Meta moves to hold NSO in contempt over WhatsApp attacks

UK threatens tech firms over child sexting, Microsoft disables GitHub repositories after AI tool malware attack, Pentagon adds Alibaba, Baidu to China military-linked list, Anthropic says AI can turn vulns into exploits in hours, Check Point fixes critical VPN flaw under active attack, much more

Source: Nokia621.

Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

Each day, Metacurity is read by thousands of cyber leaders, including some of the industry's top CISOs, security architects, practitioners, vendors, analysts, and journalists.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

Meta said it is asking a federal court to hold Israeli spyware firm NSO Group in contempt for violating a permanent injunction that barred it from ever targeting WhatsApp and its users.

The company said its WhatsApp messaging service disrupted new spear phishing attempts linked to NSO, an entity denylisted by the U.S. government for engaging in activities that are contrary to national security or foreign policy interests.

These attempts were similar to previous "1-click phishing campaigns," aiming to trick users into clicking malicious links that direct them to external websites, Meta said in a blog post. "1-click" is a type of cyberattack where a single click on a malicious link or attachment is sufficient to compromise a victim's device or account, without requiring them to enter their credentials.

Meta said WhatsApp took down test accounts and groups created by NSO on its platform. NSO did not immediately respond to a Reuters request for comment. Last year, a US court ordered NSO to stop targeting Meta's WhatsApp, a development the spyware company warned could put it out of business.

Last month, Meta was joined by 12 prominent civil rights organizations and a coalition of security researchers, privacy advocates and digital rights experts, who filed amicus briefs opposing NSO's appeal against the permanent injunction. (Jaspreet Singh / Reuters)

Related: Meta, TechCrunch, SecurityWeek, The Record, Security Affairs, Ars Technica, Financial Times, Axios, iTnews, New York Times, Engadget, CTech, Help Net Security, BleepingComputer, The Register, CyberScoop, Nairametrics, Jerusalem Post, HackRead

Big tech firms operating in Britain must stop children from circulating nude images on their phones, or they will face legislation forcing them to do so, UK Prime Minister Keir Starmer said.

The announcement is Starmer's latest effort to protect children from the harmful impacts of technology. It comes as the Times reported that he is also planning to announce a ban on some social media platforms for those aged under 16.

"Today I'm calling on tech companies operating in this country to introduce device controls that prevent children from sending and receiving sexually explicit images," Starmer said in a speech at London Tech Week. "This is not an impossible challenge." Under the new plans, firms like Apple and Google would have to build or activate technical solutions on smartphones and tablets to detect and block nude images for children.

Adults would still be able to take, share, or view nude content through an age verification process.

If companies did not act within three months, the government said it would bring forward legislation to force them to do so or risk facing fines or, as a last resort, the threat of criminal liability for bosses.

Privacy-oriented messaging app Signal came out strongly against the move. In a statement, Signal said it believes that while the government must keep children "safe" and "protected," it should do so through social services and education, not by "surveillance, funding cuts, and cover-ups."

The company called the plan "dystopian" and warned that it violates everyone's fundamental right to privacy, arguing that scanning on the presumption of nudity will only strengthen the market dominance and data control of giant corporations like Apple and Google. (Paul Sandle and Sam Tabahriti / Reuters and David Uzondu / Neowin)

Related: The Guardian, AppleInsider, Daily Mail, BBC, Miami Herald, The Standard, Politico, Metro.co.uk, Mirror, Reuters, Benzinga, Lawyer Monthly, The Times, GOV.uk, Signal, South China Morning Post, Jurist, UPI, CNET, The Stack, The Telegraph, The Record, The Independent, Neowin

The exact contours of the breach are unclear, but researchers say Microsoft has disabled more than 70 of its own repositories and pointed to a particular package that was previously compromised.

“We have temporarily removed some repositories as we investigate potential malicious content,” Microsoft said.

Last week, cybersecurity website OpenSourceMalware.com, which acts as a clearing house for indicators of supply chain attacks so defenders can secure their own networks and which also publishes its own write-ups, wrote about the mass disabling of Microsoft GitHub repositories.

“GitHub disabled 73 Microsoft repositories across four of its GitHub organizations—the entire Azure Functions org, the whole Durable Task family, and a row of AI sample apps—in a 105-second sweep on June 5,” the website wrote.

Researchers from StepSecurity wrote that the GitHub closures came after a malicious commit was pushed to the durabletask repository. That attack planted configuration files that would harvest people’s credentials when they opened the repository in Claude Code, Gemini CLI, Cursor, or VS Code, StepSecurity wrote.

Hackers from the group TeamPCP previously compromised Microsoft’s durabletask, publishing three malicious versions of the tool in May. TeamPCP has performed a wealth of supply chain attacks in the first half of this year, impacting hundreds of organizations, WIRED reported. (Joseph Cox / 404 Media)

Related: Open Source Malware, Ars Technica, Step Security Blog, TechCrunch, The New Stack, Hacker News, r/cybersecurity, r/pwnhub

Commit message pushed to the durabletask repository.

The Pentagon updated its list of Chinese businesses the US has identified as aiding Beijing’s military, designating around two dozen new companies, including tech giants Alibaba Group and Baidu, and limiting their operations in America.

The list of Chinese military-linked companies, which the Defense Department revises annually, is an expansion from last year, underscoring the view from U.S. national security officials that China leverages its private sector to build and improve military technology. New additions this year include a range of Chinese consumer and tech companies, including electric carmaker BYD, pharmaceutical firm WuXi AppTec and humanoid robotics company Unitree.

Alibaba is a Chinese conglomerate with e-commerce, cloud computing, and other businesses in the U.S., while Baidu is a Chinese internet search and artificial intelligence company.

A spokesperson for the Chinese embassy in Washington said the Pentagon was “overstretching the concept of national security and making discriminatory lists to go after Chinese companies.”

Alibaba, Baidu, BYD and WuXi AppTec said they didn’t belong on the list and were weighing actions to get removed from it. Alibaba said it wasn’t a Chinese military company and wasn’t part of any military-civil fusion strategy. The other three companies made similar statements.

The list’s release, and its inclusion of China’s leading businesses, comes at a notable moment for the Trump administration and its ties to Beijing. Since the fall, the administration has curbed plans to impose penalties on certain Chinese companies, levy hefty tariffs, and investigate China-linked hackers.

This year’s initial list was released in February but was immediately rescinded. The clawback came ahead of President Trump’s meeting last month with Xi Jinping, his Chinese counterpart. Trade between the countries was high on the agenda of the summit in Beijing. (Heather Somerville / Wall Street Journal)

Related: Department of Defense, CNBC, Al Jazeera, NPR, Reuters, Fortune, BBC News, The Guardian, Bloomberg, Washington Post, France24, CNEV Post, Financial Times, South China Morning Post

AI giant Anthropic said its Mythos Preview can now turn newly disclosed software vulnerabilities into working exploits in hours instead of weeks.

This development could dramatically shrink the "patch gap" between a vulnerability's disclosure and widespread patching.

Anthropic's frontier red team tested Mythos against vulnerabilities in Mozilla Firefox and the Microsoft Windows kernel that were disclosed in January and February.

Researchers evaluated bugs disclosed after the models' knowledge cutoff dates to measure how quickly AI could turn public patches into working exploits. Within 31 minutes, Mythos generated its first proof-of-concept exploit for a Windows kernel vulnerability.

In 18 out of the 21 kernel bugs tested, Mythos was able to cause a "blue screen of death." Mythos also created 8 distinct exploits, with the longest exploit taking about 5.7 hours to create. (Sam Sabin / Axios)

Related: The Next Web, Anthropic, Help Net Security, Developer Tech News

Anthropic analyzed 15 SpiderMonkey CVEs in Firefox 148 and 3 in Firefox 149. Three independent trials were run for each model per CVE. Each trial has a budget of three million tokens. A trial's time is the agent's wall-clock from receiving the task to declaring “I am done” or running out of token allowance. For each CVE, they plotted the minimum time to success of its three trials, then sorted CVEs by that time. Source: Anthropic.

Israeli cybersecurity company Check Point released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks.

Tracked as CVE-2026-50751, this vulnerability can be exploited by unauthenticated, remote attackers to bypass authentication on targeted Mobile Access / SSL VPNs, Remote Access VPNs, or Spark firewalls and establish a remote access VPN connection.

According to the company, this security flaw affects only deployments configured to use the deprecated IKEv1 key exchange protocol, with security gateways that accept legacy Remote Access clients and do not require a machine certificate for connections.

The attacks began on May 7, surged in early June, and have affected only "a few dozen" organizations worldwide, with at least one incident linked to the Qilin ransomware operation.

"Check Point Research has identified active exploitation of CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol," the company warned.

The US Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their Check Point Remote Access VPN and Mobile Access deployments against a critical vulnerability exploited in zero-day attacks by Qilin ransomware affiliates. (Sergiu Gatlan / Bleeping Computer and Sergiu Gatlan / Bleeping Computer)

Related: Check Point, CISA, Help Net Security, Hong Kong CERT Coordination Center, Cyber Daily, Infosecurity Magazine, Techzine, Cyber Security News, The Register, Dark Reading


Everyone is racing to adopt AI. But if your security foundation is weak, AI won’t save you — it will amplify the risk.

That’s the core message behind my just-published new book, The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. Rather than treating cybersecurity as a compliance exercise, the book shows how organizations can build resilient security programs grounded in real operational failures and lessons learned.

Wiley is currently offering Metacurity readers a 20% discount with code ENG20. Don't wait! Order your copy today! Email me to find out about bulk purchases for your organization or special customized print runs for your team.


DINUM, the digital affairs directorate of the French government, warned that hackers used a hijacked user account to breach Tchap, the French government's encrypted messaging platform.

Developed in-house by DINUM in collaboration with ANSSI (the French Cybersecurity Agency) in 2018, Tchap is an instant messaging service and collaboration tool based on the decentralized Matrix protocol, designed exclusively for the French public sector.

Tchap has now reached over 300,000 monthly users and over 500,000 downloads on Google's Play Store after Prime Minister François Bayrou mandated the use of Tchap and banned foreign apps for work communications for all civil servants in early August 2025.

DINUM revealed on Monday that ANSSI detected a Tchap breach on Sunday and said that a threat actor gained access to the secure instant messaging platform using a compromised user account.

The French digital affairs directorate has also alerted France's data protection authority, the CNIL, to the incident due to the potential exposure of personal data shared by some users in conversations that the attacker could access, and has alerted all Tchap users, reminding them that public chat rooms are accessible to any user and are not encrypted.

While the DINUM has not shared any further details regarding this breach, a threat actor claimed responsibility for the incident over the weekend, shared a sample of stolen files, and said they gained access to the platform following a social engineering attack.

"I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach; other shards will have more," they said.

They claim to have stolen hardcoded LDAP credentials allegedly leaked via a PowerShell script shared by a French tax authority regional director and over 13.5GB of documents and media files shared by public servants using the Tchap service.

The threat actors also allegedly scraped nearly 650,000 messages and information on over 73,000 accounts, including email addresses, organization information, meeting links, and account and device metadata. (Sergiu Gatlan / Bleeping Computer)

Related: French Government

Tchap breach claims (ThreatMon) via Bleeping Computer.

Ethical hacker Wesley Neelen discovered that cybercriminals have easy access to data from Dutch financial administrators’ poorly secured old email addresses, RTL Nieuws reports.

As a result, the personal data of people with financial problems - a group particularly vulnerable to fraud and exploitation - can easily end up in criminals’ possession.

Financial administrators manage the affairs of people unable to do so themselves, for example, due to debt or an intellectual disability. Hundreds of thousands of people in the Netherlands are under financial administration.

These administrators possess highly sensitive data about their clients, including tax documents, medication data, payslips, doctors' bills, fines, and bills from their telecom provider, with an overview of all calls, much of which arrives via poorly secured email.

Neelen gained access to 258 financial files of people with debts. After that, he closed the mailbox.

The emails he received contained details about people’s private lives. For example, an email from a Rotterdam housing corporation read: “The home is again severely filthy, and the lady appeared confused.” Another contained a death certificate and a last will. (NL Times)

Related: RTL News

The University of Oxford disclosed a new data breach last week after being informed by its third-party provider, Group GTI, that its CareerConnect career services platform had been compromised.

This platform is also used by other UK educational organizations, such as King's College London and the University of Manchester, to run their institution-specific career hubs.

Oxford University said the CareerConnect platform was breached on May 28 by attackers who gained access to users' first names, last names, email addresses, and encrypted passwords (for users who do not sign in using Single Sign-On (SSO)).

"Alumni, research staff and employer users access CareerConnect with a password set locally on CareerConnect. These passwords were invalidated by GTI and users will be asked to reset their password next time they sign in," the university said.

"There is no evidence that course information, uploaded files, appointment information, or financial information were involved in this incident. GTI has stated this breach appeared to be focused on gathering credentials which may lead to phishing attempts."

The institution noted that the incident affected only GTI's third-party system and that there is no evidence that the attack has compromised university systems. Additionally, GTI and the university have found no evidence that students' passwords or financial information have been accessed.

It also warned staff, students, and external CareerConnect users that they might be targeted by phishing or scam emails. (Sergiu Gatlan / Bleeping Computer)

Related: Oxford University, SC Media, TechRadar, The Register, The International News, Cherwell Online

Two hospitals on Japan's northernmost main island of Hokkaido said that information on around 186,000 people was confirmed to be on hard disks sold online, with the potential number of affected people estimated at up to 510,000.

The disks contain information on patients and hospital staff, the Hokkaido Medical Center and Hokkaido Cancer Center said. There have been no reports of unauthorized use of the data or any secondary damage.

The Sapporo-based hospitals, both part of the National Hospital Organization network, had contracted Reprowork Co., a waste disposal company in the city of Ishikari, to dispose of the disks, but said the company may have passed them to a recycling firm without ensuring they were destroyed.

The organization, which manages 140 hospitals nationwide according to its website, filed a criminal complaint with police against the disposal company. (Japan Today)

Related: NHK, Databreaches.net

A major wave of DDoS attacks on media outlet Tempo has disrupted access to one of Indonesia’s leading news websites, with the media outlet reporting millions of malicious requests directed at its servers over several days.

According to Tempo’s technology team, the attacks, which began on June 5, generated an extraordinary volume of fake internet traffic, placing significant pressure on the organization’s servers and temporarily affecting the availability of the website for readers in Indonesia and elsewhere. (Ashish Khaitan / Cyber Express)

Related: Tempo

Apple announced a new feature called Apple Intelligence at WWDC 2026, which can automatically change inadequate passwords.

The tool, which builds on a previous security feature that can identify passwords that are either weak or compromised, can apparently use Apple’s AI to navigate through websites and sign in, allowing Apple Intelligence to “agentically take action on a user’s behalf,” according to Apple.

It then saves the new password in the Passwords app so users don’t have to worry about forgetting it as soon as it’s changed. (James Pero / Gizmodo)

Related: Apple, MacRumors, ByteHaven, 9to5Mac, Bleeping Computer, The Apple Post, ABC News, TechCrunch, Computerworld

The Passwords app can now automatically update eligible accounts to strong passwords. Source: Apple.

The US Federal Trade Commission finalized an order against K-12 software vendor Illuminate Education, directing the company to improve its data security measures and barring it from misrepresenting its data privacy practices or breach notification times after a breach in 2021 impacted the data of more than 10 million current and former students.

The final order, which the FTC said was modified following a period of public comment, comes after the federal agency found that Illuminate, which provides student grading and attendance software, allegedly failed to implement reasonable security controls. These failures, the FTC alleged, were contributing factors in a December 2021 cyberattack on the company, which exposed the personal data of about 10.1 million current and former students across dozens of school districts in several states, including New York City’s large public school system.

In the attack, a hacker allegedly used credentials of a former employee to access the data, which included students’ email and mailing addresses, dates of birth, student records, and health-related information. The FTC also alleged that Illuminate ignored security warnings dating back to 2020, such as those from a third-party vendor about security vulnerabilities on its network. Illuminate’s security woes included failing to implement reasonable access controls that safeguard students’ personal information, effective threat detection and response, vulnerability monitoring, and patch management practices.

Additionally, the FTC claimed the company did not inform some school districts of the breach in a timely manner, with some not notified until two years after the breach.

Instead of a monetary settlement, the agency has directed the company to show that it’s making improvements to its data practices. The order directs the company to establish a comprehensive data security program and to limit the collection and retention of certain consumer data. It also orders Illuminate to delete unnecessary personal data and to make public a data retention schedule along with other records demonstrating compliance. (Keely Quinlan / StateScoop)

Related: FTC, SC Media, Cybernews

Proofpoint researchers report that there's another likely North Korean-linked scam they call UNK_DeadDrop hitting developers and their employers, while gathering credentials and cryptocurrency.

A previously unseen phishing crew, suspected to have DPRK ties, sent more than 250 emails to people working in almost 100 organizations, mostly based in the US, over six weeks in April and May in a bid to steal cryptocurrency wallets and developer credentials.

Like earlier phishing expeditions from the Norks, including the Contagious Interview campaign, this one uses developer recruitment or code review lures to target victims, primarily in technology, education, business services, and financial services, and ultimately steal credentials and cryptocurrency.

In another common tactic seen with DPRK-linked credential-stealing activities, the lures attempt to send victims to attacker-controlled GitHub repositories hosting malicious scripts that execute cross-platform malware across macOS, Linux, and Windows machines. (Jessica Lyons / The Register)

Related: Proofpoint

UNK_DeadDrop emails containing job offers for developer roles. Source: Proofpoint.

Financial technology company SoFi Hong Kong is warning that it suffered a data breach after hackers gained access to a database at a third-party vendor containing customer information.

In emails sent to customers, SoFi said it discovered the incident on April 30, 2026, after detecting unauthorized access to a database of SoFi Securities (Hong Kong) Limited via one of its vendors.

After discovering the incident, they engaged with a third-party cybersecurity firm to respond.

The company says its investigation is ongoing and that it still does not know which specific data may have been exposed. (Lawrence Abrams / Bleeping Computer)

Email sent to SoFi Hong Kong customers. Source: BleepingComputer

Google released emergency updates to patch another Chrome zero-day vulnerability that has been exploited in the wild, the fifth such flaw patched since the start of the year.

"Google is aware that an exploit for CVE-2026-11645 exists in the wild," the company said in a security advisory.

The company fixed the zero-day for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) systems two weeks after an anonymous security researcher reported it to Google.

While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.

Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch. (Sergiu Gatlan / Bleeping Computer)

Related: Google Chrome

The crackdown on scam compounds in Cambodia is leading some gangs to relocate to beach resorts and office buildings in Sri Lanka, in what may be the next phase of one of the world’s fastest-growing criminal industries.

A combination of visa-free travel, available building space, relatively strong telecommunications networks and a well-established informal money transfer system make the South Asian island nation an appealing destination for scammers, investigators say.

Authorities in Sri Lanka have set up a new cybercrimes unit and say they’ve arrested more than 1,000 people this year alone, most in western beach areas where tourists flock or in the capital, Colombo. “Police, along with the immigration department and the central bank, are working as a collective effort to see that this is being controlled,” said assistant police superintendent Fredrick Wootler.

Still, observers say the country has a brief window to get its arms around what are fast-moving and increasingly sophisticated operators. “In Sri Lanka there are issues with implementing our laws, the fact that we don’t necessarily crack down on these companies — they simply use tourist visas,” Dilrukshi Handunnetti, director at the Center for Investigative Reporting Sri Lanka, said. (Rosalind Mathieson and Philip Heijmans / Bloomberg)

One day after WIRED revealed that Meta had quietly embedded an unreleased face-recognition system into an app installed on more than 50 million phones, the company removed it, according to a WIRED analysis of the latest version’s code.

The most recent version of Meta AI, a companion app for its line of smart glasses, strips out the unactivated software components that powered the system Meta internally called NameTag. The version published the day of WIRED’s report included several code libraries explicitly named for face recognition. Friday’s release includes none of them.

Andy Stone, Meta's vice president of communications, told WIRED on Monday that the feature is purely exploratory, adding: “No final decision has been made on what to do here, if anything.” (Dhruv Mehrotra and Dell Cameron / Wired)

A Security, a NYC-based platform fortifying organizations against weaponized AI by discovering and remediating real attack paths, announced it had raised $37 million in funding.

Backers included Lightspeed Venture Partners, Cyberstarts, and angel investors including Wiz CEO Assaf Rapaport, Cyera CEO Yotam Segev, and Cerca Partners. (Lily Mae Lazarus / Fortune)

Related: Jerusalem Post, FinSMEs, Globes, CTech, Lightspeed Venture Partners, VC News Daily, A.Security on LinkedIn

Best Thing of the Day: Sorry for the Employees, But....

Tools for Humanity, the eyeball-scanning startup co-founded by Sam Altman, is laying off employees.

Worst Thing of the Day: Pay Us Twenty Years of Your Income for a Single Night

An unknown hacker breached a budget hotel's system to charge a young school teacher $1 million for a single night's stay.

Closing Thought
