Encryption

Discover encryption technologies covering cryptography, security protocols, and data protection. Our digest summarizes end-to-end encryption, PKI implementations, and key management from developer communities.

Articles from the last 30 days

Notepad++ hijacked by state-sponsored actors
Monday, February 2, 2026

A significant cybersecurity incident targeting Notepad++ has been disclosed, revealing a prolonged hijacking attempt by suspected Chinese state-sponsored hackers. Between June and December 2025, attackers compromised the application's shared hosting infrastructure to intercept and redirect update traffic. This allowed them to distribute malicious update manifests to selected users by exploiting insufficient update verification controls in older versions of the software. Although the hosting provider implemented remediation steps by December 2, 2025, Notepad++ has since migrated to a more secure hosting environment. To prevent future incidents, the WinGup updater was enhanced in v8.8.9 to verify digital certificates and signatures. Furthermore, the upcoming v8.9.2 release will enforce XMLDSig verification for update manifests, ensuring the integrity of the update process through multiple layers of authentication and cryptographic validation.

Discord/Twitch/Snapchat age verification bypass
Wednesday, February 11, 2026

Security researchers xyzeva and Dziurwa developed an open-source bypass for Discord's k-id age verification system. By reverse-engineering the AES-GCM encryption and replicating face-prediction metadata, the script tricks the FaceAssure API into verifying users as adults globally without requiring a real face scan, exploiting a lack of server-side validation for encrypted biometric data.

Sources: Hacker News (823 pts)

The Day the Telnet Died
Tuesday, February 10, 2026

In January 2026, GreyNoise analysts observed a sudden and dramatic 65% drop in global Telnet traffic within a single hour, which eventually settled at an 83% reduction from the baseline. This structural shift preceded the public disclosure of CVE-2026-24061, a critical authentication bypass vulnerability in GNU Inetutils telnetd that allows unauthenticated root access via a simple argument injection. The data suggests that major Tier 1 transit providers likely implemented port 23 filtering on backbone infrastructure in anticipation of the vulnerability's disclosure. This proactive infrastructure-level response significantly impacted residential and enterprise ISPs while leaving major cloud providers with direct peering largely unaffected. The incident highlights a potential shift in how global network operators coordinate to mitigate high-impact security risks at the routing level before they can be exploited at scale.

FBI couldn't get into WaPo reporter's iPhone because Lockdown Mode enabled
Wednesday, February 4, 2026

A recent FBI court filing has highlighted the effectiveness of Apple's Lockdown Mode, a security feature that successfully prevented federal investigators from extracting data from a Washington Post reporter's iPhone. During an investigation into classified leaks, the FBI's Computer Analysis Response Team (CART) found that the iPhone 13 belonging to Hannah Natanson was inaccessible due to this hardened security state. While the FBI was able to access her MacBook Pro using Touch ID, the iPhone remained protected. Lockdown Mode is designed to mitigate sophisticated spyware by limiting message attachments, web functionality, and physical accessory connections. This case demonstrates that the feature is also a formidable barrier against physical forensic tools like Graykey and Cellebrite, which require an unlocked connection to exploit system vulnerabilities. The incident underscores the ongoing technical struggle between consumer electronics companies and law enforcement agencies seeking digital access.

Sources: Hacker News (492 pts)

Chrome extensions spying on 37M users' browsing data
Sunday, February 8, 2026

Researchers identified 287 Chrome extensions spying on approximately 37.4 million users. Using an automated Docker-based scanning pipeline, they found extensions from actors like Similarweb and Big Star Labs exfiltrating browsing history via obfuscated and encrypted requests. This widespread data harvesting poses significant risks for corporate espionage and credential harvesting.

Sources: Hacker News (416 pts)

A Supabase misconfiguration exposed every API key on Moltbook's 770K-agent platform. Two SQL statements would have prevented it
Monday, February 2, 2026

Moltbook, a viral social network for AI agents built on the OpenClaw framework, has quickly transitioned from a curious experiment to a significant security threat. With over 770,000 agents active, the platform recently suffered a massive database breach that allowed attackers to hijack agent identities and gain shell access to host machines. Researchers have identified critical vulnerabilities including unauthenticated shell command execution, improper input sanitization, and over-privileged system access. Many instances are currently exposed via Shodan, leading to the exfiltration of sensitive API keys and session tokens. The incident highlights the dangers of prompt injection at scale and the inherent risks of autonomous agents running without robust sandboxing or encryption in personal and enterprise environments.

Sources: /r/programming (414 pts)

The RCE that AMD won't fix
Thursday, February 5, 2026

A critical Remote Code Execution (RCE) vulnerability was discovered in AMD AutoUpdate software after a user investigated persistent console pop-ups on a new gaming PC. Upon decompiling the application, the researcher found that while the update manifest is fetched via HTTPS, the actual executable download URLs within that manifest point to insecure HTTP connections. This architectural flaw allows for Man-in-the-Middle (MITM) attacks in which an attacker could replace legitimate updates with malicious binaries. Crucially, the software lacks certificate validation or digital signature checks and executes any downloaded file immediately. Despite the severity, AMD classified the report as 'out of scope,' prompting the researcher to disclose the findings publicly to warn users about the security risks associated with the unpatched software.

Hacking Moltbook
Monday, February 2, 2026

Moltbook, a social platform intended exclusively for AI agents, recently faced a significant security breach that exposed its production database. Billed as the front page of the agent internet, the platform attracted attention from the tech community for its vibe-coded architecture. However, researchers discovered an exposed Supabase API key that granted unauthenticated access to the entire database due to missing Row Level Security (RLS). The leak included 1.5 million API tokens, 35,000 email addresses, and private messages containing third-party credentials like OpenAI keys. Analysis revealed that the platform's high agent count was largely inflated by a small number of human users. This incident highlights the critical security risks associated with rapid, AI-driven development where secure defaults and manual reviews are often overlooked in favor of deployment speed.

New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises
Thursday, February 26, 2026

New research introduces AirSnitch, a series of attacks revealing that low-level networking behaviors can bypass Wi-Fi encryption and client isolation. Despite decades of security improvements, these vulnerabilities affect numerous routers from major brands like Cisco, Ubiquiti, and Netgear, potentially allowing unauthorized communication and data exposure between connected clients.

Sources: Hacker News (369 pts)

Show HN: If you lose your memory, how to regain access to your computer?
Friday, February 6, 2026

This project introduces a security tool utilizing Shamir's Secret Sharing to protect sensitive files by distributing decryption privileges among a trusted group. By encrypting a file and splitting the key into multiple shares—for instance, five shares with a threshold of three—the system ensures that no single individual can access the data independently. Each recipient is provided with a self-contained bundle containing a recover.html file, which operates entirely offline in the browser. This architecture guarantees long-term accessibility regardless of the original website's status. The core objective is to provide a user-friendly, serverless implementation of complex cryptographic principles for emergency data recovery situations without relying on a central authority or a single point of failure.

Sources: Hacker News (329 pts)

Notepad++ supply chain attack breakdown
Tuesday, February 3, 2026

In early 2026, Notepad++ developers confirmed a significant supply chain attack resulting from a hosting provider compromise between June and December 2025. This sophisticated campaign featured three distinct execution chains that victimized organizations in the Philippines, Vietnam, El Salvador, and Australia. Attackers constantly rotated C2 servers and payloads, including Cobalt Strike beacons and the Chrysalis backdoor. Chain #1 exploited a legacy vulnerability in ProShow software to bypass modern sideloading detections, while Chain #2 utilized compiled Lua scripts. Chain #3 involved DLL sideloading techniques frequently linked to Chinese-speaking threat actors. Security researchers identified numerous Indicators of Compromise (IoCs), including malicious NSIS installers and unusual traffic to temp.sh, emphasizing the importance of monitoring system tools like curl.exe and legitimate process activity.

Sources: Hacker News (306 pts)

Top downloaded skill in ClawHub contains malware
Monday, February 2, 2026

Security researcher Jason Meller highlights a significant security vulnerability within the OpenClaw agent ecosystem, specifically regarding how 'skills' are distributed and executed. While OpenClaw offers powerful local access to files and terminals, its skill registry has become an active attack surface for infostealing malware. Since skills are often delivered as simple markdown files, they bypass traditional security protocols like MCP by using social engineering to trick users into running malicious shell commands or installing fake dependencies. A top-downloaded 'Twitter' skill was discovered to be a delivery vehicle for macOS malware designed to steal credentials, API keys, and browser sessions. Meller warns against running OpenClaw on corporate devices and advocates for a robust trust layer that includes sandboxing, identity-based permissions, and time-bound access to prevent agents from becoming a vector for supply chain attacks.

Sources: Hacker News (263 pts)

Please stop using passkeys for encrypting user data
Friday, February 27, 2026

The author expresses concern over using passkeys with the PRF extension for data encryption. While passkeys are excellent for authentication, coupling them with encryption increases the risk of permanent data loss if a credential is deleted. The post urges the industry to limit PRF usage to durable contexts like credential managers.

Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware
Thursday, February 12, 2026

Apple released emergency patches for CVE-2026-20700, a decade-old zero-day vulnerability in the iOS dynamic linker dyld. Exploited in sophisticated attacks against individuals, the flaw allows arbitrary code execution. When chained with WebKit vulnerabilities, it enables zero-click device takeovers, resembling tools used by commercial surveillance firms like those behind Pegasus.

Sources: Hacker News (212 pts)

Running My Own XMPP Server
Monday, February 16, 2026

This guide details setting up a federated XMPP server using Prosody and Docker. It covers DNS configuration, SSL/TLS certificates via Let's Encrypt, and essential modules for mobile sync, push notifications, and OMEMO end-to-end encryption. Additionally, it addresses implementing file sharing and STUN/TURN services for voice and video calls.

Sources: Hacker News (189 pts)

YouTube as Storage
Saturday, February 14, 2026

This project enables storing files on YouTube by encoding them into lossless MKV videos using FFV1. It features both a CLI and a Qt6 GUI, supports XChaCha20-Poly1305 encryption via libsodium, and utilizes Wirehair fountain codes for redundancy. The C++23 implementation provides batch processing and high-resolution 4K encoding for data recovery.

Sources: Hacker News (186 pts)

Show HN: enveil – hide your .env secrets from prAIng eyes
Sunday, February 22, 2026

enveil is a Rust-based security tool designed to protect .env files from AI coding tools and accidental exposure. It replaces plaintext secrets with symbolic references, storing actual values in an encrypted local vault. Secrets are decrypted via a master password and injected directly into subprocesses, ensuring they never reside on disk.

Sources: Hacker News (176 pts)

US reportedly investigates claims that Meta can read encrypted WhatsApp messages
Saturday, January 31, 2026

The US authorities have reportedly investigated allegations that Meta can bypass end-to-end encryption to read private WhatsApp messages. These claims originated from a lawsuit filed by Quinn Emanuel Urquhart & Sullivan, representing anonymous whistleblowers from multiple countries. Meta has vehemently denied these assertions, labeling them as absurd and meritless, while suggesting the legal action is a strategic distraction by the NSO Group following a recent legal defeat. While technology experts highlight the mathematical impossibility of retroactively accessing encrypted chats, the case brings renewed scrutiny to WhatsApp metadata collection practices and the legal battles surrounding global surveillance and user privacy rights.

Sources: Hacker News (167 pts)

Upcoming changes to Let's Encrypt and how they affect XMPP server operators
Friday, February 6, 2026

Let’s Encrypt has announced a significant change to its default certificate issuance policy starting February 11, 2026. Certificates will shift to a 'server-only' authentication profile, omitting the 'client authentication' extension previously included. This transition poses a potential risk for XMPP server-to-server (s2s) federation because TLS libraries like OpenSSL often require the 'client authentication' flag when a server initiates an outgoing connection. While Prosody operators are protected due to existing software updates that accommodate this validation logic, other XMPP implementations like ejabberd and Openfire require specific versions to remain compatible. Failure to update incompatible server software may result in broken federation and authentication errors unless fallback mechanisms like dialback are enabled. This situation highlights the growing friction between web-centric Certificate Authority standards and the specific needs of decentralized federated protocols.

Sources: Hacker News (149 pts)