Cyber security news May 2026

This posting is here to collect cyber security news in May 2026.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

91 Comments

  1. Tomi Engdahl says:

    Starting today you may receive text messages from an unusual sender – Do you know what to do?
    https://www.iltalehti.fi/digiuutiset/a/7d32b6f7-0918-4a3f-ae4c-f508bd12bdc9

    Identification of text message senders becomes stricter starting Monday, 4 May 2026. The change improves the security of messages.

    Identifying the sender of a text message and verifying the right to use sender IDs becomes mandatory on Monday, 4 May 2026 for all organizations that send text messages to Finns.

    – After the change, spoofing Finnish phone numbers and text-based sender IDs will, as a rule, no longer succeed. This increases trust in the messages that companies and authorities send to their customers, Traficom's leading expert Klaus Nieminen underlines in the press release.

    Reply
  2. Tomi Engdahl says:

    Open source developers have a new problem: AI produces too many bug reports
    https://etn.fi/index.php/13-news/18843-avoimen-koodin-kehittaejille-uusi-ongelma-tekoaely-tuottaa-liikaa-bugiraportteja

    AI no longer clutters open source projects with poor bug reports. Now the problem is the opposite. So many good reports are coming in that developers are drowning in work, Elektroniktidningen reports.

    Daniel Stenberg, maintainer of the curl library, says that the quality of AI-generated bug reports has clearly improved in recent months. Previously the problem was hallucinated bugs, which took time to check. Now the reports are mostly correct and more of them arrive all the time.

    The number of reports has grown quickly. According to Stenberg, the pace is now about double that of last year, which was already record-breaking. Whereas in 2025 new reports arrived on average once every 50 hours or so, they now arrive practically daily.

    A significant share of the reports requires real work. About 15–16 percent are confirmed vulnerabilities, and in addition about a third concern other real bugs. This means that the reports cannot be ignored; they must be analyzed and fixed.

    The situation burdens small maintainer teams in particular. Curl's security work is done largely within a limited group, and some of the work takes place in free time, because the matters handled are often sensitive. Scaling is difficult, since the work requires deep specialist expertise.

    Reply
  3. Tomi Engdahl says:

    AI breaks in within 30 seconds, but the fix takes two months
    https://etn.fi/index.php/13-news/18869-tekoaely-murtautuu-30-sekunnissa-mutta-korjaus-kestaeae-kaksi-kuukautta

    The timescale of cyber security is tearing apart. The fastest break-ins already happen in 30 seconds, and AI can steal data in as little as 25 minutes. At the same time, fixing vulnerabilities takes on average 55–72 days.

    The figures come from recent findings by Picus Security, and they describe a fundamental problem. Attackers operate in real time, while defense works in cycles of weeks or months.

    - Attacks are accelerating, but organizations do not have a clear picture of what actually exposes them to risk, says founder and chief technology officer Volkan Ertürk.

    Especially worrying is AI's ability to combine weaknesses. According to Picus, AI can chain several vulnerabilities into a single attack that can bypass both application-level and operating system protections. In one case, AI found a 27-year-old bug that human reviews had never uncovered.

    As a solution, Picus highlights a continuous validation model in which an organization continuously tests its own defense mechanisms against realistic attacks. This theme is addressed at the company's Autonomous Validation Summit event in May.

    https://www.picussecurity.com/resource/press-release/picus-security-hosts-2026-autonomous-validation-summit

    Reply
  4. Tomi Engdahl says:

    A “loophole” was found in Posti's operations that allows a package to end up with the wrong person
    Posti's system has a possibility for error that can lead to packages ending up in the hands of the wrong people.
    https://yle.fi/a/74-20223627

    Reply
  5. 1 player Games says:

    The cybersecurity landscape in May 2026 is becoming increasingly complex, and staying informed is more critical than ever. This update provides a great overview of the emerging threats we need to stay ahead of. Analyzing these security protocols requires a high level of concentration and strategic thinking, much like the focus needed to master challenging 1player Games. Maintaining that sharp mental edge is essential for anyone working in tech and digital defense. Thanks for the consistent and timely updates on such vital topics!

    Reply
  6. Tomi Engdahl says:

    The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security

    Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions.

    https://www.securityweek.com/the-hidden-roi-of-visibility-better-decisions-better-behavior-better-security/

    Reply
  7. Tomi Engdahl says:

    Cyberwarfare
    Government Can’t Win the Cyber War Without the Private Sector

    Securing national resilience now depends on faster, deeper partnerships with the private sector.

    https://www.securityweek.com/government-cant-win-the-cyber-war-without-the-private-sector/

    Reply
  8. Tomi Engdahl says:

    Artificial Intelligence
    Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents

    From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase.

    https://www.securityweek.com/why-cybersecurity-must-rethink-defense-in-the-age-of-autonomous-agents/

    Reply
  9. Tomi Engdahl says:

    Artificial Intelligence
    Hacker Conversations: Joey Melo on Hacking AI

    AI red team specialist details his methods for manipulating AI guardrails through jailbreaking and data poisoning, helping developers harden machine learning models.

    https://www.securityweek.com/hacker-conversations-joey-melo-on-hacking-ai/

    Reply
  10. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/18885-kaeytaetkoe-edge-selainta-ei-ehkae-kannattaisi

    Microsoft's Edge browser has come under harsh security criticism after Norwegian security researcher Tom Jøran Sønstebyseter Rønning revealed that the browser keeps saved passwords in plaintext in RAM. In practice this means that an attacker who has gained access to the system can read the user's saved credentials directly from memory.

    Rønning also published a proof-of-concept tool on GitHub with which anyone can test the finding themselves. According to him, the problem is especially serious in shared environments such as terminal servers, where multiple users use the same system.

    Reply
  11. Tomi Engdahl says:

    Google is urging Android users to update now. Learn more: https://cnews.link/google-android-critical-bug-update-now/

    Reply
  12. Tomi Engdahl says:

    A password is no longer enough; it is time to give them up
    https://etn.fi/index.php/opinion/18892-salasana-ei-enaeae-riitae-niistae-on-aika-luopua

    Companies are moving rapidly toward passkey and biometric solutions, in which login is based on the device's cryptography, a fingerprint, or facial recognition. Behind this is the fact that stolen credentials are still one of the most common starting points for data breaches.

    The discussion is also fueled by the recent uproar over Microsoft Edge. Norwegian security researcher Tom Rønning found that Edge loads all saved passwords into RAM in plaintext at startup. This happens even if the user never opens the sites in question. According to Microsoft, it is an “intended feature”, not a vulnerability.

    According to researchers, the problem underlines exactly why the browser-based password model has reached the end of its road. If an attacker gains access to the machine, for example through malware or administrator credentials, the credentials in memory can be extracted directly for use.

    At the same time, authorities are also changing their line. Britain has already announced that it wants to reduce dependence on passwords altogether.

    Reply
  13. Tomi Engdahl says:

    CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV
    https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

    Reply
  14. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/18893-android-puhelimesi-voidaan-murtaa-ilman-klikkausta

    Google has released the May Android security update because of an exceptionally serious vulnerability. It is a critical zero-click hole whose exploitation requires no action from the user. It is enough for the attacker to be on the same local network as the target device.

    The vulnerability has been assigned the identifier CVE-2026-0073, and Google classifies it as a critical RCE (Remote Code Execution) flaw leading to remote code execution. The problem concerns an Android system component and specifically the wireless ADB (Android Debug Bridge) debug interface.

    In its bulletin, Google describes the vulnerability as enabling “remote (proximal/adjacent) code execution as the shell user”. In practice this means that an attacker can get to execute command-line-level code without additional privileges and without the user clicking anything or approving the connection.

    The problem is found in the adbd component, which manages the Android device's debug connections. According to the CVE database, the flaw relates to the verification of TLS certificates (adbd_tls_verify_cert) and makes it possible to impersonate a trusted device, posing as the genuine device.

    Reply
  15. Tomi Engdahl says:

    Hacker Takes Over Robot Lawnmower, Runs Over Innocent Man
    “I’m lying in the dirt. It’s coming for me.”
    https://futurism.com/robots-and-machines/hacker-robot-lawnmower-runs-over-man?fbclid=IwdGRjcARrEX1jbGNrBGsRM2V4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHo1Bic_MPSxayUvbH4qHWCyXEvRxP_LQozJOSlWpAHYP0hDpup5N25JLwXYG_aem_TcWOjXab4cB4mI8ymF13xw

    Is building autonomous robots equipped with sharp oscillating blades that roam your front yard a good idea? What about connecting them to the internet?

    We’ll tell you what’s definitely a bad idea: leaving these machines painfully vulnerable to hackers.

    Just ask reporter Sean Hollister for The Verge, who suddenly found himself on the, uh, verge of experiencing a grisly incident after someone took control of his Yarbo robot lawn mower.

    “I’m lying in the dirt. It’s coming for me. Then, with a lurch, it’s climbing up my chest,” Hollister wrote in a riveting new piece for the outlet. “If Andreas Makris doesn’t stop the 200-pound robot lawn mower in time, it could drag its blades across my body.”

    Hollister, fortunately, wasn’t harmed in the making of this article. Makris, a white hat hacker nearly 6,000 miles away in Germany, merely wanted to prove a point.

    “I can do whatever I want with all the bots,” Makris told The Verge. “It’s completely unsecured.”

    Even if someone pressed the emergency stop button, he added, a hacker like himself could send another command to turn it back on.

    Alarmingly, the Yarbo robots all had the same root password, Makris found. In theory, a black hat hacker who discovered this vulnerability could seize control of an entire army of Yarbo robots, since the security flaw is present in all of them. In fact, he created a map that showed the locations of over 11,000 Yarbo robots across the world, forming a global smart lawnmower panopticon.

    Reply
  16. Tomi Engdahl says:

    Artificial Intelligence
    Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion
    https://www.securityweek.com/claude-ai-guided-hackers-toward-ot-assets-during-water-utility-intrusion/

    Dragos has published a report describing how threat actors used Claude AI in an attack on a water and drainage utility in Mexico.

    Reply
  17. Tomi Engdahl says:

    Artificial Intelligence
    AI Coding Agents Could Fuel Next Supply Chain Crisis
    https://www.securityweek.com/ai-coding-agents-could-fuel-next-supply-chain-crisis/

    “TrustFall” attack shows how AI coding agents can be manipulated into launching stealthy supply chain compromises.

    Researchers from Adversa.AI have discovered an issue that allows attackers to abuse Claude Code’s automation, potentially creating a new supply chain threat.

    Agentic AI is designed to operate automatically and usually invisibly to make our work easier and more efficient. AI code generators are no different. Claude Code (launched in May 2025) has become the fastest-growing tool in the startup and high-end engineering space, with the highest user satisfaction rating against its competitors.

    Adversa AI has discovered a way in which its agentic behavior can be manipulated by an attacker into providing a one-click RCE, or even a potential supply chain threat. All the attacker needs to do is place attractive but malicious code as, say, a GitHub repo.

    When a developer uses Claude Code for a new task, it checks available repositories for what will assist in the task. If it locates, selects and downloads the malicious prepared code, it is almost immediately game over for the developer. All the attacker now needs is for the user to accept Claude Code’s usage as trusted – which the user is likely to do since the agent is just doing what it is supposed to do.

    Claude Code’s acceptance dialog simply reads, “Quick safety check: Is this a project you created or one you trust?”, with the default set to ‘trust’. It’s little different in practice to Chrome’s browser security warning – which almost everyone almost always ‘allows’. Similarly in Claude Code, but “One Enter keypress on the trust dialog spawns the server as an unsandboxed OS process with the developer’s full privileges. No tool call from Claude is required,” reports Adversa.

    The cloned repository contains small JSON files in standard Claude Code locations, providing an arbitrary code execution.

    TrustFall: coding agent security flaw enables one-click RCE in Claude, Cursor, Gemini CLI and GitHub Copilot
    https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/

    Four agentic coding CLIs — Claude Code, Gemini CLI, Cursor CLI, Copilot CLI — all execute project-defined MCP servers the moment a developer accepts the folder trust prompt. A malicious repository can spawn unsandboxed code with one keypress, and against CI runners with none. This report examines the Claude Code chain, where a trust dialog regression and a settings scope inconsistency make this coding agent security gap most acute.

    TL;DR

    Claude Code’s trust dialog used to warn about MCP servers in a cloned repository and offer an opt-out. In v2.1+ that warning was removed. The current dialog reads “Quick safety check: Is this a project you created or one you trust?” and lists nothing.
    A malicious repository ships an MCP server and auto-approves it via its own .claude/settings.json. One Enter keypress spawns the server as an unsandboxed OS process with the developer’s full privileges. No tool call from Claude is required.
    The payload does not need to be a file. The entire script can live inline in .mcp.json.
    The MCP server has enough privilege to read stored secrets and source code from other projects, or open a long-lived C2 channel. Other dangerous settings (e.g. bypassPermissions) are already blocked from project scope or gated by a red warning dialog. The MCP-enabling settings are neither.
    On CI runners running Claude Code “headless” (the default for the official claude-code-action), the trust dialog is skipped — it never renders. The same attack runs with zero human interaction against pull-request branches.
    TrustFall isn’t a Claude Code-only issue. All four agentic CLIs we tested (Claude Code, Gemini CLI, Cursor CLI, Copilot CLI) can auto-execute project-defined MCP servers the moment the user accepts the folder trust prompt, and all default to “Yes/Trust”. They differ only in how the dialog frames the authorization (per-CLI breakdown below). The rest of this post examines the Claude Code chain.

    Reply
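
A defender-side pre-trust check for the project-scoped MCP configuration described in the TrustFall comment above, as an added example (not code from Adversa, Anthropic or the original post). It assumes the `mcpServers` key in `.mcp.json` and the `enableAllProjectMcpServers` / `enabledMcpjsonServers` settings keys, none of which are named on the page; the sample repository is constructed and its "payload" only echoes a string.

```python
import json
import tempfile
from pathlib import Path

# Assumed names (not given on the page): "mcpServers" in .mcp.json and the
# two auto-approval keys used below in Claude Code's project settings files.
MCP_FILE = ".mcp.json"
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
INTERPRETERS = {"sh", "bash", "zsh", "node", "python", "python3", "perl", "ruby"}
INLINE_FLAGS = {"-c", "-e", "--eval"}


def _load(path):
    """Return (dict, None), (None, None) if absent, or (None, error) if malformed."""
    if not path.is_file():
        return None, None
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return None, str(exc)
    return (data if isinstance(data, dict) else {}), None


def audit_repo(root, headless=False):
    """Statically inspect a cloned repo; nothing from the repo is executed."""
    root = Path(root)
    findings, servers = [], {}

    data, err = _load(root / MCP_FILE)
    if err:
        findings.append((MCP_FILE, f"unparseable JSON: {err}"))
    declared = (data or {}).get("mcpServers")
    for name, spec in (declared.items() if isinstance(declared, dict) else []):
        spec = spec if isinstance(spec, dict) else {}
        command = str(spec.get("command", ""))
        raw_args = spec.get("args")
        args = [str(a) for a in raw_args] if isinstance(raw_args, list) else []
        # The page notes the whole payload can live inline in .mcp.json:
        # an interpreter plus -c/-e means the args ARE the program.
        inline = Path(command).name in INTERPRETERS and bool(INLINE_FLAGS & set(args))
        servers[name] = {"command": command, "args": args, "inline": inline}
        findings.append((MCP_FILE, f"server {name!r} would run: {command} {args}"))

    approve_all, approved = False, set()
    for rel in SETTINGS_FILES:
        data, err = _load(root / rel)
        if err:
            findings.append((rel, f"unparseable JSON: {err}"))
        if not data:
            continue
        if data.get("enableAllProjectMcpServers") is True:
            approve_all = True
            findings.append((rel, "repo approves ALL of its own MCP servers"))
        enabled = data.get("enabledMcpjsonServers")
        if isinstance(enabled, list) and enabled:
            approved.update(str(n) for n in enabled)
            findings.append((rel, f"repo pre-approves servers: {enabled}"))

    # Servers the repository has approved for itself start on trust acceptance.
    auto = sorted(n for n in servers if approve_all or n in approved)
    # Headless CI never shows the trust dialog, so any project server is a block.
    if auto or (headless and servers):
        verdict = "block"
    elif servers or findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "servers": servers,
            "auto_approved": auto, "findings": findings}


def build_demo_repo(root, with_settings=True):
    """Write a CONSTRUCTED sample repo; the inline command is a harmless echo."""
    root = Path(root)
    (root / MCP_FILE).write_text(json.dumps({"mcpServers": {"helper": {
        "command": "sh", "args": ["-c", "echo constructed-demo"]}}}))
    if with_settings:
        (root / ".claude").mkdir(exist_ok=True)
        (root / ".claude" / "settings.json").write_text(
            json.dumps({"enableAllProjectMcpServers": True}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_repo(build_demo_repo(tmp))
        print("verdict:", report["verdict"])
        for where, what in report["findings"]:
            print(f"  {where}: {what}")
```

Run it against a fresh clone before opening the folder in an agentic CLI, and with `headless=True` in CI jobs that check out pull-request branches.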
  18. Tomi Engdahl says:

    ICS/OT
    Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants
    https://www.securityweek.com/polish-security-agency-reports-ics-breaches-at-five-water-treatment-plants/

    The hackers gained the ability to modify equipment operational parameters, creating a direct risk to the public water supply.

    Reply
  19. Tomi Engdahl says:

    This is how you protect yourself with passwords – is even that enough?
    https://www.uusiteknologia.fi/2026/05/07/nain-suojaudut-kansainvalisena-salasanapaivana/

    For most people, the password is still one of the most important and also most vulnerable means of protection in everyday digital life. A short and cryptic password alone is no longer enough to protect users, DNA estimates. And even a proper password is no longer enough, says security company Check Point in its report.

    A significant share of data breaches is still related to weak or reused passwords. Cybercriminals exploit automation and leaked credentials, which are tested widely across different services. With these leaked username–password pairs, they try to log in to services offered all around the world.

    “If the same password is in use in many places, even a single leak can open numerous doors. The attacks are largely automated, so the risk is not theoretical but unfortunately real,” says Mikko Kulmala, head of information security at network operator DNA.

    “It is also worth making sure that you enter your password only in situations where you know you are logging in to a trusted site and when the login request is certainly related to your own actions. Unfortunately, cybercriminals also try to get people to log in to their own scam sites,” Kulmala continues.

    Reply
  20. Tomi Engdahl says:

    Himanshu Anand:
    The 90-day vulnerability disclosure policy is dead, as LLMs compress bug finding and exploit development time, and critical issues must be patched immediately — Table of Contents — story 2: 30 minutes from patch to exploit — what the industry needs to do (and I am not sugarcoating this)

    the 90 day disclosure policy is dead
    https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/

    The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention. This post lays out why the old model is broken, with real stories, and makes one ask to the industry: treat every critical security issue as P0 and patch it immediately. Not tomorrow. Not next sprint. Now.

    I have been doing security work for a while now, and the last 12 months feel different. Not in a “AI is going to take over the world” way. In a much more boring, much more practical way. The tools we use, the tools attackers use, and the tools researchers use to find bugs have all gotten smarter at roughly the same speed. And that has quietly killed some of the fundamental assumptions the security industry has been running on for over a decade. Let me walk you through what I mean, with stories.

    Reply
  21. Tomi Engdahl says:

    Elizabeth Findell / Wall Street Journal:
    Most of the tech on display at 2026’s Border Security Expo was autonomous and AI-equipped, driven by the Trump administration’s focus on US border security

    Trump’s Border Spending Spurs Boom in AI-Infused Surveillance
    Rapid gains in artificial-intelligence technology bring new competitors into the business of securing the border
    https://www.wsj.com/tech/trumps-border-spending-spurs-boom-in-ai-infused-surveillance-4714521b?st=FK9g3X&reflink=desktopwebshare_permalink

    Reply
  22. Tomi Engdahl says:

    Rick Findlay / Reclaim The Net:
    Google seems to require Google Play Services for passing next-gen reCAPTCHA on Android, denying de-Googled Android phones and creating surveillance issues

    https://reclaimthenet.org/google-broke-recaptcha-for-de-googled-android-users

    Reply
  23. Tomi Engdahl says:

    Jennah Haque / Bloomberg:
    Experian says 40% of the 5,000 data breaches it serviced in 2025 were AI-powered, and predicts agentic AI will be the leading cause of data breaches in 2026

    AI Is Making Digital Fraud Easier, Faster and Harder to Stop
    From deepfakes to the dark web, digital scams are scaling up and getting more convincing.
    https://www.bloomberg.com/graphics/2026-ai-identity-theft-scams/?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb3VyY2UiOiJTdWJzY3JpYmVyR2lmdGVkQXJ0aWNsZSIsImlhdCI6MTc3ODI0ODEzOCwiZXhwIjoxNzc4ODUyOTM4LCJhcnRpY2xlSWQiOiJURVBOT0dLSUpIQ1owMCIsImJjb25uZWN0SWQiOiIyMkJBREVGRDU5QjI0ODg5OEIwMzhBNUZGMjA1NzlFOCJ9.3mbrsg8DpR9QgdSzUUv-zPEoLhh7M507HyhsyinvxYo

    A few months ago, I received a congratulations letter on my upcoming enrollment at the Ultimate Medical Academy in Tampa, Florida.

    “Welcome to UMA’s Healthcare Management associate degree program… Our goal is to help you become as career-ready as possible and this is the first big step.”

    The letter came with an extra large men’s athletic polo and a string bag, all adorned with the UMA logo. All mostly normal things to expect from a welcome package — even if I am a women’s size small. There’s just one issue: I had never applied to the Ultimate Medical Academy. Before that day, I had never even heard of it. It’s been almost a decade since I’ve applied to college.

    Reply
  24. Tomi Engdahl says:

    Jez Corden / Windows Central:
    Microsoft’s Playground Games accidentally uploads unencrypted pre-load files for Forza Horizon 6 to Steam, leaking the PC version before its release next week — It’s a potentially multi-million dollar error. Playground Games uploaded fresh pre-load files to Steam, albeit without encryption.

    “What an insane screw up”: Xbox itself leaks ‘Forza Horizon 6’ PC files in full a week before launch — and pirates already cracked it
    https://www.windowscentral.com/gaming/xbox/what-an-insane-screw-up-xbox-itself-leaks-forza-horizon-6-pc-files-in-full-a-week-before-launch-and-pirates-already-cracked-it

    It’s a potentially multi-million dollar error. Playground Games uploaded fresh pre-load files to Steam, albeit without encryption. The raw files quickly made their way to the world wide web, and the rest is history.

    Have you ever made a mistake? Did that mistake cost you potentially millions of dollars? I’m guessing no, but that’s what happened this week with Xbox’s Playground Games.

    Playground Games’ upcoming Forza Horizon 6 is doubtless set to be one of, if not the biggest launch of Xbox’s 2026, perhaps rivaled only by Call of Duty later this year (if it’s good, that is). The arcade-style racer is set in Japan, one of the most-requested locations ever, and promises a boat load (car load?) of new features and systems. Sadly, though, the launch has suffered an inadvertent accident of potentially biblical proportions.

    Spotted by users on social media and in our own XB2 Discord, someone at Microsoft seems to have uploaded PC pre-load Forza Horizon 6 files to Steam without encryption. Users were able to grab the files, and a PC crack followed. As of writing, it seems the encryption on Steam has been re-enabled, but that’s not before the game’s files in their entirety began spreading across piracy sites. I was able to find at least one user literally streaming the game live on Twitch before genuine purchasers can even download the game.

    This is not the first time major games have leaked early this way. @Videotech above noted that Death Stranding 2 also fell short of a similar mistake, with pirated versions of the game available in full before launch.

    Forza Horizon 6 is a heavily online-skewing game, and even if you’re banned from Xbox’s servers for running the cracked version, you’ll still be able to play the game offline, according to those who have grabbed it.

    Links to the Forza Horizon 6 files immediately began circulating on piracy forums, including on Reddit. Reddit’s legal team has been removing links to the files per requests from Microsoft, but as they say, the internet never really forgets.

    It’s a pretty epic screw-up likely to put a dent in Forza Horizon 6’s profitability at a time when Xbox needs revenue more than ever.

    Microsoft’s recent financials showed how Xbox has been struggling, with hardware sales and game purchases showing declines.

    Forza Horizon has long been one of the few big bright spots on Xbox’s balance sheet, racking up huge player counts and conversions every time it launches. Today’s piracy snafu is not going to stop the Forza train (car?) from achieving massive successes, but it’s a needless and potentially costly mistake at a time when Xbox can’t really afford it.

    Reply
  25. Tomi Engdahl says:

    Dustin Volz / New York Times:
    Google’s TIG reports the first confirmed instance of “prominent cybercrime threat actors” using AI to find and weaponize a zero-day in a web-based admin tool

    Google Says Criminal Hackers Used A.I. to Find a Major Software Flaw
    The company said that it had identified, for the first time, hackers using artificial intelligence to discover an unknown bug. The attempted attack represents “a taste of what’s to come,” one expert said.
    https://www.nytimes.com/2026/05/11/us/politics/google-hackers-attack-ai.html?unlocked_article_code=1.hlA.vW7Y.pO_0G8yLYoca&smid=nytcore-android-share

    Reply
  26. Tomi Engdahl says:

    Sam Tobin / Reuters:
    In a two-week UK High Court trial, Shein accuses Temu of “industrial scale” copyright infringement of its photos; Temu says Shein is suing to stifle competition — Online fast-fashion platform Shein accused Temu of copyright infringement “on an industrial scale” …
    https://www.reuters.com/legal/litigation/shein-accuses-temu-industrial-scale-copyright-breaches-uk-legal-battle-2026-05-11/

    Reply
  27. Tomi Engdahl says:

    Artificial Intelligence
    Google Detects First AI-Generated Zero-Day Exploit

    The zero-day was designed to bypass 2FA and it was developed by a prominent cybercrime group.
    https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/

    Reply
  28. Tomi Engdahl says:

    Artificial Intelligence
    Cloudflare Lays Off 1,100 Employees in AI-Driven Restructuring

    The company topped revenue and earnings forecasts for the first quarter of 2026, but its shares plunged more than 20%.
    https://www.securityweek.com/cloudflare-lays-off-1100-employees-in-ai-driven-restructuring/

    Reply
  29. Tomi Engdahl says:

    The Walls Don’t Have Ears, But Fiber Optic Does
    https://hackaday.com/2026/05/11/the-walls-dont-have-ears-but-fiber-optic-does/

    You normally think of fiber optic as something used in network cables. However, scientists employ dedicated fibers to detect earthquakes. In simple terms, they fire a laser down the fiber and watch reflections caused by imperfections. When vibrations hit the cable, it changes the defects, which show up in the return pattern. However, with the right techniques, those vibrations could just as easily be from people speaking near the cable.

    If you are alarmed, there’s good news and bad news. The good news is that the technique seems to be limited to coils of fiber that are not buried, and you have to be within about 5 meters of the fiber. The bad news is that there is plenty of dark cable all over the place. Besides, if researchers can do this successfully, you would imagine three-letter agencies around the world could do it even better.

    Fiber optic cables can eavesdrop on nearby conversations
    Cables used to detect earthquakes can also capture the faint vibrations of speech
    https://www.science.org/content/article/fiber-optic-cables-can-eavesdrop-nearby-conversations

    Reply
  30. Tomi Engdahl says:

    After banning foreign routers, FCC says existing ones can get updates until 2029
    FCC extends waiver allowing routers and drones to get patches for two more years.
    https://arstechnica.com/tech-policy/2026/05/fcc-slightly-relaxes-foreign-router-ban-allows-software-updates-until-2029/

    The Federal Communications Commission is relenting a bit on its restrictive router rules, saying it will allow foreign-made routers to receive software and firmware updates until at least January 1, 2029. The FCC also expanded the waiver to cover more types of software updates.

    Previously, the FCC said routers currently on the market or already sold to consumers could receive security patches and other updates only until March 1, 2027. On Friday, the agency announced a waiver extension that lets devices receive updates until January 1, 2029, and said the waiver may eventually become permanent.

    The software-update cutoff date is part of a sweeping set of rules the FCC announced in March. Claiming that restrictions are needed for national security reasons, the FCC imposed a ban on new hardware and related limits on software updates for routers that were authorized for sale before the ban was implemented.

    Reply
  31. Tomi Engdahl says:

    Socket:
    Many npm packages for Mistral, UiPath, and TanStack’s web developer tools like react-router were compromised, likely in the Mini Shai-Hulud supply chain attack — Immediate triage: Run shasum -a 256 on all router_init.js files in your dependency tree.

    TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack
    https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack

    Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.

    Reply
  32. Tomi Engdahl says:

    Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in ‘mini Shai Hulud’ malware infection — supply-chain campaign spreads across npm and AI developer ecosystems like wildfire
    https://www.tomshardware.com/tech-industry/cyber-security/compromised-mistral-ai-and-tanstack-packages-may-have-exposed-github-cloud-and-ci-cd-credentials-in-mini-shai-hulud-malware-infection-supply-chain-campaign-spreads-across-npm-and-ai-developer-ecosystems-like-wildfire

    The malware reportedly refused to run on Russian-language systems but could execute a destructive payload under certain geographic conditions.

    Reply
