#bug-bounty-payments
#bug-bounty-payments

The State of Trusted Open Source Report

AI is reshaping software development and security, influencing container image usage and vulnerability management.

Software development

Internet Bug Bounty program hits pause on payouts

Python

The State of Trusted Open Source Report

AI is reshaping software development and security, influencing container image usage and vulnerability management.

Information security

Don't glamorize cybercrims, roast them instead

Cybercrime groups should not be glamorized; they are ordinary individuals using computers for theft, not mythical entities.

Venom Stealer Raises Stakes With Continuous Credential Harvesting

Stolen credentials via infostealers like Venom Stealer are central to modern cybercrime.

15 hours ago

Don't glamorize cybercrims, roast them instead

Cybercrime groups should not be glamorized; they are ordinary individuals using computers for theft, not mythical entities.

Venom Stealer Raises Stakes With Continuous Credential Harvesting

Stolen credentials via infostealers like Venom Stealer are central to modern cybercrime.

CBP facility codes sure seem to have leaked via online flashcards

Immigration offenses and internal systems of CBP are detailed in flashcards, highlighting procedures and responsibilities of agents.

#cybersecurity

22 hours ago

Node JS

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

EU data protection

Europe's cyber agency blames hacking gangs for massive data breach and leak | TechCrunch

Healthcare

Healthcare IT Platform CareCloud Probing Potential Data Breach

Information security

After fighting malware for decades, this cybersecurity veteran is now hacking drones | TechCrunch

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

A targeted social engineering campaign by North Korean actors led to a supply chain compromise of the Axios npm package.

fromTNW | Eu

European Commission breached after hackers poisoned open-source security tool Trivy

A major data breach at the European Commission was caused by TeamPCP exploiting a supply chain attack on the Trivy security tool.

22 hours ago

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

36 malicious npm packages disguised as Strapi CMS plugins facilitate exploitation and credential harvesting.

EU data protection

Europe's cyber agency blames hacking gangs for massive data breach and leak | TechCrunch

A cybercriminal group known as TeamPCP hacked the EU's executive body, stealing 92 gigabytes of data, including personal information.

Healthcare

Healthcare IT Platform CareCloud Probing Potential Data Breach

CareCloud experienced a cybersecurity incident that may have compromised patient information, but the impact is believed to be limited and manageable.

After fighting malware for decades, this cybersecurity veteran is now hacking drones | TechCrunch

Mikko Hyppönen emphasizes the invisible nature of cybersecurity work, comparing it to Tetris where successes vanish and failures accumulate.

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

A targeted social engineering campaign by North Korean actors led to a supply chain compromise of the Axios npm package.

fromTNW | Eu

European Commission breached after hackers poisoned open-source security tool Trivy

A major data breach at the European Commission was caused by TeamPCP exploiting a supply chain attack on the Trivy security tool.

Human Error, Not Hacking, Cited as Top Cause for Crypto Access Loss

Human error is the leading cause of cryptocurrency access loss, affecting 35% of holders, primarily due to forgotten passwords and lost seed phrases.

Understanding the risks of OpenClaw

OpenClaw is an orchestration layer that requires external services to function effectively, rather than being a standalone cloud platform.

OpenClaw gives users yet another reason to be freaked out about security

OpenClaw's vulnerabilities pose severe security risks, allowing attackers to gain administrative access with minimal permissions.

DevOps

Understanding the risks of OpenClaw

OpenClaw is an orchestration layer that requires external services to function effectively, rather than being a standalone cloud platform.

OpenClaw gives users yet another reason to be freaked out about security

OpenClaw's vulnerabilities pose severe security risks, allowing attackers to gain administrative access with minimal permissions.

more#openclaw

#meta

fromwww.businessinsider.com

Meta paused its work with AI training startup Mercor after a data breach

Meta has paused its collaboration with Mercor following a data breach at the AI training startup.

fromWIRED

Meta Pauses Work With Mercor After Data Breach Puts AI Industry Secrets at Risk

Meta has paused work with Mercor due to a major security breach affecting data used for AI training.

fromwww.businessinsider.com

Meta paused its work with AI training startup Mercor after a data breach

Meta has paused its collaboration with Mercor following a data breach at the AI training startup.

fromWIRED

Meta Pauses Work With Mercor After Data Breach Puts AI Industry Secrets at Risk

Meta has paused work with Mercor due to a major security breach affecting data used for AI training.

more#meta

Artificial intelligence

fromMedium

Most Developers Are Using AI Wrong.

Using AI in coding can create an illusion of speed, leading to a lack of understanding and ownership of the code.

Roam Research

New Rowhammer attacks give complete control of machines running Nvidia GPUs

Rowhammer attacks on Nvidia GPUs can compromise CPU memory, allowing full control of host machines.

Venture

Variance Raises $21.5M for Compliance Investigation Platform Powered by AI Agents

Variance raised $21.5 million for an AI platform focused on compliance and risk investigations, enhancing fraud detection and management for financial institutions.

Remote teams

Security contractor blew the whistle on shabby support crew

Brad, a security contractor, faced challenges with antivirus alerts while working in a labor hire company's office without proper IT support.

#claude-code

4 hours ago

Software development

Claude Code's innards revealed as source code leaked online

Claude Code is still vulnerable to an attack Anthropic has already fixed

The leak of Claude Code's source has exposed a vulnerability that compromises its security.

Critical Vulnerability in Claude Code Emerges Days After Source Leak

Anthropic's Claude Code source code was leaked, revealing operational details but not compromising sensitive data like model weights or customer information.

4 hours ago

Software development

Claude Code's innards revealed as source code leaked online

Claude Code is still vulnerable to an attack Anthropic has already fixed

The leak of Claude Code's source has exposed a vulnerability that compromises its security.

Critical Vulnerability in Claude Code Emerges Days After Source Leak

Anthropic's Claude Code source code was leaked, revealing operational details but not compromising sensitive data like model weights or customer information.

Axios npm hack used fake Teams error fix to hijack maintainer account

A social engineering attack linked to North Korean hackers compromised Axios maintainers, leading to a supply chain attack with malicious npm package versions.

Node JS

Axios NPM Package Breached in North Korean Supply Chain Attack

fromSiliconANGLE

Information security

Hackers compromise popular Axios Javascript library with hidden malware - SiliconANGLE

Axios npm hack used fake Teams error fix to hijack maintainer account

A social engineering attack linked to North Korean hackers compromised Axios maintainers, leading to a supply chain attack with malicious npm package versions.

Axios NPM Package Breached in North Korean Supply Chain Attack

Malicious Axios NPM library versions were distributed in a supply chain attack by North Korean hackers, affecting millions of users.

fromSiliconANGLE

Hackers compromise popular Axios Javascript library with hidden malware - SiliconANGLE

Axios HTTP client library was hacked to distribute malware via a compromised npm account, affecting multiple operating systems.

Drift Protocol Hack 2026: What Happened, Who Lost Money, and What's Next

A Solana-based perpetual futures exchange lost $286 million in 12 minutes due to a sophisticated attack involving fake collateral and social engineering.

Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

Drift decentralized exchange lost $285 million due to a sophisticated attack involving unauthorized access and social engineering.

Cryptocurrency

fromnews.bitcoin.com

Drift Protocol Hack 2026: What Happened, Who Lost Money, and What's Next

A Solana-based perpetual futures exchange lost $286 million in 12 minutes due to a sophisticated attack involving fake collateral and social engineering.

Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK

Drift decentralized exchange lost $285 million due to a sophisticated attack involving unauthorized access and social engineering.

Axios npm Package Compromised in Supply Chain Attack

A significant supply chain attack on Axios introduced a Remote Access Trojan via hijacked maintainer accounts, affecting numerous developer environments.

Hackers compromise Axios npm package to drop cross-platform malware

Hackers compromised the Axios npm account to distribute remote access trojans across multiple operating systems.

Top npm package backdoored to drop dirty RAT on dev machines

A widely used npm library, axios, was compromised to deliver malware through a maintainer's hijacked account.

Axios npm Package Compromised in Supply Chain Attack

A significant supply chain attack on Axios introduced a Remote Access Trojan via hijacked maintainer accounts, affecting numerous developer environments.

Hackers compromise Axios npm package to drop cross-platform malware

Hackers compromised the Axios npm account to distribute remote access trojans across multiple operating systems.

Top npm package backdoored to drop dirty RAT on dev machines

A widely used npm library, axios, was compromised to deliver malware through a maintainer's hijacked account.

more#npm

#data-breach

Telehealth giant Hims & Hers says its customer support system was hacked | TechCrunch

Hims & Hers confirmed a data breach affecting customer support data, including names and contact information, but not medical records.

HackerOne hit by data breach via third-party partner

HackerOne confirmed a data breach at Navia, affecting 287 employees' personal data, including sensitive information like Social Security numbers.

HackerOne slams supplier over delayed breach notice

HackerOne employees were affected by a data breach linked to a third-party benefits provider, Navia Benefit Solutions, due to a security flaw.

fromSecuritymagazine

AI Startup Mercor, Which Works With Open AI and Anthropic, Confirms Data Breach

Mercor, an AI startup, experienced a data breach involving 4 terabytes of stolen data linked to a supply chain attack by hacking groups.

The company's biggest security hole lived in the breakroom

An internet-connected coffee machine caused a major data breach by exploiting security vulnerabilities in a corporate network.

Telehealth giant Hims & Hers says its customer support system was hacked | TechCrunch

Hims & Hers confirmed a data breach affecting customer support data, including names and contact information, but not medical records.

HackerOne hit by data breach via third-party partner

HackerOne confirmed a data breach at Navia, affecting 287 employees' personal data, including sensitive information like Social Security numbers.

HackerOne slams supplier over delayed breach notice

HackerOne employees were affected by a data breach linked to a third-party benefits provider, Navia Benefit Solutions, due to a security flaw.

fromSecuritymagazine

AI Startup Mercor, Which Works With Open AI and Anthropic, Confirms Data Breach

Mercor, an AI startup, experienced a data breach involving 4 terabytes of stolen data linked to a supply chain attack by hacking groups.

The company's biggest security hole lived in the breakroom

An internet-connected coffee machine caused a major data breach by exploiting security vulnerabilities in a corporate network.

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet released patches for a critical vulnerability in FortiClient EMS, allowing unauthenticated attackers to execute unauthorized commands.

Exploitation of Critical Fortinet FortiClient EMS Flaw Begins

Threat actors exploit a critical SQL injection vulnerability in Fortinet FortiClient EMS, allowing remote code execution without authentication.

22 hours ago

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet released patches for a critical vulnerability in FortiClient EMS, allowing unauthenticated attackers to execute unauthorized commands.

Exploitation of Critical Fortinet FortiClient EMS Flaw Begins

Threat actors exploit a critical SQL injection vulnerability in Fortinet FortiClient EMS, allowing remote code execution without authentication.

Why Code Validation is the Next Frontier - DevOps.com

Shared staging environments are inadequate for modern development; isolated, on-demand setups are needed for effective validation.

fromThe Verge

Pinterest said he violated laid-off colleagues' privacy. Now he's going public

A former Pinterest engineer claims he was unjustly fired for sharing a tool that revealed employee layoffs.

Cryptocurrency

De-fi platform Drift suspends deposits and withdrawals after millions in crypto stolen in hack | TechCrunch

Drift has suspended withdrawals and deposits due to a significant security incident involving a potential theft of up to $285 million.

DevOps

Panel: Security Against Modern Threats

Modern threats to software supply chains require resilience by design, integrating security into engineering workflows and empowering developers with the right tools.

Software development

Vim and GNU Emacs: Claude Code helpfully found zero-day exploits for both

LLMs can quickly identify security vulnerabilities in code, but their rapid evolution poses potential risks.

#ai-security

fromTNW | Corporates-Innovation

Meta freezes AI data work after breach puts training secrets at risk

Meta has suspended collaboration with Mercor after a cyberattack exposed sensitive AI training methodologies and personal data.

Claude Code leak puts enterprise trust at risk as security, governance concerns mount

Leaks threaten Anthropic's market position and raise security concerns about its AI coding tools.

Exabeam now monitors AI agents in ChatGPT, Copilot, and Gemini

Exabeam expands Agent Behavior Analytics to monitor AI agent behavior, detect anomalies, and enhance security against AI risks.

fromTNW | Corporates-Innovation

Meta freezes AI data work after breach puts training secrets at risk

Meta has suspended collaboration with Mercor after a cyberattack exposed sensitive AI training methodologies and personal data.

Claude Code leak puts enterprise trust at risk as security, governance concerns mount

Leaks threaten Anthropic's market position and raise security concerns about its AI coding tools.

Exabeam now monitors AI agents in ChatGPT, Copilot, and Gemini

Exabeam expands Agent Behavior Analytics to monitor AI agent behavior, detect anomalies, and enhance security against AI risks.

more#ai-security

FBI Confirms Kash Patel Email Hack as US Offers $10M Reward for Hackers

Threat actors accessed FBI Director Kash Patel's personal email, but no government information was compromised.

fromComputerworld

A core infrastructure engineer pleads guilty to federal charges in insider attack

Rhyne's attack involved unauthorized remote desktop sessions, deletion of network administrator accounts, and changing of passwords, showcasing significant security vulnerabilities.

Information security

Mobile Attack Surface Expands as Enterprises Lose Control

Mobile device security is inadequate, with many organizations using critically outdated operating systems and exposing sensitive data to potential attacks.

Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response

A malicious release of the Trivy vulnerability scanner exposed critical weaknesses in software supply chain security, allowing for potential credential theft.

Critical ShareFile Flaws Lead to Unauthenticated RCE

Two critical vulnerabilities in ShareFile could allow unauthenticated remote code execution through improper access to configuration pages.

fromWIRED

1 month ago

A $10K Bounty Awaits Anyone Who Can Hack Ring Cameras to Stop Sharing Data With Amazon

Usually, when you see a feel-good story about finding a lost dog, you don't immediately react with fear and revulsion. But that was indeed the case in response to a Super Bowl commercial from Amazon-owned security camera company Ring. There's now a group offering to dole out a $10,000 bounty to wrest back control of the user data Ring controls.

Privacy technologies

React2Shell Exploited in Large-Scale Credential Harvesting Campaign

Threat actor exploits Next.js vulnerabilities to exfiltrate credentials and compromise systems at scale, affecting over 766 systems and collecting more than 10,000 files.

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting operation exploits the React2Shell vulnerability to steal sensitive data from compromised hosts across multiple regions.

#malware

Information security

Fake Claude Code source downloads actually delivered malware

Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners

Operation REF1695 uses fake installers to deploy RATs and cryptocurrency miners, monetizing infections through CPA fraud since November 2023.

Information security

Sophisticated CrystalX RAT Emerges

Information security

New DeepLoad Malware Dropped in ClickFix Attacks

fromTechRepublic

Microsoft: Hackers Are Using WhatsApp to Deliver Malware to Windows PCs

WhatsApp messages are being exploited to deliver malware to Windows users, creating significant security risks.

Information security

New RoadK1ll WebSocket implant used to pivot on breached networks

Fake Claude Code source downloads actually delivered malware

Leaked Claude Code source code led to malware downloads, including credential-stealing Vidar and proxy tool GhostSocks, via a malicious GitHub repository.

Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners

Operation REF1695 uses fake installers to deploy RATs and cryptocurrency miners, monetizing infections through CPA fraud since November 2023.

Sophisticated CrystalX RAT Emerges

CrystalX RAT is a new malware-as-a-service combining spyware, stealer, and remote access capabilities, promoted on Telegram and YouTube.

New DeepLoad Malware Dropped in ClickFix Attacks

DeepLoad malware steals credentials and intercepts browser interactions, utilizing ClickFix for distribution and evading detection through sophisticated techniques.

fromTechRepublic

Microsoft: Hackers Are Using WhatsApp to Deliver Malware to Windows PCs

WhatsApp messages are being exploited to deliver malware to Windows users, creating significant security risks.

New RoadK1ll WebSocket implant used to pivot on breached networks

RoadK1ll is a Node.js implant that enables attackers to pivot from a compromised host to other internal systems undetected.

Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Google has released a security update for Chrome due to multiple high-severity vulnerabilities, including an actively exploited use-after-free flaw.

Information security

Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome

fromTechRepublic

Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Google has released a security update for Chrome due to multiple high-severity vulnerabilities, including an actively exploited use-after-free flaw.

Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome

Google's Chrome 146 update addresses 21 vulnerabilities, including a zero-day exploit tracked as CVE-2026-5281.

Jamf warns of massive app insecurities

Mac and iOS users face significant security threats, with many devices vulnerable to attacks and outdated systems.

Cisco Patches Critical and High-Severity Vulnerabilities

Cisco has released fixes for two critical and six high-severity vulnerabilities affecting various enterprise networking products.

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released critical updates to address vulnerabilities in its Integrated Management Controller and Smart Software Manager On-Prem.

Cisco Patches Critical and High-Severity Vulnerabilities

Cisco has released fixes for two critical and six high-severity vulnerabilities affecting various enterprise networking products.

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released critical updates to address vulnerabilities in its Integrated Management Controller and Smart Software Manager On-Prem.

more#cisco

Mercor Hit by LiteLLM Supply Chain Attack

We believe that the compromise originated from the Trivy dependency used in our CI/CD security scanning workflow. Our security team moved promptly to contain and remediate the incident.

Information security

I knew about North Korean hackers-they still tricked me and got into my computer | Fortune

North Korean hackers are increasingly targeting individuals in the crypto industry, employing sophisticated deception tactics.

fromwww.cybersecuritydive.com

Axios open-source library targeted in sophisticated supply chain attack

A North Korean threat actor compromised the axios library, introducing a malicious dependency that deploys a backdoor across multiple operating systems.

fromFortune

I knew about North Korean hackers-they still tricked me and got into my computer | Fortune

North Korean hackers are increasingly targeting individuals in the crypto industry, employing sophisticated deception tactics.

fromwww.cybersecuritydive.com

Axios open-source library targeted in sophisticated supply chain attack

A North Korean threat actor compromised the axios library, introducing a malicious dependency that deploys a backdoor across multiple operating systems.

Blind trust in hardware vendors is always a bad idea

Attackers are increasingly targeting hardware and firmware vulnerabilities as traditional security tools focus primarily on software layers.

New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation - Patch Released

"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page."

Information security

#phishing

Information security

Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

Major phishing campaign on GitHub using fake security alerts

A large-scale phishing campaign targets developers on GitHub, exploiting Discussions to spread fake security alerts about Visual Studio Code and distribute malware.

Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

A phishing campaign targets Spanish-speaking users in Latin America and Europe, delivering banking trojans via malware called Horabot.

Major phishing campaign on GitHub using fake security alerts

A large-scale phishing campaign targets developers on GitHub, exploiting Discussions to spread fake security alerts about Visual Studio Code and distribute malware.

Curl shutters bug bounty program to stop AI slop

cURL maintainer ended the bug bounty program due to overwhelming AI-generated and low-quality submissions that burdened the security team.

Critical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise

OAuth tokens pose significant security risks, especially when long-lived, as they can lead to widespread breaches across multiple organizations.

The Next Cybersecurity Crisis Isn't Breaches-It's Data You Can't Trust

Data integrity now encompasses data trust, emphasizing the importance of reliable data in AI-driven decision-making.

CrewAI Vulnerabilities Expose Devices to Hacking

Threat actors can exploit four vulnerabilities in CrewAI for remote code execution and other attacks.

Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks

Stolen credentials significantly enhance ransomware attacks, enabling illegitimate access and operational disruption within networks.

fromComputerWeekly.com

Banning routers won't fix what's already broken | Computer Weekly

The FCC's ban on foreign-made routers addresses future procurement, not current security risks, as routers are already vulnerable and widely deployed.

Cloudflare Adds Active API Vulnerability Scanning to Its Edge

Cloudflare's Web and API Vulnerability Scanner focuses on detecting Broken Object Level Authorization vulnerabilities in APIs.

Exploitation of Fresh Citrix NetScaler Vulnerability Begins

Exploitation of a critical Citrix NetScaler vulnerability began shortly after its public disclosure, with active attempts detected within days.

OpenAI Launches Bug Bounty Program for Abuse and Safety Risks

OpenAI launched a public safety bug bounty program targeting AI-specific abuse and safety risks in its products.

We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do with Them

AWS Bedrock's connectivity makes it powerful but also exposes it to multiple attack vectors that can compromise enterprise data.

2 weeks ago

Hundreds of millions of iPhones can be hacked with a new tool found in the wild

DarkSword, a sophisticated iPhone hacking technique discovered in use by Russian hackers, can silently compromise hundreds of millions of iOS devices running older operating system versions through infected websites.

3 weeks ago

Google Paid Out $17 Million in Bug Bounty Rewards in 2025

Google distributed $17.1 million in bug bounty rewards in 2025, a 40% increase from 2024, bringing its 15-year total to $81.6 million across over 700 security researchers.

2 months ago

HackerOne 'ghosted' me over $8,500 bounty: Researcher

HackerOne's Internet Bug Bounty delayed payment of an $8,500 reward after CVE-assigned Argo CD DoS flaws were fixed, leaving the researcher uncontacted for months.

2 months ago

Vulnerability exploits now dominate intrusions

Exploit of disclosed vulnerabilities now causes most intrusions, with attackers weaponizing new flaws within hours while many organizations patch slowly.