Latest CyberSec News by @thecyberpicker

A highly sophisticated email scam is targeting PayPal users with the subject line of "Set up your account profile."

Really good research on practical attacks against LLM agents. “Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous” Abstract: The growing integration of LLMs into applications has introduced new security risks, notably known as Promptware­—maliciously engineered prompts designed to manipulate LLMs to compromise the CIA triad of these applications. While prior research warned about a potential shift in the threat landscape for LLM-powered applications, the risk posed by Promptware is frequently perceived as low. In this paper, we investigate the risk Promptware poses to users of Gemini-powered assistants (web application, mobile application, and Google Assistant). We propose a novel Threat Analysis and Risk Assessment (TARA) framework to assess Promptware risks for end users. Our analysis focuses on a new variant of Promptware called Targeted Promptware Attacks, which leverage indirect prompt injection via common user interactions such as emails, calendar invitations, and shared documents. We demonstrate 14 attack scenarios applied against Gemini-powered assistants across five identified threat classes: Short-term Context Poisoning, Permanent Memory Poisoning, Tool Misuse, Automatic Agent Invocation, and Automatic App Invocation. These attacks highlight both digital and physical consequences, including spamming, phishing, disinformation campaigns, data exfiltration, unapproved user video streaming, and control of home automation devices. We reveal Promptware’s potential for on-device lateral movement, escaping the boundaries of the LLM-powered application, to trigger malicious actions using a device’s applications. Our TARA reveals that 73% of the analyzed threats pose High-Critical risk to end users. We discuss mitigations and reassess the risk (in response to deployed mitigations) and show that the risk could be reduced significantly to Very Low-Medium. We disclosed our findings to Google, which deployed dedicated mitigations...

Cloudflare has notified customers that hackers may have accessed their data as part of the Salesloft Drift campaign

Barracuda observed new methods to disguise phishing links in Tycoon phishing attacks, which are designed to bypass automated email security systems

Iranian group used 104 hijacked accounts in embassy spear-phishing, exploiting geopolitical tensions for espionage.

A quiet but consequential change is reshaping the foundations of online trust. Related: CISA on quantum readiness Starting in 2026, TLS certificate lifespans will shrink in stages — from 200 days, to 100, and eventually just 47 by 2029. The shift marks a sharp departure from today’s 398-day standard and will force organizations to rethink

Android droppers now spread banking trojans, SMS stealers, and spyware, disguised as government or banking apps in India and Asia.

Evertec subsidiary Sinqia has posted details of an attempt to steal $130m from two B2B partners

Jaguar Land Rover shut down systems after a cyberattack, disrupting production and retail, but says customer data likely remains safe.

Le 1er septembre 2025, Cloudflare a annoncé sur son compte X avoir déjoué une cyberattaque d’une ampleur inédite. Survenue durant l’été, cette attaque par déni de service distribué (DDoS) aurait atteint un pic de 11,5 térabits par seconde, établissant ainsi un nouveau record mondial selon l’entreprise américaine

Cloudflare mitigated a record 11.5 Tbps DDoS attack in 35 seconds, highlighting rising hyper-volumetric threats.

CISA adds TP-Link CVE-2020-24363 and WhatsApp CVE-2025-55177 to KEV; mitigations required by Sept 23, 2025.

Salesloft suspended Drift after August 2025 OAuth token theft hit 700+ firms, exposing Salesforce data.

In October 2024, Amazon disrupted another APT29 operation that attempted to use phishing domains impersonating AWS.

Hackers tried to steal $130 million from Evertec's Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank's real-time payment system (Pix).

He takes over a key leadership role in a position that’s seen rapid turnover over the past year.

Salesloft said the AI chat agent for sales and leads will be taken offline, as investigations into the attack spree widen and reveal more victims.

Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.

Pennsylvania Attorney General Dave Sunday said his office has made significant progress in recovering from an August 11 cyberattack, and it did not pay a ransom to the intruders.

Cloudflare blocked a record 11.5 Tbps DDoS attack, a UDP flood from Google Cloud, part of weeks-long assault waves.

Lazarus Group used PondRAT, ThemeForestRAT, and RemotePE in a 2024 DeFi attack, likely via Chrome zero-day.

MystRodX backdoor, active since Jan 2024, uses encrypted payloads and DNS/ICMP triggers for stealthy C2 control.

WhatsApp believes the vulnerability could have been combined with a separate OS-level vulnerability on Apple devices to potentially launch sophisticated attacks against “specific targeted users."

The US Immigration agency has resumed a $2m contract with the Graphite spyware developer, now owned by US investor AE Industrial Partners

A hacking campaign using credentials linked to Salesloft Drift has impacted a growing number of companies, including downstream customers of leading cybersecurity firms.

A malicious npm package “nodejs-smtp” has been discovered impersonating nodemailer and injecting code to drain crypto wallets

Internet infrastructure company Cloudflare said it recently blocked the largest recorded volumetric distributed denial-of-service (DDoS) attack, which peaked at 11.5 terabits per second (Tbps).

Internet of Things device-makers are eager to participate, but the commission’s concerns about its lead administrator have halted progress of the U.S. Cyber Trust Mark program.

An independent testing firm found that SlashNext’s product has a 100% detection rate for business email compromise and QR code attacks.

Experts have revealed an Azure AD vulnerability exposing ClientId and ClientSecret in a publicly accessible appsettings.json file