In today’s cybersecurity news…
runC flaws could allow hackers to escape Docker containers
There are actually three new vulnerabilities, disclosed by Aleksa Sarai, a software engineer at Luxembourg-based open-source software company SUSE and a board member at the Open Container Initiative (OCI). The runC container runtime used by Docker and Kubernetes could be exploited to bypass isolation restrictions and gain access to the host system, he says. The three issues all have CVE numbers (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). runC is “a universal container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process, setting up namespaces, mounts, and cgroups that higher-level tools, like Docker and Kubernetes, can call.” Currently, there have been no reports of any of the flaws being actively exploited in the wild.
Lost iPhone scam warning
The Swiss National Cyber Security Centre (NCSC) is warning iPhone owners about a phishing scam that claims to have found a lost or stolen iPhone, with the true motive of stealing Apple ID credentials. The campaign abuses the message that owners can set in Apple’s Find My app to display on a lost phone’s lock screen, which typically includes an email address or phone number for a second iPhone belonging to the owner or to someone close to them. Threat actors “may be using this information to send targeted phishing texts through SMS or iMessage to the displayed contact information, claiming to be from Apple’s Find My team and stating that their phone had been found.” The NCSC advises users to ignore any text messages like these, stating that Apple will never contact customers via SMS or email to report a found device.
Landfall Android spyware targets Samsung Galaxy phones
Security researchers from Palo Alto Networks’ Unit 42 uncovered a nine-month hacking campaign targeting Samsung Galaxy phones, primarily in the Middle East. The attackers used “commercial-grade” Android spyware called LANDFALL, which exploited a previously unknown vulnerability in Galaxy image-processing libraries (CVE-2025-21042). Delivered through WhatsApp as malicious DNG image files (DNG stands for Digital Negative, an image format that is a variant of TIFF), the spyware could secretly record audio, track location, and steal photos, messages, and contacts, possibly without user interaction. The flaw was patched in April 2025. Unit 42 noted similarities to Middle Eastern commercial spyware operations, but the perpetrators and number of victims remain unknown. The campaign’s goal appeared to be targeted surveillance.
Huge thanks to our sponsor, Vanta

Is it “Do I have the right controls in place?”
Or “Are my vendors secure?”
….or the really scary one: “How do I get out from under these old tools and manual processes?”
Enter Vanta.
Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready—ALL…THE…TIME. With Vanta, you get everything you need to move faster, scale confidently—and get back to sleep.
Get started at vanta.com/headlines
AI chat privacy at risk through Whisper Leak side-channel attack
Microsoft describes Whisper Leak as “a side-channel attack that lets network snoopers infer AI chat topics despite encryption, risking user privacy.” An attacker positioned to observe the network traffic can infer what users are discussing with a remote language model even though the traffic is TLS-encrypted, because the size and timing of the encrypted packets that carry each streamed token still vary with the plaintext. That could expose sensitive details from user or enterprise conversations with streaming AI services, creating serious privacy risks. In short, even with encryption in place, “attackers can infer token length, timing, or cache patterns to guess prompt topics. Microsoft’s Whisper Leak expands on these, showing how encrypted traffic patterns alone can reveal conversation themes.”
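To make the side channel concrete, here is an added toy model of it; this is example code written for this page, not Microsoft's Whisper Leak tooling. It assumes the server emits each streamed token as its own server-sent-events chunk in its own TLS record, that TLS adds a constant 22 bytes per record, and that the attacker has already collected reference traces by prompting the model about each candidate topic. All token streams are constructed. The second half shows the padding mitigation, which hides token lengths but not the token count.

```python
"""Added example: recovering token lengths from encrypted streaming traffic,
classifying the topic from them, and the effect of padding each record.
Not Microsoft's code; every assumption is stated in the comments."""
import json

TLS_OVERHEAD = 22  # assumed constant per-record cost (record header + AEAD tag)

# Constructed reference token streams, split roughly the way a tokenizer would.
REFERENCE_REPLIES = {
    "medical": ["The", " symptoms", " of", " pneumonia", " include", " fever"],
    "baking": ["A", " sourdough", " starter", " needs", " flour", " and"],
}


def stream_records(tokens, pad_to=None):
    """Server side: encode each token as 'data: {"delta": "..."}\\n\\n' and return
    the ciphertext record sizes a passive observer sees on the wire.
    pad_to=N rounds every plaintext chunk up to a multiple of N bytes."""
    sizes = []
    for tok in tokens:
        chunk = f'data: {json.dumps({"delta": tok})}\n\n'.encode()
        n = len(chunk)
        if pad_to is not None:
            n = -(-n // pad_to) * pad_to  # ceiling to the padding bucket
        sizes.append(n + TLS_OVERHEAD)
    return sizes


# Bytes in every record that do not depend on the token (assumed known to the attacker).
FRAMING = len('data: {"delta": ""}\n\n') + TLS_OVERHEAD


def infer_token_lengths(sizes):
    """Attacker side: strip the constant framing to recover plaintext token lengths."""
    return [s - FRAMING for s in sizes]


def classify_topic(observed_sizes, references=REFERENCE_REPLIES):
    """Attacker side: nearest reference trace by L1 distance over token lengths.
    Whisper Leak trains real classifiers on size and timing sequences; this
    nearest-neighbour rule is a deliberately simple stand-in for that step."""
    obs = infer_token_lengths(observed_sizes)
    best_label, best_dist = None, None
    for label, ref_tokens in references.items():
        ref = [len(t) for t in ref_tokens]
        n = max(len(obs), len(ref))
        o = obs + [0] * (n - len(obs))
        r = ref + [0] * (n - len(ref))
        dist = sum(abs(a - b) for a, b in zip(o, r))
        if best_dist is None or dist < best_dist:
            best_label, best_dist = label, dist
    return best_label


if __name__ == "__main__":
    victim = ["The", " symptoms", " of", " pneumonia", " include", " cough"]
    sizes = stream_records(victim)
    print("on-the-wire record sizes:", sizes)
    print("recovered token lengths: ", infer_token_lengths(sizes))
    print("guessed topic:           ", classify_topic(sizes))
    print("with 64-byte padding:    ", stream_records(victim, pad_to=64))
```

With padding, every record in the constructed traces comes out the same size, so the length channel is gone; the number of records still reveals how many tokens were streamed, and inter-packet timing (which this model omits) remains a separate channel that needs batching or jitter to close.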
Illuminate Education fined $5.1 million for poor data security practices leading to hack
Three state attorneys general announced Thursday that “the educational technology company Illuminate Education will pay a $5.1 million fine and agree to make changes to its business to settle allegations that shoddy security practices led to a 2021 data breach. The breach exposed student names, races, coded medical conditions and whether they received special education accommodations,” impacting students in 49 states and three million in California alone. The failings included an alleged failure to delete the login credentials of former employees, which are believed to be what the attacker used to get in. The company also allegedly failed to monitor its systems for suspicious activity and did not separately secure its backup and active databases, which meant the backups were also compromised when the active database was breached.
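Two of the three alleged failings (credentials of former staff left active, and no monitoring) are cheap to detect. The following added example, not code from Illuminate or from the settlement, cross-references an HR roster against authentication logs and flags successful logins by accounts whose owner has already left. The roster, the log lines and their field layout are all constructed for this example.

```python
"""Added example: flag successful logins by accounts that should have been
deprovisioned. Roster and log format are constructed, not any real product's."""
from datetime import date

# Constructed HR roster: account name -> last day of employment (None = still employed).
ROSTER = {
    "jsmith": date(2021, 3, 31),
    "alee": None,
    "rpatel": date(2020, 11, 15),
}

# Constructed auth log, one event per line: "<date> <user> <result> <source_ip>".
AUTH_LOG = """\
2021-06-02 alee LOGIN_OK 10.2.4.7
2021-06-03 jsmith LOGIN_OK 203.0.113.9
2021-06-03 rpatel LOGIN_FAIL 198.51.100.4
2021-06-04 jsmith LOGIN_OK 203.0.113.9
2021-06-04 ghost LOGIN_OK 198.51.100.77
"""


def parse_line(line):
    """Split one constructed log line into (date, user, result, source_ip)."""
    day, user, result, ip = line.split()
    return date.fromisoformat(day), user, result, ip


def stale_logins(log_text, roster):
    """Return (date, user, ip) for every successful login that happened after
    the user's last day, i.e. a credential that should no longer work."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, result, ip = parse_line(line)
        last_day = roster.get(user)
        if result == "LOGIN_OK" and last_day is not None and when > last_day:
            hits.append((when, user, ip))
    return hits


def unknown_logins(log_text, roster):
    """Successful logins by accounts that HR has no record of at all; these are
    worth a separate alert because they cannot be matched to a leaver date."""
    return sorted(
        {parse_line(l)[1] for l in log_text.splitlines()
         if l.strip() and parse_line(l)[2] == "LOGIN_OK" and parse_line(l)[1] not in roster}
    )


def accounts_to_disable(roster, today):
    """Accounts whose last day is in the past: the deprovisioning backlog."""
    return sorted(u for u, last in roster.items() if last is not None and last < today)


if __name__ == "__main__":
    for hit in stale_logins(AUTH_LOG, ROSTER):
        print("ALERT former-employee login:", hit)
    print("unknown accounts logging in:", unknown_logins(AUTH_LOG, ROSTER))
    print("should already be disabled:", accounts_to_disable(ROSTER, date(2021, 6, 5)))
```

In practice the roster comes from the HR system and the log from the identity provider, and the check runs on every successful authentication rather than over a file; the logic is the same.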
Destructive time bomb malware in industrial .NET extensions found and removed
Following up on a story covered by Sean Kelly in March of 2023, security researchers have now helped remove malicious NuGet packages that were planted that year and were designed to trigger in 2027 and 2028 and sabotage systems, especially “safety-critical systems in manufacturing environments,” and specifically Siemens S7 programmable logic controllers. Researchers from Socket identified nine malicious packages on the .NET package manager and noted that the packages consist mostly of genuinely useful, legitimate code, which makes them look more trustworthy.
Brian Krebs assesses U.S. government’s proposed TP-Link ban
In his recent blog, Brian Krebs states that the U.S. government is considering banning sales of networking gear from TP‑Link, a major player in consumer and small-business routers, citing national-security concerns over its reported ties to China and the high stakes of sensitive data passing through its hardware. TP-Link denies these risks, claiming it severed connections with its China-based parent and is U.S.-headquartered, with design and manufacturing in Vietnam and Singapore. The article warns that the issue is broader: many budget routers rely on China-sourced components and ship with known weak default settings, meaning the challenge is less about one brand than about systemic security in home networking.