I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

Leonardo’s “SignalTrace” would add Bluetooth device identifiers to automatic license plate reader captures

Surveillance vendor Leonardo is planning a feature called SignalTrace that would pair automatic license plate reader (ALPR) captures with unique identifiers from nearby Bluetooth devices (e.g., phones and wearables) inside passing vehicles. This shifts ALPRs from primarily tracking cars to more directly tracking people by linking vehicles to the devices traveling in them.

Key Details

  • SignalTrace would “sweep up” unique identifiers from mobile phones, wearables, and other Bluetooth-enabled devices detected in vehicles passing an ALPR camera.
  • The stated consequence is potentially identifying specific drivers or passengers by associating a license plate with the Bluetooth devices present in the car at that time.
  • ALPRs are described as commonly deployed across the U.S., and SignalTrace would expand the kinds of data some existing ALPR deployments could collect.
  • Bruce Schneier highlights that smartphone ecosystems already collect extensive location and behavioral data, while still calling expanded ALPR-linked collection “bad.”

Read more at Schneier on Security, 404 Media

npm v12 will disable install-time script auto-execution by default, forcing explicit approvals to curb malicious package code runs

GitHub announced breaking changes coming in npm v12 (expected July 2026) that turn off automatic execution of dependency install scripts during npm install by default to reduce supply-chain attacks that rely on lifecycle hooks for code execution. The release also tightens default rules around Git and remote-URL dependencies so projects must explicitly opt in before npm will fetch from those sources.

Key Details

  • The new default allowScripts=off blocks preinstall/install/postinstall scripts (including implicit node-gyp rebuilds) unless explicitly approved.
  • Developers can generate and manage an allowlist using npm approve-scripts (and block with npm deny-scripts); the approved list is stored in package.json and intended to be committed to version control.
  • npm v12 will default —allow-git to “none”, preventing resolution of Git-based dependencies unless explicitly enabled.
  • npm v12 will default —allow-remote to “none”, blocking installs from remote URLs (e.g., HTTPS tarballs) unless explicitly enabled.

Next Steps

  • Upgrade build/dev environments to npm 11.16.0+ and run normal installs to surface the new warnings ahead of npm v12.
  • Run npm approve-scripts —allow-scripts-pending to enumerate packages with install-time scripts, then approve only what you need and commit the resulting package.json changes.

Read more at SecurityWeek, Cybersecurity News, The Hacker News, CSO Online, BleepingComputer, The Register

CISA mandates 72-hour patching for highest-risk exploited vulnerabilities under new risk-tiered federal directive

CISA issued Binding Operational Directive 26-04 requiring federal civilian agencies to remediate the highest-risk known exploited vulnerabilities in as little as three calendar days under a new rubric shaped by concerns that AI can accelerate discovery and exploitation. The directive replaces earlier 15- and 30-day patch timelines with a risk-based framework that also requires forensic triage to check for compromise in the most urgent cases.

Key Details

  • The 3-day deadline applies when a vulnerability meets all four risk criteria: the affected asset is publicly exposed, the CVE is in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, exploitation can be fully automated, and exploitation yields high technical impact (e.g., total control).
  • When fewer criteria are met, the directive allows longer remediation windows—14 or 60 calendar days—and some lower-risk issues can be deferred to a normal upgrade cycle.

Next Steps

  • Update your vulnerability management policy to rank patch urgency using the four-factor rubric (public exposure, KEV status, exploit automation, technical impact) rather than fixed SLA buckets.
  • Build an internal playbook for the top tier that pairs emergency patching with mandatory forensic triage to determine whether exploitation occurred before remediation.
  • Ensure your asset inventory can reliably flag publicly reachable systems so exposure can be assessed quickly when a KEV-listed CVE is announced.

Read more at WIRED, Dark Reading, CSO Online, CyberScoop, Cybersecurity News

VS Code adds a 2-hour delay to automatic extension updates to blunt supply-chain attacks

Microsoft says VS Code will wait two hours after an extension update is published before auto-updating when automatic updates are enabled, aiming to reduce exposure to problematic or compromised releases.

Key Details

  • Available starting in VS Code 1.123.
  • Users can manually update an extension immediately via the “Update” button even during the delay window.
  • VS Code will show why an extension hasn’t updated yet and when the auto-update will occur in the extension details view when an update is pending.
  • The two-hour delay does not apply to extensions from trusted publishers (Microsoft listed Microsoft, GitHub, and OpenAI), which continue to update immediately.
  • The article notes similar “minimum age” controls have been added across package ecosystems (e.g., Bundler opt-in cooldown; Bun/npm/pnpm/Yarn minimum release age settings) to limit the spread window of newly published malicious versions.

Next Steps

  • Update VS Code 1.123 or later
  • Consider disabling extension auto-updates and using controlled/manual update windows where teams can review changes before rollout.

Read more at The Hacker News

GitHub disables dozens of Microsoft repos after Miasma supply-chain compromises planted credential-stealing code that can auto-run in AI coding tools

Microsoft and GitHub took multiple Microsoft-owned GitHub repositories offline after investigators found malicious code injected into open-source projects to steal credentials and other secrets. Researchers reported the payload could trigger when a developer opens affected repos in AI-assisted coding tools/IDEs, making repo cloning or inspection a potential execution path.

Key Details

  • More than 70 Microsoft repositories were disabled during the response; Microsoft said some repos have since been restored after review while others remain offline during the investigation.
  • Microsoft said it notified a small number of customers who may have downloaded content from impacted repositories.
  • Analysis described the malware’s objective as harvesting high-value secrets from developer workstations and CI/CD environments and exfiltrating them to a public GitHub repository.
  • Separately, researchers reported the Miasma worm/toolkit was published on GitHub as an “open source release”, described as a broader supply-chain attack toolkit targeting registries (e.g., PyPI, npm, RubyGems), GitHub/GitHub Actions, and AI-tool configuration poisoning.

Next Steps

  • Search your org for dependency use or installs of the reported typosquat/bait packages (e.g., rsquests, tlask, rlask, langchain-core-mcp) and remove/contain any affected environments.
  • Hunt for signs of secrets exfiltration to public GitHub repositories from developer and CI/CD hosts, and rotate any credentials that may have been exposed.

Read more at BleepingComputer, 404 Media, The Register, The Hacker News, Ars Technica

U.S. export-control directive forces Anthropic to shut off Fable 5 and Mythos 5 globally after foreign-national access ban

Anthropic disabled access to its Fable 5 and Mythos 5 AI models for all users worldwide after receiving a U.S. government export-control directive requiring the company to block any “foreign national” (including foreign-national employees) from using the models. Anthropic said it could not reliably enforce nationality-based controls in real time, and the directive appears tied to government concerns about a reported Fable 5 “jailbreak” technique.

Key Details

  • Anthropic said it received the directive at 5:21 p.m. ET on June 12, 2026, and that all other Anthropic models remain available.
  • Anthropic’s stated understanding is that the government believes it has identified a method to bypass (“jailbreak”) Fable 5, but Anthropic said the government has provided only “verbal evidence” of a narrow/non-universal technique.
  • Anthropic said it reviewed a demonstration and found it surfaced only a small number of previously known, minor vulnerabilities, and that other publicly available models (including OpenAI’s GPT-5.5) could produce similar results without any bypass.
  • Anthropic described its approach as defense-in-depth: aim to make universal jailbreaks prohibitively expensive, keep non-universal jailbreaks narrow in scope, and use monitoring to detect/shut down successful attacks.

Read more at CyberScoop, BleepingComputer, The Hacker News, Cybersecurity News, Socket

Draggable “browser-in-the-browser” popups mimic Microsoft OAuth to steal Microsoft 365 sessions

A phishing campaign targeting Microsoft 365 users uses a fake Microsoft OAuth login popup rendered inside the victim’s browser tab, designed to look and behave like a real sign-in window (including a spoofed address bar and padlock). After the victim enters credentials, attackers aim to capture the OAuth consent grant/token for longer-lived access that can persist beyond a password change.

Key Details

  • The fake sign-in window is a DOM element built with HTML/CSS/JavaScript (not a real OS-level popup), but it’s made draggable to remove a common visual cue that something is wrong.
  • Attackers use OS and browser fingerprinting to tailor fonts/styling/behavior so the popup matches the victim’s environment and appears more legitimate.
  • Evasion techniques described include blocking debugging attempts, fragmenting keywords to bypass content filters, and redirecting automated bots away from the malicious content so security tooling may see benign pages.
  • Victims may be redirected to the real Microsoft login page after submission, increasing the chance they assume they mistyped their password and don’t realize credentials/tokens were captured.
  • Unit 42 reported the campaign as targeting users who click “Sign in with Microsoft” on compromised sites, using the familiar SSO flow as the lure.

Next Steps

  • Where feasible, require phishing-resistant authentication (passkeys/FIDO2 security keys) for Microsoft 365 sign-ins.
  • Use Conditional Access to restrict sign-ins to managed devices for high-risk roles and sensitive apps.
  • Treat token theft as part of incident response: revoke suspicious sessions/OAuth grants in Microsoft 365 in addition to resetting passwords.

Read more at Cyber Security News

Phishing operators are buying aged, previously legitimate domains to inherit reputation and bypass email filters

An incident response investigation describes how phishing-as-a-service operators acquire long-standing legitimate domains and repurpose them for credential theft, allowing lures to pass reputation-based email controls that heavily weight domain age. The article argues that reputation systems often fail to reset or re-evaluate trust after ownership/hosting changes, and that certificate transparency (CT) and “stability” signals can expose takeovers faster than traditional reputation feeds.

Key Details

  • A recent case involved Sneaky2FA infrastructure on 117 origin servers in Kansas City, used to target a mix of UK/US government, energy, and US healthcare organizations.
  • The domain digitalscrapbookingfreebies.com is presented as an example of “aged-domain acquisition,” where years of benign certificate issuance patterns shifted into phishing-related subdomains after an apparent takeover.
  • The takeover indicators highlighted include a new certificate authority appearing after years of consistent issuance, followed by a months-long certificate renewal gap and then fresh issuance for unrelated/new subdomains.
  • CT data showed new Let’s Encrypt R13 certificates for subdomains including nativems-mfl09093004.digitalscrapbookingfreebies.com, which was observed used in phishing against a US state health agency.
  • The article recommends detection focused on hosting-pattern stability + subdomain naming anomalies + CT log monitoring, rather than treating domain age as a primary trust signal.

Next Steps

  • Add detections that flag aged domains with abrupt certificate/CA pattern changes (e.g., long-stable issuance followed by a gap, then new subdomains/certs) and feed those into email/link reputation decisions.
  • Pilot certificate transparency monitoring for high-risk/newly observed domains and blocklist candidates to surface suspicious subdomains soon after cert issuance (see background on CT logs: https://letsencrypt.org/2019/02/20/crl-and-ct.html).
  • Hunt for and consider blocking observed indicator nativems-mfl09093004.digitalscrapbookingfreebies[.]com if it appears in mail logs, proxy logs, or DNS telemetry.

Read more at CSO Online

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.