Apple faces supply chain leak as AI threats accelerate security updates

Metacurity is the cybersecurity industry's daily reality check—independent, agenda-free coverage that cuts through vendor hype, social media noise, and recycled talking points to explain what matters and why.

Trusted by thousands of cybersecurity professionals, including many of the industry's most influential security leaders, Metacurity delivers the context, analysis, and perspective that busy readers don't have time to assemble themselves.

If you find value in that work, please consider becoming a paid subscriber. Metacurity remains independent because its readers choose to support it.

Sensitive lists of components and suppliers, and photos of Apple's upcoming iPhone 18 Pro models, are part of files posted on the ‌dark web by the ransomware group that stole data from the US firm's Indian supplier, Tata Electronics, according to documents and a source.

The exposure threatens the carefully negotiated business of building the iPhone, which Apple assembles from a thicket of suppliers worldwide. It could also upset Apple and its relationship with Tata, given most of the supplier arrangements are fiercely protected by Apple, and could also hand ​rivals, counterfeiters, and its own vendors a view of who makes what.

Tata, which both supplies parts and assembles iPhones as a contract manufacturer, is emerging as ​one of Apple's most important manufacturing partners outside China, an expansion that is a cornerstone of Prime Minister Narendra Modi's push to ⁠make India an electronics manufacturing powerhouse.

Apple is reportedly on track to release its iPhone 18 Pro and Pro Max in September. The leak comes at a difficult time ​for Apple, which last week raised iPad and MacBook prices due to soaring memory and storage chip costs, with analysts expecting Apple to increase iPhone prices in the coming months.

Separately, Apple said it is pushing forward a series of software updates that would previously have been ​bundled with a new version of its iOS operating ‌system, making them available, opens new tab earlier than in previous cycles in response to AI-driven security concerns.

The company said it was adapting to ​the reality that, given the ability of artificial intelligence ​to speed the development of malicious hacking tools, it ⁠needed to reduce the time between when updates were first ​made public and when they were put into customers' hands. (Munsif Vengattil, Aditya Kalra and Stephen Nellis / Reuters and Raphael Satter / Reuters)

Related: 9to5Mac, StrictlyVC, Mashable, AppleInsider, Digit, Times of India, iThinkDifferent, Digital Trends, The Verge, The Tech Portal, MacRumors, Daring Fireball, MacDailyNews, MacRumors Forums, Simply Wall Street, Mezha, Huawei Central, Storyboard18, The Hindu Business Line, Times of India, Gadget Review, Macworld, iClarified, Benzinga

Hundreds of contractors working on a project for Meta were instructed to pose as minors online and probe how competitor chatbots responded to prompts involving suicide, sex, eating disorders, and other high-risk subjects, according to internal documents and five people familiar with the project.

The effort, which Meta contractor Covalen managed, was active as recently as April 21. Known internally as Cannes, it targeted OpenAI’s ChatGPT, Google’s Gemini, and Character.AI. The project asked workers to create dummy under-18 accounts, send written prompts and images to rival chatbots, and copy the responses into spreadsheets. Some of the images contractors sent included pills, knives, nooses, and a medical diagram of a gynecological procedure.

The prompts were often designed to push the chatbots toward responses their safety systems were supposed to refuse, according to instructions describing the project. A single round of testing completed in August 2025 saw more than 45,000 prompts run through the rival chatbots. The companies behind the chatbots weren’t aware of the testing.

A spreadsheet reviewed by WIRED listed several of the dummy profiles and included names, email addresses, passwords, and birth dates. The accounts used throwaway Gmail and Outlook addresses and a shared password.

The documents reviewed by WIRED do not indicate how, or whether, Meta used the collected responses. An internal Covalen document described the project as “comprehensive AI safety benchmarking” and said it delivered “critical datasets for model comparison and compliance.”

In a statement, Meta defended the work as routine safety testing. “Testing and benchmarking chatbot responses to help ensure safe and age-appropriate experiences is a responsible, industry-standard practice, and any suggestion otherwise completely misunderstands how technology companies work to refine and improve their systems,” a Meta spokesperson said in a statement. The company doesn't use competitor benchmarking to train its own AI models, the spokesperson said. (Dhruv Mehrotra and Joel Khalili / Wired)

Related: r/technology

The US Supreme Court limited the law enforcement use of “geofence” search warrants, in a major legal ruling that is likely to have broad ramifications for privacy rights and law enforcement across the United States.

In the 6-3 ruling, the top court said that “an individual has a reasonable expectation of privacy in his cell-phone location information.” According to the court, that means people have privacy rights when it comes to the location history collected by their phones, as well as the services and apps running on them. 

Because of that, the court ruled that authorities need to obtain a search warrant when asking tech companies, such as Google, for the location data of their users, including when requesting historical geofence location data.

In part, the Supreme Court argued that authorities need to obtain a search warrant to get geofence location data because a user is not willingly sharing their location data to a company like Google by simply using its services. If that were the case, then the “third-party doctrine,” which generally says people do not expect privacy when it comes to data they willingly share with others, would apply. In those cases, authorities don’t need a search warrant to obtain user data from telecom providers, for example.

Geofence warrants allow law enforcement to force tech companies to hand over information about where any of their millions or billions of users were located at a particular place in time, based on a record of their phone’s location stored in their databases. In practice, police will draw a shape over a map and ask a judge to allow them to demand that tech companies, such as Google, search their vast banks of users’ location data and tell them which of their users was there at the time of inquiry. (Zack Whittaker and Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Supreme Court, CyberScoop, The Guardian, Scotus Blog, NPR, NBC News, MS Now, The Hill, New York Times, ABC News, Ars Technica

Google’s top privacy and security staff have warned that plans in Europe, designed to get it to open up its search data and Android operating system to competitors, could lead to people’s search queries being hacked and an increase in cybercrime across the content, according to multiple interviews and documents.

Mountain View’s alarm comes as European Commission officials are set to make final decisions next month in two cases, around Google Search and Android interoperability, under the European Union’s landmark Digital Markets Act competition rules. The rules, which were first adopted at the end of 2022, are designed to force open Big Tech companies that dominate markets, make it easier for others to compete, and reduce reliance on a handful of firms.

Heather Adkins, Google’s vice president of security engineering and a founding member of its security team, says the company has concerns around the proposed changes for both Search and Android. In April, the European Commission published initial details, plus now-closed public consultations, on how Google should open up its search data—sharing anonymized search data with rivals—and allowing other AI services to have more access to the Android operating system. (Matt Burgess / Wired)

Related: Ars Technica, Amateur Photographer

According to Google Threat Intelligence, four years into the Kremlin’s illegal invasion of its neighboring country, Russian influence operations have moved beyond their near-exclusive focus on Ukraine to their former favorite targets: the US and Europe, and especially covert cyber-ops intended to undermine political stability within these countries and the unity between them.

“This shift is significant because it likely signals increased focus outside of Ukraine, warning that pro-Russia influence activity targeting the European Union (EU), North Atlantic Treaty Organization (NATO), and other top targeting priorities may intensify,” Google threat hunters James Sadowski and Alden Wahlstrom said in a Monday report.

The war in Ukraine helped Russian operatives refine their influence activities, and Moscow’s increasing use of AI for planning, reconnaissance, and content generation “marks a forward trend in pro-Russia IO,” the duo wrote. (Jessica Lyons / The Register)

Related: Google Cloud, Ars Technica, r/google, The Verge

Amazon agreed to pay $2.25 million to settle US claims that it routinely failed to provide records to help customers who were victims of identity theft.

The accord disclosed in a court filing follows an investigation by the Federal Trade Commission into allegations the company was not providing customers with legally required information about fraudulent purchases made in their name, as required by the Fair Credit Reporting Act.

The FTC referred the case to the Justice Department, which reached a settlement in May that requires Amazon to provide business transaction records free of charge to ID theft victims within 30 days of receiving a request, according to Monday’s filing in Washington federal court.

“We’ve resolved this matter with the FTC and have implemented process improvements for customers who believe they may be victims of identity theft,” Amazon said in a statement. “Customers who need assistance requesting their records can visit our Help Page to learn more.” (Josh Sisco / Bloomberg)

Later this year, WhatsApp plans to add usernames as an additional and more privacy-friendly way for WhatsApp users to connect without sharing phone numbers.

WhatsApp says username reservations open up this week on the platform, and users will see a notification in the app when it’s available. (Reece Rogers / Wired)

Related: Meta, Security Affairs, Bleeping Computer, TechCrunch, 9to5Mac, BBC News, Al Jazeera, Associated Press, The Verge, Mashable

About three months after it detected suspicious activity within its network systems, AssuranceAmerica has started alerting consumers.

The Atlanta-based managing general agency with about 9,500 agents selling personal auto, renters, and commercial auto policies in 14 states said on March 17 it detected the suspicious activity targeting one employee.

The MGA said it notified authorities and immediately enlisted an outside forensic specialist. It was determined an unauthorized third party accessed the company’s systems through the targeted attack and copied “a number of data files,” according to the breach notice filed in at least a half-dozen states.

AssuranceAmerica said that, due to the scope and the files involved, the investigation was only recently completed. (Insurance Journal)

Related: Consumer.sc.gov, Insurance Business, WUSA9, WLTX

The United States has seized nearly 400 internet domains that were being used to illegally ​stream the World Cup, officials said, describing ‌the move as one meant to disrupt international networks profiting from the popularity of the tournament.

The US Justice Department said the domains were ​identified with the assistance of soccer governing body ​FIFA and others, including NBC Universal and Warner Brothers.

The ⁠domains were used to offer users illegally copyright-protected content ​in the form of real-time streams of the World Cup ​matches as they were being played and first broadcast, the department said.

"These streamers not only violate copyright laws but also expose viewers to ​potential threats — including malware attacks and unsecure connections that can ​compromise personal and financial data," Eric Weindorf, a special agent in charge ‌at Homeland Security Investigations, said in a statement.

Servers and domains linked to the unauthorized streaming of the tournament's matches were targeted in Peru and Bulgaria, the DOJ said, adding that ​additional disruptions took ​place in ⁠Croatia, Romania, Poland and Colombia. (Jasper Ward / Reuters)

Related: Justice Department, TechRepublic, Bleeping Computer, Gizmodo, Advanced Television, Tech Times

Nissan has joined the growing list of Oracle customers cleaning up after a cyberattack, warning employees that payroll records, bank details, Social Security numbers, and other personal data may have been stolen.

In a filing submitted to the California Attorney General on Friday, Nissan Americas said Oracle had informed it of "a cyber event" involving the personnel records of "hundreds of companies." The automaker said it later learned Nissan had been "specifically targeted" in the attack.

A notification sent to current and former employees says the company believes attackers accessed a haul of sensitive info, including contact and banking information; Social Security, Social Insurance, or other national identification numbers; financial and tax records; and dependent and beneficiary details.

Current and former employees in the US, Canada, Mexico, and Brazil may have been affected, although Nissan said it is still working to determine exactly whose information was exposed. (Carly Page / The Register)

Related: California Attorney General, SC Media, Cyber Daily, Cyber Insider

Researchers at BlackPoint say hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux.

The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM).

Earlier this month, offensive security company Horizon3.ai published details about CVE-2026-48558, saying that the flaw could be leveraged to create highly privileged technician accounts without authentication.

Exploiting the vulnerability is possible on servers using the OpenID Connect (OIDC) authentication protocol. According to the researchers, around 1,000 SimpleHelp servers exposed online were running a vulnerable configuration at the time of the disclosure. (Bill Toulas / Bleeping Computer)

Related: BlackPoint, Dark Reading

In 2025, the Reserve Bank of India created the .bank.in subdomain and required all local banks to start using it for their online presences but now, a security research group which goes by the name CashlessConsumer has alleged that the entity chosen as the sole registrar of the subdomains – the Institute for Development and Research in Banking Technology (IDRBT) – botched the job and leaked sensitive data.

“The IDRBT Domain Registration Portal (registrar.idrbt.ac.in) – the exclusive registrar for India’s .bank.in namespace – exposed its entire REST API via 33+ unauthenticated endpoints,” the post alleges. “Anyone with curl could retrieve the bcrypt password hashes, mobile numbers, email addresses, login IPs, and device fingerprints of all 5,576 bank employees trusted with managing India’s banking domains.”

The researcher behind the exposé, “Srikanth L”, says he accessed info through the portal and found evidence that some Indian banks host websites on shared servers in the United States, Singapore, and Lithuania. He also found 80 percent of registered .bank.in domains don’t use DNSSEC, 40 percent don’t employ the DMARC email security protocol that verifies senders’ identity, and many domains are secured with free Let’s Encrypt certificates. (Simon Sharwood / The Register)

Related: CashlessConsumer, CashlessConsumer, MediaNama

Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused.

This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks.

Oracle released security updates to address the vulnerability with its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," the company warned at the time.

"In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply security patches without delay." (Sergiu Gatlan / Bleeping Computer)

Related: Security Affairs, Cyber Security News, Cyber Press

Critical and high-severity vulnerabilities in some Daktronics controllers could allow hackers to tamper with highway signs and billboards, according to Thomas Jou, the cybersecurity researcher who discovered the flaws.

According to an advisory published by CISA last week, the Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers, which control the company’s large-scale displays, are affected by three vulnerabilities.

The list includes a path traversal issue that can be exploited without authentication to enumerate arbitrary file system paths, an authenticated arbitrary file upload issue, and default admin credentials that provide full system access.

“Successful exploitation of these vulnerabilities could provide an unauthenticated user with complete root-level access and control of the system,” CISA warned in its advisory.

Daktronics has released patches and has advised users to change default passwords. (Eduard Kovacs / Security Week)

Related: CISA

The Washington Department of Social and Health Services (DSHS) is issuing a notice of a massive data breach that happened in March, potentially compromising the personal data of around 8,600 people.

An internal investigation revealed that a former DSHS employee accessed the data without authorization.

DSHS said there is no evidence that the employee had access to specific health information, such as “diagnoses, test results, treatments, claims, or chart notes,” the department said.

The investigation determined that the employee viewed specific client accounts for “reasons unrelated to their job duties,” DSHS said.

DSHS said it immediately terminated the individual’s access to DSHS systems and investigated what personal information had been viewed. (KIRO7 News)

Related: The HIPAA Journal

The DC Housing Authority's systems have been "compromised," according to Councilmember Robert White.

White's office sent out an email alert about the issue on Monday afternoon. 7News I-Team reporter Scott Taylor reached out to White's office, which confirmed a cyberattack hit the housing authority.

It is not clear whether anyone's personal information has been exposed in this attack. (Thomas Mates / WJLA)

Related: DCHA on Facebook

The US House passed legislation to require new online safety protections for children, a sign of growing momentum in Washington to address a widespread concern among US parents even as the measure sets up a clash with senators seeking stronger safeguards.

The House-passed legislation stops short of demands in the Senate to impose a legal requirement on tech companies, such as Meta Platforms Inc., TikTok Inc., and Snap Inc., to “exercise reasonable care” to prevent harms to minors. Republican and Democratic senators last week derided the House effort as inadequate.

The House’s so-called KIDS Act, passed 267-117, requires online platforms to limit minors’ access to sexual material, including through mandatory age verification for pornography websites, and provide parental controls on social media and online video game platforms. Artificial intelligence chatbots would also have to disclose that they are not human to users who identify themselves as minors and provide suicide prevention resources to children who show signs they are considering suicide.

It would also require social media companies to create default settings for minors that limit addictive design features and provide parents with tools to manage their child’s privacy settings. (Emily Birnbaum and Oma Seddiq / Bloomberg)

Related: National Technology News, Reuters, USA Today, Tech Policy Press, The Hill, Axios, NBC News, Roll Call

Secret Service agents have put US officials and national security at risk by routinely using personal smartphones, laptops and other mobile devices with unsecured messaging apps to carry out operations, making them vulnerable to hackers, according to a federal watchdog report.

The report, part of a review of security issues stemming from the attempted assassination of President Trump in Pennsylvania two years ago, blamed outdated or glitchy apps in government-issued devices for prompting on-duty agents to use their own phones and laptops.

Of nearly five million mobile calls placed by agents between October 2022 and April 2025, investigators at the Homeland Security Department’s Office of Inspector General identified more than 15,000 that were sent or received from personal phones during protective operations. They also tracked roughly 24,000 text messages between agents’ personal devices and government-issued devices, the report said. Most of the calls and texts were within the U.S.

In one case, a Secret Service agent used a personal device to receive a Butler, Pa., police photo of the suspected shooter in the July 24, 2024, assassination attempt. The agent told investigators he wasn’t able to share the photo on an approved messaging app. (Angus Loten / Wall Street Journal)

Related: DHS OIG, ASIS, FedScoop

The US Federal Communications Commission last week voted to toughen oversight of submarine communications cables that handle 99% of international internet traffic, proposing ​rules that will make it harder for Chinese companies to provide equipment and fast-track approvals ‌for trusted US tech firms.

The FCC said it was planning to require licenses for the first time for operators of submarine line terminal equipment, which performs the most critical function of a submarine cable system by connecting to US terrestrial facilities. (David Shepardson / Reuters)

Related: FCC, CyberScoop, sdxCentral

The Artificial Intelligence Access, Gatekeeper Exchange, and Nondiscriminatory Transfer (AI AGENT) Act, led by Sen. Mark Warner (D-VA), would establish a list of AI agent software providers that people can use to establish human ownership and securely run agents on social media and other online platforms.

The bill would allow end users of large online platforms with more than 50 million customers or subscribers per month the right to choose at least one AI agent provider who complies with security and identity standards developed by the Federal Trade Commission.

Under the bill, the FTC would certify independent bodies to vet AI agent vendors. These certification bodies would ensure products meet baseline protections for privacy, data security, and acting in the user’s interest. The bill would also require providers to link each AI agent to its human operator’s identity and to include built-in controls that let users clearly grant or revoke permission for the agent to act on their behalf.

While the commission cannot bar platforms from using AI agent providers that fail to meet those standards, it can deregister violators from the FTC list. (Derek B. Johnson / CyberScoop)

Related: Warner.senate.gov, CIO

Microsoft has built a bouncer to keep bots out of Teams meetings.

“Bots have begun joining meetings that participants never intended them to attend,” wrote Microsoft product marketing manager Meera Ajam in a Monday post. “For example, after connecting a third-party service to a meeting, some users have found that its bot continues joining future meetings automatically.”

Ajam thinks bots butting into meetings that include discussion of sensitive matters is a potential security and privacy problem. Your correspondent has personal experience of this when transcription bots add themselves to meetings conducted under non-disclosure agreements.

Microsoft has therefore built tech that requires a human to check a bot’s ID in the “lobby” where guests wait before a meeting. If a human rates a bot as worthy of coming inside, it gets to join the meeting.

The software giant says it’s “strengthened Teams' ability to distinguish between bots and human participants as they join a meeting” by using “a combination of behavioral and infrastructure signals to identify bots with a higher degree of accuracy.” (Simon Sharwood / The Register)

Related: Microsoft Teams Blog

Financial scam attempts in Australia more than doubled during winter over the past two years, according to new data from Gen, the company behind Norton.

Gen said it blocked more than 460,000 financial scam attacks during winter months in Australia, representing a 105% increase compared to the average across the rest of the year.

The company said the activity includes cryptocurrency and investment scams that rely on trust-based tactics to convince victims an offer is legitimate. One method described in the data involves scammers compromising social media accounts and using them to promote fake investment opportunities.

Gen said that once an account is taken over, scammers may post fabricated stories, screenshots, and testimonials designed to suggest the account holder has made significant profits through cryptocurrency trading, bitcoin mining, or online investment schemes. (Australian Cybersecurity Magazine)

Related: Cyber Daily, CyberShack

Straiker, a startup led by a former Palo Alto Networks executive, raised $64 million to train, test, and continuously improve security models using large-scale AI infrastructure.

Marathon Management Partners, Citi Ventures, Illuminate Financial, and Workday Ventures led the round with continued support from Bain Capital Ventures and Lightspeed. (Michael Novinson / GovInfoSecurity)

Related: PR Newswire, The Next Web, The SaaS News

Agentic coding startup Baz Technologies Inc. announced it raised $9 million in extended seed funding to launch a new platform that sits between developers and the code bases they’re working on in order to catch software vulnerabilities before they enter production workflows.

Existing investors Battery Ventures and Boldstart Ventures led the round with participation from new backers including AFG Partners and Disruptive VC. (Mike Wheatley / Silicon Angle)

Related: The Verge, AppleInsider, 9to5Mac, MacRumors, Digital Trends, The Tech Portal, Benzinga, MacDailyNews, Trusted Reviews, iPhone in Canada, Tom's Guide,  Livemint, Digit, Notebookcheck, iClarified, Moneycontrol, MacRumors Forums, Business Today

Best Thing of the Day: Time for Spotify to Step Up

Music streaming service TIDAL is introducing an AI policy that will automatically tag wholly AI-generated music in its app and block it from earning royalties.

Worst Thing of the Day: Please Don't Be a Loser Like This Person

 An anonymous researcher called bikini has dumped what they say is working exploit code for zero-day vulnerabilities across 15 software products and open-source projects without notifying any vendors or maintainers prior to publishing - and attackers are already exploiting at least two of these.

Closing Thought