Secret CISO 2/20: IDMerit & Microsoft Breaches, AI Password Risks, PromptSpy Malware, ATM Jackpotting Surge

Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity threats and vulnerabilities that have surfaced. In a world where data is the new currency, the stakes have never been higher, and today's stories are a testament to that.

We begin with a colossal data breach at IDMerit, where billions of records were left exposed due to an unsecured database. This incident underscores the critical importance of robust data protection practices, especially for companies handling sensitive information. Meanwhile, Microsoft finds itself in hot water as a bug in its Office suite allowed confidential emails to be accessed by its AI tool, Copilot, raising questions about the security of AI integrations.

The healthcare sector isn't spared either, as the University of Mississippi Medical Center faces its fourth cyberattack in three years, highlighting persistent vulnerabilities. Across the globe, over 200,000 Australian driver's licenses have been compromised, prompting a reevaluation of data protection measures.

In the realm of AI, a study reveals that many AI bots lack basic safety disclosures, potentially increasing security risks. Adding to the complexity, PromptSpy, a new Android malware, uses generative AI to enhance its execution flow, posing fresh challenges for security professionals.

On the software front, vulnerabilities in popular packages like minimatch and node-tar for JavaScript and Node.js are exposed, emphasizing the need for vigilance in software supply chains. Meanwhile, the FBI reports a rise in ATM 'jackpotting' attacks, where hackers exploit vulnerabilities to steal millions in cash.

As we navigate these turbulent waters, today's newsletter serves as a reminder of the ever-evolving landscape of cybersecurity threats and the relentless pursuit required to safeguard our digital world. Stay informed, stay secure.

Data Breaches

  1. Billions of Records Exposed by Unsecured IDMerit Database: A massive data breach involving IDMerit has resulted in billions of records being exposed. The breach was due to an unsecured database, highlighting significant vulnerabilities in data protection practices. This incident has raised concerns about the security measures employed by companies handling sensitive information. Source: SC Media.
  2. Microsoft Admits an Office Bug Exposed Confidential User Emails to Copilot: Microsoft has acknowledged a security flaw in its Office suite that allowed confidential user emails to be accessed by its AI tool, Copilot. This vulnerability has raised alarms about the security of AI integrations in widely used software, prompting Microsoft to take corrective measures. Source: TechRadar.
  3. UMMC Cyberattack is Fourth to Hit Mississippi Hospital Systems in Three Years: The University of Mississippi Medical Center (UMMC) has suffered its fourth cyberattack in three years, underscoring ongoing vulnerabilities in the healthcare sector. This breach has prompted UMMC to reassess its cybersecurity strategies to prevent future incidents. Source: WLBT.
  4. Hackers Expose Over 200,000 Australian Driver's Licences in Data Breach: A significant data breach in Australia has resulted in the exposure of over 200,000 driver's licenses. The breach has led to increased scrutiny of data protection measures and has prompted the affected company, youX, to enhance its security protocols. Source: Drive.
  5. Millions of Passwords and Social Security Numbers Exposed as Old Hacks Remain a Threat: An investigation has revealed that millions of passwords and Social Security numbers have been exposed due to old data breaches. This highlights the persistent threat posed by outdated security practices and the need for continuous vigilance in data protection. Source: 9to5Mac.

Security Research

  1. AI-generated passwords are a security risk: This research highlights the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-2329. A remote attacker can exploit this vulnerability to execute arbitrary code, posing significant risks to systems relying on AI-generated passwords. Source: Cybersecurity Review.
  2. Most AI bots lack basic safety disclosures, study finds: A study led by researcher Leon Staufer reveals that many AI bots fail to provide essential safety disclosures. This oversight could lead to increased security risks as users may not be fully aware of the potential dangers associated with these AI systems. Source: Tech Xplore.
  3. PromptSpy: First Android malware to use generative AI in its execution flow: Security researcher Lukáš Štefanko discovered PromptSpy, an Android malware leveraging generative AI to enhance its execution flow. This innovation in malware design poses new challenges for security professionals in detecting and mitigating such threats. Source: Help Net Security.
  4. Supply Chain Attack Secretly Installs OpenClaw for Cline Users: Security researcher Henrik Plate uncovered a supply chain attack involving the Cline CLI npm package. The attack uses a post-install hook to secretly install OpenClaw, highlighting vulnerabilities in software supply chains. Source: Dark Reading.
  5. FBI says ATM 'jackpotting' attacks are on the rise, and netting hackers millions in stolen cash: The FBI reports a surge in ATM 'jackpotting' attacks, where hackers exploit vulnerabilities to dispense cash from ATMs. These attacks have become more sophisticated, resulting in significant financial losses. Source: TechCrunch.

Top CVEs

  1. CVE-2026-26996: The minimatch utility for JavaScript is vulnerable to a Regular Expression Denial of Service (ReDoS) in versions 10.2.0 and below. This occurs when a glob pattern with many consecutive wildcards is used, leading to exponential backtracking in V8's regex engine. This vulnerability can cause significant delays or hangs in applications using user-controlled strings. The issue is resolved in version 10.2.1. Source: Vulners.
  2. CVE-2026-26960: The node-tar package for Node.js has a vulnerability in versions 7.5.7 and below, where an attacker-controlled archive can create a hardlink pointing outside the extraction root. This allows arbitrary file read and write, bypassing path protections. The severity is high due to the potential for direct filesystem access. The vulnerability is fixed in version 7.5.8. Source: Vulners.
  3. CVE-2025-30410: Acronis Cyber Protect products are affected by a vulnerability that allows sensitive data disclosure and manipulation due to missing authentication. This impacts various versions across Linux, macOS, and Windows platforms. Users are advised to update to the latest builds to mitigate this issue. Source: Vulners.
  4. CVE-2026-27476: RustFly 2.0.0 has a command injection vulnerability in its remote UI control mechanism. Attackers can exploit this by sending crafted hex-encoded payloads over UDP port 5005, allowing execution of arbitrary operations on the target system, including establishing a reverse shell. Proper sanitization is required to fix this issue. Source: Vulners.
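
For the minimatch and node-tar entries above, a quick exposure check against a package-lock.json (an added example, not code from the newsletter or from either project). The fixed versions are the ones quoted above; node-tar is published on npm as "tar"; the sample lockfile and the function names are constructed for illustration.

```javascript
// Fixed releases as quoted in the CVE entries above; node-tar's npm name is "tar".
const FIXED = {
  minimatch: { cve: "CVE-2026-26996", fixed: "10.2.1" },
  tar: { cve: "CVE-2026-26960", fixed: "7.5.8" },
};

// Compare two plain x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Keys look like "node_modules/a/node_modules/minimatch", so nested copies are found too.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const rule = FIXED[name];
    if (!rule || !meta.version) continue;
    if (compareVersions(meta.version, rule.fixed) < 0) {
      findings.push({ path, name, version: meta.version, cve: rule.cve, fixed: rule.fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/minimatch": { version: "10.2.1" },
    "node_modules/glob/node_modules/minimatch": { version: "9.0.5" },
    "node_modules/tar": { version: "7.5.7" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} < ${f.fixed} (${f.cve})`);
}
```

The check treats every version below the fixed release as affected, matching the "and below" wording above; it knows nothing about fixes backported to older release lines, so confirm flagged entries against the advisory.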

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From the massive data breach at IDMerit to Microsoft's Office bug exposing emails, and the relentless cyberattacks on healthcare systems like UMMC, the need for robust cybersecurity measures has never been more pressing.

We've also seen how AI, while a powerful tool, can introduce new vulnerabilities, as evidenced by the risks associated with AI-generated passwords and the lack of safety disclosures in AI bots. The emergence of threats like PromptSpy and supply chain attacks further underscores the evolving nature of cyber threats.

In the realm of vulnerabilities, the recent discoveries in software like minimatch and node-tar remind us of the importance of keeping systems updated and patched. Meanwhile, the rise in ATM 'jackpotting' attacks highlights the financial stakes involved in cybersecurity.

As we continue to navigate these complex issues, remember that staying informed is your first line of defense. If you found today's insights valuable, please share this newsletter with your friends and colleagues. Together, we can build a more secure digital world.

Thank you for joining us today. Stay vigilant, stay informed, and we'll see you in the next edition of Secret CISO.
