Dependabot sounded the alarm on a large scale. Thousands of repositories automatically received pull requests and warnings, including a high vulnerability score and signals about possible compatibility issues. According to Valsorda, this shows that the tool mainly checks whether a dependency is present, without analyzing whether the vulnerable code is actually accessible within a project.
Peter Williams stole a U.S. defense contractor's trade secrets about highly sensitive cyber capabilities and sold them to a broker whose clients include the Russian government, putting our national security and countless potential victims at risk.
We have learned that an unauthorized third party acquired certain employee data. Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts. The unauthorized third party has stated that the stolen data has been deleted. We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused.
The threat actor gained access to Optimizely's systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment. The incident was confined to certain internal business systems including Zendesk, records in our Salesforce CRM, and a limited set of internal documents used for back-office operations.
Rather than relying completely on scans that are run as code is moving through a continuous integration/continuous delivery (CI/CD) pipeline, Checkmarx Developer Assist can eliminate 90% of vulnerabilities before they enter the DevOps workflow, said Kinsbruner. That's critical because the first generation of AI coding tools are creating more vulnerabilities that, unless discovered and remediated, are actually making applications less secure than ever, he added.
The man, Catalin Dragomir, 45, of Constanta, Romania, obtained access to the computer network in June 2021. The hacker allegedly advertised admin access to the state's emergency management department, negotiated a $3,000 sale in Bitcoin, and accessed the network several times to prove the legitimacy of his claim. According to court documents, Dragomir provided a prospective buyer with samples of personal identifying information extracted from the compromised network, including an employee's login information, name, email address, and Social Security number.
This week, meet a reader we'll Regomize as "Curt" who once worked as IT security manager at a company where the helpdesk manager routinely ignored company policy by not logging out of his PC. The machine sat there ready for use, instead of reverting to a password-protected screensaver that could only be dispelled by pressing Ctrl-Alt-Del to spawn a login dialog.
Microsoft is warning organizations about the impending end of support for several Windows products from 2016. These include Windows Server 2016, Windows 10 Enterprise 2016 LTSB, and Windows IoT Enterprise LTSB 2016. According to Microsoft, these products are approaching the final stage of their lifecycle, which has direct consequences for organizations that still depend on this software. The lifecycle documentation on Microsoft Learn shows that Windows Server 2016 has not received regular support since January 2022 and is now fully in the extended support phase.
Choice Hotels International disclosed a breach affecting franchisees and applicants. Its notification letter states that a "skilled person used social engineering" to gain access on January 14, 2026 to an application that contained records regarding franchisees and franchise applicants. The access occurred even though access required multifactor authentication (MFA). The information involved included names and Social Security numbers. There is no indication that any guest data was involved. No gang has publicly claimed responsibility for the attack as yet.
Researchers have discovered that a compromised npm publish token pushed an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user's machine. This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.
Google has issued a patch for a high‑severity Chrome zero‑day, tracked as CVE‑2026‑2441, a memory bug in how the browser handles certain font features that attackers are already exploiting. CVE-2026-2441 has the questionable honor of being the first Chrome zero-day of 2026. Google considered it serious enough to issue a separate update of the stable channel for it, rather than wait for the next major release.
An FBI informant helped run the Incognito dark web market and allegedly approved the sale of fentanyl-laced pills, including those from a dealer linked to a confirmed death, WIRED reported this week. Meanwhile, Jeffrey Epstein's ties to Customs and Border Protection officers sparked a Department of Justice probe. Documents say that CBP officers in the US Virgin Islands were still friendly with Epstein years after his 2008 conviction, illustrating the infamous sex offender's tactics for cultivating allies.
Uncle Sam's cyber defenders have given federal agencies just three days to patch a maximum-severity Dell bug that's been under active exploitation since at least mid-2024. CISA this week added the flaw, tracked as CVE-2026-22769, to its Known Exploited Vulnerabilities catalog, ordering civilian agencies to secure affected systems by February 21 - giving them just three days to get fixes in place.
Axonius has laid off approximately 40 employees, representing less than 4% of its global staff, with the majority of cuts in marketing and sales. Co-founder Dean Sysman has stepped down from his role as CEO to become executive chairman, with company president Joe Diamond appointed as interim CEO. The workforce adjustment aims to refine the company's organizational structure and improve operational efficiency as it prepares for a potential IPO.
Your mobile phone is a treasure trove of personal and confidential information. That's why it's a prime target for hackers who want to compromise or steal your data. Through malicious apps and websites, phishing attacks, and other threats, an attacker can gain control of your device through spyware. But how can you tell if your phone has been hacked or tapped?
NIST has developed a chip that reliably emits a single photon on demand. This ability will improve the efficiency of QKD (quantum key distribution) as we prepare for the arrival of quantum computers. Quantum computers will upend current cryptology by using Shor's algorithm to rapidly negate the current public/private key secure encryption methods. This has largely been solved by NIST's post quantum cryptology (PQC) algorithms.
PayPal has notified about 100 customers that their personal information was exposed online during a code change gone awry, and in a few of these cases, people saw unauthorized transactions on their accounts. All of these customers have been fully refunded, according to a PayPal spokesperson. "When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson told The Register. "In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter."
Two former Google engineers and a third alleged accomplice are facing federal charges after prosecutors accused them of swiping sensitive chip and security technology secrets and then trying to cover their tracks when the scheme began to unravel. According to the Department of Justice, sisters Samaneh and Soroor Ghandali, both former Google employees, along with Mohammadjavad Khosravi, who worked at another unnamed technology company, have been charged with conspiracy, theft of trade secrets, and obstruction of justice.
2FA or two-factor authentication is a specific type of multi-factor authentication. As the name suggests, 2FA requires two distinct forms of user verification factors to access a specific protected, registered user-only software system. In the past, software teams used only a one-factor authentication strategy with users' passwords, but nowadays, with growing security concerns and user authentication evolution, every digital product uses 2FA with password-based authentication, starting from simple SMS OTPs (One Time Tokens) to futuristic AI-powered adaptive 2FA methods and high-security hardware keys.
The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos, researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week. These files are bundled with authentic media and a Farsi-language report providing updates from 'the rebellious cities of Iran.' This pro- protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information.
We've excised the text, but suffice it to say that the whiteboard contains usernames and passwords for system access. It's a change from a Post-it note stuck to the screen, but it's no less likely to make a security professional shriek in horror. After all, not only is the account exposed, but anyone can use it, which renders an access log somewhat redundant.
