Russia’s internet regulator Roskomnadzor reportedly added the decentralized social network Bluesky to its registry of banned websites, the latest step in a widening crackdown on foreign online services. The block comes amid broader restrictions on Telegram, WhatsApp and other platforms, continued use of VPNs to bypass controls, and intermittent mobile internet…
Category: Cyber Security News
Stolen credentials accounted for 22% of known initial access vectors in 2025 and remain the most common way attackers breach networks. Identity-centric Zero Trust—enforcing least privilege, continuous context-aware authentication, device trust, granular segmentation, and centralized governance—limits escalation and lateral movement, reducing breach impact. #Specops #ActiveDirectory
SAP released 20 security notes in its April 2026 patch day, including a critical SQL injection (CVE-2026-27681) in Business Planning and Consolidation and Business Warehouse that can lead to arbitrary code execution. A separate high-severity missing authorization check (CVE-2026-34256) affects ERP and S/4 HANA, and numerous medium- and low-severity fixes across BusinessObjects,…
Basic-Fit, Europe’s largest gym chain, disclosed a breach in which unauthorized access was detected and blocked within minutes. Personal details for roughly 1 million members — including names, contact details, dates of birth, and bank account information — were downloaded, with about 200,000 members in the Netherlands affected. #BasicFit #Netherlands…
Anthropic’s Claude Mythos collapses the time between vulnerability detection and exploitation, creating the potential for near-instantaneous, AI-powered attacks that defenders are currently ill-prepared for. The Cloud Security Alliance urges organizations to use Project Glasswing’s temporary restraint to harden basics—patching, segmentation, MFA, AI-driven defenses, and tabletop exercises—before Mythos-like capabilities proliferate. #ClaudeMythos #CloudSecurityAlliance…
A critical Remote Code Execution vulnerability in the Kali Forms WordPress plugin (all versions up to 2.4.9) was publicly disclosed and rapidly exploited in the wild, enabling unauthenticated attackers to run arbitrary PHP via manipulated form placeholders. The flaw originates in improper validation in prepare_post_data() that allows attacker-controlled values to reach…
New research from the Molly Rose Foundation and YouthInsight finds that over half of Australian children aged 12–15 continue to access restricted platforms such as TikTok, YouTube, and Instagram despite the country’s under-16 social media ban. The study highlights weak platform enforcement, widespread active underage accounts, and mixed impacts on safety,…
Goldman Sachs is taking a cautious, proactive stance toward Anthropic’s advanced AI model Mythos because of its ability to autonomously discover and exploit software vulnerabilities that could significantly disrupt financial systems. The bank is collaborating with Anthropic, cybersecurity partners, and other major firms through Project Glasswing to assess risks and strengthen…
CISA added six security flaws to its Known Exploited Vulnerabilities catalog after citing evidence of active exploitation. Notable entries include an SQL injection in Fortinet FortiClient EMS observed being probed since March 24, 2026 and a Microsoft Exchange deserialization flaw that Microsoft says Storm-1175 has used to deliver Medusa ransomware. #Medusa…
A critical unrestricted file upload vulnerability in ShowDoc (CVE-2025-0520 / CNVD-2020-26585) is being actively exploited to drop web shells and achieve remote code execution. Users should update ShowDoc to the latest release immediately to mitigate observed attacks and the widespread exposure of vulnerable instances. #ShowDoc #CVE-2025-0520…
Basic-Fit confirmed that unknown hackers accessed a centralized system storing member data across multiple countries and downloaded personal information, including names, addresses, contact details, dates of birth and bank account details. The breach was detected and stopped within minutes, affected up to about 1 million members (around 200,000 in the Netherlands),…
A TierOne dark web forum announced a $10,000 article contest running April 13–May 14, 2026, offering prizes sponsored by the ransomware group cry0 for technical write-ups on vulnerability exploitation. The contest solicits advanced exploit techniques across topics like RCE, IDOR, SSTI, firmware attacks, and AV/EDR bypasses, highlighting how underground communities mirror…
Dutch fitness giant Basic-Fit disclosed a cyberattack that exposed personal data of around one million club members across several European countries. The company says the intrusion was detected and stopped within minutes, affected members and the relevant data protection authority were notified, and no identification documents or passwords were accessed. #BasicFit #MyBasicFitApp
Booking.com confirmed that unauthorized third parties accessed booking information associated with some reservations, potentially exposing full names, emails, postal addresses, phone numbers, and communications with property providers. The company forced reservation PIN resets, emailed impacted users with updated PINs, urged caution against phishing, and said support is available while investigations continue. #Bookingcom #SageHunter
OpenAI is revoking and rotating macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package (v1.14.1) in a supply chain attack. Although its investigation found no evidence of certificate misuse or user data exposure, OpenAI is treating the keys as potentially compromised and requires macOS users to update apps before May 8, 2026. #Axios #UNC1069
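A CI workflow pulls in whatever its lockfile resolves to, so the first question after a report like this is whether a known-bad version is pinned anywhere in the tree, including nested copies under other packages. The audit below is an added example for this page, not OpenAI's or the Axios project's code; the only real value in it is the version the report names (axios 1.14.1), and both lockfiles are constructed samples covering the two npm lockfile layouts (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1).

```python
import json

# Added example, not OpenAI's or Axios's code: audit an npm package-lock.json for
# versions known to be compromised. Blocklist value taken from the report above;
# both lockfiles below are constructed for the demo.
BLOCKLIST = {"axios": {"1.14.1"}}

# lockfileVersion 2/3 layout: flat "packages" map keyed by install path.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "release-tooling", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "^1.14.0", "left-pad": "^1.3.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-cli": {"version": "2.0.0"},
    "node_modules/some-cli/node_modules/axios": {"version": "1.13.0"}
  }
}""")

# lockfileVersion 1 layout: nested "dependencies" tree; the bad version sits
# one level down, where a grep of the top-level entries would miss it.
SAMPLE_LOCK_V1 = json.loads("""{
  "name": "release-tooling", "lockfileVersion": 1,
  "dependencies": {
    "left-pad": {"version": "1.3.0"},
    "some-cli": {"version": "2.0.0",
                 "dependencies": {"axios": {"version": "1.14.1"}}}
  }
}""")


def iter_installed(lock):
    """Yield (install_path, name, version) for every package in the lockfile."""
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Scoped names keep their "@scope/" prefix after the last node_modules/.
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield path, name, meta.get("version")
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_blocked(lock, blocklist):
    """Return [(install_path, name, version)] for every pinned blocklisted version."""
    return [
        (path, name, version)
        for path, name, version in iter_installed(lock)
        if version in blocklist.get(name, ())
    ]


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for path, name, version in find_blocked(lock, BLOCKLIST):
            print(f"[{label}] {name}@{version} pinned at {path}")
```

To use it on a real repository, load the project's package-lock.json with json.load and pass it to find_blocked with the current blocklist; a non-empty result means the workflow would have installed the bad version on its next run, which is the point at which rotating signing keys and tokens the job could reach, as OpenAI did here, becomes the conservative call even without evidence of misuse.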