In today’s cybersecurity news…
Gottumukkala ousted as CISA Director
This departure follows widespread dissatisfaction with the agency’s performance over the past year, with bipartisan criticism aimed directly at Madhu Gottumukkala’s leadership. He will now take on a new role at DHS as director of strategic implementation. Nick Andersen, the agency’s current executive director for cybersecurity, replaces him as interim CISA Director.
Ron Wyden blocks Rudd confirmation to lead Cyber Command, NSA
The Oregon senator “pledged to block a vote confirming Lt. Gen. Joshua Rudd as the new head of both U.S. Cyber Command and the National Security Agency, citing his lack of digital warfare and intelligence experience.” A letter written by Senator Wyden was included in the Congressional Record on Wednesday. He added that Lt. Gen. Rudd is “not qualified for this job,” and that “when it comes to the cybersecurity of this country, there is simply no time for on-the-job learning.”
Hackers weaponize Claude Code in Mexican government cyberattack
According to researchers at cybersecurity startup Gambit Security, ten Mexican government bodies and one financial institution were compromised in this attack, starting with the country’s tax authority in late December. In analyzing the attacker logs, Gambit assessed that “over 1,000 prompts were sent to Claude Code to mount the attacks, and that information was also passed to OpenAI’s GPT-4.1 for analysis.” The researchers added, “AI didn’t just assist, it functioned as the operational team: writing exploits, building tools, and automating exfiltration.” The attack bypassed Claude’s guardrails by convincing it that all actions were authorized. As a result, the attacker “exfiltrated over 150GB of data, including civil registry files, tax records, and voter data, exposing 195 million identities in the process.”
North Korea hackers use new malware to breach air-gapped networks
The group APT37 has been using newly uncovered tools to “move data between internet-connected and air-gapped systems, spread via removable drives, and which conduct covert surveillance.” The campaign, named Ruby Jumper, is being analyzed by cloud security company Zscaler. Although there are many components in this campaign, it starts with tricking a human user into activating a Windows LNK shortcut, which then enables removable drives to become infected. According to the researchers, “the malware turns removable storage devices into a bidirectional covert C2 relay.”
Huge thanks to our sponsor, Adaptive Security

Steaelite RAT delivers both data theft and ransomware
This new remote access trojan, currently available on cybercrime networks, “enables double extortion attacks on Windows machines by bundling ransomware and data theft, along with credential and cryptocurrency stealers, live surveillance, and a whole host of other illicit capabilities, all controllable from a centralized dashboard.” It was discovered by researchers from BlackFog in November 2025, who described it as “fully undetectable” and the “best Windows RAT.” It works across Windows 10 and 11, with an Android module reportedly in development. Data theft, they say, “begins at the moment of connection.”
Public Google Cloud API keys exposed with Gemini Access after API enablement
New research from Truffle Security has found that “Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data.” The researchers discovered nearly 3,000 Google API keys (identified by the prefix “AIza”) “embedded in client-side code to provide Google-related services like embedded maps on websites.” Truffle Security found that creating a new API key in Google Cloud defaults to “Unrestricted,” meaning it is valid for every enabled API in the project, including Gemini.
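A small defender-side scanner, added here as an example and not code from Truffle Security’s research, that finds AIza-prefixed keys in client-side source and models which enabled APIs an unrestricted key can reach. The sample bundle is constructed, and the key format (39 characters: “AIza” plus 35 URL-safe characters) and the two Google service names are assumptions of this example.

```python
import re

# Assumed key format: literal "AIza" followed by 35 chars from [0-9A-Za-z_-],
# bounded so we do not match inside a longer token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Constructed, non-functional key for the demo (4 + 35 = 39 characters).
CONSTRUCTED_KEY = "AIzaSyA" + "0" * 32

# Constructed excerpt of a client-side JS bundle, not from any real site.
SAMPLE_JS = "\n".join([
    'const mapsKey = "%s";' % CONSTRUCTED_KEY,
    'fetch("https://maps.googleapis.com/maps/api/js?key=" + mapsKey);',
    'const notAKey = "AIzaShort";  // too short to be a key',
])


def mask_key(key: str) -> str:
    """Keep only the prefix and last four chars so findings can be logged safely."""
    return key[:8] + "..." + key[-4:]


def find_exposed_keys(source: str) -> list:
    """Return one finding per AIza-style key in client-side source (line is 1-based)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append({"line": lineno, "masked": mask_key(match.group(0))})
    return findings


def reachable_apis(enabled_apis, api_restrictions=None) -> set:
    """APIs a key can call: with no API restriction (the default), every enabled API
    in the project is reachable; with a restriction, only the intersection."""
    enabled = set(enabled_apis)
    if api_restrictions is None:
        return enabled
    return enabled & set(api_restrictions)


if __name__ == "__main__":
    for f in find_exposed_keys(SAMPLE_JS):
        print("exposed key on line %d: %s" % (f["line"], f["masked"]))
    # Assumed service names: Maps JavaScript API and the Gemini API.
    project = ["maps-backend.googleapis.com", "generativelanguage.googleapis.com"]
    print("unrestricted key reaches:", sorted(reachable_apis(project)))
    print("maps-only key reaches:", sorted(reachable_apis(project, ["maps-backend.googleapis.com"])))
```

The masking in `mask_key` keeps the findings useful for triage without copying a full credential into scan output.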
Samsung TVs to stop collecting Texans’ data
“Samsung and the State of Texas have reached a settlement agreement over the alleged unlawful collection of content-viewing information through its smart TVs.” The company will now have to revise its privacy disclosures to clearly explain its data collection and processing practices to consumers. This is all based on a lawsuit filed by Texas Attorney General Ken Paxton last December, in which several TV manufacturers were charged with “using Automated Content Recognition (ACR) technology to collect and process viewing data without first obtaining their express, informed consent.” The allegations were that Samsung was using the technology to capture screenshots of consumers’ TVs to determine what they were watching in order to deliver targeted advertising. The Court found that there was “good cause to believe” that Samsung automatically enrolled customers in this system using “dark patterns” that included “over 200 clicks spread across four or more menus for a consumer to read the privacy statements and disclosures.”