I go through about 700 cybersecurity news items every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday, or scroll to the bottom to subscribe to the e-mail newsletter.

1. Anthropic’s Project Glasswing brings major vendors together to use an unreleased AI model that autonomously finds and exploits zero-days at scale

Anthropic announced Project Glasswing, a partner initiative to apply its unreleased Claude Mythos Preview model to defensive security work after internal testing showed it can autonomously find and develop exploits for thousands of high-severity vulnerabilities.

Anthropic says the model has already uncovered issues across major operating systems and web browsers, and the company is providing usage credits and open-source funding while coordinating disclosure for fixes.

Key Details

  • Project Glasswing launch partners include AWS, Apple, Google, Microsoft, NVIDIA, Palo Alto Networks, CrowdStrike, Cisco, Broadcom, JPMorganChase, and the Linux Foundation (and 40+ additional organizations that build or maintain critical software infrastructure)
  • Anthropic’s examples of patched findings include a 27-year-old OpenBSD bug enabling remote crash via connection, a 16-year-old FFmpeg vulnerability missed despite extensive automated testing, and a Linux kernel vulnerability chain enabling privilege escalation to full control.
  • On the CyberGym “vulnerability reproduction” benchmark, Mythos Preview scored 83.1% vs. 66.6% for Claude Opus 4.6.
  • Sceptics argue that, without details of the vulnerabilities found and the effort required to find them, the real impact of the model is hard to assess, and that Anthropic currently has an incentive to overstate the model’s capabilities.

Read more at Anthropic, SecurityWeek, Wired, CyberScoop, CSO Online

2. FBI extracted deleted Signal message text from iPhone push-notification database after the app was removed

Court testimony in a Texas case described how the FBI recovered copies of incoming Signal messages from an iPhone’s push-notification database, even after the Signal app had been deleted.

The message content was available because iOS generates and stores notification previews at the OS level, which can persist independently of what the app later deletes.

Key Details

  • Investigators reportedly used Cellebrite to forensically extract data from the seized iPhone.
  • Signal includes an option to reduce exposure via notifications by blocking message content in push notifications.
  • The reporting ties the extraction to iOS keeping a record of notification previews handled by the operating system, not by Signal itself.

Next Steps

  • On iOS devices, set Signal notifications to Show Previews: Never (iPhone Settings → Notifications → Signal → Show Previews).
  • In Signal, set notification content to “No Name or Content” (Signal → Settings → Notifications → Notification Content).
  • Apply the same no-preview notification policy to other messaging apps that display message text in notifications.

Read more at HackRead, 404 Media

3. Gmail client-side (end-to-end) encrypted email now works natively in the Android and iOS Gmail apps

Google has rolled out mobile support for Gmail’s client-side encryption so eligible organizations can compose and read end-to-end encrypted emails directly in the Gmail app on Android and iOS without separate secure-mail apps or portals. Encrypted messages are protected with customer-controlled keys and can be sent to any recipient, with non-Gmail recipients accessing and replying via a browser-based flow.

Key Details

  • Requires Google Workspace Enterprise Plus with the Assured Controls or Assured Controls Plus add-on, which licenses client-side encryption (CSE).
  • Admins must explicitly enable Android and iOS clients in the CSE admin interface via the Workspace Admin Console before users can use the mobile capability.
  • External (non-Gmail) recipients can open and reply in a web browser after an authentication/verification step, rather than needing a Gmail app or a separate account.
  • Encrypted content is encrypted on-device before reaching Google’s servers, with encryption keys managed outside Google by the customer organization.
  • Some Gmail features are unavailable on encrypted content, including AI features and comprehensive search, consistent with existing CSE limitations on web/desktop.

Next Steps

  • If your organization already licenses CSE, enable the Android and iOS clients in the Admin Console and pilot encrypted mail for correspondence that warrants customer-held keys, keeping in mind that AI features and full search will not work on that content.

Read more at Cybersecurity News, BleepingComputer, CSO Online

4. Open Source AI Skills for Governance, Risk & Compliance

A new set of installable “Claude Skills” packages positions Claude as a compliance-focused assistant by auto-loading framework-specific instructions and references when a conversation hits a trigger topic.

The author frames the skills as a way to quickly generate audit-ready artifacts (policies, control narratives, templates) and run structured gap assessments across major security, privacy, and regulatory frameworks.

Key Details

  • Skills are delivered as a .skill archive containing a primary SKILL.md plus optional reference materials that load via “progressive disclosure” (core instructions in context; deeper references loaded on demand).
  • Skills listed include SOC 2, GDPR, HIPAA, NIST CSF, PCI DSS (v4.0.1), and TSA cybersecurity directives.

Next Steps

  • After a detailed review of the skill files and references, test these skills in your workflows.

Read more at sushegaad.github.io

5. APT28 hijacked SOHO router DNS at scale to intercept Microsoft 365 OAuth tokens

Russia-linked APT28/Forest Blizzard compromised vulnerable MikroTik and TP-Link routers to change their DNS settings and perform adversary-in-the-middle interception of Microsoft 365/Outlook web sessions.

By capturing OAuth tokens after successful login (including MFA), the campaign enabled account access without deploying malware on endpoints and was later disrupted via a coordinated law-enforcement and industry operation.

Key Details

  • More than 18,000 routers across 120+ countries were observed in the campaign at its peak (December 2025), according to Lumen’s Black Lotus Labs.
  • Microsoft reported 200+ organizations and at least 5,000 consumer devices were affected by the activity it tracked.
  • The intrusion flow relied on router DNS reconfiguration to attacker-controlled resolvers/VPS infrastructure, allowing malicious redirection to lookalike services and interception of credentials and tokens in transit.

Next Steps

  • Identify and replace end-of-life or unpatched SOHO edge routers (notably older MikroTik/TP-Link) used in homes, small offices, and remote sites; where replacement isn’t immediate, apply vendor updates and lock down router management interfaces.
  • Hunt for signs of unauthorized DNS configuration changes on routers (unexpected resolvers, sudden DNS changes across a site) and restore to known-good settings.
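As an added example (not code from the Microsoft, Lumen or NCSC reporting), here is a small Node.js hunt for the two signals named above: resolver settings on SOHO routers that changed since the last snapshot or point somewhere unexpected, and a DNS answer for a Microsoft 365 login host that disagrees with a trusted resolver. The router export format, the resolver allowlist, the IP addresses and the DNS answers are all constructed sample data for the demo.

```javascript
// Added example: hunt for router DNS tampering of the kind described above.
// All inputs below are constructed; nothing is queried from the network.

// Resolvers expected at branch sites (hypothetical values).
const ALLOWED_RESOLVERS = new Set(['10.0.0.53', '1.1.1.1', '8.8.8.8']);

// RFC 1918 check: a resolver that is neither allowlisted nor on a private
// network is the first thing to look at.
function isRfc1918(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => Number.isNaN(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Parse a constructed "site,router,resolver1;resolver2" export into a map
// keyed by site/router.
function parseSnapshot(text) {
  const out = new Map();
  for (const raw of text.trim().split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [site, router, resolvers] = line.split(',').map(s => s.trim());
    out.set(`${site}/${router}`, resolvers.split(';').map(s => s.trim()).filter(Boolean));
  }
  return out;
}

// Flag routers whose resolvers changed since the previous snapshot or that
// now point at a non-allowlisted, non-private address.
function huntDnsChanges(prev, curr) {
  const findings = [];
  for (const [router, resolvers] of curr) {
    const before = prev.get(router) || [];
    const changed = before.join(',') !== resolvers.join(',');
    const suspicious = resolvers.filter(r => !ALLOWED_RESOLVERS.has(r) && !isRfc1918(r));
    if (changed || suspicious.length) {
      findings.push({ router, before, after: resolvers, suspicious });
    }
  }
  return findings;
}

// Compare the A records the site's resolver returns for a login host with
// what a trusted resolver returns; addresses the trusted resolver never
// handed out are the redirection step of the campaign.
function answerMismatch(host, trustedAnswers, observedAnswers) {
  const trusted = new Set(trustedAnswers);
  const unexpected = observedAnswers.filter(ip => !trusted.has(ip));
  return { host, hijackSuspected: unexpected.length > 0, unexpected };
}

// Constructed snapshots: rtr-02 at branch-2 was re-pointed to a public VPS.
const YESTERDAY = `
branch-1,rtr-01,10.0.0.53
branch-2,rtr-02,10.0.0.53;1.1.1.1
`;
const TODAY = `
branch-1,rtr-01,10.0.0.53
branch-2,rtr-02,203.0.113.77
`;

function runHunt() {
  const findings = huntDnsChanges(parseSnapshot(YESTERDAY), parseSnapshot(TODAY));
  // Constructed answers: trusted resolver on the left, site resolver on the right.
  const mismatch = answerMismatch('login.microsoftonline.com',
    ['20.190.151.7', '40.126.31.3'], ['203.0.113.80']);
  return { findings, mismatch };
}

console.log(JSON.stringify(runHunt(), null, 2));
```

Feed `parseSnapshot` a daily export of each router's DNS settings and diff against the previous day; a resolver change that is not part of a planned rollout, or any resolver outside your allowlist and private ranges, warrants restoring known-good settings and reviewing sign-in logs for the site.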

Read more at Microsoft Security Blog, KrebsOnSecurity, BleepingComputer, CyberScoop, UK National Cyber Security Centre

6. France announces plan to migrate government workstations from Windows to Linux as part of digital sovereignty push

France says it will exit Microsoft Windows in favor of Linux-based workstations across state infrastructure, as part of a broader program to reduce dependence on non-European technology vendors.

The plan was announced at an April 8, 2026 interministerial seminar led by DINUM with participation from ANSSI and other government bodies.

Key Details

  • Ministries must submit individual transition plans by fall 2026; the initial announcement did not name a Linux distribution or provide a rollout timeline.
  • The migration scope extends beyond desktops to collaboration tools, antivirus, AI platforms, databases, virtualization environments, and network equipment.
  • France’s National Health Insurance Fund said it is moving 80,000 agents to government platform tools including Tchap (secure messaging), Visio (video conferencing), and FranceTransfert (document transfer).
  • The government also confirmed its national health data platform will move to a ‘trusted sovereign cloud’ by end of 2026.

Read more at Cybersecurity News

7. Chrome 146 on Windows adds Device Bound Session Credentials to make stolen session cookies unusable

Google is rolling out Device Bound Session Credentials (DBSC) in Chrome to stop account takeovers that rely on stealing and replaying session cookies harvested by infostealer malware.

DBSC binds an authenticated browser session to the local device using hardware-backed keys, so exfiltrated cookies quickly expire unless Chrome can prove it still holds the device’s private key.

Key Details

  • Available now in Chrome 146 for Windows; Google says macOS support is coming in a future Chrome release.
  • DBSC uses hardware-backed key pairs (e.g., TPM on Windows; Secure Enclave on macOS) where the private key can’t be exported, limiting reuse of stolen session material on other machines.
  • Sites adopt DBSC by adding dedicated registration and refresh endpoints; Chrome handles the cryptography and cookie rotation while apps continue using standard cookies.
  • Google says an early version deployed last year showed a significant reduction in session theft when DBSC was enabled, based on testing with multiple web platforms including Okta.
  • DBSC is designed for privacy: each session uses a distinct key, and the protocol avoids sending device identifiers/attestation data that could enable fingerprinting or cross-site tracking.

Next Steps

  • If you operate a web app, evaluate implementing DBSC using Chrome’s registration/refresh endpoint pattern (guide: https://developer.chrome.com/docs/web-platform/device-bound-session-credentials).
  • Roll out Chrome 146 on Windows where feasible to benefit from DBSC protections as they become available for supported sites.

Read more at Google Security Blog, BleepingComputer, SecurityWeek

8. White House proposes $707M cut to CISA, shifting funding away from election security and external engagement

The White House’s FY2027 budget request would cut CISA funding by about $707 million (roughly $2.9B to $2.4B), describing the change as a refocus on “core” missions like federal network defense and critical infrastructure security. The proposal sits inside a broader set of uneven federal cyber shifts that reduce overall civilian cyber spending while increasing funding for some agencies (notably DOJ and State).

Key Details

  • The cut is framed as eliminating activities the administration says are duplicative or out of scope, including programs tied to election security, misinformation/disinformation, and external engagement.
  • CSO reported the request would eliminate 867 CISA positions (about 766 FTE) from a current staffing level of 3,732 positions.
  • CISA’s Stakeholder Engagement Division, which handles outreach to the private-sector operators of energy, water, healthcare and financial infrastructure that own the majority of US critical infrastructure, would be cut from 145 to 25 positions and lose more than $50 million in funding (per CSO’s reporting), leaving the scope of that work significantly reduced.

Read more at SecurityWeek, SiliconANGLE, CSO Online

9. Adobe fixes actively exploited Acrobat/Reader prototype-pollution bug (CVE-2026-34621) enabling code execution via crafted PDFs

Adobe released emergency updates for Acrobat and Acrobat Reader to patch CVE-2026-34621 (CVSS 8.6), an actively exploited flaw that can lead to arbitrary code execution.

The bug is a prototype-pollution issue triggered when a victim opens a specially crafted PDF, enabling malicious JavaScript to run and potentially escalate into code execution.

Key Details

  • The flaw is a prototype pollution (JavaScript) vulnerability that attackers can abuse by manipulating object properties in the PDF/JS context.
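To show what “prototype pollution” means in general, here is an added example in plain JavaScript. It is not Adobe's code and does not reproduce the Acrobat bug; it shows the generic pattern: a recursive merge that trusts attacker-supplied keys lets a `__proto__` key write onto `Object.prototype`, so every object created afterwards inherits the attacker's property, and a later privileged check that reads an unset flag suddenly passes. The malicious document and the `allowScripts` gadget are constructed for the demo.

```javascript
// Added example: generic prototype pollution, vulnerable merge beside the
// hardened one. Sample input and the feature-flag gadget are constructed.

// Vulnerable: walks source keys without filtering prototype hooks. For the
// key "__proto__", target[key] resolves to Object.prototype, so the nested
// values land on every object in the runtime.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into properties the target actually owns.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hypothetical gadget: a privileged-feature check that reads a flag which the
// settings object never had set on itself.
function privilegedFeatureEnabled(settings = {}) {
  return settings.allowScripts === true;
}

// Constructed malicious input: user-controlled JSON (form metadata, say)
// that the viewer merges into its defaults. JSON.parse keeps "__proto__"
// as an ordinary own property, so Object.keys() hands it to the merge.
const MALICIOUS = JSON.parse('{"title":"invoice","__proto__":{"allowScripts":true}}');

function demoUnsafe() {
  const defaults = { title: 'untitled' };
  mergeUnsafe(defaults, MALICIOUS);
  const polluted = privilegedFeatureEnabled({});   // unrelated object, now true
  delete Object.prototype.allowScripts;            // clean up so the demo repeats
  return polluted;
}

function demoSafe() {
  const defaults = { title: 'untitled' };
  mergeSafe(defaults, MALICIOUS);
  const result = privilegedFeatureEnabled({});     // stays false
  delete Object.prototype.allowScripts;
  return result;
}

console.log({ unsafe: demoUnsafe(), safe: demoSafe() });
```

The key filter is the fix; as defence in depth, code that parses untrusted structures can also build containers with `Object.create(null)` or freeze `Object.prototype` at startup so a missed sink cannot write to it.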

Next Steps

  • Update to the fixed releases: 26.001.21411 (Acrobat/Reader DC) or 24.001.30362 (Windows) / 24.001.30360 (macOS) for Acrobat 2024. (Adobe advisory: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html)

Read more at SecurityWeek, The Hacker News

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.
