Today's cybersecurity news highlights significant data breaches, critical vulnerabilities, and ongoing efforts against sophisticated threat actors. Several reports detail new attack techniques targeting macOS, AI platforms, and supply chains, while law enforcement continues to pursue cybercriminals globally.

Healthtech Firm Xolis Suffers Data Breach Impacting 1.4 Million People — Healthcare technology company Xsolis disclosed a phishing attack that compromised sensitive data for nearly 1.4 million individuals. Read more →
CISA Adds Four Known Exploited Vulnerabilities to Catalog — CISA has added CVE-2025-67038 (Lantronix EDS5000), CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 (Ubiquiti UniFi OS) to its KEV Catalog due to active exploitation. Read more →
New macOS ClickFix Attack Silently Mounts DMGs to Push Infostealer — A new macOS campaign, dubbed "ClickFix," uses Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. Read more →
Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps — Four vulnerabilities, collectively named DifyTap, in the Dify AI platform could allow attackers to read private chats and access internal APIs across tenants. Read more →
LastPass Confirms Data Breach in Klue Supply Chain Attack — LastPass announced that hackers accessed customer data from its Salesforce environment by stealing the company's OAuth tokens in the Klue supply chain attack. Read more →
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist — Threat actors are using a Golang-based sniffer to target 430,000 FortiGate firewalls, identifying 110 million credentials in an ongoing global campaign. Read more →
FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances — A newly disclosed FFmpeg flaw, 'PixelSmash,' could enable remote code execution in applications using the libavcodec library by sending crafted media files. Read more →
Scattered Spider Hackers Plead Guilty on Day 1 of Trial — Two members of the Scattered Spider cybercrime group pleaded guilty in the UK to charges related to the August 2024 cyberattack that crippled Transport for London. Read more →