After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories.
The response from the security community isn't going Microsoft's way: researchers are not backing Microsoft.
Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word."
Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case.
Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.
BREAKING: Anthropic released Claude Opus 4.8 today, just 41 days after 4.7.
The jump in six weeks:
agentic coding 64.3% → 69.2%
knowledge work 1753 → 1890.
It also overtook GPT-5.5 on financial analysis and knowledge work, the two benchmarks where 4.7 had trailed.
Hacked Fortinet FortiClient EMS servers are pushing infostealer malware disguised as a Fortinet patch to every managed endpoint.
Attackers exploit CVE-2026-35616 to take the server, then abuse FortiClient's own management channel to deploy it. Patch now!
Source: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
iPhone 18 Pro dummy units just surfaced in four finishes: Black, Silver, Dark Cherry, and Light Blue.
Dark Cherry looks set to be this year's headline color, the successor to the Cosmic Orange that became a phenomenon in China. That orange shade was nicknamed "Hermès orange" for resembling the luxury brand's signature color, and it's credited with driving Apple's China iPhone sales up 38% year-over-year, the company's best-ever quarter in the region.
Photo: SonnyDickson
California's State Assembly approved a Stop Killing Games bill targeting games that need a server connection to play. Before shutting those servers down, developers would have to give 60 days' notice, then either release a patch that makes the game playable offline or refund players. It only applies to games released after Jan 1, 2027. The Senate still has to approve it.
Stop Killing Games is an international consumer campaign (started in 2024 by YouTuber Ross Scott) pushing to stop publishers from making purchased games unplayable. It's pursued an EU Citizens' Initiative and backs related bills like California's AB 1921.
Source: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1921
Malicious actors can now use your SSD's activity, just by getting you to open their website, to spy on which other sites you're browsing and which apps you're running.
The attack, called FROST, is accurate: 88.95% on identifying websites, 95.83% on identifying applications. It works on macOS and Linux, across browsers, and runs entirely in JavaScript.
The browser makers were told, and largely shrugged. Chromium says fingerprinting isn't a security bug. Apple called it out of scope. Mozilla acknowledged it and shipped nothing.
Researchers at Graz University of Technology developed the attack. It abuses the Origin Private File System, a browser feature that lets sites store files on your disk without asking. The attack creates one huge file, then constantly times how fast it can read from it. When you open another tab or launch an app, that activity competes for the same SSD, and the tiny changes in read speed leak what you're doing. A trained neural network turns those timing patterns into guesses about which site or app it is.
https://hannesweissteiner.com/pdfs/frost.pdf
John Daghita, the 22-year-old accused of stealing $46 million in crypto from the US Marshals Service, has been cleared by a French court for fast-tracked extradition to the United States.
He was arrested March 4 in a luxury villa on Saint-Martin in a joint FBI and GIGN operation, caught "by ruse and without incident." Agents seized computers, crypto wallet credentials, several phones, around 250,000 euros in cash, and a loaded Glock. The full $46 million was recovered.
He allegedly pulled it off using privileged access tied to his father's federal contracting firm, which held a US government contract to manage seized cryptocurrency. He got caught after blockchain investigator ZachXBT traced the funds, reportedly tipped off when Daghita flexed a $23M wallet on Telegram.
Daghita requested his own extradition at his first hearing on May 21, saying he wants to explain himself to US courts.
BREAKING: Security researchers are now handing out Nightmare-Eclipse vulnerabilities for free, in what looks like both a show of support and a reaction to how Microsoft treats researchers. First up: "Bitskrieg," which violates Secure Boot trust and fully bypasses BitLocker.
It seems aimed squarely at Microsoft's recent blog, where the company said its Digital Crimes Unit would bring cases against threat actors "and those that enable their criminal activity," language many researchers read as a threat pointed at them.
Google wants to release up to 64 million male mosquitoes in Florida and California, infected with a bacterium that makes them mate with wild females and produce eggs that never hatch.
The plan comes from Verily's "Debug" project. The released males carry Wolbachia, a naturally occurring bacterium (not genetic engineering). Males don't bite, so the releases shouldn't add to the biting. But when they mate with wild females, the eggs fail to hatch, suppressing the population over time.
The scale: up to 16 million males per state each year, for two years. That's up to 64 million total across both states. The EPA is reviewing the experimental use permit and has flagged it as potentially of "regional and national significance," which is why it opened public comment.
The technique isn't new. Wolbachia-based control has been trialed for years, and the Florida Keys Mosquito Control District is already testing a similar approach.
Source: https://www.federalregister.gov/documents/2026/04/20/2026-07625/pesticide-experimental-use-permit-receipt-of-application-comment-request-february-2026
A United Airlines Boeing 767 made an emergency return to Newark because a 16-year-old passenger had named his personal Bluetooth speaker "BOMB."
United Flight 236 was heading to Palma de Mallorca, Spain, and was nearly two hours into the transatlantic crossing when the discoverable speaker name popped up on nearby phones in the cabin. A passenger flagged it, the crew looped in United's operations center in Chicago, and announcements began ordering everyone to turn off Bluetooth or the plane would turn back. After repeated warnings and a final one-minute ultimatum, two devices were still showing. The jet squawked 7700 and returned to Newark.
The aircraft was taxied to a remote stand and met by airport police and federal agents. Passengers deplaned with only passports and phones, leaving belongings on board, and were bussed back through TSA rescreening. The teen reportedly admitted the speaker was his and was taken into custody.
The same 767 eventually flew the route as a replacement, departing around 2:30 AM, roughly nine hours behind schedule. It's the second name-based scare on United this month, after a Wi-Fi hotspot reading "Free Palestine, F Zionists" drew an FBI warning from a pilot.
See photos: https://www.reddit.com/r/unitedairlines/comments/1tsk81w/ua_236_the_bluetooth_flight/?rdt=55081
BREAKING: Meta's AI feature let attackers hijack Instagram accounts for days with nothing but a username. It was being A/B tested on a slice of users, and if you were in the test, you couldn't turn it off. Among the casualties: the official Obama White House account.
The method: get on a VPN near the target's region, ask the Meta AI support agent to send a verification code to any email you control, relay that code back to the agent, and it hands over a password reset link. Without ID or human review. From there, the account is yours.
The flaw lived in the AI's logic layer, which acted on recovery requests with no real identity checks. One researcher compared it to the Roblox AI assistant exploit from days earlier, where you needed a target's billing info. Instagram was easier: the username and a regional VPN were enough, and victims reported sessions revoked and passwords changed with no email, text, or push alert at all.
By the time it went public, the method was common knowledge in blackhat Telegram circles and had allegedly been used to hijack 100+ high-value accounts.
Accounts hit:
- obamawhitehouse (the archived official Obama White House account, ~2.4M followers). Hackers posted an AI-generated image captioned "The White House is under Shiites' control," plus cryptic anti-Trump and pro-Iranian Stories. Meta confirmed the hack and scrubbed it.
- Premium short handles like hey and jowo, worth over $1M combined, stolen and flipped on Telegram.
- albert (owned by Albert Renshaw), whose owner publicly reported being locked out and unable to reach Meta support.
Meta has since patched it. There was no public acknowledgment.