2026.05.26 News You Should Know

Series: News You Should Know

Texas AG sues Meta over claims that WhatsApp doesn’t provide end-to-end encryption - Ars Technica - In a complaint filed Thursday, Texas AG attorneys said Meta’s claims are false and that the company can and does read the unencrypted contents of WhatsApp messages. They said they are filing the action to “prevent WhatsApp and Meta from continuing to willfully deceive [Texans] by misrepresenting that their private communications were just that—private and inaccessible even to WhatsApp and Meta—when, in fact, WhatsApp and Meta have access to all WhatsApp users’ communications in their entirety.” According to Bloomberg, the January 16 email, sent to more than a dozen officials at other agencies, stated, “There is no limit to the type of WhatsApp message that can be viewed by Meta. The misconduct of Meta and its officers, including current and former high-level executives, involve civil and criminal violations that span several federal jurisdictions.”

Google publishes exploit code threatening millions of Chromium users - Ars Technica - Since its reporting 46 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, she learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code.

‘BusPatrol’ Put AI Cameras in Tens of Thousands of School Buses. Now They Want to Give Cops Access - BusPatrol plans to scan the license plates of all vehicles the buses drive past, and then let law enforcement search that data. The plan would essentially turn school buses into roaming surveillance vehicles. Internally, BusPatrol has acknowledged how controversial its plan to collect and share this data is, pointing specifically to concerns about ICE using license plate data, but emphasizes the likely success of selling the angle of protecting children.

Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw - Cisco noted that the flaw affects internal REST APIs rather than the platform’s web management interface, although that distinction is unlikely to bring much comfort to admins staring at a 10.0 severity score.

Threat hunters find Google API keys still usable 23 minutes after deletion - “We’ve identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,” Joseph Leon, a security researcher with Aikido, told The Register. “In that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.”

Breaches

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos - “While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”

TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO - The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of accounts in quick succession. “Several npm packages also deploy a shared payload, trap-core.js, that scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and plants persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, cron, and SSH.”

Grafana breach caused by missed token rotation after TanStack attack - “We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,” reads Grafana’s update. “A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.”

Hackers bypass SonicWall VPN MFA due to incomplete patching - SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.

Microsoft

Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks - The service allowed paying cybercriminal customers to upload malicious files for code-signing using certificates fraudulently obtained by Fox Tempest. This, in turn, allowed malware and ransomware to masquerade as legitimate software like AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex. The service cost between $5,000 and $9,000.

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit - YellowKey was disclosed by a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse). It essentially involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into the Windows Recovery Environment (WinRE), and triggering a shell with unrestricted access by holding down the CTRL key.

AI

HackerOne takes an axe to its bug bounty rewards - The security researcher found a medium-severity vulnerability that previously paid $1,843. As of Monday, HackerOne’s IBB pays $297 for the same severity level. Similarly, the new IBB cash prize for a critical vulnerability is $2,257, compared to the previous $9,250 reward. High-severity bugs now fetch $1,009, while they used to earn a $4,429 payout. And low-severity bugs earn researchers $68, compared to the previous $597 reward.

Anthropic to release Mythos-class models to the public - Anthropic has revealed its intention to one day release models that match the performance of its Mythos bug-finding AI to the public, once it can make them safe.

Trump/MAGA

Jailbroken Gemini helped Russian-speaking fraudster target MAGA crypto users - The campaign targeted the QAnon and MAGA communities, mimicking the cryptic, anonymous “Q drop” messages at the heart of the QAnon conspiracy, but the researchers say his “use of information operation techniques was more likely for cryptocurrency fraud instead of political motives,” based on the content posted, and the stock remote access trojan (RAT) used alongside other commercial malware. On September 9, 2025, the actor posted a fake “freedom-first, self-custody wallet” called StellarMonster, with a welcome bonus of up to 1,000 XLM (about $380) on the Telegram channel.

Customers say Trump Mobile is leaking their personal information | TechCrunch - They both said they were alerted of the leak by a source, who shared their personal information to prove they really had access to it. The researcher told them they were not able to get a hold of anyone at Trump Mobile, so the issue isn’t fixed yet. “All of us have been met with radio silence,” penguinz0 said.

Trump Mobile confirms it exposed customers’ personal data, including phone numbers and home addresses | TechCrunch - Walker said that the exposure was linked to a third-party platform provider that supports “certain Trump Mobile operations.” He did not name the provider.

Kash Patel’s clothing brand website shut down after reports it was hacked | TechCrunch - The merchandise website of FBI director Kash Patel was taken offline on Friday after reports that it had been hijacked by hackers trying to infect visitors with malware, as first reported by Straight Arrow News.

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.