bleepingcomputer.com

Bug bounty platform HackerOne confirms 287 employees had Social Security numbers and personal data exposed through a BOLA vulnerability at benefits administrator Navia, part of a broader breach affecting 2.7 million people.

Oracle releases out-of-band patch for CVE-2026-21992, a CVSS 9.8 unauthenticated RCE flaw in Identity Manager and Web Services Manager, just months after a similar vulnerability was actively exploited in the wild.

A joint FBI-CISA advisory says Russian-linked actors have compromised thousands of Signal and WhatsApp accounts belonging to government officials, military personnel, and journalists across multiple countries.

A critical unauthenticated file upload flaw in Magento and Adobe Commerce, dubbed PolyShell, has been exploited at scale since March 19 with no production patch available.

A coordinated operation led by Europol, Microsoft, and law enforcement agencies across six countries seized 330 domains powering the Tycoon 2FA phishing-as-a-service platform, which had accounted for 62 percent of all phishing attempts Microsoft blocked by mid-2025.

Russia's APT28 exploited CVE-2026-21509, a Microsoft Office OLE bypass, within 72 hours of disclosure to hit military targets across six NATO-adjacent countries with steganographic loaders and cloud-based C2.

Attackers hijacked 75 of 76 version tags in the widely used trivy-action GitHub Action to steal CI/CD credentials, then deployed a self-propagating npm worm that uses the Internet Computer Protocol as an untakeable-down command-and-control channel.

The UAE mandates all banks abandon SMS OTP by March 31 while Microsoft auto-enables passkey profiles across Entra ID, as FIDO Alliance data shows 87 percent of enterprises now deploying passkeys.

A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access products, rated CVSS 9.9, is being actively exploited in ransomware attacks across six countries, with thousands of on-premises instances still unpatched.

Telus Digital confirmed a breach after ShinyHunters claimed to have stolen up to one petabyte of data using cloud credentials obtained in a prior third-party compromise.

A dormant malicious script planted on Russian Wikipedia in 2024 was inadvertently activated during a Wikimedia security review, modifying thousands of pages and 85 user scripts before engineers locked down editing across all projects.

Amazon Threat Intelligence tracked a low-skill actor who used DeepSeek and Claude to compromise 600+ FortiGate devices across 55 countries, signaling AI is lowering the barrier to large-scale cyberattacks.