News
-
Apple adds beta end-to-end encryption to RCS chats in iOS 26.5
Apple released iOS 26.5 with beta end-to-end encryption for RCS chats on iPhone and Android, enabled by default for supported users. The update also fixes more than 50 vulnerabilities in iOS and iPadOS.
-
Checkmarx says modified Jenkins plugin was published in supply chain attack
Checkmarx said a modified Jenkins AST plugin was published to the Jenkins Marketplace and warned users to stay on an older safe version. The incident is the latest attack linked to TeamPCP in a broader supply chain campaign.
-
Attackers exploit cPanel flaw to deploy Filemanager backdoor
Attackers linked to Mr_Rot13 are exploiting CVE-2026-41940 in cPanel and WHM to install the Filemanager backdoor, with more than 2,000 source IPs seen in activity, according to a technical analysis by QiAnXin XLab.
-
TrickMo Android banker adds TON blockchain for covert communications
A new TrickMo Android banking malware variant is targeting users in Europe and using the TON blockchain for covert command and control traffic, according to a technical analysis. The malware adds new network and tunneling commands and targets banking and crypto wallets.
-
Google says hackers used AI to help find and weaponize a zero-day 2FA bypass
Google said it found what it believes is the first known in-the-wild use of AI for vulnerability discovery and exploit generation, after attackers used a zero-day Python script to bypass two-factor authentication on an open-source admin tool.
-
Fake OpenAI privacy filter repository hit top of Hugging Face trending list
A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter model reached the platform’s trending list before being disabled. HiddenLayer said it delivered Windows infostealer malware and drew about 244,000 downloads in 18 hours.
-
Ollama flaw could expose process memory from exposed servers, researchers say
Researchers say a critical Ollama flaw could let remote attackers leak process memory from exposed servers, while separate Windows update bugs may allow persistent code execution. The disclosures affect widely used local AI software.
-
Sri Lanka arrests 37 Chinese nationals in suspected scam centre raid
Sri Lankan police arrested 37 Chinese nationals in a suburb of Colombo after raiding a suspected scam centre, seizing phones, tablets and SIM cards. Officials say the case fits a broader pattern of suspected fraud compounds in the country.
-
Mozilla says AI-assisted Mythos found 271 Firefox vulnerabilities with few false positives
Mozilla said its Mythos AI-assisted security research found 271 Firefox vulnerabilities, including 180 rated sec-high. The company faced skepticism over false positives and the lack of individual CVEs.
-
Ivanti says EPMM flaw exploited in limited attacks, CISA adds it to watchlist
Ivanti said a high-severity flaw in its Endpoint Manager Mobile software has been used in limited attacks and can allow remote code execution on affected on-premises systems. CISA added the issue to its exploited vulnerability catalog.
