Plankey pulls out after a year-long CISA director confirmation stall

Chinese cyber firm is looking to compete with Anthropic, 100+ companies have cyber intrusion software, OpenAI lobbied US agencies on its new cyber model, Cybercrims hacked phone of Bundestag President, Sri Lanka's Finance Ministry was hacked, Dutch cosmetics giant Rituals was breached, more

Source: DHS.

Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

Donald Trump’s pick to lead the government’s civilian cyber defense agency, Sean Plankey, is withdrawing from consideration after his candidacy languished in the Senate.

Plankey informed Homeland Security Secretary Markwayne Mullin (R-Okla.) and the White House of his intentions on Wednesday, Plankey confirmed.

“After thirteen months since my initial nomination, it has become clear the Senate will not confirm me,” reads a letter Plankey sent to the White House on Wednesday. “While I humbly request the removal of my nomination, I wholeheartedly support President Trump’s upcoming nomination for CISA and look forward to the continued success of the United States of America.”

Trump nominated Sean Plankey to lead CISA in March 2025. He was largely viewed as a stabilizing pick for the agency, and advanced out of the Homeland Security Committee following a low-drama 9-6 vote in July. He was renominated for the role in January alongside a slate of other nominees.

But the GOP Senate majority was unable to achieve the unanimity needed to advance his nomination, largely due to resistance from Sen. Rick Scott (R-Fla.) over a contested Coast Guard shipbuilding project.

Plankey spent most of his time awaiting confirmation as a senior adviser to then-DHS Secretary Kristi Noem on Coast Guard issues. He stepped down from that role shortly before Noem’s departure last month. (John Sakellariadis and Dana Nickel / Politico)

Related: CyberScoop, New York Times, Federal News Network, Nextgov/FCW

Natto Thoughts, a research group focused on Chinese cybersecurity, reports that a large Chinese cybersecurity firm, 360 Digital Security Group, is using artificial intelligence to identify security vulnerabilities in widely used software applications, positioning itself as a competitor to Anthropic PBC.

The company has, in recent months, said it has developed an AI-powered “Vulnerability Discovery Agent” that has uncovered close to 1,000 previously unknown vulnerabilities, including in Microsoft’s Office and in OpenClaw, an open-source framework for building and deploying AI agent workflows.

Earlier this year, Beijing-based 360 said it had developed AI tools that speed the identification of flaws and the construction of so-called exploit chains, which are required to hack into targeted computers, according to the report.

The effort resembles the new AI model from Anthropic, Mythos, which the company says can autonomously uncover and exploit software flaws in popular technologies. The model is so powerful, according to Anthropic, that the company has only released it to a select group of organizations, encouraging them to use it to find and plug their holes before attackers do. The US government is also moving to make some version of Mythos available to federal agencies. (Ryan Gallagher / Bloomberg)

Related: Natto Thoughts

More than half of the world's nation-states are believed to have purchased technology that could be capable of hacking into Britain's infrastructure, companies, and private networks, UK intelligence has found.

The UK National Cyber Security Centre — which is part of the GCHQ intelligence agency — believes around 100 countries have procured cyber intrusion software, suggesting the barrier for states to get their hands on the technology is dropping, the agency said ahead of a discussion about its findings at its CYBERUK conference in Glasgow.

The NCSC said the scope of spyware targets has “expanded” in recent years, with bankers and wealthy executives increasingly under attack. (Mason Boycott-Owen / Politico EU)

Related: TechCrunch, Reuters, r/uknews

OpenAI has been briefing federal agencies, state governments, and Five Eyes allies on the capabilities of its new cyber product over the past week.

OpenAI held an event in DC for approximately 50 cyber defense practitioners across the federal government to demo the capabilities of its new GPT-5.4-Cyber model, which it rolled out under a tiered access program last week.

One source said government applicants are going through the same vetting process as commercial customers who wish to join its Trusted Access for Cyber program.

OpenAI is pursuing a dual-track approach of making one version of its model more widely available with strong safeguards in place, while releasing another, more cyber-permissive version to defenders through the Trusted Access program.

OpenAI Chief Global Affairs Officer Chris Lehane said that approach would allow more companies, like local water utilities, to access advanced AI tools. (Sam Sabin / Axios)

Related: Reuters

Cybercriminals hacked a messaging app on the phone of German Bundestag President Julia Klöckner, the second-highest ranking German official, according to a report by Der Spiegel.

The magazine reported that Klöckner is among the victims of a recent phishing-style cyberattack targeting the messaging app Signal, amid a broader wave of attacks on European politicians in recent months.

The outlet reported that Klöckner was part of a Signal group chat with members of the executive board of the conservative Christian Democratic Union. Chancellor Friedrich Merz is also part of the group, although German domestic intelligence reportedly found no evidence that his phone had been compromised. Der Spiegel also reported that at least one other CDU lawmaker was affected. (Ferdinand Knapp / Politico EU)

Related: Politico EU, Heise Online, Der Spiegel

Sri Lanka's Finance Ministry has said that the computer system of the External Resources Department was hacked by attackers who gained unauthorized access and carried out a theft involving a foreign currency payment.

The Ministry of Finance, Planning and Economic Development on Wednesday said it has already lodged complaints with law enforcement agencies and other relevant institutions regarding the theft. (Press Trust of India)

Related: ADA Derana, News First

Netherlands-based cosmetics giant Rituals has confirmed a data breach affecting customers’ personal information after hackers stole reams of data from its membership database.

Rituals said it identified an “unauthorized download” of members’ data in April that contained customers’ full name, date of birth, gender, postal and email address, and phone number, as well as their preferred Rituals store and account type.

Rituals spokesperson Eline van Malssen said the hacker stole membership data about customers in Europe and the United Kingdom.

Some customers notified by Rituals are based in the United States. The spokesperson confirmed the incident also affects some US customers. (Zack Whittaker / TechCrunch)

Related: Rituals, Security Week, Fashion Network, Heise Online, NL Times, Dutch News

Hanff contends this undisclosed file installation makes Claude Desktop "spyware" and amounts to a violation of European privacy law.

"I want to be blunt," Hanff wrote in a blog post. "This is a dark pattern. It is also, in my professional opinion, a direct breach of Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive) as well as a multitude of computer access and misuse laws (usually criminal law), on a scale large enough to matter, in a vendor which has spent considerable effort on being perceived as the safety-conscious AI lab."

Article 5(3) requires service providers seeking access to a person's data to provide clear details about the data access request and to obtain consent unless access is strictly necessary to provide the service.

Hanff explains that he found the undisclosed file installation while trying to debug another application that used Native Messaging, an API for communicating between Chrome and other applications. Claude Desktop relies on the cross-platform Electron framework, which in turn relies on a bundled version of Chromium. (Thomas Claburn / The Register)

Related: That Privacy Guy

Apple released a software update for iPhones and iPads, fixing a bug that allowed law enforcement to extract messages that had been deleted, or had disappeared automatically, from messaging apps: notifications that displayed the messages’ content were also cached on the device for up to a month.

In a security notice on its website, Apple said that the bug meant “notifications marked for deletion could be unexpectedly retained on the device.”

This is a clear reference to an issue revealed by 404 Media earlier this month. The independent news outlet reported that the FBI had been able to extract deleted Signal messages from someone’s iPhone using forensic tools, due to the fact that the content of the messages had been displayed in a notification and then stored inside a phone’s database — even after the messages were deleted inside Signal. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Apple, 9to5Mac, Forbes, Macworld, Engadget, MacRumors

South Korea's data protection agency said it has fined matchmaking service Duo 1.21 billion won ($815,400) over the leak of its members' sensitive personal information, including their weight, blood type, and whether they were previously married.

The Personal Information Protection Commission said the company failed to implement adequate measures to safeguard its membership database and was slow to take action after its system was hacked last year.

Hackers gained unauthorized access to the company database in January last year and downloaded private personal information of more than 420,000 current and former members. The data also included phone numbers, addresses, schools graduated from, and workplaces, it said.

The commission said Duo also violated regulations on the collection and storage of personal data, such as citizenship ID numbers and passwords, and failed to meet a requirement to delete the information of nearly 300,000 members gathered more than five years ago. (Jack Kim / Reuters)

Related: Times of India, The Korea Herald, The Korea Times, The Chosun Daily, Seoul Economic Daily, Digital Today, Maeil Business, Korea JoongAng Daily, Yonhap News Agency

According to data collected by the Internet Watch Foundation (IWF), 15,031 commercial child sexual abuse sites were found in 2025, compared with 7,028 found in 2024, a 114% increase.

An analyst who worked on the report but did not wish to be named said that this content exists “across all social media platforms” and is “very easy” to find.

“I can find child sexual abuse content, the worst categories, category A content, which is penetration of children as young as babies on any social media platform in as little as one search term and two clicks,” said the analyst. (Sinéad Campbell / The Guardian)

Related: Internet Watch Foundation, Bloomberg

According to researchers at Rapid7, a new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.

Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.

Both variants share the same campaign ID and Tor-based ransom infrastructure, indicating they were deployed by the same ransomware affiliate, who likely sought to maximize impact by encrypting all servers simultaneously.

Bleeping Computer found only one listed victim on the Kyber data extortion portal at the time of writing, which is a multi-billion-dollar American defense contractor and IT services provider. (Bill Toulas / Bleeping Computer)

Related: Rapid7

Kyber ransomware victim extortion portal. Source: BleepingComputer.com

US Cyber Command carried out over 8,000 missions in 2025, its new director, Gen. Joshua Rudd, told the House Armed Services Committee during a hearing.

He said he expects that number to increase through the remainder of 2026. He testified alongside Katie Sutton, the assistant secretary of defense for cyber policy.

The 2025 total is a 25% increase compared to 2024, Rudd added. The figures, which he did not elaborate on, help to underscore how cyber elements are becoming more ingrained in military activities. (David DiMolfetta / NextGov/FCW)

Related: House Armed Services Committee

Researchers at Citizen Lab uncovered two separate spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people’s locations. 

They say these two campaigns are likely a small snapshot of what they believe to be widespread exploitation by surveillance vendors seeking access to global phone networks.

The surveillance vendors behind them, which Citizen Lab did not name, operated as “ghost” companies that pretended to be legitimate cellular providers, and would piggyback their access to those networks to look up the location data of their targets.

The new findings reveal continued exploitation of known flaws in the technologies that underpin the global phone networks. 

One of them is the insecurity of Signaling System 7, or SS7, a set of protocols for 2G and 3G networks that, for years, has been the backbone of how cellular networks connect and route subscribers’ calls and text messages around the world. Researchers and experts have long warned that governments and surveillance tech makers can exploit vulnerabilities in SS7 to geolocate individuals’ cell phones, as SS7 does not require authentication or encryption, leaving the door open for rogue operators to abuse it. 

The newer protocol, Diameter, designed for 4G and 5G communications, is supposed to replace SS7 and adds the security features its predecessor lacked. But as Citizen Lab highlights in this report, there are still ways to exploit Diameter, as cell providers do not always implement the new protections. In some cases, attackers can still fall back to exploiting the older SS7 protocol. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Citizen Lab

Google Cloud unveiled significant updates in its cybersecurity suite, including the debut of new AI-powered security agents along with expanded support on the Wiz platform.

The announcements also included launches of new Wiz capabilities for securing AI-native development and speed gains for agentic-driven security operations.

Google said it is introducing three new AI agents within its Google Security Operations offering in an effort to boost machine-speed cyber defense.

The new Threat Hunting agent is aimed at enabling proactive hunting for previously unknown attack patterns and behaviors, which would have bypassed typical defenses in the past, according to Google Cloud. The Threat Hunting agent is now in preview.

Also in preview is the new Detection Engineering agent, which is capable of identifying gaps in coverage and creating new detections for various threats, according to Google Cloud.

The company’s third agentic announcement is the Third-Party Context agent, which is “coming soon” to preview, Google Cloud said. The agent is able to enrich security operations workflows utilizing contextual third-party data, according to the company. (Kyle Alspach / CRN)

Related: CTech, Google Cloud Blog, iPhone in Canada, Wiz, SiliconANGLE, The New Stack

According to the research conducted alongside Token Security, unchecked AI agents operating on corporate networks caused damage, including data exposure, operational disruption, and financial losses.

The CSA paper warned that the majority of organizations have no strategy set up around decommissioning AI agents, further putting them at risk of cybersecurity incidents.

According to the report, 68% of respondents claim to have high confidence in the visibility of AI agents on their network. However, 82% of all respondents said they have discovered previously unknown agents in the past year.

The most common places for previously unknown AI agents to be discovered were within internal automation environments and large language model (LLM) platforms.

“This gap highlights a distinction between operational visibility and complete governance assurance, limiting the effectiveness of control models that depend on known and bounded agents,” said the CSA report. (Danny Palmer / Infosecurity Magazine)

Related: Cloud Security Alliance, SC Media, Digit, Beta News

Researchers at Forescout Technologies report that serial-to-IP converters are affected by potentially serious vulnerabilities that can expose operational technology (OT), healthcare, and other types of systems to remote attacks.

Serial-to-IP converters, also known as serial device servers, are hardware devices that bridge legacy serial equipment to modern Ethernet/IP networks, allowing old industrial control systems (ICS) and other OT devices to communicate remotely.

Several major companies, including Moxa, Digi, Advantech, Perle, Lantronix, and Silex, make the devices.

Some of these vendors have reported deploying millions of devices, and a Shodan search shows nearly 20,000 internet-exposed systems worldwide. 

“Using open-source intelligence (OSINT), attackers can find details about some of these devices, including internal IP addresses, model and vendor names, and photographs from electrical substations, water treatment plants, and other critical infrastructure environments,” Forescout researchers explained.

In addition to internet-exposed devices, attackers could target serial-to-IP converters on local networks, which can be compromised via vulnerabilities or misconfigurations in edge devices such as routers and firewalls.

Forescout’s research, which focused on Silex and Lantronix devices, led to the discovery of 20 new vulnerabilities across the two vendors’ products, including weaknesses that can be exploited without authentication.

The vulnerabilities, collectively tracked as BRIDGE:BREAK, can be exploited for OS command injection and remote code execution, firmware tampering, denial-of-service (DoS) attacks, and device takeovers.

Some of the flaws can allow attackers to upload arbitrary files, bypass authentication, and obtain information. (Eduard Kovacs / Security Week)

Related: Forescout, SC Media, CSO Online, Industrial Cyber, Security Affairs, Business Wire

More than 50 US Republican legislators have urged South Korea to halt what they describe as a "targeted assault" on American companies, including Coupang Inc., through discriminatory regulations, calling it an "unacceptable" move that could risk helping Chinese firms gain market dominance.

The lawmakers made the call in a letter to South Korean Ambassador to the US Kang Kyung-wha, calling on Seoul to honor its commitment to avoid unnecessary legal and policy barriers in line with the summit agreements reached between the two countries' leaders last year.

However, South Korea pushed back against those claims saying investigations into Coupang are being carried out in line with domestic law regardless of nationality.

A Foreign Ministry official, requesting anonymity, said the government is “fully implementing” its commitment not to subject US digital companies to discriminatory treatment or unnecessary barriers, in accordance with agreements reached by the two countries’ leaders in the South Korea-US Joint Fact Sheet. (Kim Seung-yeon / Yonhap News Agency and Jung Min-kyung / The Korea Herald)

Related: The Straits Times, Korea JoongAng Daily, Hankyoreh, The Korea Times

Three US healthcare organizations — two in Illinois and one in Texas — have disclosed data breaches affecting a total of nearly 600,000 individuals.

The data breach tracker operated by the US Department of Health and Human Services (HHS) was updated this week to add three healthcare-related cybersecurity incidents impacting a significant number of people.

The biggest breach was disclosed by the North Texas Behavioral Health Authority, affecting 285,000 individuals.

The organization, which provides resources for mental health and substance abuse, revealed in March 2026 that it had detected a network intrusion in October 2025. An investigation showed that unauthorized individuals may have accessed and exfiltrated files containing personal information, including SSNs. 

The second healthcare organization for which the HHS disclosed the number of affected individuals this week is Southern Illinois Dermatology, with 160,000 victims. 

The Salem, Illinois-based skincare provider said in a data breach notice that it became aware of a cybersecurity incident in late November 2025. An investigation completed in early March showed that files storing personal information were compromised.

The Insomnia ransomware group listed Southern Illinois Dermatology on its website in February, claiming to have stolen the information of 150,000 patients. The cybercriminals have leaked the data allegedly taken from the healthcare organization’s systems. 

The third significant data breach hit Saint Anthony Hospital, which told the HHS that an email security incident exposed the information of 146,000 people. (Eduard Kovacs / Security Week)

Related: OCR Portal, SC Media

Two data privacy bills introduced in the US Congress would preempt nearly two dozen state laws to create a national standard limiting how tech and finance companies handle user data.

The bills are designed to work together to form a single national standard: the SECURE Data Act focuses on technology companies, and the GUARD Financial Data Act focuses on financial services businesses. House Energy and Commerce Chair Brett Guthrie, R-Ky., and House Financial Services Chair French Hill, R-Ark., are throwing their support behind the bills, likely giving them momentum for first votes to take place next month.

Guthrie said the SECURE Act would “put an end to the confusing state-by-state patchwork of laws that fail consumers and small businesses alike.” He added the measure would be similar to certain bills already passed by states like Kentucky.

In addition to preempting state law, the bills would allow people to access, correct, or delete their personal data as well as opt out of targeted ads and the sale of their data, according to bill text first seen by CNBC.

Neither bill would allow people to sue companies over data privacy violations, something Democratic lawmakers have pushed for in the past in previous data privacy bills. (Emily Wilkins / CNBC)

Related: Financial Services, Energy and Commerce Committees, CyberScoop, IAPP, Politico, The Hill, StateScoop, MeriTalk, Axios, Punchbowl News, Bloomberg Government

Best Thing of the Day: Litigants Demand Better Data Protection

Mercor, a $10 billion startup that hires contractors to provide AI training feedback, has been hit with at least seven class-action lawsuits following a third-party data breach during which Mercor contractor information, ranging from recorded job interviews to facial biometric data and screenshots of workers’ computers, was exposed.

Worst Thing of the Day: Developers Beware of Claude Security Issues

Some cyber experts say Anthropic’s latest Claude models are introducing serious security issues into code.

Closing Thought
