The News Desk.
A short editorial column built off the morning cyber briefing. Each post picks a story off the daily feeds and adds the defender-side take — the bit the news write-up usually leaves to the reader. Roughly daily, sometimes less.
- 17 MAY 2026 · nation state · technology · 4 min
  Turla rebuilds Kazuar as a peer-to-peer botnet that elects who talks. Turla has rebuilt Kazuar as a modular peer-to-peer botnet. Compromised hosts elect a single talker to the C2 server. Per-endpoint beacon detection fails by design.
- 15 MAY 2026 · vulnerability · technology · 4 min
  Pwn2Own Day Two — Exchange grabbed the headline, the AI dev tooling slate fell quietly. Day Two of Pwn2Own Berlin paid out another $385,750 across 15 zero-days. Orange Tsai's Exchange chain led the news. The category nobody flagged was AI tooling.
- 14 MAY 2026 · ransomware · healthcare · 4 min
  West Pharmaceutical's 8-K — and the attacker no one will name. West Pharmaceutical filed a clean Item 1.05 cyber 8-K on 7 May confirming data theft and encryption. Ten days on, no ransomware crew has listed them. That gap is the editorial.
- 14 MAY 2026 · vulnerability · policy · 4 min
  NCSC's quiet 'go slow' on AI vulnerability finding. NCSC has published 10 questions to ask before pointing an AI model at your codebase. Read together, they are one question: do you have anywhere to put the vulnerabilities you find?
- 12 MAY 2026 · vulnerability · identity · 4 min
  Google flags the first wild AI-built zero-day. It's a 2FA bypass, and the giveaway was a hallucinated CVSS score. Google's Threat Intelligence Group says cybercriminals shipped the first known in-the-wild zero-day exploit built with an LLM. The defender lesson isn't the exploit, it's the cycle time.
- 12 MAY 2026 · data breach · vulnerability · 4 min
  Škoda's online shop was breached. The logs can't tell anyone what walked out. Volkswagen Group's Škoda confirmed attackers exploited its online-shop software and reached customer PII plus password hashes. The logs can't confirm what was actually exfiltrated.
- 10 MAY 2026 · fraud · brand impersonation · 4 min
  28 fake call-history apps cleared 7.3 million Google Play downloads selling fabricated data. ESET names CallPhantom: 28 fake call-history apps on the official Play Store, 7.3 million downloads, $6 to $80 subscriptions for randomly generated phone numbers.
- 08 MAY 2026 · phishing · fraud · 3 min
  TCLBanker turns WhatsApp Web and Outlook into a banking-trojan worm. Elastic Security Labs documents a Brazilian banking trojan that hijacks WhatsApp Web and Outlook to spread itself, with WPF overlays mimicking 59 banking and crypto platforms.
- 08 MAY 2026 · ransomware · supply chain · 4 min
  Everest claims Fiserv — silent supplier, very loud blast radius. The Everest extortion crew listed Fiserv on its leak site on 3 May. Fiserv hasn't confirmed. The implications, if true, run through every bank Fiserv supplies.
- 08 MAY 2026 · data breach · cloud · 4 min
  ShinyHunters' second Instructure breach — Free-For-Teacher was the seam. ShinyHunters re-hit Instructure on 7 May, eight months after the Drift-borne Salesforce intrusion. The seam this time: Canvas's Free-For-Teacher tier sharing a trust boundary with 9,000 paying schools.
- 06 MAY 2026 · phishing · identity · 3 min
  Microsoft flags AitM phishing wave dressed up as HR conduct reviews. Microsoft logged 35,000 phishing attempts in 72 hours, 92% of them US targets. The lure: a fake HR 'code of conduct' notice that ends in adversary-in-the-middle token theft.
- 06 MAY 2026 · vulnerability · commentary · 3 min
  Taiwan high-speed rail halted by SDR and 19 years of unrotated TETRA keys. A 23-year-old student halted four Taiwanese high-speed trains for 48 minutes using off-the-shelf SDR kit and TETRA radio parameters that hadn't been rotated in 19 years.
- 04 MAY 2026 · identity · technology · 4 min
  Cisco's $400M Astrix bet: non-human identity is now a platform category. Cisco has agreed to buy Astrix Security in a deal reportedly worth $400 million. The price tells you more about the category than the technology.
- 03 MAY 2026 · vulnerability · ransomware · 3 min
  cPanel CVE-2026-41940 mass-exploited — 44,000 servers hit by 'Sorry' ransomware. An auth-bypass flaw in cPanel and WHM, exploited as a zero-day since February, has now been turned into a mass ransomware campaign. Shadowserver counts 44,000 compromised IPs.
- 02 MAY 2026 · nation state · crypto · 4 min
  76% of stolen crypto in 2026 is now in North Korea. Three heists, eighteen days, $575M to Pyongyang. TRM Labs says 76% of stolen crypto in 2026 is now funding North Korea, and AI is collapsing the social-engineering ramp.
- 01 MAY 2026 · policy · identity · 5 min
  Five Eyes agentic AI guidance lands. The asks are more cautious than the market wants. ASD, CISA, NSA, NCSC-UK, NCSC-NZ and Canada's Cyber Centre co-sealed joint guidance on agentic AI. The headline ask is more cautious than what the vendors are selling.
- 30 APR 2026 · policy · financial services · 5 min
  Japan's FSA scrambles over Anthropic's Mythos. Practitioners say the panic is overblown. Japan's finance minister, central-bank governor and the three megabank presidents have stood up an emergency working group on Anthropic's Mythos. The practitioner read is calmer.
- 30 APR 2026 · fraud · identity · 4 min
  Lviv arrests three over 610,000-account Roblox hijack ring. The infostealer pipeline is the story. Ukrainian prosecutors and the SBU have arrested three people in Lviv over a year-long Roblox account-takeover ring. The supply chain underneath is the same one that drove Snowflake.
- 30 APR 2026 · commentary · technology · 4 min
  Anthropic ships Claude Security. Act 2 of the Frankenstein-reflex playbook. Three months after Mythos, Anthropic launches the defender product. Eleven named partners endorse it; zero independent voices are quoted in the launch piece.
- 29 APR 2026 · identity · commentary · 5 min
  Chris Inglis on Snowden, 13 years on: the insider-threat lessons NSA learned in public. Chris Inglis was NSA Deputy Director when Snowden walked out with the documents. His Dark Reading interview lays out three insider-threat failure modes still worth flagging in 2026.
- 29 APR 2026 · ransomware · commentary · 4 min
  0APT vs KryBit: when ransomware gangs leak each other, defenders read the receipts. Two ransomware-as-a-service gangs leaked each other's infrastructure. KryBit's dump of 0APT exposed access logs proving its January 190-victim list was entirely fabricated, plus a rare baseline of RaaS economics.
- 29 APR 2026 · ransomware · identity · 5 min
  The insurance data CISOs can take to the board: misconfigured MFA loses more than no MFA at all. Resilience's manufacturing cyber-insurance claims data shows misconfigured MFA drove 26% of losses — more than triple the loss from no MFA at all. Three numbers CISOs can take to the board.
- 28 APR 2026 · fraud · brand impersonation · 3 min
  FTC: $2.1bn lost to social-media scams in 2025. The headline is the bait. The brand-impersonation detail underneath is what enterprise security teams and retail banks should actually be reading.
- 27 APR 2026 · nation state · vulnerability · 3 min
  APT28 turns an incomplete Windows patch into a zero-click attack. Russia's GRU exploited a Windows flaw that Microsoft thought it had fixed. The 'patch the patch' problem keeps shipping defenders a worse version of what they paid for.
- 27 APR 2026 · phishing · fraud · 3 min
  Toronto SMS-blaster arrests: a fake cell tower in a city centre. Three men arrested for operating a fake cellular base station in central Toronto, sending phishing SMS to nearby phones. Physical-layer attacks on telco are real and operating.
- 27 APR 2026 · supply chain · technology · 3 min
  GlassWorm returns: 73 'sleeper' extensions on OpenVSX, malicious only after install. Extensions that pass scanning at install and turn malicious after an update. The model where you scan the artefact once and stop watching is finally broken.
- 27 APR 2026 · supply chain · data breach · 3 min
  Checkmarx confirms its GitHub repo data is on the dark web. The March supply-chain attack on Checkmarx has produced its second-order disclosure. The interesting question is what their customers' build pipelines were exposed to.
- 27 APR 2026 · supply chain · cloud · 3 min
  PyPI hijack: elementary-data turned into an infostealer at 1.1M downloads a month. Maintainer-account compromise turned a popular data-engineering package into a credential vacuum. The blast radius starts at 1.1M downloads a month and ends in cloud.
- 27 APR 2026 · phishing · identity · 3 min
  Robinhood's account-creation flow turned into a phishing pipe. Threat actors injected phishing content into Robinhood's own transactional emails. The trust-the-sender heuristic that customers were trained on for two decades doesn't survive this.
- 27 APR 2026 · nation state · commentary · 3 min
  Silk Typhoon: alleged Chinese MSS contractor extradited from Italy to face US charges. Italy hands over a named individual linked to one of China's most prolific espionage clusters. Western prosecutors are starting to pick off contractors. The threat-model arithmetic shifts.
- 27 APR 2026 · supply chain · commentary · 3 min
  TeamPCP supply-chain campaign: 26-day pause, three concurrent compromises, then back to work. A campaign that goes quiet then re-fires across three ecosystems at once. Defenders' mental model needs to include intermittency, not just persistence.
- 24 APR 2026 · vulnerability · commentary · 3 min
  CISA KEV adds Samsung MagicINFO and SimpleHelp — quiet flaws in noisy estates. Four CVEs joined the Known Exploited list. None are flashy. All sit in software that lives quietly inside large enterprise estates and almost never gets patched.
- 23 APR 2026 · vulnerability · commentary · 3 min
  Apple patches an exploited iOS notification flaw — zero-click is back on the menu. iOS 26.4.2 fixes a single Notification Services vulnerability (CVE-2026-28950), already exploited in the wild. Patch high-value targets first.
- 23 APR 2026 · identity · policy · 3 min
  NCSC: passkeys are the future. The cover for banks to move has just shifted. The UK's lead cyber agency has formally said passkeys should be the default consumer authentication method. That changes the regulatory arithmetic for FS firms still on SMS OTP.
- 21 APR 2026 · phishing · identity · 3 min
  Scattered Spider's 'Tylerb' pleads guilty — twelve firms, eight million in crypto. Tyler Buchanan admits wire fraud and aggravated identity theft. The plea writes down the kill chain that the Twilio, LastPass and DoorDash reports paraphrased out.
- 14 APR 2026 · vulnerability · technology · 4 min
  Patch Tuesday April 2026: 167 fixes, a SharePoint zero-day, and a Defender bug nicknamed BlueHammer. Microsoft's biggest single Patch Tuesday in years lands a SharePoint zero-day already in the wild and a Defender privilege-escalation flaw with a leaked exploit.
- 07 APR 2026 · nation state · cloud · 4 min
  Russia's APT28 hijacks 18,000 home routers to harvest Office 365 tokens. Forest Blizzard turned end-of-life MikroTik and TP-Link boxes into DNS pivots, ran AiTM against Outlook on the web, and stole post-MFA OAuth tokens at scale.