Forwarded from The Hacker News
🔥 New Edition Just Dropped!
Cybersecurity Weekly Recap | May 5 —— From nation-state hacks to deepfake-ready malware, this week’s intel is packed:
• Iranian APT lurked 2 yrs in critical infra
• Claude chatbot abused for political ops
• TikTok hit with $601M fine over China data
• 30+ new CVEs to patch now
• Magento supply chain backdoor activated after 6 yrs
Read the full recap → https://thehackernews.com/2025/05/weekly-recap-nation-state-hacks-spyware.html
Forwarded from Hacker News
Openai
Evolving OpenAI’s structure
An update from the OpenAI board on transitioning its for-profit entity to a Public Benefit Corporation, reinforcing its mission-driven structure under nonprofit oversight while enabling greater impact and long-term alignment with the public good.
Forwarded from It's FOSS
An important open source initiative needs your help!
https://news.itsfoss.com/osu-open-source-lab-closure/
It's FOSS News
A Critical Moment for OSU's Open Source Lab As It Faces Closure
The Oregon State University Open Source Lab urgently needs funding to continue functioning.
Forwarded from The Hacker News
🛑 Critical Langflow Flaw Actively Exploited!
CISA has added CVE-2025-3248 to its Known Exploited Vulnerabilities list.
• CVSS: 9.8
• Affects most Langflow versions
• Allows remote code execution without login
• PoC exploit published April 9
• 466 servers exposed worldwide
➡️ Full story: https://thehackernews.com/2025/05/critical-langflow-flaw-added-to-cisa.html
Forwarded from The Hacker News
🚨 Exploited in the wild. No user click needed.
Google patches 46 Android flaws, including CVE-2025-27363—a critical System bug tied to the FreeType font engine.
Discovered by Meta in March, it's now confirmed active.
🔗 Learn more: https://thehackernews.com/2025/05/google-fixes-actively-exploited-android.html
Forwarded from The Hacker News
🔥 AI agents are the new insider threat—fast, autonomous, and already slipping past security.
Meanwhile, users just want to work—on personal devices, with unsanctioned apps, and now AI tools.
The Access-Trust Gap is real—and growing.
✅ It’s time to move from blocking to governing access, for humans and machines.
👉 Read more from Dave Lewis, Global Advisory CISO at 1Password: https://thehackernews.com/expert-insights/2025/05/ai-access-trust-gap-droids-were-looking.html
Forwarded from The Hacker News
🚨 UPDATE - Darcula’s secret weapon exposed!
NRK & Mnemonic uncover Magic Cat — a phishing toolkit behind 884K+ stolen cards in 7 months.
🔹 13M+ clicked links
🔹 600+ scammers
🔹 Real-time data & PIN capture
🔹 19K+ victims in Norway alone
Dev behind it? A 24-year-old from China.
The company? Claims it’s just “a website builder.”
🔗 Full story: https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.html
Forwarded from Hacker News
Bloomberg.com
OpenAI Reaches Agreement to Buy Startup Windsurf for $3 Billion
OpenAI has agreed to buy Windsurf, an artificial intelligence-assisted coding tool formerly known as Codeium, for about $3 billion, according to people familiar with the matter, marking the ChatGPT maker’s largest acquisition to date.
Forwarded from The Hacker News
🚨 Plug-and-play ≠ safe.
Default Helm charts are silently exposing your Kubernetes clusters to attackers.
Microsoft warns: popular open-source tools like Apache Pinot, Meshery & Selenium Grid ship with no auth, open ports, and public IPs by default.
Details → https://thehackernews.com/2025/05/microsoft-warns-default-helm-charts-for.html
Act now:
✔️ Audit Helm charts & YAMLs
✔️ Lock down network exposure
✔️ Monitor container behavior
Forwarded from The Hacker News
🚨 600 million attacks hit Microsoft Entra ID—every single day.
It’s the heart of your access and identity. If it goes down, everything stops:
❌ No logins
❌ No compliance
❌ No recovery
Built-in tools won’t save you.
You need full backup and fast recovery. Because when identity breaks, so does your business.
Learn more: https://thehackernews.com/2025/05/entra-id-data-protectionessential-or.html
Forwarded from Telegram Info English (bazan.)
Scammers Steal NFT Gifts Using Business Chatbots
A scam is spreading on Telegram involving the theft of NFT gifts by connecting a business chatbot to the victim's account.
How the scheme works:
• Scammers deceive the victim into connecting the chatbot and granting it a set of permissions, including the ability to manage gifts. For example, they may ask the victim to test the bot in exchange for a reward.
• Once access is given, the bot automatically transfers all NFT gifts from the victim's profile to the scammers.
Important security tip:
• Access to your account should only be given to trusted bots from reliable services.
How to protect yourself:
• Never give unknown bots permission to manage accounts.
• Always check what specific permissions the bot is requesting before adding it.
• Do not believe promises of easy money for “simple actions.”
#gifts #hacking
Forwarded from NoGoolag
https://archive.is/bOOUY "Google plans to roll out its Gemini artificial intelligence chatbot next week for children under 13 who have parent-managed Google accounts, as tech companies vie to attract young users with A.I. products.
“Gemini Apps will soon be available for your child,” the company said in an email this week to the parent of an 8-year-old. “That means your child will be able to use Gemini” to ask questions, get homework help and make up stories.
The chatbot will be available to children whose parents use Family Link, a Google service that enables families to set up Gmail and opt into services like YouTube for their child. To sign up for a child account, parents provide the tech company with personal data like their child’s name and birth date.
Gemini has specific guardrails for younger users to hinder the chatbot from producing certain unsafe content, said Karl Ryan, a Google spokesman. When a child with a Family Link account uses Gemini, he added, the company will not use that data to train its A.I."
archive.is
Google Plans to Roll Out Gemini A.I. Chatbot to Children Under 13 - T…
archived 5 May 2025 02:01:52 UTC