
From The Aether

Cybersecurity or Trade? US Chooses Dollars Over Data in China Standoff

The US government has paused sanctions on China’s Ministry of State Security, prioritizing trade talks over cybersecurity. Critics argue it’s like trading your umbrella for a handshake in a rainstorm. With Salt Typhoon attacks still fresh, the key question remains: Can you really negotiate your way out of a cyber compromise?

1 week ago

Phishing Frenzy: New Cyber Threat Kits Unleash a Wave of Deceptive Attacks

Phishing kits like BlackForce are the Swiss Army knives of cybercrime, offering everything from credential theft to bypassing multi-factor authentication (MFA). Sold on Telegram, BlackForce cleverly sidesteps security measures and impersonates brands like Disney and Netflix. It’s phishing, but with a masterclass in misdirection, leaving victims blissfully unaware of their compromised credentials.

1 week ago

Hackers Exploit CentreStack Flaw: A Comedy of Cryptographic Errors!

Hackers are shaking down Gladinet CentreStack like it’s a vending machine, exploiting a new vulnerability to extract cryptographic keys and achieve remote code execution. Huntress warns that weak cryptography lets attackers lift those keys straight out of the web.config file. Time to update your software, lest your data become a hacker’s snack!

1 week ago

Accenture Scandal: Former Manager Sued for Cloudy Security Deception!

The US is suing a former senior manager at Accenture, Danielle Hillmer, for allegedly misleading the government about the security of an Army cloud platform. Hillmer is accused of deceiving auditors with claims of meeting high security standards, despite knowing the platform wasn’t compliant. Talk about clouding the truth!

1 week ago

Microsoft’s Bug Bounty Bonanza: Cash for Critical Vulnerabilities!

Microsoft is revamping its bug bounty program to reward vulnerability researchers for finding flaws in all its products and services. The “in scope by default” approach covers even new products without established bounty schemes, aiming to bolster security, especially in high-risk areas. Expect more payouts, with over $17 million awarded last year.

1 week ago

Fieldtex Fiasco: Ransomware Group Strikes, Exposing 238,615 Health Records

Fieldtex Products, the US company known for sewing and medical supplies, has been stitched up by a ransomware group. The cybercriminals claim to have purloined 14 GB of data, including sensitive health info. The breach impacts 238,615 individuals, making it one of those “you had one job” moments in cybersecurity.

1 week ago

Dark Reading’s Guide to Writing: How to Avoid a Cybersecurity Slice and Dice

Dark Reading Commentary is evolving to include Tech Talks and Ask the Expert articles, focusing on practical cybersecurity tips and peer advice. Think less “what does this technology do” and more “here’s how to wield it like a pro.” Just remember, no AI-written submissions—our editors still prefer their content like their coffee: human-brewed.

1 week ago

Home Office’s eVisa Fiasco: Digital-Only Scheme Sparks GDPR Chaos

Civil society groups are urging the UK’s data watchdog to probe the Home Office’s digital-only eVisa scheme for potential GDPR breaches. They claim it exposes sensitive data and leaves migrants unable to prove their legal status. Could this be the plot of a new thriller, or just another day in bureaucracy?

1 week ago

XSS Strikes Again: The 2025 List of Software Vulnerabilities You Can’t Ignore!

MITRE’s 2025 CWE Top 25 list reveals cross-site scripting vulnerabilities still reign supreme. Six new weaknesses join the dangerous party, while others drop out like they missed curfew. CISA urges software makers to review the list and add a sprinkle of Secure by Design practices. Check the methodology if you’re into the nerdy details!

1 week ago

Nanoremote Malware: A Comedy of Errors with Google Drive C2 Shenanigans

Elastic Security Labs has discovered a sneaky Windows backdoor, NANOREMOTE, using the Google Drive API for command and control. It’s like FINALDRAFT’s mischievous cousin, using similar code but with a new twist. This malware is a master of disguise, making data theft look like just another file upload to the cloud.

1 week ago

Windows RasMan Chaos: Unofficial Patches Save the Day Amid Zero-Day Vulnerability Meltdown

Free unofficial patches are swooping in to save the day for a new Windows zero-day. The bug crashes the RasMan (Remote Access Connection Manager) service, handing attackers a backstage pass to mischief. Thanks to ACROS Security’s 0patch, your Windows won’t be caught with its digital pants down, at least until Microsoft gets around to an official fix.

1 week ago

React2Shell Mayhem: Half the Internet Still Vulnerable to Exploitation Frenzy!

Half of the internet-facing systems vulnerable to the React2Shell flaw remain unpatched, giving attackers a comfortable head start. The flaw has sparked a dozen active attack clusters, from cryptominers to state-linked intrusion. With React’s ubiquity, patching remains challenging, giving attackers little reason to move on.

1 week ago

Notepad++ Update Hijack: How Chinese Hackers Turned a Free Editor into a Threat Actor’s Playground

Notepad++ has patched a weakness in its updater that let attackers, reportedly from China, hijack update traffic and redirect users to malicious downloads. The updater now verifies installer signatures, but how the traffic was being intercepted in the first place remains unexplained. It’s a plot twist worthy of a tech thriller!

1 week ago

Microsoft’s Bug Bounty Bonanza: Cashing in on Code Flaws Everywhere!

Microsoft is expanding its bug bounty program to cover third-party and open source code: if a vulnerability in it impacts Microsoft’s online services, researchers are eligible for rewards. This approach aligns with the hacker mentality that all security defects matter. Microsoft’s bug bounty program now covers all online services by default, raising the security bar for everyone.

1 week ago

Breach Fatigue: How to Turn Skeptical Customers into Loyal Advocates

Breach fatigue is real and it’s changing behavior. Consumers, tired of constant data breaches, now treat them as background noise. Businesses must shift from reactive apologies to proactive transparency, showcasing security as a customer benefit. Empathy, education, and user control are key to turning this crisis into an opportunity for loyalty.

1 week ago

Cyber Deception: The Secret Weapon You’re Probably Ignoring (But Shouldn’t)

Cyber deception: the art of sending attackers on a wild goose chase through fake environments. The NCSC is on a mission to make hackers sweat with honeypots and honeytokens, proving that while cyber deception isn’t new, it’s an underused trick that can turn the tables on cybercriminals.
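A honeytoken is only useful if someone is watching for it, so here is an added example of the detection side (example code written for this digest, not anything from the NCSC). It plants two constructed canary access-key IDs, scans a handful of constructed access-log lines, and raises an alert for every use of a canary, whatever the result, because the legitimate owner never uses the token at all. The log format, key values and plant locations are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed canary credentials for this example. Each is an identifier that no
# real principal owns, recorded alongside where it was planted, so that any use
# of it means someone read the bait. The values are assumptions, not real keys.
CANARY_KEYS = {
    "AKIAHONEY00000000001": "planted in /srv/app/.env on web-01",
    "AKIAHONEY00000000002": "planted in notes/old-deploy.md on the wiki",
}

# Constructed log lines in the shape of an STS/IAM access log (a fabricated
# format for the example, not a real CloudTrail record).
SAMPLE_LOG = """\
2025-12-10T03:14:07Z action=sts:GetCallerIdentity accessKeyId=AKIAREALKEY000000001 sourceIp=10.0.5.12 result=Success
2025-12-10T03:14:09Z action=s3:ListBuckets accessKeyId=AKIAREALKEY000000001 sourceIp=10.0.5.12 result=Success
2025-12-10T03:22:41Z action=sts:GetCallerIdentity accessKeyId=AKIAHONEY00000000001 sourceIp=203.0.113.7 result=Denied
2025-12-10T03:22:44Z action=iam:ListUsers accessKeyId=AKIAHONEY00000000001 sourceIp=203.0.113.7 result=Denied
2025-12-10T04:01:00Z action=s3:GetObject accessKeyId=AKIAREALKEY000000002 sourceIp=10.0.5.30 result=Success
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) accessKeyId=(?P<key>\S+) "
    r"sourceIp=(?P<ip>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class CanaryAlert:
    timestamp: str
    key_id: str
    source_ip: str
    action: str
    planted_at: str


def detect_canary_use(log_text: str, canaries: dict) -> list:
    """Return one alert per log line that presents a canary credential.

    A canary fires regardless of result: a Denied attempt is just as much
    evidence of theft, since the legitimate owner never uses the token at all.
    """
    alerts = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        key = m["key"]
        if key in canaries:
            alerts.append(CanaryAlert(m["ts"], key, m["ip"], m["action"], canaries[key]))
    return alerts


def attacker_ips(alerts) -> set:
    """Distinct source addresses that touched a canary, for blocking or triage."""
    return {a.source_ip for a in alerts}


if __name__ == "__main__":
    for a in detect_canary_use(SAMPLE_LOG, CANARY_KEYS):
        print(f"{a.timestamp} canary {a.key_id} used from {a.source_ip} "
              f"({a.action}); {a.planted_at}")
```

The plant location travels with the alert on purpose: knowing which file the attacker read tells you which host or repository they had access to, which is usually the more important finding than the source address.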

1 week ago

Browser Blunders: Navigating the GenAI Security Minefield with a Smile

The GenAI browser threat model demands a fresh approach to security. As employees paste sensitive data into prompts, traditional controls fall short. By treating the browser as the GenAI control plane, enterprises can better manage risks while maximizing productivity. So, don’t hit the “block” button; instead, embrace browser-level defenses and keep the laughs coming.

1 week ago

GeoServer Vulnerability: The XXE Files – Patch Now or Face the Wrath of 2026

CISA has ordered U.S. federal agencies to patch a critical GeoServer vulnerability currently exploited in XML External Entity (XXE) injection attacks. This flaw, tracked as CVE-2025-58360, can lead to denial-of-service attacks and data breaches. Agencies must patch by January 1, 2026, or face a stern talking-to from their IT department.

1 week ago

GeoServer Glitch: U.S. CISA’s Newest Headache in the Vulnerability Catalog!

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog. This flaw, with a CVSS score of 8.2, could allow attackers to access internal files or trigger server-side requests. Federal agencies must fix this vulnerability by January 1, 2026.
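Both GeoServer items above come down to the same bug class, so here is an added example of what an XXE payload looks like and the standard way to refuse it (example code for this digest, not GeoServer’s own code or the actual exploit). The two constructed payloads declare an external entity pointing at a local file and at an internal URL, the file-read and server-side-request outcomes the catalog entry describes. The hardening shown is the one OWASP and defusedxml recommend: refuse any document carrying a DTD before it reaches the parser, since without an ENTITY declaration there is nothing to expand. Document contents and the alerting helper are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents for this example (not real GeoServer requests).
# The first declares an external entity that reads a local file; the second
# points it at an internal URL, the SSRF flavour of the same bug.
XXE_FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>"""

XXE_SSRF = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
]>
<data>&xxe;</data>"""

BENIGN = b"<data><name>layer1</name></data>"

# Matches the DTD constructs an XXE payload needs: a DOCTYPE (internal or
# external subset) or a standalone ENTITY declaration.
_DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Pulls the URIs out of external (SYSTEM/PUBLIC) entity declarations so the
# refusal can be logged with what the attacker was reaching for.
_EXTERNAL_ENTITY_RE = re.compile(
    rb'<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"',
    re.IGNORECASE,
)


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD and is therefore refused."""


def external_entity_uris(xml_bytes: bytes) -> list:
    """Return the URIs referenced by external entity declarations (for alerting)."""
    return [m.decode("ascii", "replace") for m in _EXTERNAL_ENTITY_RE.findall(xml_bytes)]


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any document that declares a DTD.

    Rejecting DTDs outright, rather than trying to configure every parser
    feature correctly, is the hardening that survives parser upgrades.
    """
    if _DTD_RE.search(xml_bytes):
        uris = external_entity_uris(xml_bytes)
        raise UnsafeXML(f"DTD declaration refused; external entities: {uris or 'none'}")
    return ET.fromstring(xml_bytes)


def rejects(xml_bytes: bytes) -> bool:
    """True if safe_parse refuses the document."""
    try:
        safe_parse(xml_bytes)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file read", XXE_FILE_READ), ("ssrf", XXE_SSRF)]:
        print(f"{label}: rejected={rejects(doc)} external={external_entity_uris(doc)}")
```

The check runs on the raw bytes before parsing, which is the point: a parser that has already started resolving an entity has already made the request. In a Java service like GeoServer the equivalent is setting the `disallow-doctype-decl` feature on the parser factory; the byte-level pre-check here is the language-agnostic version of the same rule.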

1 week ago

LastPass Fined £1.2M: When Password Managers Forget the Password to Security

LastPass was fined £1.2m by the UK’s ICO for security mishaps leading to the 2022 data breach. While passwords remained secure, 1.6 million users had personal data exposed. Hacker antics included exploiting known vulnerabilities and keylogging. It’s a reminder that even password managers need to mind the gaps in their defenses.

1 week ago
The Nimble Nerd