🎦 Vimeo says hackers stole user and customer data after breaching a third-party analytics vendor. Stolen items include technical data, video titles/metadata, and some email addresses, but not video content, passwords, or payment cards. The ShinyHunters group claims responsibility and is threatening to leak files unless a ransom is paid.

🇧🇷 💥 A Brazilian DDoS protection firm, Huge Networks, was tied to a botnet that launched massive attacks against Brazilian ISPs. An exposed archive showed attackers used the CEO’s leaked SSH keys and scripts to hijack vulnerable TP-Link routers and DNS servers. The CEO says the company was breached and blames a competitor, not his team.

⚕Sandhills Medical Foundation suffered a ransomware attack discovered May 8, 2025. Nearly 170,000 people may have had personal and health data exposed, including SSNs, IDs, and financial information. The stolen files were posted by the Inc Ransom group and the organization has notified affected individuals.

🇺🇸 🇮🇪 Medtronic says cybercriminals breached its corporate IT systems but so far the company found no impact on products, manufacturing, or patient safety. The gang ShinyHunters claims it stole 9 million records and threatened to publish them. This hack is one of several recent attacks on large medical device makers, raising industry-wide security concerns.

🇺🇸 Checkmarx says a cybercriminal group posted data from its GitHub repository on the dark web after a March 23 supply-chain attack. The company says the repo is separate from customer production systems and no customer data is stored there, and it has locked down the repo while investigating. The breach involved tampered workflows, plugins, and extensions that pushed a credential stealer and affected other packages.

🏡 🔓 Home security company ADT suffered a data breach that exposed personally identifiable information for about 5.5 million customers. The hacker group ShinyHunters posted over 10 million records and said it accessed ADT systems via social engineering. ADT says payment data and security systems were not affected and it has contacted affected customers.

🇺🇸 Itron, a major maker of internet-connected utility meters, says it was hacked in mid-April and attackers accessed some of its systems. The company says it expelled the intruders, found no signs of ongoing access, and notified law enforcement. Itron reported operations are continuing and is using backups, but the full impact and any data breach details are still unclear.

🇫🇷 French police detained a 15-year-old suspected of selling data from a breach of France Titres (ANTS) — Authorities say the teen, using the alias "breach3d," offered millions of records including names, emails, birthdates, addresses, and phone numbers. Prosecutors seek formal charges and judicial supervision while a judge reviews the case.

🇺🇸 ⚖ Two former incident responders pleaded guilty to ransomware attacks and were each sentenced to four years in prison. They used ALPHV/BlackCat ransomware to extort victims, including medical and engineering firms, stealing data and demanding payments. One co-conspirator extorted far more and faces a longer sentence while employers say they were unaware and fired the employees.

🇮🇷 🇺🇸 🇧🇭 Iran-linked group Handala sent threatening WhatsApp messages to US troops in Bahrain and posted personal data of thousands of Marines. The group, tied to Iran’s Ministry of Intelligence, conducts influence, hacking, and destructive cyber operations. Authorities say Handala aims for psychological damage and has used malware, wipers, and social engineering in past attacks.

🇺🇦 🕹 Ukrainian police arrested three people for hacking and selling 610,000 Roblox accounts, making about $225,000. They seized cash, phones, computers, and storage devices during raids in Lviv. The group used malware to steal credentials, sold high-value accounts online, and faces up to 15 years in prison.

🇨🇦 Canadian police arrested three men in Toronto for using an "SMS blaster" that mimics cell towers to send phishing texts to nearby phones. The device forced phones to connect, sent fake messages that look like they come from banks or the government, and blocked access to real networks and emergency services. Authorities seized equipment, said millions were affected, and warned users to treat SMS as insecure and use encrypted channels.

🇪🇺 ❌ Austrian and Albanian police, with Europol and Eurojust, broke up a crypto investment scam that stole over €50 million from people worldwide. They arrested 10 suspects, searched call centres and homes, and seized cash, computers, phones, and other devices. The fraud used fake trading platforms and call-centre "brokers" to trick victims and launder their money.

🇺🇸 ⚖ A 19-year-old dual U.S.-Estonian citizen nicknamed "Bouquet" was arrested in Finland and charged in the U.S. for major hacking and extortion with the Scattered Spider group. Prosecutors say he helped breach multiple companies, forcing victims to pay or suffer millions in damages. Scattered Spider is a young, criminal hacking collective known for social engineering and MFA-bypass attacks on many high-profile firms.

🇺🇸 ⚖ Evan Tangeman, 22, was sentenced to 70 months for laundering millions from a $230M cryptocurrency theft. He helped move at least $3.5M for the group that stole over 4,100 Bitcoin in 2024. The gang used mixers, exchanges, VPNs, and lavish spending to hide and spend the stolen funds.

🇨🇳 ⚖ 🇺🇸 A Chinese national, Xu Zewei, was extradited from Italy to the U.S. and charged for his role in a large cyberespionage campaign. The attacks, linked to the Silk Typhoon/HAFNIUM group, exploited Microsoft Exchange flaws to steal COVID-19 research and other sensitive data. Xu faces multiple federal charges and up to 62 years in prison.

→ More:

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

🇪🇺 ✈ 🇺🇸 The U.S. is asking the EU to let American authorities access Europeans’ personal and biometric data or lose visa-free travel. EU leaders and privacy experts warn this clashes with strong EU data protections and could enable mass surveillance. Critics call the demand coercive and fear it will chill free speech and travel.

🇺🇸 ⏳ Congress approved a 45-day extension of Section 702, which allows warrantless surveillance of foreign targets. Lawmakers want more time to address privacy concerns after a court found compliance problems and a declassification review is underway. The extension delays a long-term decision as political fights continue over reform.

🇮🇹 Italian prosecutors say Paragon Solutions has NOT cooperated with their year-old probe into Graphite spyware that targeted journalists and activists. Paragon previously offered to help and then publicly clashed with Italy, even cancelling contracts. Prosecutors still await a response as the investigation continues.

🇷🇺 🇩🇪 Russian-linked phishing attacks using malicious Signal QR codes likely compromised high-ranking German officials — Signal says its app and encryption were not hacked but will add protections and warns users to enable Registration Lock. European and U.S. agencies blame Russian intelligence for a wider campaign targeting officials across multiple countries.

🇺🇸 💰 U.S. states issued a record $3.45 billion in privacy fines in 2025, more than the prior five years combined. Stronger state laws, cross-state enforcement and scrutiny of AI data use drove the increase. Regulators warn enforcement will stay strong as concerns about AI and privacy grow.

🇪🇺 🆚 🇺🇸 Europe is trying to reduce reliance on U.S. tech because laws like the CLOUD Act and political concerns threaten data sovereignty. Governments are pushing for “sovereign” cloud and open-source alternatives, but European providers still struggle to match U.S. rivals. Public contracts and rising demand for non‑American solutions may help build competitive European tech.

🐍 🔙 🚪 Researchers uncovered a stealthy Python backdoor called DEEP#DOOR that hides inside a batch dropper and establishes persistent access on Windows. 
It uses a public tunneling service (bore.pub) for command-and-control to steal browser, cloud, SSH, and other credentials and perform spying (keylogging, screenshots, webcam, audio). The malware includes many anti-analysis and persistence tricks to avoid detection and make removal difficult.

🔑 Researchers warn of a supply-chain attack that infected SAP-related npm packages with credential-stealing malware called "mini Shai-Hulud". The malicious releases added a preinstall hook that downloads and runs a Bun runtime to steal developer credentials, GitHub/npm tokens, cloud secrets, and exfiltrate them to public GitHub repos. The payload can self-propagate via GitHub Actions and injects files to trigger execution in VS Code and AI coding agents, making this a novel persistence and spread method.

🐍 Attackers pushed malicious PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI to steal credentials. The malware runs on import, downloads a Bun JavaScript runtime, and exfiltrates tokens to spread to repositories and npm packages. PyPI quarantined the project; users should remove those versions, downgrade to 2.6.1, and rotate exposed credentials.

🐍 A malicious release (v0.23.3) of the popular PyPI package elementary-data was published and stole developer secrets and crypto wallets. The attacker used a GitHub Actions script-injection to forge a signed release, which also pushed a compromised Docker image. Users who installed that release or pulled the affected images must rotate secrets and restore from a safe backup.

🪱 💤 The GlassWorm campaign returned to OpenVSX with 73 "sleeper" extensions that appear benign at first but turn malicious after an update. Researchers say six are active and deliver malware, while the rest are likely dormant or suspicious. Developers who installed any listed extensions should rotate secrets and clean their environments.

🆕 Anthropic has opened Claude Security, powered by Opus 4.7, as a public beta for enterprise customers to find and patch software flaws. The tool explains vulnerabilities, rates confidence and impact, and generates patch instructions usable in Claude Code. Some experts urge caution about real-world impact, and stricter access remains for the more powerful Mythos model.

🇰🇵 💸 North Korean-linked hackers spoof fake Zoom/Teams meetings to record and trick cryptocurrency executives — They replay stolen or deepfaked video, then push malware or use captured footage to lure more victims. Researchers link the campaign to BlueNoroff/Lazarus and say it helps fund Pyongyang’s illicit activities.

🦞 ✅ Red Hat engineer Sally O’Malley released Tank OS, an open source tool that runs OpenClaw agents inside secure, bootable Podman containers. Tank OS isolates agents, stores credentials safely, and helps IT teams deploy and update many agents across fleets. The tool aims to make enterprise OpenClaw use safer while still requiring technical skill to manage.

➝ From the Patching Department:

Effective March 27, the IBB program has been paused for new submissions.

The Internet Bug Bounty (IBB) program was created to strengthen security in open source and core internet infrastructure projects. From the outset, it was designed to reward both vulnerability discovery and remediation, with 80 percent of rewards supporting new findings and 20 percent supporting remediation efforts. The intent has been to align discovery with effective remediation so that meaningful findings lead to durable security improvements in open source projects.

The discovery landscape is changing. AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed. The balance between findings and remediation capacity in open source has substantively shifted. We have a responsibility to the community to ensure this program effectively accomplishes its ambitious dual purpose: discovery and remediation. Accordingly, we are pausing submissions while we consider the structure and incentives needed to further these goals.

Active IBB submissions will continue through standard review and payout processes without disruption.

→ https://hackerone.com/ibb

🐧 A new Linux bug called Copy Fail (CVE-2026-31431) lets a local unprivileged user gain root on kernels from 2017–2026. Researchers released a tiny, reliable exploit that works across major distributions and was fixed in recent kernel updates. Admins should apply kernel patches or disable the AF_ALG crypto interface until updates are installed.

🐧 A high-severity PackageKit flaw called Pack2TheRoot (CVE-2026-41651) lets unprivileged users install RPMs as root without authentication. The bug is a TOCTOU race that corrupts transaction flags so backends run attacker-supplied actions. It affects many Linux distributions but was fixed in PackageKit 1.3.5 and patched by major distros.

💥 A severe authentication bypass in cPanel (CVE-2026-41940) is being actively exploited in the wild. cPanel has released patches and detection tools after researchers and hosts found attacks that let attackers inject session data to bypass login checks. CISA added the flaw to its Known Exploited Vulnerabilities list and the issue carries a 9.8 CVSS score.

💥 A critical SQL injection in LiteLLM (CVE-2026-42208) allowed unauthenticated attackers to read and modify its proxy database. Exploitation began within 36 hours of disclosure, targeting keys and config data tied to cloud LLM credentials. Users should update to 1.83.7 or enable disable_error_logs to block the attack path.

🩺 Researchers found 38 vulnerabilities in OpenEMR, an open-source electronic medical records platform used by over 100,000 providers. Many flaws were authorization errors, plus XSS, SQL injection, path traversal, and session issues; two critical SQL injection bugs could let attackers steal patient data or run code. All issues have been patched after Aisle’s review, and no public reports show widespread real-world exploitation.

🔓 Researchers found a critical GitHub vulnerability (CVE-2026-3854) that let any authenticated user run commands on GitHub servers with a single git push. The flaw exposed millions of public and private repositories and could fully compromise Enterprise Server instances. GitHub patched the issue quickly and says it found no signs of real-world exploitation, but many Enterprise Server installs remain unpatched.

🐡 A 15-year-old OpenSSH bug (CVE-2026-35414) lets a comma in a certificate principal bypass access checks and grant root shells. The flaw breaks authorization parsing so attacks do not show as failed logins. OpenSSH fixed it in version 10.3; update and audit systems now.

🤗 A critical unpatched flaw (CVE-2026-25874) in Hugging Face’s LeRobot lets unauthenticated attackers run arbitrary code via unsafe pickle deserialization over gRPC. The bug affects the PolicyServer async inference pipeline and can lead to full server compromise, theft of credentials, and impact on connected robots. A fix is planned for v0.6.0, but the issue is currently exploitable in v0.4.3.

→ Hugging Face, ClawHub Abused for Malware Distribution

🤷 CISA's new guidance adapts zero trust for operational technology but is high-level and vague — Experts say it skips key questions like who will pay and how to prioritize long, costly changes. They warn many OT owners lack resources to implement the recommendations.

🔓 Researchers found millions of RDP and VNC servers exposed to the internet, including hundreds that give direct access to industrial control systems. Many exposed servers run unsupported Windows, lack authentication, or are vulnerable to known exploits. Attackers have used such access for spying, ransomware, and OT disruption, so organizations should use secure remote access solutions.

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.