Sign in Subscribe

InfoSec News 02APR2026

General

  • Some long-weekend reading - "Intro to Reality Pentesting". Thinking about social-engineering, as though it's a set of computer systems.
For years, the security industry has known that the easiest way to compromise a system is to hack the human operating it. Yet as a field, we remained convinced we could harden technical defenses to such a degree that the human element would become irrelevant.
Needless to say, that bet hasn’t paid off.
...
The model I’m proposing organizes human cognitive infrastructure into five layers across three scales: individual, collective, and civilizational.
The first three concentric layers make up an individual human unit:
Sensory Interface — Bidirectional membrane between internal and external reality.
NeuroCompiler — Interprets, filters, and prioritizes raw sensory data via heuristic processing prior to conscious awareness.
Mind Kernel — Persistent read/write storage of beliefs, memories, identity, & emotional architecture (ontological scaffolding). Cognitive system’s base operating layer.
...
Beyond the individual, we cross into the collective, or what I’m calling the Mesh. This is the emergent collective intelligence arising between networked individuals. The final layer is called the Cultural Substrate, and is the civilizational base layer for macro-society and the collective unconscious.
The terminology I’ve used is deliberate: an interface needs a compiler, which feeds into a kernel at the root access level. Kernels can also connect to one another and form a mesh. The mesh and kernels run on a substrate, but are unable to affect change to it individually.
Additionally, each layer inherits from and feeds back into the others, meaning compromise at any level can quickly cascade through the entire stack. Think of it as OSI Layer 8 (the theoretical “Human” layer) and beyond.
As detailed in the Chromium commit history, this vulnerability stems from a use-after-free weakness in Dawn, the underlying cross-platform implementation of the WebGPU standard used by the Chromium project.
...
Google has now fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out to Windows, macOS (146.0.7680.177/178), and Linux users (146.0.7680.177).
Google is aware that an exploit for CVE-2026-5281 exists in the wild.
...
[TBD][491518608] High CVE-2026-5281: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-10
Google announced that the AI-powered Google Drive ransomware detection feature has reached general availability and is now enabled by default for all paying users.
Ransomware detection: When users have Google Drive for desktop installed on their computers, file syncing will be paused when ransomware is detected. The user will see a notification appear on their computer. Admins will see an alert in the Admin console security center; notification emails will be delivered to both users and admins.
File restoration: Users are able to bulk restore their files to a previous version in Drive with ease, saving them time and money without paying a ransom. Users can select and restore multiple files prior to when ransomware infected their computer, making their files inaccessible.
The startup, Mercor, was one of thousands of firms to be impacted by the security compromise of the open-source effort LiteLLM, according to a company statement.
Mercor is a popular recruiting outfit that works with companies including OpenAI to hire experts and train AI models. As of October 2025, the company was reportedly valued at $10 billion.
...
Although the LiteLLM attack was reportedly tied to a group called TeamPCP, the hacking gang Lapsus$ claimed on its website that it obtained hundreds of gigabytes of Mercor’s data.
The Drift Protocol published multiple notices on Wednesday afternoon saying it is “experiencing an active attack” and that deposits as well as withdrawals are being suspended.
...
Multiple blockchain security firms said the losses appeared to be steep. Experts at PeckShield told Recorded Future News that they exceeded $285 million while other firms said at least $130 million worth of cryptocurrency was seen being siphoned from the platform. Drift did not respond to requests for comment about how much was taken.
- The attacker appears to have changed the admin keypair on the protocol (which requires multiple signers through Drift's Squads multisig)
- They then created a new spot market on the main lending pool, using a fake token and oracle
- After depositing this token with a propped-up value, they were able to use it as collateral to borrow unlimited amounts of other tokens from the main lending pool without hitting Drift's margin requirements
Today, Apple has released iOS 18.7.7 to make it available to more devices that want to stay on the older operating system while remaining protected from the latest threats.
...
iPhone users still running iOS 18 with Automatic Updates enabled will now receive the latest version and protections against the DarkSword exploit kit.

Getting Techy

  • An interesting Android malware, as reversed by McAfee. Some care was taken, to ensure that it appears to be legitimate - "no unusual permissions".
The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity
...
On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.
...
All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.
...
The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.
...
To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself.
It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact.

Geo-Politics

  • [IT] WhatsApp have notified users that may have fallen foul of a fake WhatsApp version, linked to spyware maker SIO.
WhatsApp accused Italian spyware maker SIO of creating a fake version of its messaging app for iPhones, according to an announcement the company shared with TechCrunch.
...
In its announcement, WhatsApp also said it plans to “send a formal legal demand to stop any such malicious activity to this spyware firm.”
...
WhatsApp’s latest announcement comes a year after the company alerted around 90 users that they had been targeted with spyware made by the U.S.-Israeli surveillance tech maker Paragon Solutions. WhatsApp sent those notifications to journalists and pro-immigration activists, among others, sparking a wide-ranging scandal across Italy.
In response, Paragon cut ties with Italy’s spy agencies, which were its customers.
Li Xiong was the head of Huione Group, whose branded entities at one time included an online banking arm, cryptocurrency exchange and online marketplace which has been referred to as an “Amazon for criminals.”
Citing the Ministry of Public Security, Chinese state media linked Xiong to Chen Zhi, the former head of Prince Group who was recently arrested and extradited to China for allegedly overseeing a multibillion-dollar scamming enterprise.
...
From August 2021 until January 2025, the Treasury said, Huione laundered at least $4 billion of illicit funds.
“Huione Group has established itself as the marketplace of choice for malicious cyber actors like the DPRK [Democratic People’s Republic of Korea] and criminal syndicates, who have stolen billions of dollars from everyday Americans,” Treasury Secretary Scott Bessent said at the time.
President Donald Trump signed an executive order Tuesday that purports to limit mail-in voting, though critics say the move will almost certainly be challenged in court on constitutional grounds.
The order instructs the Homeland Security secretary, the director of U.S. Citizenship and Immigrations Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.
...
Those lists would then be transmitted to states, most of which have already rejected previous Trump administration efforts to collect voter data or dictate voter registration lists. The White House order instructs the Department of Justice to prioritize the investigation and prosecution of state and local officials or any others involved in the administration of federal elections who issue federal ballots to individuals not eligible to vote in a federal election.
The order also directs the postmaster general to issue new proposed regulations that require mail-in ballots to be mailed in special envelopes that include barcodes for tracking. Crucially, it asks states ahead of time whether they intend to submit a list of voters eligible to vote by mail, and attempts to assert the authority to deny sending ballots to states that do not participate. It also claims the attorney general is entitled to withhold federal funding from noncompliant states.
The Trump administration’s previous efforts to aggressively assert executive branch authority over elections have been rebuffed by courts, with judges noting the U.S. Constitution explicitly empowers states and Congress to set the time, manner and place for elections.
Secretary of State Marco Rubio signed a cable this week directing U.S. embassies and consulates around the world to launch coordinated campaigns countering foreign propaganda. The cable explicitly endorses Elon Musk’s X as an “innovative” tool for the effort and instructs U.S. diplomatic posts to align their work with the Pentagon’s Military Information Support Operations (MISO), known as Psyop, the military’s psychological operations unit. Rubio identifies five operational goals—countering hostile messaging, expanding information access, exposing adversarial behavior, elevating local voices sympathetic to U.S. interests, and “telling America’s story”—and instructs embassies to recruit local influencers and community leaders to carry U.S.-funded narratives in ways designed to feel organically local rather than centrally directed.
...
Hungary under Viktor Orbán engineered effective state control over much of its media ecosystem, including social media advertising flows and algorithmically amplified pro-government content funded by the state. What these regimes understood long before Western democracies fully reckoned with it was that the architecture of social media—recommendation algorithms, content moderation decisions, amplification mechanics—is not neutral. It is a political instrument. The question was never whether social media could be weaponized; it was only who would wield the controls.
Elon Musk’s acquisition of Twitter in 2022 was the pivot point. The structural consequences of that transaction alone were significant: By taking a publicly traded company into private ownership, Musk removed Twitter’s content moderation decisions from a number of key restrictions: from transparency obligations imposed by SEC disclosure requirements to the pressure of a corporate board, which represented public shareholders attuned to brand safety and advertiser concerns. Gone was the quarterly accountability to institutional investors who cared about whether the platform’s moderation practices could create legal or reputational liability.
...
What this trajectory reveals is less a sudden rupture than the culmination of a series of structural changes that individually appeared incremental but collectively transformed the relationship between state power and platform architecture. The privatization of Twitter removed all traces of public accountability. The gutting of content moderation infrastructure removed operational resistance. The political alliance between the administration and the tech sector removed institutional resistance. And now a formal diplomatic cable removes the last pretense of arms-length separation between U.S. government messaging objectives and the platforms that carry them.

AI

  • [CN] Baidu's "Apollo Go" driverless taxi service may not quite be ready for primetime yet.
A mass robotaxi outage in the Chinese city of Wuhan caused at least a hundred self-driving cars to stop mid-traffic, sparking renewed debate around the safety of driverless vehicles.
...
Videos on social media have documented the outage, with one appearing to show it resulting in a highway collision, although police said no injuries had been reported and passengers exited their vehicles safely.
...
The outage is not the first time self-driving cars have faced technical difficulties.
In December 2025, a large power outage in San Francisco led Waymo taxis to stop working around the city, causing huge traffic jams.
Meanwhile in August 2025, an Apollo Go robotaxi carrying a passenger in Chongqing fell into ​a construction pit.

Subscribe to Deuxieme RE Banque News

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe