Rec Room gift cards in a retail kiosk in Seattle. The social gaming platform, which is shutting down June 1, experienced a previously unreported brute-force attack on its friend-finder feature earlier this year that linked user phone numbers to their online identities. (GeekWire Photo / Todd Bishop)
Someone misused Rec Room’s friend-finder feature to match phone numbers to the user names of hundreds of thousands of players on the social gaming platform — assembling a database that connects their online identities directly to their real-world contact information.
The incident, which took place in January, hasn’t been previously reported or publicly acknowledged except in a brief response by a Rec Room staffer to a question in an online forum. It’s not directly related to the subsequent announcement that the Seattle-based company will shut down the social gaming platform June 1, after 10 years in business.
In messages to GeekWire, a person familiar with the incident expressed concern that Rec Room has never proactively notified users whose phone numbers and user identities were linked through the brute-force attack — leaving them unaware of the situation and vulnerable to harassment, phishing, or other attacks, especially as the platform shuts down.
Responding to our inquiries about the incident, the company acknowledged that it learned in January that an individual was running a high volume of queries against its friend-finder API. After discovering this, the company said, it disabled the feature and banned the user.
Rec Room said it engaged an outside legal and forensics firm to conduct a review, which concluded that disabling the API was sufficient and no regulatory notification was required. The feature only returned a username when matched with a phone number or email, Rec Room said, and did not expose additional account information or credentials.
“We take user safety and security seriously and have robust measures in place to protect user data,” a Rec Room spokesperson said in a follow-up statement, adding that the company “reviewed our privacy settings and confirmed they’re working as intended.”
What happened: The incident didn’t involve someone breaking into Rec Room’s servers or accessing its database directly.
Instead, it happened through the platform’s friend-finder feature, which let players upload their phone contacts to see which of their friends were already on the platform. Under the hood, the system accepted a phone number and returned a Rec Room username if there was a match.
The feature was designed for individual users checking their personal contacts. However, the system had no apparent safeguards to prevent someone from querying it at a massive scale.
That’s what happened in January, according to the person familiar with the matter. Someone systematically ran all US and Canadian phone numbers through the system, collecting every hit. The result, the person said, was a database of nearly 279,000 records.
The database was subsequently sold to others, according to the person familiar with the incident, who said the system used to distribute it was itself not secure, potentially making it accessible to a wider audience.
Rec Room’s response: Asked about the size of the database, Rec Room said it did not recognize the number provided by the source, but did not offer its own count of affected users. Without additional information, it’s unclear if the company has determined the size of the assembled database or the full scope of the incident.
Rec Room said no phone numbers or emails were acquired directly from the company.
Responding to a user question about the incident in the company’s Discord server on Feb. 19, a Rec Room staffer said the platform had previously allowed users to find friends by searching their contacts, and that some users were “abusing this functionality at scale.”
The message said the feature had been disabled “out of an abundance of caution.”
Why it matters now: The company has not proactively notified affected users. Rec Room said its support team has been responding to players who’ve contacted the company after receiving unsolicited texts that were apparently connected to the assembled database.
With the platform now scheduled to shut down June 1, the window for proactive notification is closing. After that date, Rec Room will no longer have an in-app channel to reach its players.
Rec Room’s shutdown itself could increase the risk. An attacker with the database could use the closure to craft convincing phishing messages — for example, a text or email impersonating Rec Room and urging players to click a link to export their data before the platform goes dark. The shutdown would give such a message built-in plausibility.
Phone numbers can also be used to find real names and home addresses through publicly available records, or to attempt SIM swapping, in which an attacker takes over a victim’s phone number to intercept calls, texts, and authentication codes. Users can lock their phone number through their wireless carrier’s app or website, typically with a PIN, to help prevent this.
Privacy settings: One issue in dispute involves Rec Room’s privacy settings. The platform offered users a toggle to prevent others from finding them by phone number or email address.
But the person familiar with the incident said the setting did not protect against the type of mass queries used in the attack. This person said their own data appeared in the database despite having the setting turned off, and provided a screenshot supporting this assertion.
(The person declined to be identified, citing concerns that publishing their name could allow someone to use the data to connect their identity to their home address and other personal details using public records.)
Asked about the privacy setting, Rec Room said it verified that it worked as designed.
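The two safeguards the article describes as missing or disputed, a per-caller volume limit on the friend-finder lookup and a server-side check of each user's discoverability setting, as an added JavaScript example. This is not Rec Room's code: the user directory, the quota numbers, the caller identifiers and the function names are all assumptions chosen for illustration, and the endpoint returns the same "no match" result for a number that is absent and for a number whose owner has opted out, so a caller cannot tell the two apart.

```javascript
// Added example (not Rec Room's code). Constructed directory: phone -> account.
// `discoverable` models the "let others find me by phone number" setting.
const USERS = new Map([
  ["+12065550101", { username: "alice", discoverable: true }],
  ["+12065550102", { username: "bob", discoverable: false }],
  ["+14165550103", { username: "carol", discoverable: true }],
]);

// Assumed limits: a contact upload is small, and one account has no reason
// to probe more than a few hundred distinct numbers per day.
const LIMITS = {
  maxPerRequest: 100,   // contacts accepted in one upload
  maxPerDay: 500,       // distinct numbers one caller may probe per 24h window
  alertThreshold: 400,  // flag the caller to the security team before the hard cap
};
const DAY_MS = 24 * 60 * 60 * 1000;

class FriendFinder {
  constructor(users = USERS, limits = LIMITS) {
    this.users = users;
    this.limits = limits;
    this.usage = new Map(); // callerId -> { windowStart, probed: Set<phone> }
    this.alerts = [];       // what a detection pipeline would receive
  }

  // Usage record for the caller's current 24h window (reset when it expires).
  usageFor(callerId, now) {
    let rec = this.usage.get(callerId);
    if (!rec || now - rec.windowStart >= DAY_MS) {
      rec = { windowStart: now, probed: new Set() };
      this.usage.set(callerId, rec);
    }
    return rec;
  }

  // Match an uploaded contact list against the directory under the limits above.
  match(callerId, phones, now = Date.now()) {
    if (phones.length > this.limits.maxPerRequest) {
      return { ok: false, reason: "too_many_contacts", matches: [] };
    }
    const rec = this.usageFor(callerId, now);
    const fresh = new Set(phones.filter((p) => !rec.probed.has(p)));
    if (rec.probed.size + fresh.size > this.limits.maxPerDay) {
      this.alerts.push({ callerId, at: now, reason: "daily_quota_exceeded" });
      return { ok: false, reason: "rate_limited", matches: [] };
    }
    const before = rec.probed.size;
    for (const p of fresh) rec.probed.add(p);
    if (before < this.limits.alertThreshold && rec.probed.size >= this.limits.alertThreshold) {
      this.alerts.push({ callerId, at: now, reason: "high_volume" });
    }
    const matches = [];
    for (const p of phones) {
      const u = this.users.get(p);
      // Opted-out users are indistinguishable from numbers that are not registered.
      if (u && u.discoverable) matches.push({ phone: p, username: u.username });
    }
    return { ok: true, reason: null, matches };
  }
}

// Demonstration: one caller uploads six batches of 100 constructed numbers
// within a single day and runs into the quota on the sixth.
function sweepDemo() {
  const ff = new FriendFinder();
  const t0 = 1700000000000;
  const reasons = [];
  const matched = [];
  for (let batch = 0; batch < 6; batch++) {
    const phones = Array.from({ length: 100 }, (_, i) =>
      "+1206555" + String(batch * 100 + i).padStart(4, "0"));
    const r = ff.match("caller-1", phones, t0 + batch * 1000);
    reasons.push(r.reason);
    matched.push(r.matches.length);
  }
  return { reasons, matched, alerts: ff.alerts.map((a) => a.reason) };
}
```

In `sweepDemo` the first five batches are served (the second one matches `alice` only, since `bob` has opted out), a `high_volume` alert fires when the caller crosses 400 distinct numbers, and the sixth batch is refused with a `daily_quota_exceeded` alert. The numbers are arbitrary; the point is that the quota is counted per caller over distinct numbers, so splitting a sweep into small uploads or re-sending the same contacts does not buy extra lookups, and that the opt-out is enforced on the lookup path itself rather than in the client.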
Historical precedents: It’s not the first time a social platform has faced this type of incident.
In 2014, an attacker used the same approach against Snapchat’s friend-finder feature, matching usernames to 4.6 million phone numbers. Snapchat was criticized for initially dismissing the vulnerability and took more than a week to apologize, but later acknowledged the breach, updated its app, and let users opt out of the feature.
In 2021, a similar technique was used to assemble a database of phone numbers and personal information from more than 530 million Facebook users. Facebook said it had fixed the underlying flaw in 2019 but declined to individually notify affected users, saying it couldn’t be certain which users needed to be notified.
Rec Room’s approach has more closely resembled Facebook’s: maintaining that the incident did not create a security or privacy risk and that no user data was acquired from its systems.
Rec Room’s user base: Rec Room attracted more than 150 million lifetime players across phones, consoles, PCs, and VR headsets, with millions still active each month before the shutdown was announced.
Rec Room CEO Nick Fajt told the Wall Street Journal in 2021 that the bulk of the platform’s users were between the ages of 13 and 16 — meaning many of the phone numbers in the assembled database would belong to minors or their parents.
The company’s path: Rec Room launched in 2016 as a platform for building and sharing virtual worlds. Founded by a group of former Microsoft engineers, the company went on to raise $294 million in venture funding over its lifetime, and was valued at $3.5 billion at its peak in 2021.
But it never found a way to become profitable, cutting staff in two rounds of layoffs last year.
The person familiar with the matter said last year’s layoffs significantly impacted the company’s cybersecurity team. The company also paused its bug bounty program on the security platform Bugcrowd on Feb. 10, halting new vulnerability reports. The program has not reopened.
After the March shutdown announcement, Snap acquired select assets from Rec Room, and some members of the team joined the Snapchat parent’s hardware subsidiary to work on its Specs augmented reality glasses. It’s not clear if any were impacted in Snap’s cuts last week.
What to know: Rec Room users who linked a phone number to their account should be aware that their number may have been connected to their user name in the assembled database.
Users should be skeptical of any unsolicited texts or emails related to Rec Room or to the upcoming shutdown, particularly messages urging them to click links.
With the platform closing in less than seven weeks, the person familiar with the incident said they hope bringing public attention to the issue will help users be alert to the risks.
Redwood Materials chief operating officer Chris Lister is leaving the battery recycling company to retire, TechCrunch has learned — and he’s not the only executive that recently departed.
Lister, a former vice president who led operations at Tesla’s Nevada Gigafactory, has been with Redwood since late 2023. He started as the company’s chief supply chain officer and was quickly promoted to the COO role in 2024. The promotion put him closer in the org chart to Redwood founder and CEO JB Straubel, who was Tesla’s longtime chief technology officer and currently sits on the automaker’s board.
Redwood Materials recently informed employees that Lister was retiring, according to an employee who was granted anonymity to speak about the announcement. The company confirmed Lister’s departure to TechCrunch on Thursday. “We wish him the best in his retirement,” a spokesperson said via email.
News of Lister’s retirement comes just a few days after TechCrunch revealed Redwood Materials recently laid off around 10% of its workforce, or roughly 135 employees.
Those cuts were part of a restructuring that Straubel told employees about in an email viewed by TechCrunch earlier this week. He said the shuffle will help support the company’s growing energy storage business. Redwood has recently signed deals with automaker Rivian and artificial intelligence company Crusoe to provide refurbished batteries that can be used as grid storage.
Other executives have left Redwood in recent months, too.
Bradley Mayhew, Redwood’s vice president of integrated supply chain and a former Tesla employee, left the company earlier this month, according to LinkedIn. Guillermo Urquiza, Redwood’s vice president of mechanical engineering — and another former Tesla employee — left in March. And Carlos Lozano, the company’s vice president of manufacturing, left earlier this year for a leadership role at Panasonic, according to LinkedIn.
Mayhew, Urquiza, and Lozano didn’t respond to requests for comment. Redwood declined to specifically comment on their departures, but noted that Straubel said in his all-staff email that he is trying to reduce layers of management at the company.
Straubel also told employees in his message that “parts of the company have expanded faster than needed” and that he was “more excited than ever with our path ahead as we build the most integrated and cost-effective critical materials and energy storage business in the world.”
“We are confident that we can deliver on our critical projects with a smaller team that is more focused,” he wrote. “We have successfully adapted to changes in the market that have bankrupted many of our competitors.”
Porsche will start selling an all-electric Cayenne coupe in late summer, the latest signal from the German automaker that it still sees market demand for EVs.
The Cayenne coupe EV — which has four doors, unlike a traditional coupe — will join several other all-electric variants of the SUV when it comes to market later this year, including the base Cayenne Electric, Cayenne S Electric, and Cayenne Turbo Electric. Porsche does, after all, love its variants.
And it could be its most successful. When Porsche introduced a coupe version of its gas-powered Cayenne in 2019, it took just a year for the sportier version of the crossover SUV to capture 20% of sales within the Cayenne lineup. Five years later, the coupe variant accounts for 40% of Cayenne sales, according to Porsche. In some markets, the coupe accounts for as much as 90%.
In other words, the numbers suggest that the all-electric Cayenne coupe is a worthy bet even with its six-figure price tag.
The Cayenne Coupe Electric (as it is officially branded) won’t replace its gas-powered or hybrid brethren, unlike the Porsche Macan compact SUV, which will only be sold as an EV after this year.
The company says the Cayenne coupe EV will be sold alongside the other fuel variants well beyond 2030, according to a Porsche spokesperson. That could produce some valuable data for Porsche on what flavor of Cayenne coupe consumers actually want to buy — and whether this electric variant proves to be its most popular. (The extra front trunk space alone could influence some buyers, not to mention gas prices.)
None of those questions can be answered, however, until the Cayenne Electric, Cayenne S Electric, Cayenne Turbo Electric, and Cayenne Coupe Electric go on sale globally later this year — about nine months after the EV version was first unveiled.
When the Cayenne coupe EV does go on sale, it will be offered in three variants: the base version, an S coupe, and a turbo coupe. (If you think that’s a lot, go check out how many versions of its flagship Porsche Taycan EV exist.)
The Cayenne Coupe Electric starts at $113,800, not including the $2,350 delivery fee. Prices rise from there with the Cayenne S Coupe Electric at $131,200, and the Cayenne Turbo Coupe Electric at $168,000. Consumers can, of course, spend even more by adding on options like the lightweight sport package, which includes a carbon roof, performance tires, and motorsports-inspired interior features.
For that kind of money, consumers will get a lot of horsepower and torque tucked inside a crossover body with a sloping roofline that is reminiscent of the iconic 911. All variants of the coupe EV come with an 800-volt powertrain, air suspension, and a shared roof design that features a new windshield and an adaptive rear spoiler. The Cayenne coupe EV is also equipped with the North American Charging Standard port, or NACS, that Tesla popularized, as well as an additional AC charging port.
From here, some specs change depending on the version a consumer buys. The base coupe EV generates up to 435 horsepower and 615 pound-feet of torque, with a top speed of 143 miles per hour and a zero-to-60 time of 4.5 seconds.
For those who aren’t satisfied, there are two more powerful options that push those performance specs much higher. At the top end, the turbo version generates up to 1,139 horsepower and 1,106 pound-feet of torque — putting it up there with the Tesla Model S Plaid, Lucid Air Sapphire, and Porsche Taycan Turbo GT. The turbo version has a top speed of 162 mph and can travel from 0 to 60 mph in an eye-watering 2.4 seconds.
Porsche hasn’t released EPA estimates for the range these coupe EVs will deliver on a single charge. But early real-world testing is in line with other Cayenne electric variants, which is about 360 miles. Of course, if coupe EV buyers opt for those larger tires — which create more rolling resistance, requiring the battery to work harder — the range could drop about 10%.
A bonus in-cart coupon brings the M5 Pro 14-inch MacBook Pro down to a record low $1,949, but supply is limited at the reduced price.
Save $250 on Apple’s new 14-inch MacBook Pro with M5 Pro – Image credit: Apple
Apple Authorized Reseller B&H Photo is beating Amazon’s price this Friday on the new 14-inch MacBook Pro that was released in March 2026. The standard model, which is on sale for $1,949 in Space Black after a $200 cash discount stacked with a $50 in-cart coupon, features Apple’s M5 chip with a 15-core CPU and 16-core GPU. The laptop is also equipped with 24GB of unified memory and 1TB of storage (up from the standard 512GB found in the M4 Pro line).
Disclaimer: Unless otherwise stated, any opinions expressed below belong solely to the author. Data sourced from the Sensing SG survey by Blackbox Research.
The impact of the war in Iran is being felt by Singaporeans, according to the latest update to the long-running domestic sentiment survey carried out by Blackbox Research on approximately 1500 residents in Apr. The disruption caused by the closure of the Strait of Hormuz, which has led to oil and gas shortages across Asia, is also reflected in higher energy and petrol prices in Singapore.
This, in turn, not only influences the day-to-day transportation costs or electricity tariffs, but the costs of most goods as well, since the country imports almost everything, and all those goods have to arrive by air, road, or, mostly, sea.
It’s hardly a surprise, then, that the cost of living has rebounded as a top national concern, rising from 34% of responses in Q4 2025 to 46% in Q1 2026.
What’s more, according to Blackbox, just 46% of Singaporeans feel better off today than a year ago, which is the lowest reading recorded yet and a sharp drop from 54% in Q4 of 2025.
And optimism about the future is melting equally quickly.
43% of respondents believe that the country will be doing better a year from now (down from 53%), while the share of those who think it’s going to be worse has doubled from just 19% to 38%.
There’s a warning for the government hidden in these statistics, too, as public confidence in the management of cost pressures is sliding already.
While the Government continues to receive high marks for Defence and National Security, which rose by six percentage points to 90%, its performance on Cost of Living has slipped 6 points to 46%.
Other key measures, such as housing affordability, the wealth gap, and GST, have all declined by at least three percentage points.
While a vast majority of the population may be happy with how the country is managed, they do expect the authorities to proactively address crises such as the current one caused by a distant, foreign war. Since the measures announced by PM Wong are only scheduled to be deployed in the coming months, most people haven’t yet felt them in their wallets.
Singaporeans still believe in themselves
Interestingly, the pessimism about the next 12 months in Singapore doesn’t translate into self-doubt: more than half of local residents (52%) still expect to be better off. Although that is down from 59% in Dec, the decline is much smaller than the one in national optimism.
Similarly, just 19% see themselves falling behind over the next year—half as many as those who predict that to be the case for the entire country.
What’s more, in spite of the headwinds caused by the war, 86.3% are satisfied with the current situation in Singapore, 81.4% rate the economic situation positively, and 76.5% are happy with their personal finances.
In other words, while more people are anxious about what the turbulent future might bring, the vast majority are still very comfortable with where they are, and they feel much the same about Singapore as a whole.
In this special episode, Mike and Ben reflect on 100 episodes of the podcast, followed by an important announcement: we’re launching a Patreon and making some changes to Ctrl-Alt-Speech!
Starting on May 28th, Patreon members will get early access to extended weekly episodes with in-depth coverage of an extra major story. The free episodes will continue here on this feed, just slightly shorter and released one day later.
You can become a member now at one of two levels: Supporters get early access to the extended episodes, and for a limited time Founders get that plus the opportunity to send us news stories that you think we should cover each week. After the new episodes begin at the end of May, the Founder tier will become the Insider tier with all the same benefits at a slightly higher price, so act now if you don’t want to miss out (you’ll also get bragging rights as a founding member!)
We’re immensely grateful to the incredible audience we’ve found over these past 100 episodes, and this is our way of helping make the podcast sustainable for the next 100!
Summary: Meta is cutting approximately 8,000 employees (10% of its workforce) beginning 20 May, cancelling 6,000 open roles, and planning additional cuts for H2 2026. The layoffs, announced via an internal memo from HR head Janelle Gale, are structural rather than performance-based, reorganising teams into AI-focused “pods” while Meta spends $115-135 billion on AI infrastructure this year. The cuts arrive alongside executive stock options worth up to $921 million each and a workplace surveillance programme capturing employee keystrokes to train AI agents.
Meta told employees on Wednesday that it will cut approximately 8,000 jobs, roughly 10% of its global workforce, beginning on 20 May. The company is also cancelling 6,000 open requisitions it had planned to fill, bringing the effective headcount reduction to 14,000 positions. Additional cuts are planned for the second half of the year, though their timing and scope have not been finalised. If the second wave matches the first, Meta will have eliminated roughly 20% of its pre-2026 workforce. The memo announcing the cuts was written by Janelle Gale, Meta’s head of human resources, who said the announcement came early because details had already leaked. “We’re doing this as part of our continued effort to run the company more efficiently and to allow us to offset the other investments we’re making,” Gale wrote. “This is not an easy tradeoff and it will mean letting go of people who have made meaningful contributions to Meta during their time here.”
The investments she is referring to cost between $115 billion and $135 billion this year alone. That is Meta’s guided capital expenditure for 2026, a 73% increase over the $72.2 billion it spent in 2025, nearly all of it directed at AI infrastructure. The company is building Prometheus, a one-gigawatt AI supercluster in Ohio coming online this year, and Hyperion, a 2,250-acre, $10 billion facility in Louisiana capable of five gigawatts. It hired Alexandr Wang, the former Scale AI chief executive, as its first chief AI officer in June 2025 through a deal that included a $14.3 billion investment in Scale AI. It is poaching elite AI talent with packages worth up to $1.5 billion for a single engineer. The people being hired are not the same people being fired. That is the point.
The rolling layoffs
The May cuts are the third wave of 2026 layoffs at Meta. In January, the company eliminated more than 1,000 positions in Reality Labs, shutting down several VR game studios and cutting roughly 10% of the division. In March, it cut another 700 employees across at least five divisions, including Reality Labs, Facebook social, recruiting, sales, and global operations. The May round is company-wide and structural rather than performance-based, a distinction Gale’s memo made explicitly. Meta is reorganising teams into AI-focused “pods” and transferring engineers from across the company into the Applied AI organisation. New role categories are being created: “AI builder,” “AI pod lead,” and “AI org lead.” The company’s internal language describes the goal as driving “a step change in engineering productivity and product quality” through “fundamentally rewiring how we operate.”
The cumulative toll since 2022 now exceeds 33,000 jobs. Meta cut 11,000 in November 2022, 10,000 in March 2023, 3,600 in January 2025 (framed as performance-based, though employees with positive reviews were caught in the sweep), and approximately 9,700 across the three 2026 waves. The company ended 2025 with 78,865 employees, up 6% year over year, having rehired aggressively through 2024 and 2025 after the original “year of efficiency” reductions. It is now cutting deeper than it rehired. US workers affected by the May round will receive 16 weeks of base pay plus two additional weeks per year of service, and 18 months of health coverage.
The compensation contrast
Days before the March layoffs, Meta filed SEC disclosures revealing a new stock option programme tied to reaching a $9 trillion market capitalisation by 2031, roughly six times its current valuation. The potential payout: up to $921 million each for chief technology officer Andrew Bosworth, chief product officer Chris Cox, and chief operating officer Javier Olivan, and $787 million for chief financial officer Susan Li. Mark Zuckerberg is not included in the plan. The programme is modelled after Tesla’s Elon Musk compensation structure and is Meta’s first such award since going public in 2012.
The optics are difficult to defend. Stock-based compensation consumed approximately 96% of Meta’s $43.6 billion in free cash flow in 2025. Rank-and-file employees have seen reduced stock compensation in recent years while absorbing successive layoff rounds. The message, whether intended or not, is that the people who survive the cuts will work for less while the people who direct the cuts stand to make nearly a billion dollars each. The $9 trillion target requires Meta’s market capitalisation to grow at roughly 35% annually for five years. If the target is met, the stock appreciation that generates the executive payouts will have been funded in part by the labour cost reductions that the layoffs produce.
The surveillance question
The layoff announcement arrived days after a separate disclosure that sharpened employee anxiety. Meta is installing software on US employees’ work computers under a programme called the “Model Capability Initiative,” which captures keystrokes, mouse movements, and screenshots to train AI agents. Bosworth told employees that “there is no option to opt out of this on your work provided laptop.” The Register reported that employees protested the programme on internal forums. Cornell researchers raised consent and compensation questions about using employee behaviour as AI training data.
The juxtaposition is stark. Meta is asking its remaining employees to generate the training data that will teach AI systems to replicate computer-use patterns, while simultaneously laying off the employees whose patterns the AI will eventually replace. Zuckerberg is building a personal AI agent to handle executive information retrieval and coordination, the same kind of work that middle-management and operational roles traditionally perform. Internal tools called MyClaw and Second Brain are already reshaping how Meta employees interact with the company’s systems. The trajectory is clear: more AI, fewer people, and the people who remain will train the AI that makes the next round of people unnecessary.
The industry pattern
Meta’s cuts landed on the same day Microsoft announced its first voluntary retirement programme in 51 years, offering buyouts to roughly 7% of its US workforce. Oracle eliminated 20,000 to 30,000 employees in March. Atlassian cut 1,600 and replaced its CTO with two AI-focused executives. The tech sector has recorded more than 73,000 job cuts across 95 companies in the first four months of 2026, with projections that the full-year total will exceed the 124,201 eliminated in all of 2025. Every major company cites AI restructuring as the primary driver. The methods differ (Oracle’s was abrupt, Microsoft’s is voluntary, Meta’s is phased), but the direction is the same: traditional roles out, AI roles in, and the spending saved on the former redirected to the latter.
Meta’s Q4 2025 results, the most recent available, showed $59.89 billion in revenue (up 24%), $22.77 billion in net income, and earnings per share of $8.88, beating estimates by 8.4%. Full-year revenue crossed $200 billion for the first time. Q1 2026 results are due on 29 April, with revenue guidance of $53.5 billion to $56.5 billion. The company is not cutting because it is struggling. It is cutting because it has decided that the fastest path to a $9 trillion valuation runs through AI infrastructure, not through the 8,000 people it no longer needs. The question that Gale’s memo does not answer, and that no memo from any tech company this year has answered, is what those people are supposed to do next.
The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects.
According to reports by Socket, JFrog, and OX Security, the malicious package was distributed as version 2026.4.0 and remained available between 5:57 PM and 7:30 PM ET on April 22, 2026, before being removed.
Bitwarden confirmed the incident, stating that the breach affected only its npm distribution channel for the CLI npm package and only those who downloaded the malicious version.
“The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately,” Bitwarden shared in a statement.
“The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data.”
Bitwarden says it revoked the compromised access and deprecated the affected CLI npm release.
The Bitwarden supply chain attack
According to Socket, threat actors appear to have used a compromised GitHub Action in Bitwarden’s CI/CD pipeline to inject malicious code into the CLI npm package.
According to JFrog, the package was modified so that the preinstall script and the CLI entry point use a custom loader named bw_setup.js, which checks for the Bun runtime and, if it does not exist, downloads it.
The loader then uses the Bun runtime to launch an obfuscated JavaScript file named bw1.js, which acts as credential-stealing malware.
(Figure: loader executing the malicious bw1.js file. Source: JFrog)
Once executed, the malware collects a wide range of secrets from infected systems, including npm tokens, GitHub authentication tokens, SSH keys, and cloud credentials for AWS, Azure, and Google Cloud.
The malware encrypts the collected data using AES-256-GCM and exfiltrates it by creating public GitHub repositories under the victim’s account, where the encrypted data is stored.
OX Security says that these created repositories contain the string “Shai-Hulud: The Third Coming,” a reference to previous npm supply chain attacks that used a similar method and text string when exfiltrating stolen data.
(Figure: data exfiltration repository with a “Shai-Hulud: The Third Coming” string. Source: OX Security)
The malware also features self-propagation capabilities, with OX Security reporting that it can use stolen npm credentials to identify packages the victim can modify and inject them with malicious code.
Socket also observed that the payload targets CI/CD environments and attempts to harvest secrets that can be reused to expand the attack.
While it is not known exactly how attackers gained access, Bitwarden told BleepingComputer the incident was linked to the Checkmarx supply chain attack, with a compromised Checkmarx-related development tool enabling abuse of the npm delivery path for the CLI during a limited time window.
Socket told BleepingComputer that there are overlapping indicators between the Checkmarx breach and this attack.
“The connection is at the malware and infrastructure level. In the Bitwarden case, the malicious payload uses the same audit.checkmarx[.]cx/v1/telemetry endpoint that appeared in the Checkmarx incident. It also uses the same __decodeScrambled obfuscation routine with the seed 0x3039, and shows the same general pattern of credential theft, GitHub-based exfiltration, and supply chain propagation behavior,” Socket told BleepingComputer.
“That overlap goes beyond a superficial resemblance. The Bitwarden payload contains the same kind of embedded gzip+base64 components we saw in the earlier malware, including tooling for credential collection and downstream abuse.”
Both campaigns have been linked to a threat actor known as TeamPCP, who previously targeted developer packages in the massive Trivy and LiteLLM supply chain attacks.
Developers who installed the affected version should treat their systems and credentials as compromised: rotate every exposed secret, especially those used for CI/CD pipelines, cloud storage, and developer environments, and, given the exfiltration and propagation methods described above, check their GitHub accounts for unexpected public repositories and any npm packages they maintain for releases they did not publish.
Update 4/23/26: Updated the story with information from Bitwarden confirming the incident was linked to the Checkmarx supply chain attack.
Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication.
The security issue is tracked as CVE-2026-3844, and Wordfence, the security solution for the WordPress ecosystem, has already recorded more than 170 exploitation attempts against it.
The Breeze Cache WordPress caching plugin from Cloudways has more than 400,000 active installations and is designed to improve performance and loading speed by reducing page load frequency through caching, file optimization, and database cleanup.
The vulnerability received a critical severity score of 9.8 out of 10 and was discovered and reported by security researcher Hung Nguyen (bashu).
Researchers at WordPress security company Defiant, the developer of Wordfence, say that the problem stems from missing file-type validation in the ‘fetch_gravatar_from_remote’ function.
This allows an unauthenticated attacker to upload arbitrary files to the server, which can lead to remote code execution (RCE) and complete website takeover.
However, successful exploitation is possible only if the “Host Files Locally – Gravatars” add-on is turned on, which is not the default state, the researchers say.
CVE-2026-3844 affects all Breeze Cache versions up to and including 2.4.4. Cloudways fixed the flaw in version 2.4.5, released earlier this week.
According to statistics from WordPress.org, the plugin has had roughly 138,000 downloads since the release of the latest version. It is unclear how many websites remain vulnerable, though, because there is no data on how many have the Host Files Locally – Gravatars add-on enabled.
Given the active exploitation status, website owners/admins who rely on Breeze Cache to boost performance are recommended to upgrade to the latest version of the plugin as soon as possible or temporarily disable it.
If upgrading is currently not possible, admins should at least disable the “Host Files Locally – Gravatars” add-on, which removes the only known path to the vulnerable function.
Noscroll, a new AI-powered service, aims to solve that by reading the internet for you and texting you only what matters. The pitch is simple: no feeds, no brainrot, just signal.
How does it work?
To get started, you text Noscroll’s AI agent at (415) 718-4828. It sends you a link to connect your X account, which gives it access to your likes, bookmarks, and the accounts you follow.
From there, you tell the bot in plain language the topics you want to follow and the ones you don’t care about. It then pulls information from across the web, including news sites, blogs, Reddit, Hacker News, Substack, research papers, and more. You can even point it to specific sources you want it to monitor.
X has the best information on the internet and the worst incentives & culture.
meet noscroll — the AI that doomscrolls it for you and texts you just the things that matter.
The bot then texts you news digests at whatever frequency works for you. If you are a casual reader, you might want a weekly roundup, while a news aficionado might prefer multiple updates a day.
Each digest includes links and a short summary, but you can always tap through to read the full article. You can also reply to the bot to discuss what you’re reading and tweak your digest.
Who built it and why?
Noscroll was built by Nadav Hollander, former CTO at NFT marketplace OpenSea. He told TechCrunch that his relationship with X inspired the idea. “It’s phenomenally entertaining and really informative in ways you just don’t get from normal media,” he said, but added that the platform is “so toxic culturally.”
He wanted the news without the misery. So he built the tool himself, alongside a friend from the open source world. Noscroll costs $9.99 per month, but you can try it free for seven days. You can find it at Noscroll.com.
United States soldier Gannon Ken Van Dyke has been arrested and charged for placing bets on prediction marketplace Polymarket using classified information he had access to related to the capture of former Venezuelan president Nicolás Maduro. The US Army Special Forces master sergeant, who was directly involved with the planning and execution of the operation, allegedly made $409,881 in profits.
According to the Department of Justice, Van Dyke created a Polymarket account around December 26, 2025 and made 13 bets related to Maduro from December 27 to January 2. He took the “Yes” position on several Polymarket wagers, including “US Forces in Venezuela… by January 31, 2026,” “Maduro out by… January 31, 2026,” “Will the US invade Venezuela by January 31” and “Trump invokes War Powers against Venezuela by… January 31.” The US military captured Maduro and his wife on January 3.
Van Dyke allegedly bet a total of $33,034 and made over ten times that amount from his winnings. He withdrew his money from Polymarket on the day Maduro was captured and then sent it to a foreign crypto vault before depositing it to a new online brokerage account.
Shortly after Maduro’s capture, reports came out about how an anonymous gambler made almost half a million dollars before it was announced, raising concerns that someone had profited off insider military knowledge. The Justice Department says Van Dyke tried to cover his tracks. After reports about the potential insider bets were published, he allegedly asked Polymarket to delete his account, falsely claiming that he lost access to the email he used. He also changed the email address linked to his crypto account to another one not associated with his name.
Van Dyke has been charged with three counts of violating the Commodity Exchange Act, each carrying a maximum sentence of 10 years in prison. He has also been charged with one count of wire fraud, with a maximum penalty of 20 years in prison, and one count of unlawful monetary transaction, with a maximum sentence of 10 years.
Prediction marketplaces have been struggling with insider trading problems, and this is far from the first incident. Recently, Kalshi took action against three political candidates, accusing them of insider trading related to their campaigns. Matt Klein of Minnesota and Ezekiel Enriquez of Texas face a fine of less than $1,000 and suspensions of up to five years. Meanwhile Mark Moran of Virginia faces disciplinary action, a five year suspension and a fine of more than $6,000.