Security news | The Register

REG AD

SECURITY

Latest news and insight on information security and IT defenses

Novo Nordisk reports cyberattack as UK gives Wegovy pill the nod

Clinical trial participant data stolen, but pharma giant says exposed records were pseudonymized

Microsoft has mostly repaired a flaw in Surface hardware that allowed unprotected devices to be bricked by a single packet

And it was Microsoft Copilot that unwittingly revealed the longstanding vulnerability

Google fires sueball at alleged Chinese phishers over AI-powered fraud ops

Telegram-based 'Outsider Enterprise' accused of sending millions of scam texts and impersonating trusted brands

Plymouth council exposes hundreds in latest local government email gaffe

Authority admits mass message to home-schooling families revealed recipients' addresses, prompting ICO report and apology

REG AD

UK digital ID gets brain trust to 'challenge' ministers on policy

CEO of Mumsnet among the six-member team

Person in a dark suit holds a knife upright against a green background

BOFH: For one ambitious security type, chaos is a ladder

Mission Control sends its regards

ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day

University of Nottingham is first of many, Shiny tells The Reg

Microsoft's worst 'Nightmare' unleashes BitLocker bypass 0-day

Another day, another Windows exploit code

VRChat avatars posing in front of an in-game treehouse

VRChat says somebody faked a breach notice with the Maine AG's office

'We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General's office to have this removed.'

A student works from a notebook at a desk inside a home interior

Malware scare keeps schoolkids home for a second day

Great Marlow restricts network access while it investigates suspected infection

Nottingham Uni says student records raided after ShinyHunters claims cyberattack

Crooks claim 40 GB haul as breach database pegs number of exposed email addresses at 455K

Every employee’s password was stored in a single Excel file

The CEO thought this was the best way to deal with some email issues

REG AD

Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate

PRC eyes are watching you

Angry bug hunter with Microsoft beef drops new Windows 0-day

Revenge is a dish best served code

Camouflaged soldier holding a hand grenade with both hands outdoors.

GitHub pulls pin on npm's auto-run scripts

Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors

Green road sign saying Vulnerability Just Ahead against a cloudy sky.

Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9

Remote, unauthenticated RCE with root privileges is about as bad as it gets

AI is making Patch Tuesday (kinda) fun again

Unless you're an admin or vulnerability manager – then you're totally screwed

Top-down view of a giant sandworm-like creature on rippled desert sand with its mouth open.

Miasma worms its way onto GitHub as attack kit goes open source

As if there weren't enough package poisonings to worry about

Apple’s iOS 27 goes all agentic on compromised passwords, promises to change them with one tap

iBiz might not win the AI race, but analysts say it's focusing on features people may actually use

Signal says UK plan to scan devices for nude images 'endangers us all'

Encrypted messaging app warns device-level checks could be repurposed for censorship

Chrome's zero-day Whac-A-Mole continues with fifth exploited bug of the year

Google paid researcher a tidy $55K bounty for its discovery

France probes compromise of gov messaging platform after account hijack

Authorities say the breach only exposed public chat rooms, but alleged attacker claims to have accessed far more data

Qilin NHS breach tally grows as Essex trust confirms stolen records

Two years on from ransomware attack, hospitals are still trying to identify and warn patients

Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto

When an unsolicited job offer sounds too good to be true …

Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix

Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7

Four young people sit outdoors, with one smiling in the foreground and three behind

Ransomware sends Illinois high school on an early summer vacation

Meanwhile, 13 schools in Wales affected by separate attack

GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections

Miasma worm shapeshifts, but cloud secret-scouting remains the goal

NSO Group back in Meta's crosshairs after alleged WhatsApp targeting

Zuckercorp says surveillance-for-hire vendor was still running phishing operations after federal court told it to knock it off

UK boffin bait lands 18 international researchers

Global Talent visa program aims to draw in dissatisfied scientists from countries including the US

Oxford Uni student data pwned yet again - this time via career platform breach

Totally different attack from the break-in last month. Oh so that's OK then

REG AD

If you don't fall for these extortionists' calls, they'll show up with USB sticks

When 'Chatty Spider' morphs into tech services cosplay spider

Yet another Cisco SD-WAN 0-day under attack, and no patch in sight

Good luck, sys admins

World Food Programme breach exposes data of 600k vulnerable Gazan families

Those receiving aid in the famine-threatened, war-torn territory told support will remain

Council in UK's City of York outs hundreds of disabled residents with a single email blunder

Blue Badge holders exposed to each other after BCC function proves too complex

Pink is the latest goon squad to use fake helpdesk calls to steal creds

A familiar tactic popularized by chaotic crime crew Lapsus$

OpenAI's agent chained decade-old DoS attacks to crash web servers in seconds

Codex drops an HTTP/2 Bomb

REG AD

Five Eyes: Watch out for odd LinkedIn connection requests, China's back on the hunt for state secrets

Cash-for-intel tradecraft continues to concern intelligence officials years after it was first spotted

Duo who sold car crash victims' data must repay £118k

Fresh penalties secured after initial prison, community service sentences for RAC double act

Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine

'Attackers can now cheaply operationalize known vulnerabilities at scale,' boffins tell The Reg

All the passwords were stored in Active Directory description fields

It was far too easy for a hacker to get the information

Commvault says it's time to rethink resiliency as AI crooks leave victims in a 'dark, dead' state

Those backup plans need backup testing

Bend the beam like Beckham to defeat anti-jamming tech

It's hard to stop a signal jammer if you can't locate the source, say Rice University researchers

Hands typing on a laptop with a glowing digital interface showing data flow and connected icons.

Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures

Researchers follow in Nightmare Eclipse’s footsteps, flipping off Redmond in favor of insta-leaks

The Bank of England building between London skyscrapers and older stone buildings.

UK banks offered access to OpenAI’s GPT-5.5 amid exclusion from Anthropic’s Glasswing expansion

150 new organizations inducted to cyber’s Soho House, including the first outside the US

'Dumbass' criminal breaks the 'first rule of ransomware club'

You don't infect anyone in Russia or other CIS countries

Cisco sings Mythos' praises - but doesn't say how many bugs the model uncovered

Meanwhile, Anthropic adds 150 partners to Project Glasswing

Russian spy agency says foreign spies turned officials' smartphones into surveillance devices

FSB claims large-scale snoop op compromised phones of senior officials, but gives no technical evidence to back allegations

Microsoft reaches for olive branch after public dustup with 0-day researcher

Following days of criticism from the security community, Redmond dials back rhetoric, insists vulnerability hunters not in its legal crosshairs

Claude celebrates Anthropic's stock market float with blockbuster ... outage

Chatbot has no respect for timing of its maker's financial announcement

mobile phone

Northern Ireland cops issue PSA after official phone number spoofed by scammers

If you’re going to impersonate an officer, perhaps choose a more sophisticated way to nick cash than asking for gift cards…

REG AD

Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week

TeamPCP? Or copycat malware dev?

Election interlopers register 5K+ domains, hope to catch some voting phish

Hacking voting machines is so 2017. Phishing, impersonation pose the real election risks

GTA cheat service Atlas Menu hacked as attacker alleges screenshot spying

A database containing 64,000 user records was published to GitHub after an attacker claimed to have compromised all Atlas systems

Palo Alto VPN bug graduates from advisory to active exploitation

Rapid7: Attackers exploit authentication bypass flaw in the wild, meaning more emergency patching for PAN-OS users

Password manager Dashlane suspends customer accounts amid brute-force attacks

Engineers' weekends ruined as Dashlane's automatic protections kicked in

Putin sends submarines to survey Britain's subsea cables. UK deploys Royal Navy, mobilizes parliamentary draftsmen

Proposed legislation threatens fines and prison for reckless damage. Russian Prez must be shaking in his boots

Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries

And then Microsoft busted them all

ICE to keep an eye on your eyes under $25M biometric scanner deal

And you thought a face recognition app was intrusive?

No fix yet for critical RCE bug in open-source Git service Gogs - exploit module is out

Researcher reported the vuln in March. Maintainers haven't responded to his messages since

23andMe inherits lawsuit over 'disturbing' DNA data breach

California AG claims genetics biz downplayed 2023 mega-leak while paying ransom to attacker

Dutch cops wrest 17M devices from mystery botnet's clutches

Hosting provider pulled the plug after police traced 200 servers to the Netherlands

ChatGPT blindly trusts browser content, turning the page into a payload

You and me go ChatGPhish-ing in the dark

Russia-linked threat group put ChatGPT to work from lure to payload

Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government

ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak

Telco giant says no sensitive data was taken, though names, addresses, phones, and emails are now out there

Troops’ phones gave away location data to foreign adversaries

Lawmakers push DoD to tighten smartphone controls after adversaries exploited commercial tracking data

Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops

Six 0-days, three under active exploitation, more to come on July 14?

Snowflake buys Natoma to help freeze out rogue agents

It is the database titan’s sixth acquisition announcement since June 2025

Man using a desktop computer in a server room with equipment racks.

Microsoft tests the 15-character limit of Windows Server admins' patience

May security update trips over hostnames of a very specific length

Carnival confirms ShinyHunters cruised off with 6M customer records after April breach

Travel and leisure giant was just one of many victims of the cybercrooks' crime spree this year

Company CEO flooded file share with smut, called for help after he deleted it

Also, missing school iPad resurfaced after coach’s kids uploaded video to YouTube