It's Thursday again, and there are more strange security things that happened in just seven days. Some of it is smart.

A little bit of it is lazy. Some things fall into the uncomfortable category of "yeah... this is probably going to happen in real life sooner than we'd like." The pattern this week is a little annoying because it seems so familiar: getting better at old tricks.

Exposure of sensitive UIs or APIs also went down, from 11.8% in H1 to 4.9% in H2.

This drop shows that automated guardrails are making it harder for attackers to take advantage of identity and configuration mistakes, and that attackers are being pushed toward more complex and expensive methods that specifically target software weaknesses to get a foothold. Google found that in most of the attacks it looked into, the attacker's goal was to quietly steal a lot of data and stay in the system for a long time rather than extort the victim immediately.

Quarkslab's new research shows that voltage fault injection can get around the 16-byte password protection required for debug access on some versions of the RH850 microcontroller family in less than a minute. The security company said that the voltage glitching technique involves underpowering or overpowering the chip for a set amount of time to change how it behaves.

The "crowbar attack" is a particular kind of voltage glitch in which the power supply is shorted to ground, for example with a MOSFET, instead of being driven to a specific voltage.

Authorities in the Indian state of Uttar Pradesh have arrested two Nigerians for their alleged role in an e-crime operation called Solar Spider. The suspects, who were between 12 and 16 years old at the time of the alleged crimes, are accused of selling DDoS tools as part of a scheme to make money by targeting popular websites like auction and sales sites, IT domains, hosting services, and accommodation booking sites.

"Using the tools they provide, popular websites like auction and sales sites, IT domains, hosting services, and hotel booking services were attacked," said Poland's Central Bureau for Combating Cybercrime (CBZC).

Microsoft is adding passkey support for Microsoft Entra on Windows devices. This will let users sign in without a password using Windows Hello, which is resistant to phishing.

"We're adding Microsoft Entra passkeys to Windows so that you can sign in to Entra-protected resources without worrying about phishing." According to Microsoft, this update lets users create device-bound passkeys that are stored in the Windows Hello container and use Windows Hello methods (face, fingerprint, or PIN) to log in.

"Zombie ZIP" is a new method that lets attackers hide payloads in specially crafted compressed files that can get past security tools.

The CERT Coordination Center (CERT/CC) said that "badly formed ZIP headers can make antivirus and endpoint detection and response software (EDR) give false negatives." "Even though the headers are messed up, some extraction software can still decompress the ZIP archive, which means that potentially harmful payloads can run when the file is decompressed." The issue is tracked as CVE-2026-0866. Christopher Aziz, a security researcher at Bombadil Systems who found the flaw, gave it the code name Zombie Zip and showed how the method works.

CodeWall, a startup that focuses on autonomous offensive security, says that its AI agent hacked McKinsey's internal AI platform Lili and got full read and write access to the chatbot platform in just two hours.
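The Zombie ZIP item above comes down to a parser differential: a ZIP archive carries two descriptions of every entry (the local file header in front of the data and the central directory at the end), and a scanner that trusts one view can be fooled while an extractor that trusts the other still unpacks the payload. The following checker, an added example that is not from the page, CERT/CC or the researcher, and which makes no claim about the exact malformation behind CVE-2026-0866, cross-checks the two views and reports every disagreement. The sample archive, the `corrupt_local_header` tampering and the `still_extracts` probe are constructed here for illustration; the probe shows that Python's `zipfile`, which drives extraction from the central directory, still reads the entry whose local header was mangled.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FIXED = struct.Struct("<HHHHHIIIHH")   # fields after the 4-byte signature
FLAG_DATA_DESCRIPTOR = 0x0008                 # sizes/CRC follow the data instead
FLAG_UTF8 = 0x0800


def read_local_header(data: bytes, offset: int) -> dict:
    """Decode the local file header at `offset`; raise ValueError when it is malformed."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("missing local header signature")
    if len(data) < offset + 30:
        raise ValueError("local header truncated")
    (_ver, flags, method, _t, _d, crc, csize, usize, nlen, _elen) = LOCAL_FIXED.unpack(
        data[offset + 4:offset + 30])
    name = data[offset + 30:offset + 30 + nlen]
    if len(name) != nlen:
        raise ValueError("file name truncated")
    return {"flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize, "name": name}


def check_archive(data: bytes) -> list[str]:
    """Cross-check every central directory entry against its local header.

    Returns a list of findings; an empty list means both views agree.
    A scanner can treat any finding as a reason to quarantine or deep-inspect."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"central directory unreadable: {exc}"]
    for info in zf.infolist():
        try:
            local = read_local_header(data, info.header_offset)
        except ValueError as exc:
            findings.append(f"{info.filename}: {exc}")
            continue
        enc = "utf-8" if local["flags"] & FLAG_UTF8 else "cp437"
        if local["name"].decode(enc, "replace") != info.filename:
            findings.append(f"{info.filename}: local name differs ({local['name']!r})")
        if local["method"] != info.compress_type:
            findings.append(f"{info.filename}: method {local['method']} vs central {info.compress_type}")
        if not local["flags"] & FLAG_DATA_DESCRIPTOR:   # otherwise local sizes may legitimately be 0
            for key, central in (("crc", info.CRC), ("csize", info.compress_size),
                                 ("usize", info.file_size)):
                if local[key] != central:
                    findings.append(f"{info.filename}: {key} {local[key]} vs central {central}")
    return findings


def build_sample() -> bytes:
    """Constructed sample archive (not a real malicious file): two ordinary entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello from a constructed test archive\n" * 20)
        zf.writestr("tool.bin", bytes(range(256)) * 8)
    return buf.getvalue()


def corrupt_local_header(data: bytes, name: str) -> bytes:
    """Constructed tampering: overwrite one entry's local method and size fields while
    leaving the central directory intact, so the two views of the entry disagree."""
    off = zipfile.ZipFile(io.BytesIO(data)).getinfo(name).header_offset
    patched = bytearray(data)
    struct.pack_into("<H", patched, off + 8, 99)                # bogus compression method
    struct.pack_into("<II", patched, off + 18, 0xFFFFFFFF, 0)  # bogus compressed/uncompressed sizes
    return bytes(patched)


def still_extracts(data: bytes, name: str) -> bool:
    """True if a central-directory-driven reader (Python's zipfile) still yields the entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
        return False


if __name__ == "__main__":
    clean = build_sample()
    bad = corrupt_local_header(clean, "readme.txt")
    print("clean archive findings:", check_archive(clean))
    print("tampered archive findings:", *check_archive(bad), sep="\n  ")
    print("tampered entry still extracts:", still_extracts(bad, "readme.txt"))
```

The design point is that the check does not pick a "true" view; it flags the disagreement itself, which is exactly what a scanner that only parses one set of headers misses. In a gateway or EDR pipeline, any non-empty finding list is a reason to block the file or run it through every extractor the endpoints actually use.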

Anthropic said in its own statement, "We had been having productive talks with the Department of War over the last few days about how we could help the Department while still following our two narrow exceptions, and how we could make sure that the transition goes smoothly if that isn't possible." The Pentagon, on the other hand, said that there are currently no negotiations going on with Anthropic. It also said again that the department "does not do and will not do domestic mass surveillance."

The development comes after OpenAI signed a deal with the U.S. Department of Defense. CEO Sam Altman said that the defense contract would include the same red-line protections that Anthropic had insisted on.

The company has since changed its contract to say that "the AI system shall not be intentionally used for domestic surveillance of U.S. persons and nationals." Dario Amodei, the CEO of Anthropic, has said that OpenAI's messages are "safety theater" and "straight up lies."

A new information-stealing campaign that spreads BoryptGrab is using a network of more than 100 public GitHub repositories that claim to offer free software tools.

The repositories use search engine optimization (SEO) keywords to trick people into clicking on links.

After a national security review of TikTok, Canada's Minister of Industry, Mélanie Joly, said the company can keep doing business.

The government said, "TikTok will implement enhanced protection for Canadians' personal information, including new security gateways and privacy-enhancing technologies to control access to Canadian user data in order to reduce the risk of unauthorized or prohibited access." "TikTok will put in place better protections for kids." This change is a complete 180 from a decision made in 2024, when it was told to stop doing business because of "national security risks" that were not explained.

But that order was put on hold in early 2025.

Flashpoint said that in 2025 it recorded 44,509 vulnerability disclosures, a 12% increase from the previous year. Of those, 466 were confirmed to have been exploited in the wild.