Cybersecurity News: US cyber chief uploaded sensitive files into public ChatGPT, Vibe-coded ‘Sicarii’ ransomware can’t be decrypted, WhatsApp account feature combats spyware

In today’s cybersecurity news…

US cyber chief uploaded sensitive files into public ChatGPT

Politico’s sources say the US’s acting cyber chief, Madhu Gottumukkala, uploaded contracting documents marked “for official use only” into a public version of ChatGPT last summer, triggering automated security alerts inside the Department of Homeland Security. The documents weren’t classified, but the uploads prompted an internal review to determine whether sensitive government material had been exposed. Gottumukkala had received a special exception to use ChatGPT at a time when it was blocked for other DHS employees. DHS hasn’t said what the review concluded. (Politico)

Vibe-coded ‘Sicarii’ ransomware can’t be decrypted

Security researchers at Halcyon and Check Point Research say a new ransomware strain called Sicarii is so poorly built that paying the ransom won’t decrypt victims’ data. The malware generates fresh RSA keys on each execution and discards the private key, leaving no viable recovery path. Sicarii surfaced as a ransomware-as-a-service offering and uses Hebrew symbols and language, which Check Point believes may be machine-translated and a false-flag identity. Researchers say the code likely involved AI tooling, and victims are urged not to pay. (Dark Reading)

WhatsApp account feature combats spyware

WhatsApp introduced a “Strict Account Settings” option that lets high-risk users lock down their accounts against sophisticated spyware attacks. The feature blocks attachments and media from non-contacts and joins protections like Apple’s Lockdown Mode and Google’s Advanced Protection. Digital civil rights group Access Now called it a useful, free safeguard for journalists, activists, and other vulnerable users. Users can enable it under Settings > Privacy > Advanced. (CyberScoop)

Mustang Panda deploys infostealers via CoolClient

Kaspersky researchers say China-linked Mustang Panda is running an updated “CoolClient” backdoor in espionage operations against government targets in Myanmar, Mongolia, Malaysia, Russia, and Pakistan. The new variant adds clipboard monitoring, browser credential theft across Chromium-based browsers, active window tracking, and expanded plugins for remote shell access, file and service management. Researchers also saw operators using hardcoded API tokens for Google Drive and Pixeldrain to exfiltrate data. (BleepingComputer)
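A defender's first question on reading that item is whether anything on their own network is already pushing data to those file-sharing services. The script below is an added example (not Kaspersky's code and not from the CoolClient report): it scans web proxy logs for sizeable POST/PUT requests to the Google Drive and Pixeldrain upload APIs and totals the bytes per internal client. The log format is a constructed, simplified one, and the upload path prefixes are the public API paths as the author understands them, so treat both as assumptions to confirm against your own proxy.

```python
"""Flag large outbound uploads to cloud file-sharing upload APIs in proxy logs.

Added example; not code from Kaspersky or from the CoolClient report. It
assumes a constructed, simplified proxy log format:
    timestamp client_ip method url status bytes_sent "user_agent"
The upload path prefixes for Google Drive and Pixeldrain are the public API
paths as the author understands them and are an assumption to verify locally.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Host -> path prefixes where a POST/PUT means a file body is leaving the network.
UPLOAD_ENDPOINTS = {
    "www.googleapis.com": ("/upload/drive/",),  # Google Drive upload API (assumed)
    "pixeldrain.com": ("/api/file",),           # Pixeldrain upload API (assumed)
}

# Ignore tiny requests (metadata calls, token refreshes); tune to your environment.
MIN_UPLOAD_BYTES = 50_000

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    client: str
    host: str
    method: str
    bytes_sent: int
    user_agent: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_upload_endpoint(url):
    """True when the URL points at a known upload path on a watched host."""
    parsed = urlparse(url)
    prefixes = UPLOAD_ENDPOINTS.get(parsed.hostname or "")
    return bool(prefixes) and parsed.path.startswith(prefixes)


def find_suspicious_uploads(lines):
    """Return a Finding for every sizeable POST/PUT to a watched upload endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if not is_upload_endpoint(rec["url"]):
            continue
        sent = int(rec["bytes"])
        if sent < MIN_UPLOAD_BYTES:
            continue
        findings.append(Finding(rec["client"], urlparse(rec["url"]).hostname,
                                rec["method"], sent, rec["ua"]))
    return findings


def bytes_by_client(findings):
    """Total bytes pushed to upload endpoints per internal client."""
    totals = {}
    for f in findings:
        totals[f.client] = totals.get(f.client, 0) + f.bytes_sent
    return totals


# Constructed sample lines (not real traffic): one host uploads to both services
# with non-browser user agents, two others only make small API calls.
SAMPLE_LOG = [
    '2025-06-03T10:14:02Z 10.1.4.22 GET https://www.googleapis.com/drive/v3/files 200 1822 "Mozilla/5.0"',
    '2025-06-03T10:14:09Z 10.1.4.22 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 200 4198304 "curl/8.4.0"',
    '2025-06-03T10:15:41Z 10.1.4.22 PUT https://pixeldrain.com/api/file/archive.zip 201 7340032 "python-requests/2.31"',
    '2025-06-03T10:16:00Z 10.1.4.30 POST https://pixeldrain.com/api/file 200 812 "Mozilla/5.0"',
    '2025-06-03T10:16:12Z 10.1.4.31 POST https://www.googleapis.com/oauth2/v4/token 200 920 "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_suspicious_uploads(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client} {h.method} {h.bytes_sent:>9} bytes -> {h.host} ({h.user_agent})")
    print("totals:", bytes_by_client(hits))
```

The byte threshold and the user agent are the two knobs worth tuning: a single large upload from a browser may be a legitimate user, while repeated uploads from `curl` or `python-requests` on a workstation that never used those tools before deserve a look regardless of size.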

Huge thanks to our sponsor, Conveyor

Ever dream of giving customers instant answers to their security questions without ever filling out another questionnaire?
 
Meet Conveyor’s new Trust Center Agent.
 
The Agent lives in your Conveyor Trust Center and answers every customer question, surfaces documents and even completes full questionnaires instantly so customers can finish their review and be on their way.
 
Top tech companies like Atlassian, Zapier, and more are using Conveyor to automate away tedious work. Learn more at conveyor.com.

Judge dismisses Virginia Flock camera case

A federal judge upheld Norfolk, Virginia’s use of 176 Flock automated license plate reader cameras, rejecting claims they amount to unconstitutional warrantless surveillance. The court ruled the network is too sparse to reveal a “whole” picture of someone’s movements, contrasting it with mobile phone tracking and aerial surveillance cases. The Institute for Justice, which brought the suit, plans to appeal as other cities end Flock contracts over privacy concerns. (The Record)

WinRAR flaw still exploited

Google’s threat intel unit says the WinRAR path traversal flaw is still being exploited by both state-backed and financially motivated groups for initial access. The bug lets attackers use Alternate Data Streams to drop payloads (often into Windows Startup) via booby-trapped archives. Activity started in mid-2025 and involves Russia-aligned units, Turla, and China-linked actors, plus criminals pushing RATs and stealers. Google notes a growing market for packaged WinRAR exploits. (BleepingComputer)
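Whatever the archiver, the extraction-time control against this bug class is the same: refuse entry names that climb out of the target directory, name an absolute path or drive letter, carry an NTFS alternate data stream suffix, or aim at the Windows Startup folder. The validator below is an added example (not WinRAR code and not from Google's report); it takes entry names from any archive lister, and the sample names are constructed.

```python
"""Validate archive entry names before extraction.

Added example; not WinRAR code and not from Google's report. It is a generic
extraction-time control against the bug class described above: entry names
that climb out of the target directory, name absolute paths, carry an NTFS
alternate data stream suffix, or point at the Windows Startup folder are
rejected. Feed it names from any lister (zipfile, tarfile, rarfile, ...).
"""
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:")
STARTUP_MARKER = "start menu/programs/startup"


def entry_problems(name):
    """Return the reasons an entry name is unsafe; an empty list means it is fine."""
    problems = []
    # Fold Windows separators so one set of checks covers both styles.
    unified = name.replace("\\", "/")
    if not unified or unified.startswith("/"):
        problems.append("absolute path")
    if DRIVE_RE.match(unified):
        problems.append("drive letter")
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if ".." in parts:
        problems.append("parent traversal")
    # After stripping a leading drive letter, any ':' can only be an NTFS
    # alternate data stream ('file.txt:hidden' or 'file.txt:hidden:$DATA').
    if ":" in DRIVE_RE.sub("", unified, count=1):
        problems.append("alternate data stream")
    if STARTUP_MARKER in unified.lower():
        problems.append("targets Startup folder")
    return problems


def partition_entries(names):
    """Split entry names into those safe to extract and a map of rejected -> reasons."""
    ok, rejected = [], {}
    for n in names:
        probs = entry_problems(n)
        if probs:
            rejected[n] = probs
        else:
            ok.append(n)
    return ok, rejected


# Constructed entry names (not from any real archive).
SAMPLE_ENTRIES = [
    "docs/report.pdf",
    "../../evil.exe",
    "C:\\Users\\victim\\file.txt",
    "invoice.pdf:payload.exe",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.exe",
    "/etc/passwd",
]

if __name__ == "__main__":
    ok, rejected = partition_entries(SAMPLE_ENTRIES)
    print("safe:", ok)
    for name, why in rejected.items():
        print(f"reject {name!r}: {', '.join(why)}")
```

Running the validator over every entry before calling the archiver, and logging the rejected names, also gives the SOC a cheap detection: a mail gateway or EDR that sees an archive with ADS-suffixed or traversing entry names has found a booby-trapped file regardless of which archiver bug it targets.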

Telnet flaw exposes forgotten attack surface

Threat actors are exploiting a decade-old authentication bypass in GNU InetUtils’ telnetd server that CISA just added to its KEV list. The bug lets attackers log in as root using a simple argument injection. InetUtils fixed it in v2.8, but hundreds of thousands of exposed telnet instances are still online, particularly in legacy IoT and OT equipment. Forescout data shows telnet usage is rising across industries while SSH declines. Researchers say patches may take years due to supply chain dependencies and advise eliminating or isolating telnet services. (Dark Reading)
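"Eliminate or isolate" starts with knowing which hosts still run telnetd and what they are bound to. The script below is an added example (not from Forescout, CISA or GNU InetUtils): it parses `ss -ltnp` output, picks out listeners on TCP port 23, and marks each as exposed on all interfaces, isolated to an address inside your management networks, or needing review. The sample output is constructed, and the column layout is what the author expects from iproute2; check it against your own `ss` before deploying.

```python
"""Inventory telnet listeners from `ss -ltnp` output and decide whether each is
exposed or confined to a management network.

Added example, not from Forescout, CISA or GNU InetUtils. The sample output is
constructed; the `ss -ltnp` column layout (State, Recv-Q, Send-Q, Local
Address:Port, Peer Address:Port, Process) is what the author expects from
iproute2 and should be checked against your own system.
"""
import ipaddress
import re
from dataclasses import dataclass

TELNET_PORT = 23
WILDCARDS = {"0.0.0.0", "[::]", "*", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass
class Listener:
    address: str
    port: int
    process: str
    pid: int
    verdict: str  # "exposed", "isolated" or "check"


def split_local(field):
    """Split 'addr:port' as printed by ss; IPv6 addresses are bracketed."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def classify(addr, mgmt_nets):
    """Exposed on all interfaces, isolated to a management net, or needs review."""
    if addr in WILDCARDS:
        return "exposed"
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return "check"
    return "isolated" if any(ip in net for net in mgmt_nets) else "check"


def find_telnet_listeners(ss_output, management_cidrs):
    """Return every TCP listener on port 23 with a verdict for each."""
    nets = [ipaddress.ip_network(c) for c in management_cidrs]
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and anything that is not a listener
        addr, port = split_local(fields[3])
        if port != TELNET_PORT:
            continue
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        found.append(Listener(addr, port, proc, pid, classify(addr, nets)))
    return found


# Constructed sample: a wildcard-bound telnet via inetd, sshd, and a telnetd
# bound only to a management address.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=842,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=610,fd=3))
LISTEN 0      5      192.168.10.2:23     0.0.0.0:*         users:(("telnetd",pid=900,fd=4))
"""

if __name__ == "__main__":
    for l in find_telnet_listeners(SAMPLE_SS, ["192.168.10.0/24"]):
        print(f"{l.verdict:8} {l.address}:{l.port} {l.process}[{l.pid}]")
```

On fleets of IoT and OT gear where you cannot run a script on the device, the same classification can be driven from firewall or switch ACL inventories instead; the point is that a telnet listener reachable from outside the management network is the finding, whatever binary answers on the port.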

Fortinet blocks exploited zero day

Fortinet confirmed a new FortiCloud SSO authentication-bypass zero-day that attackers used to create rogue admin accounts and pull firewall configs from fully patched FortiGate devices. The company disabled abused FortiCloud SSO accounts, then temporarily shut off SSO globally before restoring it with server-side blocks for vulnerable firmware while patches are developed. The flaw, which also affects other SAML SSO paths, lets attackers with a FortiCloud account authenticate to other customers’ devices. Fortinet is telling admins to treat impacted systems as compromised. (BleepingComputer)
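Treating a device as compromised means, among other things, reading its admin account list against what you expected to be there. The audit below is an added example (not Fortinet code and not from the BleepingComputer report): it parses the `config system admin` block of a FortiGate configuration export, flags any account missing from an allowlist, and flags `super_admin` accounts with no trusted-host restriction. The excerpt is constructed, and the block layout is the FortiOS CLI structure as the author understands it, so verify the parser against a real export first.

```python
"""Audit the admin accounts in a FortiGate configuration export against an
allowlist, flagging unknown accounts and privileged accounts with no
trusted-host restriction.

Added example; it is not Fortinet code and not from the report above. The config
excerpt is constructed, and the 'config system admin' / 'edit' / 'set accprofile'
/ 'set trusthostN' layout is the FortiOS CLI structure as the author understands
it; check it against a real export before relying on the parser.
"""
import re
from dataclasses import dataclass, field

EDIT_RE = re.compile(r'^edit "([^"]+)"$')
SET_RE = re.compile(r'^set (\S+) (.+)$')


@dataclass
class AdminAccount:
    name: str
    profile: str = ""
    trusthosts: list = field(default_factory=list)


def parse_admins(config_text):
    """Extract accounts from the 'config system admin' block of a config export."""
    accounts, current, in_block = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = EDIT_RE.match(line)
        if m:
            current = AdminAccount(m.group(1))
            continue
        if line == "next" and current is not None:
            accounts.append(current)
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip('"')
            if key == "accprofile":
                current.profile = value
            elif key.startswith("trusthost"):
                current.trusthosts.append(value)
    return accounts


def audit_admins(accounts, allowlist):
    """Return (account name, reason) pairs for anything an admin should look at."""
    findings = []
    for acct in accounts:
        if acct.name not in allowlist:
            findings.append((acct.name, "not in allowlist"))
        if acct.profile == "super_admin" and not acct.trusthosts:
            findings.append((acct.name, "super_admin with no trusthost restriction"))
    return findings


# Constructed excerpt (not a real device export).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "readonly"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""

EXPECTED_ADMINS = {"admin", "readonly"}

if __name__ == "__main__":
    for name, reason in audit_admins(parse_admins(SAMPLE_CONFIG), EXPECTED_ADMINS):
        print(f"{name}: {reason}")
```

Run it against a freshly pulled export rather than a cached one, and keep the allowlist under version control: an account that is "new since last week" is exactly the signal a rogue-admin incident produces.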