Cristian Luțic

Cristian Luțic is a cybersecurity professional and Editor-in-Chief of iSec.News, with experience in security enablement, risk analysis, and vulnerability reporting. As Editor-in-Chief, he is responsible for editorial standards, source verification, and publication oversight at iSec News.
From professional sports to cybersecurity, his career path may have been unconventional, but it has been driven by the same core values: discipline, perseverance, and a passion for doing meaningful, impactful work.
iSec.News Motto: “Only news, only information security and privacy news. No fluff.”
- NIST enters 2026 with staff cuts, tighter budget and cryptography validation backlog
  NIST begins 2026 with over 700 positions shed, a smaller labs budget and a cryptographic module validation backlog that averaged 348 days per recent projects, even as the agency tests post-quantum modules and seeks automation.
- Mass spam wave uses unsecured Zendesk ticket systems to send hundreds of automated emails
  A global spam wave beginning January 18 used unsecured Zendesk ticket systems to deliver hundreds of automated confirmation emails that bypassed filters and confused recipients. The advisory urges restricting ticket creation to verified users and removing open placeholders.
- Two high severity flaws in Chainlit allow file theft and SSRF in cloud deployments
  Two high severity Chainlit vulnerabilities allow arbitrary file reads and SSRF that can expose secrets and internal services. Patches were released in Chainlit 2.9.4 on December 24, 2025. Upgrades are recommended.
- Android click-fraud trojans use TensorFlow.js to tap hidden browser ads
  Android click-fraud trojans using TensorFlow.js analyze hidden WebView screenshots to tap ads. Infected apps were distributed through Xiaomi GetApps and third-party APK sites, causing battery drain and increased mobile data charges.
- Report: North Korean-linked PurpleBravo targeted 3,136 IPs and 20 companies
  Recorded Future’s technical analysis found PurpleBravo targeted 3,136 IPs and claimed 20 potential victim companies across multiple regions from August 2024 to September 2025, using infostealers and backdoors to create supply-chain risk.
- Researchers Hack Tesla Infotainment at Pwn2Own Automotive 2026, 37 Zero-Days Exploited on Day One
  Researchers exploited 37 zero-days at Pwn2Own Automotive 2026 in Tokyo to hack Tesla’s Infotainment System and other systems, earning $516,500 on day one. Vendors have 90 days to issue fixes.
- NCSC alert warns pro-Russian DDoS groups targeting UK local government and operational technology
  On January 21, 2026 the UK’s National Cyber Security Centre issued an alert warning that pro-Russian DDoS attacks are targeting British organisations, especially local government and operational technology, and advised steps to harden defences.
- ChainLeak flaws in Chainlit framework risk API key exposure and SSRF
  High-severity ChainLeak vulnerabilities in the Chainlit AI framework can leak cloud API keys and enable SSRF. Two CVEs were disclosed in November 2025 and patches were issued in version 2.9.4 on December 24, 2025.
- Password manager vendor warns of active phishing campaign urging 24 hour vault backups
  A phishing campaign that began around January 19, 2026 uses maintenance and backup lures to pressure users into creating local vault backups within 24 hours. The vendor advises never to disclose master passwords and is working to remove the malicious infrastructure.
- Critical ACF Extended bug lets attackers gain admin on about 50,000 WordPress sites
  A flaw in ACF Extended allows unauthenticated attackers to gain administrator privileges. The bug, CVE-2025-14533, affects versions 0.9.2.1 and earlier. About 50,000 sites may still be exposed. Update to 0.9.2.2.