🕵🏻‍♂️ [InfoSec MASHUP] 04/2026

LastPass warns of a phishing campaign pretending to be LastPass; Under Armour investigating a breach; Jordanian authorities used Cellebrite phone-cracking tools to extract data from activists’ phones without consent; Ireland plans a new law to let police use spyware; Moxie Marlinspike launched Confer, a ChatGPT-like service built to protect user privacy; attackers are exploiting a critical Fortinet FortiCloud flaw; Russian government hackers likely tried to knock out parts of Poland’s power grid.

We now have 1,602 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 🎽 Under Armour is investigating a data breach that exposed about 72 million customers' email addresses and some personal details. The company says there is no evidence passwords or payment data were taken. Security experts agree but note it is odd Under Armour has not issued a full public disclosure.

💸 IT distributor Ingram Micro suffered a ransomware attack on July 3, 2025, that disrupted services and forced systems offline. About 42,521 people had personal and employment data exposed, including Social Security and passport numbers. The company restored systems within a week and is offering 24 months of free credit monitoring; the stolen data has since been published online.

🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 🇵🇱 Security firm ESET says Russian government hackers likely tried to knock out parts of Poland’s power grid in late December. The attackers used destructive “wiper” malware tied to the Sandworm group, which has hit energy systems before. Poland says defenses held and critical infrastructure was not knocked out.

🇺🇸 🔑 Microsoft gave the FBI BitLocker recovery keys to unlock three suspects’ laptops in a fraud probe. On consumer Windows devices set up with a Microsoft account, the recovery key is backed up to that account by default, so whoever can read the account (Microsoft, or a court order served on Microsoft) can unlock the drive. Experts warn this undermines the privacy BitLocker promises and would be dangerous if Microsoft’s key store were breached; organisations that want sole control should escrow recovery keys in their own directory rather than a personal Microsoft account.

🇷🇺 🇬🇧 The U.K. warns that Russian-aligned hacktivists, especially NoName057(016), are carrying out disruptive DDoS attacks against critical infrastructure and local governments. These attacks, while not sophisticated, can take services offline and cause big costs and operational disruption. The NCSC urges stronger defenses, redundancy, and rehearsed response plans to reduce DDoS risk.

🇯🇴 🧑‍⚖️ A Jordanian man, Feras Albashiti, pleaded guilty to selling access to the networks of at least 50 companies. He was extradited from Georgia and faces up to 10 years in prison and large fines. Authorities say initial access brokers like him enable ransomware and other cybercrimes.

🚓 🇪🇺 EU and INTERPOL have listed Oleg Nefedov, the alleged leader of the Russia-linked Black Basta ransomware group, as most wanted. Ukrainian and German police say two Ukrainians tied to the group have been identified and are being sought for cracking password hashes and deploying ransomware. Black Basta is blamed for attacking 500+ companies and may have splintered or shifted members to other ransomware gangs.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇯🇴 📲 Researchers found Jordanian authorities used Cellebrite phone-cracking tools to extract data from activists’ phones without consent. Citizen Lab said this likely violates human rights treaties and urged Cellebrite to investigate. Cellebrite denied misuse, saying it vets customers and requires legal authority for access.

🇺🇸 A watchdog group sued the government to get records about a TSA-ICE data sharing deal that gave passenger travel data to immigration agents. The group says FOIA requests were ignored after it asked what data was shared and whether U.S. citizens were affected. TSA defends the practice as legal and part of DHS’s security mission, while critics say TSA should not help with immigration enforcement.

🇮🇪 👀 Ireland plans a new law to let police use spyware and other surveillance tools. The bill would cover encrypted and unencrypted communications but promises judicial oversight and safeguards. Critics warn spyware has a history of abuse in Europe despite some existing rules.

🇻🇪 U.S. officials say cyberattacks helped shut off power and disable air-defense radar during the January 3 operation that captured President Nicolás Maduro. Some evidence also points to physical attacks (like graphite bombs) and Venezuela’s weak grid making disruption easier. Analysts say the mission used layered cyber and kinetic tools rather than cyberattack alone.

🇺🇸 🤷 Trump administration admits DOGE may have misused Americans’ Social Security data — Two members of Elon Musk’s DOGE team at the Social Security Administration may have used and shared Americans’ Social Security data to help a political advocacy group. The group wanted to find voter fraud and overturn election results in some states. The SSA referred the employees for possible Hatch Act violations and a judge had already blocked their access to sensitive records.

🇺🇸 Congressional appropriators proposed a spending package that extends a key cyber threat information-sharing law through Sept. 30. The bill provides $2.6 billion for CISA, including $39.6 million for election security and rules to maintain staffing levels. The package also extends cybersecurity grants and the Technology Modernization Fund but faces political hurdles in Congress.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇻🇪 🏧 🇺🇸 Two Venezuelan nationals were convicted for using malware to make ATMs spit out cash and will be deported after serving prison time. They targeted older ATMs across several southeastern states and stole money directly from banks. Larger related indictments in Nebraska tie dozens more to the scheme and to a known gang leader.

📄 Security researchers found a new malware family called PDFSider that acts like an APT backdoor and is used by ransomware groups. It is sideloaded through a legitimate PDF24 app delivered in spear-phishing ZIPs and runs mostly in memory to hide and execute commands. PDFSider uses encrypted C&C, evades AV/EDR, and includes checks to avoid analysis and virtual machines.

🇰🇵 North Korean hackers are luring macOS developers with fake GitHub/GitLab projects whose VS Code task files are set to run as soon as the folder is opened. When the developer clicks through VS Code’s workspace-trust prompt, obfuscated JavaScript runs, installs a persistent backdoor, and phones home to a C&C server. The backdoor can execute further code, gather system info, and expand its capabilities.
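A scanner for the lure described above, added here as an example (it is not code from the researchers’ report or from VS Code): it parses a workspace’s .vscode/tasks.json, keeps only tasks configured to start on folder open, and flags the obfuscation patterns such lures rely on. The sample tasks.json and the indicator list are constructed assumptions; tune the patterns for your own repositories.

```python
"""Find VS Code tasks that run automatically on folder open and look hostile.

Added example, not code from the original article. The sample tasks.json
below is constructed to mimic the lure; the indicator regexes are a starting
point, not a complete signature set.
"""
import json
import re
from pathlib import Path

# VS Code's own schema: "runOptions": {"runOn": "folderOpen"} starts the task
# as soon as the folder is opened in a *trusted* workspace.
AUTO_RUN = "folderOpen"

# Heuristics for obfuscated one-liners (assumption: tune for your estate).
SUSPICIOUS = [
    re.compile(r"\bnode\s+-e\b"),                        # inline JavaScript
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64\b|atob\(|from\([^)]*base64", re.I),
    re.compile(r"\bcurl\b.*\|\s*(sh|bash)\b"),
    re.compile(r"\bpowershell\b.*-enc", re.I),
    re.compile(r"https?://"),                            # any outbound fetch
]


def _strip_json_comments(text: str) -> str:
    """tasks.json is JSONC: drop /* */ blocks and whole-line // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def _flatten(task: dict) -> str:
    """Collect everything a task could execute into one scannable string."""
    parts = []
    for key in ("command", "args"):
        val = task.get(key)
        if isinstance(val, list):
            parts.extend(str(a) for a in val)
        elif val is not None:
            parts.append(str(val))
    for plat in ("windows", "linux", "osx"):   # per-OS overrides
        if isinstance(task.get(plat), dict):
            parts.append(_flatten(task[plat]))
    return " ".join(parts)


def find_auto_run_tasks(tasks_json: str) -> list:
    """Return every folder-open task with the indicators it tripped."""
    data = json.loads(_strip_json_comments(tasks_json))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != AUTO_RUN:
            continue
        blob = _flatten(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": blob,
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            "indicators": [p.pattern for p in SUSPICIOUS if p.search(blob)],
        })
    return findings


def scan_workspace(root: Path) -> list:
    """Convenience wrapper for a checked-out repository."""
    p = Path(root) / ".vscode" / "tasks.json"
    return find_auto_run_tasks(p.read_text(encoding="utf-8")) if p.exists() else []


# Constructed sample: one benign build task, one that fires on folder open,
# hides its terminal, and evals base64-decoded JavaScript.
SAMPLE_TASKS_JSON = r'''{
  // constructed example, not a real lure
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": ["-e", "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString())"],
      "runOptions": {"runOn": "folderOpen"},
      "presentation": {"reveal": "never"}
    }
  ]
}'''

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        flag = " (terminal hidden)" if f["hidden"] else ""
        print(f"[!] auto-run task {f['label']!r}{flag}: {f['command']}")
        for ind in f["indicators"]:
            print("    indicator:", ind)
```

Run it against a freshly cloned repository before opening it in VS Code; an auto-run task that hides its terminal and shells out to an interpreter is worth a look regardless of which indicators fire.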

📲 Researchers found Android trojans that use TensorFlow.js to visually detect and click hidden browser ads inside a concealed WebView. The malware spreads via Xiaomi’s GetApps, third-party APK sites, Telegram, and Discord, often appearing as working game or mod apps. Users should avoid installing apps outside Google Play to reduce risk of covert ad fraud, battery drain, and data overuse.

🐍 ℹ️ SolyxImmortal is a new Python-based information stealer that quietly monitors Windows users and steals credentials, documents, keystrokes, and screenshots. It uses hardcoded controllers and Discord webhooks to stage and exfiltrate data over HTTPS, so the traffic blends in with legitimate Discord connections. Cyfirma says it is aimed at opportunistic attackers and can easily be repurposed or redistributed.
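Because the exfiltration destination is discord.com over TLS, a host-based block list does not help; what does is correlating the request path with the originating process. The detection below is an added example (not Cyfirma’s content) run over constructed proxy log lines: it groups POSTs to Discord webhook endpoints by host and process, drops processes you have allow-listed, and raises one alert per offender with the volume sent. The log field names and the allow-list are assumptions to map onto your own proxy or EDR schema.

```python
"""Flag data staging to Discord webhooks in outbound HTTP(S) proxy logs.

Added example, not Cyfirma's detection content. The log format, field names
and sample lines are constructed; map them to your proxy or EDR schema.
"""
import re
from collections import defaultdict

# A stealer only needs the webhook endpoint; the rest of the API is noise.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_.-]+")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}

# Processes that legitimately post to webhooks in your estate (assumption).
ALLOWED_WEBHOOK_PROCS = {"ci-notify.exe"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line: str):
    """Return the event as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_webhook_exfil(log_text: str, min_bytes: int = 0) -> list:
    """Group webhook POSTs by (host, process); one alert per group."""
    allowed = {p.lower() for p in ALLOWED_WEBHOOK_PROCS}
    groups = defaultdict(lambda: {"posts": 0, "bytes_out": 0, "webhooks": set(), "first": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["dst"] not in DISCORD_HOSTS or ev["method"] != "POST":
            continue
        if not WEBHOOK_PATH.match(ev["path"]) or ev["proc"].lower() in allowed:
            continue
        g = groups[(ev["host"], ev["proc"])]
        g["posts"] += 1
        g["bytes_out"] += int(ev["bytes"])
        g["webhooks"].add(ev["path"].split("/")[3])   # webhook id, never the token
        g["first"] = g["first"] or ev["ts"]
    return [
        {"host": host, "proc": proc, "posts": g["posts"], "bytes_out": g["bytes_out"],
         "webhook_ids": sorted(g["webhooks"]), "first_seen": g["first"]}
        for (host, proc), g in groups.items() if g["bytes_out"] >= min_bytes
    ]


# Constructed sample: browser traffic to Discord, a Python process pushing two
# large payloads to one webhook, and an allow-listed CI notifier.
SAMPLE_LOG = """\
2026-04-02T09:14:03Z host=WS-0412 proc=chrome.exe dst=discord.com method=GET path=/api/v9/users/@me bytes_out=412
2026-04-02T09:14:10Z host=WS-0412 proc=python.exe dst=discord.com method=POST path=/api/webhooks/1234567890/AbC-dEf_123 bytes_out=184320
2026-04-02T09:14:12Z host=WS-0412 proc=python.exe dst=discord.com method=POST path=/api/webhooks/1234567890/AbC-dEf_123 bytes_out=98711
2026-04-02T09:15:00Z host=WS-0777 proc=ci-notify.exe dst=discord.com method=POST path=/api/webhooks/2222/xyz bytes_out=512
"""

if __name__ == "__main__":
    for a in detect_webhook_exfil(SAMPLE_LOG):
        print(f"[!] {a['host']} {a['proc']}: {a['posts']} webhook POST(s), "
              f"{a['bytes_out']} bytes to webhook id(s) {a['webhook_ids']} since {a['first_seen']}")
```

The path is only visible if your proxy inspects TLS or the EDR records the HTTP layer; without that, fall back to process-level telemetry (a script interpreter talking to discord.com at all) and byte counts.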

🤖 🧰 AI, CRYPTO, TECH & TOOLS

👶 OpenAI added an age-prediction feature to ChatGPT to better protect young users — The system uses account signals like stated age, account age, and activity times to flag likely minors and apply stricter content filters. Users who are misidentified can verify their age by submitting ID via a selfie through OpenAI’s partner.

📆 🤖 Researchers tricked Google’s Gemini assistant using a malicious Calendar event description. When a user asked about their schedule, Gemini created a new event that exposed private meeting details. Miggo Security warned Google and mitigations were added, but the attack shows AI prompt handling can still leak sensitive data.

💬 🔐 Moxie Marlinspike launched Confer, a ChatGPT-like service built to protect user privacy — It encrypts conversations and runs model inference in secure hardware so hosts can’t access or use the data. A free tier limits messages, while paid plans offer unlimited access and more features.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

💥 Fortinet confirmed a critical FortiCloud SSO authentication bypass (CVE-2025-59718) is not fully patched. Attackers have been exploiting the flaw to create admin accounts and steal firewall configurations, even on fully updated devices. Fortinet advises disabling FortiCloud SSO and restricting admin access while it works on a complete fix.
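Both interim mitigations can be checked offline against a configuration backup. The script below is an added example (not Fortinet’s tooling): it parses the config/edit/set/next/end structure of a FortiOS backup, reports whether FortiCloud SSO admin login is disabled, lists admin accounts that are not on your known-good list (the exploitation path above creates new admins), and flags admins with no trusthost restriction. Assumptions: the global setting is named admin-forticloud-sso-login (confirm against the CLI reference for your firmware), and the sample backup is constructed.

```python
"""Audit a FortiOS config backup for the mitigations Fortinet recommends.

Added example, not Fortinet's own tooling. Assumption: the setting is named
`admin-forticloud-sso-login` under `config system global` (verify for your
firmware); the sample backup below is constructed.
"""


def _block():
    return {"settings": {}, "entries": {}}


def parse_fortios(text: str) -> dict:
    """Parse config/edit/set/next/end into nested dicts."""
    root = _block()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config ") or line.startswith("edit "):
            name = line.split(" ", 1)[1].strip().strip('"')
            child = _block()
            stack[-1]["entries"][name] = child
            stack.append(child)
        elif line in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1]["settings"][key] = value.strip().strip('"')
        elif line.startswith("unset "):
            stack[-1]["settings"].pop(line[6:].strip(), None)
    return root


def audit(config_text: str, known_admins: set) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    cfg = parse_fortios(config_text)
    findings = []

    glob = cfg["entries"].get("system global", _block())["settings"]
    sso = glob.get("admin-forticloud-sso-login")      # absent = firmware default
    if sso != "disable":
        state = "explicitly enabled" if sso == "enable" else "not explicitly disabled (firmware default applies)"
        findings.append(f"FortiCloud SSO admin login is {state}; set it to disable until Fortinet's fix is complete")

    admins = cfg["entries"].get("system admin", _block())["entries"]
    for name, acct in admins.items():
        s = acct["settings"]
        if name not in known_admins:
            findings.append(f"unexpected admin account {name!r} with profile {s.get('accprofile', '?')}; verify or remove")
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name!r} has no trusthost entries; management is reachable from any source IP")
    return findings


# Constructed sample backup: SSO left on, one known admin locked to a subnet,
# one unknown super_admin with no source restriction.
SAMPLE_CONFIG = """\
# constructed sample backup, not a real device
config system global
    set admin-forticloud-sso-login enable
    set hostname "FGT-EDGE"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, known_admins={"admin"}):
        print("[!]", f)
```

Run it over the backups you already collect, not only on the suspect device: an attacker who has pulled one configuration has the credentials and VPN settings in it, so every admin listed there deserves the same scrutiny.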

🇪🇺 🐛 A European group launched GCVE, a decentralized system for naming software security flaws. It lets many organizations assign IDs without central approval while staying compatible with the existing CVE format. The move responds to funding and governance worries about the 25-year-old CVE program.
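The compatibility claim rests on the identifier layout, so a feed that mixes both schemes needs a normaliser. The parser below is an added example, not the GCVE project’s code. It assumes the published format GCVE-GNA-YEAR-NUMBER, where numbering authority 0 is reserved for the CVE namespace so that GCVE-0-2025-59718 and CVE-2025-59718 name the same flaw, and it pads the number to at least four digits as CVE does; check both assumptions against the GCVE specification before relying on the output.

```python
"""Parse CVE and GCVE identifiers and normalise a mixed feed to one namespace.

Added example, not the GCVE project's own code. Assumptions: the format
GCVE-<GNA>-<year>-<number>, GNA 0 reserved for the CVE namespace, and the
number field padded to at least four digits as CVE does.
"""
import re
from dataclasses import dataclass
from typing import Optional

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")


@dataclass(frozen=True, order=True)
class VulnId:
    gna: int      # GCVE Numbering Authority; 0 is the CVE namespace
    year: int
    number: int

    def as_gcve(self) -> str:
        return f"GCVE-{self.gna}-{self.year}-{self.number:04d}"

    def as_cve(self) -> Optional[str]:
        """Only GNA-0 identifiers have a CVE equivalent."""
        return f"CVE-{self.year}-{self.number:04d}" if self.gna == 0 else None


def parse_id(text: str) -> VulnId:
    """Accept either scheme, case-insensitively; reject anything else."""
    s = text.strip().upper()
    m = CVE_RE.match(s)
    if m:
        return VulnId(0, int(m[1]), int(m[2]))
    m = GCVE_RE.match(s)
    if m:
        return VulnId(int(m[1]), int(m[2]), int(m[3]))
    raise ValueError(f"not a CVE or GCVE identifier: {text!r}")


def same_flaw(a: str, b: str) -> bool:
    """True when two identifiers resolve to the same (gna, year, number)."""
    return parse_id(a) == parse_id(b)


def normalise_feed(ids) -> list:
    """Dedupe a mixed list of CVE/GCVE strings into sorted GCVE form."""
    return sorted({parse_id(i).as_gcve() for i in ids})


if __name__ == "__main__":
    # Constructed feed: the same Fortinet flaw under both schemes, plus an
    # identifier from a hypothetical non-CVE numbering authority.
    feed = ["CVE-2025-59718", "gcve-0-2025-59718", "GCVE-1-2025-0007"]
    print(normalise_feed(feed))
    print(parse_id("GCVE-1-2025-0007").as_cve())   # None: not in the CVE namespace
```

When ingesting vendor advisories, normalise before deduplicating; otherwise the same flaw reported under both names counts twice, and a non-zero GNA identifier silently gains a bogus CVE when code assumes the old format.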

🎣 📩 LastPass warns of a phishing campaign pretending to be LastPass and asking for master passwords. Scam emails urge a 24-hour “backup” and link to fake sites; LastPass says it will never ask for your master password. They are working to take down the malicious domains and shared the scammer email addresses.

💰️ 🚗 Security researchers earned $1,047,000 by exploiting 76 zero-day bugs at Pwn2Own Automotive 2026 in Tokyo. They hacked in-vehicle infotainment systems, EV chargers, and car OSes and must give vendors 90 days to fix the bugs. Team Fuzzware.io won top prize with $215,000.

🤖 HackerOne launched a Good Faith AI Research Safe Harbor to protect researchers who test AI systems for security and safety issues. Participating companies pledge to avoid legal action and support researchers facing third-party claims. The goal is to enable more open testing of AI while formal laws and rules catch up.

🛰️ ICS, OT & IoT

📄 MITRE released the Embedded Systems Threat Matrix (ESTM) to help secure hardware and firmware. It maps attack tactics and techniques for industries like energy, healthcare, and transportation. ESTM 3.0 is community-focused and designed to integrate with existing security models.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague; it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
