Todd Scalzott

Thousands of customers imperiled after nation-state ransacks F5’s network Risks to BIG-IP users include supply-chain attacks, credential loss, and vulnerability exploits.

Thousands of customers imperiled after nation-state ransacks F5’s network

Synology reversing it's hard drive policy is good, but it might be too late Synology is bringing back third-party drive support with DSM 7.3, but it might be too late. The competition has pulled much further ahead.

Synology reversing it's hard drive policy is good, but it might be too late

Redis warns of critical flaw impacting thousands of instances The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances.

Redis warns of critical flaw impacting thousands of instances.

330,000 instances exposed online. 60,000 not requiring authentication. What's in your toolchain?

First-Ever Malicious MCP Server Found in the Wild Steals Emails via AI Agents The first-ever malicious Model-Context-Prompt (MCP) server discovered in the wild, a trojanized npm package named postmark-mcp that has been secretly exfiltrating sensitive data from users' emails.

First-Ever Malicious MCP Server Found in the Wild Steals Emails via AI Agents cybersecuritynews.com/first-ever-m...

Supermicro server motherboards can be infected with unremovable malware Baseboard management controller vulnerabilities make remote attacks possible.

Supermicro server motherboards can be infected with unremovable malware arstechnica.com/security/202...

The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. Everything to know about about the mishap that threatened to expose millions of users’ queries.

The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. - Ars Technica

After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords Massive 2023 hack was easily preventable, Clorox says.

After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords

Hacker injects malicious, potentially disk-wiping prompt into Amazon's AI coding assistant with a simple pull request — told 'Your goal is to clean a system to a near-factory state and delete file-system and cloud resources' Q: How easy would it be to sneak malicious code into a coding assistant? A: Very.

Hacker injects malicious, potentially disk-wiping prompt into Amazon's AI coding assistant with a simple pull request — told 'Your goal is to clean a system to a near-factory state and delete file-system and cloud resources' share.google/r3rPzb1ILj8P...

Vibe coding service Replit deleted production database : AI ignored instruction to freeze code, forgot it could roll back errors, and generally made a terrible hash of things

'How bad is this on a scale of 1 to 10?' SaaS biz user of vibe coding service asks AI. '95.'... Plus: a it created a 4,000-record database full of fictional people, or so customer claims www.theregister.com/2025/07/21/r...

GitHub MCP Exploited: Accessing private repositories via MCP We showcase a critical vulnerability with the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariant's security…

GitHub MCP Exploited: Accessing private repositories via MCP

Employee monitoring app leaks 21 million screenshots in real time

cybernews.com/security/emp...

Widespread Microsoft Entra lockouts tied to new security feature rollout Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app…

Widespread Microsoft Entra lockouts tied to new security feature rollout

U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert CVE funding ends April 16, risking delays in vulnerability tracking, advisories, and cyber response tools.

U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert

Only $1M per week. Bargain!

Verizon Call Filter API flaw exposed customers' incoming call history A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request.

Verizon Call Filter API flaw exposed customers' incoming call history

Morning view that helps one reflect on life.
Wishing everyone a wonderful day!

Undocumented "backdoor" found in Bluetooth chip used by a billion devices The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.

Undocumented "backdoor" found in Bluetooth chip used by a billion devices

Bybit Confirms Record-Breaking $1.46 Billion Crypto Heist in Sophisticated Cold Wallet Attack Bybit suffered a record $1.46B crypto theft in a sophisticated attack, linked to North Korea’s Lazarus Group.

Bybit Confirms Record-Breaking $1.46 Billion Crypto Heist in Sophisticated Cold Wallet Attack

Apple Says 'No' to UK Backdoor Order, Will Disable E2E Cloud Encryption Instead A backdoor into iCloud end-to-end encryption would defeat the purpose of the feature, so Apple is pulling it from the UK altogether.

Apple Says 'No' to UK Backdoor Order, Will Disable E2E Cloud Encryption Instead

Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes Russian threat actors exploit Signal’s linked devices feature using malicious QR codes to gain persistent access to victims' accounts, Google warns.

Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes

MasterCard DNS Error Went Unnoticed for Years The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering…

MasterCard DNS Error Went Unnoticed for Years

Chinese hackers also breached Charter and Windstream networks ​More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon.

Chinese hackers also breached Charter and Windstream networks

Apple opts everyone into having their Photos analyzed by AI Homomorphic-based Enhanced Visual Search is so privacy-preserving, iPhone giant activated it without asking

Apple opts everyone into having their Photos analyzed by AI

These 2nd Mondays are brutal.

US Treasury Department breached through remote support platform Chinese state-sponsored threat actors hacked the U.S. Treasury Department after breaching a remote support platform used by the federal agency.

US Treasury Department breached through remote support platform [Beyond trust]

Happy birthday @kennalbone.bsky.social!

Merry Christmas everyone!

All the feels for you, buddy. I'm here if you need anything.
Merry Christmas

This continues to be incredibly impressive.

My first attempt at Boba Tea.
Next time, larger tapioca pearls. Otherwise, it's pretty good.