Last year, Neowin reported on a privacy-focused study which examined how various web browsers ensure user privacy. Surprisingly or perhaps unsurprisingly, Google Chrome came out on top as the worst among all, edging out Microsoft's Edge. The two scored 76 and 63, respectively (the higher the score, the worse it is). To be fair to Chrome, Vivaldi was just as bad as Chrome as it scored 75. Mozilla's Firefox however did much better as it put up 50 out of 100. You can view the full scorecard in our dedicated article.

From time to time, however, Google keeps adding features that promise to enhance user privacy. A new report though agrees with the previous study as it suggests that Google Chrome offers "almost no native anti-fingerprinting defences, unlike Brave, Firefox, or Tor." The report investigated the features Google offers on Chrome to protect users against device fingerprinting and browser fingerprinting, among others. Sadly most of it seemed sub-par, leading the author to conclude that Google abandoned its Privacy Sandbox plans and "left us with nothing". Google did have its reasons which you can read about in our coverage.

If you are not aware, browser fingerprinting, similar to one in real life, is unique, and it provides tracking data to browsers that is exclusive to only us and our devices. Hence, it essentially hinders anonymity on the web. It works by generating a unique fingerprint for each user, grabbing data from their OS, GPU, CPU, and other hardware.

The issue is mainly because of how modern browsers have come to be. They are far more than just simple web access tools now as they act as full-fledged platforms that can handle logins, store passwords and PINs, sync data across devices, and track user activity for performance and personalization.

Hence unlike malware which typically raise immediate red flags, browser-level tracking is often built into its core functionality and is dependent on collecting user information. Thus browsers become sort of like a centralized hub of sensitive data by collecting everything from browsing history, session tokens, to saved credentials and device fingerprints, and things can easily go wrong.

And they can go from bad to worse on Chrome as it comes with "canvas, audio, WebGL, fonts and speech synthesis APIs completely unprotected," which means all that unique user data could be accessible to the online world.

Interestingly, Mozilla Firefox offers some native resistance against fingerprinting with the privacy.resistFingerprinting flag that can be enabled inside about:config. Brave, meanwhile, offers even better privacy protection with its built-in Farbling feature such that it blocks known fingerprinting scripts and randomizes canvas output so it changes every session, even though it displays correctly to the end user. Finally, Microsoft's own Edge also offers more than Google Chrome thanks to its Tracking Prevention feature and can limit fingerprint tracking.

Source: That Privacy Guy

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 18 April 2026 at 7:35 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

On April 2, 2026, a security researcher using the name Chaotic Eclipse published a blog post stating that they were "doing it again." Under this warning, a link to a GitHub account page for a user named "Nightmare Eclipse" containing an exploit known as BlueHammer.

BlueHammer, as it turns out, is a zero-day Windows exploit, meaning it was released into the wild ahead of any Microsoft action. BlueHammer has been confirmed to work by Will Dormann, a principal vulnerability analyst at Tharros (via ).

As explained, BlueHammer works by exploiting a local privilege escalation (LPE), time-of-check to time-of-use (TOCTOU), and a path of confusion, breaking down Windows Defender to the point where attackers receive SYSTEM privileges for a complete PC takeover.

It's a nasty little bug, to say the least, and it appears to have been released into the wild due to perceived incompetence on the part of Microsoft's Security Response Center (MSRC).

Microsoft Security Response Center takes the blame; Microsoft responds

Google has doubled down on its crackdown on ad-blockers in recent years, systematically closing nearly every loophole that once let users watch YouTube videos without ads.

However, there may still be ways to bypass the intrusive ads that interrupt live content without resorting to YouTube’s costly Premium subscription. The company recently announced that it will stop showing ads in livestreams if certain conditions are met.

According to the blog post shared by the video-sharing platform, its system can now detect when engagement in a livestream's chat is at its peak, then automatically skips ads for everyone watching.

YouTube highlighted multiple ways to boost engagement during livestreams, including letting viewers send gifts through both horizontal and vertical broadcasts from their mobile devices. Gifts are also being expanded to Canada, Korea, Indonesia, Thailand, Australia, and New Zealand.

Just this year, YouTube intentionally turned off comments and descriptions for some users with ad-blockers installed on their devices. This is on top of killing background play on third-party mobile browsers, preventing playback, and intentionally throttling videos for users with ad blockers.

Until now, it seemed like the only way around these issues was getting YouTube's $14/month Premium subscription plan, even though Google plans to hike the price to $16 as part of the company's plan to “continue improving Premium and support the creators and artists.” Alternatively, you can switch to privacy-focused browsers like Brave.

I guess this new engagement-focused method of blocking ads during livestreams makes it a third option, albeit for a very specific type of content. I'll take it.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 16 April 2026 at 9:22 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Although Microsoft Office (LTSC and Microsoft 365) on the desktop offers the full fledged versions of Office apps, the web versions of these services are also very capable and do contain the core functionalities. The Redmond tech giant regularly tries to bridge some of these gaps between the two variants, and now, it has made some more headway in this regard.

Up until now, customers were only allowed to open and edit files with sensitivity labels and custom user permissions in Office for the web. If they wanted to apply new labels or modify permissions, they were forced to open the file in the desktop app. Fortunately, Microsoft has now fixed this issue across Word, Excel, and PowerPoint on the web, bringing feature parity for sensitivity labels.

Moving forward, when users open the Permissions settings in Office on the web, they will be greeted with the same modernized experience that they are accustomed to on desktop. They will be able to apply a label configured for user-defined permissions, based on what has been made available to them from IT admins using Purview. They can specify users and domains, their respective roles (Viewer, Restricted Editor, Editor, Owner), and leverage advanced options if needed. That said, do keep in mind that you won't be able to set a custom expiration date for permissions on the web.

Microsoft has assured customers that after they apply and update their changes on the web, their enforcement policies will be identical across desktop and the web, following your organization's policies.

The Redmond tech giant has requested IT admins to update their training material and documentation to make customers aware about this compliance change. Admins should also audit their existing labels and monitor their usage.

In order to leverage these sensitivity labels with custom user permissions, an organization should meet the following criteria:

• Have a license that supports configuring Purview sensitivity labels
• Have sensitivity labeling enabled for files stored in SharePoint and OneDrive
• Have configured at least one sensitivity label for user-defined permissions

You can find out additional details here.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 15 April 2026 at 7:30 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Google has announced that it will start punishing websites found guilty of "back button hijacking," a practice where a site intentionally breaks your browser's back button.

You have likely experienced this before. Website developers, or sometimes ad network operators, use JavaScript to manipulate your browser's history stack. This means when you press back (especially on mobile), instead of returning to your search results, you get sent to a completely different page full of spam, unsolicited ads, or affiliate links.

Google said it has noticed a sharp rise in this behavior, which is why the company is making back button hijacking an "explicit violation" of its malicious practices policy. Site owners have about two months from today, until June 15, 2026, to remove any script that messes with a user's browser history. That includes checking any ad network code or third-party libraries they have installed on their websites. If they do not, they may face consequences like manual spam actions or demoted rankings in Google Search results.

The new anti-"back button hijacking" policy joins a host of other spam policies the search giant has added over the last two years. For example, the "Parasite SEO" policy targets the practice of a highly trusted, authoritative website renting out a section of its domain to a third party to host low-quality or unrelated content.

With "Parasite SEO," the third-party takes advantage of the fact that the host site has strong ranking signals to rank higher in search. Google first rolled out its spam policy against this in March 2024, then came back almost a year later with an update clarifying that it still counts as a violation even if the host site claims to have "editorial oversight" over the content.

There's also the policy that was announced on March 5, 2024, to deal with expired domain abuse. This is when people buy expired domains that have strong, pre-existing reputations and fill them with low-value affiliate content. A spammer could buy an old, respected charity's domain and use its old authority to sell questionable products.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 15 April 2026 at 7:29 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Michael Cotter had a problem: “Chargebacks” at his tech support company were too high. The reason for this was not hard to find; people at his company, Tech Live Connect, were scamming Cotter’s fellow Americans.

The scams usually began with a pop-up message warning that a user’s computer might have a virus. The pop-up then claimed to run a “scan” (which was always positive) of the computer and provided a toll-free number to call for more help. Those who called were connected to Tech Live Connect’s Indian call center, where they were asked for remote access to their computers, diagnosed with fake problems, and charged hundreds of dollars to “fix” them. Call center workers often pretended to be Apple or Microsoft employees.

Defrauded people complained in droves.

Even worse—they filed chargebacks with their credit card companies, disputing these payments. A high rate of chargebacks is usually a pretty good sign of fraud, and payment processors will often apply penalties or stop credit card acceptance altogether if chargeback ratios climb too high. By the middle of 2015, one payment processor was already warning that it could soon terminate five of Tech Live Connect’s merchant accounts over chargeback concerns.

To make the problem stop, Cotter could have clamped down on the fraud, of course, but this was where the money was. Cotter did claim that he had a policy of firing call center workers who conducted scams, but he eventually admitted that the policy “was not enforced consistently.” Repeat scammers at his company were in some cases promoted, not fired.

Instead, Cotter came up with a different approach to the chargeback problem, one that would fight concerns about fraud by… generating a lot more fraud.

Pay yourself first

In 2016, Cotter began purchasing virtual debit cards. Tech Live Connect then used the cards to pay fake invoices. Essentially, the company was paying itself. But it now looked like Tech Live Connect was processing many more legitimate charges, which diluted the impact of all those fraud claims. The chargeback ratio fell.

Payment processors aren’t idiots, and a huge number of new charges was likely to arouse suspicion. (Indeed, one processor suspected that Tech Live Connect was using “friendly” charges as early as 2018.) To make the charges look legitimate, Tech Live Connect processed them using real customer data, including names and addresses.

Once Tech Live Connect got its chargeback ratio low enough, it used this data to get more merchant accounts, allowing it to stay in business longer and for people there to scam new targets. Cotter eventually admitted that, by keeping his company open using this scheme, he defrauded Americans of an additional $8 million or so.

The scheme ran for four years, and it had to be managed every month. In March 2018, for instance, Cotter’s team realized that it needed 27,000 more “good” transactions that month to outweigh all the bad ones, so it spent $140,000 to acquire 3,000 virtual debit cards, which it then charged through six different payment gateways.

For a plan that involved giving money to yourself, this one proved surprisingly costly. By the time Tech Live Connect acquired the cards in bulk, which required third-party vendors, and then paid all processing charges, half of the money charged was gone.

Still, it was worth a few million dollars to keep the company in business. Tech Live Connect made significant cash—more than $13 million during the four years this system was in operation.

Payment processors grew suspicious despite Cotter’s tricks, and by 2020 the US Postal Inspection Service had launched an investigation. Cotter was charged later that year and by December 2020 had been hit with an injunction ordering him to stop “selling technical-support services or software via telemarketing or websites.”

The legal case dragged on for years, until Cotter finally pleaded guilty in January 2026 to one count of conspiracy to commit bank fraud. Last week, the 64-year-old Cotter was sentenced to 28 months in prison.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 14 April 2026 at 8:14 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Neowin readers are well aware of how legit Windows 11 updates can break important features and functions like Start menu Search and PC reset option; however, malicious forged ones can be even more deadly. One such fake Microsoft support website has been tricking users into installing a malicious “Windows update” that silently steals sensitive data, according to new research published by Malwarebytes.

The cybersecurity firm notes that the campaign is being carried out by a convincing phishing site hosted on a typosquatted domain designed to mimic official Microsoft support pages. The attack targets Windows users mainly in France by offering what appears to be a legitimate cumulative update for Windows 11 24H2. Coincidentally, the French government just decided to dump Windows in favor of Linux, and although likely unrelated, we wonder if that has any connection.

According to the researchers, the site "microsoft-update[.]support" presents a familiar UI and color scheme, complete with a fake knowledge base (KB) reference and a prominent "Download the update" button. Users who click it receive an 83MB installer file labeled “WindowsUpdate 1.0.0.msi,” that appears indeed authentic at first glance. Observant ones will notice in the image below, that the update being delivered, "KB5034765", was actually released back in February 2024 for Windows 11 23H2 and 22H2, not for 24H2.

The attack also uses trustworthy technologies to mask the real intent. The installer is built using WiX Toolset, a widely used open-source framework, and deploys an Electron-based app, effectively a Chromium browser shell, to execute the payload. This layered approach helps the malware evade antivirus detection. Malwarebytes notes zero detections recorded across dozens of security engines at the time of analysis as the executable itself is clean.

Once executed, the installer launches a Visual Basic script that triggers the Electron app, which in turn spawns a disguised Python process. This process installs multiple packages commonly associated with data theft, including tools for encryption, system inspection, and deep Windows API access. The malware then begins harvesting sensitive data as Malwarebytes found it can extract browser-stored credentials, Discord tokens, and capture payment-related information.

To maintain persistence, the malware has devised several things in its favor including a registry entry disguised as an actual Windows security component and a startup shortcut pretending to be a Spotify app .lnk launcher. This approach ensures the malware survives system reboots with minimal suspicion.

Users are advised to install updates only through official Windows Update settings or trusted Microsoft domains. You can also follow Neowin as we cover these updates and link to official, secure Microsoft sites only, or reputable third-party apps. Any standalone update downloads from an unfamiliar website should be treated as suspicious and with extreme caution. You can find more technical details in the original blog post here on Malwarebytes' website.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 14 April 2026 at 5:09 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

The use of Adobe PDF documents in cybersecurity threats is far from uncommon; they represent a primary “malicious document” attack surface for those using social engineering tactics, for example. When it comes to zero-day exploits targeting the Adobe Reader used to view such files, however, that’s a different matter. So, when a security researcher reveals a “highly sophisticated, fingerprinting-style PDF exploit" being used against such a zero-day vulnerability, you need to take it seriously. Perhaps even more so when those attacks have been ongoing since December 2025.

Sophisticated Adobe PDF Zero-Day Exploit—Attacks Against Adobe Reader Ongoing

A security researcher has confirmed that threat actors have been exploiting a zero-day vulnerability that exists within Adobe Reader, used to view Adobe PDF files, since at least December 2025. The critical vulnerability has now been comfirmed as CVE-2026-34621 by Adobe.

Haifei Li, best known for developing a sandbox-based exploit-detection platform called EXPMON, has warned that attackers are exploiting a “zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat Application Programming Interfaces, and it is confirmed to work on the latest version of Adobe Reader.”

The use of maliciously crafted Adobe PDF documents is, as mentioned previously, not exactly shocking nor new. Just ask Dropbox, Microsoft or PayPal users, and they will unhappily confirm that. This zero-day attack, however, isn’t reliant on a victim clicking a dodgy link in the PDF attachment, though. It’s much worse than that. The exploit “works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li warned.

Another security researcher, posting on X as Gi7w0rm, said that it “seems to exploit part of Adobe Reader’s JavaScript engine,” and that the documents that have been seen to be used in attacks so far “contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia.”

I reached out to Adobe for a statement and advice for users, and a spokesperson confirmed that a security bulletin has now been added to address the vulnerability and that an update is now available for Adobe Acrobat and Reader for Windows and macOS.

The following products have updates available, and all have been given a priority one status by Adobe:

• Acrobat DC
• Acrobat Reader DC
• Acrobat 2024

Users can update their software manually by choosing the Help|Check for Updates menu option. Adobe said that the software will “update automatically, without requiring user intervention, when updates are detected. “

As far as administrators in managed environments are concerned, Adobe recommended installing the updates “via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM for Windows, or on macOS, Apple Remote Desktop and SSH." Sorry to spoil your weekend folks.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 12 April 2026 at 4:01 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

The two utilities have millions of users who rely on them for tracking the physical health of internal computer hardware and for comprehensive specifications of a system.

Users who downloaded either tool reported on Reddit recently that the official download portal points to the Cloudflare R2 storage service and fetches a trojanized version of HWiNFO, another diagnostic and monitoring tool from a different developer.

The name of the malicious file is HWiNFO_Monitor_Setup, and running it launches a Russian installer with an Inno Setup wrapper, which is atypical and highly suspicious.

Users reported that downloading the clean hwmonitor_1.63.exe from the direct URL was still possible, indicating that the original binaries were intact, but the distribution links appear to have been poisoned.

The externalized download chain was also confirmed by Igor’s Labs and @vxunderground, who reported that a fairly advanced loader using known techniques, tactics, and procedures (TTPs) is involved.

“As I began poking this with a stick, I discovered this is not your typical run-of-the-mill malware,” stated vxunderground.

“This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.”

The researcher claims that the same threat group targeted users of the FileZilla FTP solution last month, suggesting that the attacker is focusing on widely used utilities.

The downloaded ZIP is flagged by 20 antivirus engines on VirusTotal, although not clearly identified. Some classify it as Tedy Trojan, and others as Artemis Trojan.

Some researchers on Virustotal say that the fake HWiNFO variant is an infostealer malware.

BleepingComputer has contacted CPUID to learn more about what happened, the date of the compromise, the affected versions, and what impacted users should do. A spokesperson has provided the following statement.

The same person told us that the hackers hit them at a time when the main developer was away on holiday.

Currently, it appears that CPUID has fixed the problem and now serves clean versions for both CPU-Z and HWMonitor.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 11 April 2026 at 4:58 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Brady Frey did not realize that his daughter lied about her age when she set up her Discord account. He only found out after her account got hacked and he got trapped in a spiraling support nightmare while trying to stop the hacker from targeting dozens of her young friends with financial extortion scams.

When Frey’s daughter signed up for Discord, she was 12 and technically not old enough to have an account. But like many kids who, regulators have found, commonly lie about their age to access social media platforms, she didn’t want to wait another year to join her friends on the messaging app. Hiding her age, she created an account that listed her as over 18 years old.

Now 13, the teen had been happily using the app for months when she suddenly got locked out of her account after clicking on a link from an attacker posing as Discord support. Since she didn’t enable two-factor authentication, the attacker was able to commandeer the account. Frey only found out what was happening when the attacker asked the teen to share her parents’ banking information if she wanted to get her account back.

Once Frey realized his daughter had been hacked, he assumed that Discord would promptly intervene, recognizing that many minor victims on her friends list could be harmed the longer the attacker kept control. Instead, Discord’s chatbot, Clyde, and a seeming human support member, Nelly, automatically closed her support tickets after telling her it would be best to report the issue from inside the app, which she could not access.

Frey told Ars he was shocked to see a platform as big as Discord relying on such poor support infrastructure.

“There’s no pathway for a parent to step in and advocate for a minor whose account has been compromised,” Frey told Ars.

Discord won’t update age setting

Eight days passed, as Frey attempted to evade the support forum’s irrelevant auto-responses and abrupt ticket closures by clearly explaining that “we’re requesting priority handling given this involves a minor, and this account is actively communicating with other minors who may also be targeted by the same social engineering tactics.” But the ticket was ignored, and the hacker wasn’t booted until Ars intervened.

Logging back into the account and surveying the damage, Frey told Ars that 38 of his daughter’s friends were targeted with a social engineering scam that Bitdefender reported in February is “widespread” on Discord.

Posing as the teen, the attacker claimed that she had accidentally reported her friends’ accounts as hackers and urged them to click links to verify their authenticity. Most of the friends seemingly did not fall for the scam, but two users appeared to have taken the bait, Frey told Ars.

While his daughter tried to contact her friends in the real world, Frey’s top priority once access was restored was to update the age setting. Hoping to help his daughter avoid future safety risks, he wanted to link her account to a Family Center that gave him parental controls. But the support nightmare continued, as Discord informed him that there is currently no way to “change the status of a Discord account if it was created as 18+.”

In the future, Discord plans to roll out global age checks that would rely on AI and other methods to detect and verify users like Frey’s daughter, who should be marked as a teen. But in the meantime, Frey’s experience shows “what happens after a minor in real life is compromised and a parent tries to get help,” Frey said.

On top of repeated issues with the support forum, “Discord’s in-app reporting tools failed repeatedly,” he told Ars. “I couldn’t successfully submit reports through the platform’s own safety infrastructure.” And “when I pointed out that the attack was actively spreading to multiple children at the same school, it didn’t change the response,” Frey said.

Eventually, Discord reviewed the support tickets and banned the account, telling the teen that she had violated community guidelines by starting an account when she was 12. The only way to restore the account with age-appropriate settings would be to share a photo of the teen with identifying documents, like a birth certificate or passport.

Asked for comment, a Discord spokesperson told Ars that the platform “takes situations like this seriously, especially when they involve teens and account security.”

“We have clear policies on account takeovers and when we’re able to restore access,” Discord’s spokesperson said. “In this case, we validated account ownership, restored access, and provided a path for the user to confirm their age.”

Commenting on the scam, Discord said that “users should avoid suspicious links and enable two-factor authentication, and we encourage teens to have open conversations with a parent or guardian about their experiences online, with families using tools like Family Center to stay informed and engaged.”

Although Frey was hesitant to share his daughter’s sensitive documents due to privacy concerns following a Discord breach that exposed 70,000 IDs last fall, he “decided to go ahead with the age verification” so that she wouldn’t lose access to her account entirely. That process also proved difficult, with two support tickets ignored before Ars intervened again.

For Frey and his daughter, the ordeal stretched for more than four weeks of back-and-forth to reach this resolution. But for Frey, Discord’s unwillingness to update his daughter’s age setting sparked additional concerns that the platform might be hiding what it knew about his daughter’s account and when.

“Regardless of what age the account was set to at creation, my daughter is 13,” Frey said. “She was hacked. The attacker locked her out via 2FA, used her account to propagate the same attack to other children at her school, and attempted to solicit financial information from her and her peers.”

Seeking answers he couldn’t get from Discord’s support forum, he requested her data from Discord and soon confirmed his suspicions: The platform had labeled his daughter as a teen internally days before the hack occurred.

Data reveals Discord knew teen’s age

Frey has a background in digital art and technology, and his daughter dreams of becoming an animator. He told Ars that as his daughter developed interests in various online tools, including apps like Discord and Roblox, his family openly discussed the risks of using these platforms and apps.

“We’re not rookies on technology,” he said.

After receiving the data dump on his daughter’s Discord account, a couple of things stuck out immediately as odd to Frey.

“There’s no age recorded at signup, but there’s something worth flagging: her data includes an age_group field set to ’13–17,’ confirming Discord’s system knows she’s a teen,” Frey told Ars.

According to the data, Discord updated this field on March 9, about nine days before the account was hacked on March 18.

“They changed the age on their side, even though we can’t change the age on ours,” Frey said.

Additionally, Frey noticed that a separate field, “is_underage,” was set to “false.” He told Ars that he thinks that “discrepancy matters because the underage flag likely controls whether stricter ad protections” for kids are “applied.”

Since his daughter set up the account with an 18+ setting, it’s possible that the field corresponded to her self-reported age. But Frey could see that Discord updated the setting twice: once two days after the hack, and again after her account was restored. Each time, she was marked as not underage, despite support forum messages that repeatedly informed Discord she was 13.

Seemingly, that meant that the platform could create “a detailed behavioral ad profile” on the teen, even though its internal system had categorized her in the 13–17 age group, Frey said.

Samantha Baldwin, a policy and research staff technologist for the Electronic Frontier Foundation (EFF), told Ars that Discord’s hesitancy to formally update the age setting is telling. Frey’s case shows why privacy advocates believe that age verification laws aren’t about “protecting children” but about “surveillance and censorship,” she said.

“That they would not recategorize a minor’s account demonstrates this clearly,” Baldwin said. “Discord is in the business of making money by selling their users’ personal data. They are implementing ‘age verification’ to meet regulatory compliance and to collect more data about their customers, not protect children.”

EFF has long warned against age-gating the Internet, opposing the mass collection of IDs that might block users from accessing platforms and viewing age estimation technology as ineffective and privacy-invasive.

Ultimately, Frey let his daughter share her passport with Discord to end the issues with her account. That could put the teen’s sensitive identifying information at risk of a future breach, but Frey said he weighed his options and decided that the passport seemed to risk less exposure for a minor than sharing her birth certificate.

To avoid such risks, Discord plans to stop collecting as many IDs and rely on new technology, like on-device face scans and age signals, to detect when users are lying about their ages as global age checks roll out later this year. But any time a user appeals their age estimation, Discord would still require an ID. And for minors who may not be as skilled at explaining their issues to a chatbot, Frey’s experience shows how easily they could end up in the support loop that he got stuck in while attempting to free his teen’s account from a hacker.

For his daughter, getting the OK to share her passport meant she could finally chat with her Discord pals again. After weeks of begging for support, the teen was clearly exasperated when she tried to share her passport, and Discord support did not accept it and instead asked for a face scan. The chatbot Clyde seemingly messed up when prompting her to verify her age with k-ID, which Discord uses in some regions but not in the US currently.

“Please reopen the ticket, it is not about the Face Scan,” the teen said.

But the ticket wasn’t reopened until Ars poked Discord one last time. Her chat with Clyde ended instead with a plea from the teen that fell on deaf ears: “Hi Discord, we have a history of this problem. Please reopen the ticket. The automatic close is incorrect, just like it was wrong on the other tickets over the past month.”

Source

The attackers used malicious Microsoft 365 sign-in pages to steal victims' authentication tokens and session cookies by redirecting them to domains (e.g., bluegraintours[.]com) hosting malicious web pages (pushed to the top of search engine results through malvertising or SEO poisoning) that masqueraded as Microsoft 365 sign-in forms.

This allowed Storm-2755 to bypass multifactor authentication (MFA) in adversary‑in‑the‑middle (AiTM) attacks by replaying stolen session tokens rather than re-authenticating.

"Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture session cookies and OAuth access tokens issued upon successful authentication," Microsoft explained.

"Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant."

Storm-2755 attack flow (Microsoft)

After gaining access to an employee's account, the attacker created inbox rules that automatically moved messages from human resources staff containing the words "direct deposit" or "bank" to hidden folders, preventing the victim from seeing the correspondence.

In the next stage, they searched for "payroll," "HR," "direct deposit," and "finance," then sent emails to human resources staff with the subject line "Question about direct deposit" to trick staff into updating banking information.

Where social engineering failed, the attacker logged directly into HR software platforms such as Workday, using the stolen session to manually update direct deposit details.

Storm-2755 emailing HR staff (Microsoft)

To harden defenses against AiTM and payroll pirate attacks, Microsoft advises defenders to block legacy authentication protocols and implement phishing-resistant MFA.

If any signs of compromise are detected, they should also revoke compromised tokens and sessions immediately, remove malicious inbox rules, and reset MFA methods and credentials for all affected accounts.

In October, Microsoft disrupted another pirate payroll campaign targeting Workday accounts since March 2025, in which a cybercrime gang tracked as Storm-2657 targeted university employees across the United States to hijack their salary payments.

In these attacks, Storm-2657 breached the targets' accounts via phishing emails and stole MFA codes using AITM tactics, which allowed the threat actors to compromise the victims' Exchange Online accounts.

Payroll pirate attacks are a variant of business email compromise (BEC) scams that target businesses and individuals who regularly make wire transfers. Last year, the FBI's Internet Crime Complaint Center (IC3) recorded over 24,000 BEC fraud complaints, resulting in losses exceeding $3 billion, making it the second most lucrative crime type behind investment scams.

Source

A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's radar.

AI browser extensions don't trigger your DLP and don't show up in your SaaS logs. They live inside the browser itself, with direct access to everything your employees see, type, and stay logged into. AI extensions are 60% more likely to have a vulnerability than extensions on average, are 3 times more likely to have access to cookies, 2.5 times more likely to be able to execute remote scripts in the browser, and 6 times more likely to have increased their permissions in the past year. These extensions install in seconds and can remain in your environment indefinitely. 

The Browser Extension Threat Surface Is Everybody, Yet Nobody Is Watching

The first misconception is that extensions are a niche risk. Something limited to a subset of users or edge cases. That assumption is completely wrong.

According to the report, 99% of enterprise users run at least one browser extension, and more than a quarter have over 10 installed. This is not a long tail problem; it is universal.

Yet most organizations cannot answer basic questions. Which extensions are in use? Who installed them? What permissions do they have? What data can they access?

Security teams have spent years building visibility into networks, endpoints, and identities. Ironically, browser extensions remain a major blind spot. 

While much of the discussion on AI security centers around protecting ‘shadow’ AI and GenAI consumption, there's a wide-open window nobody's guarding: AI browser extensions. 

A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's radar.

Organizations may block or monitor direct access to AI applications. But extensions operate differently. They sit inside the browser. They can access page content, user inputs, and session data without triggering traditional controls.

In effect, they create an ungoverned layer of AI usage, one that bypasses visibility and policy enforcement.

AI Extensions Are Not Just Popular. They Are Riskier

It would be easy to assume that AI extensions carry a similar risk to other extensions. The data shows otherwise.

AI extensions are significantly more dangerous. They are 60% more likely to have a CVE than average, 3x more likely to have access to cookies, 2.5x more likely to have scripting permissions, and 2x more likely to be able to manipulate browser tabs. 

Each of these permissions carries real implications. Cookie access can expose session tokens. Scripting enables data extraction and manipulation. Tab control can facilitate phishing or silent redirection.

This combination of fast adoption, elevated access, and weak governance makes AI extensions an urgent emerging threat vector.

Extensions Are Not Static. They Change Over Time

Security teams often treat extensions as static. Something that can be approved once and forgotten. But that’s not how it works.

Extensions evolve. They receive updates. They change ownership. They expand permissions.

The report shows that AI extensions are nearly six times more likely to change their permissions over time, and that more than 60% of users have at least one AI extension that has changed its permissions in the past year.

This creates a moving target that traditional allowlists cannot keep up with. An extension that was safe yesterday may not be safe today.

 The Trust Gap in Browser Extensions Is Wider Than Expected 

Security teams rely on a range of trust signals to evaluate extensions, including publisher transparency, install counts, update frequency, and the presence of a privacy policy. While these do not directly indicate malicious behavior, they are key to assessing overall risk. 

A significant portion of extensions have very low user bases. More than 10% of all extensions have fewer than 1,000 users, a quarter have fewer than 5,000 users, and a third have fewer than 10,000 installations. This is particularly a challenge with AI extensions, where 33% of AI extensions have fewer than 5,000 users, and nearly 50% of AI extensions have less than 10,000 users.A large user base is essential for establishing ongoing trust, but once again, AI extensions are showing substantially higher risk.

Moreover, around 40% of extensions haven’t received an update in over a year, suggesting that they are no longer actively maintained. Extensions that are not regularly updated may contain unresolved vulnerabilities or outdated code that attackers exploit.

As a result, most extensions used in enterprise environments show weak or missing signals across these areas. This raises serious questions about data handling and compliance. It also highlights how little scrutiny extensions receive compared to other software components.

Turning Insight into Action: The Path Forward for CISOs

The report outlines a clear direction for security teams:

• Continuously Audit The Organization's Extension Threat Surface: With 99% of enterprise users running at least one extension, a full inventory is a mandatory first step toward risk reduction. CISOs should do an organization-wide extension audit covering all browsers, managed and unmanaged endpoints, across all users.

• Apply Targeted Security Controls to AI Extensions: AI extensions represent an outsized risk due to their elevated permissions that can expose SaaS sessions, identities, and sensitive in-browser data. Organizations should apply stricter governance policies to control how these extensions interact with enterprise environments.

• Analyze Extension Behavior, Not Just Static Parameters: Static approvals are not sufficient. Risk needs to be continuously assessed based on permissions, behavior, and changes over time. 

• Enforce Trust and Transparency Requirements: Extensions that have very low install counts, lack privacy policies, or show poor maintenance history should be treated as higher risk. Establishing minimum trust criteria helps reduce exposure to unverified or abandoned extensions.

A New Lens On An Old Problem

For years, browser extensions have been treated as a convenience feature. Something to enable productivity and customization. However, they are no longer a peripheral risk. They are a core part of the enterprise attack surface. Widely used, highly privileged, and largely unmonitored, they create direct exposure to sensitive data and user sessions. 

Download the full Extension Security report from LayerX to understand the full scope of these findings, identify where your exposure truly lies, and get a clear path to controlling this growing attack surface without disrupting productivity.

Source

When clicking the checkout button, the victim is shown a convincing overlay that can validate card details and billing data.

The campaign was discovered by eCommerce security company Sansec, whose researchers believe that the attacker likely gained access by exploiting the PolyShell vulnerability disclosed in mid-March.

PolyShell impacts all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.

Sansec warned that more than half of all vulnerable stores were targeted in PolyShell attacks, which in some cases deployed payment card skimmers using WebRTC for stealthy data exfiltration.

In the latest campaign, the researchers found that the malware is injected as a 1x1-pixel SVG element with an ‘onload’ handler into the target website’s HTML.

“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” Sansec explains.

“This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.”

When unsuspecting buyers click checkout on compromised stores, a malicious script intercepts the click and displays a fake “Secure Checkout” overlay that includes card details fields and a billing form.

Payment data submitted on this page is validated in real time using the Luhn verification and exfiltrated to the attacker in an XOR-encrypted, base64-obfuscated JSON format.

Sansec identified six exfiltration domains, all hosted at IncogNet LLC (AS40663) in the Netherlands, and each getting data from 10 to 15 confirmed victims.

To protect against this campaign, Sansec recommends the following:

• Look for hidden SVG tags with an onload attribute using atob() and remove them from your site files
• Check if the _mgx_cv key exists in browser localStorage, as this indicates payment data may have been stolen
• Monitor and block requests to /fb_metrics.php or any unfamiliar analytics-like domains
• Block all traffic to the IP address 23.137.249.67 and associated domains

As of writing, Adobe has still not released a security update to address the PolyShell flaw in production versions of Magento. The vendor has only made a fix available in the pre-release version 2.4.9-alpha3+.

Also, Adobe has not responded to our repeated requests for a comment on the topic.

Website owners/admins are advised to apply all available mitigations and, if possible, upgrade Magento to the latest beta release.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 9 April 2026 at 12:10 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

AI is slowly infiltrating every part of our daily lives, especially in the IT world. Google is among the leaders in this space and the company has been trying to get customers to use its Gemini model in various products like Workspace and Translate. Now, it is convincing its user base to leverage Gemini while using Gmail too.

Google has been integrating Gemini into Gmail for quite a while now. Its AI model can surface AI Overviews, help you write emails, suggest replies, proofread your content, prioritize important emails, and summarize your inbox, among lots of other things. In its latest blog post, the tech giant is now emphasizing that your Gmail data is completely secure and private even when you use it with Gemini.

Google says that it does not train its "foundational" AI models, such as Gemini, on your personal emails. This is because Gmail is secure by design and any tasks that you delegate to Gemini are performed in an isolated environment.

Secondly, any data used by Gemini is ephemeral by nature in terms of access. The AI model loses access to your inbox' data as soon as it performs the task you asked it to do, so there is no chance of data leakage.

Gmail's VP of product, Blake Barnes, likens the process to Gemini entering a "private room" which contains all your private data which is leveraged by the AI model to perfom a task, after which it leaves the room and loses access to the repository of information. Check out the YouTube Short on the topic below:

Looking at some historical data where there have been instances of data being leaked by AI models, it's not entirely surprising that Google wants to emphasize the idea that its different than its competitors. For example, Microsoft was caught accidentally uploading confidential emails to Copilot for summarization purposes. As such, it's understandable that Google doesn't want to be categorized in the same space, and is encouraging its customers to give Gemini a try in Gmail, without worrying about privacy or security.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 8 April 2026 at 12:19 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

GPUBreach was developed by a team of researchers at the University of Toronto, and full details will be presented at the upcoming IEEE Symposium on Security & Privacy on April 13 in Oakland.

The researchers demonstrated that Rowhammer-induced bit flips in GDDR6 can corrupt GPU page tables (PTEs) and grant arbitrary GPU memory read/write access to an unprivileged CUDA kernel.

An attacker may then chain this into a CPU-side escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially leading to complete system compromise without the need to disable Input-Output Memory Management Unit (IOMMU) protection.

IOMMU is a hardware unit that protects against direct memory attacks. It controls and restricts how devices access memory by managing which memory regions are accessible to each device.

Despite being an effective measure against most direct memory access (DMA) attacks, IOMMU does not stop GPUBreach.

“GPUBreach shows that GPU Rowhammer attacks can move beyond data corruption to real privilege escalation,” the researchers explain.

“By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver.”

“The result is system-wide compromise up to a root shell, without disabling IOMMU, unlike contemporary works, making GPUBreach a more potent threat.”

The same researchers previously demonstrated GPUHammer, the first attack showing that Rowhammer attacks on GPUs are practical, prompting NVIDIA to issue a warning to users and suggesting the activation of the System Level Error-Correcting Code mitigation to block such attempts on GDDR6 memory.

However, GPUBreach is taking the threat to the next level, showing that it is possible not only to corrupt data but also to gain root privileges with IOMMU enabled.

The researchers exemplified the results with an NVIDIA RTX A6000 GPU with GDDR6. This model is widely used in AI development and training workloads.

Disclosure and mitigations

The University of Toronto researchers reported their findings to NVIDIA, Google, AWS, and Microsoft on November 11, 2025.

Google acknowledged the report and awarded the researchers a $600 bug bounty.

NVIDIA stated that it may update its existing security notice from July 2025 to include the newly discovered attack possibilities.

As demonstrated by the researchers, IOMMU alone is insufficient if GPU-controlled memory can corrupt trusted driver state, so users at risk should rely solely on that security measure.

Error Correcting Code (ECC) memory helps correct single-bit flips and detect double-bit flips, but it is not reliable against multi-bit flips.

Ultimately, the researchers underlined that GPUBreach is completely unmitigated for consumer GPUs without ECC.

The researchers will publish the full details of their work, including a technical paper and a GitHub repository with the reproduction package and scripts, on April 13.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 7 April 2026 at 1:00 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

According to BKA's disclosure, 31-year-old Daniil Maksimovich Shchukin and 43-year-old Anatoly Sergeevitsch Kravchuk acted as the heads of the two ransomware groups "from at least the beginning of 2019 until at least July 2021."

Shchukin hid behind the monikers UNKN/UNKNOWN for years, posting on cybercrime forums and speaking as a representative of the ransomware operation.

The German authorities say that Shchukin and Kravchuk participated in at least 130 extortion cases targeting companies in the country specifically.

Following these attacks, at least 25 victims paid Shchukin and his co-conspirators $2.2 million in ransom, while the total financial damage caused by them is estimated in excess of $40 million.

GandCrab started in early 2018, and its leader at the time decided to retire in June 2019, after claiming to have earned $2 billion from ransom payments. The leader, however, cashed out with $150 million, which they claimed to have invested in legal businesses.

Soon after, a new operation called REvil emerged, following the affiliate model established by GandCrab through advertising and building partnerships with cybercriminals.

REvil, also known as Sodinokibi, was formed from previous GandCrab affiliates and operators who had already learned the successful tactics and started to apply them to their operations.

REvil later added public leak sites and ran data auctions to pressure victims. Notable victims include multiple Texas local governments, computer giant Acer, and the Kaseya supply-chain attack that impacted around 1,500 downstream victims.

Following the massive Kaseya hack, REvil took a two-month break, during which law enforcement breached their servers and started to monitor operations.

Multiple infrastructure disruptions were recorded at the time, and in mid-January 2022, Russia arrested more than a dozen REvil gang members, who were released in 2025 after time served on carding charges.

It is unclear if either Shchukin or Kravchuk joined other ransomware operations following REvil’s demise in 2021.

BKA believes that Shchukin and Kravchuk are now in Russia and asks the public to share any information that could lead to their whereabouts. Relevant entries were also created on the EU’s Most Wanted portal.

The police shared several images, including tattoo photos, to help track down the two threat actors and bring them to justice.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 7 April 2026 at 1:00 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Microsoft releases new Windows Defender update packages very frequently to protect against various newly discovered malware. Once a while every three months or so, the company also pushes out these updates to Windows images (WIM and VHD) and ISOs, that are used to install Windows.

This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases.

When a new Windows installation is set up, there may be a temporary security risk due to outdated Microsoft Defender protection in the OS installation images. This happens because the antimalware software included in these images might not be up to date. Thus Microsoft says that these updated definitions essentially help close this protection gap.

Microsoft delivered the latest security definitions for Windows images via security intelligence update version 1.445.323.0. The Defender package version is also the same. It applies to Windows 11, Windows 10 ESU, Windows 10 Enterprise LTSC 2021, Win 10 Ent LTSC 2019, Win 10 Ent LTSB 2016, Windows Server 2022, Windows Server 2019, and Windows Server 2016.

Microsoft writes: "This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to the following versions:

• Platform version: 4.18.26020.6
• Engine version: 1.1.26020.1
• Security intelligence version: 1.445.323.0

From Microsoft's security bulletin, we learn that the security intelligence update version 1.445.323.0 was released early last month and adds threat detections for various malware like trojan, backdoor exploits, ransomeware, stealers, AutoKMS, and more.

For those wondering, the latest intelligence update is version 1.447.185.0 at the time of writing.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 6 April 2026 at 12:52 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

According to a report by Fairlinked e.V., which claims to be an association of commercial LinkedIn users, Microsoft's platform injects JavaScript into user sessions that checks for thousands of browser extensions and links the results to identifiable user profiles.

The author claims that this behavior is used to collect sensitive personal and corporate information, as LinkedIn accounts are tied to real identities, employers, and job roles.

"LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user's employer, it can map which companies use which competitor products. It is extracting the customer lists of thousands of software companies from their users' browsers without anyone's knowledge,' the report says.

"Then it uses what it finds. LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets."

BleepingComputer has independently confirmed part of these claims through our own testing, during which we observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.

This script checked for 6,236 browser extensions by attempting to access file resources associated with a specific extension ID, a known technique for detecting whether extensions are installed.

This fingerprinting script was previously reported in 2025, but it was only detecting approximately 2,000 extensions at that time. A different GitHub repository from two months ago shows 3,000 extensions being detected, demonstrating that the number of detected extensions continues to grow.

While many of the extensions that are scanned for are related to LinkedIn, the script also strangely detected language and grammar extensions, tools for tax professionals, and other seemingly unrelated features.

The script also collects a wide range of browser and device data, including CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio information, and storage features.

BleepingComputer could not verify the claims in the BrowserGate report about the use of the data or whether it is shared with third-party companies.

However, similar fingerprinting techniques have been used in the past to build unique browser profiles, which can enable tracking users across websites.

LinkedIn denies data use allegations

LinkedIn does not dispute that it detects specific browser extensions, telling BleepingComputer that the info is used to protect the platform and its users.

However, the company claims the report is from someone whose account was banned for scraping LinkedIn content and violating the site's terms of use.

LinkedIn claims the BrowserGate report stems from a dispute involving the developer of a LinkedIn-related browser extension called "Teamfluence," which LinkedIn says it restricted for violating the platform's terms.

In documents shared with BleepingComputer, a German court denied the developer's request for a preliminary injunction, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.

The court also found that automated data collection alone could infringe upon LinkedIn's terms of use and that it was entitled to block the accounts to protect its platform.

LinkedIn argues the BrowserGate report is an attempt to re-litigate that dispute publicly.

Regardless of the reasons for the report, one point is undisputed.

LinkedIn's site uses a fingerprinting script that detects over 6,000 extensions running in a Chromium browser, along with other data about a visitor's system.

This is not the first time that companies have used aggressive fingerprinting scripts to detect programs running on a visitor's device.

In 2021, eBay was found to use JavaScript to perform automated port scans on visitors' devices to determine whether they were running various remote support software.

While eBay never confirmed why they were using these scripts, it was widely believed that they were used to block fraud on compromised devices.

It was later discovered that numerous other companies were using the same fingerprinting script, including Citibank, TD Bank, Ameriprise, Chick-fil-A, Lendup, BeachBody, Equifax IQ connect, TIAA-CREF, Sky, GumTree, and WePay.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 4 April 2026 at 12:21 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

"Google is aware that an exploit for CVE-2026-5281 exists in the wild," Google said in a security advisory issued on Tuesday.

As detailed in the Chromium commit history, this vulnerability stems from a use-after-free weakness in Dawn, the underlying cross-platform implementation of the WebGPU standard used by the Chromium project.

Attackers can exploit this Dawn security flaw to trigger web browser crashes, data corruption, rendering issues, or other abnormal behavior.

While Google has found evidence that threat actors were exploiting this zero-day flaw in the wild, it did not share details about these incidents.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," the company noted.

Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux users (146.0.7680.177). While Google says that this out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates today.

If you don't want to update the browser manually, you can also have it check for updates at the next launch and install them automatically.

This is the fourth actively exploited Chrome zero-day patched since the start of the year. The first (CVE-2026-2441) was an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), which Google addressed in mid-February.

Google patched two other Chrome zero-day bugs exploited in attacks earlier this month: the first is an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and the second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).

In 2025, Google fixed a total of eight zero-days exploited in the wild, many of which were discovered and reported by Google's Threat Analysis Group (TAG), which is known for tracking and identifying zero-day exploits used in spyware attacks.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 2 April 2026 at 5:22 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

The hardware maker says that successful exploitation could potentially lead to code execution on the underlying system, privilege escalation, and a denial-of-service condition.

The GIGABYTE Control Center (GCC), which comes pre-installed on all the company’s laptops and motherboards, is GIGABYTE’s all-in-one Windows utility that lets users manage and configure their hardware.

It supports hardware monitoring, fan control, performance tuning, RGB lighting control, driver and firmware updates, and device management.

A feature in the Control Center is “pairing,” which allows the tool to communicate with other devices or services over the network. Systems with the 'pairing' option enabled on Control Center versions 25.07.21.01 and earlier are exposed to attacks.

“When the pairing feature is enabled, unauthenticated remote attackers can write arbitrary files to any location on the underlying operating system, leading to arbitrary code execution or privilege escalation,” warned Taiwan’s CERT.

The issue, tracked as CVE-2026-4415, was discovered by SilentGrid security researcher David Sprüngli. Based on the CVSS v4.0 scoring system, the issue has a critical severity rating (9.2 out of 10).

Users are recommended to upgrade to the latest version of Control Center, currently 25.12.10.01, which includes fixes for download path management, message processing, and command encryption to effectively mitigate the vulnerability.

“Customers are strongly advised to upgrade to the latest GCC version immediately,” the vendor warns in the security bulletin.

It is recommended that users of GIGABYTE products download the latest GCC version from the vendor’s official software portal to minimize the risk of receiving trojanized installers.

BleepingComputer has contacted both GIGABYTE and SilentGrid to learn more about CVE-2026-4415, but we did not receive a response by publishing time.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 1 April 2026 at 12:06 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

The UK’s Competition and Markets Authority will launch an investigation into Microsoft’s business software ecosystem in May this year. This move comes after the CMA worked with Microsoft in 2025 on issues it had over its cloud business. Now it wants to address issues it has with Microsoft’s business software practices.

The investigation into Microsoft will assess whether the Redmond giant has Strategic Market Status (SMS) in business software. The CMA said hundreds of thousands of UK businesses and public sector organizations depend on Microsoft’s business software, such as Windows, Word, Excel, Teams, and Copilot, every day.

By slapping Microsoft with an SMS label, it would allow the CMA to take action on Microsoft’s use of software licensing to reduce competition in the cloud. It would also allow it to ensure a level playing field as AI innovation reshapes competition in productivity software.

Commenting on this development, Sarah Cardell, Chief Executive of the CMA, said:

“An SMS designation would enable us to tackle remaining concerns around Microsoft’s licensing practices in cloud and would also enable us to ensure a level playing field as AI is rapidly embedded into everyday business software tools.

Through this package of actions, we’re driving changes across cloud and business software to make sure these markets are competitive and resilient for UK businesses and the public sector.”

The CMA said that the embedding of AI into workplace tools is a pivotal moment for the sector, and the implications for UK productivity are significant. It said that the UK will benefit the most if competitors can integrate with Microsoft’s business software so that organizations can mix-and-match AI to best suit their needs.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 1 April 2026 at 5:59 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

Yesterday, Microsoft found itself in hot water when it was discovered that the company is injecting ads into pull requests (PR) generated by Copilot. We discovered that these ads promoted other software in millions of GitHub PRs too, such as Copilot's integration in Slack, Teams, Visual Studio, VS Code, Eclipse, and more. Now, Microsoft has apologized for the situation and issued a clarification.

According to GitHub's Vice President for Developer Relations, Martin Woodward on X (formerly Twitter), the firm has no plans to integrate advertisements into PRs generated by Microsoft's coding assistant. The current issue has been blamed on a "programming logic issue" in GitHub Copilot that resulted in third-party product tips appearing "incorrectly" in PRs. This bug was apparently introduced on March 24 when Copilot's abilities were expanded. Woodward further went on to say that:

As a result, a third-party link was mistakenly displayed in a way that could be interpreted as a promotion. Our goal was to share novel ways to use Copilot coding agent, and in this case, we highlighted our integration with Raycast as part of a broader set of product tips, but this was surfaced more frequently than intended alongside other feature suggestions. We have removed Copilot agent tips from all pull requests moving forward. We appreciate the community flagging this and apologize for the error.

In other posts, Woodward has owned complete responsibility for the mistake, claiming that no formal ad arrangements were made with partners like Raycast. He has also emphasized that these product tips are being turned off forever, and it's not just a temporary delay until the firm figures out how to integrate them correctly.

That said, the timing series of events does indicate that Microsoft not anticipating the level of backlash that it received and that it was hoping that this would either be ignored or developers would appreciate it. However, as we have seen with Windows before too, customers generally aren't too pleased about ads product tips being integrated into products that they pay for. As such, the latest measure seems to be a course correction to placate angry developers rather than a planned strategy.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 1 April 2026 at 5:55 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of March) 1,297

RIP Matrix

If you are a JavaScript developer, you’re likely familiar with Axios, the popular library with over 80 million weekly downloads. Developers use Axios to make network requests, handle form submissions, perform CRUD operations, and manage file uploads in both browser and Node.js environments.

Now, researchers at StepSecurity have notified the public that two specific versions, axios@1.14.1 and axios@0.30.4, have been pwned by hackers. This was likely achieved through stolen npm credentials belonging to a lead maintainer, and the attackers even managed to change the account email address to ifstap@proton.me. They then manually published these poisoned versions, completely bypassing the project's standard GitHub Actions and cryptographic signing processes.

According to StepSecurity, the affected versions did not alter the core Axios code but instead injected a hidden, fake dependency named plain-crypto-js@4.2.1. This fake package, which Axios never actually uses in its source, runs a postinstall script right when you install it.

That script acts as a cross-platform remote access trojan (RAT) dropper, hitting machines running Window, macOS, and Linux, and then contacts a command and control (C2) server. After it installs the malware, the dropper attempts to self destruct, replacing its own package.json with a clean version to evade detection.

The hackers used some pretty clever obfuscation techniques to hide what the malware was actually doing on your machine. They encoded sensitive strings like shell commands and file paths into a complex array that gets decoded at runtime using a specific XOR cipher key.

To check if your computer has been compromised, try the following commands:

# Check for the malicious axios versions in your project
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

# Look for the hidden dependency directory
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

# Check for RAT artifacts on Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"

If you think you might be infected (remember the affected versions are axios@1.14.1 and axios@0.30.4), downgrade Axios to the last known safe version. Use axios@1.14.0 for 1.x users and axios@0.30.3 for 0.x users, but make sure to add an overrides block in your package.json to prevent transitive dependencies from pulling in the bad versions:

"overrides": {
  "axios": "1.14.0"
}

You also need to remove plain-crypto-js from node_modules and then run npm install --ignore-scripts to prevent any other postinstall hooks from running.

Another very important thing you should do is rotate all your credentials, like NPM tokens, AWS access keys, SSH private keys, cloud credentials, and any values found in .env files accessible during install.

For CI/CD pipelines, always run npm ci --ignore-scripts to stop postinstall hooks from running automatically.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 31 March 2026 at 6:13 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854

RIP Matrix

Google is finally rolling out its new ransomware detection and file restoration features for Google Drive. Both of these features were initially released in beta in September last year, and now they’re finally making their way to all users. Google claims that its upgraded detection models are now catching significantly more infections than before.

If you have Google Drive for desktop installed on your computer, it will now actively monitor for suspicious activity. If it detects a potential ransomware attack, the app will immediately pause your file syncing to prevent the infected data from spreading to your cloud storage. You will then get a desktop notification, and if you’re part of an organization, admins will be alerted by email, too.

Another useful part of this update is the new bulk file restoration tool. So, if you were a target of a ransomware attack, you are now able to restore your files to a previous version in bulk, so you don’t have to pay a ransom or manually dig through version histories one by one.

The detection feature is technically turned on by default for eligible accounts. However, it never hurts to double-check your settings to make sure your organization is actually protected. If you’re a workspace admin, you can enable or disable this feature from the Google Admin console.

While the file restoration feature is rolling out to everyone, including free personal Google accounts, the active ransomware detection is locked behind specific paid tiers. You will need a subscription like Business Standard or Enterprise Plus to actually get this feature.

Also, the new security features work with the Drive desktop version 114 or later, so make sure you update the client on your computer to receive the latest updates.

In other news, you can now edit password-protected Microsoft Office files directly in Google Drive.

Source: Google Workspace Blog

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 31 March 2026 at 11:51 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854

RIP Matrix

Microsoft may have committed to reducing microslop in Windows 11, but the tech giant seemingly forgot to CC GitHub about the initiative. A software developer named Zach Manson shared that Copilot injected an ad into a pull request on GitHub.

According to Manson, one of their team members used Copilot to correct a typo in a pull request. Copilot did fix the typo, but it also added an ad for Copilot and Raycast in the pull request description.

"⚡ Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast," reads the pull request. Text preceded by an emoji is a common trope that appears within content generated by Copilot.

Manson said of the addition, "This is horrific. I knew this kind of bullshit would happen eventually, but I didn't expect it so soon."