Hacking, Security & Privacy
Stay informed with the latest hacking, cybersecurity, and privacy news, including data breaches, leaks, cyber attacks, and tips to stay safe online.
Microsoft threatened a security researcher with criminal charges, and the cybersecurity community isn't having it
A public dispute between Microsoft and security researcher Nightmare Eclipse has escalated into a full-scale backlash from the cybersecurity community, after Microsoft threatened criminal prosecution over a series of uncoordinated zero-day disclosures.
Between early April and mid-May 2026, Nightmare Eclipse published proof-of-concept exploit code for six Windows vulnerabilities without coordinating with Microsoft. Three of them, BlueHammer, RedSun, and UnDefend, were confirmed to be exploited in the wild shortly after publication, prompting emergency patches and their addition to CISA's Known Exploited Vulnerabilities catalog. The other three, YellowKey, GreenPlasma, and MiniPlasma, remain unpatched.
Following these disclosures, Microsoft published a formal blog post describing uncoordinated disclosure as "never justifiable" and warning that its Digital Crimes Unit could pursue criminal charges against those responsible. The company also had Nightmare Eclipse's GitHub account suspended around May 23, followed by their GitLab account between May 26 and 27.
Microsoft warns AI chatbots are luring users to cryptojacking malware disguised as trusted PC utility downloads
Microsoft has warned users about an active cryptojacking campaign that uses AI chatbots to serve malicious downloads disguised as trusted PC utilities. Microsoft Defender Experts and the Security Research Team said in a report published Tuesday that "this emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations."
The campaign impersonates legitimate system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Targeting applications favored by PC users with high-performance GPUs yields fewer victims than random mass infection, but far more cryptocurrency mining capacity per compromised machine.
Downloads from this campaign have also been observed establishing persistent remote access through ScreenConnect deployments. ScreenConnect, also known as ConnectWise Control, is a legitimate remote management tool widely used by IT administrators, but the same capability gives an attacker a durable foothold that can be used for data theft, lateral movement, or ransomware deployment.
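The first check a Windows administrator would run on a suspect machine, as an added example that is not part of Microsoft's report or this article: ScreenConnect installs its client as a Windows service whose command line carries the relay host (h=) and port (p=) it connects back to, so enumerating those services and comparing the relay host against the hostnames your own helpdesk uses separates a sanctioned deployment from an attacker's. The allowlist hostname in the usage call is a placeholder.

```powershell
# Added example (PowerShell); not from Microsoft's report or this article.
# Enumerates ScreenConnect client services and extracts the relay host/port each
# one phones home to, so unsanctioned installs stand out. Run elevated on the host.

function Find-ScreenConnectClients {
    param(
        # Relay hostnames your own helpdesk uses (placeholder; adjust for your org).
        [string[]] $AllowedRelayHosts = @()
    )
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.Name -like 'ScreenConnect Client*' -or
            $_.PathName -like '*ScreenConnect.ClientService*'
        } |
        ForEach-Object {
            # The service command line looks like:
            #   "...\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=<relay>&p=<port>&s=...&k=..."
            $relay = $null
            $port  = $null
            if ($_.PathName -match '[?&]h=([^&"\s]+)') { $relay = $matches[1] }
            if ($_.PathName -match '[?&]p=(\d+)')      { $port  = [int]$matches[1] }
            [pscustomobject]@{
                Service     = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                RelayHost   = $relay
                RelayPort   = $port
                Sanctioned  = [bool]($relay -and ($AllowedRelayHosts -contains $relay))
                CommandLine = $_.PathName
            }
        }
}

# Report anything not pointing at a known relay; an empty RelayHost is suspicious too.
Find-ScreenConnectClients -AllowedRelayHosts 'helpdesk-relay.example.com' |
    Where-Object { -not $_.Sanctioned } |
    Format-List
```

Matching on both the service name and the binary path matters because the service display name can be edited, while the client binary and its command-line relay parameters cannot be removed without breaking the connection.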
Trump Mobile website is reportedly leaking customer data including names, addresses and order numbers
Last week, Trump Mobile announced that its T1 phone was finally shaping up to be an actual product ready to ship after months of delays and controversy. Now the Trump Mobile website is reportedly suffering from serious security issues that have allegedly exposed customers' private information, including order numbers.
According to YouTubers Coffeezilla and Cr1TiKaL, the official Trump Mobile website has been leaking customer information, including full names, email addresses, mailing addresses, and order numbers. Customers' credit card information appears to be safe. Anyone who ordered the phone or opted for Trump Mobile's cellular service could be affected.
Coffeezilla received the information via an anonymous source who shared personal data to prove they had access. The anonymous individual claimed to have exploited a vulnerability in the Trump Mobile website, allowing access to the entire pre-order database and even the ability to place fake orders for the T1 phone. "Long story short, I found a vulnerability in the Trump T1 Mobile preorder website and gained the ability to both place fake orders, but also to scrape and search the entire preorder database," the person told Coffeezilla.
Security researcher finds zero-day exploit that defeats Windows 11 BitLocker, calls it an insane 'backdoor' discovery
A security researcher going by the alias Nightmare-Eclipse has uncovered a zero-day exploit they describe as one of the most insane discoveries ever, saying it "almost feels like a backdoor." Dubbed YellowKey, the exploit allows anyone with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted device within seconds.
BitLocker is Microsoft's full-volume encryption, which protects a disk's contents from anyone who does not hold the decryption key. In the default configuration that key is sealed to the Trusted Platform Module (TPM), which releases it during boot only if the measured boot state matches what the key was sealed against. BitLocker is a mandatory protection for many organizations, including government contractors.
The researcher calls it a backdoor because the bug exists only in WinRE (the Windows Recovery Environment): Windows itself lacks the functionality needed to trigger the bypass. The bypass affects only Windows 11, Windows Server 2022, and Windows Server 2025 systems with the default BitLocker configuration; Windows 10 machines are unaffected.
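The check an administrator would want before deciding how exposed a fleet is, as an added example that is not from the article or the researcher's write-up: BitLocker's out-of-the-box configuration is a TPM-only key protector, meaning the TPM releases the volume key at boot with no user secret involved. The PowerShell below lists every volume's protector types so TPM-only volumes can be told apart from TPM+PIN or TPM+startup-key ones. Whether a pre-boot PIN blocks YellowKey is not stated in the article, so the script only reports; it makes no claim about mitigation. It uses the built-in BitLocker module and reagentc; the "TPM-only" classification is mine.

```powershell
# Added example (PowerShell); not from the article or the researcher's write-up.
# Reports, per BitLocker volume, which key protectors exist and whether any of
# them requires a secret at boot. Run elevated on Windows 10/11 or Windows Server.

function Get-BitLockerProtectorReport {
    param(
        # Output objects of Get-BitLockerVolume (pipeline input).
        [Parameter(ValueFromPipeline = $true)] $Volume
    )
    begin {
        # Protector types that need something the user holds before the OS boots.
        $preBootSecretTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
    }
    process {
        $types       = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $needsSecret = [bool]($types | Where-Object { $preBootSecretTypes -contains $_ })
        $tpmOnly     = ($types -contains 'Tpm') -and -not $needsSecret

        $note = if ($tpmOnly) {
            'TPM-only (default): key released at boot without user input'
        } elseif ($needsSecret) {
            'Pre-boot secret required'
        } else {
            'No TPM protector (or protection off)'
        }

        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            ProtectionStatus = $Volume.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            Note             = $note
        }
    }
}

Get-BitLockerVolume | Get-BitLockerProtectorReport | Format-Table -AutoSize

# The researcher places the bug in WinRE, so also record whether the recovery
# environment is enabled and which image it boots from.
reagentc /info
```

A RecoveryPassword protector appears on almost every volume and is not counted as a pre-boot secret, since it is a fallback for the user rather than a gate for an attacker with physical access.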
Google finds hackers using AI to discover and develop a zero-day exploit for the first time for mass attacks
With AI models reaching new milestones, it was inevitable that security experts' fears would be realized. Google's Threat Intelligence Group has, for the first time, found a threat actor using a zero-day exploit that was likely developed with AI. A zero-day vulnerability is a software or hardware flaw unknown to its vendor, who has therefore had zero days to patch it before attackers exploit it.
The exploit targeted a popular open-source web-based system administration tool. Google called the threat actor a prominent cybercrime group that allegedly planned to use the flaw in a mass exploitation campaign. Had it gone undetected, the flaw would have allowed hackers to bypass two-factor authentication and access victim accounts with just a password.
Google's investigators assess with "high confidence" that the exploit was developed with the help of an unidentified AI model, based on the structure and content of the Python code. The report notes that the script has educational docstrings, a fake CVSS score, and the Pythonic formatting typical of LLM training data.
North Korean hackers weaponize gaming platform to spy on ethnic Koreans in China
North Korean hackers have compromised a gaming platform popular with ethnic Koreans in China, delivering a Trojanized backdoor that steals data and executes commands.
The campaign, attributed to the state-sponsored group ScarCruft (APT37), has been active since late 2024 and targets users of the SQgame platform, which hosts traditional card and board games. The malware, dubbed BirdCall, exfiltrates everything from messages and media to ambient audio and clipboard data.
ESET researchers uncovered the BirdCall backdoor embedded in both Windows and Android versions of the platform. On Windows, it captures screenshots, logs keystrokes, and executes shell commands, while on Android, it steals contact lists, SMS, and call logs. All stolen data is uploaded to cloud services such as Dropbox. The malware has been updated seven times, indicating active development and maintenance.
How to Protect Personal Data Online From Hackers and Avoid Identity Theft
Updated drivers. Active antivirus. A router with a strong password. Everything is locked down tight. Most tech-savvy people stop there and assume the job is done. It is not. A hacker does not always need to breach your device to steal your personal information. Sometimes your data is already sitting in public view - harvested by a data broker long before any breach ever happens.
Clearnym fills the gap that cybersecurity software ignores. Their opt-out guides walk through exactly how to remove your personal information from people search sites and data broker databases. Beyond guides, Clearnym automates the entire removal process, submitting opt-out requests on your behalf and monitoring for re-listing so your personal data does not quietly reappear. It is the protection layer that no antivirus covers. Learn how to protect what lives outside your devices - because that exposure is just as real.
Getting into your financial accounts does not always require malware. An attacker needs your name, phone number, and the answers to your security questions, and that information sits on people search sites right now. Thieves use it to pass verbal verification at your bank and gain access to your accounts without touching a single device.
HWMonitor and CPU-Z download links were infected with malware for 6 hours before devs caught it
Two of the most popular hardware monitoring utilities, HWMonitor 1.63 and CPU-Z, were recently found to be serving malware. The official websites were compromised, and users trying to download the latest version were getting the file flagged by antivirus software. After roughly six hours of investigation, the developers identified the breach and removed the malware. Both utilities are now safe to download.
The issue first surfaced on Reddit, where users reported that the official download links had been replaced with malware-infected executable files instead of the legitimate installers. User u/DMkiller shared that while updating HWMonitor from version 1.42 to 1.63, the downloaded file was named "HWiNFO_Monitor_Setup.exe" rather than the expected "hwmonitor_1.62."
When he ran the file, Windows Defender flagged it as a virus, and a quick check on VirusTotal returned 32 detections. Further analysis by u/Hattix in the same thread showed that the official download links on CPUID's website pointed to a Russian domain whose page header read "Установка - HWiNFO Monitor, версия 1.63" ("Setup - HWiNFO Monitor, version 1.63").
Apple confirms an iOS 18 patch for the DarkSword exploit, even for users who skipped upgrading to iOS 26
Last month, a malware toolkit called DarkSword had Apple users holding their iPhones a little tighter. The exploit could be used to break into older iPhones and iPads running iOS 18.4 through 18.7 simply by visiting a website hosting malicious code. Even legitimate websites that had been breached could be affected. The exploit could steal messages, browser histories, location data, and cryptocurrency, then upload everything to an attacker-controlled server. Bad news all around.
Apple responded by rolling out updates to address the two known exploits: Coruna, which affects devices running iOS 13 through iOS 17.2.1, and DarkSword, which targets iPhones running iOS 18.4 through 18.7.
There was a catch, though. Apple only patched iOS 18 for devices unable to run iOS 26. This left anyone who could upgrade but chose not to completely exposed. That is how Apple typically operates. If you are running an older version of iOS on a device that can be updated, Apple will withhold security patches until you make the jump to the latest version.
12 years after release, the Xbox One has finally been hacked
The Xbox One was a polarizing console. Many gamers preferred the PlayStation 4 over Microsoft's offering. Yet, the Xbox One's security stood out. For over a decade, numerous attempts to bypass its protections failed, giving it an "impenetrable" reputation until now.
At the recently held RE//verse 2026 conference, security researcher Markus Gaasedelen unveiled the "Bliss" double glitch. It is a voltage fault-injection attack: by briefly disturbing the console's supply voltage (the electrical power fed to the chip) at precisely timed moments, it causes the hardware's security checks to misbehave, and the encryption that depends on those checks can be bypassed.
This is a monumental milestone: the first public, reproducible bypass of the Xbox One since its launch in November 2013. Although Markus successfully demonstrated the "Bliss" glitch, it is not as straightforward as jailbreaking a PS4 or JTAGging an Xbox 360.
Authorities seize crypto wallet... then accidentally publish the password - $4.4m gone
South Korea's National Tax Service accidentally exposed the mnemonic recovery phrase of a seized cryptocurrency wallet, leading to $4.4 million in crypto assets being stolen.
The stolen funds were held in a Ledger hardware wallet seized by local law enforcement during an operation targeting tax evaders. Officials publicized the raid by releasing photos of the Ledger device, without noticing that one image also showed a handwritten note with the wallet's recovery phrase. That phrase is all that is needed to restore the same keys, and therefore the same funds, on any other wallet, so once it was public it was only a matter of time before the funds were taken.
That is exactly what happened: shortly after the press release was published, 4 million Pre-Retogeum (PRTG) tokens were transferred out of the confiscated wallet to a new address. Cho Jae-woo, a blockchain data analysis expert and professor at Hansung University in Seoul, compared law enforcement's mistake to police finding a full wallet on the street and announcing to the nation that it is open and the money is free for the taking.
US government seizes one of the internet's largest hacker forums
The Department of Justice (DOJ) has announced it has seized LeakBase, a leading hacker forum that is home to more than a hundred thousand members.
In a press release posted on the DOJ website, authorities state that they seized LeakBase, a forum commonly used by cybercriminals to buy and sell stolen data and tools for committing cybercrime. LeakBase had more than 142,000 members and more than 215,000 messages between them. The DOJ describes the forum as hosting an "enormous, continuously updated archive of hacked databases, including many from high-profile attacks, including hundreds of millions of account credentials."
Some of this data included information that was illegally obtained from "U.S. corporations and individuals, and offered credit and debit card numbers, banking account and routing information, usernames and associated passwords which could facilitate additional account takeovers, as well as other sensitive business and personally identifiable information."
Notepad++ hack detailed - and what to do if you think you might be affected
The developer of Notepad++ has furnished us with more information about how the popular text editor was compromised by hackers for some six months.
Ars Technica picked up the developer's blog post, which supplies further details: some Notepad++ users were exploited via an "infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org".
In other words, the compromise occurred at the web hosting provider, not in the Notepad++ software itself: targeted users' update checks were redirected so that they downloaded compromised updates.
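The CPUID download hijack above and this Notepad++ case share a lesson: the host that serves a download can be wrong even when the URL is right, so the check has to be on the file itself. As an added example, not code from CPUID, the Notepad++ project or this article, the PowerShell function below verifies a downloaded installer before it is run: Authenticode signature status and signer, SHA-256 against a digest obtained from somewhere other than the download page, the file name against the pattern the publisher normally uses, and the Mark-of-the-Web host the browser recorded. The signer substring, file-name pattern and path in the usage call are placeholders; establish the real signer from a known-good copy.

```powershell
# Added example (PowerShell); not from CPUID, Notepad++ or the article.
# Checks a downloaded installer on disk before anyone double-clicks it (Windows only,
# since it reads the Zone.Identifier alternate data stream).

function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Substring expected in the signing certificate subject (placeholder; learn the
        # real value from a known-good installer, not from the page that served this one).
        [string] $ExpectedSigner,
        # Hex SHA-256 from an out-of-band source (release notes, a second mirror, a prior good copy).
        [string] $ExpectedSha256,
        # Wildcard the publisher's installer names normally match, e.g. 'hwmonitor_*.exe'.
        [string] $ExpectedNamePattern
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $file = Get-Item -LiteralPath $Path

    if ($ExpectedNamePattern -and ($file.Name -notlike $ExpectedNamePattern)) {
        $problems.Add("file name '$($file.Name)' does not match '$ExpectedNamePattern'")
    }

    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and ($sha256 -ne $ExpectedSha256.ToUpperInvariant())) {
        $problems.Add("SHA-256 $sha256 does not match expected $ExpectedSha256")
    }

    # Authenticode: an unsigned or tampered binary never reaches 'Valid'.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Authenticode status is $($sig.Status): $($sig.StatusMessage)")
    } elseif ($ExpectedSigner -and ($signer -notlike "*$ExpectedSigner*")) {
        $problems.Add("signed by '$signer', expected a subject containing '$ExpectedSigner'")
    }

    # Mark-of-the-Web: the browser records where the bytes actually came from.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = @($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    [pscustomobject]@{
        File      = $file.FullName
        Sha256    = $sha256
        Signer    = $signer
        SigStatus = $sig.Status
        HostUrl   = ($hostUrl -join ' ')
        Safe      = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage (placeholder path and signer): refuse to run the file unless every check passes.
$result = Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\hwmonitor_1.63.exe" `
    -ExpectedNamePattern 'hwmonitor_*.exe' -ExpectedSigner 'CPUID'
if (-not $result.Safe) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All checks passed; signer $($result.Signer), SHA-256 $($result.Sha256)"
}
```

The HostUrl field is the quickest tell in an incident like CPUID's: a file named like the vendor's installer whose recorded download host is an unrelated domain should not be run regardless of what the antivirus says. Note that a valid signature from the wrong publisher is still a failure, which is why the signer check is separate from the status check.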
'Largest-ever' cloud DDoS attack recorded in Australia, 3.64 billion packets per second
On October 24, 2025, Microsoft recorded the largest DDoS attack "ever observed in the cloud", aimed at a single Azure endpoint in Australia. It peaked at 15.72 Tbps and 3.64 billion packets per second, enough bandwidth to stream millions of movies at once. The good news is that Azure DDoS Protection automatically detected and mitigated the attack before it caused any harm.
With DDoS attacks on the rise, this record-breaking attempt was carried out by the Aisuru botnet. Botnets and DDoS attacks are fundamentally straightforward: a large number of compromised devices, each with its own IP address, send traffic at a target IP address to overwhelm it and knock it offline.
According to Microsoft's Sean Whalen, this attack originated from over 500,000 source IPs across various regions, indicating it was a global attack targeting a single point in Australia. Aisuru is a Turbo Mirai-class IoT botnet behind many recent record-breaking DDoS attacks, exploiting devices such as home routers, cameras, and other smart devices, mainly located in residential homes.
Nintendo allegedly hacked, with data stolen by hacking group 'Crimson Collective'
Although we are still waiting for an official response or acknowledgement from Nintendo, there are reports that the hacking group Crimson Collective has breached Nintendo and stolen data. Cybersecurity firm Hackmanac, which tracks and verifies cyber attacks, posted on social media a screenshot of directory listings the group published as proof of the hack.
The files and folders reportedly cover everything from manuals to administrative items, assets, development data, backups, and more. As of writing, the scale of the breach, and whether it will become as high-profile as the Insomniac Games breach, remains to be seen. That breach led to the leak of an early playable build of the studio's upcoming Marvel's Wolverine game, so hacked Nintendo data could include a lot of game-related material the company would not want released.
Crimson Collective recently made a name for itself among hacking groups when it breached Red Hat's private GitHub repositories in September 2025, reportedly stealing 570GB of data, including sensitive information.
Discord confirms government ID photos of users were stolen by hackers
Discord has responded to the recent reports that an unauthorized party stole 1.5 terabytes worth of age verification images from a third-party customer service provider. The claims were that the group responsible for the hack stole 2 million images of Discord users.
Discord has responded to these reports, with a spokesperson informing Insider Gaming that 2 million age verification images isn't an accurate figure, and that Discord has identified around 70,000 users "that may have had government-ID photos exposed, which our vendor used to review age-related appeals."
Discord also notes that this hack was not a breach of Discord itself, but a breach of a third-party customer service provider that has since been severed from Discord's ticketing process.
Cloudflare blocks record-breaking DDoS attack, billions of packets at 11.5Tbps
A distributed denial-of-service (DDoS) attack is designed to take down a network, site, or online service by flooding it with so much traffic that it becomes overwhelmed and inaccessible to everyone. It is a serious problem that can take critical infrastructure offline, and over the years the scale and complexity of DDoS attacks have continued to increase.
Cloudflare, a "connectivity cloud" provider that protects websites and networks, blocks bot traffic, and generally aims to make the internet faster and more accessible, has announced that it recently blocked the largest DDoS attack recorded to date, peaking at 11.5 terabits per second (Tbps) of traffic, or around 5.1 billion packets per second (Bpps).
"Cloudflare's defenses have been working overtime," Cloudflare wrote in a post on social media. "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps."
Hacker downloads sensitive data on every single Intel employee
A security researcher has claimed they have discovered significant vulnerabilities within Intel's websites, leading to the exposure of sensitive data on every single employee at the company.
The claims originate from security researcher Eaton Z, who outlined the findings in a blog post. According to the researcher, a business card ordering portal's access checks could be defeated by manipulating requests, which gave Eaton deeper access to Intel's backend data. Eaton writes that they were able to download a file of nearly a gigabyte containing the personal details of 270,000 Intel employees.
Notably, Intel recently reduced its headcount to 75,000, down from 109,800 at the end of 2024. So, if Eaton's account is correct, the file contains sensitive data on more than just current Intel employees. The data included roles at the company, addresses, phone numbers, and managerial positions. The vulnerability was not confined to one portal either: Eaton says three other Intel websites suffered from the same issue.
When a 'free' VPN costs you dearly: Security experts warn popular Chrome extension spies on you
A security firm has warned about a free VPN extension for Google's Chrome browser which is spying on those who've been unfortunate enough to install the add-on.
The extension is FreeVPN.One. As Koi Security - which offers a platform for managing self-provisioned enterprise software - points out in a blog post (flagged by Neowin), the worrying part is that the extension not only has over 100K users and 1,100 mostly positive reviews, but is also featured by Google for "following recommended practices".
I'm betting, though, that a recommended practice isn't secretly taking screenshots of every website the Chrome user visits, and then sending those grabs back to the app developer.
Brave and AdGuard block Windows 11's divisive Recall feature - is this the start of a trend?
The Brave web browser, which is a privacy-focused affair, just announced that it's blocked Microsoft's Recall feature, and AdGuard has as well - leaving us wondering if this is going to be a move other software developers follow.
The Verge reports that Brave announced the decision in a blog post.
In Brave version 1.81 on Windows, a new 'Block Microsoft Recall' toggle prevents the feature from taking snapshots (screenshots) of Brave browser windows. The key point is that this is on by default, though you can turn it off if you prefer to let Recall capture Brave.