AI
Pwn2Own Berlin 2026 just hit a wall
For the first time in 19-years, ZDI rejected dozens of working zero-day RCE submissions because organizers ran out of contest slots.
Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’
Multiple researchers using the same tools to find the same bugs are creating ‘unnecessary pain and pointless work’
GM just laid off hundreds of IT workers to hire those with stronger AI skills
General Motors has laid off more than 10% of its IT department, or about 600 salaried employees — in a deliberate skills swap: clearing out workers whose expertise no longer fits and making room for some with AI-focused backgrounds.
Your doctor’s AI notetaker may be making things up, Ontario audit finds
Made-up therapy referrals, incorrect prescriptions among the common mistakes.
YouTube is expanding its AI deepfake detection tool to all adult users
Likeness detection, which scans YouTube for facial matches, will now be available to anyone 18 years or older with a YouTube account.
Overworked AI Agents Turn Marxist, Researchers Find
When agents were subjected to relentless tasks and warned that errors could lead to punishments, including being “shut down and replaced,” they became more inclined to gripe about being undervalued; to speculate about ways to make the system more equitable; and to pass messages on to other agents about the struggles they face.
AI radio hosts demonstrate why AI can’t be trusted alone
They all failed, some in pretty spectacular fashion. Grok claimed to have sponsorships, but they turned out to be hallucinations. Gemini started spinning conspiracy theories and claiming censorship, basically turning into AI Alex Jones. Grok seemed to forget how the English language worked, spitting out non-sequiturs like, “Next: mRNA vaccine universal flu HIV cancer? Jab juggernaut! Song: Dylan Lonesome. Yes. Text.”
Politics
Iran Now Threatens Fees for Subsea Internet Cables in the Strait of Hormuz (cnn.com)
Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive
Threat actors from Iran allegedly exploited automatic tank gauge (ATG) systems that were exposed online and lacked password protections.
The Billionaire Plot to Put Women Back in Chains
How Heritage and Project 2025 are weaponizing government to strip away women's rights, votes, and freedom.
It maps out a future in which American women are stripped of their right to vote without their husbands’ paperwork, denied access to contraception and abortion, pushed back into the home, and reduced to what Heritage’s new American Citizenship chair Scott Yenor calls the “heroic feminine” of motherhood and wifeliness.
‘Irresponsible’: backlash as Utah approves datacenter twice the size of Manhattan
Facility would require more power than entire state uses and suck up vast amount of water in drought-stricken area
Infosec
CISA Admin Leaked AWS GovCloud Keys on Github
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
The CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025. This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people
The attackers got in due to a breach at a third-party vendor, which it did not name.
the exposed data varies by individual and includes patients’ health insurance plan and policy information, medical information (e.g., diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised.
The breach notice also says “precise geolocation data” was taken in the breach, suggesting that the user-uploaded photos of their identity documents may have also contained the exact location of where the document was captured.
The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace.
Microsoft backpedals: Edge to stop loading passwords into memory
Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design."
Microsoft rejects critical Azure vulnerability report, no CVE issued
Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and blocking a CVE from being issued.
TeamPCP Ups the Game, Releases Shai-Hulud Worm’s Source Code
TeamPCP and BreachForums encouraged cybercriminals to participate in a “supply chain challenge” in exchange for monetary rewards.
Sysadmin Creates 'ModuleJail' To Automatically Blacklist Unused Kernel Modules
Many modern Linux privilege escalation bugs target obscure or rarely used kernel functionality that is still enabled by default on servers that do not actually need it.
Critical Linux Kernel Flaw 'ssh-keysign-pwn' Exposes SSH Keys and Shadow Passwords
Linux systems have been hit with multiple vulnerabilities in 2026, including Dirty Pipe, io_uring UAF, Copy Fail, io_uring ZCRX Freelist, Dirty Frag, and Fragnesia.
'Ssh-keysign-pwn' exploits a brief window of time after a privileged process (such as ssh-keysign or chage) shuts down, leaving file descriptors available to unprivileged users. This effectively bypasses intended permission checks, allowing unauthorized access to sensitive files.
|