Inconsistent Privacy Labels Don’t Tell Users What They Are Getting – Dark Reading
Data privacy labels are a great idea for mobile apps, but the current versions just aren’t good enough.
An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials,…
When Daniel Rhyne pleaded guilty on April 1 to having launched an insider extortion attack against his then-employer, authorities enumerated the techniques he used, including unauthorized remote desktop sessions, deletion…
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been…
Google has patched another zero-day vulnerability in Chrome, its fourth this year. In patching the vulnerability, tracked as CVE-2026-5281, the company acknowledged that an exploit for it already exists in…
Researchers who identify and report bugs in open-source software will no longer be rewarded by the Internet Bug Bounty team. HackerOne, which administers the program, has said that it is…
Even organizations with users unwilling or unable to adopt iOS 26 can now protect themselves from a severe, OSS mobile cracking tool.
The leak of Claude Code’s source is already having consequences for the tool’s security. Researchers have spotted a vulnerability documented in the code. The vulnerability, revealed by AI security company…
The European Union’s Computer Emergency Response Team, CERT-EU, has traced last week’s theft of data from the Europa.eu platform to the recent supply chain attack on Aqua Security’s Trivy open-source…
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft…
As organizations disclose breaches tied to TeamPCP’s supply chain attacks, ShinyHunters and Lapsus$ are getting involved, taking credit, and creating a murky situation for enterprises.
“Skull vibration harmonics generated by vital signs” can be used to sign in to VR, AR, and MR headsets, according to emerging research.
Or, why the software supply chain should be treated as critical infrastructure with guardrails built in at every layer.
The rebuilt Chainguard platform adds deeper security designed to continuously reconcile open-source artifacts across containers, libraries, Actions and skills.
Once CrowdStrike’s nemesis, Microsoft is now a collaborator. A shared interest in Formula 1 helped thaw the years-long fierce rivalry.