iPhone 18 secrets spill onto the dark web

LastPass confirms data breach in Klue supply chain attack

LastPass xác nhận dữ liệu khách hàng trong môi trường Salesforce bị truy cập sau cuộc tấn công chuỗi cung ứng nhằm vào Klue hôm 12/6. Nhóm tống tiền Icarus đã xâm nhập hạ tầng Klue bằng thông tin đăng nhập cũ, đánh cắp token OAuth kết nối Klue với Salesforce của khách hàng. Dữ liệu bị lộ bao gồm tên, số điện thoại, email, địa chỉ, thông tin hỗ trợ và dữ liệu CRM. LastPass cho biết sản phẩm cốt lõi, dịch vụ và kho dữ liệu khách hàng không bị ảnh hưởng.

Lập trình viên nên đọc bài này để hiểu rõ về cách tấn công supply chain attack hoạt động như thế nào, từ đó nâng cao kiến thức bảo mật cho các ứng dụng và hệ thống của mình, đặc biệt là khi sử dụng các dịch vụ cloud như Salesforce.

Malicious Edge extension abuses Native Messaging as bridge to malware

A malicious Microsoft Edge extension called 'Edgecution' has been discovered abusing Chrome's Native Messaging protocol to escape the browser sandbox and deploy a Python-based backdoor. The attack chain begins with social engineering via Microsoft Teams, where attackers pose as IT support and direct victims to a fake Microsoft update page. From there, multiple scripts (AutoHotKey, batch, PowerShell) deploy the malware, which runs in a headless Edge browser and communicates with a local Python backdoor capable of executing shell commands, running PowerShell, writing files, and gathering system information. Zscaler researchers link the campaign to an initial access broker connected to the Payouts Kings ransomware operation. Organizations are advised to monitor browser extensions and enforce strict native messaging host controls.

SpaceX’s Starpipe: a gas pipeline for Starship

SpaceX is planning to build an 8-mile natural gas pipeline called Starpipe from the Port of Brownsville to its Starbase facility in Texas. The pipeline would replace the current truck-convoy fuel delivery system, which cannot support the high launch cadence Elon Musk envisions. Starship burns roughly 630,000 gallons of liquid methane per launch, requiring hundreds of tanker trucks today. Beyond the pipeline, SpaceX has signed over 100 oil and gas leases in Texas since 2023 and is exploring its own gas drilling, with plans for an on-site liquefaction plant at Starbase. The 16-inch diameter of Starpipe implies fuel demand far exceeding the FAA's current 25-launches-per-year cap, signaling SpaceX's long-term ambitions for Starlink, AI satellites, and Mars missions.

OpenAI hires Apple’s Vision Pro chief Paul Meade

Paul Meade, Apple's VP overseeing Vision Pro and smart glasses, is leaving to join OpenAI's hardware unit. He reunites with former Apple colleagues Jony Ive, Tang Tan, and Evans Hankey, whose startup was acquired by OpenAI for $6.5bn. The move is the most senior Apple defection yet, continuing a pattern of Apple hardware talent migrating to AI companies. Meade's departure follows an internal Apple restructuring that left several VPs reporting to a new layer of management. OpenAI is effectively reassembling Apple's former hardware leadership to build a post-smartphone AI device, while Apple's Vision Pro line remains in retreat with no redesign expected before 2028-2029.

NAIC says public data stolen in ShinyHunters' PeopleSoft breach

The National Association of Insurance Commissioners (NAIC) disclosed that the ShinyHunters extortion group breached its Oracle PeopleSoft server by exploiting a zero-day vulnerability (CVE-2026-35273). NAIC contends that only publicly available statutory financial reports, outdated logs, and configuration files were stolen, with no PII or financial data exposed. ShinyHunters, after NAIC refused to pay ransom, leaked data and claims to hold 3.1 TB across 105,000 files including stored credentials for critical regulatory platforms. NAIC disputes these claims, stating those platforms were not compromised. The same zero-day has allegedly impacted over 100 organizations, primarily in the education sector.

Brand on the Line: CISOs to Watch in Retail and Consumer Brands

A profile of five CISOs leading cybersecurity programs at major retail and consumer brands including Levi Strauss, Topgolf Callaway, Burlington Stores, Family Dollar, and New Balance. Each leader brings cross-sector experience spanning healthcare, financial services, and hospitality. Key themes include protecting payment card data, loyalty program records, e-commerce platforms, and supply chain data. The piece frames retail security as fundamentally a consumer trust problem, where breaches damage brand relationships beyond just regulatory exposure.

Mastercard opens African cybersecurity hub

Mastercard has launched an Africa Cybersecurity Centre of Excellence, a virtual pan-African initiative starting in South Africa and Nigeria. The hub will offer cyber-risk analysis for up to 50 organisations and an Africa-focused threat-intelligence feed powered by Recorded Future, which Mastercard acquired for $2.65 billion in December 2024. The announcement was timed to CEO Michael Miebach's visit to both countries and carries endorsements from both nations' presidents. South Africa accounts for roughly 29% of ransomware attacks and 40% of phishing incidents on the continent. The move reflects Mastercard's broader strategy of expanding from card payments into security and intelligence services, having invested over $12.6 billion in cybersecurity since 2018.