Microsoft Office vulnerability (CVE-2026-21509) in active exploitation

Troy Hunt, owner of HaveIBeenPwned.com, writes: You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the…

There’s an update on a previously reported case: Tampa, Florida – United States Attorney Gregory W. Kehoe announces that Liridon Masurica (33, Gjilan, Kosovo), also known as “@blackdb,” has pleaded guilty to conspiracy to commit access device fraud. Masurica faces a maximum penalty of 10 years in federal prison. A sentencing date has not yet been……

Cybersecurity researchers have discovered what has been described as the first-ever instance of a Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks. According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an npm package called “postmark-mcp” that copied an official Postmark Labs library of…

Explore the Cybersecurity toolkit and start building your prevention-first strategy today. 

Alys Keys reports: Former Buzzfeed journalist Anne Helen Petersen had been putting the final touches on the latest episode of her podcast last month when an email landed in her inbox. It warned of suspicious activity on her Substack account and said her ability to send emails would be frozen until she confirmed she wasn’t a bot…….

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that’s delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple’s Gatekeeper checks. “Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix-style techniques, this sample adopts a more