All Posts

CVE-2026-35273 is a critical (9.8) remote code execution flaw in Oracle PeopleSoft PeopleTools. The ShinyHunters extortion crew exploited it as a zero-day from May 27 to June 9, 2026 — before Oracle's June 10 advisory. Google's Mandiant notified more than 100 organizations; 68% were in higher education. What happened with the Oracle PeopleSoft zero-day? Attackers exploited a previously unknown flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand

The 2026 HIPAA Security Rule update is not final. OCR targeted May 2026 for a final rule; that window has passed with nothing published. It remains a proposed rule (NPRM) while OCR reviews roughly 4,745 comments and 100+ provider groups push for withdrawal. The current Security Rule is what you're held to today. If you've been told the big HIPAA Security Rule overhaul finalizes in May 2026, that date is now in the rearview mirror and no final rule exists. As of June 2026, the

CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw, to its Known Exploited Vulnerabilities catalog on June 5, 2026 after confirming active exploitation. An unauthenticated attacker can crash the file-transfer service with a crafted HTTP request. SolarWinds fixed it in Serv-U 15.5.4 Hotfix 1; federal agencies must patch by June 19. File-transfer servers are quiet infrastructure. Most companies set them up once, point a few partners and internal teams at them

A campaign called LLMShare hides malware behind fake ChatGPT “outage” pages hosted on OpenAI’s real chatgpt.com domain. Because the link is genuine, corporate web filters let it through. Victims arrive via Google ads, see a fake “high traffic” notice, and download a poisoned “desktop app” that installs stealer malware. Security researchers at Push Security have documented a malware campaign that turns one of the most trusted addresses on the internet into a delivery mechanism

The DentaQuest data breach exposed records for 2.6 million accounts, including names, dates of birth, government-issued IDs, and health insurance details, according to Have I Been Pwned. The extortion group ShinyHunters leaked the data publicly after negotiations failed. For health plans, employers, and dental practices, this is a third-party vendor breach with HIPAA implications. What happened in the DentaQuest data breach? DentaQuest, one of the largest dental benefits admi

Microsoft Scout, announced June 2, 2026, is an always-on AI agent that works autonomously inside Microsoft 365 under its own Entra identity. It reads email, calendars, chats, and files to act on a user’s behalf. Its safety depends entirely on the identity, access, and data-protection controls your organization has already configured. Microsoft introduced Scout on June 2 at its Build conference and described it as the first of a new agent category called Autopilots: AI agents

Sophos researchers uncovered a ransomware-linked threat actor using AI agents, including Claude Opus 4.5 and the Cursor coding tool, to build malware and test it against Sophos, CrowdStrike, and Microsoft Defender in a private lab. What did Sophos find? Sophos found a complete malware research and development operation run by an active, ransomware-linked threat actor. The investigation started when payloads in a test directory on a customer endpoint triggered alerts. Behind t

An AI-security CISO is a security leader who governs the risks created by artificial intelligence — the models a company builds, buys, or lets employees use. Beyond a generalist CISO’s remit, the role adds AI inventory, shadow-AI discovery, model-specific threats like prompt injection, AI vendor due diligence, and board reporting tied to frameworks such as NIST AI RMF and ISO 42001. Most boards added a line about “AI strategy” to their agenda in the last 18 months. Far fewer

On May 21, 2026, the FBI warned that a phishing-as-a-service kit called Kali365 is hijacking Microsoft 365 accounts by stealing OAuth tokens through device code phishing. It bypasses multi-factor authentication without ever capturing a password, giving attackers persistent access to Outlook, Teams, and OneDrive. What is Kali365 and what did the FBI warn about? Kali365 is a subscription phishing-as-a-service (PhaaS) platform that lets attackers steal Microsoft 365 access token

The EU Cyber Resilience Act (CRA) makes companies legally accountable for the security of every connected product they sell in the EU — and it draws no line between human-written and AI-generated code. Vulnerability reporting obligations begin September 11, 2026, with full compliance by December 11, 2027. Penalties reach €15 million or 2.5% of global turnover. If your engineering team is shipping AI-assisted code into products sold in Europe, the legal question is no longer w

California's CPPA cybersecurity audit rule took effect January 1, 2026. Covered businesses must run an annual cybersecurity audit against 18 control areas, document the results, and certify completion to the state. The first certifications are due April 1, 2028 for businesses over $100M in revenue. The program to pass it has to be built now. Most of the coverage of California's new cybersecurity audit rule has been written by law firms, for general counsel. It explains what t

Answer: Microsoft Defender disclosed an active cryptojacking campaign in which AI chatbots are surfacing attacker-controlled download sites in response to user queries about common Windows utilities. The malicious downloads silently install ScreenConnect for persistent remote access and run GPU cryptocurrency miners. Microsoft has tied more than 150 malicious domains to the campaign since March 2026. What did Microsoft discover about AI chatbot recommendations and malware? On

A vCISO (virtual Chief Information Security Officer) is an outsourced senior security executive who runs a small business’s cybersecurity program on a part-time retainer — typically $3,000 to $20,000 a month in 2026. In Los Angeles, vCISO services and fractional CISO services give SMBs and mid-market firms board-level security leadership at roughly 20–30% of the cost of a full-time CISO. Why LA small businesses started calling vCISOs in 2026 Three years ago, a vCISO was a cat

On May 26, 2026, CrowdStrike, Google, and the Shadowserver Foundation disrupted Glassworm, a Russia-linked botnet that targeted software developers through poisoned npm packages, Visual Studio Code extensions, and GitHub repositories. Any business that consumes open-source software inherits the risk. Organizations should check network logs for connections to 164.92.88.210 and review their software supply chain controls. What is the Glassworm malware campaign? Glassworm is a R

Two May 2026 healthcare breaches — at The Oncology Institute and Radiology Associates of Richmond — were caused by third-party vendor compromises, not direct attacks on the providers. Verizon’s 2026 Data Breach Investigations Report found that third parties were involved in 48% of breaches last year, a 60% year-over-year increase. For healthcare organizations, vendor risk is now the dominant exposure. What happened at The Oncology Institute and Radiology Associates of Richmon

Anthropic released a Claude Compliance API on May 21, 2026, with 28 security and compliance integrations including CrowdStrike, Microsoft Purview, Okta, Wiz, and Zscaler. The API pipes Claude Enterprise conversation content and activity logs into existing DLP, SIEM, and identity tools, making LLM usage governable through the same controls businesses already run for other SaaS. What did Anthropic actually announce? Anthropic announced on May 21, 2026, that Claude now integrate

Webworm, a China-aligned APT group, is hiding command-and-control traffic inside Discord channels and Microsoft OneDrive folders to steal data from European governments. The campaign matters to businesses because every minute Webworm operates, its traffic looks like normal SaaS activity. Standard egress controls and EDR rarely flag it. What ESET found in the Webworm 2025 campaign ESET researcher Eric Howard published findings on May 20, 2026 detailing fresh activity from Webw

Microsoft’s Digital Crimes Unit disrupted Fox Tempest on May 19, 2026, a financially motivated cybercrime group that abused Microsoft Artifact Signing to issue more than 1,000 fraudulent code-signing certificates. The certificates made ransomware including Rhysida and Akira look like trusted software. For businesses, the takedown signals that “signed” no longer means “safe.” What happened in the Fox Tempest takedown? On May 19, 2026, Microsoft’s Digital Crimes Unit seized the

Researchers using Anthropic’s Mythos Preview AI built a working kernel exploit against Apple’s Memory Integrity Enforcement in five days — a hardware-level defense Apple reportedly spent five years and billions of dollars engineering. The exploit is real, not theoretical. The patch window mid-market businesses rely on has narrowed, and annual security reviews no longer match the threat tempo. What actually happened with the Mythos Preview exploit? On May 17, 2026, researchers

By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM Published: May 19, 2026 Last updated: May 19, 2026 Tycoon2FA's new device-code variant tricks Microsoft 365 users into pasting an attacker-supplied code at microsoft.com/devicelogin. Real MFA completes at Microsoft's own login servers, and tokens are issued to the attacker's polling client. MFA isn't bypassed; what it authorizes is hijacked. Conditional Access can block the OAuth device-code flow for users who don't need it. W