DOGE-aligned White House web projects funnel citizen data to analytics firm
Microsoft's threat to security researcher draws criticism, Commerce IG says NIST has mismanaged NVD, Obama White House Instagram was hacked, Teen researcher flagged flaws in India's school exam board website, Gravity Bridge exploited for $5.4m, DxSale legacy site hacked for $7.3m, much more

A sprawling digital modernization effort inside the White House is drawing scrutiny after researchers uncovered evidence of numerous federal web projects, including what appears to be a previously undisclosed staging version of Vote.gov, that feed visitor data to an outside analytics firm.
The projects are bifurcated from the agencies that own them and extend to a wide variety of areas of citizen interest, including Trump.rx, the federal drug pricing site; RealFood.gov, a MAHA nutrition site; and other sites.
The effort is being led by the National Design Studio, a relatively new organization tasked with redesigning and streamlining citizen-facing government services. The National Design Studio was created by executive order in August 2025. Its job, officially, is to redesign how Americans experience their government. Its leader is Joe Gebbia, co-founder of Airbnb.
Gebbia spent six months at DOGE before taking his current role. The senior staff at the National Design Studio come from the same place, DOGE. DOGE is currently named as the defendant in multiple federal lawsuits for letting engineers without proper security clearance access Social Security data and Department of Homeland Security data, and for sharing sensitive federal information with outside parties.
This development suggests that a growing number of federal websites and digital services may be operating on centralized infrastructure rather than through the agencies that have traditionally managed them. Researchers identified dozens of domains, prototypes, and development projects associated with the initiative, spanning voter registration, government forms, benefits delivery, and identity services.
Particular attention has focused on the apparent use of Login.gov as a unifying identity platform across multiple government services. While centralization could simplify interactions with federal agencies and improve the user experience, critics argue that concentrating authentication and personal information in fewer systems could increase both privacy risks and the consequences of a successful cyberattack.
Researchers also found evidence that several of the sites use PostHog, an analytics platform that collects information about visitor activity and user behavior. The discovery has raised questions about what data is being gathered, how long it is retained, and whether third-party analytics platforms are appropriate for services that may handle sensitive citizen information.
Last week, PostHog disclosed a security incident that exposed customer project data and account information, underscoring the risks associated with centralizing analytics data in a third-party platform. (The Drey Dossier and PostHog)

After a security researcher called Nightmare Eclipse published a series of unpatched bugs in Microsoft products, along with code to exploit them, the software giant is now threatening to take legal action and call the cops on them, reigniting a long-running argument over what responsibility, if any, security researchers have to disclose vulnerabilities affecting large and wealthy tech giants.
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine, Defender, and the disk-encryption tool BitLocker.
The core of Microsoft’s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been “responsible,” as Microsoft’s blog put it. The other side of the company’s argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse published have since been used by hackers in real-world attacks, according to Microsoft, as well as the US cybersecurity agency CISA. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Microsoft, DoublePulsar, CSO, The Register, ComputerWeekly.com, The Record, PCMag, Security Affairs
A Department of Commerce inspector general report found that the National Institute of Standards and Technology has mismanaged a critical cybersecurity vulnerability database, the National Vulnerability Database or NVD, through poor planning, inefficient operations, duplicate federal programs, and failure to communicate with users.
The report identified the lack of strategic planning as a core problem. NIST leaders admitted they had no long-term plan for clearing the backlog, even as it grew from about 13,000 unprocessed security flaws in June 2024 to over 27,000 by the end of 2025.
NIST publicly promised in May 2024 that it would clear the backlog by September 2024, setting a goal of processing 6,200 security flaws per month, but the agency had never processed more than 5,000 per month in the past.
The report found major inefficiencies in how NIST enriches the information that is attached to the vulnerabilities.
Analysts spend about 80% of their time on two tasks: calculating severity scores and identifying which products are affected. The inspector general’s office tested NIST’s severity scores and found they matched independent evaluators only 12% of the time.
Moreover, nearly 80% of vulnerability submissions already include these scores from the companies that are responsible for the software. This means NIST is doing work that is often unnecessary and inconsistent. The inspector general proposed cutting back on severity score calculation work over the next two years, estimating that NIST would save $800,000 that it could redirect to other program areas. (Greg Otto / CyberScoop)
Related: Department of Commerce Inspector General

The official Instagram account for the Obama White House was hacked with messages claiming the White House is under Shiite control.
A rep for Meta confirmed the hack and told TMZ that the account has since been secured and the unauthorized content has been scrubbed. (TMZ)
Related: WANA, The Wrap, AA, Daily Mail

The Central Board of Secondary Education, a national school exam board in India, said it has been monitoring, and has contained, vulnerabilities first flagged by a teenage cybersecurity researcher in its online grading portal for one of the country’s most important school-leaving exams.
The board, run by the government and one of India’s main school exam boards, said in an X post that it has been “closely monitoring” weaknesses in the OnMark portal — an online grading website for teachers — after they were flagged publicly. The portal, which was first introduced this year, uploads scanned copies of the physical answer books of students for teachers to grade digitally.
The controversy stems from complaints by students that their physical answer sheets did not match the digital versions shared by the education board upon request for reevaluation. The incident has sparked outrage on social media platforms, forcing the CBSE and the country’s Education Minister, Dharmendra Pradhan, to address the concerns.
In a blog post on May 22, teenage cybersecurity researcher Nisarga Adhikary flagged that the online grading portal used by CBSE could have permitted a full takeover of an examiner’s account, and potentially allowed tampering with marks or disruption of the grading process.
Adhikary said he had disclosed five critical vulnerabilities in the On-Screen Marking portal to the country’s Computer Emergency Response Team on Feb. 25. The emergency response agency acknowledged the disclosure with a standard email but did not follow up, he said. (Sidhartha Shukla / Bloomberg)
Related: Deccan Herald, The Hindu, Press Reader, The Economic Times, The Statesman, DNA India, WION
Gravity Bridge, a cross-chain protocol that moves assets between Ethereum and the Cosmos ecosystem, was drained of roughly $5.4 million in what security researchers believe was the result of a compromised signing key rather than a smart contract bug.
The unusual outflows were first flagged by onchain analyst Specter and later corroborated by security firm PeckShield. Specter said it appears the bridge's signing keys may have been compromised, allowing the attacker to push out a series of unauthorized withdrawals.
The stolen funds break down to about $4.3 million in USDC, 274 wrapped ethers worth roughly $553,000, $434,000 in Tether, and 14.16 PAXG tokens worth about $64,000, according to PeckShield's tally. The assets were routed to an address ending in 7C62da1F9, with the drained contract identified by Specter as one ending in 1F2D906.
"There was an unfortunate incident on Gravity," the team wrote on X Saturday. "Validators should halt their validators and orchestrators while this incident is being investigated." In a follow-up post, the team said the bridge is currently halted while it investigates the attack.
The attacker began moving funds almost immediately. PeckShield said a portion of the haul has already been laundered through the instant-swap service ChangeNow and through Binance, while the theft wallet was still holding around 2,100 ETH, or about $4.23 million, at the time of its report. An Arkham snapshot shared by Specter showed a related wallet holding roughly $4.16 million in ether. (Zack Abrams / The Block)
Related: FinanceFeeds, AMB Crypto, crypto.news, CoinMarketCap, BeInCrypto, CryptoNews, Coinpedia
The legacy liquidity locker of DxSale, a decentralized token launchpad platform, suffered a $7.3 million exploit on BNB Chain across old liquidity positions.
On-chain investigators reported that attackers targeted more than 1,400 liquidity pools linked to outdated locker contracts. The incident has raised fresh questions around contract ownership changes, old DeFi infrastructure, and possible insider-level access.
Blockchain security firm PeckShield and on-chain analyst Tahax reported the exploit on DxSale’s legacy locker contracts. The attackers drained assets from old liquidity provider positions that remained locked on BNB Chain. DxSale gained wide use during the early BNB Chain token boom. Many memecoin projects used the platform to lock LP tokens and assure token holders.
Several of those contracts dated back to the 2021 market cycle. Many positions stayed untouched for years, which left substantial liquidity inside older contract structures. Investigators traced the primary attacker's address to several post-exploit transactions. The address moved 2,958 BNB, worth about $1.87 million, to two main wallets.
The funds then moved through routes linked to multiple Binance deposit addresses. Separate tracking also showed swaps and mixer-related activity, including AnySwap routes. Researchers reported that the attackers used custom contracts to drain liquidity in batches. They also manipulated unlock timestamps and reduced fees close to zero. (Maxwell Mutuma / Blockonomi)
Related: Invezz, Incrypted, CryptoNews, CryptoPotato, AMB Crypto, crypto.news
Alephium, a proof-of-work Layer 1 that runs a private fork of the Wormhole bridge, lost about $815,000 across Ethereum and BNB Chain after an attacker pushed forged messages through the bridge backend and out the other side as legitimate-looking transfers, according to the team.
Alephium has shut the bridge down and said no new transactions can be initiated.
The attacker drained 200,967 USDT, 17,594 USDC, 5.18 WETH and 0.335 WBTC on Ethereum, plus 36,750 USDT and 24.386 WBNB on BNB Chain, per Alephium's accounting, and minted 13.76 million wrapped ALPH on Ethereum with no corresponding ALPH locked on the Alephium chain. The full sequence took about seven minutes, according to blockchain security firm Blockaid, which spotted the exploit first and brought in the SEAL 911 emergency-response unit. (The Defiant)
Related: Yellow, cryptonews, AMB Crypto
Password manager Dashlane responded to what it called a “brute force attack by an external party” over the weekend, following multiple users reporting issues logging in or receiving suspicious emails.
The incident began and ended on 31 May, with initial reports first emerging around 3 pm UTC.
“We have received reports from several users having received an email stating that their account has been suspended. We have also received reports that some users are experiencing difficulties in logging in to Dashlane after resetting their master password,” Dashlane said in its first status notification.
The company said it was investigating the issue, with its engineering teams working to establish the cause for most of the rest of the day. (David Hollingworth / Cyber Daily)
Related: r/cybersecurity

Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
"GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," reads Palo Alto's advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17. (Lawrence Abrams / Bleeping Computer)
Related: Palo Alto Networks, Security Affairs, Help Net Security
Permiso threat hunter Andi Ahmeti discovered that ChatGPT can’t tell its own generated content from attacker-controlled Markdown pulled from external sources in what amounts to a prompt injection attack.
An attacker could abuse this blind trust to inject phishing URLs into ChatGPT responses, or even trick the model into showing fake security alerts written in ChatGPT's own style, Ahmeti said.
Ahmeti also demonstrated how criminals could exploit this trust issue to pivot their attack from a victim’s browser to their mobile device by displaying an inline QR code. The victim scans the QR code with their phone and is taken to content hosted in an attacker-controlled S3 bucket, and this allows the baddie to bypass every desktop URL defense, including blocklists and password-manager domain checks, Ahmeti warned.
Ahmeti doesn’t know if the flaw has been fixed, and OpenAI has not responded to questions. (Jessica Lyons / The Register)
Related: Permiso, Cyber Security News
ChatGPT, Gemini and other Western AI programs have turbocharged Iran’s cyber operations, helping it develop malware, craft phishing messages in perfect Hebrew and Arabic, and then unleash attacks at unprecedented scale and speed, cyber experts and tech companies say.
This has enabled Iran, which has been in a fragile ceasefire with Israel and the US since early April, to keep up the digital pressure on its more advanced adversaries, scanning the internet for enemy vulnerabilities and safeguarding Tehran’s own weaknesses. They even use AI to create convincing personas to dupe targets in the US and Israel.
The United Arab Emirates, battered by thousands of missiles and drones during the fighting, has said it was facing more than half a million cyber attacks every day, assisted by OpenAI’s ChatGPT. Israelis have been spammed with wave after wave of phishing emails and texts, some reportedly inviting them to collaborate with Iranian intelligence. (Jacob Judah / Financial Times)
Related: Implicator.ai
A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites.
The issue impacted all WP Maps Pro versions up to 6.1.0. The plugin had more than 15,000 sales at the time the vulnerability was disclosed.
The vulnerability was submitted to the Wordfence Bug Bounty Program on March 24, 2026. Security researcher David Brown discovered and responsibly reported the flaw, earning a $1,950 bounty.
Wordfence stated that attackers could exploit a vulnerable AJAX action to create administrator accounts without authentication. (Ashish Khaitan / The Cyber Express)
Related: WordFence, Bleeping Computer
The Bombay High Court has granted a temporary injunction restraining a ransomware group identifying itself as Morpheus from distributing or disclosing confidential data it exfiltrated from the HDFC Asset Management Company.
A vacation bench of Justice Shreeram Shirsat, in the order passed on May 29, said prima facie an arguable case was made out to grant interim relief.
"If the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences, and it can cause irreparable and irreversible damage to the plaintiff company," the court said.
Apart from the injunction against the ransomware group from using, distributing, or disclosing the confidential data, the court also directed the Union government to take all steps necessary to remove, delete, block, and disable accounts in relation to the stolen confidential data. (Press Trust of India)
Related: Databreaches.net, Business Line, The Free Press Journal
International Business Machines and Red Hat have committed $5 billion to establish a new model for open-source software, aiming to secure software supply chains for enterprises.
Under the new project, dubbed Project Lightwell, the companies said Thursday they will deploy a global force of 20,000 engineers, supported by advanced artificial intelligence, to establish a trusted enterprise clearinghouse.
The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to identify, test, and fix security vulnerabilities across massive volumes of open-source code.
The capabilities will be available through commercial subscriptions, allowing enterprises to report bugs within open-source frameworks and receive validated, production-ready patches that can be directly integrated into their software supply chains. (Connor Hart / Wall Street Journal)
Related: IBM News Room, Reuters, InfoWorld, AI Business, Finextra, Quartz, Axios
Best Thing of the Day: Let's Hope Hegseth Doesn't Hurt Him
Adm. Frank Bradley, head of US Special Operations Command, told attendees of a recent annual special forces conference in Tampa, Florida, that troops “have to be very careful about how we come to (AI’s) employment and its inspiration into the delivery of lethality.”
Worst Thing of the Day: It Might Feel Good For Only a Moment
Back in 1996, a one-time "whiz kid" named Timothy Lloyd hacked his employer, Omega Engineering, because he felt unfairly treated, depriving his company of millions of dollars, and resulting in the layoffs of dozens of his former colleagues.
