Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity breaches and vulnerabilities that are reshaping the digital landscape. In a world where data is the new gold, today's stories highlight the fragility of our digital fortresses and the relentless pursuit of those who seek to exploit them.

We begin with Coupang's confirmation of a data breach affecting 200,000 accounts in Taiwan, a ripple effect from a larger incident in South Korea. This breach raises critical questions about data security practices in e-commerce platforms. Meanwhile, BookMyForex faces a similar fate, with thousands defrauded due to a major breach, underscoring the urgent need for fortified cybersecurity measures.

CarGurus finds itself in the crosshairs of the notorious ShinyHunters group, compromising 12.5 million accounts and spotlighting the vulnerabilities in automotive marketplaces. Across the globe, New Zealand's health sector grapples with a bizarre breach, renaming patients "Charlie Kirk" and causing chaos in healthcare services.

In what could be the largest breach in U.S. history, Conduent's fiasco exposes millions to potential identity theft, igniting calls for stronger data protection laws. Meanwhile, LinkedIn's ID verification partner, Persona, faces scrutiny over security concerns, prompting a reevaluation of third-party service trustworthiness.

The digital battlefield extends to developers, with self-spreading npm malware posing a new threat in supply chain attacks. AI's prowess in bug detection is tempered by its limitations in fixing them, highlighting the indispensable role of human expertise in cybersecurity.

On the governmental front, the Department of Energy addresses a critical security flaw, while Anthropic's Claude Code Security tool disrupts the cybersecurity industry, revealing deep-seated vulnerabilities and challenging existing industry moats.

Finally, we delve into the technical realm with a series of CVEs affecting major platforms like Apache Superset, NVIDIA Cumulus Linux, and Altec DocLink, emphasizing the importance of timely updates and vigilant security practices.

Stay informed and stay secure as we navigate the ever-evolving landscape of cybersecurity threats and defenses.

Data Breaches

1. Coupang Confirms Recent Data Breach Affected 200,000 Taiwan-Based Accounts: Coupang Inc., a major e-commerce platform, has confirmed a significant data breach impacting 200,000 accounts in Taiwan. The breach, linked to a larger incident in South Korea, exposed sensitive customer information, including names and emails. Coupang has denied any data leak specific to Taiwan, but the incident has raised concerns about data security practices. Source: KBS World
2. BookMyForex Suffers a Major Data Breach; Thousands Defrauded: BookMyForex, a foreign exchange service, experienced a major data breach resulting in unauthorized transactions and fraud affecting thousands of customers. The breach has led to significant financial losses for users, highlighting vulnerabilities in the platform's security measures. The company is under pressure to enhance its cybersecurity protocols to prevent future incidents. Source: The Economic Times
3. CarGurus Data Breach Affects 12.5 Million Accounts: CarGurus, an automotive marketplace, has been hit by a data breach compromising the personal information of 12.5 million users. The breach exposed names, email addresses, phone numbers, and physical addresses, raising concerns about user privacy and data protection. The incident is attributed to the ShinyHunters extortion group, known for targeting large databases. Source: TechCrunch
4. Major Data Hack Sees NZ Patients Renamed 'Charlie Kirk': A data breach in New Zealand's health sector has led to bizarre errors, with patients being wrongly listed as deceased or renamed "Charlie Kirk." The breach has caused significant disruptions in healthcare services, prompting urgent investigations by authorities to rectify the errors and secure patient data. The incident underscores the critical need for robust cybersecurity measures in healthcare systems. Source: 10 News
5. 'Likely the Largest Breach in U.S. History': What You Need to Know About the Conduent Fiasco: Conduent, a business process services company, is at the center of what is being called potentially the largest data breach in U.S. history. The breach exposed sensitive information, including names, social security numbers, and health insurance details, affecting millions. The incident has sparked widespread concern and calls for stronger data protection regulations. Source: Gizmodo

Security Research

1. LinkedIn ID verification partner Persona under fire for security concerns: A researcher from The Local Stack has raised potential data collection issues with LinkedIn's ID verification partner, Persona. This has prompted companies like Discord to reconsider their use of the system, highlighting the importance of scrutinizing third-party services for security vulnerabilities. Source: Social Media Today.
2. Self-spreading npm malware targets developers in new supply chain attack: Security researchers have discovered a new supply chain attack involving 19 typosquatting npm packages. These packages were published on npmjs.com, posing a significant threat to developers by potentially spreading malware through their projects. Source: Help Net Security.
3. AI gets good at finding bugs, not as good at fixing them: While AI has shown proficiency in identifying bugs, security researchers argue that its ability to fix them is still lacking. This highlights the ongoing need for human oversight and expertise in the software development and security process. Source: The Register.
4. DOE Fixes Critical Mineral Portal Identity Verification Flaw: The Department of Energy (DOE) has addressed a security flaw in its critical minerals portal after it was disclosed by a security researcher. This fix underscores the importance of continuous security assessments and prompt remediation of vulnerabilities in governmental systems. Source: ExecutiveGov.
5. Anthropic's “Claude Code Security” Triggers Cybersecurity Flash Crash as AI Upends Industry Moats: Anthropic's Claude Code Security tool has caused a significant disruption in the cybersecurity industry by rapidly identifying deep-seated vulnerabilities in source code. This development showcases the transformative potential of AI in cybersecurity, but also raises concerns about the stability of existing industry structures. Source: Market Minute.

Top CVEs

1. CVE-2026-23982: An Improper Authorization vulnerability in Apache Superset allows low-privileged users to bypass data access controls by overwriting SQL queries of existing datasets. This affects versions before 6.0.0, and users are advised to upgrade to version 6.0.0 to mitigate the issue. Source: Vulners.
2. CVE-2025-33181: NVIDIA Cumulus Linux and NVOS products have a vulnerability in the NVUE interface that allows low-privileged users to inject commands, potentially leading to privilege escalation. Source: Vulners.
3. CVE-2026-23984: Apache Superset has an Improper Input Validation vulnerability that allows authenticated users with SQLLab access to bypass read-only verification checks on PostgreSQL database connections. This affects versions before 6.0.0, and upgrading to version 6.0.0 is recommended. Source: Vulners.
4. CVE-2024-56373: A vulnerability in Apache Airflow 2 allows DAG Authors to execute arbitrary code in the web-server context, potentially leading to remote code execution. The issue is mitigated by disabling the log template history functionality by default in version 2.11.1, with an upgrade to Airflow 3 recommended. Source: Vulners.
5. CVE-2026-26222: Altec DocLink exposes insecure .NET Remoting endpoints, allowing remote attackers to read arbitrary files and potentially execute unauthenticated remote code. This affects version 4.0.336.0, and users should take measures to secure their systems. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From Coupang's data breach affecting thousands in Taiwan to the massive Conduent fiasco in the U.S., these incidents remind us of the critical importance of robust cybersecurity measures. Meanwhile, the rise of AI in identifying vulnerabilities, as seen with Anthropic's Claude Code Security, offers a glimpse into the future of cybersecurity innovation.

We've also highlighted the ongoing need for vigilance in software development, as demonstrated by the self-spreading npm malware targeting developers. The vulnerabilities in platforms like Apache Superset and NVIDIA Cumulus Linux further emphasize the necessity for continuous updates and security assessments.

In a world where data breaches and security flaws are becoming increasingly common, sharing knowledge and staying informed is more important than ever. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a community that prioritizes security and stays ahead of emerging threats.

Thank you for joining us today. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO!