Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

GitHub disclosed that attackers accessed its internal repositories after compromising an employee device through a poisoned Visual Studio Code extension. The company said the activity appears limited to GitHub-owned internal repositories, with the attacker’s claim of roughly 3,800 repositories being “directionally consistent” with its investigation. GitHub also said it found no evidence that customers’ own enterprises, organizations or repositories were impacted.

A phishing campaign exploited a glitch in Robinhood’s account creation process to send phishing emails from the investment platform’s own systems, SecurityWeek reports.

UK residents lost £102 million ($138 million US) to romance scams in 2025, according to a new report from the City of London Police. “Data shows 10,784 reports of romance fraud were made to Report Fraud last year - a 29 percent increase compared with 2024,” the report says. “Police believe this rise is partly driven by increased awareness and confidence in reporting, but it also highlights the ongoing scale and impact of a crime that often unfolds over weeks or months.

Researchers at Guardo Labs are tracking a major phishing campaign that abused Google AppSheet as a relay to send phishing emails. The researchers identified more than 30,000 Facebook accounts that were compromised by this campaign. Since the emails are sent from Google’s legitimate infrastructure, they’re much more likely to land in users' inboxes.

Attackers are abusing the storage and sharing features of Kuse, a free AI app, to assist in phishing campaigns, according to researchers at Trend Micro. Kuse is a legitimate agentic AI platform used by employees to streamline workflows. Users can share files with coworkers, which generates a link hosted by Kuse’s domain. In this case, attackers are abusing the share feature to generate legitimate-looking phishing links.

At the Milken Conference in May 2026, Robert F. Smith, founder and CEO of Vista Equity Partners, described a shift that every security leader should hear. Software, he said, has moved through three states: product, then service and now worker. "That agent, that software, actually does work." Companies that do not make the transition to software as a worker, he was blunt, risk being disintermediated entirely.

A new report from the US Federal Trade Commission (FTC) has found that Americans lost $2.1 billion in 2025 to scams that began on social media. Nearly 30% of people who reported losing money to a scam said it started on social media, far outpacing other modes of contact.

It's getting harder to distinguish legitimate emails from malicious ones as phishing messages mimic real conversations, use trusted domains and increasingly leverage AI to scale and refine attacks. This shift is forcing organizations to rethink how they approach email security. Static controls that rely on known indicators can't keep up with threats that are evolving daily. To close that gap, teams need email security systems with integrated threat intelligence feeds.

Researchers at Bitdefender are tracking 40 separate SMS phishing (smishing) campaigns impersonating transport authorities, toll operators, and parking services around the world. The researchers have observed more than 79,000 scam text messages with over 29,000 unique variants. The attacks are targeting users in multiple languages. “These scam messages are designed to create a sense of urgency and pressure drivers into acting quickly,” the researchers write.