From The Aether
LastPass Fined £1.2M: When Password Managers Forget the Password to Security
LastPass was fined £1.2m by the UK’s ICO for security mishaps leading to the 2022 data breach. While passwords remained secure, 1.6 million users had personal data exposed. Hacker antics included exploiting known vulnerabilities and keylogging. It’s a reminder that even password managers need to mind the gaps in their defenses.
React2Shell: Patch or Perish – Federal Agencies Scramble to Fix Critical Vulnerability by December 2025
Federal agencies have until December 12, 2025, to patch the React2Shell vulnerability, a critical flaw affecting React Server Components. This bug allows attackers to inject malicious code without needing authentication. With a CVSS score of 10.0, it’s the cybersecurity equivalent of leaving your front door wide open during a zombie apocalypse.
React’s RSC Rollercoaster: New Vulnerabilities Prompt Urgent Updates!
React Server Components just got a fix-up! The React team tackled two new flaws that could lead to denial-of-service (DoS) or source code exposure. Thanks to vigilant security researchers, users are urged to update to the latest versions to dodge these digital banana peels. Stay patched, stay safe!
Coupang Chaos: Data Breach Debacle Leads to CEO Exit and Police Raid
Coupang’s CEO has stepped down after a massive data breach affecting 33.7 million users. Just as the dust was settling, the Seoul Metropolitan Police raided the company’s headquarters for information. Meanwhile, the new US-based executive is left to navigate the chaos and win back customer trust. What a week for Coupang!
MITRE’s 2025 Top 25 Software Weaknesses: The Usual Suspects and Newcomers Wreaking Havoc
MITRE has unveiled the 2025 top 25 list of dangerous software weaknesses. Cross-Site Scripting reigns supreme again, with new entries like Classic Buffer Overflow and Improper Access Control making their debut. Review this list to secure your software; after all, nothing says “fun” like preventing a cyber breach comedy of errors!
Hackers Cash In: $320K Earned at Zeroday.Cloud Hackathon!
Researchers earned $320,000 at the Zeroday.Cloud live hacking competition in London, thanks to exploits targeting open source technologies. With a whopping $4.5 million prize pool, hackers demonstrated their skills across AI, Kubernetes, and more. The standout moment? A $40,000 prize for a Linux kernel exploit. Looks like hacking pays… in cloud currency!
Hamas’s Cyber Espionage Evolution: Wirte’s Malware Expands Middle East Reach
Hamas’s cyber threat group, Wirte, has evolved from using basic tools to crafting a sophisticated malware suite. Known as “Ashen Lepus,” they’ve expanded espionage efforts beyond the Israel-Palestine conflict, targeting countries like Oman and Morocco. Their malware, “AshTag,” is designed to evade detection, proving it’s not just about rockets anymore.
Piracy No More: ACE’s Epic Takedown of India’s Streaming Scofflaws!
The Alliance for Creativity and Entertainment (ACE) is cracking down on illegal streaming services faster than you can say “binge-watch.” With the help of major studios like Disney and Netflix, ACE has dismantled the MKVCinemas piracy network in India, redirecting millions to their “Watch Legally” portal. Talk about a plot twist!
GeoServer Flaw Alert: Patch Now or Face a Cyber Storm! 🚨
CISA added a high-severity security flaw, CVE-2025-58360, in OSGeo GeoServer to its catalog. This vulnerability could let attackers access files, conduct server-side trickery, or cause chaos by exhausting resources. Before hackers make a GeoServer into their personal jukebox, patch it up with the latest version!
Trump’s AI Executive Order: Streamlining Innovation or Stifling State Rights?
Trump’s executive order aims to prevent states from crafting their own regulations for artificial intelligence, warning that a “patchwork of onerous rules” could hinder U.S. competition with China. With AI’s role in crucial decisions growing, states like Colorado and California already have laws to increase transparency and limit personal data collection.
Poker Face-Off: DEF CON’s EFF Tournament Raises $18K for Digital Rights
The 4th Annual EFF Benefit Poker Tournament at DEF CON raised $18,395, uniting digital rights advocates in a spirited game of No-Limit Texas Hold’Em. Hosted by EFF board member Tarah Wheeler, the event featured hacker royalty battling it out for prizes, with Sid taking home the jellybean trophy for the second year in a row.
Brave’s New AI Feature: A Hilarious Leap Toward Privacy with a Side of Danger!
Brave’s new AI browsing feature, powered by Leo, tackles the web like a privacy-focused superhero. While it can compare products and find promo codes, it’s not ready for mission-critical tasks. Running in a safe, separate profile, it promises no AI-driven cookie theft or accidental downloads from the Chrome Web Store.
Congress Sounds the Alarm: Expanded US Wiretap Powers Stir Privacy Concerns
Dell Cameron reports that experts warn Congress about the FBI’s warrantless access to Americans’ data under expanded US wiretap powers. The controversial spy program, meant for foreign threats, is allegedly being misused for domestic spying, sparking bipartisan outrage and calls for stricter safeguards.
Hackers Unleash Havoc: Gladinet’s Cryptographic Blunder Exposed!
Hardcoded cryptographic keys in Gladinet’s CentreStack and Triofox products are the latest party trick for hackers. By exploiting this vulnerability, they can access sensitive information and execute remote code. The fix? Update to the latest version and rotate those keys faster than a DJ at a wedding.
Gogs Zero-Day Chaos: Hackers Pull Off 700 Server Heist! 🚨
A critical Gogs zero-day vulnerability has led to the compromise of about 700 servers. Exploited by hackers, this flaw in the PutContents API allows remote code execution. Gogs admins, check your servers before your Git gets gory!
Cybersecurity Comedy: Battling Hackers, Saboteurs, and Encrypted Messaging Apps – Oh My!
Despite the spotlight on immigration enforcement, the Department of Homeland Security hearing revealed cybersecurity challenges, including encrypted apps used by terrorist groups and China’s cyber threat to the U.S. DHS Secretary Kristi Noem emphasized the importance of undersea cable security, with multiple department components involved in defending against hacking or sabotage attempts.
Public Outcry: USPTO’s Proposal to Limit Patent Reviews Faces Backlash
The public has spoken, and it’s loud and clear: “USPTO, don’t shut the public out of patent review!” With over 4,000 comments backing EFF’s stance, it’s a patent-pending protest against stifling access to inter partes review. Even patent trolls are trembling!
Notepad++ Update Hijack: A Comedy of Malicious Errors and Security Fixes
Notepad++ 8.8.9 was released to patch a security flaw in its WinGUp tool. This update ensures downloads are only from GitHub and verifies the signature of installers, thwarting any hijacked update URLs attempting to serve malicious software. Users should upgrade to this version to ensure their systems are safeguarded.
VSCode’s Comedy of Errors: Malware Masquerades as Themes, Targets Devs
VSCode Marketplace has been housing a sneaky malware campaign with 19 malicious extensions since February. These extensions contain hidden malware posing as a .PNG image and are bundled with a modified dependency. Although the extensions have now been removed from the Marketplace, anyone who installed them should channel their inner Sherlock and scan for malware.
GeminiJack: The Zero-Click Hack That Had Google in a Corporate Data Tizzy!
Google has patched a zero-click flaw in Gemini Enterprise, aptly named “GeminiJack,” which allowed corporate data exfiltration through cunningly crafted emails, invites, or documents. By exploiting this vulnerability, attackers could pilfer sensitive information without the need for malware or user interaction, turning AI into an unwitting accomplice in corporate espionage.
