Tag
#amazon
A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.
Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild. Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code
## Summary

A potential Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the `issuu_id` parameter.

## Details

The issue was caused by the use of insufficiently constrained regular expressions applied to attacker-controlled input:

```js
if (issuu_id.match(/\d+\/\d+/)) {
    issuu_embed = '#' + issuu_id;
} else if (issuu_id.match(/d=(.*)&u=(.*)/)) {
    issuu_embed = '?' + issuu_id;
}
```

Neither expression is anchored, and the second relies on greedy `.*` groups. When evaluated against specially crafted input, they may cause excessive backtracking, leading to high CPU consumption and potential denial of service.

## Impact

An attacker able to control the `issuu_id` parameter could exploit this vulnerability to degrade performance or cause temporary service unavailability through CPU exhaustion. No confidentiality or integrity impact was identified.

## Fix

https://github.com/AmauriC/tarteaucitron.js/commit/f0bbda...
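The vulnerable checks from the advisory beside a hardened validator, as an added JavaScript example. It is not tarteaucitron.js code and not the upstream fix (the fix commit is only referenced above); the function names, the 160-character cap and the `{1,20}`/`{1,64}` repetition bounds are assumptions chosen for illustration, and the adversarial input is constructed.

```javascript
// Added example, not tarteaucitron.js code: the two unanchored patterns quoted
// in the advisory, a hardened validator beside them, and a timing harness.
// Function names, the 160-character cap and the {1,20}/{1,64} bounds are
// assumptions chosen for illustration, not values from the project.

// The patterns exactly as quoted in the advisory.
const VULN_PAGE_RE = /\d+\/\d+/;        // unanchored: "digits/digits" anywhere in the string
const VULN_QUERY_RE = /d=(.*)&u=(.*)/;  // unanchored, two greedy .* groups

// Hardened equivalents: anchored at both ends, explicit character classes
// instead of '.', and bounded repetition so the work per input stays linear.
const SAFE_PAGE_RE = /^\d{1,20}\/\d{1,20}$/;
const SAFE_QUERY_RE = /^d=([0-9a-z]{1,64})&u=([0-9a-z-]{1,64})$/i;

// Mirrors the advisory's logic: the fragment/query the original code builds,
// or null when neither pattern matches.
function issuuEmbedVulnerable(issuuId) {
  if (issuuId.match(VULN_PAGE_RE)) return '#' + issuuId;
  if (issuuId.match(VULN_QUERY_RE)) return '?' + issuuId;
  return null;
}

// Same contract, but accepts only an exact instance of the two allowed shapes
// and rejects oversized input before any regex runs.
function issuuEmbedHardened(issuuId) {
  if (typeof issuuId !== 'string' || issuuId.length > 160) return null;
  if (SAFE_PAGE_RE.test(issuuId)) return '#' + issuuId;
  if (SAFE_QUERY_RE.test(issuuId)) return '?' + issuuId;
  return null;
}

// Constructed adversarial input: n candidate 'd=' starts and no '&u=' anywhere.
// From each start the greedy '.*' runs to the end and backtracks the whole way
// looking for '&u=', so the unanchored regex does O(n^2) work before failing.
function craftedInput(n) {
  return 'd='.repeat(n);
}

// Wall-clock milliseconds for one call. Absolute numbers depend on the machine
// and engine; the point is the gap between the two validators.
function timeMs(fn) {
  const t0 = performance.now();
  fn();
  return performance.now() - t0;
}

const crafted = craftedInput(5000);
console.log('vulnerable:', timeMs(() => issuuEmbedVulnerable(crafted)).toFixed(2), 'ms');
console.log('hardened:  ', timeMs(() => issuuEmbedHardened(crafted)).toFixed(3), 'ms');
console.log(issuuEmbedVulnerable('junk 12/34 junk'));  // '#junk 12/34 junk': unanchored match on a substring
console.log(issuuEmbedHardened('junk 12/34 junk'));    // null
```

Run it with `node`. The timing lines vary by machine and should be read as a ratio, not a benchmark; the acceptance results are the part an integrator should check, since the unanchored form also accepts arbitrary text around the expected shape.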
# Security Disclosure: SSRF via MetaIssuer Regex Bypass

## Summary

Fulcio's `metaRegex()` function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through [Blind SSRF](https://portswigger.net/web-security/ssrf/blind).

## Impact

- SSRF to cloud metadata (169.254.169.254)
- SSRF to internal Kubernetes APIs
- SSRF to any service accessible from Fulcio's network
- Affects ALL deployments using MetaIssuers

## Patches

Upgrade to v1.8.5.

## Workarounds

None. If anchors are included in the meta issuer configuration URL, they are escaped before the regular expression is compiled, so this is not a sufficient mitigation. Deployments must upgrade to the latest Fulcio r...
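The bug class this advisory describes, as an added JavaScript example that is not Fulcio's code (Fulcio is a Go project; the same shape can be written against Go's `regexp`, whose `QuoteMeta` likewise escapes `^` and `$`). The issuer template, the wildcard character class, the function names and the hostile URL are all assumptions constructed for illustration.

```javascript
// Added example, not Fulcio code: a wildcard issuer template is turned into a
// regex; without anchors the regex matches anywhere inside the candidate URL,
// so a URL that merely contains a legitimate-looking issuer passes the
// allow-list. The template, the wildcard class and all names are assumptions.

// Escape regex metacharacters so '.', '/', '^', '$' etc. in the template match
// literally. '^' and '$' are escaped too: anchors written into the template do
// not anchor the compiled regex, which is why the advisory lists no workaround.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// '*' in the template stands for one host or path label (assumed class).
// anchored=false reproduces the flaw; anchored=true is the fixed form.
function metaIssuerRegex(template, anchored) {
  const body = escapeRegex(template).replace(/\\\*/g, '[-_a-zA-Z0-9]+');
  return new RegExp(anchored ? '^' + body + '$' : body);
}

// True if the candidate issuer URL is accepted for the template.
function issuerAllowed(template, candidate, anchored) {
  return metaIssuerRegex(template, anchored).test(candidate);
}

// The host an OIDC discovery client would actually connect to for a candidate
// issuer: this, not the matched substring, is where the GET request goes.
function requestHost(candidate) {
  return new URL(candidate).hostname;
}

// Constructed inputs.
const TEMPLATE = 'https://oidc.example.com/*/issuer';
const LEGIT = 'https://oidc.example.com/cluster-1/issuer';
const HOSTILE = 'http://169.254.169.254/latest/meta-data/?x=' + LEGIT;

console.log(issuerAllowed(TEMPLATE, LEGIT, false), issuerAllowed(TEMPLATE, LEGIT, true));     // true true
console.log(issuerAllowed(TEMPLATE, HOSTILE, false), issuerAllowed(TEMPLATE, HOSTILE, true)); // true false
console.log(requestHost(HOSTILE));                                                             // 169.254.169.254
// Anchoring the configured URL instead: the anchors become literal characters,
// so the legitimate issuer stops matching as well. The config is broken, not hardened.
console.log(issuerAllowed('^' + TEMPLATE + '$', LEGIT, false));                                // false
```

The check that matters is the last two calls together: the unanchored form accepts the hostile URL while the client would open a connection to the metadata address, and putting `^`/`$` in the configuration does not restore the intended behaviour.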
Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular
This week made one thing clear: small oversights can spiral fast. Tools meant to save time and reduce friction turned into easy entry points once basic safeguards were ignored. Attackers didn’t need novel tricks. They used what was already exposed and moved in without resistance. Scale amplified the damage. A single weak configuration rippled out to millions. A repeatable flaw worked again and
Cybersecurity researchers have shed light on two service providers that supply online criminal networks with the necessary tools and infrastructure to fuel the pig butchering-as-a-service (PBaaS) economy. At least since 2016, Chinese-speaking criminal groups have erected industrial-scale scam centers across Southeast Asia, creating special economic zones that are devoted to fraudulent investment
This week on the Lock and Code podcast, we speak with Cory Doctor about enshittification and its dangerous impact online and off.
### Summary

This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. A defense-in-depth enhancement has been implemented in the AWS SDK for .NET v4. This enhancement validates that a region used to construct an endpoint URL is a valid host label. The change was released on Nov 21, 2025. This advisory is informational to help customers understand their responsibilities regarding configuration security.

### Impact

Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations.

Impacted versions: All versions of the AWS SDK for .NET V4 prior to the 4.0.139.0 release (the AWS SDK for .NET V3 wa...
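Why a region string that is not a single host label can redirect an endpoint, and the validation the advisory describes, as an added JavaScript example. This is not the AWS SDK for .NET's code (the SDK is C#); the endpoint template, the function names and the hostile region values are assumptions constructed for illustration.

```javascript
// Added example, not code from the AWS SDK for .NET: an attacker-influenced
// region string spliced into an endpoint URL must be a valid DNS host label.
// The endpoint template and function names are assumptions for illustration.

// RFC 1123 host label: 1-63 characters, letters/digits/hyphen, no leading or
// trailing hyphen. Endpoint patterns place the region in exactly one label.
const HOST_LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostLabel(s) {
  return typeof s === 'string' && HOST_LABEL_RE.test(s);
}

// Naive construction: trusts the region string as-is. This models the
// behaviour the advisory is hardening, in simplified form.
function endpointUnchecked(service, region) {
  return `https://${service}.${region}.amazonaws.com/`;
}

// Defense-in-depth: refuse anything that is not a single host label before
// it can reach the URL, so the hostname can only ever be <service>.<label>.amazonaws.com.
function endpointChecked(service, region) {
  if (!isValidHostLabel(region)) {
    throw new Error(`invalid region label: ${JSON.stringify(region)}`);
  }
  return endpointUnchecked(service, region);
}

// The host an HTTP client would actually open for a built endpoint URL.
function resolvedHost(url) {
  return new URL(url).hostname;
}

// Constructed region values: one legitimate, two that only look like regions
// to code that does not validate them.
const REGIONS = ['us-east-1', 'evil.example/?x=', '-bad'];
for (const r of REGIONS) {
  const url = endpointUnchecked('s3', r);
  console.log(JSON.stringify(r), 'valid label:', isValidHostLabel(r), 'unchecked host:', resolvedHost(url));
}
// "us-east-1"       valid label: true  unchecked host: s3.us-east-1.amazonaws.com
// "evil.example/?x=" valid label: false unchecked host: s3.evil.example
// "-bad"            valid label: false unchecked host: s3.-bad.amazonaws.com
```

The second row is the case the advisory's Impact section describes: with no validation, the `/?x=` inside the region ends the authority section early and the rest of the template becomes a query string, so the API call is sent to `s3.evil.example` with the caller's signed request. The checked builder throws before any URL is built.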
After years of security failures and partner-spying marketing, pcTattletale’s founder has pleaded guilty in a rare US federal stalkerware case.