Daily Digest

Microsoft just dropped an urgent patch for two zero-day vulnerabilities in Windows Defender—and attackers are already exploiting them in the wild. One flaw lets hackers grab SYSTEM-level control of your machine, while the other can crash your system into a denial-of-service nightmare. If you're running Windows Defender (and let's be honest, most of you are), your PC is a potential target right now. The U.S. government is already ordering federal agencies to patch within two weeks, but home users and businesses need to act fast too.

**What exactly happened** Microsoft rolled out emergency patches on Wednesday for two actively exploited zero-day vulnerabilities in Windows Defender. The first, CVE-2026-41091, is a privilege escalation flaw in the Microsoft Malware Protection Engine (versions 1.1.26030.3008 and earlier). The second, CVE-2026-45498, is a denial-of-service vulnerability in the Microsoft Defender Antimalware Platform (versions 4.18.26030.3011 and earlier). Both bugs are being used in real-world attacks right now. That's not a drill. **Who is affected and how** If you're running Windows Defender—which ships with every modern Windows system—you're in the crosshairs. The vulnerabilities also impact Microsoft's System Center Endpoint Protection, System Center 2012 R2 Endpoint Protection, System Center 2012 Endpoint Protection, and Security Essentials. That means enterprise environments, small businesses, and home users are all potentially exposed. Attackers don't need to trick you into clicking anything; they can exploit these flaws silently once they have a foothold. **The real-world impact and consequences** The first flaw (CVE-2026-41091) is the scarier one. It lets attackers escalate privileges to SYSTEM level—the highest access tier in Windows. Once they have that, they can install malware, steal data, create backdoors, or disable security tools entirely. The second flaw (CVE-2026-45498) is a denial-of-service weapon. Attackers can crash Windows Defender, leaving your system blind and vulnerable to further attacks. Imagine your antivirus just... stops working. That's the nightmare scenario. **Technical breakdown** CVE-2026-41091 stems from an "improper link resolution before file access" weakness. In plain English: Windows Defender doesn't properly handle symbolic links when scanning files. Attackers can create malicious links that trick Defender into granting SYSTEM privileges instead of user-level access. CVE-2026-45498 is simpler but equally dangerous. It exploits a flaw in how the antimalware platform processes certain inputs, causing it to crash repeatedly. No fancy privilege escalation needed—just a system that's suddenly unprotected. **What should be done** Microsoft has released updated versions: Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. The good news? These updates install automatically by default. But don't just trust that—verify. Open Windows Security, go to Virus & threat protection, click "Protection Updates," then "Check for updates." Navigate to Settings > About and check your Antimalware Client Version. If it matches or exceeds the patched versions, you're safe. CISA has also mandated that federal agencies patch by June 3. For everyone else: don't wait. Check your updates now. **Why this matters in the bigger cybersecurity landscape** Zero-days in security software are particularly dangerous because they undermine the very tools we trust to protect us. When Defender itself becomes a vector, it's like your guard dog turning into a wolf. This also highlights a growing trend: attackers are targeting the security stack itself. We've seen similar flaws in CrowdStrike, SentinelOne, and now Microsoft's own products. The message is clear—no software is immune, and automatic updates aren't a "set it and forget it" solution. Verify, verify, verify.

GitHub just confirmed what many feared: the attackers who poisoned TanStack's npm packages last week didn't stop there. They used a compromised VS Code extension called Nx Console to breach GitHub's own internal systems, accessing over 3,800 private repositories. This isn't just another supply chain attack—it's a wake-up call for every developer and organization relying on open-source tooling. The threat group TeamPCP turned a popular developer extension into a backdoor, proving that even the platforms we trust to host our code can become victims of their own tools.

**What exactly happened** GitHub disclosed on Wednesday that attackers gained unauthorized access to its internal repositories by exploiting a malicious version of the Nx Console VS Code extension. This extension, officially available on the VS Code marketplace and used by developers to manage large codebases, was compromised during last week's TanStack npm supply-chain attack. The breach allowed the threat group, tracked as TeamPCP, to access approximately 3,800 internal repositories. GitHub's CISO Alexis Wales confirmed the company has since secured the compromised employee device and found no evidence that customer data outside those repos was stolen. **Who is affected and how** The attack chain began with the compromise of dozens of TanStack and Mistral AI npm packages. Using stolen CI/CD credentials, the attackers quickly pivoted to other high-profile projects including UiPath, Guardrails AI, and OpenSearch. GitHub's platform serves over 4 million organizations, including 90% of Fortune 100 companies, and more than 180 million developers. While GitHub says customer data remains safe, the breach of internal repositories raises serious questions about the security of the development tools we all rely on. **The real-world impact and consequences** TeamPCP is no stranger to major supply chain attacks. They've previously targeted PyPI, npm, GitHub, and Docker, and were recently linked to the "Mini Shai-Hulud" campaign that affected two OpenAI employees. This incident demonstrates how a single compromised developer extension can cascade into a breach of one of the world's most critical code hosting platforms. The attackers didn't need sophisticated zero-days—they just needed one developer to install a malicious extension. **Technical breakdown** The malicious Nx Console extension was uploaded to the VS Code marketplace after TeamPCP compromised the TanStack npm ecosystem. Once installed on a GitHub employee's machine, the extension provided attackers with a foothold into GitHub's internal network. From there, they used stolen credentials to access repositories containing proprietary code, internal tools, and potentially sensitive configuration files. The attack highlights how CI/CD pipelines and developer tooling have become prime targets for supply chain attackers. **What should be done — mitigation and recommendations** Organizations should immediately audit all VS Code extensions installed on developer machines and verify their integrity. GitHub recommends using only extensions from verified publishers and enabling automatic updates only from trusted sources. Developers should also implement strict access controls for CI/CD pipelines, rotate credentials regularly, and monitor for unusual activity in repository access logs. For organizations using Nx Console specifically, verify you're running the legitimate version from the official Nx publisher. **Why this matters in the bigger cybersecurity landscape** This breach is a stark reminder that supply chain attacks are evolving beyond just compromised packages. Attackers are now targeting the tools developers use to write, build, and deploy code—the very extensions and plugins we trust to make us more productive. With over 180 million developers on GitHub and 4 million organizations depending on the platform, the implications are enormous. If attackers can compromise a VS Code extension used by a GitHub employee, they can potentially access the internal repositories of the world's largest code host. The message is clear: every extension, every plugin, every tool in your development chain is a potential attack vector. Trust but verify is no longer optional—it's survival.

May 2026’s Patch Tuesday is rewriting the rules of cybersecurity—and it’s all thanks to AI. While artificial intelligence platforms are proving shockingly vulnerable to social engineering, they’re also becoming the star players in finding security flaws in human-written code. This month, Apple, Google, Microsoft, Mozilla, and Oracle are shipping near-record volumes of patches, and the tempo is only accelerating. If you use Windows, Chrome, Safari, or any major software, your devices are at risk until you update.

**What exactly happened** Microsoft kicked off this month’s Patch Tuesday with fixes for at least 118 security vulnerabilities across Windows and its ecosystem. That’s a hefty number, but here’s the twist: for the first time in nearly two years, Microsoft isn’t patching any emergency zero-day flaws that are already being exploited in the wild. No bugs were publicly disclosed ahead of time either, which means attackers didn’t get a head start. Sixteen of these bugs earned Microsoft’s “critical” label, meaning they can be abused to remotely take over a vulnerable Windows device with minimal user interaction. Rapid7 flagged several standout weaknesses, including CVE-2026-41089—a critical stack-based buffer overflow in Windows Netlogon that gives an attacker SYSTEM privileges on the domain controller. No privileges or user interaction required. That’s a nightmare scenario for enterprise networks. **Who is affected and how** If you’re running Windows, macOS, Chrome, Firefox, Safari, or Oracle software, you’re in the crosshairs. This isn’t just about Microsoft. Apple, Google, Mozilla, and Oracle all shipped updates this month, and many of these patches address vulnerabilities that could let attackers execute code remotely, steal data, or take full control of your system. The real danger lies in the speed of exploitation. While no zero-days are being actively used yet, the sheer volume of critical bugs means attackers are already reverse-engineering the patches to find exploitable weaknesses. Home users, small businesses, and large enterprises are all at risk—especially those slow to update. **The real-world impact and consequences** Imagine a scenario where a single unpatched Windows domain controller gets hit by CVE-2026-41089. An attacker gains SYSTEM privileges, moves laterally across your network, and deploys ransomware before you even notice. That’s not hypothetical—it’s the kind of attack these patches are designed to prevent. For organizations, the cost of inaction is steep. Data breaches, regulatory fines, and reputational damage are all on the table. For individuals, it could mean identity theft, financial loss, or losing access to personal files. The stakes are higher than ever because attackers are now using AI to automate exploit development, making the window for patching even narrower. **Technical breakdown (explain the "how" simply)** Let’s break down CVE-2026-41089. A stack-based buffer overflow happens when a program writes more data to a memory buffer than it can hold. In Windows Netlogon, this flaw lets an attacker send a specially crafted request to the domain controller. The overflow corrupts memory, allowing the attacker to execute arbitrary code with SYSTEM privileges—the highest level of access on Windows. No user interaction is needed. No credentials are required. It’s a remote code execution vulnerability that can be triggered over the network. Other critical bugs this month involve similar issues in Windows Remote Desktop Services, Microsoft Office, and the Windows Kernel. Each one is a potential entry point for attackers. **What should be done — mitigation and recommendations** Patch now. That’s the single most effective step you can take. Enable automatic updates for Windows, macOS, Chrome, Firefox, and Safari. For enterprise environments, prioritize patching domain controllers, internet-facing servers, and endpoints with sensitive data. Don’t forget about third-party software. Oracle, Adobe, and other vendors also released updates this month. If you’re using any of their products, apply those patches too. And before you update, back up your critical data and system drives. It’s sound advice that could save you from a ransomware attack if something goes wrong. **Why this matters in the bigger cybersecurity landscape** This Patch Tuesday marks a turning point. AI is now a double-edged sword: it’s finding vulnerabilities faster than humans ever could, but it’s also being tricked by social engineering. The near-record volume of patches reflects how quickly the threat landscape is evolving. For defenders, the takeaway is clear: speed is everything. Attackers are using AI to automate exploit development, so the gap between patch release and exploitation is shrinking. Organizations that delay updates are gambling with their security. This month’s patch cycle is a wake-up call—not just to update, but to rethink how we approach vulnerability management in an AI-driven world.

A massive cyberattack just brought thousands of schools and universities to a screeching halt. The education tech giant Canvas—used by nearly 9,000 institutions—was hit by a data extortion attack that defaced its login page with a ransom demand threatening to leak data on 275 million students and faculty. If your school uses Canvas for coursework, assignments, or communication, this hits close to home. The breach exposed names, email addresses, and student IDs, and the attackers are demanding payment to keep it all quiet. Instructure, Canvas's parent company, has already paid the ransom—but the damage to trust and security is just beginning.

**What exactly happened** On May 6, the cybercrime group ShinyHunters defaced Canvas's login page with a ransom demand, forcing Instructure to temporarily disable the platform. The attackers claimed they had stolen data on 275 million users and threatened to leak it unless paid. The initial deadline was May 6, later pushed to May 12. Instructure confirmed a data breach earlier that week. The stolen information includes names, email addresses, and student ID numbers, plus messages between users. The company says no passwords, birth dates, government IDs, or financial data were taken—but that's still a goldmine for identity theft and phishing. **Who is affected and how** Canvas is the backbone of online learning for thousands of K-12 schools, universities, and even some businesses. If your child logs in for homework, or you're a professor managing grades, you're in the blast radius. The attack disrupted classes and coursework nationwide, leaving students unable to submit assignments or access materials. The real victims are the 275 million users whose personal data is now in criminal hands. Even if the ransom was paid, the data could still be copied or sold. Schools are now scrambling to notify affected families and staff, while students worry about their privacy. **The real-world impact and consequences** Beyond the immediate disruption, this breach erodes trust in digital education tools. Parents and administrators will think twice before uploading sensitive data to cloud platforms. The attack also highlights how vulnerable critical infrastructure—like school systems—is to extortion. For students, leaked email addresses and IDs can fuel targeted phishing scams. Imagine getting a fake email from "your school" asking for your password. For faculty, exposed internal messages could lead to embarrassment or even legal issues. And for Instructure, the reputational hit could drive schools to seek alternative platforms. **Technical breakdown (the "how")** ShinyHunters likely gained access through a compromised credential or vulnerability in Canvas's system. Once inside, they exfiltrated user data and then defaced the login page—a classic double extortion tactic. The defacement served as a public shaming to pressure Instructure into paying. Instructure's response was to disable the platform, investigate, and eventually pay the ransom. They received digital confirmation of data destruction (shred logs) and claim no customers will be extorted. But paying ransoms is controversial—it funds cybercrime and doesn't guarantee data is truly gone. **What should be done — mitigation and recommendations** If you're a Canvas user, change your password immediately—even if Instructure says passwords weren't leaked. Enable multi-factor authentication on your school account. Be extra cautious of phishing emails asking for personal info or urging you to click links. Schools should review their data-sharing agreements with Instructure and consider encrypting sensitive data before uploading. They should also have a backup plan for when platforms go down—like offline assignment submission methods. For Instructure, the priority is transparency. They need to clearly communicate what data was taken, how they'll protect users going forward, and whether they'll invest in stronger security measures. Paying ransoms may solve short-term problems, but it invites future attacks. **Why this matters in the bigger cybersecurity landscape** This breach is a wake-up call for the education sector, which has long been underfunded in cybersecurity. Schools hold vast amounts of personal data but often lack the resources to defend it. Attackers know this—and they're targeting them more frequently. The Canvas incident also underscores the danger of single points of failure. When one platform serves millions of users, a single breach can ripple across the entire education system. It's a stark reminder that cybersecurity isn't just about protecting data—it's about keeping society functioning.

The Flipper Zero crew just dropped a bombshell—they're building a new device called Flipper One, and they want your help. This isn't an upgrade; it's a completely different beast. Think portable ARM Linux computer, not a pocket multi-tool. It's designed for serious networking, SDR analysis, and even running local LLMs. If you're into hardware tinkering, this is your next playground, but the project is still raw and needs community muscle to become real.

**What exactly happened** Flipper Devices, the team behind the wildly popular Flipper Zero, has announced the Flipper One project. Unlike its predecessor, which focused on offline radio hacking (NFC, RFID, infrared), the One is a high-performance, Linux-based platform for deep networking and hardware experimentation. The company is clear: this is not a sequel. It's a "completely different project with its own goals." They're now asking the community to help build it, signaling that this is a collaborative, open-source effort from the ground up. **Who is affected and how** This directly impacts cybersecurity enthusiasts, penetration testers, hardware hackers, and developers who want a portable Linux box. If you've ever wanted a device that can act as a router, VPN gateway, or SDR analysis tool on the go, this is for you. But here's the catch: the project is unfinished. Prototypes have missing parts, core software support is lacking, and architectural decisions are still up in the air. Early adopters will need patience and a willingness to contribute code or ideas. **The real-world impact and consequences** The Flipper One could democratize advanced networking and hardware testing. Imagine running a full SDR analysis or a local LLM on a portable device—that's powerful for fieldwork, penetration testing, and education. However, the financial risks are real. Founder Pavel Zhovner cited a "current RAM chip crisis" as a major hurdle. If the community doesn't step up, this ambitious project might stall, leaving a gap for competitors like the PinePhone or Raspberry Pi-based builds. **Technical breakdown (explain the "how" simply)** At its core, the Flipper One uses a dual-processor architecture. The main brain is a Rockchip RK3576 ARM SoC with 8GB RAM, handling Linux workloads. A secondary Raspberry Pi RP2350 microcontroller independently manages the display, power, buttons, and boot process. This means the device stays operational even when the OS is powered off—a clever design for low-power tasks. It's also modular, supporting M.2, GPIO, PCIe, USB 3.1, SATA, and SIM interfaces. You can plug in SDRs, SSDs, Wi-Fi cards, AI accelerators, or even 5G modems. **What should be done — mitigation and recommendations** If you're interested, start by following Flipper's R&D social media for updates. The company will share progress periodically, and community feedback will shape the final product. For developers, consider contributing to the open Linux platform—whether it's kernel patches, driver support, or software packages. For non-technical fans, spread the word and be patient. This is a risky, community-driven project, not a polished consumer product. **Why this matters in the bigger cybersecurity landscape** The Flipper One represents a shift toward open, modular, and powerful portable tools. It challenges the closed ecosystems of traditional devices and empowers tinkerers to build custom solutions. If successful, it could become a Swiss Army knife for network engineers, security researchers, and IoT developers. But if it fails, it's a reminder that even the most innovative hardware projects need community support to survive. The ball is in our court now.

An 18-year-old from Odesa has been identified by Ukrainian cyberpolice and U.S. law enforcement as the mastermind behind a massive infostealer operation. The malware targeted users of a California online store, compromising 28,000 accounts and causing over $700,000 in fraudulent purchases. This isn't just another teen hacker story—it's a wake-up call about how easily infostealers can bypass your passwords and even multi-factor authentication. If you shop online, your session tokens could be next on the chopping block.

**What exactly happened** Ukrainian cyberpolice, working with U.S. authorities, identified an 18-year-old man from Odesa as the suspected operator of an infostealer malware campaign. Between 2024 and 2025, the malware silently infected devices of users from a California-based online store. The goal was simple but devastating: steal browser sessions and account credentials. The attacker then used or sold this data through Telegram bots and specialized online marketplaces. **Who is affected and how** The operation compromised 28,000 customer accounts. Of those, the attackers actively used 5,800 accounts to make unauthorized purchases totaling roughly $721,000. Direct losses including chargebacks reached $250,000. The victims were everyday online shoppers, not high-profile targets. This shows that infostealers don't discriminate—anyone with a browser and a credit card is fair game. **The real-world impact and consequences** Beyond the immediate financial loss, victims face identity theft risks and compromised personal data. The stolen session tokens allow attackers to log into accounts without passwords, often bypassing MFA entirely. For the business, chargebacks and reputational damage add to the bottom line. And for the suspect, the evidence seized—phones, computers, bank cards, and crypto exchange logs—could lead to serious legal consequences. **Technical breakdown** Infostealers work by secretly installing malware on a user's device, often through phishing emails or malicious downloads. Once inside, they harvest browser cookies, session tokens, passwords, and crypto wallet details. The key here is "session tokens." These are like digital keys that let you stay logged into a website. Even if you use MFA, a stolen session token can let an attacker waltz right in without needing your password or second factor. The suspect then processed and sold this data through Telegram bots and online resources, using cryptocurrency to pay accomplices. **What should be done — mitigation and recommendations** For individuals: Use a password manager, enable MFA where possible, and avoid clicking suspicious links. Regularly clear browser cookies and log out of sessions when done. For businesses: Implement session timeouts, monitor for unusual login patterns, and educate users about phishing. Consider using device fingerprinting and behavioral analytics to detect session hijacking. **Why this matters in the bigger cybersecurity landscape** This case highlights a growing trend: young, technically skilled individuals turning to cybercrime for quick profit. Infostealers are becoming a commodity, with low barriers to entry and high potential rewards. The collaboration between Ukrainian and U.S. law enforcement shows that international borders are no shield. But the real lesson is that session hijacking is a silent, invisible threat that can bypass even strong authentication. As more of our lives move online, protecting session tokens is no longer optional—it's essential.

A contractor working for the Cybersecurity & Infrastructure Security Agency (CISA) just left the digital keys to the kingdom sitting in a public GitHub repository. This wasn't just any leak—it exposed credentials to highly privileged AWS GovCloud accounts and a trove of internal CISA systems. Security researchers are calling it one of the most egregious government data leaks in recent memory. The archive included blueprints for how CISA builds, tests, and deploys software internally. If you care about national security, this one hits close to home.

**What exactly happened** On May 15, a researcher from the security firm GitGuardian flagged a public GitHub repository named "Private-CISA" to KrebsOnSecurity. The repository belonged to a CISA contractor and contained a staggering amount of sensitive data—cloud keys, tokens, plaintext passwords, logs, and credentials for AWS GovCloud accounts. The contractor had been using this public repo to synchronize files between a work laptop and a home computer since November 2025. The commit logs showed they even disabled GitHub's default setting that blocks users from publishing SSH keys or secrets in public repositories. A textbook case of poor security hygiene. **Who is affected and how** The exposed credentials gave access to multiple highly privileged AWS GovCloud accounts—the cloud environment specifically designed for U.S. government sensitive workloads. Also compromised were a large number of internal CISA systems, including files detailing how the agency builds, tests, and deploys software internally. Anyone with basic GitHub browsing skills could have accessed this data. The repository was public, meaning threat actors, nation-state hackers, or curious script kiddies could have downloaded everything before it was taken down. The contractor in question wasn't even responding to GitGuardian's alerts. **The real-world impact and consequences** This isn't just an embarrassing leak—it's a national security concern. CISA is the agency responsible for defending the nation's critical infrastructure from cyber threats. Exposing their internal playbook and credentials is like handing a burglar the floor plan to a bank vault. Security experts noted that threat actors often use key credentials exposed on internal networks to expand their reach after establishing initial access. If malicious actors had already compromised other parts of the network, this leak could have accelerated their lateral movement. The potential for supply chain attacks or intelligence gathering is significant. **Technical breakdown** The repository contained plaintext passwords in CSV files, SSH keys, API tokens, and cloud service credentials. The contractor had disabled GitHub's secret scanning protection, which normally prevents accidental exposure of sensitive data. This allowed the credentials to remain visible for months. AWS GovCloud is a specialized environment with additional compliance controls for government data. Exposing credentials to this environment means attackers could potentially access classified or sensitive government workloads, modify infrastructure, or exfiltrate data without triggering standard alarms. **What should be done — mitigation and recommendations** CISA should immediately rotate all exposed credentials, revoke access for the contractor, and conduct a forensic audit of the repository's access logs. They need to determine if any unauthorized parties accessed the data before it was taken down. Organizations should enforce GitHub's secret scanning by default and implement policies that prevent disabling these protections. Regular automated scans of public repositories for exposed secrets should be mandatory, especially for government contractors. The contractor's access should be terminated pending investigation. **Why this matters in the bigger cybersecurity landscape** This leak highlights a persistent problem: even the agencies tasked with protecting our digital infrastructure struggle with basic security hygiene. It underscores the gap between cybersecurity policy and real-world practice. The incident serves as a stark reminder that insider threats—whether malicious or accidental—remain one of the biggest risks to national security. It also shows the critical role of security researchers and automated scanning tools in catching exposures that internal teams miss. For CISA, this is a humbling lesson that security starts at home.

A Brazilian cybersecurity firm that sells DDoS protection to ISPs has been caught red-handed launching massive DDoS attacks against those very same customers. The company's own CEO claims it was a hack—but the evidence tells a much darker story. This isn't just another botnet takedown. It's a betrayal of trust at the highest level, with a mitigation provider allegedly weaponizing its own infrastructure against the networks it was paid to defend. If you're a Brazilian ISP, your protector may have been your predator.

**What exactly happened** Security researchers tracking a years-long wave of massive DDoS attacks targeting Brazilian ISPs finally got a break. A confidential source shared a file archive exposed in an open directory online. Inside that archive were Python-based malware tools, SSH keys, and logs that directly tied the attacks to Huge Networks—a company that sells DDoS protection to Brazilian network operators. The archive contained the private SSH authentication keys of Huge Networks' own CEO. It also included evidence that the company's infrastructure was used to launch sustained, high-volume attacks against other Brazilian ISPs. The attacks were not subtle: they targeted the very networks Huge Networks claims to protect. **Who is affected and how** The primary victims are Brazilian ISPs and their customers. For years, these networks have been pummeled by DDoS attacks originating from within Brazil, with no clear source. Now it appears the attacker was a company they might have even considered hiring for protection. The attacks disrupted internet services for thousands of users, potentially costing ISPs millions in mitigation efforts and lost business. The trust damage is even worse—if a DDoS protection provider can't be trusted, who can? **The real-world impact and consequences** This is a catastrophic breach of trust in the cybersecurity industry. Huge Networks, founded in Miami but operating primarily in Brazil, built its reputation on protecting game servers and later expanded to ISP-level DDoS mitigation. The company had no public abuse complaints and was not linked to any DDoS-for-hire services—until now. The CEO's explanation that a competitor hacked them and used their infrastructure to launch attacks strains credibility. If true, it means Huge Networks' security was so weak that an attacker could steal SSH keys and launch massive attacks without detection. If false, it means the company was knowingly attacking its own market. **Technical breakdown** The exposed archive contained Portuguese-language Python scripts designed for DDoS attacks. More damningly, it included the CEO's private SSH keys—the digital keys to the kingdom. These keys would allow anyone with access to authenticate as the CEO on Huge Networks' servers and launch attacks. The malware was not sophisticated, but it didn't need to be. The attacks were massive because they leveraged Huge Networks' own infrastructure, which was designed to handle high traffic volumes. This is the classic "using your own shield against you" scenario. **What should be done** Brazilian ISPs should immediately audit any relationships with Huge Networks and review network logs for signs of attacks originating from their infrastructure. The exposed SSH keys should be considered compromised and revoked. The broader cybersecurity community should treat this as a reminder that DDoS protection providers are not immune to compromise—or to turning malicious. Any company with privileged access to your network should be subject to the same security scrutiny as any other third-party vendor. **Why this matters** This incident exposes a dangerous blind spot in the cybersecurity industry. Companies that sell protection have deep access to their customers' networks. If that trust is abused—whether through a hack or malicious intent—the damage is amplified because the attacker is already inside the castle walls. The CEO's claim of a competitor's "surprise" at an upcoming industry event adds a layer of intrigue, but it doesn't change the core lesson: trust but verify, especially when the trust involves the keys to your network. The cybersecurity industry needs better transparency and accountability, or the next "protector" might be the one knocking your network offline.

A 24-year-old British hacker who helped steal tens of millions in crypto has just pleaded guilty. His name is Tyler Robert Buchanan, known online as "Tylerb," and he was a senior member of the notorious cybercrime group Scattered Spider. He admitted to orchestrating SMS phishing attacks that hit major tech giants like Twilio, LastPass, and DoorDash in 2022. The result? Stolen cryptocurrency and a potential 22-year prison sentence. If you use any of these platforms, your data may have been caught in the crossfire.

**What exactly happened** Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, pleaded guilty to wire fraud conspiracy and aggravated identity theft. He was a top member of Scattered Spider, a cybercrime group infamous for its slick social engineering tactics. In the summer of 2022, Buchanan and his crew launched tens of thousands of SMS phishing attacks. These weren't random shots in the dark—they were carefully aimed at employees of major tech companies. The group successfully breached at least a dozen firms, including Twilio, LastPass, DoorDash, and Mailchimp. Once inside, they stole data that would fuel their next move: draining cryptocurrency wallets. **Who is affected and how** The immediate victims were the tech companies themselves, but the real damage hit individual cryptocurrency investors. After the initial breaches, Scattered Spider used stolen credentials to pull off SIM-swapping attacks. In a SIM-swap, criminals trick a mobile carrier into transferring a victim's phone number to a device they control. This bypasses two-factor authentication, giving them access to email, social media, and—most critically—crypto exchange accounts. Tens of millions of dollars in cryptocurrency vanished from investors' wallets. If you held crypto during that period and used any of the breached services, your account could have been targeted. **The real-world impact and consequences** Buchanan now faces a statutory maximum of 22 years in federal prison. His sentencing hearing is set for August 21, 2026. But the final sentence could be lighter, depending on factors like his age, cooperation with authorities, and time already served. This case sends a clear signal: even international cybercriminals hiding behind hacker handles can be caught and prosecuted. "Tylerb" once topped leaderboards in the English-speaking criminal hacking scene. Now, he's in U.S. custody. **Technical breakdown** How did they pull it off? The group relied on social engineering, not sophisticated malware. They impersonated employees or contractors, calling IT help desks to trick them into granting access or resetting passwords. The SMS phishing messages looked legitimate, often appearing to come from internal IT departments. Once a target clicked a link and entered credentials, the group had a foothold. From there, they moved laterally within networks, stealing data and credentials. The SIM-swapping phase required additional research—finding out which mobile carrier a victim used and then manipulating customer service reps. **What should be done — mitigation and recommendations** For companies: Train help desk staff to verify identities through multiple channels. Implement hardware-based two-factor authentication (like FIDO2 keys) that can't be bypassed by SIM-swaps. For individuals: Use authentication apps or hardware keys instead of SMS-based 2FA. Be skeptical of any unsolicited text messages, even if they appear to come from your employer. Enable account alerts for SIM changes. For crypto investors: Use cold wallets for long-term storage. Never share recovery phrases online or over the phone. Consider using a dedicated phone number for crypto accounts that's not publicly linked to your identity. **Why this matters in the bigger cybersecurity landscape** Scattered Spider represents a growing threat: highly organized, English-speaking groups that rely on human psychology rather than technical exploits. They're harder to detect because they don't leave malware signatures. Buchanan's guilty plea is a win for law enforcement, but it's a reminder that social engineering remains the weakest link in security. As long as humans answer phones and read texts, these attacks will keep evolving. The case also highlights the global nature of cybercrime. A hacker in Scotland can target a company in California and steal from a victim in Japan. International cooperation is no longer optional—it's essential.