🖤 RIP FX (Felix Lindner)

The infosec community lost one of its own this week. FX, founder of Phenoelit and a towering figure of the old-school hacker scene, has passed away. His work on Cisco IOS, port knocking, and decades of research shaped the field in ways that are hard to fully quantify. The 2017 Pwnie Lifetime Achievement Award barely scratched the surface of his impact.

I didn't know him personally, but his influence was hard to miss. Rest in peace, FX. 🖤

War makes excellent phishing bait. It always has. As strikes on Iran dominate headlines, expect threat actors — state-sponsored and opportunistic alike — to flood inboxes with lures dressed up as breaking news, humanitarian appeals, leaked documents, and "exclusive footage." APT groups don't need a new playbook; they just need a news cycle. Stay skeptical of anything urgent, emotional, or too perfectly timed. The best OPSEC this week is the same as any other week: think before you click.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 🩺 Health tech company TriZetto says hackers stole personal and health data for more than 3.4 million people. The breach began in November 2024 but went undetected until October 2025. Some providers and patients across the U.S. have been confirmed affected.

🇳🇱 🇺🇸 Dutch paint giant AkzoNobel says hackers breached the network of one U.S. site. The Anubis ransomware gang claims to have stolen 170GB and leaked samples of confidential files. AkzoNobel says the incident is contained, impact is limited, and it is supporting affected parties.

🇺🇸 LexisNexis confirmed hackers breached its servers and stole files, which were later leaked by a group called FulcrumSec. The company says the data was mostly legacy, non-sensitive customer and business information from before 2020. LexisNexis has notified law enforcement, hired outside experts, and says the intrusion is contained.

🕹 Cloud Imperium Games says attackers accessed backup systems in January and saw some users' basic account information. The company reports no passwords, payment data, or signs the data was leaked. CIG is monitoring the situation and warns the exposed details could be used for phishing.

🇺🇸 Madison Square Garden confirmed a data breach tied to the Cl0p ransomware group exploiting Oracle E-Business Suite zero-day flaws. Hackers stole and leaked personal data in August 2025, including names and Social Security numbers. MSG says a third-party vendor hosted the affected system and it is notifying impacted individuals.

🇨🇦 An October 2025 breach at Canadian Tire exposed more than 38 million customer accounts after attackers accessed an e-commerce database. Leaked data included names, emails, PBKDF2-hashed passwords, some dates of birth, partial credit card details, addresses, phones, and gender. The company says bank and loyalty data were safe and has emailed affected users.

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇮🇷 🇺🇸 🇮🇱 After US‑Israeli strikes on Iran, hacktivist attacks have surged but Iran’s state-backed cyber operations remain quiet. Security firms report many claim-driven website defacements, DDoS attacks, and unverified breach claims. Analysts warn the threat is evolving and urge organizations to strengthen defenses.

🇮🇷 🇺🇸 🇮🇱 U.S. and Israeli forces used cyberattacks alongside airstrikes in the opening of the war with Iran to disrupt communications and gather intelligence. Hacked TV broadcasts and apps were used for psychological operations. The true impact of these cyber actions is unclear and may be overstated.

🇮🇷 🇺🇸 Iran-linked APT MuddyWater has breached networks of a U.S. airport, a bank, a software/aerospace contractor, and a Canadian NGO. The group deployed new backdoors named Dindoor and Fakeset, using fraudulent certificates to steal data. The intrusions persisted amid recent U.S.–Israel–Iran tensions and may still threaten other organizations.

🇮🇷 🇮🇱 Researchers observed Iran-linked actors intensifying scans and exploitation attempts against Hikvision and Dahua IP cameras across Israel, Gulf states, Lebanon, and Cyprus. This camera targeting aligns with missile strikes and likely supports battle-damage assessment and targeting. Defenders should patch cameras, remove public access, enforce strong credentials, and segment and monitor camera networks.

🇮🇷 💥 After the U.S.-Israel strikes on Iran, hacktivists launched 149 DDoS attacks on 110 organizations across 16 countries, mostly in the Middle East. Two groups, Keymous+ and DieNet, drove most attacks, targeting governments, infrastructure, finance, and telecoms. Security firms warn of continued cyber retaliation and urge stronger monitoring and defenses.

🇮🇷 🦠 A suspected Iran-linked group called Dust Specter targeted Iraqi officials by spoofing the Ministry of Foreign Affairs to deliver new malware. The campaign used two chains: SPLITDROP/TWINTASK/TWINTALK that poll files on disk, and GHOSTFORM that runs PowerShell in memory and hides artifacts. Attackers staged payloads on compromised Iraqi sites, used evasion and social engineering, and likely leveraged generative AI in malware development.

🇰🇵 🧑‍🏭 Microsoft says North Korean threat groups are using generative AI to create fake remote worker identities and get hired at global companies. AI speeds up making convincing personas, lures, voice and image forgeries, and helps maintain access. Researchers warn this boosts scale, sophistication, and the risk of more advanced, semi‑autonomous attacks.

🇷🇺 🇺🇸 A 43-year-old Russian, Evgenii Ptitsyn, pleaded guilty in the U.S. for his role in the Phobos ransomware operation. He was arrested in South Korea in June 2024 and extradited to the U.S. in November. Ptitsyn faces up to 20 years for wire fraud conspiracy after helping run and sell the ransomware that hit over 1,000 organizations.

🇺🇸 🇫🇷 A U.S. contractor's son, John Daghita, was arrested in Saint Martin for allegedly stealing over $46 million in cryptocurrency from the U.S. Marshals Service. The arrest followed a joint FBI–French Gendarmerie operation after a blockchain investigator traced the stolen funds to Daghita. Authorities seized cash, hard drives, and security keys during the arrest.

🇪🇺 🎣 Europol and partners dismantled Tycoon 2FA, a large phishing-as-a-service toolkit that enabled adversary-in-the-middle attacks. The service powered tens of millions of phishing emails and was linked to over 64,000 incidents affecting schools, hospitals, businesses, and governments. Its tools stole credentials, MFA codes, and session cookies to allow account takeovers even after password changes.

🇪🇸 🇺🇦 Spanish and Ukrainian police broke up a criminal ring that exploited war-displaced Ukrainian women to run an online gambling and money-laundering scheme. The group forced the women to open bank accounts and used bots and stolen identities to place thousands of low-odds bets, laundering about €4.75 million. Authorities arrested 12 suspects, seized devices, cars, and accounts, and froze properties and funds across multiple countries.

Authorities from 14 countries shut down LeakBase, a major online forum for stolen data and hacking tools. Law enforcement seized the site, arrested suspects, and took user accounts, posts, and logs for evidence. Officials said the site hosted hundreds of millions of stolen records and was linked to many high-profile attacks.

Figure: LeakBase splash page (source: justice.gov)

🇺🇸 Hacktivists called “Department of Peace” say they hacked the Department of Homeland Security and leaked documents about ICE contracts. A transparency group published searchable data showing more than 6,000 contractors, contract amounts, and contact details, including big firms like Palantir, Microsoft, and Raytheon. The hackers said they acted to expose DHS ties after recent killings by federal agents.

🇺🇸 A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to hacking and extorting hundreds of women by stealing their social media passwords. He impersonated friends to get recovery codes, then threatened to post private nude images unless victims sent more photos, gave access, or paid him. Mosley faces sentencing on May 27.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 President Trump released a high-level national cyber strategy promoting offensive and defensive cyber operations, stronger federal network security, and use of AI and other emerging technologies. The plan has six pillars, including shaping adversary behavior, securing critical infrastructure and supply chains, streamlining regulation, and building cyber workforce capacity. Reactions were mixed, with industry praise for deterrence and regulation easing and critics saying the strategy is vague and lacks concrete implementation details.

🇺🇸 🔎 The FBI said it found and addressed suspicious activity on its networks but gave no details. Reports say the activity targeted a surveillance system used for warrants, wiretaps, and tracing data. It is unclear when the incident happened or who was responsible.

🇺🇸 🪖 Anthropic’s Claude is still being used by the U.S. military for targeting in the conflict with Iran. Many defense contractors and subcontractors are replacing Claude amid political and legal pressure. The Pentagon may label Anthropic a supply-chain risk, which could spark legal battles.

🙊 Anthropic CEO Dario Amodei accused OpenAI of lying about its Defense Department deal. Anthropic refused the DoD’s request over worries about mass surveillance and autonomous weapons. Public reaction favored Anthropic and hurt OpenAI’s reputation.

🦠 MALWARE & THREATS

🇷🇺 🇺🇦 🐾 🐱 Researchers found a Russian-linked campaign targeting Ukraine that uses phishing to deliver new malware called BadPaw and MeowMeow. The attack tricks victims with a Ukrainian-language decoy, avoids sandboxes, and uses BadPaw to fetch the MeowMeow backdoor. MeowMeow can run remote PowerShell commands and manage files, and its Russian-language artifacts link it to APT28.

🪱 A self-propagating JavaScript worm infected Wikipedia by adding hidden scripts and vandalizing pages. It spread by modifying both user common.js files and the global MediaWiki:Common.js, affecting about 3,996 pages and ~85 users. Wikimedia engineers restricted editing, removed the malicious code, and reverted changes while investigating how the dormant script executed.

🎠 Malicious Packagist (PHP) packages pretending to be Laravel tools install a cross-platform remote access trojan (RAT) that works on Windows, macOS, and Linux. The RAT connects to a C2 server, sends system info, and executes commands with the web app's permissions. Users should remove the packages, assume compromise, rotate secrets, and audit outbound traffic.

🇰🇵 🪱 North Korean hackers published 26 malicious npm packages that hide command-and-control addresses using steganography in Pastebin posts. The packages install a loader that decodes C2 URLs and fetches platform-specific payloads, deploying a cross-platform RAT and credential stealers. The campaign uses Vercel hosting and typosquatting to evade detection and target developers.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔓 A new quantum algorithm called JVG may break RSA and ECC using far fewer qubits and gates than Shor’s algorithm. Researchers claim JVG could factor RSA-2048 in about 11 hours with under 5,000 qubits, though the results are new and need more scrutiny. Organizations should urgently adopt crypto-agility and post-quantum standards to protect data now.

💬 🔓 TikTok says it will not add end-to-end encryption for direct messages — the company argues that end-to-end encryption could block police and safety teams from accessing messages when needed. TikTok keeps standard encryption and allows authorized access under strict conditions like valid law enforcement requests.

AWS announced Security Hub Extended, a plan that unifies AWS and curated partner security tools into one console. It simplifies buying, onboarding, and billing with pay-as-you-go pricing and single-vendor support. Security findings from all solutions are normalized into OCSF and aggregated in Security Hub for faster response.

🔐 Google plans to make Chrome HTTPS certificates resistant to quantum attacks by using Merkle Tree Certificates (MTCs). MTCs shrink certificate data, keep Certificate Transparency, and avoid slowing TLS with post-quantum keys. Google will test MTCs with partners and roll out a quantum-resistant root program by 2027.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🦊 🤝 🤖 Anthropic used its Claude Opus AI to find 22 vulnerabilities in Firefox over two weeks, 14 of them high-severity. Most bugs were fixed in Firefox 148, with a few patches delayed until the next release. The team struggled to build exploits, spending $4,000 in API credits but only making two proofs of concept.

🔎 🗒 Google tracked 90 zero-day vulnerabilities actively exploited in 2025, a 15% rise from 2024. Nearly half targeted enterprise systems like security appliances, VPNs, and networking gear. Commercial spyware vendors and state-linked groups drove much of the exploitation, and Google warns high rates may continue into 2026.

🎣 LastPass warns of a new phishing campaign that tries to steal users' master passwords. Fake emails use a spoofed display name and link to counterfeit LastPass login pages. LastPass published IoCs and worked with partners to take down the malicious sites.

📱 Kaspersky says there is no evidence the Coruna iPhone exploit kit was made by the same group behind 2023 attacks blamed on the NSA. Google found Coruna uses many iOS zero-days and has been used in multiple campaigns. Some experts suspect US government links because of shared vulnerabilities, but Kaspersky rejects code-reuse claims.

😱 A critical FreeScout vulnerability (CVE-2026-28289) allows zero-click remote code execution by uploading a hidden .htaccess file. The bug bypasses a previous patch using a zero-width space in filenames and affects FreeScout 1.8.206 on Apache with AllowOverride All. Users should update to FreeScout 1.8.207 immediately to prevent full server compromise and data theft.
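The FreeScout item above is a reminder that an upload filter must check the name in the same canonical form the filesystem will see, not the raw string from the request. The snippet below is an added illustration, not FreeScout's code or its fix: it contrasts a naive blocklist that a zero-width space slips past with a check that strips invisible Unicode format characters and control characters, reduces the name to a basename and refuses dotfiles and Apache .ht* files outright. The function names and blocklist are constructed for this example.

```python
import posixpath
import unicodedata

# Apache reads these per-directory files whenever AllowOverride permits it, so an
# attacker-controlled copy inside a web-served upload directory becomes configuration.
BLOCKED_BASENAMES = {".htaccess", ".htpasswd"}


def canonical_filename(name: str) -> str:
    """Return the basename as the filesystem will effectively store it.

    Applies NFKC, drops Unicode format characters (category Cf: U+200B zero-width
    space, U+200D ZWJ, U+FEFF BOM, soft hyphen ...) and control characters (Cc),
    and strips any directory component, including backslash-separated ones.
    """
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))
    name = name.replace("\\", "/")
    return posixpath.basename(name).strip()


def naive_is_allowed(name: str) -> bool:
    """Blocklist compared against the raw request string (constructed weak check).

    '.\u200bhtaccess' is not equal to '.htaccess', so it passes; if a later
    sanitising step removes the invisible character, the saved file is .htaccess.
    """
    return name.lower() not in BLOCKED_BASENAMES


def hardened_is_allowed(name: str) -> bool:
    """Validate the canonical name, and refuse every dotfile rather than a few names."""
    base = canonical_filename(name)
    if not base or base.startswith("."):
        return False
    lowered = base.lower()
    if lowered in BLOCKED_BASENAMES or lowered.startswith(".ht"):
        return False
    return True


if __name__ == "__main__":
    for candidate in (".\u200bhtaccess", "uploads/..\\.HTACCESS", "invoice.pdf"):
        print(repr(candidate), naive_is_allowed(candidate), hardened_is_allowed(candidate))
```

Independently of the application check, serving upload directories with `AllowOverride None` (or from outside the document root) removes the reason a stray .htaccess matters at all.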

🇰🇵 Security researchers say APT28 likely exploited MSHTML zero-day CVE-2026-21513 before Microsoft patched it in February 2026. The flaw lets malicious HTML or LNK files trick Windows into running code outside the browser sandbox. Akamai found an artifact tied to APT28 and warned other MSHTML embedding methods could be abused too.

🦞 Security researchers found a high-severity "ClawJacked" flaw in OpenClaw that let malicious websites brute-force a local gateway and take control. The bug allowed hundreds of password guesses per second from browser JavaScript and auto-approved local device pairings. OpenClaw patched the issue in version 2026.2.26 — users should update immediately.

🛰️ ICS, OT & IoT

🥸 An old Rockwell Automation flaw (CVE-2021-22681) that lets attackers impersonate engineering workstations has been exploited in the wild. CISA added it to its Known Exploited Vulnerabilities list and ordered fixes by March 26. Exposed PLCs could be remotely manipulated, risking production disruption or physical damage.

🤷 A researcher says Honeywell’s IQ4 building controller can expose its web interface without authentication and allow attackers to create admin accounts during setup. Honeywell counters that devices are delivered unconfigured, meant for local setup by trained technicians, and not meant to be internet‑exposed. The researcher found thousands of internet‑visible instances and disputes Honeywell’s assessment, and a CVE is pending.

📡 The Global Coalition on Telecoms (GCOT) released principles for 6G security and resilience at Mobile World Congress 2026. The principles call for security-by-design, AI-enabled defenses, quantum-safe cryptography, and measures to protect supply chains, data, and service availability. GCOT says governments, telecoms, and suppliers must act now as 6G moves from research toward commercial rollout by 2029–2030.

🛞 🗺 Researchers found tire pressure sensors broadcast a permanent ID in plain text that can be captured with cheap receivers. By collecting millions of messages, they showed these signals can be used to track vehicles and infer driver behavior. Attackers could use or spoof these transmissions for mass or targeted tracking and even to cause fake alerts.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
