The Register

CISA gives federal agencies 4 days to patch

America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes.…

Data from browsers, cryptocurrency wallets, 200+ extensions hoovered up

A ClickFix campaign targeting macOS users delivers an AppleScript-based infostealer that collects credentials and live session cookies from 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions.…

Plus: Court papers reveal nonprofit paid a ransom worth nearly $26.8 million

The third of three former ransomware negotiators accused of assisting the ALPHV/BlackCat ransomware gang in extorting US businesses has pleaded guilty, months after his two co-workers did the same.…

CEO suspects silicon sidekick behind 'surprising velocity' breach - cyber crims shop stolen data for $2M

Vercel's CEO reckons the crooks behind its recent breach likely had a helping hand from AI, saying the attackers moved with "surprising velocity" and a deep understanding of the company's infrastructure.…

Mexican IT services firm admits it was hacked, but says client operations weren't affected

A Mexican IT infrastructure and digital transformation biz is on clean-up duty after a criminal posted screenshots of what they claimed was company video surveillance footage to a cybercrime forum.…

No facial recognition privacy intrusions either! Well, maybe a little

London's Metropolitan Police is trialing new retail technology to help curtail the city's pervasive shoplifting problem… and it doesn't rely on live facial recognition (LFR).…

Fake emails already doing the rounds as ransomware crew boasts about what it allegedly stole

UK enterprise software consultancy The Adaptavist Group is investigating a security breach after an intruder logged in with stolen credentials, while a ransomware crew claims it grabbed far more than the company is currently admitting.…

Admins are tired of taking photos, so this enables secure on-site unattended enrolment

Japanese industrial giant Panasonic has created a new form of QR code it says will only work on designated devices and environments.…

And China is loving it

Iranian media is claiming that the US used backdoors and/or botnets to disable networking equipment during the current war, and Chinese state media is dining out on the allegations.…

A lesson in how not to respond to vulnerability reports

Vibe-coding platform Lovable is pooh-poohing a researcher’s finding that anyone could open a free account on the service and read other users' sensitive info, including credentials, chat history, and source code. However, the company’s story keeps changing: First it attributed the publicly exposed info to "intentional behavior" and "unclear documentation," then threw bug-bounty service HackerOne under the bus.…

Installation and pre-approval without consent looks dubious under EU law

One app should not modify another app without asking for and receiving your explicit consent. Yet Anthropic's Claude Desktop for macOS installs files that affect other vendors' applications without disclosure, even before those applications have been installed, and authorizes browser extensions without consent.…

Tyler Buchanan admits role in scheme that stole at least $8 million in virtual currency

A Scottish man linked to the Scattered Spider cybercrime crew has pleaded guilty in the US to a phishing and SIM-swap scheme that stole at least $8 million in cryptocurrency.…

Out-of-band or out of control?

Microsoft has pushed out an out-of-band update to address the restart loop that hit some Windows Server devices after its April update.…

Blames outfit called Context.ai, which reckons an agentic OAuth tangle caused the incident

Vercel, the company that created the open source Next.js web development framework, has a data leak that led to compromise of some customer credentials, and blamed an outfit called Context.ai for the mess.…

Aren't we all just prompting tokens of linguistic meaning and hoping the other person isn't bullshitting us?

kettle  It's a week of the year, which means there's been the discovery of yet another prompt injection attack that will force supposedly well-guarded AI bots to spill secrets by asking the right way. …

Passing the buck, and the blame, down the road shows lack of AI companies' maturity

OPINION  AI vendors: "You need to use AI to fight AI threats (and do everything else in your corporate IT environment)." Also AI vendors: "That's not a security flaw; it's working as intended."…

Bug hiding in plain sight for over a decade lands on KEV list

CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…

Or, how public information and a €5 tracker exposed an avoidable opsec lapse

Militaries around the world spend countless hours training, developing policies, and implementing best operational security practices, so imagine the size of the egg on the face of the Dutch navy when journalists managed to track one of its warships for less than the cost of some hagelslag and a coffee.…

University student says he plans to move to Android, but concedes iOS engineers acting fast

Apple is finally working on a fix for a bug that has locked some users out of their iPhones for months, The Register understands.…

Pause your Mythos panic because mainstream models anyone can use already pick holes in popular software

Anthropic withheld its Mythos bug-finding model from public release due to concerns that it would enable attackers to find and exploit vulnerabilities before anyone could react.…