Hackers post alleged blueprints and supplier data from India nuclear project
TfL hackers sentenced to 5½ years in prison, Hacking suspect once worked at Kaspersky, OpenAI unveils AI-powered red teaming tool, Ransomware attack disrupts Japan’s food supply chain, Qantas cleared after social-engineering breach, Health provider criticized for delayed breach disclosure, much more

Metacurity is the cybersecurity industry's daily reality check—an independent briefing that cuts through vendor spin, social media outrage, and endless recycled narratives to explain what actually matters and why.
Every weekday, thousands of cybersecurity professionals—including many of the industry's most respected security leaders—rely on Metacurity to separate signal from noise. We do the reading, research, and analysis so you don't have to.
If Metacurity helps you stay informed, save time, or see the bigger picture, please consider becoming a paid subscriber. Reader support is what keeps Metacurity independent, agenda-free, and focused on serving the cybersecurity community—not advertisers, vendors, or investors.
Ransomware group World Leaks has posted on the dark web a huge cache of files related to India's largest nuclear plant, including purported blueprints of parts of its facilities and supplier details — information it labeled as coming from Reliance Group.
The Kudankulam Nuclear Power Plant, located in the southern state of Tamil Nadu, is the largest of India's seven nuclear plants and central to Prime Minister Narendra Modi's ambitious plans to expand the country's atomic energy capacity.
Indian businessman Anil Ambani's Reliance Group, one of the plant's contractors, said that there had been a "partial breach" of its data on a server hosted by third-party Indian data center service provider Yotta, and that the government has been informed about the incident.
Reliance did not disclose what data had been breached.
The data breach could pose a "serious" risk to the safety of the plant, says Nickolas Roth, a senior director at the Nuclear Threat Initiative, which advises governments and benchmarks countries' preparedness on nuclear security. The breach also underscores how hacks have become more common in India, where many companies are ill-equipped to deal with such threats.
Nearly 19,000 files totaling 14.3 gigabytes that appear for the search term "KKNP" - an acronym for the nuclear plant - in the data have been online since June 11, according to independent cybersecurity researcher Rakesh Krishnan, who first alerted Reuters to the leak. (Munsif Vengattil and Aditya Kalra / Reuters)
Related: NDTV, The News Minute, The Hindu, Modern Diplomacy, The Federal
Thalha Jubair and Owen Flowers, members of the notorious Scattered Spider group who held London’s transport network, Transport for London, at their mercy during a 2024 cyberattack, were each sentenced to 5 and a half years in prison.
Flowers was also sentenced for hacking two US healthcare providers.
Sentencing the pair, Mr Justice Turner said the attack was “primarily motivated by selfish bravado, heedless of the severe consequences to others."
At one point, according to prosecutors in the case, Jubair and Flowers “could have shut out and shut down TfL completely”, having hacked their way to the “highest privileged access” in the system and creating a “domain admin” account described in court as “the keys to the kingdom”. They even searched through TfL’s customer database for celebrities.
The two hackers had led apparently closeted, online lives which nonetheless had a disproportionate impact on the outside world. (Dan Milmo and Joe Pinner / The Guardian)
Related: NCA, BBC News, Reuters, cp24, Sky News, The Times, Cybersecurity Insiders, Bleeping Computer

Denis Obrezko, a computer expert facing US hacking charges, previously held a senior position at Moscow-based antivirus firm Kaspersky Lab, according to a person familiar with the matter and records reviewed by Reuters.
Obrezko, who last week pleaded not guilty to computer crimes at a hearing in Boston, worked as a senior specialist for Kaspersky between 2017 and 2019, according to leaked salary documents and a former colleague. US prosecutors have said that Obrezko spent the preceding five years working for Russia's domestic intelligence service, known as the FSB.
Although the alleged hacking activity took place after he left Kaspersky, Obrezko's background is likely to draw further attention to the company's relationship with the Russian government. One of the world's leading antivirus makers, Kaspersky was a significant presence in the United States before concerns over its ties to the Kremlin effectively froze it out of the American market.
In a statement, Kaspersky said, "An employee with the name specified worked at the company between 2017-2019, and we have no information on the individual’s current status. The offenses charged cannot be related to the individual’s role or responsibilities during the employment at Kaspersky." (Raphael Satter and Anton Zverev / Reuters)
Related: Jerusalem Post
OpenAI has introduced GPT-Red, an automated AI system designed to find security vulnerabilities in its language models.
GPT-Red takes its name from cybersecurity red teaming, which is the practice of deliberately attempting to break a system to identify weaknesses before attackers can exploit them.
OpenAI said the tool helped make GPT-5.6 more resistant to prompt injection attacks before deployment.
“As model capabilities grow, safety and alignment must scale with them,” OpenAI wrote on X. “Red-teaming is essential, but today’s approaches are difficult to scale, creating a critical bottleneck. GPT‑Red is one way we’re addressing it.”
According to OpenAI, GPT-Red was trained through self-play reinforcement learning, generating progressively stronger prompt injection attacks while defender models learned to resist them. The company said those attacks were incorporated into GPT-5.6's training process, reporting that GPT-Red succeeded in 84% of internal evaluation scenarios, compared with 13% for human red teamers in the same tests.
In one case study, OpenAI said the system manipulated an autonomous vending machine agent into lowering prices, ordering discounted inventory, and canceling another customer's order before the vulnerabilities were disclosed and addressed. (Jason Nelson / Decrypt)
Related: OpenAI, MIT Technology Review, SiliconANGLE, RuntimeWire, The Decoder, iThinkDifferent, r/OpenAI
A cyberattack reportedly by the Qilin ransomware group against major frozen food company Nichirei Corp. has caused shipment delays and food shortages at big-name restaurants and supermarkets across Japan.
The attack disrupted Nichirei’s logistics systems on July 13, forcing the company to shut down the network on the same day as a precaution. As a result, operations involving the receipt and release of products at refrigerated warehouses, along with shipments of frozen foods, have been severely affected.
The company is still assessing the full extent of the damage but plans to resume operations gradually beginning on July 17. Around 5,000 companies use Nichirei’s logistics network, including some of the biggest names in the food industry.
Nichirei also reported the incident to Japan’s Personal Information Protection Commission, saying personal information may have been compromised.
A Nichirei subsidiary operates about 140 logistics centers nationwide and has the largest refrigerated warehouse capacity in Japan. The effects of the cyberattack on this network are beginning to reach consumers.
Kentucky Fried Chicken Japan Ltd. said July 14 that disruptions in procuring ingredients from Nichirei could lead to shortages of certain menu items. The fast-food chain also announced possible reduced operating hours at some outlets and temporary closures at others.
Kura Sushi Inc., a major conveyor-belt sushi chain, reported shortages of some sushi toppings at dozens of restaurants in the Kansai region. At supermarket chain York Benimaru Co., raw materials for boxed lunches and in-store baked bread have not arrived, making it impossible to offer some products.
Product shortages have also been reported at supermarkets operated by Aeon group companies.
Imuraya Co. on July 15 started suspending some shipments of its frozen desserts and ice cream products, including its popular Azuki Bar, as well as steamed meat buns and sweet bean paste buns.
Major Japanese ice cream maker Ezaki Glico, known for popular snacks such as Pocky, said some of its ice cream products rely on refrigerated warehouses owned by Nichirei, the target of the latest hack on a Japanese firm’s computer systems, and is seeing its shipments delayed. (The Asahi Shimbun and The Straits Times)
Related: AFP, Salmon Business, Japan News, The Record, Seafood Source, Japan Forward, Bloomberg, The Cyber Express
Australia’s Privacy Commissioner revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers.
The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report.
Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner’s report goes deeper, explaining a crook who claimed to represent “Qantas IT help” made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket.
Those actions instead connected the CRM to a data extraction tool which the crooks used to siphon off customer records.
The Commissioner considered whether Qantas observed the Australian Privacy Principles (APPs), the binding rules that govern how businesses safeguard PII, and found the airline did the right thing.
The report found that Qantas audited the operator of the contact center and tested the security awareness of its employees – and had done so in the months before the incident. Qantas also conducted mandatory and recurring training on how to handle PII. The Commissioner was therefore satisfied Qantas took adequate steps to ensure the contact center observed the APPs and didn’t fail in its obligations.
The regulator made a similar finding regarding the airline’s cross-border data-sharing practices. (Simon Sharwood / The Register)
Related: Australian Privacy Commissioner, The Cyber Express, IT News, Cyber Daily, Lawyerly
Fariha Jaigirdar, a lecturer in cybersecurity at Deakin University, said the delay between Partnered Health identifying it had been the target of a hack and notifying the public was "unacceptable."
The company, which runs more than 60 health clinics nationwide, said it first became aware a "malicious actor" had accessed data from some of those clinics on June 23.
The patient information obtained by the hackers potentially included names, dates of birth, addresses, Medicare numbers, treatment details and notes written by healthcare professionals during consultation.
Partnered Health did not alert the public or those potentially impacted by the hack until yesterday.
Partnered Health said it wanted to identify which of its clinics were impacted before alerting the public.
"We wanted to avoid causing undue concern and confusion by notifying people before we had a reliable understanding of what had occurred and who was affected," a spokesperson said.
"Investigations of this nature can be extremely complex and take time to complete accurately, and there is nothing to be gained by communicating inaccurate information regarding a serious incident such as this."
The early part of the investigation has determined that 21 clinics were impacted.
The company said it would not comment on any correspondence received from the hackers during the investigation. (Will Murray / ABC.net.au)
Related: The Guardian, The Australian, The Nightly, Nine.com, Australian Cybersecurity Magazine, Information Age, The Daily Telegraph, newsGP, Cyber Daily
A former member of Morocco’s domestic intelligence service has helped to provide an unprecedented insight into how the North African state used hacking software – including Pegasus spyware, made by the notorious NSO Group – to target journalists, human rights defenders, French politicians and Spanish cabinet ministers and police officers.
Although NSO Group says Pegasus is sold only to governments to help them track criminals and terrorists, the spyware is alleged to have been used by several countries to target dissidents, journalists, diplomats and politicians.
Morocco has long denied using Pegasus to target critics at home or abroad, and has claimed that reporters who have investigated NSO Group were “incapable of proving [the country had] any relationship” with the company.
Pegasus allows its operator to access everything on a target’s mobile phone, including emails, text messages and photographs. It can also activate the phone’s recorder and camera, turning it into a listening device.
However, evidence from a whistleblower who worked for Morocco’s Direction Générale de la Surveillance du Territoire (DGST) for almost a decade suggests the country’s internal security services began using Pegasus in 2017 and went on to deploy it against domestic and foreign targets over the course of four years.
Testimony from the source, known by the pseudonym Safir, forms the basis of a multi-year investigation by the Moroccan journalist Hicham Mansouri, which has led to a collaborative investigation between several media groups, with technical support from Amnesty International’s Security Lab.
The consortium, which was coordinated by Forbidden Stories and comprises 14 media organizations – including Le Monde, Haaretz, El Confidencial, Die Zeit and the Guardian – has also analyzed material detailing Morocco’s surveillance practices, from leaked emails to targeting records relating to Pegasus and other spyware, and from victims’ testimony to internal training material.
Two other former Moroccan intelligence agents also provided information and corroborated facts. Safir’s testimony is corroborated by leaked material, including the Pegasus project dataset, which Amnesty International’s Security Lab has forensically analyzed.
According to information gathered by the consortium, NSO Group representatives gave high-ranking Moroccan intelligence officers and technical experts a long and detailed demonstration of new technologies – including Pegasus – in an expensive villa in Rabat in 2017. The source said the house was nicknamed “the FSSYS villa” after FSSYS Maroc, which was then the Moroccan branch of the UAE-based surveillance intermediary al-Fahad, and which frequently used the property for such demonstrations.
The whistleblower has suggested that the hugely expensive spyware was a gift from the UAE. “Millions for the Emiratis, that’s nothing,” said Safir. “The Emirates bought it and redistributed it to friendly services. You could say it’s like Netflix: a friend pays for the subscription, and the others use their account.” (Sam Jones, José Bautista and Hicham Mansouri / The Guardian)
Related: OCCRP, Le Monde, Forbidden Stories, Sri Lankan Guardian
The AI music generation tool Suno scraped millions of songs and lyrics from YouTube Music, Deezer, and Genius, as well as from the stock music libraries Pond5, Jamendo, Freesound, the International Music Score Library Project, and podcasts via RSS feeds, according to a hacker who breached the company and shared data about Suno’s training libraries with 404 Media.
The hacker was also able to access user information for hundreds of thousands of Suno’s customers, as well as Stripe payment information, they said.
The hacked data is a rare look at exactly how AI models and tools are built. Suno is one of the largest AI music generation tools on the internet, and has been the subject of several major lawsuits from the record industry, which accused the company of training on millions of copyrighted songs. As part of these legal proceedings, Suno previously admitted that it was trained on “essentially all music files of reasonable quality that are accessible on the open internet,” which included a total of “tens of millions of recordings.” Suno has been making the argument that it is allowed to train on copyrighted works as fair use in those cases, one of which has been settled. (Jason Koebler / 404 Media)
Related: FirstPost, Pitchfork, Engadget, Gizmodo, TechCrunch, Variety, The Verge, CNET, Music Business Worldwide, 9to5Mac, Tech Times, Digital Music News
The Dutch Police announced the arrest of multiple individuals suspected of being part of an international investment fraud scheme estimated to have tens of thousands of victims.
The group is believed to have operated 20 call centers, with more than 700 people posing as financial advisers. Authorities estimate that the criminal organization at one point made more than 100 million euros ($114 million) per month.
The call centers were located in different places across multiple countries, and each hosted several teams with distinct roles and targeting focuses.
The main suspect is a 46-year-old Israeli-Polish national, who was arrested in Poland on May 26. The man was extradited to the Netherlands and placed in detention for two weeks pending trial.
“Publicly available online information shows that he was previously prosecuted for hacking several prominent foreign government organizations and is said to be a well-known hacker,” the Dutch Politie says.
“He is now suspected of having held an indispensable position within a criminal organization involved in investment fraud.”
Between July 7 and 10, multiple Dutch and Belgian nationals were arrested in Cyprus, Greece, and Belgium for suspected connection to the fraudulent scheme.
The authorities state that additional arrests in relation to this cybercrime organization should not be ruled out.
The modus operandi of the fraudsters involves building trust with victims over extended periods and introducing them to realistic-looking investment platforms that display fictitious profits.
The Dutch authorities linked at least 550 reports of fraud and $28.6 million in reported losses to this criminal organization. Police estimate that there may be tens of thousands of victims worldwide, with most victims in this investigation losing more than €10,000 ($11.4k). (Bill Toulas / Bleeping Computer)
Related: Politie, The Record, Help Net Security, Israel Hayom, NL Times, Ynet News, GBHackers, Dutch News, Cyber Press, The Cyber Express

Researchers at Trend Micro (branded as TrendAI) report that a jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes.
The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists.
Meanwhile, the AI agent did most of the hacking: migrating a botnet from an old architecture to a new one, writing and deploying a new C2 server, and even proactively carrying out 59 unprompted behaviors during the C2 migration.
“Persistence is evolving because of AI,” Tom Kellermann, TrendAI’s VP of AI security and threat research, told The Register.
“That's what you see in this report, with the capacity to shift C2 in less than six minutes dynamically, and make it portable and disposable, which is crazy-cool and terrifying," he added. "But also, you see the rebirth of steganography through invisible prompt injection.” In other words, it's hiding secret data – in this case, the C2 server malicious payloads – in plain sight.
Scanning for known malicious artifacts doesn't provide sufficient protection against AI-enabled C2, according to Kellermann. (Jessica Lyons / The Register)
Related: Trend Micro, Bleeping Computer, GBHackers

Zoom is warning of a critical vulnerability in its desktop client and software development kit for Windows that could be exploited by an unauthenticated party to hijack accounts.
Discovered internally, the security issue is tracked as CVE-2026-53412 and received a severity score of 9.8 out of 10.
In an advisory this week, the messaging platform says that the flaw affects Zoom Workplace for Windows before version 7.0.0, the Windows VDI Client before versions 7.0.10, 6.6.15, and 6.5.18, and the Meeting SDK for Windows before version 7.0.0.
The vendor did not provide any technical details about the flaw in the bulletin, and just described it as an improper input validation issue.
“Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via network access,” reads the security advisory.
To mitigate the risks stemming from CVE-2026-53412, the company recommends that users apply the latest updates. (Bill Toulas / Bleeping Computer)
Related: Zoom, Security Affairs, Hong Kong CERT, Heise Online
Researchers at Zscaler report that threat actors are hijacking Anthropic’s Claude AI platform and Google Ads to trick Mac users into infecting themselves with a dangerous new information-stealing malware called MacSync Stealer, according to Zscaler Threat Hunting.
The infection begins when a victim searches for terms like “claude download” or “claude mac” and clicks a paid Google ad that redirects to a shared Claude chat link, lending the attack instant credibility since it uses claude.ai’s legitimate domain.
The threat actors set their Claude display name to “Apple Support,” so the shared chat appears to be from Apple, making the fake fix instructions look trustworthy.
The chat instructs victims to copy and paste a Base64-obfuscated curl command into Terminal. This classic ClickFix technique first emerged in 2024 and has since become a favorite tool for macOS-focused malware operators.
Running this command triggers a multi-stage infection chain, silently redirecting output to hide any trace of execution while fetching progressively more capable payloads from attacker-controlled infrastructure.
Zscaler traced the campaign, active from June 12 to June 19, 2026, using 22 unique Google Ads campaign IDs and seven search terms related to Claude, including “claude ai,” “claude code,” and even a Chinese-language variant. (Guru Baran / Cyber Security News)
Related: Zscaler, Cyber Press, GBHackers

The UK's online safety regulator Ofcom opened an investigation into TikTok over whether the platform has complied with its duties under the Online Safety Act to protect children from harmful content.
The watchdog's probe will cover concerns raised in its two reports on children's experiences online and age assurance that age inference models used by TikTok, which guess users' ages based on their activity, are not highly effective and may have failed to identify child users correctly.
Under the OSA, platforms must use “highly effective” age assurance to make sure they're not exposing children to harmful content. In its age assurance report published Wednesday, Ofcom said it's concerned about the use of age inference to determine users' ages, and it does not consider that method to be highly effective.
Ofcom can impose a fine of up to £18 million or 10% of worldwide revenue, whichever is greater, if it finds TikTok in breach of the OSA. The regulator said it would provide an update on the investigation in October. (Mizy Clifton / Politico)
Related: The Guardian, Ofcom, The Sun Malaysia, Reuters, Deadline, The Independent, BBC, The Sun, Mirror, TimesLive, Ofcom, ISPreview UK, Mashable, Telecompaper, Anadolu Ajansı
Israel's Neo Security, founded in 2025 by three former executives of Israeli-American cybersecurity firm SentinelOne, is raising more than $50 million in a new funding round.
In its Seed round in 2025, Neo Security raised $25 million, led by Silicon Valley venture capital giant Andreessen Horowitz (a16z) and Merlin Ventures. In the new financing round, which recently closed, the company raised more than $50 million, with Kraft Group joining the investor syndicate. (Meir Orbach / CTech)
Identity security company Oak is stepping out of stealth, backed by $60 million in a seed funding round that it raised late last year.
Accel, Greylock Partners and Charles River Ventures (CRV) led the round with participation from Hetz Ventures, AlphaDrive Ventures, Sharin Fisher Dibrov’s Startpoint Capital, and strategic angel investors. (Anna Heim / TechCrunch)
Related: CTech
Cybersecurity dealmaking is on pace for another banner year as companies race to snap up artificial-intelligence capabilities, a sign the technology is reshaping the industry faster than previous waves of innovation.
The sector recorded 219 mergers and acquisitions in the first half of 2026, putting it on track to surpass last year’s 400 transactions, according to data from investment bank Momentum Cyber. (James Rundle / Wall Street Journal)
Related: Security Week, Axios
Best Thing of the Day: Meta Might Have to Pay Up for Ignoring Its Hacked Users
A proposed class of Facebook users who say Meta failed to protect their accounts from hackers and denied users access to their own accounts after they’d been compromised will likely be able to advance their claims against the tech giant, a federal judge ruled.
Bonus Best Thing of the Day: The US State Department Gets the Smackdown It Deserves
A federal court has pointed out that the only one who engaged in censorship when the Trump Administration denied visas to people who worked in misinformation/disinformation research was, in fact, the Rubio State Department.
Worst Thing of the Day: You Can Run, But You Can't Hide from AI
Employers that once performed cursory internet searches for red flags on job candidates now use AI to dig deeper, more quickly.
Bonus Worst Thing of the Day: Cheapo Wearables Do Not Protect Your Privacy
Most smart watches, rings, and bands lack basic transparency reports and key privacy features.
Closing Thought
