Security researchers found two AI-branded VS Code extensions with 1.5M installs that covertly send source code and files to China-based servers.
Category: security
Microsoft patches actively exploited Office zero-day vulnerability
Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks.
The security feature bypass vulnerability, tracked as CVE-2026–21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company’s cloud-based subscription service).
However, as noted in today’s advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible.
6 Okta security settings you might have overlooked
What worked six months ago may no longer be sufficient to protect against today’s threats.
This article outlines six fundamental Okta security best practices that form the backbone of a resilient identity security program.
Beyond implementing these settings, continuous security posture monitoring for Okta (and the rest of your SaaS ecosystem) with a tool like Nudge Security can help you stay ahead of emerging threats and maintain a robust security posture as your environment grows and changes.
Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies
The defense mechanisms that NPM introduced after the ‘Shai-Hulud’ supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies.
Collectively called PackageGate, the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that allow managing dependencies, like pnpm, vlt, Bun, and NPM.
Researchers at endpoint and supply-chain security company Koi discovered the issues and reported them to the vendors. They say that the problems were addressed in all tools except for NPM, who closed the report stating that the behavior “works as expected.”
Scientists Uncover Hidden Weakness in Quantum Encryption
Quantum key distribution (QKD) is a next generation method for protecting digital communications by drawing on the fundamental behavior of quantum particles. Instead of relying on mathematical complexity alone, QKD allows two users to establish a shared secret key in a way that is inherently resistant to interception, even if the communication channel itself is not private.
When an unauthorized observer attempts to extract information, the quantum states carrying the data are unavoidably altered, creating telltale disturbances that signal a potential security breach.
The real-world performance of QKD systems, however, depends on precise control of the physical link between sender and receiver. One of the most influential factors is pointing error, which occurs when the transmitted beam does not perfectly align with the receiving device.
Critical GNU InetUtils telnetd Flaw Lets Attackers Bypass Login and Gain Root Access
A critical security flaw has been disclosed in the GNU InetUtils telnet daemon (telnetd) that went unnoticed for nearly 11 years.
The vulnerability, tracked as CVE-2026–24061, is rated 9.8 out of 10.0 on the CVSS scoring system. It affects all versions of GNU InetUtils from version 1.9.3 up to and including version 2.7.
“Telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a ‘-f root’ value for the USER environment variable,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).
Filling the Most Common Gaps in Google Workspace Security
Security teams at agile, fast-growing companies often have the same mandate: secure the business without slowing it down. Most teams inherit a tech stack optimized for breakneck growth, not resilience. In these environments, the security team is the helpdesk, the compliance expert, and the incident response team all rolled into one.
Securing the cloud office in this scenario is all about finding leverage: identifying the strategic control points that drive the most resilience without adding operational overhead.
Google Workspace provides an excellent security foundation, but its native tooling has inherent limitations, and relying on the default configurations can cause headaches. To build a truly resilient program, there are some common-sense first steps teams can take to secure Workspace natively, before intelligently augmenting the platform where its capabilities fall short.
Microsoft shares workaround for Outlook freezes after Windows update
Microsoft shared a temporary workaround for customers experiencing Outlook freezes after installing this month’s Windows security updates.
As explained one week ago, when Microsoft acknowledged the issue, the bug causes the classic Outlook desktop client to hang for users with POP email accounts who have deployed the KB5074109 security update on Windows 11 25H2 and 24H2 systems.
Other symptoms include the inability to reopen Outlook without ending the process via Task Manager or restarting the device, Outlook redownloading emails, and emails not appearing in the Sent Items folder even though they were sent.