The Register

CrowdStrike, working with Google and the Shadowserver Foundation, said it has taken down the Glassworm botnet, a self-propagating, credential-stealing worm that has targeted developers and spread through poisoned software packages since early 2025. The endpoint security giant’s Counter Adversary Operations team and partners hit all four Glassworm command-and-control channels simultaneously at 1400 UTC on Tuesday, “severing the operators from their infected machines and their ability to deliver new malicious payloads,” according to CrowdStrike’s blog. Google Threat Intelligence Group chief analyst John Hultquist confirmed his company’s involvement in a social media post. “As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,” Hultquist wrote. A spokesperson declined to provide additional details to The Register about Google’s role in the takedown. The disruption comes as another self-replicating worm, Mini Shai-Hulud, rips through open source code and miscreants poison GitHub repositories and npm packages in similar supply-chain attacks also targeting developers’ environments. “Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software,” CrowdStrike wrote. “Adversaries are no longer just targeting products, they're targeting the developers who build them.” First spotted by endpoint security shop Koi in October 2025, Glassworm used invisible Unicode-based code injection, blockchain-based C2 infrastructure, and Google Calendar as a backup command server to turn infected developers’ machines into criminal proxy nodes. This self-replicating worm initially targeted VS Code extensions on the OpenVSX marketplace before moving on to npm and Python packages, and later poisoned more than 300 GitHub repos using stolen credentials harvested in earlier Glassworm infections. This worm appeared about a month after another self-propagating malware strain, Shai Hulud, first wormed through npm packages including those maintained by CrowdStrike. Glassworm infected all platforms - including Windows, macOS, and Linux systems - stealing credentials and other sensitive information, and also spawning its own Node.js remote access tool called GlasswormRAT. C2 architecture designed to withstand takedowns Glassworm’s C2 infrastructure used four distinct channels to complicate takedown efforts. These included the Solana blockchain, with C2 server addresses encoded in the memo fields of blockchain transactions, ensuring the C2 couldn’t be taken offline through conventional means. It also used Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths. The GlasswormRAT used a decentralized BitTorrent Distributed Hash Table (DHT) for configuration data stored against hardcoded public keys. And finally, Glassworm relied on traditional C2 servers, hosted on commercial VPS providers, as the final payload delivery mechanism. Disrupting all four channels “required precision and timing,” according to CrowdStrike. “Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute.” All Glassworm-infected machines now beacon to the benign CrowdStrike-operated IP address 164.92.88[.]210. The security shop urges organizations to review network logs and endpoint telemetry for connections to this address, which indicate a Glassworm infection. ®

More than half of businesses had an AI-related security incident or a scare in the past year — even as executives remain overwhelmingly confident in their ability to manage the risks of employees using AI tools, according to a study commissioned by identity and access management leader Okta. “For the purposes of this survey, an AI security issue is defined as an actual incident, i.e. a breach, data exposure, or system disruption, or a close call, meaning an issue was identified before it caused harm to the organization,” Harish Peri, SVP and GM for AI Security at Okta, told The Register. Of those respondents who reported a security problem, 26.7 percent described an actual incident — a breach, data exposure, or system disruption — while 31.2 percent identified a close call caught before it caused harm. Yet, overall, 58 percent of executives reported that their organization experienced an AI-related security problem in the past 12 months and the data is pointing to “shadow AI” use by employees as the culprit, Peri said. “The old adage in cybersecurity is that you can’t protect what you can’t see. Our research shows that 52 percent of knowledge workers admit to using unapproved AI tools,” Peri told us. “Security and compliance teams can’t govern the usage of AI tools they don’t know are being used. Organizations must implement an effective AI governance framework that prioritizes identity-centric controls, automated discovery, and secure sandboxes to test drive AI tools safely.” The AI Agents at Work 2026 report was commissioned by Okta and conducted by Apprize360 in March. It surveyed 292 executives and 492 knowledge workers across seven countries: the US, UK, Australia, Canada, Japan, France, and Germany. It also showed a disconnect between how leaders believe AI is being used within their organizations and what employees actually do. Whether it's coding assistants, browser extensions, or industry-specific utilities, the study said what unites all of the tools is their need for data and, in many cases, access to an organization’s internal systems. Peri said the survey found risky employee behavior when it came to interacting with AI models. Knowledge workers actively used unapproved AI tools, shared confidential company documents with those tools, handed over HR information to AI, and in 16 percent of cases, provided their login credentials. "These risky behaviors — whether intentional or not — increase the attack surface across an organization," Peri told The Register. Despite that, 90 percent of executives had confidence in their organization's visibility into AI tools, even as more than half of knowledge workers admitted to using AI tools without approval, with 24 percent adding that they do so regularly. Apart from the security issues, the survey found that AI agents and AI tools are gaining widespread adoption. Ninety-two percent of executives surveyed said autonomous AI agents are already in widespread or moderate use across their organizations, while nearly two-thirds of knowledge workers reported using an AI tool at least daily. Among those workers, 68 percent used AI agents, while 62 percent regularly used LLMs and AI-infused chatbots. The results of the survey vary by geography, too. The United States led all surveyed countries, with 67 percent - more than two-thirds - of workers reporting they use unsanctioned AI tools. Australia came in second, with 60 percent of workers saying they engaged in unapproved AI usage. In the United Kingdom, some 55 percent of workers ignore the rules, while roughly 50 percent of Canadian workers reported using unauthorized AI tools. Workers in France and Germany reported the lowest rates of unauthorized AI usage with each at around 30 percent. The gap between executive confidence and employee reality is widest in the UK, where 96 percent of executives expressed confidence in their AI visibility, while more than half of workers used unapproved tools. Peri said there’s no easy fix. “For most organizations, shadow AI emerges unintentionally and isn’t intended to be malicious,” he told The Register. “Shadow AI primarily causes headaches for leaders because they don’t have the proper visibility, governance, and security controls for tools the organization isn’t managing.” Okta’s survey recommends that organizations should assume shadow AI exists and make discovery a priority. They should make the secure use of AI the easiest path, and define an AI governance strategy now. Peri said strict AI bans may actually make the problem worse by pushing more usage underground. A more effective approach, he said, involves talking with employees to understand what they need and making approved tools easier to use than unsanctioned alternatives. ®

The FBI is warning unsuspecting lawyers that their firms continue to be an active target for members of a longstanding extortion crew. Silent Ransom Group has been operating since 2022, by the FBI’s reckoning, and its latest message [PDF] about the gang comes almost exactly a year after its last. The group is still targeting US law firms and their staff, and the criminals are pretending to be company IT staff. It also warned last year that the callback phishing specialists had started physically walking into the law firms’ offices when remote social engineering attempts go south. The FBI’s latest advisory reaffirms these findings, with fresh attacks reported in Spring 2026. Law firms should be locking up their USB ports because the extortion crew is still sending members to plug in their thumb drives into the computers, for when they can’t convince employees to surrender remote access. In these scenarios, they rock up to the victim they’ve tried to phish and socially engineer from behind a phone or computer screen, continue the facade of being a company IT rep, and then claim they need to image the person's device or create a backup file to assess the damage of their own phishing email. What they’re actually doing is copying important files onto said thumb drive, which SRG will later use to extort the law firm. The FBI didn’t say exactly how many of these in-person callouts SRG has made, but it was evidently enough to include in a fresh advisory on the group’s methods and tactics. According to the advisory, these attacks were first reported in Spring 2026. SRG in brief SRG’s target industries used to be broader than just legal. The hack-and-leak group has been known to target organizations operating in various industries, but the legal sector has remained a common theme since 2023. The FBI said in its advisory on the group last year that it believes SRG consistently targets US law firms “likely due to the highly sensitive nature of legal industry data.” When they’re not sending crooks into office blocks, SRG’s primary goal is to achieve their aims through callback phishing. Using SMS messages or emails, group members would single out employees at target companies, asking them to call a number while impersonating real IT staff. If the staffer fell for the scheme, they’d call up, and the SRG IT imposter would attempt to convince them to grant access to a remote desktop session, during which they would elevate their privileges and set about stealing data to use as extortion leverage. In some cases, SRG will run WinSCP or a disguised version of Rclone to scoop up files of interest. In others, they are known to share those documents using internal file-sharing platforms such as Google Drive or Microsoft OneDrive. Before the callback phishing methodology, the group would send emails claiming that a fake subscription had been authorized that would charge small sums to the target’s account each month. The email included a phone number to call in order to cancel the subscription, and once on the call, the crooks would convince the target to install remote access software, and rinse-repeat the data theft playbook. SRG is not known for using ransomware, but it operates a data leak site (DLS) just like any other extortion crew and charges victims to return the data they stole, threatening to leak it online if they refuse to pay. Recent alleged victims of the group have included law giant Jones Day, the legal eagles favored by US president Donald Trump during both his election campaigns. SRG listed Jones Day on its DLS, and the law firm confirmed a “cyber phishing incident” in April, but did not name SRG as the culprits. Your country needs you The FBI pleaded with the public to send it any evidence of SRG in action to aid future investigations. Of particular use would be phone numbers used to contact the crooks, copies of the phone call transcripts and phishing emails, cryptocurrency wallet information, and identifying information of the individuals who step foot in office buildings. As for how to prevent attacks from SRG or others adopting similar methods, the FBI recommended that organizations disallow connecting external drives to company-issued devices, especially those that store confidential or otherwise sensitive information. Verifying the credentials of each person walking into the building wouldn’t hurt, either. The usual advice applies for the group’s remote attacks: limiting access to sensitive data from less-secure networks and requiring phishing-resistant MFA for as many services as possible. The FBI also recommends blocking port 22 access, which would prevent encrypted remote access, and investing in robust staff training programs so they know not to let outsiders plug hardware into their machines. ®

India's Computer Emergency Response Team (CERT-In) says defenders should endevor to patch or mitigate exploited n-day vulnerabilities within 12 hours as the cybercrime landscape continues its AI-ification. The organization's recommended half-day window applies only to bugs that affect internet-facing or "crown jewel" systems and are known to be exploited. In these cases, CERT-In told defenders to "patch, mitigate, or remove exposure within 12 hours where feasible." For other flaws, such as a standard critical vulnerability (CVSS 9.0 or higher) affecting an internal system, or a known exploited bug affecting an internal system, defenders can enjoy a much more leisurely 24-hour window. The revised suggestions come as part of a new guide released by CERT-In this week to help infosec pros better protect against AI-assisted cyberattacks. "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In's report reads. "As organizations become increasingly dependent on interconnected digital infrastructure, cloud ecosystems, software supply chains, operational technologies, and AI-enabled platforms, the potential impact of AI-enabled cyber threats continues to increase across sectors." CERT-In's report follows a trail of news stories in 2026 that all suggest AI is becoming an increasingly important part of cybersecurity for both attackers and defenders. The field of agentic AI has especially matured rapidly in the past year. Consumer-grade tools like OpenClaw have made it easier for non-technical users to experiment with autonomous tech, raising its profile and awareness of its capabilities. Agents are equipped with all the necessary permissions to make significant system changes, but as global intelligence agencies recently highlighted, their behavior can at times be unexpected, and they're also prone to mischief. Security pros are starting to see the potential for AI agents in their workflows, but for attackers, the technology represents an opportunity to hasten all parts of their process, from recon and exploitation to privilege escalation and data theft. CERT-In cited agentic AI as one of the core concerns behind the report's recommendations, and because of the disparate supply chains on which organizations are increasingly reliant, any vulnerability can lead to cascading damage on interconnected systems. Beyond agentic AI, the launches of frontier models such as Anthropic's Mythos and OpenAI's GPT-5.5, two certified cyber workhorses, threaten to empower attackers further with capabilities to uncover and exploit critical vulnerabilities at pace. A 12-hour window: Is it feasible? Any cybersecurity practitioner will attest to the onerous nature of the patching process, and how it's not as easy as clicking "Update," which is why a 12-hour patch window might seem initially unrealistic to some. Urgent warnings and demands for immediate patching are routinely delivered alongside critical vulnerability disclosures, but these fail to account for the downtime required to apply patches, or the testing required to prove that by applying them, everything else won't break. Microsoft has had its fair share of these cases, for example, and many readers will have borne the brunt. CISA's Known Exploited Vulnerabilities catalog is another prominent resource that sets patching deadlines, albeit only for federal agencies, but these are typically set at two to three weeks, or a number of days for the most serious vulnerabilities. The cybersecurity pros who spoke to The Register, weighing in on the CERT-In recommendations, agreed that 12 hours is far too short a window to properly test and deploy a patch, although they said the organization was on to something with its approach. Dray Agha, senior manager of security operations at Huntress, said that CERT-In’s recommendation to "patch, mitigate, or remove exposure within 12 hours where feasible" was solid advice, largely because of the caveat that it doesn’t necessitate a full patch within that time. "By explicitly encouraging temporary mitigations, such as isolation, access restriction, or disablement until a patch is ready, this turns the patching deadline into a highly feasible and necessary containment strategy," Agha told The Register. "And this corroborates the guidance we dispense at Huntress for critical threats: we often advise our community to deploy temporary mitigations to 'get them out of trouble' as soon as humanly possible, and then come up with a more coordinated strategy for patching that respects the business's need to function in its enterprises." Agha added that AI-assisted cyberattacks are seen every day in the wild, compressing the time taken to exploit vulnerabilities, meaning defenders must adapt to this new reality. In the pre-AI days, a 12-hour window to mitigate or patch a known exploited vulnerability was seen as excessively tight, but increased availability of advanced tooling and automation is reshaping the demands of vulnerability management. "Defenders must fundamentally reshape their operations to focus on quicker mitigations – prior to AI, at Huntress, we have seen vulnerabilities exploited within a handful of hours, let alone a full 12 hours," said Agha. He said the 12-hour guideline is less about an arbitrary clock, more about "forcing a necessary readjustment in how organizations drive their security approaches to be beyond compliance and move to a continuous defensive posture. "And this will involve the enterprise functions of the business being a part of the security posture – not just IT, thank you very much – as the consequences of AI-driven exploitation mean faster, higher impact cascading negatives on a targeted business; much better to proactively defend than reactively recover." ®

A security researcher found a foolproof way to guarantee tech conferences accept his speaker submissions: hack their systems. CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, a popular open source tool that conference organizers use to manage speaker submissions and schedules, that could allow attackers to effectively take over an organizer's session. Any user controlling searchable fields – including submission titles, speaker display names, and user names or email addresses – could inject arbitrary HTML or JavaScript. When an organizer's search query matched the malicious record, the payload would execute in the organizer interface. "Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's [Cross-Site Request Forgery] CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim," according to pretalx's security advisory. Project maintainers patched the flaw in April, and it has been fixed in pretalx 2026.1.0. Elad Meged, founding engineer and security researcher at AI penetration-testing and offensive-security startup Novee, found and disclosed the flaw when he was preparing conference speaker submissions. He noticed the exact same call for proposals (CFP) submission form appearing underneath all of these different hacker conferences and academic symposiums' logos. 'One codebase serving them all' While the events are unique, with different parent companies and organizers, "underneath, it is one codebase serving them all," Meged said in research published on Wednesday and shared in advance with The Register. Meged then used the flaw to auto-apply for 40 conferences - and got accepted to present his proposed talk, "Securing Modern Web Apps," at every single one of them. While Meged did submit real entries, he did not submit a live exploit payload into the conference systems. The Novee team validated all of their findings on a local instance. They didn't do any testing on pretalx.com or a third-party-hosted instance. "The goal was to validate the vulnerable workflow in the exact real-world setup while avoiding unnecessary harm," Meged told The Register. "So, we used realistic, normal-looking talk submissions and then validated exploitability through controlled, version-specific testing." Some of the events that use pretalx-based CFP infrastructure include OffensiveCon, TROOPERS, FOSDEM, HEXACON, and Recon, he told us, stressing that this does not mean any of these conferences were actively exploited or compromised. For any conferences that used pretalx for talk submissions, but weren't accepting submissions at the time, Meged followed up with them via responsible disclosure. And yes, Meged admits that he could have had more fun with the talk title, but he wanted to make it "intentionally boring and plausible," to blend in with other proposals. "I agree something outrageous would have been funnier, but it would also have been less responsible," he said. Human led, AI agent assist Meged described the research as "human-led vulnerability research, agent-assisted at internet scale." Once they understood the type of vulnerability, any "capable web security researcher" could reproduce the exploit, he said, adding "this would not require nation-state-level skill." Scaling the attack, reliably reproducing it, and adjusting the attack chain to each real-world pretalx deployment, however, benefited from an agentic AI assist – and this wasn't "a one-off script or a prank CFP submission," he told us. "Different pretalx versions, deployment choices, and enabled features can change the behavior," Meged said. "Something that works on one instance may fail on another or require a different validation path." Plus, some conferences use hosted infrastructure, while others run their own self-hosted instances. So the security shop built an agentic fingerprinting and validation system to scan the internet for public-facing, vulnerable systems, learn as much as possible about the version and configuration, and find the best way to exploit them. 'This type of work does not scale manually' "This type of work does not scale manually," Meged said. "A human can find the core idea, understand the primitive, and make the responsible disclosure decisions. But mapping internet-wide exposure, fingerprinting many deployments, comparing versions, modeling behavior, adjusting validation logic, and organizing disclosure steps is exactly where AI agents become useful. The agents helped with discovery, fingerprinting, version comparison, environment modeling, controlled validation, note-taking, and disclosure workflow management." After finding and fingerprinting public pretalx deployments, and identifying version-specific behavior, the agents selected the best non-destructive validation path for each one. While there's no indication that attackers found and exploited the security issue before Novee's team, it's serious in that it could have granted organizer-level access to the conference call-for-proposal and scheduling system - these typically contain speaker identities, submissions, acceptance decisions, and private communications between conference organizers and speakers. Gaining access to this type of information could have allowed for targeted phishing or other trust-based attacks impersonating a well-known industry event. "With organizer-level access, an attacker could potentially read or modify submissions, interfere with the review process, impersonate conference staff, alter CFP data, or communicate with speakers and submitters from a trusted conference context," Meged said. "The most realistic abuse case is targeted phishing or lateral movement through trust. If a speaker, sponsor, reviewer, or attendee receives a link or request from what appears to be a legitimate conference system, they are much more likely to trust it," he added. "So the story is not just: Someone could get a fake talk accepted. The bigger risk is that a trusted conference platform could become a launchpad for attacks against the entire event ecosystem." Tobias Kunze, a developer who created pretalx, told The Register that Meged reported 11 security findings on April 14, he assessed all of these and classed one as a serious vulnerability and five as non-vulnerability bugs – but with fixes – and five more as non-critical or intended behavior. "Contact with Elad was very positive and professional," Kunze told us. "We discussed the severity and impact of his findings, and it was as good a report as a small open source project like pretalx can hope to receive." ®

Crims found the soft spot in the company's security. MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed by Play ransomware extortionists as an alleged victim. The pillow shop first appeared on Play’s name-and-shame data leak site on Monday, with the gang threatening to leak stolen data by Friday if MyPillow execs don’t pay the ransom demand. While the extortionists didn’t specify how many gigabytes of data they allegedly stole from MyPillow, they claim it includes “private and personal confidential data, client documents, budget, payroll, IDs, taxes, finance information” and more, according to the dark-web post seen by The Register and shared on social media by threat-intel firm FalconFeeds. MyPillow did not immediately respond to The Register’s inquiries. We will update this story if we receive any response. As of May 2025, the FBI said Play ransomware operators had allegedly exploited about 900 organizations, and the crew’s ransomware variant consistently ranks among the top five targeting critical infrastructure. Play previously stole around 65,000 Swiss government files after breaching its IT supplier Xplain in 2023. A year later, the group hacked Microchip Technology. The American semiconductor manufacturer told regulators that the ransomware attack disrupted some of its business operations and cost it $21.4 million in expenses related to the security incident. North Korean government goons have also used Play ransomware in their intrusions. Cisco Talos' incident responders previously told The Register that Play was one of the crews that used so-called "EDR killers" to disable endpoint security products in their ransomware infections. MyPillow is probably best known for its founder and CEO's politics. Lindell is a major proponent of President Trump’s false claims that the 2020 election was stolen, and is now running for Minnesota governor. ®

National security and digital forensics experts have called foul on Nigel Farage's "disturbing" and unsubstantiated claim that Russia was behind the leak of a story about the UK politician receiving a £5 million gift from a crypto billionaire. Sources inside Farage's right-wing Reform UK told the Mail on Sunday that the party leader believes Russian spies hacked his phone and relayed details about Christopher Harborne's gift, a matter of which only four people were aware. Farage was said to have engaged outside "counter-espionage experts" to perform a technical analysis of his device – analysis that was said to point to Russia. According to Peter Sommer, professor of digital forensics at Birmingham City University, whichever outfit was entrusted to carry out this work would have been looking for two different types of markers to prove Russia was involved. These would be either the phishing message Farage clicked on that allowed Russia to access his private communications or the malware code an attacker used to exfiltrate them. "It's obviously trivial to disguise the source of an email, so that doesn't help," Sommer told The Register. "And the second thing is if you're talking about looking for hacking codes, hackers, whether they are juveniles or people in major SIGINT systems, are likely to be stealing from each other, so there's nothing unique about a code that would say where it comes from." Sommer also highlighted that advanced intelligence powers have tools at their disposal to obfuscate the source of malicious code. The CIA's leaked Marble Framework supposedly had the ability to translate malicious code into any language, including those used by its chief adversaries. "Now, absent from that, how on Earth do you determine that this is a Russian hack?" Sommer asked. Neither Farage nor Reform UK has spoken officially on the alleged Russian phone hack. They have not specified which experts on whose conclusions they used to make the claims, they have not stated what evidence pointed to Russia's involvement, and they have not committed to making this forensic assessment available for public scrutiny. Opening up the data for verification was one of the core issues raised by Ciaran Martin, founding chief executive of the UK's National Cyber Security Centre (NCSC), who labeled Farage's claims "disturbing" and "without any merit." Speaking to The Guardian, Martin said that not only is the lack of clear evidence concerning, but also if Russia was behind the hack-and-leak operation, a deliberate attempt at destabilizing a foreign democracy, then it would have significant consequences for the UK's Russia policy. "An aspiring prime minister has essentially claimed that Russia has launched an unprecedentedly aggressive intervention – a malicious intervention – in British politics, and he's not produced a shred of evidence to support that claim," Martin said. "It is a very, very serious thing to allege. It would be a national security issue," he added. "If it is true, the government should be in emergency session in COBR right now, considering their response to the most serious Russian intervention in internal British affairs for years." He said the claims published by the Mail on Sunday, at present, are unsubstantiated, and if true, in normal circumstances, this would prompt a formal government response. The Reg understands that the NCSC has not been engaged by Farage or Reform UK over the matter. The National Crime Agency did not respond to questions regarding its involvement and the Metropolitan Police Service declined to comment. Reform UK did not respond to our requests for more information, nor did Nigel Farage's office. What exactly did Reform UK claim? According to sources who spoke to the Mail on Sunday, Russian spies hacked Farage's phone, ascertained details about Harborne's £5 million donation to the party leader, and leaked it to The Guardian, which first reported the story. The Guardian said at the weekend that Farage is now under "mounting pressure" to prove his claim about the Russian phone hack. There is no indication the Graun 's reporting was connected to any illegal activity or Russian spies, but Farage is implying so, telling the Mail on Sunday: "This shocking revelation brings into question The Guardian’s judgment and whether Reform can cooperate with them in future." According to the analysis of Farage's phone, carried out by the unidentified counter-espionage experts, the findings were "almost certainly linked to Moscow," the Reform UK source said. They also claimed that spear-phishing tactics were used to compromise his phone, email, and bank accounts. "It bore all the sophisticated hallmarks of a nation-state actor using destabilization techniques in the run-up to this month's local elections," the source added. Farage said: "These actions by Russia are deeply concerning and highlight the threat they pose to British security." Regarding the motive for such an attack, Reform UK believes its leader angered Russian president Vladimir Putin by previously expressing support for NATO. He has said in the past that UK forces should shoot down Russian aircraft if they enter NATO airspace, and joined controversial calls for Ukraine to be admitted to the military alliance. The party also said that Harborne may be a target for the Russian regime because he joined former prime minister Boris Johnson on a trip to Ukraine in 2022, designed to showcase the impact of Russia's invasion earlier that year. ®

Anthropic has revealed its intention to one day release models that match the performance of its Mythos bug-finding AI to the public, once it can make them safe. In case you came in late, in early April Anthropic announced it had developed a model called Mythos that is so good at finding security vulnerabilities in programming code that the company decided to offer it only to select entities because allowing unfettered access would mean cybercriminals could quickly discover and exploit software flaws. That access program is called “Project Glasswing” and participants report it quickly finds many bugs but few that humans couldn’t find given enough time and resources. Those with access to Mythos have also sometimes said the quantity of bugs it finds somewhat overwhelms their ability to patch them all. The mere existence of Mythos has sparked a little panic – Japan’s government ordered a sweeping security review and Indian authorities demanded a patching spree at financial institutions – plus a general realization that even lesser AI models are also decent bug-finders, meaning cyber-defenders must now expect attackers will weaponize more flaws, more often. No company—including Anthropic—has developed safeguards strong enough to prevent such models from being misused Anthropic last week published an “initial update” on Project Glasswing that in its second-to-last paragraph reveals the company’s next step will see it “… work with critical partners – including US and allied governments – to expand Project Glasswing to additional partners. And in the near future, once we’ve developed the far stronger safeguards we need, we look forward to making Mythos-class models available through a general release.” The company didn’t explain what it means by “near future” and admits that “At present, no company—including Anthropic—has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm.” Further illustration of that assertion can be found earlier in the company’s post, which reveals that Anthropic has used Mythos to scan more than 1,000 open-source projects that it says “collectively underpin much of the internet – and much of our own infrastructure.” To date, Mythos has found an estimated 6,202 high-or-critical-severity vulnerabilities in these projects – and 23,019 flaws in all. The post reveals that when Mythos finds a flaw, Anthropic and its pals in the security community reproduce the issue that Mythos has found and “re-assess its severity.” “Once we’ve confirmed that a vulnerability is real, we check for whether there are already fixes in place, and write a detailed report to the software’s maintainers,” Anthropic explains. “We take considerable care here: on top of the regular challenges of maintaining open-source software, maintainers have been facing a deluge of low-quality, AI-generated bug reports. Indeed, several maintainers have told us they’re currently severely capacity constrained, and some have even asked us to slow down our rate of disclosures because they need more time to design patches.” 1,752 of the high-or-critical-rated vulnerabilities Mythos found in FOSS have gone through that process and 90.6 percent (1,587) proved to be valid flaws. Of those, 62.4 percent (1,094) “were confirmed as either high-or-critical-severity,” the post states. One of the critical flaws impacted the wolfSSL cryptography library used by billions of devices worldwide. “Mythos Preview constructed an exploit that would let an attacker forge certificates that would (for instance) allow them to host a fake website for a bank or email provider,” Anthropic wrote. “The website would look perfectly legitimate to an end user, despite being controlled by the attacker.” Thankfully, developers have already patched wolfSSL, and Anthropic said it will deliver a full technical analysis “in the coming weeks.” Keep an eye out for CVE-2026-5194 to learn more about this one. Mythos is adding to an already overloaded security ecosystem “75 of the 530 high-or-critical-severity bugs we’ve reported have now been patched, and 65 of those have been given public advisories,” the post states, then explains that low fix rate by revealing Anthropic is “still early in the 90-day window that’s set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon.” The company thinks it is also “likely to be undercounting patches because some vulnerabilities are patched without a public advisory.” Lastly, the flood of bugs Mythos found “is adding to an already overloaded security ecosystem.” Anthropic’s suggestion for security teams struggling to develop fixes for bugs AI discovered is, unsurprisingly, more AI such as skills that improve its Claude model’s ability to help developers. ®

OPINION Dirty Frag, Copy Fail, and Fragnesia are less a random cluster of Linux bugs and more the public unveiling of how AI tools can pry open security holes with just a prompt or two. What they also have in common is their shared abuse of a core kernel abstraction: The page cache. What does this mean for you and me? Is this the rainstorm before a downpour of killer Linux security problems, or is this just a shower? It depends on who you ask. Whatever else may be true, these problems must be addressed. As Igor Seletskiy, CEO of CloudLinux, said: "The real story here is that we typically see one or two kernel-level LPE (Linux privilege escalations) vulnerabilities that affect multiple distros/versions per year. And now we see two such vulnerabilities one week apart. We should expect this trend to continue for quite a few months, meaning companies might have to reboot servers weekly." Ouch! But is this the start of a trend? Linus Torvalds, who knows a thing or two about Linux, said at Open Source Summit North America in Minneapolis that until recently, the kernel community would quietly notify distributions about a bug and ask them to upgrade without detailing the vulnerability, and "most of the time, nobody would figure out what happened." That was then. This is now. With AI‑accelerated analysis, he recalled that "last week, we fixed the bug; within three hours, there was a blog post about the implications of that bug fix, because security people love getting attention." As a result of this kind of thing, Torvalds has changed how the Linux security community will deal with AI-discovered security holes. "AI-detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved – and only makes that duplication worse because the reporters can't even see each other's reports." In addition, Torvalds added, in the case of AI-discovered bugs, you need to keep in mind that just "because you found it with AI, 100 other people also found it with AI." That means we're going to hear a lot more about Linux security problems. But are they getting worse? I asked Greg Kroah-Hartman, the Linux stable kernel maintainer, and he told me: "Maybe? It's hard to tell; the 'recent' ones really are very minor, as the number of systems that have 'untrusted users' is not common anymore. I don't see any real uptick in our actual bug fixes that I can tell." He continued: "We fix bugs like that on a daily basis, it's just the rise of people wanting to 'name a bug' and release a public exploit seems to be all the rage at the moment." An important point that Chris Wright, Red Hat's CTO, made at Red Hat Summit, the week before, is that in "security, all things aren't created equal. There will always be a spectrum of vulnerabilities that will surface. Some of those will be really critical and we will need to respond very quickly, so that becomes a clear priority. Others will have a longer tail of lower severity." Torvalds also added at Open Source Summit that just because you read stories about Linux and AI-discovered bugs, you shouldn't think the same thing isn't happening to proprietary software, such as Windows. "If you think that AI can't reverse engineer closed source, you're in for a surprise." In fact, he warned, "closed source is even worse in this respect, because the AI can't help you fix those problems, but the AI sure can help find those problems in the first place." He also discouraged security researchers from publishing working exploits: "When it comes to things that really are security issues, you may not want to make the exploit public… Don't be that guy who then crows about it publicly and says, 'Look, I could bring down this big company.'" Following on this theme, Christopher "CRob" Robinson, chief security architect for the Open Source Software Foundation (OpenSSF), told The Register that thanks to AI, "roughly 30 percent of reported Linux security bugs were duplicates. That's going to be another problem in this AI age, where everybody's a researcher, right, with a $20 cloud code account." That, in turn, will burden already overworked maintainers with yet more patches to deal with. Linux, Torvalds added, is something that its maintainers can handle. Smaller open source projects, however, are all too likely to be overwhelmed. The real problem, according to what the Google Threat Intelligence Group has discovered, is that the mean time to exploit (TTE) for vulnerabilities has continually decreased "from 63 days in 2018 to -1 day in 2024 and further downward to an estimated -7 days in 2025. A negative number indicates that exploitation of a vulnerability, on average, occurred before a patch was released." So what does this mean? Yes, we're going to see a lot more security vulnerabilities showing up in Linux and other open source projects. Yes, some of them will be serious, and all too many will have exploits out before the patches arrive. It's not, however, that Linux has suddenly become less secure. It's that AI eyes are much better at detecting bugs than human eyes have ever been. We will catch up, and AI can help with that, too. In the meantime, system administrators and developers will have to be more security-conscious than ever before. As Wright told The Reg, it's high time we switched from using SELinux in permissive to restrictive mode. Enforcing strict security is a pain, but what's even more of a pain is having to rebuild your containers and servers after a serious attack gets through. ®

A solo Russian-speaking threat actor used a jailbroken Google Gemini in a fraud and credential-theft campaign targeting hardcore Trump supporters and conspiracy theorists. Between September 2025 and May 2026, the “low-skilled” scumbag using the handle bandcampro partnered with the LLM to impersonate an American veteran, run a Telegram channel (@americanpatriotus), hack admin credentials, and steal cryptocurrency, according to a threat report from TrendAI. His only "real cost" in the operation was stolen API keys. Bandcampro ultimately reached about 17,000 subscribers, used 73 likely-stolen Gemini API keys, hacked 29 WordPress admin credentials, infiltrated at least one company, and emptied at least one victim’s cryptocurrency wallets, according to TrendAI researchers Philippe Lin, Joseph C Chen, Fyodor Yarochkin, and Vladimir Kropotov. The threat-hunters detailed the campaign in a Thursday report, and said while the Telegram channel dates back five years, bandcampro’s success skyrocketed once he started using AI-generated content last fall. "We have reached an inflection point for cybercrime conspiracies,” Tom Kellermann, TrendAI’s VP of AI security and threat research, told The Register, adding that “bandcampro's conspiracy underscores the sophistication of the Russian cybercriminal community and how weaponized jailbroken LLMs are manipulated to orchestrate a systemic cybercrime campaign.” Kellermann said the attack “highlights LLMs' Achilles heel, which is the tremendous exposure to API attacks." TrendAI researchers discovered the scammer’s infrastructure in May, which exposed the full contents of the individual’s operational environment. He used Google Gemini to generate the Telegram channel text and Venice.ai to power an interactive chatbot designed to simulate a Quantum Financial System (QFS) terminal. Neither Google nor Venice responded to The Register’s requests for comment. The campaign targeted the QAnon and MAGA communities, mimicking the cryptic, anonymous “Q drop” messages at the heart of the QAnon conspiracy, but the researchers say his “use of information operation techniques was more likely for cryptocurrency fraud instead of political motives,” based on the content posted, and the stock remote access trojan (RAT) used alongside other commercial malware. On September 9, 2025, the actor posted a fake "freedom-first, self-custody wallet" called StellarMonster, with a welcome bonus of up to 1,000 XLM (about $380) on the Telegram channel. It was an executable named StellarMonSetup.exe. Malware analysis determined that in reality, StellarMonSetup.exe is a legitimate remote access tool called GoToResolve, which gives the operator a persistent remote desktop session with file access, command execution, and clipboard capture. Plus, any subscribers who used the "import your wallet" function and typed their seed phrase into the fake import screen gave the attacker their wallet keys. “At least one victim's crypto-wallet was fully compromised: password cracked, 12-word mnemonic stolen, and the owner's 40+ wallet addresses harvested across all major chains,” the researchers noted. The attacker also used an AI-powered brute-forcing tool to hack WordPress accounts, we’re told. “The script is built on the premise that people mutate familiar base passwords in predictable ways, and Gemini 2.5 Flash can model the mutations when supplied with static wordlists,” Trend wrote. In total, the AI-assisted WordPress hacking operation cracked 29 WordPress administrator accounts, including those belonging to weapons retailers, legal offices, medical practices, and small commercial sites. During his conversations with Gemini, bandcampro asked questions like: “When the bot accumulates 5,000 active users, how much can we earn from one pump-and-dump cycle?” The criminal also asked how professional crypto call centers scam North American victims and Gemini suggested Medicare and/or Health Canada fraud targeting the elderly. The Russian speaker also automated his content campaign through a pipeline he named "Quantum Patriot," a set of Python scripts that called Gemini to role-play as an American veteran patriot. The pipeline fed a preset list of newsfeeds into the LLM and Gemini rewrote them, prompted to act as an admin of an “American Patriot” channel looking for “hidden angles.” The crypto- and credential-thief also used Gemini to help him hack, set up a command-and-control framework - including a mail-testing tool, a Gmail aggregator, and an anonymous proxy on a VM in the Netherlands - steal and validate credentials, and run the chatbot. “In the anatomy of one busy working day, Gemini deployed servers, helped debug code, automated workflows, wrote a script to rotate API keys, and managed the actor’s Cloudflare tunnels,” the TrendAI researchers wrote. “The actor prompted in Russian, while the LLM reasoned and replied in English. Over one 16-hour session, the actor co-worked with Gemini end-to-end." At one point, after a nine-hour pause from the human partner, which the authors say “was likely a 9-hour sleep,” bandcampro found the bot posting every 20 minutes without a break - but with Russian slang appearing in the English posts. So he opened another session to fix it. “What previously required a team of writers, social media managers, IT workers, and malware programmers can now be automated by a single actor using a VPS, a Telegram bot, and API access to frontier models,” Trend’s team warned. ®

A malware-spreading scumbag swimming through GitHub pushed malicious commits to more than 5,500 repositories on Monday as part of an automated campaign called Megalodon. Similar to the earlier TeamPCP attacks that poisoned about 3,800 GitHub repositories, this new campaign has so far infected 5,561 repos with CI/CD credential-stealing malware, according to SafeDep researchers, who uncovered the predatory commits and published a full list of the compromised repositories. If a repository owner merges the commit, the malware executes inside their CI/CD pipeline and propagates further, Ox Security lead researcher Moshe Siman Tov Bustan said in a Thursday blog post. Megalodon steals AWS secret keys and Google Cloud access tokens. It also queries AWS, Google Cloud Platform, and Azure metadata for instance role credentials, reads SSH private keys, Docker and Kubernetes configurations, Vault tokens, Terraform credentials, and scans source code for more than 30 secret regex patterns. Then it exfiltrates GitHub tokens, including secrets used to authenticate with cloud providers, thus allowing attackers to impersonate developers’ cloud identities, along with Bitbucket tokens. In other words: consider ALL of your CI/CD variables pwned. "We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning,” Bustan told The Register. “What’s coming next is an endless wave, a tsunami of cyber attacks on developers worldwide.” Plus, he added, hacking GitHub “compromises the security of every company with a private repository hosted on the platform.” This new wave of supply chain attacks hitting developers’ environments won’t stop until “companies like npm and GitHub take serious action against the spread of malicious code on their servers,” Bustan said. He noted npm’s statement on X saying it “invalidated npm granular access tokens with write access that bypass 2FA” to prevent additional supply-chain attacks like Mini Shai Hulud. “That could help a little with account hijacking, but it doesn’t solve the actual problem,” Bustan said. “Malicious code is still reaching their servers, and nothing is stopping it before it does.” npm … but not TeamPCP SafeDep spotted Megalodon hidden inside a legitimate package: Tiledesk, an open source live chat and chatbot platform. The attacker backdoored versions 2.18.6 (May 19) through 2.18.12 (May 21), and the same npm maintainer published the last clean version, 2.18.5, before unknowingly publishing these newer compromised versions. “The attacker never touched the npm account,” the open source supply-chain security startup researchers said. “They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it.” While publishing malicious packages on npm is a TeamPCP signature move, Bustan said there’s no threat-intel or code-analysis evidence that connects Megalodon to the crew behind the Trivy, Checkmarx, and other recent supply-chain attacks. “Our best guess now is that it's a different threat actor copying their behavior and style, but not much of the code itself,” he told us. And despite TeamPCP open sourcing its Shai-Hulud worm and announcing a supply-chain attack competition on BreachForums, Ox doesn’t believe Megalodon is a contest entry. “We have indications that they are not participating in the TeamPCP contest due to the contest having a specific rule to add a public encryption key that the actor behind the malware could match with his private key to prove his involvement,” Bustan said. Who is built-bot? SafeDep’s threat hunters traced the malicious commit (acac5a9) to an author “build-bot,” connected to the email address build-system[@]noreply.dev with the message “ci: add build optimization step.” The author name and noreply email mimic automated CI commits, and there’s no GitHub account linked to the author and committer user fields. “Someone pushed the commit to master with no PR and no merge commit, using a compromised PAT or deploy key,” according to the researchers. They searched GitHub for other commits authored by the same email address and found 2,878 results, plus a second email, ci-bot@automated.dev, with an additional 2,841 commits. All landed May 18 during a six-hour window (11:36 to 17:48 UTC) and targeted 5,561 repositories. This includes nine compromised Tiledesk repositories: tiledesk-server, tiledesk-dashboard, tiledesk-telegram-connector, tiledesk-llm, tiledesk-docker-proxy, tiledesk-community-app, tiledesk-campaign-dashboard, tiledesk-helpcenter-template, and tiledesk-ai. Others include Black-Iron-Project with eight compromised repos, WISE-Community, and hundreds of smaller repositories. ®

The US President’s oft-maligned Trump Mobile venture may be facing another setback after a security buff claims he discovered a now-plugged website vulnerability that he says was leaking what could be tens of thousands of suckers' customers' details. The individual behind the discovery, who goes by "Louis," says he's a self-taught tech tinkerer and described himself as "just a nerd between jobs with too much time on my hands." He reckons the website’s data could be scooped up with a simple POST request. “It wasn't SQL. That wouldn't be as bad,” he told The Register. “It was a really simple HTTP request. POST, and then just asking for the info I wanted, basically.” More than 27,000 people who ordered from Trump Mobile, the President’s all-American smartphone and cell service brand, had their data flimsily secured online, Louis claimed. Louis, a long-serving IT professional who refuses to be called a security researcher, said the types of data he was able to gather included: first and last names, primary addresses, secondary addresses, email addresses, phone numbers, customer/account numbers, "enrollment ID" (pre-order number), and whether the order was placed by phone or online. “I discovered it first by looking into the site to see if I could find how many orders there actually were, and noticing some API endpoints,” he added. “I tried a couple of basic commands, and then it started showing whatever data I wanted. “It was as easy as going to the website and writing a very simple HTTP POST request into the console.” The website flaw only allowed him to return ten customer records at a time, he said, but these records all contained a customer number, which Louis used to loop through them all. In the space of an hour, the method allowed him to access the records of around 5,000 Trump Mobile customers, he claimed. After confirming the issue was valid and that all the data his script scooped up was deleted, Louis tried to disclose his findings to Trump Mobile, and anyone else who could take action, but received no response, although someone appears to have fixed the issue. The Register also tried contacting Trump Mobile but similarly received nothing in return. Out of options for disclosure, Louis decided to go public, informing two prominent YouTube creators and known orderers of the Trump T1 phone, Stephen “Coffeezilla” Findeisen and Charles “penguinz0” White Jr., whose respective videos covering his findings have jointly gathered millions of views. Trump T1 begins shipping Trump Mobile’s flagship device, the T1 Android smartphone with the gold-colored casing, began showing up at pre-order customers’ doors this week, after originally being slated for an August 2025 release. The brand’s entire schtick since first being announced in June 2025, around the time of a significant escalation in US-China trade war conflict, was that everything was going to be “Made in America.” Early renders of the proposed T1 showed what appeared to be an iPhone-like device – gold-colored, of course – but those who received their orders this week confirm it is just a reskinned HTC U-24 Pro, a mid-range Android from the Taiwanese tech biz which first hit the market in June 2024. The American flag embossed on the back of the device also only has 11 stripes instead of 13, although all the stars are present and accounted for, at least. When the President’s sons launched the Trump Mobile Brand last year, they promised the devices would be manufactured in America, although the company soon dropped this from its marketing. The T1 comes loaded with 512GB of storage, a 120Hz display, a Snapdragon 7 chip, and, of course, Truth Social pre-installed. Customers can order now to lock in what the company calls promotional pricing, picking up the T1 for $499. It is not clear what this may rise to in the future. You can pick up a standard HTC U-24 Pro 512GB model for roughly the same price, depending on the retailer. ®

Cisco tested AI’s ability to write an accurate report on a tabletop security incident response exercise, and found that while the tech can save time, many risks remain. The networking giant revealed its results in a Thursday blog post https://blogs.cisco.com/security/ai-generated-reporting-lessons-learned-from-talos-incident-response by Nate Pors, a senior incident commander in the Cisco Talos Incident Response team. Pors opened by observing that when to used generate long-form technical content, large language models can deliver “significant inaccuracies, unusual conclusions, and inconsistent writing styles.” LLMs make those mistakes because they’re essentially a fancy autocomplete system that makes educated guesses. Pors wrote that the nature of LLMs therefore sees them mess up in four ways: Using different data for each query, which means it’s “difficult to rely on an LLM for repeatable, standardized research outcomes.”Reaching different conclusions from the same data. “In a data breach scenario, a model might suggest a full organization-wide password reset in one instance and a targeted reset in another,” Pors wrote and AI then “often defaults to whichever recommendation it generates first” – and may therefore give bad advice.Because LLMs generate content token-by-token, they can create documents with different structure and formatting on each new run. “This unpredictability is problematic for professional environments where standardized layouts, such as consistent executive summaries or recommendation sections, are essential for quality control,” the Talos man observed.AI can discard data, so its output might ignore critical information.Talos developed several techniques to stop this sort of thing happening. One involves giving an LLM “granular, single-task instructions” that focus on “a specific, small portion of the report.” Doing so means “risk of hallucination or cross-contamination between sections is significantly reduced.” Telling an LLM which sources to use also helps. So does setting rules about the style and format of output. Using those techniques, Cisco says the time required to draft an incident report based on a tabletop exercise fell by 50 percent. "A blind test of the sample report in our quality assurance process showed no noticeable drop in overall writing quality," Pors wrote. "The peer reviewer, professional editor, and management reviewer all made complimentary comments about the report while unaware that it was AI-generated. The peer reviewer commented that the incidence of typos and grammatical errors was far lower than in the average report." But the Talos team also found “editing multiple sample reports within a single session resulted in cross-contamination of content from one report’s source material to another, even if the notes used to generate the first report were deleted from the project’s reference documents.” The researchers therefore recommend starting a new session, and re-entering prompts, for each new incident report. They also developed a spelling-and-grammar-checking prompt that “hallucinated numerous grammar issues … failed to identify actual issues,” had a success rate below 50 percent and “would behave inconsistently, sometimes catching issues and sometimes overlooking them. “It is currently unsuitable for production use,” Pors concluded. Pors said Cisco concluded that its approach “could be adapted to any cybersecurity reporting use case with standardized inputs and predictable outputs," but also warned authors must "take ownership of every word of the final report." "While testing, we found that the LLMs generated recommendations that were duplicative, irrelevant, or not actionable. If this were used in a production environment without manual checks, it could result in poor-quality recommendations in a final report." Those problems arose when considering a tabletop exercise, a far simpler affair than analysis of an incident that involves analyzing log files from multiple systems. ®

Democratic lawmakers on Thursday blasted President Trump’s spending priorities – specifically a proposed $1 billion White House security and ballroom project and a nearly $1.8 billion “slush fund” for Trump allies tied to the January 6 Capitol riot – as his administration pushes deep cuts to cybersecurity funding. US Representative Delia Ramirez (D-IL) decried the president's priorities as Congress weighs reauthorization of the State and Local Cybersecurity Grant Program (SLCGP), a funding effort that began in 2022 and earmarked $1 billion to state and local governments over the next four years to help mitigate cyber risks. "Budgets are moral documents, and spending a billion dollars on a ballroom, which is what the president wants, or $1.7 billion to incentivize insurrectionists while we still are waiting for the reauthorization of this critical grant program, says a lot about where priorities are right now with this administration," she said during a House Homeland Security subcommittee hearing on state and local cybersecurity. Another Democrat on the committee, Rep. James Walkinshaw (D-VA), noted the US Cybersecurity and Infrastructure Security Agency (CISA) also eliminated federal support for the Multi-State Information Sharing and Analysis Center (MS-ISAC), which used to provide free and low-cost threat detection and response services to state and local governments. The MS-ISAC has since shifted to a fee-based model to support the state threat sharing program. This means, as expert witness Samir Jain, VP of policy for the Center for Democracy and Technology, testified, “jurisdictions that most need the help are least likely to be able to afford it. Smaller jurisdictions, because if they don't have the resources and the money to join the ISAC, they probably also don't have the resources and the money to buy equipment, to buy network monitoring tools, to have cybersecurity staff. It's the ones who need it the most are the least likely to be able to get it as a result.” Walkinshaw also pointed out that CISA’s 2025 budget was about $3 billion. President Trump proposed slashing the cyber-defense agency’s spending by $707 million in 2027, to just over $2 billion. This is on top of the $135 million in cuts to CISA, along with about a third of its workforce (close to 1,000 people) since Trump returned to office. “So we are looking at a one-third cut in federal funding for cybersecurity,” Walkinshaw said. “If President Trump gets his way, we'd be spending a billion dollars for the ballroom and $1.8 billion for the January 6 slush fund – $2.8 billion just on those two items, $800 million more than his total commitment to cybersecurity.” Meanwhile, other expert witnesses who testified before the committee, all IT and security chiefs from Tennessee, New York, and Florida, implored the lawmakers to spend more – not less – on state and local infosec. “State and local governments operate critical systems that citizens rely on every day, including emergency services, schools, utilities, courts, and public infrastructure,” Tennessee CIO Kristin Darby told lawmakers. “Those systems are increasingly targeted by criminal organizations and nation-state actors,” she said, adding that “demand for cybersecurity support far exceeds the current funding levels.” As AI-enabled attacks, ransomware infections, and cloud-based system intrusions accelerate across Tennessee, “many local governments across our state have little or no dedicated cybersecurity staff,” Darby continued. “This creates a dangerous imbalance between highly sophisticated attackers and severely resource-constrained defenders.” New York state director of security and intelligence Colin Ahern urged lawmakers to “reauthorize and fully fund the state and local cybersecurity grant program, which is the single most consequential investment in the cyber protection of state and local governments in this country.” He also advocated for frontier-model AI access for state and local governments, which are tasked with protecting the power grid, drinking water supply, public health systems, and other critical operations. “We cannot do that while frontier defensive AI capabilities are restricted to federal partners and a handful of large enterprises,” Ahern said. “Cybersecurity is the silent partner of democracy,” he continued. “When the utilities, school districts, and state and local governments that constitute the operational fabric of American life are hollowed out by cyber attacks, the institutions that support our democratic life are hollowed out with them.” ®

You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account. Bad news: According to security researchers at Aikido, people can use the API keys for up to 23 minutes after a user deletes them, creating a window of opportunity that, when combined with Google’s automatic billing tier upgrades, can devastate victims. “We've identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,” Joseph Leon, a security researcher with Aikido, told The Register. “In that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.” Aikido tested the gap during 10 trials over two days. In each trial, researchers created an API key, deleted it, and then sent three to five authenticated requests per second until no valid response came back for several minutes. From the time a user deletes the Google API key to when it can no longer be used propagates gradually across Google's infrastructure, he said. Some servers reject the key within seconds while others keep accepting it for 23 minutes. What this means is that an attacker holding a deleted key can repeatedly send requests until one reaches a server that has not caught up, Leon said. If Gemini is enabled on the project, they can dump files that were uploaded and exfiltrate cached conversations. The paper cited a similar problem researchers disclosed in December involving AWS keys. In that case, after deletion, attackers had a four-second window to exploit, and researchers showed how they could create new credentials in that time. “Four seconds was enough to matter on AWS,” Leon wrote in the paper. “Given recent attention to Google API keys used to access Gemini, we set out to measure how long Google's API key revocation window remains open.” Flaws can hit devs with huge surprise bills The Register has reported numerous cases of Google API key abuse in which developers are suddenly hit with five figure bills after their credentials are compromised. The problem was compounded in April after Google reworked its billing policy to include spending tiers for users. While developers initially thought of it as a way to limit costs, Google automatically upgrades that spending tier to the next highest level without their knowledge. For users who have been working with Google for more than 30 days and have spent more than $1,000 over the lifetime of the account, their cap can be increased from $250 to $100,000 if their usage spikes – a windfall for crooks if the credentials fall into the wrong hands. Developers whose Google API keys were stolen told The Register that their bills rocketed up to five figures minutes after their credentials were stolen, as bad actors loaded up on Google’s Gemini models such as Nano Banana and its video production model Veo 3. Google issued refunds in the three instances that The Register brought to its attention, returning $154,000 to those developers. The victims told The Register that, during the attack, they were frantically trying to shut down the spending and turn off access to their projects even as costs climbed by thousands of dollars. Leon said in cases where a Google developer tries to shut off access to their account, deleting the API key will still give crooks time to inflict damage. “It's hard to put a dollar figure on it,” Leon told us. “The window averaged 16 minutes in our testing and stretched to nearly 23 at the worst. During that window, the success rate is wildly unpredictable. We saw minutes where over 90% of requests still authenticated, and others where fewer than 1% did. An attacker who knows this can send requests at high volume to maximize their odds of hitting a server that hasn't caught up. For Google API keys with Gemini access, the damage isn't just a compute bill. It's the files and cached context an attacker can exfiltrate before the key actually dies.” Using VMs, Aikido tested its findings across three Google Cloud regions – east coast US, western Europe, and southeast Asia – then they spot checked those results on different dates. For each trial, Aikido deleted a single API key and sent requests from each of the three VMs in parallel, Leon wrote in the paper. “VMs further from the US picked up the deletion faster, which is the opposite of what you'd expect. We can't say exactly why from the outside. Google's request routing is more complex than ‘VM region equals server region,’ and a VM in Singapore isn't necessarily talking to servers in Singapore,” the paper states. “But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference.” The trial used keys with access to Gemini, but he observed the same behavior with keys scoped to other GCP APIs, such as BigQuery and Maps. Google has built faster revocation for other credential types, Leon said. He said Google’s service account API credential revocations propagate in about 5 seconds. Gemini's newer API key format – the one that starts with AQ – propagates in about a minute. “Both run at Google scale. Both suggest this is technically solvable for Google API keys, too,” Leon wrote. But Google told Aikido it has no plans to address the 23-minute gap researchers found with its other API keys. “After reviewing our report, they closed it as ‘Won't Fix (Infeasible)’ with the comment ‘the delay due to propagation of the deletion of these keys is working as intended,’ “ Leon told us. The Register has reached out to Google about this research, but has not yet received a response. ®

Finding vulns just doesn't pay like it used to. At least one bug hunter who found an open source security flaw and reported it months ago via HackerOne’s backlogged Internet Bug Bounty (IBB) program finally got paid for his work - but at a drastically reduced reward rate. The security researcher found a medium-severity vulnerability that previously paid $1,843. As of Monday, HackerOne’s IBB pays $297 for the same severity level. Similarly, the new IBB cash prize for a critical vulnerability is $2,257, compared to the previous $9,250 reward. High-severity bugs now fetch $1,009, while they used to earn a $4,429 payout. And low-severity bugs earn researchers $68, compared to the previous $597 reward. HackerOne’s IBB remains on a break, and is not accepting new submissions. “The IBB program is currently paused while we evaluate adjustments to the program that will maximize value to researchers, sponsors, and the open-source ecosystem,” a spokesperson told us. “We remain committed to strengthening open source security through ethical security research.” When asked if AI-generated reports played a role in the pause and reduced reward amounts, a spokesperson didn’t give us a direct answer. “The Internet Bug Bounty is a unique, dynamic program where bounty levels automatically adjust based on the contributions from active participating sponsors,” the HackerOne spokesperson said. “Payouts under this program are regularly adjusted accordingly, as provided in the IBB program description.” Tale of two hackers Back in January, The Register talked with hacker Jakub Ciolek, who told us he reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne’s IBB program last fall. Both were assigned CVEs and fixed. Ciolek expected to receive about $8,500 for the two flaws - but instead HackerOne ghosted him for months, finally sending him an email after The Register reached out to the bug bounty platform. HackerOne thanked him for his patience and said his bug reports remain "pending reward processing due to a temporary operational backlog." Shortly after, we heard from another researcher in a similar situation. “I still hope to get some bounty some day for it,” the bug hunter told The Reg, noting that HackerOne set an end-of-March deadline to sort the backlog. On Wednesday, this hacker told us he finally received a bounty announcement and payout from HackerOne, although at $297, it was less than expected, as the payout amounts changed after they submitted their report. “I am glad I finally got something,” they said. Ciolek said he’s still waiting for any word from HackerOne, and told us repeatedly that this isn’t about the money. “The reduced payout is a symptom,” he said. “The economics of vulnerability reporting are changing very quickly.” Until just a few months ago, project maintainers - and bug hunters themselves, Ciolek included - dismissed this as an AI-slop problem. Recently, however, as models have gotten exponentially better at writing code and exploits, open source projects can’t keep up with the pace of bug reports, which still require humans to evaluate them. "Over the last few months, we have stopped getting AI slop security reports in the curl project,” Daniel Stenberg, founder and lead developer of curl, famously said in a social media post. "They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI." Linux kernel maintainer Greg Kroah-Hartman also noted in an interview with The Register how AI-assisted bug reports contained less slop and more valid concerns. On Sunday, Linux kernel boss Linus Torvalds declared that the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports. “The recent Linux security mailing list situation is a clear signal: AI-assisted reports are increasingly real enough to matter, but numerous enough to overwhelm the people who have to validate and fix them,” Ciolek told us. “Bug bounties were supposed to reward what was scarce,” he continued. “That used to be discovery. Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped.” While Ciolek says he’s sympathetic to changing economics, and overworked, underpaid open source project maintainers' capacity to investigate every serious-looking security report, the trust issue between researchers and bug bounty programs remains. “The trust issue here is that the change was effectively applied long after the work was already done, fixed, and publicly credited under a different expectation,” Ciolek said. “Responsible disclosure depends on researchers believing the process is predictable. The rules should not change after the work is complete. Serious researchers will price that in as risk, or they will stop participating.” Ciolek says he’s no longer actively doing bug bounty research - but will report serious issues as he finds them. “With the current flood of findings, I don't want to add more volume unless I'm confident the issue is serious enough,” Ciolek said. “In this AI-assisted era, the valuable work is no longer just ‘I found another bug.’ It is ‘I verified this matters and helped get it fixed.’ I think the original discovery-first bug bounty model is becoming obsolete. The next model has to reward more of the remediation cycle, not only the finding.” ®

Users of the Myspace93 parody web art site be warned: the dataset spilled after a reported breach in 2021 included the plaintext usernames and passwords of more than 46,000 registered users. The site's co-creator has blamed "trusted members" of a Windows93 Discord channel for the leakage. The figure of 46,000+ users is a recent estimate from HaveIBeenPwned (HIBP) - the web's go-to breach aggregator - which ingested the related data this week, more than five years after the January 2021 attack. In addition to the clear-as-day passwords and usernames, HIBP said email addresses and IP addresses were also among the exposed data. Myspace93 is an offshoot of the Windows93 project. They’re both websites that spoof the old social media network and operating system respectively, allowing users to experience them now that they’re long gone. Its co-creator, who only goes by the alias jankenpopp, or Janken, penned a note to the website’s users following the attack. Dated July 4, 2021, Janken explained that the breach came about after they shared a beta app with trusted members of the Windows93 Discord channel. According to Janken, those members betrayed the co-creator and used their access to the beta application to steal server files and gain access to an unencrypted credential store. “None of them alerted me immediately to what was going on,” Janken wrote. “On the contrary, they created a program to download our entire server, and it was only a week later that another honest user alerted me to the fact that these people were bragging about having the Myspace passwords. “They didn't want to tell me the truth, and it took me two days to get a confession from them: not only had they downloaded all the source files of Windows93 behind my back, but also the unencrypted file containing the passwords of more than 45k Myspace users. The group had also shared a download tool - along with instructions for using it - in their chat, and had posted numerous stolen files (unrelated to Myspace) across multiple platforms, said Janken. “I removed the .smash app from the server and called them to order. They whimpered and promised me on their honor to delete all the stuff and that things would not go any further. I believed them because at the time we were very close, we talked every day, and they regularly helped me to manage the community, to fix bugs, sometimes to code new features for Windows93 or to make the services more secure. I really trusted them back in the day and considered them part of my team. I blame myself for being so naive.” The MySpace93 website is still up and running for anyone who wants to revel in a little noughties internet nostalgia, but the ability to register an account and use the site as a social network is closed. Affected users should make sure they watch out for any reused passwords on other sites and switch on 2FA where they can. Janken said they had closed all the social network-related services across all the Windows93 offshoots as a result of the findings. ®

Cisco has disclosed yet another perfect 10 vulnerability, this time warning that unauthenticated attackers could gain Site Admin privileges in its Secure Workload platform simply by sending crafted API requests to vulnerable systems. The bug, tracked as CVE-2026-20223, earned the full 10.0 CVSS treatment and affects Cisco Secure Workload Cluster Software in both SaaS and on-prem environments. According to Cisco's barebones advisory, the issue boils down to weak validation and authentication checks in internal REST API endpoints. In practical terms, that means attackers don't require credentials, user interaction, or any significant effort to exploit the bug. Cisco said a successful attack could allow remote attackers to "read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user." Cross-tenant bugs tend to make cloud customers especially twitchy because they undermine one of the core assumptions of multi-tenant infrastructure: namely that somebody else's compromise is not supposed to become your problem. Cisco noted that the flaw affects internal REST APIs rather than the platform's web management interface, although that distinction is unlikely to bring much comfort to admins staring at a 10.0 severity score. The networking giant said there are currently no workarounds, and customers must install fixed releases to fully remediate the issue. Cisco Secure Workload 3.10 is fixed in version 3.10.8.3, while 4.0 is fixed in 4.0.3.17. Customers running version 3.9 or earlier are being told to migrate to a supported fixed release. Cisco added that its cloud-hosted SaaS deployments have already been patched and require no customer action. Cisco said it is not aware of active exploitation and that the flaw was discovered during internal security testing, though vulnerabilities carrying a 10.0 score and requiring no authentication rarely stay quiet for long. The bug lands less than a week after Cisco disclosed another maximum severity flaw affecting SD-WAN systems that could allow attackers to grant themselves administrator privileges, continuing what is becoming an increasingly awkward run of top-scoring Cisco security advisories. The company has spent much of the past year disclosing one 9.8-plus infrastructure flaw after another across products spanning firewalls, management platforms, identity systems, and enterprise networking gear. At this point, Cisco seems to be treating 10.0 CVSS scores as a recurring feature rather than a special occasion. ®

Microsoft on Wednesday open-sourced two AI tools designed to help developers and security teams build and maintain safer AI agents. The first is called RAMPART, which stands for Risk Assessment and Measurement Platform for Agentic Red Teaming. It’s a pytest framework for agentic AI applications built on Microsoft’s open‑source PyRIT toolkit that embeds automated red‑team tests into CI/CD pipelines. This allows developers to simulate real‑world attack scenarios - like prompt injection - and verify that agents stay within approved tool use, actions, and behavioral boundaries. It also supports statistical trials, meaning that teams can set policies such as “this action must be safe in at least 80 percent of runs,” to account for models’ probabilistic behavior. Plus, it allows red teams and incident responders to reproduce any AI security findings to ensure agents behave as intended - and that security mitigations work as they should. “It’s high time we stop talking about AI safety as a philosophy and start thinking about AI safety as an engineering discipline,” Ram Shankar Siva Kumar, Microsoft’s data cowboy and founder of its AI red team, told The Register. Microsoft has been using RAMPART internally, and while Kumar said he couldn’t provide specific details, he told us that a security researcher found an issue, and then the Redmond red team used RAMPART to test for the flaw across the agentic AI application. “RAMPART was able to take that one particular vector and find close to 100 different variants of that vector,” Kumar said. “And then we were able to use RAMPART to essentially go through this asset and see is this working, not just one time, not two times, but close to 300 times. We were also able to do in the context of multi-turn conversations.” The testing framework also allowed the developers to build mitigations into the product. “They were again able to use RAMPART to see if that remediation actually held water, not just against one vector, which the security researcher found, but multiple variations of those vectors,” Kumar explained. “This is empowering our incident responders and also our engineers.” The second AI tool that Microsoft open-sourced on Wednesday is an agent called Clarity, and it’s designed to serve as a “structured sounding board that helps teams figure out whether they are building the right thing before they write a single line of code,” according to a Wednesday blog that Kumar wrote about the two new tools. For example, say a developer wants to add real-time collaboration to a document editor. They tell Clarity this, and the agent responds with questions akin to what “experienced architects, product managers, and safety engineers would ask,” according to Microsoft. Clarity’s answers, as shown in a screenshot on GitHub: “Before we design that - what happens when two people edit the same paragraph at the same time? Do you need true real-time (cursors, presence), or is ‘no one loses work’ the actual requirement? Those lead to very different architectures.” The AI tool essentially aims to answer what problem the developer is trying to solve with an app, and what could possibly go wrong, and “talk” these issues out before the coding even begins. “It’s inherently collaborative,” Kumar said. “It helps the team take a step back, and say, ‘Hey, before we build this, are we going in the right direction? Because code is cheap. It takes a snap of a finger to generate a full system. Are we doing this in a way that makes sense?'” ®

PWNED Welcome once again to PWNED, the column where security flubs are held up to the harsh, piercing red light of the vulture signal. This week’s sad story concerns a municipality that failed to perform basic account housekeeping and paid for it dearly. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our tale of tech missteps comes courtesy of Nicole Beckwith, who serves as the senior director for security engineering and operations at Cribl, an AI platform for telemetry. She used to work as a consultant, and at one point was hired to investigate breaches in an American city’s network. A threat actor took a “leisurely tour” of the city’s online resources and had started messing around with conference room projectors and other relatively harmless endpoints. Then they realized that they could change settings with the water utility where they switched many controls off, potentially endangering the water supply. When Beckwith investigated, she found that all of the mischief was performed by an account that belonged to “Greg from Auditing.” There was just one problem. Greg hadn’t worked for the city for many years. Unfortunately, even though Greg was no longer around, his account was, and it retained extensive privileges, including domain admin rights, SCADA (Supervisory Control and Data Acquisition) operator access, and even the ability to perform help desk functions. It’s unclear if someone from auditing ever needed this level of access, but a former employee definitely did not. It wasn't Greg himself who hacked the network. But he had used his work email address to sign up for various online accounts, some of which may have been exposed in previous data leaks. She speculates the hackers saw an email address with a .gov in it and decided to try their luck with the leaked password that went along with it, and that Greg likely used the same password for work that he did for these outside services. We have a few takeaways here. First, the people who ran IT security for the city should have both deleted Greg’s account when he left and done periodic audits to see who had access and whether they should still have it. Second, Greg should have kept his work credentials separate from third-party services like shopping and social media sites. And he should not have used the same password in multiple places. “The lesson, beyond the obvious 'please, for the love of all that is holy, audit your dormant accounts,' is that every forgotten user is an easy ticket to being on the 5 o’clock news,” Beckwith told The Register. “Quarterly access reviews should be mandatory because everyone seems to think when a user leaves, that is the end of it and someone surely terminated access, deprovisioned accounts, removed access to tools, mobile communications, email and other business critical systems, but sadly I’ve responded to way too many incidents like this one because of this simple control which is often overlooked." ®