it.
Proton CEO: Age checks turn internet into ID checkpoint • The Register - The problem, he says, is that you can’t reliably identify minors without identifying everyone else first, meaning systems built to protect kids inevitably sweep up adults too. “We cannot accept a world where every adult is expected to hand over ID as the price of going online.”
Greece’s flexible approach to Europe biometric entry system • The Register - The EU has built a Travel to Europe app allowing those required to use EES to undertake some of the process in advance. However, so far only Sweden and Portugal are accepting its use.
UK government says 100 countries have spyware that can hack people’s phones | TechCrunch - The U.K., along with several other countries, also continues to experience China-linked intrusions aimed at stealing sensitive data, spying on high-profile individuals, and setting the groundwork for potentially disruptive hacks to stall a Western military response ahead of an anticipated Chinese invasion of Taiwan.
Surveillance vendors caught abusing access to telcos to track people’s phone locations, researchers say | TechCrunch - On Thursday, the Citizen Lab, a digital rights organization with more than a decade of experience exposing surveillance abuses, published a new report detailing the two newly identified campaigns. The surveillance vendors behind them, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate cellular providers and would piggyback their access to those networks to look up the location data of their targets.
DEV
More ancient Linux device support facing the ax • The Register - One tactic to deal with LLM-powered vulnerability detection is simple – just speed up the removal of old code. If it’s gone, it no longer matters if it’s buggy.
Open source package with 1 million monthly downloads stole user credentials - Ars Technica - On Friday, unknown attackers exploited the vulnerability to push a new version of element-data, a command-line interface that helps users monitor performance and anomalies in machine-learning systems. When run, the malicious package scoured systems for sensitive data, including user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys, developers said.
Another npm supply chain worm hits dev environments • The Register & Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens - The list of affected packages is below:
- @automagik/genie (4.260421.33 - 4.260421.40)
- @fairwords/loopback-connector-es (1.4.3 - 1.4.4)
- @fairwords/websocket (1.0.38 - 1.0.39)
- @openwebconcept/design-tokens (1.0.1 - 1.0.3)
- @openwebconcept/theme-owc (1.0.1 - 1.0.3)
- pgserve (1.1.11 - 1.1.14)
What’s new in pip 26.1 - lockfiles and dependency cooldowns! | Richard Si - A dependency cooldown involves configuring a set period of time before a newly released package is eligible for installation, providing time for package registries and third-party security firms to discover and package authors to recover from a compromise. It’s worth noting that while a cooldown can minimize the impact of supply chain attacks, it will also delay security fixes from reaching your environment. If you use this option, pair it with a vulnerability scanning tool such as Dependabot or pip-audit so that you are notified of security issues independently of your update schedule.
USGov
US farms have new steward for their safety nets: Palantir • The Register - Palantir has pledged to provide operational software to enable the USDA to boost supply chain resilience and protect programs from fraud, abuse, and “foreign adversary influence.” The government department is to gain critical visibility into risks that can affect America’s agricultural production and food supply, the US spy-tech company said in a statement.
CISA, NCSC issue Firestarter backdoor warning • The Register - CISA said Firestarter was especially sophisticated in that it maintained persistent access to compromised networking devices even after they were updated, allowing attackers to re-enter victims’ networks without needing to exploit any new vulnerabilities.
FCC adds mobile hotspots to router ban • The Register - The agency has updated its FAQs about the issue to include “consumer-grade portable or mobile MiFi Wi-Fi or hotspot devices for residential use” and “LTE/5G CPE devices for residential use,” where CPE refers to customer premises equipment. However, mobile phones that support hotspot features are not included, nor are industrial, enterprise, or military equipment – for now, at least.
Trump’s pick to run US cyber agency CISA asks to drop out | TechCrunch - A White House spokesperson did not immediately comment on whether the administration has accepted Plankey’s request to withdraw his nomination, nor say who the Trump administration plans to nominate as the agency’s permanent director.
Breaches
France’s ‘Secure’ ID agency probes claimed 19M record breach • The Register - Officials say the data theft, detected on April 15, may have exposed personal data tied to user accounts, including login IDs, full names, email addresses, dates of birth, unique account identifiers, postal addresses, and telephone numbers.
China-linked crews turn routers into covert attack proxies • The Register - Some of these covert networks are created and maintained by Chinese information security companies, the advisory says. For example, China’s Integrity Technology Group controlled and managed the so-called Raptor Train network, which in 2024 infected more than 200,000 devices worldwide, including small office home office (SOHO) routers, internet-connected web cameras and video recorders, plus firewalls and network-attached storage (NAS) devices.
ShinyHunters claim they have cruise giant Carnival’s booty • The Register - Carnival Corporation, the world’s largest cruise company, is dealing with choppy waters after Have I Been Pwned flagged what it claimed were 7.5 million unique email addresses all allegedly tied to one of its subsidiaries.
Burglar alarm biz gets burgled, ShinyHunters pursues ransom • The Register - ShinyHunters, meanwhile, is telling a rather different story. In a post on its dark web leak site, seen by The Register, the crew claims it lifted “over 10M Salesforce records containing PII and other internal corporate data” and is now airing the lot after talks with ADT went nowhere.
AI
Intel expects AI inference to drive demand for its CPUs • The Register - Lip-Bu also referenced a recent long-term deal with Google for co-development of infrastructure processing units (IPUs) to offload networking and other tasks, saying: “This is a good example of how we win in AI infrastructure build-out. And then stay tuned - at the right time, we will announce other contracts.”
Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE - “An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.”
Infrastructure
Attackers could disable all of a city’s public EV chargers • The Register - Shi thinks the techniques he created also make it possible to deny service, and do so at scale – creating the possibility of taking out an entire city’s network of EV chargers. And not just in China: The researcher tested 11 apps published by European providers of shared bikes and scooters, and found similar problems - suggesting his findings will be applicable elsewhere.
Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software & Researchers find sabotage malware that may predate Stuxnet • The Register - SentinelOne thinks fast16 came into existence around 2005, based on clues in the code and the fact it won’t run on anything more recent than Windows XP – and even then only on a single-core CPU. Intel shipped its first multi-core consumer CPUs in 2006.
Critical infrastructure giant Itron says it was hacked | TechCrunch - The Liberty Lake, Washington-based company provides technology for managing energy consumption of energy grids, including water, gas, and electricity supplies. The company provides internet-connected utility meters to over 110 million homes and businesses, according to its website. Itron has thousands of customers, including cities and municipalities, as well as operations in over 100 countries, its website reads.
Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack - “Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload,” the Russian cybersecurity vendor said. “These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper.” Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state.
Crypto scam lures ships into Strait of Hormuz, falsely promising safe passage - Ars Technica - The company alerted shipowners that scammers posing as Iranian authorities had sent messages to shipping companies asking for “transit fee” payments in bitcoin or tether.
Tankers passing through Strait of Hormuz will have to pay cryptocurrency toll - Ars Technica - “Once the email arrives and Iran completes its assessment, vessels are given a few seconds to pay in bitcoin, ensuring they can’t be traced or confiscated due to sanctions,” Hosseini added.