Cybersecurity News: Linus Torvalds talks AI bug hunters, 7-Eleven ransom demand, MENA’s new cybercrime op

In today’s cybersecurity news…

Linus Torvalds not into AI bug hunters

Linus Torvalds says AI-powered bug hunting tools are overwhelming the Linux kernel security mailing list with duplicate reports, making it “almost entirely unmanageable.” He said multiple researchers are using the same AI tools to uncover the same vulnerabilities, forcing maintainers to spend time redirecting reports or explaining that bugs were already fixed. Torvalds said AI-generated findings are useful only when paired with meaningful contributions such as patches and technical analysis, criticizing “drive-by” reports that add little value beyond what automated tools already surface. (The Register)

7-Eleven hit with ransom demand

7-Eleven confirmed a data breach after the ShinyHunters group claimed it stole more than 600,000 Salesforce records containing personal and corporate data. The company said attackers accessed systems used to store application documents, though it hasn’t disclosed the total number of affected individuals. ShinyHunters allegedly tried to extort the company before offering the stolen data for $250,000. ShinyHunters has increasingly targeted Salesforce environments through phishing attacks, third-party integrations, and configuration weaknesses rather than flaws in Salesforce itself. (SecurityWeek)

MENA runs new cybercrime op

INTERPOL said countries across the Middle East and North Africa (MENA) carried out the region’s first large-scale coordinated cybercrime crackdown, dubbed Operation Ramz, between October 2025 and February 2026. The operation involved 13 countries targeting phishing campaigns, malware infrastructure, and online scams, resulting in 201 arrests, the identification of 3,867 victims, and the seizure of 53 servers. Authorities also shared nearly 8,000 intelligence records during the operation. (Security Magazine)

TanStack weighs invitation-only pull requests

TanStack is considering making pull requests invitation-only after last week's supply chain attack, tied to the Shai-Hulud worm, compromised its GitHub Actions workflows. Attackers abused a workflow feature to run malicious code through the project's automated CI pipelines, poisoning a cache shared across the repository. TanStack has removed the vulnerable workflow pattern, disabled shared caches, strengthened dependency and authentication protections, and adopted new safeguards in the pnpm package manager for Node.js. (The Register)
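The report does not say which GitHub Actions feature TanStack's workflow relied on. The following is an added illustration, written for this summary and not taken from TanStack's repository, of one well-known workflow pattern that produces exactly the described outcome: untrusted pull-request code executing in a privileged job and writing to the Actions cache, which is shared across the whole repository and later restored by trusted jobs on the default branch. The workflow names, cache paths and keys below are placeholders; whether this is the pattern TanStack removed is an assumption.

```yaml
# Added illustration, not TanStack's own workflow. Names and cache keys are placeholders.
#
# --- Risky pattern ---
# pull_request_target runs in the context of the BASE repository: it has the
# repository's secrets and a write-capable GITHUB_TOKEN. Checking out the PR
# head and running its scripts hands that context to the PR author. Anything
# those scripts write into the Actions cache can be restored by later jobs on
# the default branch, because the cache namespace is per repository.
name: ci-risky
on:
  pull_request_target:            # fires for fork PRs WITH repo secrets
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - uses: pnpm/action-setup@v4
      - uses: actions/cache@v4     # save step runs after the PR's scripts
        with:
          path: node_modules
          key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm test   # PR-controlled lifecycle and test scripts
---
# --- Hardened pattern ---
# pull_request (not pull_request_target) runs fork PRs without secrets and with
# a read-only token; the explicit permissions block makes that true for every
# trigger. Cache access is restore-only, so a PR job can never publish an
# entry, and pnpm runs with lifecycle scripts disabled and the lockfile frozen.
# Anything that needs secrets (publishing, release tagging) belongs in a
# separate workflow that triggers only on the default branch.
name: ci-hardened
on:
  pull_request:                   # no secrets, read-only GITHUB_TOKEN for forks
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                 # merge ref, no head override
      - uses: pnpm/action-setup@v4
      - uses: actions/cache/restore@v4           # restore only; no save from PR jobs
        with:
          path: ~/.local/share/pnpm/store
          key: pnpm-store-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install --frozen-lockfile --ignore-scripts
      - run: pnpm test
```

A quick audit for the risky shape is to search every file under `.github/workflows/` for `pull_request_target` and check whether the same job checks out `github.event.pull_request.head.sha` or `head.ref` and then runs a package install or test step. Any hit where that job also saves to the cache, or runs with a token that is not explicitly read-only, is a candidate for the same cache-poisoning route.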

Huge thanks to our sponsor, ThreatLocker

ThreatLocker is extending Zero Trust beyond endpoint control. With their recent release of Zero Trust Network Access and Zero Trust Cloud Access, access isn't based on credentials alone; it requires the right user, the right device, and the right conditions. Because as we've seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of data. With ThreatLocker, nothing is exposed, and access is limited to exactly what's needed. Learn more and start your free trial today at ThreatLocker.com/CISO.

New infostealer campaign gets bigger

Researchers at OX Security say copies of the leaked Shai-Hulud malware are being reused in malicious npm packages targeting developers. They identified four typosquatted or fake packages that stole credentials, cloud configuration files, crypto wallet data, and other sensitive information, with one package also enrolling infected systems in a DDoS botnet. The malware appears to be a largely unmodified copy of Shai-Hulud's leaked source code, which was previously linked to the TeamPCP hacking group and recent supply chain attacks on the Node.js ecosystem. The packages were downloaded more than 2,600 times; developers are urged to remove them and rotate any credentials and API keys that were exposed. (BleepingComputer)

US healthcare breaches continue

Several major healthcare data breaches affecting potentially millions of people were recently added to the US Department of Health and Human Services breach tracker. New York City Health and Hospitals Corporation reported the largest confirmed incident, with attackers accessing systems through a third-party vendor between late 2025 and early 2026, exposing sensitive personal, medical, insurance, biometric, and financial data tied to 1.8 million people. Other breaches include those at Erie Family Health Centers affecting 570,000 individuals and Florida Physician Specialists affecting 276,000. (SecurityWeek)

NGINX Rift attackers target exposed servers

Researchers at VulnCheck say attackers are already probing and exploiting the newly disclosed “NGINX Rift” vulnerability, just days after patches and proof-of-concept code were released. The 18-year-old flaw in NGINX was originally disclosed by researchers at DepthFirst and lets specially crafted HTTP requests crash worker processes, with remote code execution possible only in the rare cases where Linux memory protections such as ASLR are disabled. VulnCheck researcher Patrick Garrity said exploitation attempts were already hitting the company's canary systems. Security researcher Kevin Beaumont noted that modern Linux defaults make widespread real-world remote code execution unlikely. (The Register)

AI won’t stop the slop

GitHub product security engineer Jarom Brown warns that many vulnerability submissions lack reproducible proof-of-concept exploits or duplicate known issues, requiring stricter validation standards. Cloudflare Chief Security Officer Grant Bourzikas said AI tools are worsening triage overload by producing large volumes of plausible but unverified findings that drain security teams' time. Cloudflare's testing of Anthropic's Mythos showed some improvement in generating exploit chains and proofs of concept, but Daniel Stenberg, lead developer of cURL, said most findings were false positives or low impact and argued that the model's gains over earlier tools are modest despite the hype. (CyberScoop)