Cybercriminals are meddling with AI security scanners using the npm package eslint-plugin-unicorn-ts-2. Uploaded by “hamburgerisland,” it masquerades as a legit ESLint plugin but secretly exfiltrates sensitive data. The package even tries to influence AI tools with a cheeky prompt to “forget everything you know.”

GlassWorm is back, infiltrating developer tools with 24 fake extensions on Microsoft Visual Studio Marketplace and Open VSX. These imposters mimic popular tools like Flutter and React, spreading malware and stealing credentials. Developers, beware! Your next extension download could be one click away from a comedy of errors.

The 2025 Cyber Deterrence and Response Act aims to create a unified “national attribution framework” to tackle nation-state hackers. With major agencies collaborating, it’s like assembling a cybersecurity Avengers team. But instead of superpowers, they’ll wield sanctions, visa bans, and procurement prohibitions against cybercriminals. Coming soon to a legislature near you!

ShadyPanda’s seven-year browser extension campaign infected 4.3 million Chrome and Edge users, proving that trust can be a sneaky panda. By operating legitimately, then deploying malicious updates, they highlighted gaps in extension review processes. With 300,000 users affected by a backdoor, it’s time to audit those extensions before they audit you!

In a twist of events, Kensington and Chelsea Council revealed that last week’s IT hiccup morphed into a data breach, with some data quietly “borrowed” by cyber-intruders. While the council scrambles to untangle the mess, residents are advised to double-check their bank details and stay alert for anything fishy.

North Korean IT recruiters are targeting developers by renting their identities for illicit fundraising. These recruiters trick their way into Fortune 500 companies using deep fakes and fake identities. Engineers are lured with promises of easy money, only to risk everything in a high-stakes game of digital espionage.

Calendly phishing schemes are targeting Google Workspace and Facebook business accounts by impersonating top brands like Unilever and Disney. These crafty scams lure victims into clicking fake meeting invites that lead to credential-stealing pages. It’s like being promised a fancy dinner date but ending up at a fast-food drive-thru with no fries!

Iranian nation-state actors, MuddyWater, have targeted Israeli entities with a new backdoor called MuddyViper. Their cyber antics are like a spy thriller with a computer science degree, complete with phishing emails, fake Snake games, and more RATs than a New York City subway. MuddyWater’s evolving tactics highlight its operational maturity.

Illuminate Education’s data breach exposed 10 million students’ sensitive info, prompting FTC action. Although no fines were issued, the company must now overhaul its security practices. This serves as a cautionary tale for edtech firms: if you promise top-notch data security, be prepared to deliver—or face the consequences.

Microsoft’s KB5070311 update for Windows 11 aims to enhance dark mode but instead leaves users feeling flash-banged by unexpected white screens when using File Explorer. While Microsoft works on a solution, users might want to embrace the light—literally—by switching off dark mode to avoid these blinding surprises.

Coupang, often called “Korea’s Amazon,” revealed a massive data breach affecting nearly 34 million South Korean customers. Personal information was exposed over five months. The incident sparked a response from authorities and has added another chapter to South Korea’s cybersecurity saga. Luckily, your payment data remains untouched—just like that gym membership you forgot to cancel.

Penn’s Oracle EBS breach has made the Ivy League a hacker’s playground, with attackers exploiting a zero-day flaw to swipe personal data. The university’s investigation revealed that 1,488 individuals were compromised, making it part of a larger extortion campaign by the notorious Clop ransomware gang.

Frenetik, a Maryland cyber startup, has a novel approach to cybersecurity: confuse attackers by constantly changing the environment. Imagine musical chairs for hackers—they’re left guessing while defenders know the real seats. Frenetik’s strategy deprives attackers of reliable information, making their job as frustrating as assembling IKEA furniture without instructions.

In the 2025 State of AI Data Security Report, AI is the office ninja: everywhere, unstoppable, and sometimes up to no good. Nearly universal adoption but only 13% oversight means AI is like a hyperactive toddler with access to the cookie jar. Enterprises need eyes on their AI, or risk a sugar rush of data…

Google’s latest Android security update squashes 107 bugs, including two actively exploited ones. It’s like a bug exterminator’s dream come true!

Proxyearth claims it can pinpoint any Indian citizen’s location using just their mobile number, making privacy as extinct as a dodo. While the site sounds like a harmless “mobile number tracker,” it’s actually a master at exposing highly sensitive data, from Aadhaar numbers to full identities.

Google’s latest Android Security Bulletin reveals 107 zero-day vulnerabilities, affecting the Android Open Source Project. While 51 flaws are patched, 56 more will be addressed soon. Notably, CVE-2025-48633 and CVE-2025-48572 may be under limited exploitation. So, if your phone starts acting like a rebellious teen, it’s time for an update!

Microsoft’s KB5070311 update for Windows 11 tackles the mystery of disappearing passwords and the enigma of File Explorer freezes. It’s like a digital detective, solving issues while keeping your computer safe from the chaos of holiday festivities. Install it for a smoother Windows 11 experience, minus the security fixes.

The UK’s data protection regulator is reviewing mobile games for privacy law compliance, targeting popular titles. Concerns include intrusive design, data sharing, and targeted ads. 84% of parents worry about children’s exposure to harmful content, while 76% fret over personal data sharing. The ICO aims to enforce the Children’s code for better privacy standards.

Cybersecurity experts in the US and UK are fretting over state-sponsored cyber-attacks, citing geopolitical tension and supply chain woes as major risks. Yet, 74% are boosting resilience measures. With the right preparation, they hope to thwart threats from notorious groups like North Korea’s Bybit burglars and Russia’s Sandworm.