See the no-go signals before they become incidents.
BWH Hotels, operator of the Best Western brand, confirmed a security incident involving unauthorized access to a web application used for guest reservations. The breach spanned approximately six months, exposing personal guest information from October 2025 through April 2026. Read more
Microsoft’s May 12, 2026 Patch Tuesday release disclosed 137 CVEs across Microsoft products (down from 165 the prior month, per iThome). Including third‑party component fixes Microsoft shipped, the total reaches 265 vulnerabilities. iThome highlights 13 vulnerabilities Microsoft assessed as more likely to be targeted by attackers; most are elevation-of-privilege issues across Windows components, plus two Word remote code execution bugs. Four of the 13 are rated Critical, and the highest CVSS score called out is 9.1 for a Microsoft Single Sign-On (SSO) plugin used with Jira and Confluence. Read more
Security researchers at LayerX have identified a design flaw dubbed 'ClaudeBleed' in the Claude in Chrome extension. The vulnerability allows malicious extensions with zero permissions to inject commands and hijack the Claude AI agent, potentially leading to unauthorized data exfiltration and sensitive cross-site operations. Read more
The Distributed Management Task Force (DMTF) announced that its Security Protocol and Data Model (SPDM) has been officially incorporated into the U.S. FIPS 140-3 Implementation Guidance, establishing a new federal reference for hardware and firmware authentication. Read more
TWCERT/CC disclosed a high-severity “Missing Authentication” vulnerability in WinMatrix agent software from Da Yang Technology (達煬科技). The issue (CVE-2026-6348, TVN-202604001) affects WinMatrix agent versions 3.5.13 through 3.5.26.15 and could allow an already-authenticated local attacker to execute arbitrary code with SYSTEM privileges on the local host and other hosts in the same environment that have the agent installed. TWCERT/CC recommends updating to WinMatrix agent 3.5.27.5 or later. Read more
Taiwan’s national CERT (TWCERT/CC) held its 2025 Taiwan Cybersecurity Incident Notification & Response Annual Conference on Dec. 3 under the theme “Build Secure Products, Connect a Trusted Defense Line.” Government leaders from the Ministry of Digital Affairs and the Administration for Cyber Security emphasized that product security is now tied to brand trust and global market access, citing AI, IoT, and smart manufacturing expansion—and noting that international rules increasingly treat product security as a supply-chain governance requirement. The event brought together major Taiwan and regional vendors and institutes (including ASUS, Zyxel, Delta Electronics, Synology, Panasonic Taiwan, Institute for Information Industry, and others) to share practices around AI-driven threats, vulnerability disclosure, and PSIRT governance—signals relevant to global security and infrastructure teams that rely on Taiwan-linked hardware, NAS, networking, and industrial components. Read more
OpenSSF’s review of CVE-2024-3094 describes an intentionally inserted, obfuscated backdoor affecting xz/liblzma 5.6.0 and 5.6.1. The tampering was designed to land in specific Linux distribution build outputs—DEB/RPM packages for x86-64 built with gcc and the GNU linker—rather than appearing uniformly across all builds. Red Hat warned the issue could allow remote compromise via sshd authentication bypass, but OpenSSF notes exposure was limited because the impacted versions were largely confined to experimental or pre-release distro channels and were detected quickly through community oversight and coordinated distro response. Read more
Taiwan’s TWCERT/CC reports a technical evolution in the “Contagious Interview” campaign: instead of relying on victims to manually execute a file, attackers embed a malicious VS Code workspace configuration so code runs automatically when developers open a project folder in Trusted Mode. The technique abuses VS Code’s tasks.json automation (including a run-on-folder-open behavior) and social engineering around Workspace Trust prompts. The activity primarily targets cryptocurrency software engineers and freelancers via recruiting outreach on LinkedIn and gig platforms, then directs them to download test projects from GitHub/GitLab. TWCERT/CC says the resulting payload has been identified as a newer BeaverTail variant (Type 701), with noted functional overlap with OtterCookie (sometimes referred to as “OtterCandy”), and is focused on stealing crypto-related browser extension and wallet data as well as high-value browser-stored secrets. Read more
Microsoft’s MSRC investigation into Storm-0558 concludes that operational errors likely allowed Microsoft Account (MSA) consumer signing key material to escape a secure token signing environment via a crash-dump/debug workflow, after which the actor (attributed by Microsoft as China-based) likely obtained it by compromising a Microsoft engineer’s corporate account with access to the debugging environment. A separate engineering failure—missing issuer/scope validation when mail systems relied on a common key metadata endpoint—meant a consumer key could be used to forge tokens accepted for enterprise email access. Microsoft says it has since corrected the race condition, improved key-material detection and credential scanning, and updated libraries to automate scope validation. Read more
OWASP’s Top 10 for Large Language Model (LLM) Applications has been published as a community security baseline that catalogs common failure modes in GenAI applications—ranging from prompt injection to model theft. OWASP says the effort has expanded beyond a list into the OWASP GenAI Security Project, a broader open initiative covering risks across LLMs, agentic systems, and AI-driven applications, with a large global contributor community and separate project resources and participation tracks. Read more