❌

Normal view

Two Scattered Spider Hackers Get 5.5 Years Each for Β£29 Million TfL Hack

16 July 2026 at 17:09
Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL's losses and recovery

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

16 July 2026 at 13:33
n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on theΒ subΒ claim alone and ignoredΒ iss. A valid token from issuer A carrying aΒ subΒ that belongs to someone under issuer B logged you in as them. Their password never

New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

16 July 2026 at 12:33
ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits. At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and

New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

16 July 2026 at 11:32
Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you

Unpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums Region-Wide

16 July 2026 at 09:23
Pull the certificate off the flash of a Shark RV2320EDUS robot vacuum, and you can run root commands on other people's Shark vacuums across the same AWS region: watch the camera, drive the robot, read the map of the house, and take the Wi-Fi password in plaintext. A researcher publishing under the handle tokay0Β put the method onlineΒ on Monday, having tested it only against vacuums he

❌