Security incidents, practical advisories, and privacy-focused insights from the KzNet team.
Advisory
Mar 2026
Google Patches Two Chrome Zero-Days Exploited in the Wild
Google released an emergency Chrome update (v146.0.7680.75+) fixing two actively exploited zero-days: CVE-2026-3909, an out-of-bounds write in the Skia graphics library, and CVE-2026-3910, an inappropriate implementation in the V8 JavaScript engine enabling arbitrary code execution. Both were triggered via crafted HTML pages with confirmed in-the-wild exploits. Update Chrome immediately.
Incident Spotlight
Mar 2026
Iran's MuddyWater Deploys New Dindoor Backdoor Against U.S. Banks, Airports, and Defense Firms
Iranian state-sponsored group MuddyWater has been active inside U.S. and Canadian networks since early February 2026, deploying two previously unseen tools: Dindoor, a backdoor built on the Deno JavaScript runtime, and Fakeset, a Python-based backdoor hosted on Backblaze cloud storage. Targets include U.S. banks, airports, a Canadian non-profit, and a defense software firm with Israeli operations — with initial access gained through spear-phishing and social engineering. The timing follows U.S. and Israeli military strikes on Iran, consistent with MuddyWater's pattern of ramping up intrusions during geopolitical escalation.
Incident Spotlight
Mar 2026
FBI and Europol Seize LeakBase: 142,000-Member Credential Marketplace Shut Down
In a coordinated sweep across eight countries, the FBI and Europol seized LeakBase — a forum where stolen credentials, stealer logs, and financial data from hundreds of millions of accounts were bought and sold since 2021. Around 100 enforcement actions were carried out globally, with 37 of the platform's most active users directly targeted. The forum's Russian administrator, identified as 33-year-old Artem Kuchumov, was named as part of the operation, and all user accounts, private messages, and IP logs were secured as evidence — a reminder that criminal forums are rarely as anonymous as their members assume.
Advisory
Feb 2026
Hardware Security Keys Are the Gold Standard for MFA — Here's What to Look For
Push-based MFA is better than nothing, but it's vulnerable to fatigue attacks and real-time phishing. Hardware keys (FIDO2/WebAuthn) eliminate this attack surface by requiring physical presence and cryptographically binding each login to the legitimate site — a phishing page can't intercept the handshake. When choosing one: look for FIDO2 certification, USB-C and NFC support for cross-device compatibility, open or audited firmware, and a PIN-protection option. Always register a backup key. The YubiKey 5 series and Google Titan keys are widely recommended starting points.
Advisory
Jan 2026
GrapheneOS in 2026: The Privacy-First Mobile OS That's Ready for Daily Use
GrapheneOS has matured significantly. With broad app compatibility, hardened sandboxing, and a growing user community, it's no longer just for security researchers — it's a practical choice for anyone who values their data. The OS supports the Google Play Store via isolated profiles, meaning most apps work normally while being denied access to the underlying hardware and identifiers they'd typically exploit. If you're running a stock Android device and wondering whether there's a better option, the answer in 2026 is yes.
Incident Spotlight
Sep 2023
MGM Resorts: A LinkedIn Search and a Phone Call Led to a $100M Outage
Attackers found an MGM employee on LinkedIn, called the IT helpdesk impersonating them, and gained access to internal systems — causing widespread outages across hotels and casinos. No technical exploit was needed. A single successful social engineering call was enough to begin the breach. Identity verification at the service desk isn't a formality — it's a control that, when bypassed, can cascade into a nine-figure incident.
Incident Spotlight
Sep 2022
Uber: MFA Push Fatigue Exploited in Under 20 Minutes
An attacker bombarded an Uber employee with MFA push notifications until they accepted one out of frustration — then impersonated IT support to escalate access further. The attacker had already obtained the employee's password through other means; the MFA prompt was the last barrier. Number-matching MFA, push rate limits, and awareness training around helpdesk impersonation are now baseline expectations for any organization using push-based authentication.
Incident Spotlight
Mar 2022
Dirty Pipe (CVE-2022-0847): GrapheneOS Patched in 24 Hours. Stock Android Took Two Months.
Dirty Pipe is a Linux kernel vulnerability that allows unprivileged processes to overwrite the contents of read-only files — including setuid binaries. On Android, this meant local privilege escalation to root. The CVE was publicly disclosed on March 7, 2022. GrapheneOS shipped a patch the following day. Google's May 2022 Android Security Bulletin — released roughly eight weeks later — was when most Pixel users received the fix. The gap between public disclosure and patch delivery is exactly when exposure is highest.
Incident Spotlight
Dec 2021
Log4Shell (CVE-2021-44228): The Vulnerability Hiding in Half the Internet
A critical remote code execution flaw in Apache Log4j — a logging library embedded in hundreds of thousands of applications, from enterprise software to cloud services — allowed attackers to execute arbitrary code by triggering a single malicious log entry. No authentication required. The vulnerability was actively exploited within hours of public disclosure by ransomware groups, cryptominers, and nation-state actors. CISA described it as one of the most serious vulnerabilities ever seen. Full remediation required organizations to audit every product in their stack for a dependency most had never thought to inventory.
Incident Spotlight
Jul 2021
Kaseya VSA: REvil's $70M Supply Chain Ransomware Attack Over the Fourth of July Weekend
REvil exploited a zero-day in Kaseya VSA — remote monitoring software used by managed service providers — to simultaneously push ransomware to approximately 1,500 downstream businesses. The attackers chose the Fourth of July weekend deliberately, when security teams are understaffed. By targeting the MSP layer rather than individual organizations, a single vulnerability multiplied into a mass-casualty ransomware event. The $70 million ransom demand was among the largest ever made, and the incident accelerated scrutiny of third-party and MSP supply chain risk across the industry.
Incident Spotlight
Jun 2021
Colonial Pipeline: How One Compromised Password Shut Down Critical Infrastructure
A single reused VPN credential — with no MFA — gave attackers a foothold that led to a 6-day shutdown of the largest fuel pipeline in the United States. The account wasn't even actively in use at the time. Credentials don't expire when an employee stops using them, and legacy remote access accounts are rarely audited. This incident made clear that remote access hygiene — MFA, disabled unused accounts, credential monitoring — is not optional for critical infrastructure.
Incident Spotlight
Dec 2020
SolarWinds SUNBURST: The Supply Chain Attack That Compromised the US Government
Nation-state attackers attributed to Russia's SVR compromised SolarWinds' build pipeline, injecting backdoor code into digitally signed Orion software updates distributed to approximately 18,000 organizations — including the US Departments of Treasury, Commerce, Homeland Security, and State. The malware lay dormant for two weeks after installation before activating and went undetected for months. SolarWinds redefined the threat model for software supply chains: a trusted vendor, a legitimate signed update, and a routine patch cycle were all weaponized simultaneously.
Incident Spotlight
Jul 2020
Twitter's $120K Bitcoin Scam: How Three People Social-Engineered the World's Most Visible Platform
Attackers used phone-based social engineering to manipulate Twitter employees into granting access to internal admin tools. Within hours, the verified accounts of Barack Obama, Elon Musk, Jeff Bezos, Apple, and others were hijacked to run a Bitcoin scam — generating roughly $120,000 before the platform was locked down. Three individuals, the youngest just 17, were responsible. No sophisticated exploit was used. The breach demonstrated that privileged internal tooling can be more accessible than public-facing security would suggest, and that social engineering scales against the highest-value targets.
Incident Spotlight
Jul 2019
Capital One: A Misconfigured WAF and an SSRF Vulnerability Exposed 100 Million Records
A former AWS engineer exploited a misconfigured web application firewall to execute a server-side request forgery (SSRF) attack against Capital One's cloud infrastructure — accessing the EC2 instance metadata service and pivoting to S3 buckets containing sensitive customer data. Over 100 million records were exfiltrated, including names, addresses, credit scores, and Social Security numbers. Capital One later paid $190 million to settle class-action suits. The incident established SSRF against cloud metadata endpoints as a headline attack vector and made cloud WAF misconfiguration a board-level conversation.
Incident Spotlight
Nov 2018
Marriott/Starwood: Attackers Had Undetected Access for Four Years — Starting Before the Acquisition
Marriott disclosed that attackers had maintained persistent access to the Starwood guest reservation database since at least 2014 — two years before Marriott acquired Starwood. By the time the breach was detected in 2018, the compromised database contained records for up to 500 million guests: names, addresses, passport numbers, payment card data, and dates of birth. Four years of undetected access represented failures across asset discovery, network segmentation, and anomaly detection — and raised a question rarely asked during M&A: what security debt are we inheriting?
Incident Spotlight
Sep 2017
Equifax: An Unpatched Server and an Expired Certificate Exposed Half of America
Equifax failed to patch a known Apache Struts vulnerability (CVE-2017-5638) for five months after a fix was available. Attackers exploited it to exfiltrate Social Security numbers, birth dates, addresses, and driver's license numbers for 147 million Americans — roughly half the adult US population. An expired SSL inspection certificate had left malicious traffic unexamined for 76 days. Equifax paid over $700 million in settlements. The breach became a landmark case for the legal consequences of documented, known-but-unpatched vulnerability management failures.
Incident Spotlight
May 2017
WannaCry: A Leaked NSA Exploit Shut Down 200,000 Systems Across 150 Countries in 24 Hours
WannaCry ransomware spread globally by exploiting EternalBlue — an NSA-developed exploit for a Windows SMBv1 vulnerability leaked by a group calling itself the Shadow Brokers. Microsoft had issued patch MS17-010 two months prior, but millions of unpatched systems remained exposed. The UK's NHS was among the hardest hit: hospitals diverted ambulances, cancelled surgeries, and reverted to paper records. A kill-switch domain discovered by researcher Marcus Hutchins halted propagation. WannaCry was widely attributed to North Korea and defined ransomware as a geopolitical weapon.
Incident Spotlight
Apr 2014
Heartbleed (CVE-2014-0160): A Silent Two-Year Leak in Two-Thirds of the Internet
A buffer over-read bug in OpenSSL's TLS heartbeat extension allowed anyone to read up to 64KB of server memory per request — no authentication required, no trace in logs. The affected memory could contain private SSL keys, session tokens, and user passwords. OpenSSL was used by an estimated two-thirds of the internet at the time, and the vulnerability had been silently present since December 2011. There was no way to know whether a server had already been exploited. Heartbleed was the first vulnerability to receive a branded identity — name, logo, dedicated website — setting a precedent for how critical disclosures are communicated.
Incident Spotlight
Nov 2013
Target: Stolen HVAC Vendor Credentials, Lateral Movement, and 40 Million Card Numbers
Attackers used credentials stolen from Fazio Mechanical, a third-party HVAC vendor, to gain initial access to Target's network during the 2013 holiday shopping season. They moved laterally to the point-of-sale network — a segment that should have been isolated — and installed RAM-scraping malware on payment terminals across all US stores. Roughly 40 million credit and debit card numbers were stolen, along with personal data for 70 million customers. Target's security tooling had generated automated alerts before the breach was discovered — they went uninvestigated. Target paid $18.5 million in a multistate settlement.