⏱️ Read Time: 7 minutes

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” which is a very long way to say “click all the blurry buses.”

Today’s rapid brief is basically one long reminder that unpatched edge tech is still the internet’s favorite self-own. The breach stories matter, the privacy messes matter, but Emerging Threats is doing the heavy lifting today because defenders have a very patch-now, sleep-later kind of week ahead.

One ask before you dive in: if this recap earns a forward or sparks a debate on your team, share it. If there’s something you think we should cover (or skip) next time, hit reply and tell us. Thanks for reading!

📜 Table of Contents

  • 🚨 Major Breaches & Incidents - European Commission cloud intrusion, Salesforce warning after another customer attack wave

  • 🧨 Emerging Threats & Vulnerabilities - F5 BIG-IP exploitation, Fortinet FortiClient EMS abuse, Microsoft SharePoint exploitation, Citrix NetScaler memory flaw, Cisco firewall zero-day in ransomware attacks, Axios npm supply chain compromise

  • 🔐 Privacy Watch - OkCupid data-sharing settlement, Lloyds exposure impacts 450,000 users

  • 🕵️ APTs and State-Sponsored Attacks - Iran-linked actors claim breach of FBI director’s personal email

  • 🤖 AI in Cyber - Langflow workflow hijacking, OpenAI Codex GitHub token compromise risk

  • 🔁 Story Follow-Ups - Salt Typhoon fatigue collides with telecom security reform

💥 Major Breaches & Incidents

  • 🇪🇺 European Commission reports cyber intrusion and data theft
    The European Commission disclosed a cyber intrusion and data theft incident tied to its cloud environment, with threat actors claiming a sizable haul of stolen information. Beyond the direct impact, the story lands as another reminder that even major institutions with mature security programs are still one misstep away from a headline. Cloud concentration keeps making every compromise feel bigger.
    👉 Key takeaway: The lesson is less “nobody is safe” and more “visibility, segmentation, and third-party cloud governance still make or break the blast radius.”

  • ☁️ Salesforce issues new security alert tied to third customer attack spree in six months
    Salesforce customers got yet another warning after attackers targeted Experience Cloud deployments in what CyberScoop framed as the third customer attack spree in six months. That is not a great trend line for anyone who enjoys stability in customer-facing SaaS environments. The repeated pattern suggests attackers see enough soft spots in implementation and configuration to keep coming back.
    👉 Key takeaway: SaaS security is not magically handled by the logo on the invoice - customers still need to harden, monitor, and review how these platforms are exposed.


🛠️ Emerging Threats & Vulnerabilities

  • 🌐 Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now
    F5’s BIG-IP issue jumped from serious to drop-everything serious after researchers and vendors confirmed active exploitation. Attackers are reportedly using the flaw to deploy webshells on exposed, unpatched systems, which is about as subtle as a brick through a SOC dashboard. For organizations running BIG-IP APM, this is the kind of issue that moves from maintenance backlog to executive escalation fast.
    👉 Key takeaway: If BIG-IP is anywhere in your environment, treat this like an incident-response-adjacent patching event, not routine hygiene.

  • 🧱 Critical Fortinet FortiClient EMS flaw now exploited in attacks
    Fortinet customers got another unpleasant reminder that management infrastructure remains prime attacker real estate. The FortiClient EMS flaw is now being actively exploited, giving defenders yet another reason to stop calling internet-exposed admin tools “temporary.” The broader theme here is painfully consistent: security tooling can become the initial access path when patching lags.
    👉 Key takeaway: Prioritize EMS patching and verify whether management interfaces were exposed longer than anyone wants to admit.

  • 🧠 Critical Citrix NetScaler memory flaw actively exploited in attacks
    Citrix admins are once again living in a world where memory-related edge-device flaws become top-priority emergencies. Active exploitation raises the stakes for organizations that rely on NetScaler for application delivery and remote access, especially because edge devices are so often both critical and under-loved. Attackers know exactly where those gaps live.
    👉 Key takeaway: Patch fast, rotate sensitive credentials where appropriate, and assume internet-facing appliances deserve threat-hunting attention after remediation.

  • 🔥 Cisco firewall vulnerability exploited as zero-day in Interlock ransomware attacks
    A Cisco firewall zero-day showing up in Interlock ransomware activity is the sort of sentence that gets leadership attention for all the wrong reasons. The story underscores how quickly criminal crews operationalize edge-device flaws when there is a clean route to access and extortion. Security teams already juggling patch fatigue now get the extra bonus level: ransomware urgency.
    👉 Key takeaway: Review Cisco exposure immediately and map this flaw into ransomware playbook assumptions, not just vulnerability management queues.

  • 📦 Axios supply chain attack pushes cross-platform RAT via compromised npm account
    The Axios incident is a strong contender for today’s most developer-heartburn-inducing story. A compromised npm account reportedly pushed malicious package versions that delivered a cross-platform remote access trojan, reminding everyone that software supply chain risk is still very much a live fire problem. Open source trust is powerful, right up until account security is not.
    👉 Key takeaway: Audit dependency versions immediately, identify whether affected Axios releases entered build pipelines, and treat developer endpoints as possible exposure points.
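    One way to do that audit, as an added example rather than code from the newsletter or from the Axios project: a small Node script that walks an npm lockfile (v1 nested `dependencies` or v2/v3 flat `packages`), lists every resolved copy of `axios` including transitive ones nested under other packages, and flags any version on a suspect list. The `AFFECTED_PLACEHOLDER` list is exactly that, a placeholder, because the brief does not name the malicious releases; substitute the versions from the npm advisory. The sample lockfile is constructed for offline use.

```javascript
// Added example (not part of the newsletter): find every resolved copy of a
// package in an npm lockfile and flag versions on a suspect list.
// Usage: node audit-lock.js [path/to/package-lock.json]

// Constructed sample lockfile in lockfileVersion 3 shape. Note the second,
// transitive copy of axios pulled in by "some-sdk".
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.6.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.6.8",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
    },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "^0.21.0" } },
    "node_modules/some-sdk/node_modules/axios": {
      version: "0.21.4",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz",
    },
  },
};

// PLACEHOLDER: the brief does not list the malicious releases. Replace this
// with the affected versions from the npm advisory before relying on it.
const AFFECTED_PLACEHOLDER = ["0.21.4"];

// Return every installed copy of pkgName as { path, version, resolved }.
function collectPackageVersions(lock, pkgName) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/foo/node_modules/axios". The package name is the text
    // after the last "node_modules/" (scoped names keep their "@scope/").
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const segs = path.split("node_modules/");
      const name = segs[segs.length - 1];
      if (name === pkgName && entry.version) {
        hits.push({ path, version: entry.version, resolved: entry.resolved || null });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkgName && entry.version) {
          hits.push({ path, version: entry.version, resolved: entry.resolved || null });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Mark each hit as flagged when its version is on the affected list.
function auditLockfile(lock, pkgName, affectedVersions) {
  const affected = new Set(affectedVersions);
  return collectPackageVersions(lock, pkgName).map((h) => ({
    ...h,
    flagged: affected.has(h.version),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const h of auditLockfile(lock, "axios", AFFECTED_PLACEHOLDER)) {
    console.log(`${h.flagged ? "FLAGGED" : "ok     "} ${h.version}  ${h.path}  ${h.resolved || ""}`);
  }
}
```

    Run it against each repository's committed lockfile and against the lockfile actually used by CI, since the two can diverge; the transitive copy is the one people tend to miss, because `package.json` only shows the top-level range.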

  • 🗂️ Critical Microsoft SharePoint flaw now exploited in attacks
    SharePoint remains one of those enterprise staples that also doubles as a very expensive headache when critical flaws go live in the wild. Reports of active exploitation mean orgs cannot treat this as a theoretical risk, especially in environments where SharePoint still touches sensitive internal documentation and collaboration workflows. Old enterprise software rarely dies - it just becomes tomorrow’s incident report.
    👉 Key takeaway: Patch immediately and review access logs for suspicious web activity or post-exploitation persistence.

🕵️ Privacy Watch

  • 💘 Match Group settles US FTC claims it illegally shared OkCupid user data
    Match Group agreed to settle FTC claims tied to allegations that OkCupid user data was improperly shared, keeping the long-running privacy-adtech collision very much alive. Dating platform data is especially sensitive because it can reveal personal preferences, beliefs, and patterns users never expect to leave the app’s walls. Privacy violations hit differently when the dataset is this intimate.
    👉 Key takeaway: Consent language and backend data-sharing practices keep diverging, and regulators are clearly done pretending that is a minor documentation issue.

  • 🏦 Lloyds data security incident impacts 450,000 individuals
    Lloyds disclosed an incident affecting roughly 450,000 individuals after user transaction data was exposed due to a software update issue. This was not the classic smash-and-grab breach story, which arguably makes it more relatable for enterprises that fear internal process and engineering errors just as much as external attackers. Not every major exposure needs a hoodie and a command line.
    👉 Key takeaway: Secure development and release controls deserve the same scrutiny as perimeter defense because user trust does not care what caused the exposure.


🌍 APTs and State-Sponsored Attacks

  • 🎯 Iran-linked hackers breach FBI director’s personal email, publish photos and documents
    Iran-linked actors reportedly breached the personal email account of the FBI director and published stolen material online. Whether the operation was meant for embarrassment, signaling, or broader influence, the message is the same: personal accounts tied to senior officials remain attractive targets with strategic value. National security risks do not politely stay inside government-managed systems.
    👉 Key takeaway: Personal digital hygiene for high-profile officials is not a side issue - it is part of the threat surface.

🤖 AI in Cyber

  • 🧪 CISA: New Langflow flaw actively exploited to hijack AI workflows
    Langflow landed in the active exploitation spotlight after CISA warned attackers are abusing a flaw to hijack AI workflows. As organizations race to operationalize AI tooling, many are discovering that experimental infrastructure has a nasty habit of becoming production infrastructure without the matching security maturity. Innovation is fun until it gets shell access.
    👉 Key takeaway: AI workflow tools need the same patch urgency, exposure reviews, and access controls as any other internet-facing platform.

  • 🤖 Critical vulnerability in OpenAI Codex allowed GitHub token compromise
    Researchers disclosed a critical issue in OpenAI Codex that could have enabled GitHub token compromise, highlighting the increasingly messy intersection of autonomous coding tools and secret management. When AI systems are granted repo access, even narrow validation failures can quickly turn into credential and supply chain risk. The convenience tax is starting to show up in very specific ways.
    👉 Key takeaway: Treat AI coding agents like privileged software components, which means tight token scoping, isolation, and aggressive review of how inputs are handled.


🔁 Story Follow-Ups

  • 📡 Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules
    The Salt Typhoon fallout may be fading from public attention, but officials are warning that the policy and telecom hardening work is nowhere near done. That gap between urgency during the breach cycle and apathy once headlines cool off is exactly how systemic weaknesses stay alive. Attackers do not need defenders to forget forever - just long enough.
    👉 Key takeaway: The follow-up story matters because telecom security reform tends to die in the gap between outrage and implementation.

Thanks for reading this week’s edition. Like what you see? Forward it!

Hate everything you see or have other feedback? Reply back to this email!
