Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally.

CVE-2026-20809: Windows Kernel Memory Elevation of Privilege Vulnerability

Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.

CVE-2026-20803: Microsoft SQL Server Elevation of Privilege Vulnerability

The state of Minnesota, along with the Twin Cities, have sued the US government and several officials to halt the flood of agents carrying out an Immigration and Customs Enforcement operation.

The State of Minnesota and the cities of Minneapolis and St. Paul on Monday filed a sweeping federal lawsuit to halt what they call an unprecedented and unlawful surge of US federal agents in the Twin Cities, arguing that the deployment amounts to a constitutional violation and a direct threat to public safety.

The 80-page complaint, filed in US district court in Minnesota, targets the US Department of Homeland Security and senior federal officials, including DHS secretary Kristi Noem. It asks a judge to immediately block what the federal government calls “Operation Metro Surge,” a large-scale immigration operation that plaintiffs say has sent thousands of armed, masked federal agents into Minnesota communities far from the border, overwhelming local infrastructure and law enforcement.

At a press conference Monday afternoon, Minnesota attorney general Keith Ellison said the lawsuit is intended to stop what he described as an unlawful federal escalation. “This is, in essence, a federal invasion of the Twin Cities and Minnesota, and it must stop.” He accused DHS agents of sowing “chaos and terror” across the metro area through warrantless arrests, excessive force, and enforcement actions at schools, churches, hospitals, and other sensitive locations.

Ellison said the surge has forced school closures and lockdowns, hurt local businesses, and diverted police resources away from routine public safety work. He cited more than 20 ICE-related incidents, including reports of people being pulled into unmarked vehicles by masked agents and vehicles left abandoned in the streets, calling it an “unlawful commandeering of police resources.”

The lawsuit also points to the recent fatal shooting of Minneapolis resident Renee Nicole Good by an ICE agent as a turning point that intensified fear and unrest. Ellison said that the killing, along with subsequent federal rhetoric, left families and entire communities feeling unsafe in public spaces.

Good, 37, was a wife and mother of three. She was fatally shot by an ICE officer during a Minneapolis enforcement operation on January 7. The FBI has assumed sole jurisdiction over the investigation, effectively barring Minnesota authorities from accessing evidence or taking part in the probe, a move state officials say undermines transparency and the integrity of law enforcement in the public eye.

Plaintiffs argue the federal operation violates the Tenth Amendment, federal administrative law, and long-standing limits on immigration enforcement. They also accuse the Trump administration of “retaliatory conduct based on Minnesota’s lawful exercise of its sovereign authority.”

Asked by a reporter from PBS Frontline, who said his crew had been pepper-sprayed by federal agents earlier in the day, whether the litigation sought to curb the use of crowd-control weapons, Ellison urged journalists to file complaints. “Part of what our case is about is First Amendment protection,” he said. “The press is protected by the First Amendment, and it’s vitally important in this moment.”

In a separate lawsuit Monday, the state of Illinois and the city of Chicago sued DHS and senior federal officials, accusing the Trump administration of unleashing a militarized immigration operation that has “rampaged for months through Chicago and surrounding areas, lawlessly stopping, interrogating, and arresting residents, and attacking them with chemical weapons.”

Minnesota Sues to Stop ICE ‘Invasion’

New research from Recorded Future reveals how Russian state hackers (BlueDelta) are using fake Microsoft and Google login portals to steal credentials. The campaign involves using legitimate PDF lures from GRC and EcoClimate to trick victims.

Recent findings from the research firm Recorded Future’s Insikt Group reveal that it only takes two seconds of distraction for a professional’s private data to fall into the wrong hands.

According to Recorded Future’s latest blog post, a Russian state-sponsored hacking group, known as BlueDelta (or Fancy Bear), has been carrying out sneaky campaigns to steal login information from professionals worldwide.

Reportedly, betweet Feburary and September 2025, BlueDelta targeted individuals is specialised frields like energy and nuclear research, particularly in Türkiye and Europe. Researchers observed that the campaign’s objective seems to be credentials harvesting.

****How the Scams Work****

Researchers noted that the hackers are becoming much more convincing because, instead of using obvious fake links, they show the victim a real document first. For example, a target may receive a link that opens a legitimate-looking PDF about climate change or international politics, such as a report from the Gulf Research Centre (GRC) regarding Israel and Iran.

Authentic GRC PDF lure (Source: Recorded Future)

Another such lure was a report from the EcoClimate Foundation titled “Climate Action as a Strategic Priority,” which specifically targeted scientists working on renewable energy. While the victim is distracted by these documents, the website is actually working in the background. After just two seconds, the page automatically switches to a fake login screen.

Further investigation revealed that these fake pages were designed to look like:

*   Google: Using Portuguese-language pages to trick users.
*   Sophos VPN: Aimed at staff within a European think tank.
*   Microsoft Outlook (OWA): Specifically targeting military staff in North Macedonia and IT experts in Uzbekistan.

****Simple but Effective Tactics****

It is worth noting that BlueDelta doesn’t use expensive equipment for these attacks; they rely on free internet services like Webhook.site, ngrok, and InfinityFree. According to researchers, this makes the attacks a “low-cost, high-yield” way to steal data because when a victim enters their details, the hackers’ code automatically saves the info and then sends the user back to the real website.

Attack process (Source: Recorded Future)

“The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility,” the blog post reads. By the time the victim is redirected to the real login page, their credentials have already been stolen. 

This activity represents a major expansion of BlueDelta’s operations, showing their commitment to collecting information from government and research networks. 

That’s why, experts urge you to always check links for suspicious addresses like webhook.site, and never trust login prompts that appear suddenly while reading a PDF. It also helps to ensure you have multi-factor authentication active on all professional accounts to stay protected.

(Photo by KOBU Agency on Unsplash)

Russian BlueDelta (Fancy Bear) Uses PDFs to Steal Logins in Just 2 Seconds

The testimony also calls into question whether Ross failed to follow his training during the incident in which he reportedly shot and killed Minnesota citizen Renee Good.

In testimony last month in federal court in Minnesota, FBI special agent Bernardo Medellin appeared to directly contradict a claim that ICE agent Jonathan Ross made under oath about whether a man they were trying to detain had asked to speak to his attorney.

Medellin’s testimony, which details federal training for interactions with drivers, also calls into question whether Ross followed his training during the interaction that led to the shooting and killing of Renee Nicole Good, a 37-year-old mother, last week. Ross has been identified by multiple media outlets as the shooter; while the Trump administration has declined to confirm those reports, details about the shooter shared by Vice President JD Vance match details of Ross’ biography.

As WIRED previously reported, in December Ross testified that last June he led a team seeking to apprehend a man named Roberto Carlos Muñoz-Guatemala, who had an administrative warrant out for being in the US without authorization. According to his testimony, after following Muñoz-Guatemala in an unmarked car, Ross—who was wearing ranger green and gray and had his badge on his belt—approached the man and asked him to roll down his window and open his door. He then broke the rear driver side window with a special tool and reached into the vehicle. Muñoz-Guatemala accelerated, eventually shaking Ross, who’d fired his Taser at him with the vehicle in motion. Ross testified that he needed 33 stitches due to his injuries; Muñoz-Guatemala was later convicted of assault on a federal officer with a dangerous weapon.

At trial, prosecutors sought to establish that Muñoz-Guatemala understood that Ross was a federal law enforcement officer during their initial interaction. Ross testified that he repeatedly told Muñoz-Guatemala that he was law enforcement in both English and Spanish, and that he had “no concerns” Muñoz-Guatemala didn’t speak English because he replied to Ross in English.

“When you say, ‘replied back in English,’” asked assistant US attorney Raphael Coburn, “what do you mean?”

“He would—he would reply back he wants his attorney, I believe he said,” responded Ross.

During the trial, this became a point of contention because it had not come up during pretrial interviews, and was thus a surprise to both Muñoz-Guatemala’s attorney, Eric Newmark, and to US prosecutors.

“I was, frankly, quite shocked that he said it,” Newmark told district court judge Jeffrey Bryan. “It was not in any of his previous statements, and it's my understanding he never—the government was as surprised as I was that he said it.” Newmark went on to explain that Ross’ claim pertained to whether his client “believed he was talking to law enforcement or someone who was trying to do him harm,” and that he intended to cross-examine Ross on the fact that Muñoz-Guatemala’s purported request for a lawyer had come up neither during an interview Ross gave the FBI nor during pretrial preparation—something neither Bryan nor Coburn, the government lawyer, objected to. Under questioning from Newmark, Ross conceded it was “fair to say” he had not previously made this claim.

The question came up again as Newmark cross-examined Medellin, an FBI special agent who took part in the operation under Ross’ leadership. Medellin testified that Muñoz-Guatemala—whose English he described as limited, and for whom the court provided an interpreter during the two-day trial—had asked Ross repeatedly who he was.

“You never heard Mr. Muñoz-Guatemala ask for an attorney, did you?” asked Newmark.

“No,” said Medellin, who affirmed that he had overheard most or all of the conversation, and said again that he had never heard Muñoz-Guatemala ask for a lawyer.

In response to a WIRED question about his opinion of the credibility of Ross’ testimony, Newmark said: “I'm not commenting about this case as it is still pending, but I think you can tell by my questioning of him and others what I thought about that.”

In response to a request for comment, Department of Homeland Security spokesperson Tricia McLaughlin said, “You’re referring to the case with the child sexual predator?” (Muñoz-Guatemala pleaded guilty in 2023 to criminal sexual conduct with a victim who “was at least 16 but under 18 years of age at the time of the sexual contact,” according to Minnesota court records.) The FBI declined to comment.

Since Good’s killing, experts speaking to outlets like CNN and The Washington Post have raised questions about whether Ross was following his training, as McLaughlin has repeatedly said he was while defending his actions. Further testimony from Medellin raises questions about whether Ross complied specifically with FBI training about interactions with drivers during his confrontations with both Muñoz-Guatemala and Good. This training would have been relevant to Ross, who, Medellin testified, “works as an FBI task force officer in the Minneapolis Field Office.”

“Typically, when we conduct traffic stops, it's in a supportive role. So if a local marked unit or a federal partner is executing a traffic stop, we typically find ourselves near the rear of the vehicle,” Medellin testified. “If we are to have agents near the front of the vehicle or near the driver's side door, passenger side door, we train to place ourselves in a position where we minimize the chance that we will be hit by the vehicle or run over by the vehicle or potentially taken away by the vehicle if it decides to—to leave or flee.”

While agents placing themselves near the front of a vehicle seems to run counter to FBI training, a 2013 independent review of Customs and Border Protection’s use-of-force policies, as well as more than a dozen cases in which shots were fired at vehicles, reportedly found an apparent pattern of Border Patrol agents intentionally staking out ground in front of vehicles to justify the use of deadly force. Of the cases reviewed, the independent agency found that most cases “involved non-violent suspects who posed no threat other than a moving vehicle,” and concluded that “there is little doubt that the safest course for an agent faced with an oncoming vehicle is to get out of the way of the vehicle.”

Ross testified that he was a member of Border Patrol from 2007 to 2015. According to his own sworn testimony in December, Ross has also acted as a firearms instructor for ICE, as well as a member of a Special Response Team—ICE’s version of a SWAT team—and a leader of teams drawn from multiple federal agencies including the FBI.

According to Medellin’s December testimony, the plan, which was originated by Ross as team lead, was to just interview Muñoz-Guatemala; but because Ross exited his vehicle and soon drew his gun, Medellin told the court that he, too, unholstered his weapon to “provide coverage with lethal force.” The incident escalated as soon as Ross approached the vehicle, Medellin testified, because he believed Ross “had seen something that made him very uncomfortable and I wanted to be in a good position to support him.” Ross ultimately approached to break the window and got his arm stuck between the car’s B pillar and the headrest.

Medellin further testified that during the initial stop, his foot had been placed on the driver’s-side tire.

“It's an early indicator, a touch point, so to speak. If—if a vehicle is going to flee or to leave, the tires might turn before the vehicle actually starts moving,” Medellin said. “So if the tires start moving, somebody in that position with their foot up against the tire would feel it immediately.”

Even before the release of first-person footage of the killing of Good showed her turning the wheel of her vehicle away from immigration agents immediately before she was shot, video analyses by The New York Times and The Washington Post showed that her wheels were turning away from, not toward, Ross—who does not appear in any footage to maintain contact between his foot and her tires. In the video footage, Ross appears to stand directly in front of the car, parallel to the car’s hood.

FBI Agent’s Sworn Testimony Contradicts Claims ICE’s Jonathan Ross Made Under Oath

Instagram users received emails last week about purported password reset attempts. At the same time, Instagram data appeared on the dark web.

Last week, many Instagram users began receiving unsolicited emails from the platform that warned about a password reset request.

The message said:

> “Hi {username},  
> We got a request to reset your Instagram password.  
> If you ignore this message, your password will not be changed. If you didn’t request a password reset, let us know.”

Around the same time that users began receiving these emails, a cybercriminal using the handle “Solonik” offered data that alleged contains information about 17 million Instagram users for sale on a Dark Web forum.

These 17 million or so records include:

*   Usernames
*   Full names
*   User IDs
*   Email addresses
*   Phone numbers
*   Countries
*   Partial locations

Please note that there are no passwords listed in the data.

Despite the timing of the two events, Instagram denied this weekend that these events are related. On the platform X, the company stated they fixed an issue that allowed an external party to request password reset emails for “some people.”

So, what’s happening?

Regarding the data found on the dark web last week, Shahak Shalev, global head of scam and AI research at Malwarebytes, shared that “there are some indications that the Instagram data dump includes data from other, older, alleged Instagram breaches, and is a sort of compilation.” As Shalev’s team investigates the data, he also said that the earliest password reset requests reported by users came days _before_ the data was first posted on the dark web, which might mean that “the data may have been circulating in more private groups before being made public.”

However, another possibility, Shalev said, is that “another vulnerability/data leak was happening as some bad actor tried spraying for \[Instagram\] accounts. Instagram’s announcement seems to reference that spraying. Besides the suspicious timing, there’s no clear connection between the two at this time.”

But, importantly, scammers will not care whether these incidents are related or not. They will try to take advantage of the situation by sending out fake emails.

“We felt it was important to alert people about the data availability so that everyone could reset their passwords, directly from the app, and be on alert for other phishing communications,” Shalev said.

If and when we find out more, we’ll keep you posted, so stay tuned.

**How to stay safe**

If you have enabled 2FA on your Instagram account, we think it is indeed safe to ignore the emails, as proposed by Meta.

Should you want to err on the safe side and decide to change your password, make sure to do so in the app and not click any links in the email, to avoid the risk that you have received a fake email. Or you might end up providing scammers with your password.

Another thing to keep in mind is that these are Meta-data. Which means some users may have reused or linked them to their Facebook or WhatsApp accounts. So, as a precaution, you can check recent logins and active sessions on Instagram, WhatsApp, and Facebook, and log out from any devices or locations you do not recognize.

If you want to find out whether your data was included in an Instagram data breach, or any other for that matter, try our free Digital Footprint scan.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Received an Instagram password reset email? Here’s what you need to know 

The fundraiser for the ICE agent in the Renee Good killing has stayed online in seeming breach of GoFundMe’s own terms of service, prompting questions about selective enforcement.

The crowdfunding platform GoFundMe is allowing a fundraising campaign tied to the potential legal defense of an Immigration and Customs Enforcement (ICE) agent who fatally shot a civilian to remain online, despite company rules barring fundraisers connected to violent crimes and past enforcement actions against similar campaigns.

The fundraiser, titled “ICE OFFICER Jonathan Ross,” seeks at least $550,000 to support potential legal expenses for the ICE agent identified as having shot and killed Renee Nicole Good, a mother of three and widow of a military veteran, during an encounter with immigration agents in Minneapolis.

The officer was first identified as Jonathan Ross, 43, by the Minnesota Star Tribune.

The GoFundMe campaign’s stated purpose—raising money for legal services following a killing—directly conflicts with GoFundMe’s terms of service, which specifically bars fundraisers that are intended to support the legal defense of people accused of financial or violent crimes.

GoFundMe has not publicly explained why the Ross fundraiser remains active despite its terms of service stating users agree not to “use the Service or Platform to raise funds” for the “the legal defense of financial and violent crimes, including those related to money laundering, murder, robbery, assault, battery, sex crimes or crimes against minors.”

Ross has not been formally charged with any crime. The shooting is being investigated exclusively by the FBI after federal authorities effectively blocked Minnesota investigators from participating, prompting the state attorney general and Hennepin County attorney to launch a parallel effort to collect evidence independently.

In an email, a GoFundMe spokesperson told WIRED on Sunday night that it was in the process of reviewing all fundraisers tied to the shooting. “During the review process, all funds remain safely held by our payment processors,” the spokesperson said. “GoFundMe’s Terms of Service prohibit fundraisers that raise money for the legal defense of anyone formally charged with a violent crime. Any campaigns that violate this policy will be removed.”

The company added that it was working directly with the organizer of the Ross fundraiser to “gather additional information.” The organizer is identified on the site as Clyde Emmons of Mount Forest, Michigan. WIRED could not immediately reach Emmons or confirm his identity.

On Sunday night, Emmons’ fundraiser stated that “funds will go to help pay for any legal services this officer needs.” That language was removed after WIRED’s inquiry and replaced by Monday morning with the phrase, “Funds will go to help him.”

GoFundMe did not respond to multiple follow up requests for comment, including questions as to whether it had advised the organizer to change the description to better comport with its rules.

Despite the changes, several slides in a carousel at the top of the Ross fundraising page—which remain active at time of writing—make the purpose of the fundraising explicitly clear: “Give to cover Jonathan’s legal defense” and “Officer Jonathan Ross’s legal defense fund pays attorney fees and court costs.”

GoFundMe’s inaction contrasts with its handling of earlier cases involving law enforcement officers and civilians killed during encounters with police.

In 2015, GoFundMe removed a Baltimore City Fraternal Order of Police fundraiser for Baltimore police officers charged in the death of Freddie Gray, citing violations of its rules against supporting legal defenses in violent cases. That same year, the platform removed a campaign for a South Carolina officer charged in the fatal shooting of Walter Scott.

Said a company spokeswoman at the time of the Gray fundraiser: “GoFundMe cannot be used to benefit those who are charged with serious violations of the law. The campaign clearly stated that the money raised would be used to assist the officers with their legal fees, which is a direct violation of GoFundMe’s terms."

Good, 37, was gunned down during a January 7 encounter with ICE agents in Minneapolis. Video recorded by bystanders shows Good in a dark red SUV reversing as masked agents approach. One agent, identified in the press as Ross, is shown circling the vehicle with his cell phone raised, then stepping into position almost directly in front of the idling SUV before firing as it moves past him.

The video evidence sharply conflicts with public accounts offered by senior Trump administration officials, including DHS statements describing Good as a “domestic terrorist” who “weaponized” her vehicle, as well as President Donald Trump’s claim that “she ran him over.”

State officials said over the weekend that the Minnesota Bureau of Criminal Apprehension had been cut off from the crime scene and no longer had access to key evidence, including Good’s vehicle and witness interviews. Local prosecutors claimed that without access to the FBI’s case file, it may be impossible for the state to assess whether charges are warranted, even though the shooting is well documented, occurred in Hennepin County, and involves a Minnesota resident.

A separate fundraiser for Good’s widow and family has currently raised more than $1.5 million.

GoFundMe Ignores Own Rules by Hosting a Legal-Defense Fund for the ICE Agent Who Killed Renee Good

### Impact
Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.

### Patches
* https://github.com/WeblateOrg/wlc/pull/1098

### Workarounds
Remove unscoped `key` from wlc configuration. Only use URL-scoped keys in the `[keys]` sections.

### References
This issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-9rp8-h4g8-8766: Weblate wlc has insecure API key configuration

Public sector cybersecurity faces outdated systems, budget gaps, and rising attacks. Learn key challenges, defense strategies, and proven best practices.

Once upon a time, computer crimes were associated with the image of a hacker in a black hoodie working in a dark room by the glow of a monitor. But times have changed, and so have the threats. From simple penetration attempts, cyber attacks have evolved into complex, coordinated operations specifically targeting state systems, rather than pursued merely for entertainment or recognition.

Today, cyber attacks on government structures occur for various reasons. Some attackers are motivated by political pressure, attempting to influence legislative decisions or discredit the authorities. Others seek recognition in the world of cybercriminals, counting on fame and reputation. A third category has purely commercial interests. However, the most prevalent motivation remains the theft of personal data of citizens stored in state registers: medical records, registration documents, and income data. This data is then sold on the dark web, generating millions of dollars in the process.

This is precisely why cybersecurity in the public sector cannot tolerate mistakes. Unlike private companies, which can afford certain risks for the sake of innovation, the public sector opts for verified, tested, and maximally secure solutions. After all, breaches in healthcare systems can cost people their lives, failures in transport systems can lead to road chaos, and compromises of citizen registries leave millions vulnerable to fraud.

Over the past few years, the volume of cyber attacks on state bodies has increased by more than 40 percent. This figure speaks for itself. It is no longer possible to view public sector cybersecurity as a secondary issue to be dealt with later. This is a matter of national security and citizen trust. And this urgency is intensified by the growing digitalization of the public sector.

If you’ve ever watched the series “Black Mirror” or “Mr. Robot,” you know how terrifying scenarios of cyber attacks at the state level can be. Unfortunately, reality is sometimes even worse than fiction, but the sector itself is indeed very conservative.

Therefore, overly untested or innovative ideas are not introduced here. Everything that the state integrates undergoes dozens, and sometimes hundreds, of rounds of verification, testing, and controlled attacks to identify weaknesses.

****Why Governments Become Primary Targets for Hackers****

1.  State and municipal structures attract the attention of cyber attackers for several reasons simultaneously. First, there are enormous volumes of personal data. State registers contain information about every citizen: document numbers, addresses, contacts, medical data, and tax records. One successful breach opens access to tens of millions of records. On the black market, such databases command serious money.
2.  Second, many government systems are built on outdated technologies. “Legacy systems” are windows into the past through which modern hackers can easily penetrate. These systems were often written decades ago, when nobody even thought about internet security as we understand it today. Updating these systems costs millions and proceeds slowly through bureaucratic channels.
3.  Third, state bodies, which are often government agencies, are often underfunded when it comes to preventing cybersecurity threats. Money is allocated to hospitals, schools, and roads, while IT security receives scraps of the budget. The result: a shortage of experts, an absence of a unified defense strategy, and outdated equipment.
4.  Fourth, there is prestige. Every hacker who has cracked a major government portal automatically enters the “ranking” of cybercriminals. This attracts new members to groups, funding, and opportunities.

Real examples illustrate the scale of the problem. In 2021, hackers attacked American healthcare systems, rendering hospitals non-operational. In 2022, the Portuguese tax service was compromised, with data from millions of citizens stolen. In 2019, the United States experienced a powerful attack on Baltimore’s city system, making it difficult for residents to obtain documents.

Groups similar to “Anonymous” deserve special mention. These well-organized cybercriminals are motivated not solely by financial gain. They attack state structures as symbols of systems they wish to destabilize or criticize. Such attacks are harder to predict because the driving force behind them is not just money but ideology. Cybersecurity threats to government from such organized groups represent an unprecedented challenge.

Precisely because of such threats, the state can no longer rely solely on internal resources. The IT departments of government bodies simply do not have sufficient resources and expertise to fight organized groups of cybercriminals. This has created the need for partnerships with private companies specializing in cybersecurity.

Private companies operating in the field of cybersecurity in the public sector have many advantages. They constantly monitor global threats, maintain international networks of experts, and invest in cutting-edge technologies.

Such companies have decades of experience working with government bodies in 70 countries worldwide, understanding the specifics of the public sector far better than those who have never encountered bureaucracy and the peculiarities of state administration. More information can be found at: https://dxc.com/industries/public-sector.

These companies help states not merely react to attacks but develop proactive defense. They integrate modern technologies, establish security centers, train civil servants, and develop strategies that account for the peculiarities of specific countries and government bodies. Without such partnerships, public sector cybersecurity would remain a positional game where attackers always have the advantage.

****Core Challenges of Cybersecurity in the Public Sector****

The first and most obvious challenge is underfunding. Imagine you have a budget of 1 million dollars for IT security. But you need to protect thousands of computers, servers, databases, and web portals. What private companies can solve flexibly, the public sector must handle through lengthy tenders and procurements.

The second challenge is a shortage of experts. A competent cybersecurity specialist on the job market is expensive, and working conditions at private companies are often more attractive than in government agencies. Where will young talent choose to work? In a comfortable office with a salary two or three times higher, or in a government institution with average pay? The result is obvious, and state bodies remain with teams of veterans who often fall behind the pace of technological development.

The third challenge is legacy systems. They drag on like an anchor to the past. These systems were often written in programming languages that are no longer needed, run on outdated equipment, and have architectures that do not adapt to modern patches and updates. Yet rewriting them anew remains impossible because they contain critical data, and any downtime would have catastrophic consequences.

The fourth challenge is the human factor. Most successful cyber attacks do not begin with technical vulnerabilities but with the simple “clicking in the wrong place.” A civil servant receives an email from the “Personnel Management System” asking to update their password. They follow the link, enter their credentials, and the hacker now has access to their account. This then spreads further throughout the organization. Thus begin the most complex attacks.

The fifth challenge is the weight of potential attacks. Hackers are interested precisely in large, important systems. A small company might get by without a leading cybersecurity specialist, but a government structure serving millions of people does not have that luxury. It becomes a magnet for attacks because the stakes are very high for both attackers and defenders.

****From Fighting Fires to Prediction: Building Powerful Cyber Defense****

Consider what happened in the public sector over the last 10-15 years. Previously, everything was about a reactive approach: we wait for something to happen, then fight the fire, fire someone, and promise it won’t happen again. Now everything has changed, and those organizations that have transitioned to preventive thinking are winning.

1.  The first step is centralized monitoring systems. Imagine a nuclear power plant’s control room where every sensor is tracked in real time. In cybersecurity, this works similarly. All systems transmit information to one observation center, where analysts can view it on a single screen. If someone attempts to slip beyond normal parameters, the system alerts them. This allows problems to be caught before they escalate into real attacks.
2.  The second element is cyber education. Not only should the IT department understand how to protect itself, but it should also understand how to protect the organization. Every civil servant, from clerk to minister, must know the basic rules of cybersecurity hygiene. How to recognize phishing, why passwords shouldn’t be written on sticky notes, and what to do if something seems suspicious. Some Czech cities experimented: they informed all agencies that a fake attack would occur for training purposes, but did not say when. The result was striking. In the first wave, 60 percent of people “clicked” on fraudulent links. After six months of training, this figure dropped to 15 percent.
3.  The third factor is the integration of artificial intelligence and machine learning. Modern systems can detect threats in real time by analyzing millions of events per second. AI “learns” from historical attack data and recognizes patterns that the human eye would miss. This is like the difference between a police officer walking a district on foot and a camera system with facial recognition that analyzes every face against a database of wanted persons.

Examples of successful practices can be found in the EU and the US. Estonia, for instance, has built an e-governance system considered one of the most secure in the world. They use cryptography, multi-factor authentication, and continuous monitoring. Every operation leaves a trace that can be verified. If the system detects unauthorized access even years later, it can recover and certify it.

Denmark developed a centralized incident management system for all government bodies. When an attack occurs anywhere, it is immediately transmitted to the center, and on-site specialists can receive assistance, and other bodies receive warnings about potential threats.

****Best Practices for a Secure Digital State****

If you truly want to protect a government system, you must follow verified practices. The first is regular audits. Not just once a year, but continuously. Every quarter, every month, depending on system criticality.

The second practice is regular software updates. It sounds simple, but in reality, it is a serious challenge. Each patch requires testing on thousands of computers and servers. Testing may reveal that some legacy software stops working with the new update. Yet failure to implement updates means leaving doors open to attacks.

The third is the principle of minimum access. In simple terms, every person should have access only to what they need to do their job. A clerk working with registrations should not have access to the medical data of millions of people. A bus driver should not be a database administrator. If a hacker steals a regular employee’s credentials, they will have limited access.

Real cases demonstrate how this works in practice. In the United Kingdom, the Department of Work and Pensions (DWP) entered into multi-year contracts with companies specializing in vulnerability testing. They regularly conduct comprehensive system reviews, essentially posing as hackers. The result is a system that withstands hundreds of attacks per year without compromise. In the Netherlands, the employment service modernized its infrastructure to cloud solutions, which allowed it to update security faster and more efficiently.

Just as ancient cities once built walls against enemies, modern governments are erecting digital fortresses, layer by layer, barrier by barrier, so that an attack requires not only skill but also enormous resources, time, and luck.

****Securing the Future:** **Public Sector Cybersecurity** **as a Long-Term Mission****

Cybersecurity is a constant, continuous process of adaptation, learning, and improvement. 

Technology helps, but the human factor remains critical. You need specialists who understand both technical and organizational aspects. 

The second component is continuous collaboration between sectors. Private companies have specialization and resources; government bodies have access to critical infrastructure and information about real threats. Government administration should accumulate knowledge, hire private experts to solve specific problems, but not rely entirely on external consultants. 

The third component is investment. Building security is not cheap. But it is far cheaper to build it from the start than to later excavate from the ruins of a broken system. 

The fourth component is the legislative framework. Regulations, standards, and norms must be clear and consistent. When an organization knows it will be checked for compliance with certain standards, it takes it more seriously. The European General Data Protection Regulation (GDPR) became revolutionary precisely because it established clear rules and strict penalties for violations.

Let us conclude with one thought often forgotten. Citizen trust in a digital state does not begin with beautiful portal designs or rapid request processing. It begins with one simple feeling: a sense of security with every click. When a person enters personal data on a government website, they must be confident that this data is protected maximally. 

(Photo by Ayrus Hill on Unsplash)

Cybersecurity in the Public Sector: Challenges, Strategies and Best Practices

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials.
One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then

Vulnerability / Workflow Automation

Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials.

One such package, named "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit," mimics a Google Ads integration, and prompts users to link their advertising account in a seemingly legitimate form and then siphon it to servers under the attackers' control.

"The attack represents a new escalation in supply chain threats," Endor Labs said in a report published last week. "Unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location."

The complete list of identified packages, which have since been removed, is as follows -

*   n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (4,241 downloads, author: kakashi-hatake)
*   n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl (1,657 downloads, author: kakashi-hatake)
*   n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz (1,493 downloads, author: kakashi-hatake)
*   n8n-nodes-performance-metrics (752 downloads, author: hezi109)
*   n8n-nodes-gasdhgfuy-rejerw-ytjsadx (8,385 downloads, author: zabuza-momochi)
*   n8n-nodes-danev (5,525 downloads, author: dan\_even\_segler)
*   n8n-nodes-rooyai-model (1,731 downloads, author: haggags)
*   n8n-nodes-zalo-vietts (4,241 downloads, authors: vietts\_code and diendh)

The users "zabuza-momochi," "dan\_even\_segler," and "diendh" have also been linked to other libraries that are still available for download as of writing -

*   n8n-nodes-gg-udhasudsh-hgjkhg-official (2,863 downloads)
*   n8n-nodes-danev-test-project (1,259 downloads)
*   @diendh/n8n-nodes-tiktok-v2 (218 downloads)
*   n8n-nodes-zl-vietts (6,357 downloads)

It's not clear if they harbor similar malicious functionality. However, an assessment of the first three packages on ReversingLabs Spectra Assure has uncovered no security issues. In the case of "n8n-nodes-zl-vietts," the analysis has flagged the library as containing a component with malware history.

Interestingly, an updated version of the package "n8n-nodes-gg-udhasudsh-hgjkhg-official" was published to npm just three hours ago, suggesting that the campaign is possibly ongoing.

The malicious package, once installed as a community node, behaves like any other n8n integration, displaying configuration screens and saving the Google Ads account OAuth tokens in encrypted format to the n8n credential store. When the workflow is executed, it runs code to decrypt the stored tokens using n8n's master key and exfiltrates them to a remote server.

The development marks the first time a supply chain threat has explicitly targeted the n8n ecosystem, with bad actors weaponizing the trust in community integrations to achieve their goals.

The findings highlight the security issues that come with integrating untrusted workflows, which can expand the attack surface. Developers are recommended to audit packages before installing them, scrutinize package metadata for any anomalies, and use official n8n integrations.

N8n has also warned about the security risk arising from the use of community nodes from npm, which it said can execute malicious actions on the machine that the service runs on. On self-hosted n8n instances, it's advised to disable community nodes by setting N8N\_COMMUNITY\_PACKAGES\_ENABLED to false.

"Community nodes run with the same level of access as n8n itself. They can read environment variables, access the file system, make outbound network requests, and, most critically, receive decrypted API keys and OAuth tokens during workflow execution," researchers Kiran Raj and Henrik Plate said. "There is no sandboxing or isolation between node code and the n8n runtime."

"Because of this, a single malicious npm package is enough to gain deep visibility into workflows, steal credentials, and communicate externally without raising immediate suspicion. For attackers, the npm supply chain offers a quiet and highly effective entry point into n8n environments."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Tag

#auth