Overwhelmed by vulnerability surge, NIST scales back NVD coverage

US nationals head to prison for aiding fake DPRK IT workers, Anthropic publishes Claude ID verification requirements, New ransomware attacks target S. Korean SMEs, New adware tool delivers system privileges that disable AV protections, Critical flaw in Nginx UI with MCP exploited, much more


Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

The National Institute of Standards and Technology (NIST) announced significant changes to its National Vulnerability Database (NVD), the system that tracks cybersecurity vulnerabilities, admitting that bug submissions are growing exponentially each year.

NIST said it will only add details and information to the records of vulnerabilities that meet a certain threshold, changing a longstanding mission to categorize every CVE (Common Vulnerabilities and Exposures entry).

The agency typically adds descriptions and data, like the severity score of a vulnerability, to the CVE record after it is submitted to the NVD. According to a NIST statement, this task became impossible with the deluge of submissions this year.

“Submissions during the first three months of 2026 are nearly one-third higher than the same period last year. We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions.”

NIST, which runs the NVD, said CVEs that don’t meet the new criteria will still be listed but will not have new information added — a process cybersecurity experts call “enrichment.”

Starting on Wednesday, NIST will only enrich CVEs that appear in a federal catalog of exploited vulnerabilities organized by the Cybersecurity and Infrastructure Security Agency (CISA). Bugs added to the catalog will be enriched within one day of notice from CISA.

CVEs in products used by the federal government and software deemed “critical” will also be enriched by NIST.

NIST said the changes would allow it to focus on the most critical CVEs and continue work while developing “the automated systems and workflow enhancements required for long-term sustainability.” (Jonathan Greig / The Record)

Related: NIST, CyberScoop, Silicon Angle

Two US nationals, Kejia Wang and Zhenxing Wang, have been sent to prison for helping North Korean remote information technology (IT) workers to pose as US residents and get hired by over 100 companies across the country, including many Fortune 500 firms.

They were charged in June 2025 following a coordinated law enforcement action against the Democratic People's Republic of Korea (DPRK) government's fundraising operations led by the US Department of Justice (DoJ).

Kejia Wang was sentenced to 108 months in prison after pleading guilty to his role in the scheme in September 2025, and Zhenxing Wang to 92 months after pleading guilty in January 2026 to conspiracy to commit money laundering and conspiracy to commit wire fraud.

According to court documents, between 2021 and October 2024, the two generated more than $5 million in illicit revenue for the DPRK's government and an estimated $3 million in financial damages to companies that hired North Korean workers who were using the stolen identities of more than 80 US citizens.

As part of their scheme, they created financial accounts, fake websites, and multiple shell companies (e.g., Tony WKJ LLC, Hopana Tech LLC, Independent Lab LLC) to make it appear that DPRK workers were affiliated with legitimate US businesses and collect payments.

Zhenxing Wang also hosted company-issued laptops in homes across the United States to help remote North Korean IT workers access the companies' networks without raising suspicion.

Nine other defendants linked to the same scheme, who were also charged in June 2025, remain at large. The US State Department has announced a reward of up to $5 million for information on the suspects, which can help disrupt illicit activities that support North Korea's weapons of mass destruction (WMD) program. (Sergiu Gatlan / Bleeping Computer)

Related: Department of Justice, CNN, Help Net Security, NK News, The Korea Herald

Fake driver's license and Social Security card. Source: Justice Department.

Anthropic quietly published identity verification requirements for Claude this week, asking certain users to hand over a government-issued photo ID and a live selfie—something its competitors don’t require.

“We are rolling out identity verification for a few use cases, and you might see a verification prompt when accessing certain capabilities, as part of our routine platform integrity checks, or other safety and compliance measures,” Anthropic said. “We only use your verification data to confirm who you are and not for any other purposes.”

Millions of users fled OpenAI for Anthropic in February after OpenAI signed a deal to deploy AI on Pentagon classified networks—a contract Anthropic turned down over concerns about mass surveillance and autonomous weapons. Daily signups broke records, and free users were up 60% since January, Anthropic said at the time. The privacy-conscious crowd had found its home.

That crowd, it seems, may now have some documents to prepare if it wants to continue using Claude. The reactions so far have been quite negative, pointing out that it’s a deliberate decision and not a regulation or a mandatory order imposed by a government on Anthropic as a service provider. (Jose Antonio Lanz / Decrypt)

Related: Claude, Help Net Security, Digit, TechNode, Hacker News, The Times of India, Firstpost, r/ClaudeCode

The Ministry of SMEs and Startups, the Korean National Police Agency, and the Korea Internet & Security Agency (KISA) said on the 16th that new ransomware attacks called "Midnight" and "Endpoint" targeting domestic small and midsize companies had been identified.

The attack is characterized by first breaching information technology (IT) system integration and maintenance firms and then spreading to their clients. While many of the victims were identified as small manufacturing corporations, cases were also confirmed in other sectors, including distribution, energy, and public institutions.

According to analyses by the Korean National Police Agency and KISA, the attackers infiltrated the internal systems of IT maintenance firms by sending malicious emails disguised as quote requests, job applications, or consulting inquiries. When the attachment is executed, a remote-control malware is installed, and internal information and account information are exfiltrated.

The attackers then used the stolen information to send emails impersonating the firms to their clients, and through this, secured access privileges to clients' internal systems and distributed ransomware.

It was confirmed that this ransomware not only encrypts files but also applies a "double extortion" method that involves exfiltrating internal data in advance and threatening to disclose it.

The Korean National Police Agency and KISA distributed a security advisory containing attack techniques and response measures to related agencies and corporations. This advisory is the first time the Korean National Police Agency has issued an official security advisory in cooperation with relevant ministries based on threat intelligence obtained during an investigation. (Park Su-hyeon / Chosun Biz)

Related: Maeil Business, Asia Business Daily, Seoul Economic Daily

Researchers at Huntress report that a digitally signed adware tool has deployed payloads running with SYSTEM privileges that disabled antivirus protections on thousands of endpoints, some in the educational, utilities, government, and healthcare sectors.

In a single day, the researchers observed more than 23,500 infected hosts in 124 countries trying to connect to the operator's infrastructure, with hundreds of infected endpoints present in high-value networks.

They discovered the campaign on March 22, when signed executables viewed as potentially unwanted programs (PUPs) triggered alerts in multiple managed environments.

Huntress researchers say that the software was signed by a company called Dragon Boss Solutions LLC, involved in "search monetization research" activity and promoting various tools (e.g., Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, Artificius Browser) labeled as browsers but detected as PUPs by multiple security solutions.

Huntress warns that, while the malicious tool currently uses an AV killer, the mechanism to introduce far more dangerous payloads onto infected systems is in place, and could be leveraged at any time to escalate the attacks.

Huntress recommends that system administrators look for WMI event subscriptions containing “MbRemoval” or “MbSetup,” scheduled tasks referencing “WMILoad” or “ClockRemoval,” and processes signed by Dragon Boss Solutions LLC. (Bill Toulas / Bleeping Computer)
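A hunting script for the three indicator types Huntress lists, added here as an example (it is not Huntress's own tooling or code from the article). It assumes an elevated PowerShell session on the Windows endpoint being checked; the indicator strings and the signer name are taken from the recommendation above.

```powershell
# Added example: hunts for the three indicator types named in the Huntress
# recommendation. Run in an elevated PowerShell session on the endpoint.
$WmiPatterns  = @('MbRemoval', 'MbSetup')          # from the article
$TaskPatterns = @('WMILoad', 'ClockRemoval')       # from the article
$SignerMatch  = 'Dragon Boss Solutions'            # signer named in the article

function Find-SuspiciousWmiSubscriptions {
    # Permanent WMI event subscriptions live in root\subscription as filters,
    # consumers and the bindings that connect them; dump every property of each
    # instance to text and search it for the indicator strings.
    $classes = '__EventFilter', 'CommandLineEventConsumer',
               'ActiveScriptEventConsumer', '__FilterToConsumerBinding'
    foreach ($class in $classes) {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $inst = $_
                $text = ($inst.CimInstanceProperties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "`n"
                foreach ($p in $WmiPatterns) {
                    if ($text -match [regex]::Escape($p)) {
                        [pscustomobject]@{ Type = 'WMI'; Where = $class; Name = $inst.Name; Indicator = $p }
                    }
                }
            }
    }
}

function Find-SuspiciousScheduledTasks {
    # Match the task path, task name and every action's executable and arguments.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $actions = $task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }
        $blob = (@($task.TaskPath, $task.TaskName) + @($actions)) -join ' '
        foreach ($p in $TaskPatterns) {
            if ($blob -match [regex]::Escape($p)) {
                [pscustomobject]@{ Type = 'Task'; Where = $task.TaskPath; Name = $task.TaskName; Indicator = $p }
            }
        }
    }
}

function Find-ProcessesBySigner {
    # Check the Authenticode signer of every running process image we can read.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -match [regex]::Escape($SignerMatch)) {
            [pscustomobject]@{
                Type      = 'Process'
                Where     = $proc.Path
                Name      = "$($proc.ProcessName) (PID $($proc.Id))"
                Indicator = $sig.SignerCertificate.Subject
            }
        }
    }
}

$hits = @(Find-SuspiciousWmiSubscriptions) + @(Find-SuspiciousScheduledTasks) + @(Find-ProcessesBySigner)
if ($hits.Count -eq 0) {
    Write-Output 'No Huntress-listed indicators found on this host.'
} else {
    # Any hit warrants isolating the host and preserving the WMI and task
    # definitions plus the signed binaries before remediation.
    $hits | Format-Table -AutoSize
}
```

Processes whose image path cannot be read (protected or higher-integrity processes) are skipped, so a clean result from a non-elevated session is not conclusive.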

Related: Huntress, Infosecurity Magazine

Compromise overview. Source: Huntress

Pluto Security reports that a critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication.

The flaw, tracked as CVE-2026-33032, is caused by nginx-ui leaving the ‘/mcp_message’ endpoint unprotected, allowing remote attackers to invoke privileged MCP actions without credentials.

Because those actions involve writing and reloading nginx configuration files, a single unauthenticated request can modify server behavior and effectively take over the web server.

The nginx-ui project released a fix for the flaw in version 2.3.4 on March 15, a day after Pluto Security AI reported it. However, the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, emerged at the end of the month.

The exploitation only requires network access and is achieved by establishing an SSE connection, opening an MCP session, and then using the returned ‘sessionID’ to send requests to the ‘/mcp_message’ endpoint.

Given the active exploitation status and the availability of public PoCs, system administrators are advised to apply the available security updates as soon as possible. The latest secure version of nginx-ui is 2.3.6, released last week. (Bill Toulas / Bleeping Computer)

Related: Pluto Security, Security Affairs, SC Media, Cyber Security News, Cyber Press

Overview of the attack flow. Source: Pluto Security

According to Ukraine's CERT team, a new malware family named ‘AgingFly’ has been identified in attacks against local governments and hospitals that steal authentication data from Chromium-based browsers and WhatsApp Messenger.

AgingFly is a C# malware that provides its operators with remote control, command execution, file exfiltration, screenshot capture, keylogging, and arbitrary code execution.

Based on the forensic evidence, targets may also include representatives of the Defense Forces.

CERT-UA has attributed the attacks to a cyber threat cluster it tracks as UAC-0247.

According to the Ukrainian agency, the attack begins with the target receiving an email purporting to be a humanitarian aid offer, which encourages them to click an embedded link.

After investigating a dozen such incidents, the researchers determined that the attacker is stealing browser data using the open-source security tool ChromElevator that can decrypt and extract sensitive information, like cookies and saved passwords, from Chromium-based browsers (e.g., Google Chrome, Edge, Brave) without needing administrator privileges. (Bill Toulas / Bleeping Computer)

Related: CERT-UA, Security Affairs

Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit.

Dark web watchers spotted the move on Sunday, though 0APT's motive for extorting a fellow criminal outfit remains unclear. The notion seems even more bizarre given that 0APT hypocritically described Krybit in its leak blog post as a ransomware group, and that "such groups pose significant risks to cybersecurity and data privacy worldwide."

"If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and other," 0APT said. "And if you are one of their victims, contact us to get your data unlocked."

Following the standard double-extortion playbook, 0APT leaked a sample of the allegedly stolen Krybit data as a warning shot, threatening a full dump if payment isn't made.

The tactic loses much of its sting when aimed at criminals rather than businesses. Ransomware operators typically rely on the threat of reputational damage to coerce victims, but that leverage evaporates when the target has no reputation worth protecting. (Connor Jones / The Register)

Related: SC Media, Cyber Daily

Adult nightclub giant RCI Hospitality Holdings on Monday disclosed a cybersecurity incident that exposed sensitive personal information.

According to an SEC filing, the company’s RCI Internet Services subsidiary discovered on March 23 that an insecure direct object reference (IDOR) vulnerability in an IIS web server allowed access to personal information.

An investigation concluded earlier this month showed that the incident began on March 19.

The company said the data breach involved unauthorized access to the information of “numerous” independent contractors, including their names, dates of birth, contact information, SSNs, and driver’s license numbers. (Eduard Kovacs / Security Week)

Related: SC Media

Researchers at Kaspersky report that North Korean hacking group BlueNoroff is deploying increasingly sophisticated tactics — including generative artificial intelligence and staged video calls — to infiltrate corporate systems and steal digital assets.

The group has carried out a recent campaign dubbed “SnatchCrypto,” targeting executives in the Web3 and blockchain sectors across at least nine countries, including Japan, Singapore, and Hong Kong.

At the center of the operation is a social engineering scheme in which attackers impersonate venture capital investors and invite targets to what appear to be legitimate Zoom meetings. Instead of live participants, however, the hackers play back previously recorded footage of real individuals — covertly obtained from earlier victims — to create the illusion of a live conversation.

During these sessions, victims are prompted to install what is presented as a software update to fix a technical issue. The installation delivers malware, particularly on macOS systems, allowing attackers to bypass privacy protections and gain access to cameras, microphones, and sensitive files.

A parallel campaign, dubbed “GhostHire,” targets software developers by posing as recruiters. Victims are asked to complete technical assessments using GitHub repositories embedded with malicious code, often under tight time constraints designed to limit scrutiny. (Kevin Lee / The Korea Bizwire)

Related: Gulf Business

Researchers at Barracuda report that, after Europol and other organizations' coordinated operation in March 2026 to disrupt and take down Tycoon 2FA’s attack infrastructure, the phishing gang's activity dropped, only to revive shortly afterwards, even as other phishing kits rushed in to seize the share of the market left vacant by Tycoon 2FA.

Their analysis shows increased campaign activity involving the established platforms Mamba 2FA and EvilProxy, as well as aggressive newcomers such as Sneaky 2FA and Whisper 2FA. It also reveals that these kits have boosted their feature sets and infrastructure maturity, often leveraging tools formerly used by Tycoon 2FA.

Barracuda reports that while the Tycoon 2FA-branded service absorbed the shockwave of the takedown operation, the underlying ecosystem remained viable. For example, Barracuda recently detected a ‘device code’ phishing campaign that leveraged Tycoon’s stand-out features. Code similarities included Tycoon’s signature ‘noise’ of motivational-style comments; in this incident, the comments all begin with the word ‘success.’ (Barracuda Networks Blog)

Source: Barracuda.

President Donald Trump is expected to sign more cybersecurity-focused executive orders in the near future, following the release of his administration’s national cyber strategy, National Cyber Director Sean Cairncross said.

At the Semafor World Economy forum in Washington, DC, Cairncross said, “I think that that's the case, yeah,” when asked about the likelihood of more cyber executive actions from the president.

“There’s more coming and we expect that it will be relatively soon,” he added, without elaborating.

The second Trump administration’s national cyber strategy was unveiled early last month, alongside an executive order focused on “combating cybercrime, fraud, and predatory schemes.” (David DiMolfetta / NextGov/FCW)

Related: Semafor, CyberScoop

According to a report by the Tech Transparency Project, Apple and Google have continued to offer mobile apps that let users make nonconsensual sexualized images of people despite their policies prohibiting such content.

Searching for terms like “nudify” and “undress” in the Apple and Google app download stores gives customers access to software that can be used to alter images of celebrities and others to make them appear nude or in a state of partial undress, according to the group, a research arm of the nonprofit Campaign for Accountability. The companies also run ads for similar nudifying apps in their search results.

Apps identified by the group have been downloaded 483 million times and generated $122 million in revenue, according to the report, which cited revenue estimates from market researcher AppMagic. A spokesperson for AppMagic said the Tech Transparency Project’s work has resulted in several apps being removed and prompted others to change their user policies.

Over the past year, politicians around the world have ratcheted up calls to curb the spread of nudifying apps. Earlier this year, the companies removed apps flagged by the Tech Transparency Project. But just a few months later, dozens of similar ones could be found, researchers from the organization said.

“It’s not just that the companies are failing to actually appropriately review these apps and continue to approve them and profit from them,” Katie Paul, director of the project, said in an interview. “They are actually directing users to the apps themselves.” (Julia Love and Cecilia D'Anastasio / Bloomberg)

Related: Tech Transparency Project, Business Today, 9to5Mac, Engadget, Silicon UK, MediaNama, Digital Trends, Digit, AppleInsider, MacTech.com, r/technology

The app Best Body AI, which came up in an Apple App Store search for “nudify,” removed a woman's top in response to a prompt. Source: Tech Transparency Project.

According to a review of publicly reported incidents by WIRED and Indicator, a publication focusing on digital deception and misinformation, deepfake sexual abuse incidents have hit around 90 schools globally and have impacted more than 600 pupils.

The findings show that since 2023, schoolchildren—most often boys in high schools—in at least 28 countries have been accused of using generative AI to target their classmates with sexualized deepfakes. The explicit imagery, containing minors, is considered to be child sexual abuse material (CSAM). This analysis is believed to be the first to review real-world cases of AI deepfake abuse taking place at schools globally.

Taken as a whole, the analysis shows the worldwide reach of harmful AI nudification technology, which can earn its creators millions of dollars per year. It also shows that in many incidents, schools and law enforcement officials were not prepared to respond to serious sexual abuse incidents.

Across North America, there have been nearly 30 reported deepfake sexual abuse cases since 2023—including one with more than 60 alleged victims, one where the victim was temporarily expelled from school, and others where pupils at multiple schools have allegedly been targeted simultaneously. More than 10 cases have been publicly reported in South America, more than 20 across Europe, and another dozen in Australia and East Asia combined. (Matt Burgess / Wired)

Related: Indicator, Hacker News

Source: Indicator.

Privacy consultant Alexander Hanff says that Google Chrome does not protect against browser fingerprinting despite marketing the browser as having superior safety features.

"There are at least thirty distinct fingerprinting techniques that work in Chrome right now, today, as you read this," Hanff wrote in a recently published critique of Google's browser.

"Not theoretical attacks from academic papers that might work under laboratory conditions – real, production techniques deployed on millions of websites to identify and track you without your knowledge or consent." (Thomas Claburn / The Register)

Related: That Privacy Guy, Forbes, Cyber Security News

Over the course of a two-month investigation earlier this year, MIT Technology Review identified 22 Chinese-, Vietnamese-, and English-language public Telegram channels and groups advertising bypass kits and stolen biometric data.

The software kits use a variety of methods to compromise phone operating systems and banking applications, claiming to enable users to get around the compliance checks imposed by financial institutions, ranging from major crypto exchanges, such as Binance, to name-brand banks like Spain’s BBVA.

“Specializing in bank services—handling dirty money,” reads the since-deleted Telegram bio of the program used by the Cambodian launderer, complete with a thumbs-up emoji. “Secure. Professional. High quality.” Some of the channels and groups had thousands of subscribers or members, and many posted bullet points listing their services (“All kinds of KYC verification services”; “It’s all smooth and seamless”) alongside videos purporting to show successful hacks. 

Telegram says that after reviewing the accounts, it removed them for violating its terms of service. But such online marketplaces proliferate easily, and multiple channels and groups advertising similar tools remain active. (Fiona Kelliher / MIT Technology Review)

Related: r/technews

Cal.com, an open-source startup that builds scheduling infrastructure for developers and enterprises, announced that it’s moving its core codebase behind closed doors, citing growing security concerns tied to advances in AI.

Much has been written about the growing impact of AI on open-source projects, with already time-pressed maintainers battling a barrage of machine-generated “AI slop” masquerading as contributions. But the emergence of AI systems capable of systematically uncovering software vulnerabilities has pushed the conversation in a more serious, security-centric direction.

Anthropic recently unveiled Claude Mythos, an experimental system that it says can identify and exploit vulnerabilities across widely used software — including a 27-year-old flaw in OpenBSD, a security-focused Unix-like operating system long regarded as one of the most hardened in its class. (Paul Sawers / The New Stack)

Related: Cal.com, Implicator.ai, ZDNet

The Trump Administration's Office of Personnel Management announced that it will be expanding its Tech Force hiring program to include opportunities for agencies to hire cybersecurity specialists.

That’s on top of the program’s existing recruitment efforts for software engineers, data scientists, and product managers.

The newly added cybersecurity roles will focus on “protecting critical systems, strengthening federal cybersecurity capabilities and safeguarding the digital infrastructure relied on by millions of Americans,” OPM said in a press release.

OPM’s cyber hiring expansion this week comes amid limited federal job opportunities for early-career employees in the cybersecurity field. Many recent participants in the CyberCorps Scholarship-for-Service program have struggled to find roles in the federal government since the start of the Trump administration. (Drew Friedman / Federal News Network)

Related: OPM

UK Prime Minister Keir Starmer told representatives from the largest US tech companies that they “can’t go on like this” when it comes to online protections for children.

“Companies have to demonstrate credibly and quickly how these products can be made appropriate for children,” Starmer told corporate officials from Facebook and Instagram parent Meta Platforms, Elon Musk’s X, TikTok, Google, and Snap. “If they can’t, it becomes increasingly difficult to argue that these platforms should be part of childhood at all.”

Starmer joins European leaders including French President Emmanuel Macron, Spanish Prime Minister Pedro Sanchez and Danish premier Mette Frederiksen in explicitly calling out social media companies. The British premier’s comments in a meeting alongside Technology Secretary Liz Kendall suggest the UK is preparing to crack down on companies that don’t act to tighten safeguards.

“I will take whatever steps necessary to keep children safe online,” Starmer said in the statement ahead of the meeting. “The consequences of failing to act are stark.” (Rose Henderson / Bloomberg)

Related: BBC News

Cybersecurity startup Artemis has reportedly raised $70 million in Seed and Series venture funding rounds.

Felicis led the round with First Round Capital and Brightmind returning to increase their stakes, and joined by Theory VC, Two Sigma, Lockstep, and prominent cybersecurity industry leaders, including the founders of Demisto and Abnormal AI, the former CEO and CTO of Splunk, and senior executives from CrowdStrike, Palo Alto Networks, Microsoft, and Okta. (Sharon Goldman / Fortune)

Related: CTech, Globes, Tomasz Tunguz, GovInfoSecurity, PYMNTS, Silicon Angle, citybiz, MSSP Alert

Best Thing of the Day: Can't Keep High-Profile Vulnerabilities Secret Forever

Vulnerability researcher Patrick Garrity tracked down the vulnerabilities discovered by Anthropic's Project Glasswing and reports that the publicly attributable impact of Glasswing itself remains limited so far.

Bonus Best Thing of the Day: Holding Companies to Account for Supporting —something

Shareholders in Thomson Reuters demanded that the company’s board launch an investigation into whether its products have contributed to human rights violations, specifically with regard to Thomson Reuters’ ongoing sale of people’s personal data to Immigration and Customs Enforcement (ICE).

Worst Thing of the Day: GOP-Controlled Congress Can't Even Reauthorize FISA

House GOP leaders punted a key procedural vote on a clean reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA), the US's foreign spy powers, as they scramble to woo privacy-focused Republicans angling for a last-minute amendment before the powers expire on April 20.
