Vendors
-
State actors hijacked Notepad++ updater to redirect users to malicious servers
Notepad++’s maintainer said attackers compromised hosting infrastructure to hijack the updater and redirect some users to malicious servers. The activity began in June 2025 and credentials persisted until December 2, 2025.
-
TriZetto breach may have exposed PHI for more than 700,000, Oregon providers to notify patients
An intrusion into TriZetto Provider Solutions discovered in October 2025 may have exposed protected health information for more than 700,000 people. Local Oregon providers will notify thousands of patients about exposed records.
-
SmarterMail patched critical unauthenticated RCE and path coercion flaws
SmarterMail fixes address a critical unauthenticated remote code execution flaw, CVE-2026-24423 (rated 9.3), and a medium-severity path coercion issue that can enable NTLM relay. Administrators should install the updated builds immediately.
-
Ivanti issues fixes for two critical EPMM code injection zero-day flaws
Ivanti released updates for two critical EPMM code injection vulnerabilities that allow unauthenticated remote code execution. One was added to the CISA KEV catalog. Patches, detection steps and remediation guidance are published in the vendor advisory.
-
eScan update server breached to deliver malicious update on January 20, 2026
An eScan update server was breached on January 20, 2026 and pushed a malicious update to a subset of customers. Morphisec’s security bulletin details the modified updater and final backdoor payload.
-
WhatsApp adds Strict Account Settings to block media from unknown contacts
Meta announced Strict Account Settings for WhatsApp to lock accounts to restrictive options and block media from unknown contacts. The feature rolls out over weeks and a Rust-based media library will be used to improve memory safety.
-
Microsoft issues emergency patch for Office zero-day CVE-2026-21509
Microsoft issued out-of-band patches for Office zero-day CVE-2026-21509, rated 7.8. Service-side protection covers newer builds and a registry workaround is provided for older Office versions. Federal agencies must remediate by February 16, 2026.
-
CISA publishes post-quantum procurement guidance but experts warn it lacks operational detail
CISA published guidance on Jan. 23 listing federal products for post-quantum cryptography. Experts warned the document lacks operational detail on inventories, timelines and authentication support, complicating procurement and migration efforts.
-
Google expands Personal Intelligence into AI Mode in Search
A product blog from Google announced Personal Intelligence will expand into AI Mode in Search, letting AI Pro and AI Ultra subscribers opt in to link Gmail and Photos for tailored results as a Labs experiment starting today.
-
Entra ID to auto-enable passkey profiles and add synced passkeys from March 2026
Starting March 2026, Entra ID will automatically enable passkey profiles and add support for synced passkeys. A Microsoft message center announcement outlines a staged rollout with opt-in and automatic migration and a new passkeyType profile setting.








