"I'm interested in all kinds of astronomy."

Talos Vulnerability Reports

New vulnerability report from Talos:

Norton Secure VPN Installation Insecure Operation On Junction Privilege Escalation Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2276

CVE-2025-58074

"Marketing agencies are pitching influencers deals such as $5,000 per TikTok video to amplify Build American AI’s messaging about how China’s technological rise should be seen as a threat"

https://www.wired.com/story/super-pac-backed-by-openai-and-palantir-is-paying-tiktok-influencers-to-fear-monger-about-china/

[RSS] Lateral Movement via Cross-Session Activation

https://ipurple.team/2026/05/04/cross-session-activation/

- DigiCert hacked with a malicious screensaver file
- Ransomware negotiators get four years in prison
- Trellix discloses security breach
- Another Russian hacker arrested vacationing in the wrong place
- Secessionist party leaks Albertans' personal data
- Fakestortion campaign hits cPanel sites
- Rockstar stock went up after the hack (leaked financials were spectacular)
- Hacker leak exposes Hungarian-Kremlin propaganda coordination

Podcast: https://risky.biz/RBNEWS559/
Newsletter: https://news.risky.biz/risky-bulletin-digicert-hacked-with-a-malicious-screensaver-file/


David Chisnall (*Now with 50% more sarcasm!*)

I saw that there’s now a mobile version of Roller Coaster Tycoon (Roller Coaster Tycoon Touch) and I thought it might be fun (one of the Netflix bundled mobile games). A couple of hours of casual play in, it was clear that the game was carefully designed to make it progressively harder and harder to make progress without in-app purchases.

@EUCommission, if you want to actually make things safer online, how about making that kind of predatory practice illegal? Children are particularly vulnerable, but so are a lot of adults. No need for age verification, just an outright ban.

So sad to see such a respected game series used for this kind of whale farming.

[RSS] Punk, or why I don't stream anymore

https://geohot.github.io//blog/jekyll/update/2026/05/03/punk-or-why-i-dont-stream.html

"What killed the hacker culture I grew up in was spectacle."

[RSS] A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202

https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202

[RSS] Three Bugs Walk Into a PDF: Prototype Pollution, Served Cold

https://starlabs.sg/blog/2026/04-three-bugs-walk-into-a-pdf-prototype-pollution-served-cold/

CVE-2026-34621, CVE-2026-34622, CVE-2026-34626

[RSS] Discovering Vulnerabilities in Enterprise Audiovisual Hardware

https://spaceraccoon.dev/discovering-vulnerabilities-enterprise-audiovisual-hardware/

[RSS] libghidra - SDK for automating Ghidra from Python, Rust, and C++

https://github.com/0xeb/libghidra

#Ghidra

[RSS] TAPOcalypse Now: Exploiting TP-Link Smart Devices From Anywhere

https://labs.taszk.io/articles/post/tapocalypse/

@wolf480pl @joshbressers @gregkh I don't think a negative externality has to affect *everyone*. We can argue about who are 1st, 2nd, and 3rd parties in this game, but in the end suboptimal vulnerability management (caused by arguably bullshit CVEs) definitely hurts the security of end users who don't have a say about which vendors their service provider chooses (not that there are many orgs out there today who can run without Linux, so this demand is a bit unrealistic too).

@gregkh @joshbressers What you are describing is called a "negative externality".

News shouldn’t disappear. 🕳️

Some publishers are blocking the Wayback Machine, putting the public record at risk. Journalists are speaking out.

Add your name. Stand for preserving the news.

✍️ https://www.savethearchive.com/NewsLeaders


Detailed report from DigiCert (thanks!) about "a limited number of code signing certificates, few of which were then used to sign malware".

At the beginning a ZIP file with a .scr executable, and some time later 60 revoked Code Signing certificates. https://bugzilla.mozilla.org/show_bug.cgi?id=2033170


Hungary's pro-Kremlin media gets hacked by WorldLeaks

The leaked data exposes coordination with the Kremlin in anti-Ukraine coverage: https://telex.hu/zacc/2026/04/30/mediaworks-hekkertamadas-memo-zelenszkij-lejaratas-telefonos-segitseg-moszkvabol

Mediaworks threatens lawsuits over coverage of the hacked data: https://hirtv.origo.hu/ahirtvhirei/2026/05/a-mediaworks-kozlemenye

It sues one of the sites that covered the Kremlin ties: https://media1.hu/2026/05/01/mediaworks-buntetofeljelentes-media1-telex-lapszemle-toth-tamas-antal/

h/t @rqm --> https://mastodon.social/@rqm@exquisite.social/116498047329184815

@tj there should be no API for this at all!