
IT Security Newsletter - 5/7/2026


Breaches

A DOD contractor's API flaw exposed military course data and service member records

A defense technology company with Department of Defense contracts exposed user records and military training materials through API endpoints that lacked meaningful authorization checks, according to an account published by Strix, an open-source autonomous security testing project. The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants. READ MORE...

Hacking

Crypto gang member gets 6.5 years for role in $230 million heist

A 20-year-old California man was sentenced to 78 months in prison for serving as a home invader and money launderer in a criminal ring that stole over $250 million in cryptocurrency. Marlon Ferro (also known online as GothFerrari and Marlo) was arrested on May 13, 2025, carrying two firearms and a fake identification document. He pleaded guilty in October and was also ordered to pay $2.5 million in restitution and serve three years of supervised release. READ MORE...

Software Updates

Cisco Patches High-Severity Vulnerabilities in Enterprise Products

Cisco on Wednesday announced patches for multiple vulnerabilities across its enterprise products, including five high-severity bugs. Two high-severity issues, tracked as CVE-2026-20034 and CVE-2026-20035, which could lead to server-side request forgery (SSRF) attacks, were resolved in Cisco Unity Connection. Rooted in the insufficient validation of user-supplied input and specific HTTP requests, the flaws could be exploited by remote, authenticated attackers. READ MORE...

Malware

Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack

Daemon Tools, a widely used app for mounting disk images, has been backdoored in a monthlong compromise that has pushed malicious updates from the servers of its developer, researchers said Tuesday. Kaspersky, the security firm reporting the supply-chain attack, said it began on April 8 and remained active as of the time its post went live. Installers that are signed by the developer's official digital certificate infect Daemon Tools executables, causing the malware to run at boot time. READ MORE...


Fake Claude AI website delivers new 'Beagle' Windows malware

A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle. The threat actor advertises Claude-Pro as a "high-performance relay service designed specifically for Claude-Code" developers. The fake website is a simplistic attempt at mimicking the legitimate site for the popular Claude large language model (LLM) and AI assistant, using similar colors and fonts. READ MORE...

Information Security

Google Chrome's silent 4GB AI download problem

Google Chrome has been quietly downloading a 4GB AI model onto users' devices without asking first. Security researcher Alexander Hanff, aka ThatPrivacyGuy, reports that Chrome has been silently installing Gemini Nano, Google's on-device AI model, as a file called weights.bin stored in the OptGuideOnDeviceModel directory within users' Chrome profiles. This 4GB download happens automatically when Chrome determines your device meets the hardware requirements. READ MORE...


World's First AI-Driven Cyberattack Couldn't Breach OT Systems

A small, unknown band of hackers pulled off history's first recorded, truly artificial intelligence-directed cyberattack earlier this year, stealing troves of data from the government of Mexico in the process. Yet when the enterprising ne'er-do-wells tried bridging the gap from IT to OT systems, the AI had no luck. Between December 2025 and February 2026, the mysterious hackers targeted at least nine entities of the Mexican government. READ MORE...

Exploits/Vulnerabilities

Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack

A critical vulnerability in Gemini CLI could have allowed attackers to mount a supply chain attack via indirect prompts injected into a GitHub issue, Pillar Security warns. Gemini CLI is the open source AI agent that provides access to Google's Gemini AI assistant directly from a terminal. The security defect, assigned a CVSS score of 10/10 but no CVE identifier, existed because Gemini CLI in --yolo mode would ignore tool allowlists, leading to the execution of any command. READ MORE...


Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk

An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft. Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. READ MORE...

On This Date

  • ...in 1946, the Tokyo Telecommunications Engineering Corporation is founded in Japan. 12 years later, it would change its name to "Sony."
  • ...in 1952, English scientist Geoffrey Dummer publishes a paper with the first public description of an integrated circuit, the basis of all modern electronics.
  • ...in 1992, the Space Shuttle Endeavour is launched on its first mission, including the only three-person EVA ever attempted.
  • ...in 1998, Mercedes-Benz buys Chrysler for $40 billion forming DaimlerChrysler.