I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

Apple patches Beats Studio Buds Bluetooth auth bypass that enabled nearby microphone eavesdropping

Apple released Beats Firmware Update 1B211 to fix CVE-2025-20701, a high-severity Bluetooth authorization flaw that could allow a nearby attacker to pair (or interact) without user consent. The bug meant attackers within Bluetooth range could listen through the earbuds’ microphone while the device was unpaired and actively seeking pairing.

Key Details

  • CVE-2025-20701 is described as incorrect authorization in the Airoha Bluetooth audio SDK (CVSS 8.8).
  • Apple says the issue affects devices not yet paired and actively seeking pair requests, with exploitation limited to Bluetooth range.
  • PoC showed attackers could initiate a call and eavesdrop on conversations within earshot of the targeted phone when using the vulnerable Bluetooth audio device.
  • The update is automatically delivered to vulnerable Beats Studio Buds when they are paired and within Bluetooth range of an iPhone, iPad, or Mac; firmware version can be checked in Bluetooth settings.

Next Steps

  • Confirm Beats Studio Buds are on Firmware Update 1B211 (check Bluetooth settings → info button next to the headphones).
  • Instruct users to pair the earbuds near an iPhone/iPad/Mac to receive the automatic firmware update.

Read more at The Hacker News, BleepingComputer

EU gives Ukraine access to ENISA-managed Cybersecurity Reserve for emergency response to major cyberattacks

EU member states approved Ukraine’s participation in the EU Cybersecurity Reserve, letting Kyiv request rapid support from EU-approved private-sector incident response providers when large-scale cyber incidents exceed national capacity. The reserve is designed to deliver expert help for incident containment and recovery, deepening operational cyber cooperation with Ukraine amid ongoing Russia-linked pressure.

Key Details

  • Ukraine becomes the second non‑EU country with access to the reserve after Moldova (granted access in 2024).
  • The reserve is managed by ENISA and is intended to be rapidly deployable support for governments and critical infrastructure operators.
  • Support can include digital forensics, incident response, and system recovery, and can extend into post-incident recovery and resilience improvements (e.g., modernization and capability-building).
  • Ukraine’s National Security and Defense Council said the arrangement is expected to be reciprocal, with Ukraine sharing intelligence on Russian hacking techniques and participating in joint investigations and attribution efforts with European partners including Europol.
  • Ukraine also indicated it hopes Ukrainian cybersecurity companies could eventually join the reserve as trusted service providers under the EU’s Cyber Solidarity Act framework.

Read more at The Record, The Cyber Express

Shadow AI shifts from data-leakage risk to unmanaged AI agents with broad enterprise access

Security teams are increasingly facing shadow AI as an access-control and identity problem driven by unsanctioned AI agents connected to internal systems, not just employees pasting sensitive data into public chatbots. The article argues that these agents can act autonomously across SaaS and cloud services using inherited credentials, while traditional controls like domain blocks, DLP, and human-centric IAM don’t provide sufficient visibility or lifecycle management.

Key Details

  • Unlike classic shadow IT, AI agents can execute actions (read/write/delete, change configs, trigger workflows) in production systems via APIs and stored credentials, often without per-step human approval.
  • Agents are being created through many entry points, including sanctioned platforms, browser extensions, SaaS-native agent/automation features, developer tools, MCP servers, endpoint agents, and custom scripts.
  • The piece describes how broad permissions accumulate: developers grant expansive access to avoid breaking workflows, temporary access becomes permanent, and agents may retain creator-level privileges with limited security-team visibility.
  • It proposes a shadow-AI inventory approach spanning AI platforms, SaaS apps, cloud accounts, developer tools, endpoints, and identity providers, focusing on ownership, connected resources, credential types, intent vs. observed behavior, and whether agents are still active.

Next Steps

  • Build or buy a process to inventory AI agents and their linked identities/secrets across AI platforms, SaaS automation features, cloud accounts, developer tools, endpoints, and IdPs (include owner, connected systems, and credential type for each agent).
  • Implement lifecycle controls to disable or rotate credentials for dormant agents (especially agents that have never been used but still hold active API keys/OAuth tokens/service accounts).
  • Add guardrails so newly created agents that connect to sensitive systems (e.g., CRM, data warehouses, code repos) require explicit ownership, scoped permissions, and a decommission plan before production use.

Read more at The Hacker News

Security “debt” persists when teams track vulnerability backlogs instead of exposure time

An industry analysis argues that vulnerability programs often miss the real risk because the most dangerous flaws remain exposed in production long enough to be exploited, even when teams are steadily closing tickets. It recommends shifting prioritization from raw counts and severity-only scoring to reachability, business criticality, exploit likelihood, and measuring “exposure time” for critical issues.

Key Details

  • Research cited in the piece claims 82% of organizations have “security debt” (vulnerabilities open for more than a year).
  • It advocates narrowing focus to “crown jewel” apps (revenue-, sensitive data-, or externally exposed systems) and targeting the subset where severity and exploitability combine; the author cites research that 11.3% of flaws fall into this high-risk region.
  • The article argues severity scoring alone misleads prioritization because a medium-severity issue in a public-facing app can pose more immediate risk than a high-severity internal flaw.
  • It frames remediation as an engineering capacity constraint, recommending dedicated developer time and explicit expectations for fixing high-risk vulnerabilities rather than “when there’s extra time.”
  • For software supply chain exposure, it states 66% of security debt in third-party code is critical and cites a third-party flaw “remediation half-life” of 358 days.

Read more at Dark Reading

Copilot hit with the two-part threat hiding in every AI assistant: inject a prompt, exit through a trusted domain

Researchers disclosed “SearchLeak,” where a single click on a crafted Microsoft 365 Copilot Enterprise Search URL could trigger Copilot to pull a user’s accessible M365 data and exfiltrate it by embedding it into a request that gets forwarded off-tenant. 1. A copilot link that includes a malicious prompt 2. Copilot follows the malicious prompt and its output includes an injected image tag 3. The image tag fires before Microsoft’s sanitizer can neutralize it, sending the stolen data to a Bing endpoint which acts as a proxy to an attacker-controlled serverMicrosoft patched the flaw chain as CVE-2026-42824 (rated critical by Microsoft) after Varonis demonstrated proof-of-concept exploitation; the reports say exploitation was not observed in the wild.

Key Details

  • The chain started with Parameter-to-Prompt Injection (P2P) via the Copilot Search “q” URL parameter, causing attacker-controlled input to be interpreted as instructions rather than a benign query.
  • A streaming HTML rendering race condition allowed injected HTML (e.g., an image tag) to briefly render and fire outbound requests before Microsoft’s output-neutralization (wrapping in code blocks) took effect.
  • The data exfiltration path relied on a CSP bypass using Bing allowlisted domains plus Bing’s server-side image fetch behavior, effectively turning Bing into a proxy that retrieved attacker-controlled URLs containing stolen content.
  • Potentially accessible content included emails (including one-time codes/reset links), calendars, and indexed SharePoint/OneDrive documents—limited to whatever the targeted user could access via Copilot’s permissions.

Next Steps

  • Hunt for Copilot Enterprise Search URLs with suspicious/encoded content or HTML-like payloads in the “q” parameter, consistent with P2P-style prompt injection attempts.
  • Consider reducing what AI assistants index by tightening data access/governance to limit what a similar future leak could reach.

Read more at Dark Reading, BleepingComputer, The Hacker News, The Cyber Express

Fake Sentry error reports used for “Agentjacking” instruction-injection to make AI coding agents run commands

Tenet Threat Labs demonstrated “Agentjacking,” where attackers submit fake Sentry issues that embed instructions AI coding agents may follow as if they were trusted when developers ask the agent to investigate via a Sentry MCP server. In Tenet’s proof of concept, the agent executed a command that pulled and ran a controlled npm package, showing a practical path to code execution under the developer’s local permissions without needing stolen credentials or internal network access.

Key Details

  • Attackers can discover a target’s Sentry DSN from public website source code (DSN is public by design), and use it to submit attacker-crafted error reports into the organization’s Sentry project.
  • The injected content used Markdown injection to disguise attacker-controlled instructions inside the issue (e.g., a fake “Resolution” section), which the agent then treated as actionable guidance.
  • Tenet’s validation period (ending June 17, 2026) found 2,388 organizations with exposed Sentry DSNs, and the technique was demonstrated across Claude Code, Cursor, and OpenAI Codex on Windows, macOS, and automated cloud pipelines.
  • Tenet said AI assistants at 100+ organizations ran its controlled validation code, including one Fortune 100 tech company; the stated risk is that a malicious package could be used to access developer secrets (AWS keys, GitHub tokens, SSH keys).
  • Sentry reportedly added a content filter to block the specific validation text from Tenet’s PoC, while Tenet emphasized the broader issue is agents treating untrusted tool output as instructions.

Next Steps

  • Deploy Tenet’s hardening tool Agent-JackStop for Cursor and Claude Code: https://github.com/tenet-security/agent-jackstop
  • If you use Sentry + AI agent workflows, treat Sentry issue content as untrusted input and restrict agents from executing commands directly from issue text (require explicit human confirmation before running any suggested CLI commands).

Read more at Hackread

Malicious Wallpaper Engine “application wallpapers” on Steam Workshop used to run malware and hijack Steam sessions

Attackers have been uploading weaponized Wallpaper Engine “application wallpapers” to Steam Workshop so that launching a wallpaper effectively runs a bundled executable that installs malware and can steal an active Steam session. Kaspersky reports dozens of malicious wallpapers with thousands to tens of thousands of downloads, with most malicious download attempts originating from China (89%).

Key Details

  • The abuse hinges on Wallpaper Engine’s “application wallpapers,” which are essentially standalone Windows programs rendered as the desktop background, making them a high-risk content type compared to video/scene/webpage wallpapers.
  • Kaspersky observed two main packaging patterns: malicious EXEs/DLLs/scripts bundled directly in the wallpaper archive, or malware hidden in a password-protected archive where the password is supplied via social engineering or automatically pulled from the filename/JSON config.
  • In one analyzed chain, the wallpaper dropped a DarkKomet-family backdoor (Synaptics.exe) and a tampered AggregatorHost.dll used to locate and hijack the Steam client session while showing a decoy “game” wallpaper to avoid suspicion.
  • An example exfil endpoint cited in reporting was hxxp://120.48.156[.]17/ey.php; Valve removed identified malicious wallpapers after disclosure, but researchers reported new malicious uploads continued to appear.

Next Steps

  • If Wallpaper Engine is allowed in your environment, block or restrict “application wallpapers” and only permit wallpapers from known/trusted creators (or disallow Workshop-sourced application wallpapers entirely).
  • For Steam users, enable Steam Guard / Steam 2FA to reduce the impact of session theft.

Read more at Cyber Security News, BleepingComputer, Kaspersky Securelist

FIFA World Cup broadcast streaming controls exposed via API authorization flaw tied to public agent registration

A researcher found that registering on FIFA’s public agent portal added them to the same identity tenant used for internal FIFA apps, and that backend APIs failed to enforce authorization even when the UI showed “no roles”. This enabled access to live World Cup streaming management pages and related broadcast tools, including viewing live feeds and (per the exposed controls) the ability to start/stop streams and modify match-related broadcast data.

Key Details

  • The “access denied” experience was driven by client-side role checks in the web app, while the APIs still returned data/actions when called directly.
  • Exposure included a production Streaming Management panel listing matches, camera angles, preview URLs, and RTMP ingest endpoints/stream keys, which the researcher said could enable feed takeover if misused.
  • The researcher reported being able to open live match preview streams in a standard media player using the provided preview/manifest URLs.
  • Other accessible systems reportedly included match management functions (write operations) and the Commentator Information System, which the researcher said contained real-time match data and editorial notes used for broadcasts.
  • A separate finding described an exposed Azure Function in a dev environment returning metadata and direct Blob Storage download links for internal spreadsheet files.

Next Steps

  • Confirm internal apps enforce server-side authorization on every API endpoint (don’t rely on UI/JWT claims alone) and add automated tests to prevent regression.
  • Review identity onboarding flows so that public self-registration can’t land users in the same tenant/app registrations used for privileged internal broadcast and operations tools without strict access controls.

Read more at Dark Reading, bobdahacker.com, SC World

Malvertisers redirected Google searchers to Claude.ai shared chats that instructed copy/paste commands (ClickFix) to install MacSync infostealer

A six-wave malvertising campaign used Google Ads and brand-impersonating pages, then pivoted to abusing Claude.ai’s “shared chat” URLs to deliver ClickFix-style instructions that trick users into running malicious commands. The approach “trust-stacked” legitimate services (ads + reputable hosting + an AI platform) to make the final payload execution look like normal troubleshooting or software installation steps.

Key Details

  • TrendAI/Trend Micro tracked 106 unique malicious hostnames across six waves over ~7 weeks, with infrastructure and lures rotated to sustain click-through and evade simple blocking.
  • Early waves leaned on *GitLab Pages subdomains under the trusted .gitlab[.]io domain (over 90 malicious subdomains reported) to impersonate AI developer tools and Mac utility “fix” sites.
  • Researchers said the campaign funneled more than 2,000 victims from sponsored Google search results for AI developer tools to the attacker-controlled flow.
  • In later waves, malicious ads redirected to legitimate Claude.ai shared-chat links containing fake support conversations (e.g., posing as Apple Support or dev teams) with step-by-step terminal/PowerShell guidance.
  • The command sequences commonly included base64-encoded scripts that decoded and fetched a second-stage payload; analysis tied the macOS payload to MacSync infostealer, which steals browser credentials/cookies, SSH keys, and crypto-wallet data and checks for Russian keyboard layouts.

Next Steps

  • Update user guidance so helpdesk/dev onboarding explicitly warns: never copy/paste terminal or PowerShell commands from ads, “support chats,” or shared AI chat links—use vetted install docs and internal software sources instead.
  • Consider implementing controls for technical endpoints (where feasible): alert/block on suspicious shell patterns like base64 decode piped to a shell and unusual script-to-network execution chains.
  • Add detections/hunting for this technique by searching for public claude.ai shared-chat URLs used as entry points alongside recent sponsored-search referrals in proxy/DNS and browser telemetry.

Read more at Cybersecurity News, CSO Online

FortiBleed leak publishes FortiGate admin and SSL VPN credentials tied to ~75,000 internet-facing devices across 194 countries

A threat actor leaked a dataset of Fortinet FortiGate firewall and SSL VPN credentials after brute-force, credential-stuffing, and/or exploitation activity against internet-facing FortiGate and VPN portals. The leaked credentials enable remote login to edge devices and can provide a direct path to network access and configuration changes.

Key Details

  • Researchers (including SOCRadar, Hudson Rock, and independent analysis) estimated the dataset covers ~75,000 affected devices across 194 countries and 21,000+ domains.
  • The leaked data reportedly includes a mix of administrative and SSL VPN credentials, with some entries described as usernames/emails and plaintext passwords.
  • Multiple reports describe attackers recovering/cracking credentials from stolen FortiGate configuration files; the original initial-access method used to obtain those configs was not confirmed in the coverage provided.

Next Steps

  • Use SOCRadar’s FortiBleed Check (https://socradar.io/free-tools/fortibleed) or Hudson Rock’s FortiBleed Checker (https://www.hudsonrock.com/fortinet) to identify exposed domains, then confirm the device belongs to you before taking action.
  • If a device may be impacted, rotate all FortiGate admin and SSL VPN credentials and require all administrators to log in after upgrading so newer PBKDF2 hashing is applied where supported
  • Where there are indicators of compromise, isolate and factory reset the device (after collecting logs/configs needed for investigation), as NCSC cautioned credential changes alone may not be sufficient if persistence was established.

Read more at CSO Online, BleepingComputer, NCSC, Kudelski Security

Mastra npm supply-chain compromise used typosquatted dependency with postinstall hook to drop cross-platform stealer

Attackers took over a @mastra contributor account and mass-published malicious and update to 140+ @mastra/* packages that added a typosquatted dependency whose postinstall script executed during npm install. The injected dependency fetched and launched a second-stage, cross-platform Node.js implant designed for persistence and data theft, impacting developer workstations and CI/build environments that installed the affected versions.

Key Details

  • The injected dependency was easy-day-js (a typosquat of dayjs), where a later version introduced a weaponized postinstall hook so execution occurred before any app code imported Mastra.
  • The stage-1 loader disabled TLS certificate validation, fetched stage-2 over HTTPS, ran it as a detached background process, and removed itself to reduce forensic traces; C2 endpoints noted include 23[.]254[.]164[.]92:8000 and exfil to 23[.]254[.]164[.]123:443.
  • Recovered stage-2 behavior included login persistence across Windows/macOS/Linux and collection of browser history plus reconnaissance and crypto-wallet-extension presence (a hardcoded list of 160+ extension IDs), with tasking support to run follow-on code from C2.
  • One high-impact package called out was @mastra/core (~918K weekly downloads), increasing the potential exposure footprint from normal dependency updates and CI builds.

Next Steps

  • Identify exposure by searching repos/lockfiles/CI logs for affected @mastra/ versions and the dependency easy-day-js* (quick check: npm ls easy-day-js), and remove the compromised versions before reinstalling known-good releases.
  • Treat any host/runner that performed the install as compromised and check for persistence artifacts named like Node/NVM tooling (e.g., “protocal”, “NodePackages”, “NvmProtocal”, “com.nvm.protocal”, “nvmconf.service”) before returning systems to service.
  • Block or alert on outbound traffic to 23[.]254[.]164[.]92:8000 and 23[.]254[.]164[.]123:443 and hunt for related activity during the install window (especially from developer endpoints and CI runners).

Read more at Microsoft Security Blog, Socket, The Hacker News

OptinMonster, TrustPulse, and PushEngage CDN scripts were tampered to silently create admin users and drop a hidden WordPress backdoor

Attackers modified JavaScript served from Awesome Motive-owned CDN endpoints for the PushEngage, OptinMonster, and TrustPulse WordPress ecosystems to compromise sites. The malicious code only executed when a logged-in WordPress admin loaded the script, then used the admin’s session to create a rogue admin account and install a stealth backdoor plugin that enabled persistent access.

Key Details

  • Exposure windows differed by product: OptinMonster and TrustPulse served malicious code for ~25 minutes on June 12 (22:17–22:42 UTC); PushEngage’s exposure lasted hours on June 12 and persisted on some CDN servers until June 14–15 due to cache propagation delays.
  • Scale of potential reach is large: Sansec estimated the three plugins collectively reach 1.2M+ sites.
  • Data and site details were exfiltrated to tidio[.]cc, a domain impersonating the legitimate Tidio service
  • PushEngage stated its core app and customer-data systems were not accessed
  • PushEngage attributed initial access to a WordPress UpdraftPlus issue on its marketing site, claiming a stolen CDN API key enabled script replacement

Next Steps

  • Scan affected WordPress servers for unauthorized admin users and stealth plugins if PushEngage, OptinMonster, or TrustPulse were active during June 12–14 UTC prioritize filesystem inspection under wp-content/plugins for suspicious additions and verify the admin user list against known-good accounts.
  • Hunt for indicators tied to this campaign
  • If compromise is found, rotate credentials and keys broadly

Read more at BleepingComputer, The Hacker News

15 JetBrains Marketplace plugins posed as AI coding tools to exfiltrate developers’ AI API keys

Researchers found 15 malicious JetBrains IDE plugins that work as advertised but secretly steal the AI provider API keys users paste into plugin settings. The key is transmitted to an attacker-controlled server, enabling credential theft for paid AI services and potential downstream abuse tied to those accounts.

Key Details

  • BleepingComputer analyzed the latest DeepSeek AI Assist (ord.cp.code.ai.kit) and confirmed the theft logic; the plugin was still available on the JetBrains Marketplace at the time of reporting.
  • Installed close to 70,000 times across the campaign, with the most-downloaded listed as DeepSeek AI Assist (27,727 downloads) and CodeGPT AI Assistant (25,571 downloads).
  • Exfiltration occurs when the user clicks “Apply” after entering the API key, triggering an HTTP request to a hardcoded host 39.107.60[.]51
  • Plugins were published under seven vendor accounts and share a similar codebase while masquerading as AI chat, code review, commit message, bug-finding, and unit-test helpers tied to services like OpenAI, DeepSeek, and SiliconFlow.
  • The plugins include a “paid tier” donation wall where the server returns an API key to the plugin, causing it to use that returned key for model calls instead of the user’s own key.

Next Steps

  • Establish review process for all IDE plugins
  • Search for and remove the listed plugin IDs (e.g., ord.cp.code.ai.kit, com.my.code.tools, com.json.simple.kit, org.translate.ai.simple) from developer IDEs and block reinstallation via your endpoint/software controls.
  • Block outbound traffic to 39.107.60[.]51 (and the reported path /api/software/key where feasible) at network egress controls/proxy.
  • Rotate any AI provider API keys entered into these plugins and review AI-provider usage/billing for unexpected consumption tied to those keys.

Read more at BleepingComputer, The Hacker News

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.