Updates

Attackers flood inboxes with spam, then call victims posing as IT support to deliver the Havoc command-and-control framework via DLL sideloading and social engineering.

AI-assisted “vibe coding” now lets spammers produce polished, visually convincing phishing emails with almost no technical skill — making traditional red flags like poor formatting far less reliable.

A new phishing platform called Starkiller loads legitimate login pages through headless browsers, intercepting credentials and session tokens in real time to defeat MFA.

The ShinyHunters extortion gang is combining voice phishing with OAuth device code flows to hijack Microsoft Entra accounts and bypass MFA.

CISA added four flaws to its Known Exploited Vulnerabilities catalog. A Chrome use-after-free and a critical Zimbra SSRF top the list. Patch now.

Citizen Lab found forensic extraction indicators on a seized Samsung phone belonging to a Kenyan pro-democracy activist. The case adds to a growing pattern of surveillance tool misuse.

A code bug let Microsoft 365 Copilot read and summarize emails marked confidential — bypassing sensitivity labels and DLP policies since late January.

Bitwarden’s new Cupid Vault feature lets free-tier users securely share credentials with one other person — no more texting passwords.

Microsoft’s February patch batch fixes 50+ vulnerabilities, including six zero-days actively exploited in the wild. Patch now.

A developer’s take on the real tradeoff with AI coding tools: writing code was never the hard part, and skipping it makes the hard parts — reading, reviewing, and understanding — even harder.