In today’s cybersecurity news…
OpenAI rolls out GPT-5.4-Cyber
OpenAI is rolling out GPT-5.4-Cyber to a limited group of trusted users to help identify software vulnerabilities, expanding access from hundreds to thousands in the coming weeks as part of its Trusted Access for Cyber program. The model arrives days after Anthropic’s Mythos launch, intensifying competition in AI-driven security tools that can not only defend against cyberattacks but also enable them. The U.S. Treasury has already warned industry leaders to take these systems seriously amid growing concerns about misuse. (Bloomberg)
McGraw Hill breach due to Salesforce misconfig
Education provider McGraw Hill disclosed a data breach tied to a Salesforce misconfiguration, with the ShinyHunters group claiming to have stolen 45 million records and threatening extortion, though the exposed data appears to be limited and non-sensitive with no compromise of core systems. The incident reflects a broader pattern of attackers exploiting cloud misconfigurations and third-party environments to quickly extract and monetize data. McGraw Hill says there’s no evidence of a platform-wide vulnerability. (Security Magazine)
Signed adware operation disables antivirus software
Huntress researchers found a signed adware campaign linked to Dragon Boss Solutions that disabled antivirus software across more than 23,000 systems by using a legitimate code-signing certificate and update mechanism to deploy PowerShell scripts that kill, uninstall, and block security tools. The malware establishes persistence via scheduled tasks and WMI, repeatedly terminates AV processes, and prevents updates, leaving systems exposed. A hijackable update domain revealed infections across 124 countries, with researchers warning the infrastructure could pivot to ransomware or data theft. (Infosecurity Magazine)
Autovista blames ransomware for service disruption
Autovista confirmed a ransomware attack disrupting its automotive data and analytics applications across Europe and Australia, with services still offline and no clear timeline for recovery. The company brought in external experts to investigate but hasn’t identified the initial breach vector, while some customers have blocked communications from Autovista as a precaution. No ransomware group has claimed responsibility. Autovista says it’s prioritizing secure restoration of affected systems. (The Register)
Cal.com abandons open source
Open source project Cal.com is shifting its core scheduling platform to a proprietary model due to rising security risks from AI tools that can quickly analyze public code to find vulnerabilities. The company says modern models like Claude make open-source software significantly easier to exploit, forcing a tradeoff between transparency and protecting sensitive user data. Cal will maintain a separate open-source version for hobbyists. (ZDNET)
Sweden blames pro-Russian group for energy cyberattack
Sweden says a pro-Russian group was behind a previously undisclosed cyberattack on a heating plant in western Sweden last year, part of a broader pattern of infrastructure targeting across Europe since Russia’s 2022 invasion of Ukraine. Swedish officials say similar attacks have hit energy, water, and transport systems in Poland, Norway, Denmark, and Latvia, in some cases disrupting services, warning the campaign is meant to undermine support for Ukraine, spread instability, and strain government resources. (SecurityWeek)
New orders expected for US cyber strategy
National Cyber Director Sean Cairncross announced that the U.S. administration is preparing more executive orders to implement its recently released cybersecurity strategy, including imposing consequences on adversaries targeting U.S. systems and coordinating closely with industry, particularly around emerging AI risks. Officials are also reportedly weighing the implications of models like Anthropic’s Mythos while continuing efforts to address cybercrime, critical infrastructure threats, and international hacking activity. (CyberScoop)
n8n Webhooks abused to deliver malware via emails
Researchers at Cisco Talos report that attackers have been abusing n8n webhook URLs since October to run phishing campaigns that deliver malware and track victims. The attacks use trusted n8n cloud domains to evade filters, luring in users with fake document links that trigger CAPTCHA pages and then download malicious payloads, including remote management tools for persistence. Cisco Talos found that activity from phishing emails using these links was up 686% since early 2025. (The Hacker News)






