IT Security Newsletter - 5/15/2026
Zero-day exploit completely defeats default Windows 11 BitLocker protections
A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the key. READ MORE...
OpenAI caught in TanStack npm supply chain chaos after employee devices compromised
OpenAI says attackers behind the TanStack npm supply chain compromise stole internal credentials after reaching two employee devices, forcing the company to rotate signing certificates for several desktop products. The company disclosed this week that it had been caught up in the wider "Mini Shai-Hulud" campaign targeting npm ecosystems and developer infrastructure, though it said there was no evidence that customer data, production systems, or deployed software were compromised. READ MORE...
American Lending Center Data Breach Affects 123,000 Individuals
American Lending Center this week revealed that a data breach discovered last year has impacted more than 123,000 individuals. American Lending Center (ALC) is a California-based non-bank lender that manages a $3 billion portfolio specializing in government-guaranteed small business loans. The organization is notifying individuals affected by the data breach that information such as names, dates of birth, and SSNs may have been stolen in a ransomware attack detected in July 2025. READ MORE...
Fired hacker twins forget to end Teams recording, capture own crimes
Perhaps you remember Muneeb and Sohaib Akhter, the 34-year-old twin brothers we profiled earlier this week. Although they had the tech chops to commit years of petty crimes (like stealing airline miles), what landed them in truly serious trouble was deleting 96 US government databases in the hour after both were fired last year by the same federal IT contractor, Opexus. (Opexus had just found out that both brothers had previously been in prison for cyberfraud.) READ MORE...
Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026
Cisco on Thursday announced the availability of patches for yet another critical SD-WAN zero-day vulnerability that has been exploited in attacks. It is the sixth SD-WAN flaw whose exploitation came to light in 2026. The new SD-WAN zero-day is tracked as CVE-2026-20182, and it has been described by Cisco as an authentication bypass vulnerability that can allow a remote attacker to gain admin privileges on the targeted system via specially crafted packets. READ MORE...
Attackers replaced JDownloader installer downloads with malware
If you downloaded the JDownloader installer during the compromise window (May 6-7), you are advised to verify the file. JDownloader is a popular download management application, particularly favored for automated downloads from file-hosting services, video sites, and premium link generators. The JDownloader website was confirmed to have been compromised on May 6-7, 2026. During that window, the Windows "Download Alternative Installer" links and the Linux shell installer were compromised. READ MORE...
Taiwan Incident Highlights Cybersecurity Gaps in Rail Systems
The communications and monitoring platforms for rail networks have come under scrutiny following the recent "hacking" of a Taiwanese railway operator's radio system, which led to the emergency stoppage of three high-speed bullet trains for nearly an hour. On April 5, a 23-year-old train enthusiast used a software-defined radio setup and hardware bought online to spoof a general alarm, or GA, alert to the operations center of Taiwan High Speed Rail (THSR). READ MORE...
18-year-old NGINX vulnerability allows DoS, potential RCE
An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution. The vulnerability is tracked as CVE-2026-42945 and received a critical severity rating of 9.2, based on the latest version of the Common Vulnerability Scoring System (CVSS). Three more memory corruption security issues were discovered in the same six-hour code scanning session. READ MORE...
- ...in 1800, President John Adams moves the federal government from its original home in Philadelphia, to the nation's new capital in Washington, D.C.
- ...in 1942, a bill establishing the Women's Auxiliary Army Corps (WAACs) becomes law, granting women official military status in the US Army.
- ...in 1963, astronaut Gordon Cooper becomes the first American to spend more than 24 hours in space, during the Mercury-Atlas 9 mission.
- ...in 1973, California Angels pitcher Nolan Ryan strikes out 12 Kansas City Royals and walks three to pitch the first no-hitter of his career.








