Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
A new phishing-as-a-service (PhaaS) platform dubbed “ARToken” appears to operate as an affiliate of the EvilTokens phishing platform, giving researchers a glimpse into an extensive toolkit designed to compromise Microsoft 365.
Cisco Talos researchers discovered the platform while investigating phishing infrastructure used in an incident response engagement and identified a React-based management panel called “ARToken Panel” that exposed more than 80 API endpoints.
Reverse engineering the client-side JavaScript code revealed previously undocumented capabilities that extend well beyond what you would normally find in a phishing platform.
The platform allows attackers to steal Microsoft 365 authentication tokens, establish persistent access using Primary Refresh Tokens (PRTs), and access Outlook mailboxes, SharePoint sites, and OneDrive files. It also includes tools to deploy phishing infrastructure through Cloudflare Workers and automate many aspects of business email compromise (BEC) operations.
According to Talos’ report, multiple technical similarities strongly suggest ARToken is tied to the EvilTokens phishing platform discovered earlier this year.
The researchers found the ARToken phishing kit uses the same API calls for Microsoft’s device code authentication flow, including an identical `POST /api/device/start` request previously associated with EvilTokens attacks.
Talos also identified the same primary refresh token API endpoints documented in Sekoia’s EvilTokens research, including the endpoints for setting up, refreshing, renewing, and reacquiring Primary Refresh Tokens, even after they expire.
The platform also uses a similar Cloudflare Workers deployment model and operates as a multi-tenant phishing service, in which affiliates manage their own campaigns through dedicated workspaces.
EvilTokens focuses heavily on exploiting Microsoft’s OAuth 2.0 Device Authorization Grant authentication workflow to breach accounts, a technique known as device code phishing.
Victims are tricked into entering a legitimate Microsoft-issued device code on Microsoft’s official device login page, causing Microsoft to issue authentication tokens directly to the attacker instead of the victim. Because the victim authenticates through Microsoft’s legitimate infrastructure, the attacks can successfully bypass multi-factor authentication protections.

Sekoia first documented the EvilTokens platform in March, describing it as a commercial phishing service sold to cybercriminals for a $1,500 setup fee and a $500 monthly subscription.
In a follow-up report, Sekoia found an AI-driven workflow that ingests harvested mailboxes to score financial exposure, then uses AI and LLMs to draft BEC campaigns and translate stolen emails for operators working in other languages.
Microsoft later warned about the platform as device code phishing attacks surged dramatically, and numerous threat actors adopted the technique due to its high success rate against Microsoft 365 users.
What sets EvilTokens apart from other device code phishing kits is its use of AI to automate fraud.
Talos’ report provides a detailed overview of the functionality available to EvilTokens affiliates following a successful account compromise.
Once a victim completes the device code authentication process, ARToken allows operators to refresh stolen tokens and elevate access to persistent primary refresh tokens (PRT).
The researchers also found tools for conducting business email compromise attacks, including full Outlook mailbox access and the ability to send emails as compromised users, create inbox rules that automatically forward or hide messages, monitor multiple mailboxes for keywords simultaneously, and download email attachments.
Attackers can also browse, upload, download, and manage files stored in victims’ SharePoint sites and OneDrive accounts, enabling data theft and the delivery of malware for additional attacks.
ARToken also revealed several features not identified in previous EvilTokens research.
Threat actors can monitor multiple hijacked mailboxes simultaneously for specific keywords, load tokens stolen from other sources, and share access to compromised accounts.
They can also quietly set up inbox rules that hide or delete messages to cover their tracks, and use phishing pages that automatically update their content based on the victim’s location.
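As an added defender-side illustration (not code from Talos, Sekoia or the kit itself), the Python below triages two signals the article describes: successful sign-ins that used the device code grant, and inbox rules that forward, delete or bury mail, created by the same user shortly afterwards. The log records are constructed for this example, and their field names are an assumption modelled on the Entra ID sign-in log and the Exchange Online unified audit log.

```python
"""Triage for device-code phishing follow-on activity (added example, not Talos/Sekoia code)."""
from datetime import datetime, timedelta

# Constructed sample records. Field names are an ASSUMPTION modelled on the
# Entra ID sign-in log (authenticationProtocol, status.errorCode) and the
# Exchange Online unified audit log (Operation, Parameters); values are invented.
SIGNIN_LOGS = [
    {"createdDateTime": "2026-06-30T08:02:11Z", "userPrincipalName": "ap.clerk@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.45",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-30T08:10:00Z", "userPrincipalName": "jdoe@example.com",
     "authenticationProtocol": "authorizationCodeFlow", "ipAddress": "198.51.100.7",
     "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-06-30T09:30:00Z", "userPrincipalName": "ops@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.99",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 50126}},  # failed: no token issued
]
AUDIT_LOGS = [
    {"CreationTime": "2026-06-30T08:15:42Z", "Operation": "New-InboxRule",
     "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-06-30T11:00:00Z", "Operation": "New-InboxRule",
     "UserId": "jdoe@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2026-07-03T08:15:42Z", "Operation": "New-InboxRule",
     "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "fwd"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
]

# Rule parameters that send mail outside the mailbox, and folders typically used to bury it.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def successful_device_code_signins(records: list[dict]) -> list[dict]:
    """Sign-ins that completed the OAuth 2.0 device authorization grant (the phished flow)."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]


def rule_risk(record: dict):
    """Classify a New-InboxRule audit record as 'exfil', 'hide', or None when it looks benign."""
    if record.get("Operation") != "New-InboxRule":
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if EXFIL_PARAMS.intersection(params):
        return "exfil"
    if params.get("DeleteMessage") == "True":
        return "hide"
    folder = params.get("MoveToFolder", "").lower()
    unnamed = params.get("Name", "x").strip(".- _") == ""  # rules named "." or "-" are a classic tell
    if folder in HIDING_FOLDERS or unnamed:
        return "hide"
    return None


def correlate(signins: list[dict], audit: list[dict], window_hours: int = 48) -> list[dict]:
    """Pair each risky inbox rule with a device-code sign-in by the same user within the window."""
    alerts = []
    device_code = successful_device_code_signins(signins)
    for rec in audit:
        risk = rule_risk(rec)
        if risk is None:
            continue
        created = _ts(rec["CreationTime"])
        for s in device_code:
            if s["userPrincipalName"].lower() != rec["UserId"].lower():
                continue
            delta = created - _ts(s["createdDateTime"])
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                alerts.append({"user": rec["UserId"], "risk": risk, "signin_ip": s["ipAddress"],
                               "minutes_after_signin": int(delta.total_seconds() // 60)})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNIN_LOGS, AUDIT_LOGS):
        print(alert)
```

With the default 48-hour window only the hiding rule created 13 minutes after the device-code sign-in is paired; the forwarding rule three days later is still flagged by `rule_risk` but only correlates once the window is widened.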

Talos also analyzed phishing emails associated with the platform, finding that attackers impersonated legitimate vendors in invoice-themed lures targeting accounts payable employees.
Rather than linking to an obviously attacker-controlled site, the emails display what appears to be a legitimate SharePoint address while actually directing victims to a look-alike tenant hosted within the attacker’s Microsoft 365 workspace.
In April, Push Security reported that device code phishing attacks had surged 37-fold over the past year, with at least 11 phishing kits now offering this technique to cybercriminals.
For organizations looking to defend against modern Microsoft 365 phishing attacks, business email compromise (BEC), and account takeovers, BleepingComputer is hosting a webinar with Abnormal titled “Stop chasing alerts: Automating email security with behavioral AI.”
The webinar will explore how attackers use techniques such as device code phishing to bypass MFA and compromise accounts, why these attacks evade traditional email security controls, and how behavioral AI can help security teams automate the detection, investigation, and remediation of phishing and compromised account activity.

Seattle-based Overland AI has landed a U.S. Marine Corps contract to produce autonomous ground vehicles, a milestone the defense-tech startup says makes it the first ground autonomy company to serve as the prime contractor on a military production deal.
The nearly $20 million agreement — $19.7 million, according to the Department of War — calls for Overland to deliver more than a dozen autonomous ground vehicles, along with the software that runs them. Initial deliveries are expected to begin sometime in early 2027.
The agreement was announced June 29. The vehicles will work with a Marine Corps system that shoots down enemy drones. Overland’s vehicles will initially handle resupply for those crews rather than replace any existing vehicles, co-founder and CEO Byron Boots said in a media briefing, as reported by trade publications DefenseScoop and Defense One.
Boots is a University of Washington machine-learning professor who leads the school’s Robot Learning Laboratory and is the Amazon Professor of Machine Learning at the UW’s Allen School of Computer Science & Engineering. He co-founded Overland in 2022 with Stephanie Bonk, the company’s president, spinning it out of the UW.
The company’s technology is designed to let military vehicles drive themselves across rough, off-road terrain in places where GPS isn’t available.
Overland has grown to more than 100 employees and raised over $140 million in venture funding, including a $100 million round in February led by the venture firm 8VC. It opened a 22,000-square-foot production facility in Seattle last year, and ranks No. 9 on the GeekWire 200, our index of the top privately held Pacific Northwest tech companies.
The company isn’t alone in chasing military ground autonomy. One of its rivals, Maryland-based Forterra, won a larger, $92 million Marine Corps production deal earlier in June — but as the autonomy supplier under prime contractor Oshkosh Defense, rather than holding the contract itself. That’s the distinction Overland is claiming as a first.
Overland’s deal came through a Pentagon program called APFIT — short for Accelerate the Procurement and Fielding of Innovative Technologies — which fast-tracks funding to move promising technology from prototypes into production. For Overland, it marks a step from testing and demonstrations into building vehicles at scale for the military.
“We’re registering extremely high demand from U.S. operational units who want to incorporate this technology into their concepts of operation,” Boots said in the briefing, pointing to the war in Ukraine as evidence of a growing role for uncrewed vehicles.
Overland has been working for years with the Army, Marine Corps and Special Operations Command, also completing a multiyear DARPA autonomy program. The new contract builds on recent work integrating its self-driving technology into Marine Corps vehicles.
Anthropic’s most advanced publicly available Claude model is still leaving standard subscription access after July 7, but the company is now trying to calm fears that the move is permanent.
Fable 5 recently returned to Claude after drawing scrutiny from the U.S. government. Anthropic said it would be included on Pro, Max, Team, and select Enterprise plans for up to 50% of weekly usage limits through July 7. After that date, the model is set to move to usage-credit billing, meaning users will pay for access outside their regular plan limits.
That raised an obvious concern. Is Fable 5 becoming a paid add-on for good? A Claude Code lead engineer has now clarified that Anthropic does not intend to keep Fable 5 as a permanent paid add-on.
In a post on X, the engineer said Anthropic has heard questions about Fable’s availability on subscription plans. While Fable 5 will come off subscriptions after July 7, Anthropic aims to restore it as a standard part of subscriptions “as soon as capacity allows.”
That lines up with what Anthropic said earlier. In its original blog post, the company said demand for Fable 5 would likely be “very high, and difficult to predict,” so it was taking a more cautious approach to subscription access.
Switching to usage-credit billing may be disappointing for subscribers, but it does not come as a surprise. Anthropic has been facing sustained demand for Claude for some time, and the popularity of Fable 5 seems to have made things even harder to manage.
A couple of months ago, the company announced a deal with SpaceX to use all of the compute capacity at the Colossus 1 data center, adding more than 300 megawatts of capacity and over 220,000 Nvidia GPUs.

That extra capacity has already led to visible changes across Claude. Anthropic has doubled Claude Code’s five-hour rate limits, removed peak-hour limit reductions for Claude Code on Pro and Max accounts, and expanded API rate limits.
Even with that added capacity, Anthropic still appears to be having a hard time keeping up with demand for Fable 5. Subscribers can only hope the company sticks to its word and brings the model back to regular subscription plans when capacity allows. Until then, anyone who wants continued access after July 7 will need to move to usage-credit billing.
Sony just dropped exciting news for fans of its versatile bridge cameras — a new RX10 camera will be revealed next week.
The teaser on Sony’s Instagram reveals a surprising amount of detail, including the release date plus a silhouette of the next RX10, from which we can glean some information about its lens.
Perhaps the most surprising part of all is that Sony is launching a new RX10 in the first place. Its most recent bridge camera was the Cyber-Shot RX10 IV, which was released all the way back in 2017 and has been discontinued for more than two years.
The RX10 IV is still regarded as the best bridge camera available, which tells you everything you need to know about this space, which has been largely dormant for years, save for a tired Lumix re-release and the occasional cheap Kodak model.
Despite the RX10 IV’s skills, we can only hope that Sony has a little more in store for the next RX10, because an upgrade on the mark IV could be super interesting. The teaser (below) gives us a little snippet of what we can expect.
The most obvious point to note is the release date, which will be July 9 at 7am PT / 10am EDT / 3pm BST. I predict that putting a Sony bridge camera back in stores will be a popular move, especially among enthusiast wildlife photographers desiring a versatile telephoto lens in a lightweight setup.
Otherwise, there’s one little clue, and that’s the part of the teaser when the lens is extending upwards. We can’t see the focal length of the lens, but we can see the aperture range, which is f/2.4 to f/16.
That aperture range is identical to the RX10 IV, which features a 25x optical zoom with a 24-600mm focal length range. The other details in that lens silhouette also look the same as those in the RX10 IV; the Vario Sonnar T* and twin control rings.
It’s harder to glean much else from the teaser — the silhouette of the camera body looks similar to the one before it, but it could very well be different.
We won’t have long to wait to find out more, with the next RX10 coming in less than a week.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Most verticals aren’t clean, well-oiled SaaS databases; the reality is ugly documents, proprietary schemas, implicit workflows, and long‑running tasks that most general-purpose models struggle with.
This prompted construction project management company Trunk Tools to build a specialized, three-layer architecture — perception, semantics, agents — based on highly-detailed data to support high-accuracy, highly-relevant industry automation.
Their purpose-built stack has shrunk review cycles from months to days, prevented costly field errors, and given autonomous agents the ability to reason over millions of pages of documentation, Trunk says.
“We really set out to take the data from dispersed systems, pre-process it, structure it, go through our ontology into a knowledge graph, and then train AI models,” said Sarah Buchner, Trunk’s founder and CEO and a former carpenter.
For builders in other verticals, Trunk’s approach could serve as a blueprint for transforming data chaos into agent‑ready, industry-specific workflows.
Foundation LLMs, while powerful, are optimized for breadth, not always depth.
“General-purpose LLMs are trained to be okay at everything, so they’re weak at anything niche,” said Kriti Faujdar, a senior product manager working in AI infrastructure, agentic AI, security, and LLM platforms. Examples include rare terms, domain-specific reasoning, and the unspoken context that any practitioner “just knows.”
Web, app, and software developer Sébastien De Bollivier agreed that the biggest bottleneck is reliability on data that is “jargon-dense, abbreviation-heavy, and format-specific.”
“A GPT-4-class model can understand a French legal contract, but will fumble the specific article references practitioners need to cite,” he said.
Besides, the most valuable enterprise data never made it into pretraining anyway, Faujdar pointed out. It’s sitting in internal systems and proprietary formats. “RAG helps a little,” she said. “But it’s just giving better facts to a model that still can’t reason properly in the domain.”
Pre-training on domain data is critical; enterprises should then fine-tune on good task examples and build their own evals. “A few thousand examples from real practitioners beats millions of scraped, noisy ones,” Faujdar said.
Mixture-of-experts (MoE) can provide specialization without inference costs blowing up. Pairing RAG with fine-tuning also works well: RAG handles the factual long tail, while fine-tuning fixes vocabulary and reasoning.
De Bollivier pointed to the advantage of hybrid stacks: A general-purpose model for reasoning and orchestration, a smaller fine-tuned model (or dense retrieval over a curated corpus) for domain-specific extraction. He advised: “Don’t fine-tune to make the model ‘smarter’ about a domain, fine-tune to make it more reliable on the specific output format your workflow requires.”
The trades and construction are certainly industries seeing traction with these techniques, as are legal and healthcare, De Bollivier said. These verticals have “high stakes for errors plus standardized document formats, equaling clear domain-training ROI.”
One honest caveat, Faujdar said: specialized models often fall apart outside their domain and are not useful beyond their expertise unless they are retrained.
In highly-specialized domains like construction, “data dumps” into large language models (LLMs) don’t cut it, said Trunk’s CTO Amrish Kapoor. This is because most transformers are probabilistic models: When given an image, they report back that it is “probably” a tree, or “probably” a child playing next to a tree.
This makes them insufficient for high‑precision symbolic interpretation. For instance, in construction documents, a 2-millimeter-wide symbol has a vastly different meaning depending on where it’s placed.
Further, constrained by context limits, probabilistic models struggle with long‑term project memory. “I don’t mean a context window of a few tokens,” Kapoor said. “I’m talking about long term memory that stretches across months and years, because this is how long some of these projects are.”
Instead, Trunk’s three-layer system breaks workflows into:
Perception (reading and extracting data from messy docs like PDFs, drawings, or scans);
A semantic/graph layer (making sense of that data and understanding its relationships);
LLMs and agents on top.
Construction drawings are typically symbolic, Buchner said. A door isn’t always labeled ‘door.’ Sometimes it’s simply an arc on a wall that a trained eye learns to read based on years of practice.
“The perception layer is what teaches AI to read that language,” she said. The semantic layer then gives that information meaning; for instance, connecting the door to the drawing that details it, the spec that governs it, and the trade that installs it. This helps answer project engineers’ critical questions: Not “is there a door here?” but “does this door create a problem down the line?”
Particularly in construction, that shift matters because the cost of a problem compounds with time. “A conflict caught in design is relatively low cost to address,” Buchner said, “whereas the same problem caught in the field might cost tens of thousands of dollars.”
At a high level, the system identifies the document type and begins extracting information based on content (drawing, schedules, paragraph text). This data is then “transformed and augmented” in the platform, which triggers agentic workflows like knowledge graph relationships and end-user workflows.
For instance, an agent might review an architecture bulletin and produce a visual overlay comparing an older version and a newer version (flagging additions and removals), then generate written narratives that describe what those changes are in simple terms. This helps users understand what’s changed and coordinate with trade partners on updated pricing and change orders.
Construction workflows are “ripe with implicit assumptions and connections between data in its myriad of sources,” Buchner said. And the amount of unstructured data is “humanly impossible” to process or make sense of.
Buchner estimated the average high-rise building generates about 3.6 million pages of corresponding documentation. “If you print it into a stack of papers it would be as high as the building itself.”
All three layers of Trunk’s stack — perception, semantic, LLM — are trained on “very specific datasets” from customers with “explicit permissions” and auto‑labeling/IP, Kapoor explained. Customers who don’t want Trunk training on their data can opt out.
Data is deidentified and aggregated, and Trunk also collects “tons more” labeled data through other pipelines like 3D building information modeling (BIM).
Trunk says it only ships agents that achieve around 95% accuracy. The team maintains continuous evaluation pipelines based on ground truth data from customers and experts. They also employ an LLM-as-a-judge model.
“This notion of an LLM as a judge is to score how well you’re doing, both subjectively as well as objectively,” Kapoor said. Objectivity can be an easy ‘right’ or ‘not right,’ but subjectivity requires more nuance.
For instance, when creating an email or narrative or explanation, an LLM as a judge framework can create a composite score, or a numerical value that aggregates different metrics and tests a model’s performance or risk.
There can be challenges, though, particularly with latency, Buchner noted; any time the reasoning capacity of underlying models increases, the risk of latency goes up, too. Trunk maintains a set of evaluation criteria to objectively measure latency whenever changes are made to underlying infrastructure, agents, and API calls.
Then, “before we release to customers, we ensure marginal changes to the end-user experience are well worth the performance enhancements,” Buchner said.
Trunk’s platform powers seven AI agents purpose-built for construction, such as analyzing request for information (RFI) responses, overviewing bids, or reviewing drawings and submittals.
The submittal agent, for instance, flags missing, conflicting, or noncompliant information in product specs and RFIs. While it’s an essential step in the construction process, “it’s a super annoying workflow,” Buchner said, because human reviewers have to compare documents “with a bunch of other parts of documents.”
But the agent is able to do this in seconds, and Trunk says it has reduced submittal cycles from 50 to 60 days to 10, “which has massive schedule and financial implications.”
Trunk is now at a place where these agents are communicating directly with each other, which is “quite exciting,” Buchner said. So, for example, one agent will review an architectural drawing for accuracy, then autonomously hand it over to agents handling RFIs and asking follow-up questions.
“If the drawings have problems, the RFI agent is taking over and is actively reaching out for clarification,” Buchner explained.
Trunk says its customers report savings of 20 to 40 minutes per field question. Buchner said that users in the field know better than anyone how much of a “time suck” it is to go back and forth from office trailers, dig through project documents in scattered systems or printed PDFs, reconcile discrepancies, and return to coordinate with trade partners.
Trunk says its customers report these additional outcomes:
Average 8-minute time savings for single-document retrieval (status checks, location lookups, quantity queries).
Average 20-minute time savings for standard referencing (cross-referencing 2 to 3 spec sections to form an answer).
Average 40-minute time savings for multi-document research (listing and filtering queries, mapping relationships, analyzing RFIs and submittals across 4 to 6 documents).
Average 75-minute time savings for complex tasks (creating RFIs and other communication materials, deep cross-referencing across documents, change tracking).
In one instance, Trunk’s drawing review agent flagged that a structural beam had been moved up 8.5 inches. However, this was not documented by the architect. If the change hadn’t been caught, the project manager would likely have had to strip out and reinstall the right-size beam, Buchner said. This rework would have added $10,000 or more to the budget, and “certainly there would have been implications on the schedule.”
Buchner also pointed to other examples: an agent flagged $60,000 in exaggerated pricing with no justification from landscaping subcontractors; identified a fireplace that needed to be sealed prior to drywall installation, saving around $100,000 in labor, materials, and delays; and called out that an electric door required a panel that wasn’t included in electrical drawings.
Trunk’s approach to building agents is applicable to any vertical working with high volumes of unstructured, industry-specific data.
Builders working in specific verticals must understand the industry’s specific data challenges their end users face and build technical infrastructure that can transform unstructured data into something an “LLM can traverse and understand,” Buchner said.
“Only then can you build the connections between data points that ultimately feed agentic workflows.”
A lot of money is being invested in foundational models, so enterprises should build modular systems that can leverage the strengths of various models as they continue to improve, Buchner advised.
Then, “build your technical advantage where the generic models are not investing and not performing well,” she said.
The memory shortage has become a political problem in Washington. Now the chip industry has a message for the Trump administration: leave the market alone, or the squeeze gets worse.
The warning came in a letter from SEMI, a semiconductor industry group, to senior US officials. Any attempt to fix the shortage by steering prices or production would deepen it, the group said, as Bloomberg reported.
The crunch traces back to the AI boom, which is swallowing memory chips faster than makers can produce them.
SEMI’s argument is blunt. “Interventions that distort pricing or capacity decisions risk prolonging the demand downturn,” the group wrote, in a copy seen by Bloomberg. It wants the opposite approach. Let companies keep signing long-term supply deals with customers, and extend tax breaks that lift US output.
The stakes are high for its members. The three big memory makers all belong to SEMI: Micron in Idaho, plus SK Hynix and Samsung of South Korea. Their shares have soared as AI demand outstrips supply.
The politics are shifting because the shortage now reaches ordinary shoppers. Memory sits in everything from cars to laptops, and prices are climbing across the board. Even decades-old memory standards have jumped. Apple and Microsoft have both raised prices on popular gadgets, which is exactly what worries politicians eyeing voters’ wallets.
SEMI has a fix for that too. Rather than capping prices, it wants Congress to soften the blow with consumer tax breaks on phones and laptops. The group was careful to thank the administration for its support of the chip sector.
The letter lands in the middle of a louder fight. Apple is lobbying the same officials for permission to buy memory from two Chinese firms on a Pentagon blacklist. SEMI’s letter names no Chinese suppliers. But it went to the very people Apple has been pressing: the Treasury, Defence, Commerce and State secretaries.
Not everyone in Washington wants a light touch. One Republican senator, Bernie Moreno of Ohio, has urged the Commerce Secretary to put American buyers first. He warned of a car-industry hit like the one seen during the pandemic.
The hard truth is time. SEMI says memory capacity should grow about 19 per cent a year, yet AI demand will still eclipse it. New factories take years to build. Until they arrive, the mismatch keeps pushing prices up. For European shoppers, the warning rhymes with one already made in Britain.
Currys expects phones, laptops and TVs to cost more later this year. The industry’s message to politicians is simple. You cannot regulate more chips into existence.
The latest week-long speedrunning marathon starts on July 5.
Speedrunners are once again descending on Minneapolis to tear through games in aid of a fantastic cause as this year’s edition of Summer Games Done Quick (SGDQ) is about to commence. The week-long, round-the-clock event starts on Sunday. You can watch all of the action live on Twitch. If you miss a particular run, you’ll be able to catch up on the VODs on YouTube.
After a preshow at 12:30PM ET, the action will start at 1PM with a 102% run of one of my favorite games of all time, Donkey Kong Country 2: Diddy’s Kong-Quest. Recent games making their GDQ debut include Don’t Stop, Girlypop!, Super Meat Boy 3D, Pragmata, Resident Evil: Requiem, Unbeatable, Mouse: PI for Hire and Saros.
I’m interested to check out a pinball showcase with Total Nuclear Annihilation as well as the Gordon & Daxter run. This is a modded version of Jak & Daxter in which you play as Gordon Freeman with Half-Life weapons and movement. I always love it when there’s a Super Mario Maker 2 race on the schedule, so I’m looking forward to that too.
As always, SGDQ is raising money for Doctors Without Borders. Last year’s edition raised over $2.4 million for the cause.
Malaysia is set to take action if VPNs are used to facilitate criminal activities or help residents bypass the new social media age limit.
According to local reports, Deputy Home Minister Datuk Seri Dr Shamsul Anuar Nasarah said the government is working closely with the Malaysian Communications and Multimedia Commission (MCMC) to counter VPNs and borrowed identities that are being used to slip past newly enforced social media age limits.
For the many people who reach for the best VPN services to protect their browsing, encrypt their traffic, or simply keep their data out of advertisers’ hands, the reassuring takeaway is that the tool itself is not the target. What the authorities want to reach is the small share of activity where a VPN is used as a shield for something illegal.
The comments came during a question-and-answer session on cybercrime and age verification. Shamsul Anuar explained that police would draw on public complaints and their own investigations to identify cases where VPNs or identity-masking tools are being abused, and that such misuse could be treated as an added element of an offence.
He was clear that the crackdown is aimed at conduct, not software. The minister framed the effort as part of Malaysia’s wider push to protect children online, pointing to a sharp rise in offences.
This sits on top of Malaysia’s under-16 social media ban, which took effect on 1 June 2026 under the Online Safety Act 2025. Large platforms including Facebook, Instagram, TikTok, and YouTube must now verify users’ ages and block under-16s from registering, with non-compliance carrying penalties reported at up to RM10 million.
VPNs enter the picture because they are an obvious way to make it look as though a user is somewhere the rules do not apply. Age verification laws elsewhere, such as in Australia and the UK, have repeatedly triggered spikes in VPN sign-ups, many of them from adults looking to protect the sensitive documents these systems ask them to hand over.
For most people, this is not a reason to stop using a VPN, and it is not a ban in disguise.
Digital rights groups, however, have been sharply critical of the age-verification model underpinning the ban.
ARTICLE 19, alongside local partners, has argued the measure was rushed, is disproportionate, and risks normalising surveillance while exposing people’s identity documents and biometric data to misuse.
Unsurprisingly to many of us, app stores for smart televisions are also trash. Perhaps even more full of trash than other app stores due to the smaller ecosystem and fewer reviewers.
Spur analyzed the LG smart TV app store, and found that almost half of the apps available contain proxy software, turning your TV into a node in their proxy network. Are these apps malware? Many of the analyzed apps provided a thin veneer of user consent: they offer you the tradeoff of seeing an ad every 15 seconds, or allowing their “occasional web indexing” to run permanently in the background. Watch the fishtank app for five minutes, join their proxy network for life.
Spur notes that the proxy SDK in use appears to block connections to private network ranges (internal ranges such as 192.168.x.x and 10.x.x.x), but that this SDK-level restriction is the only thing standing between the proxy network's customers and whatever network the TV is connected to.
Amazon and Roku ban proxy apps on their devices. Samsung and LG do not.
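Since an in-SDK address filter is the sole barrier here, it is worth seeing what a complete version of that check looks like. The following is an added example, not Spur's analysis or the SDK's own code: it covers the full set of IANA special-purpose ranges (not only the two the article names) and unwraps IPv4-mapped IPv6 addresses, which an IPv4-only list would let through. The network list and sample addresses are the author's own choices.

```python
import ipaddress

# Non-public ranges an egress filter should refuse. Beyond 10/8 and 192.168/16,
# the entries a quick check tends to miss are 172.16/12, carrier-grade NAT
# (100.64/10), link-local (169.254/16) and the IPv6 unique-local/link-local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _canonical(addr_text):
    """Parse an address literal; IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as IPv4."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked_destination(addr_text):
    """True if the destination is a non-public address (or not an IP literal at all).

    Apply this to the address actually resolved for a connection, never to the
    hostname, so a DNS answer pointing at an internal range is still refused.
    """
    try:
        addr = _canonical(addr_text)
    except ValueError:
        return True  # refuse anything that is not a clean IP literal
    return any(addr in net for net in BLOCKED_NETWORKS)


def filter_destinations(addr_texts):
    """Split a batch of destinations into those allowed and those refused."""
    allowed, blocked = [], []
    for a in addr_texts:
        (blocked if is_blocked_destination(a) else allowed).append(a)
    return {"allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    # Constructed sample destinations (no real traffic was observed).
    sample = ["8.8.8.8", "192.168.1.10", "172.16.0.1", "100.64.1.1",
              "169.254.169.254", "::ffff:192.168.1.10", "fd12::1", "not-an-ip"]
    print(filter_destinations(sample))
```

The mapped-address case is the one to remember: a filter that compares only IPv4 strings will happily pass `::ffff:192.168.1.10` to a dual-stack socket, which then connects to 192.168.1.10.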
Microsoft has added another year of security updates to Windows 10. Despite trying to kill the platform, so many users remain on Windows 10 that Microsoft likely has no choice.
The extended support program was previously due to end in October 2026 but has now been pushed to October 2027. The security updates will be available for free in the EU, but users in other regions must activate OneDrive and sync system settings, or pay 1000 Microsoft credits (about $30).
The death of Windows 10 is near, but for those unwilling or unable to let go, it shuffles along.
Bleeping Computer has an article about increased phishing attempts from hacker groups in Russia targeting Signal users.
The phishing messages target politicians, government officials, military, and other high-profile intelligence targets, and claim that Signal is introducing mandatory two-factor authentication, before prompting the target to enable remote Signal backups. A second follow-up phishing attempt then prompts the user to copy the backup authentication tokens from Signal and provide them to the attacker.
Signal remote backups are a relatively recent addition to the messenger: a backup of a user's messages and images stored on the Signal servers, encrypted with a key known only to the user. While convenient, and likely fundamentally secure given the track record of the Signal team, this phishing campaign highlights a major weakness: once private content is accessible somewhere else, an attacker only needs to obtain the key to access it, which is significantly simpler than obtaining the message content directly from the victim's phone.
Sasha Romijn presented an excellent talk at OrangeCon on embedding attack payloads in unusual places.
Sasha found poor input handling of content from DNS servers, TLS certificates, server headers, DHCP host names, LoRa Mesh node names, WiFi network names, and more. In many cases, it seems to be as simple as embedding JavaScript or CSS inside a string; many sites and utilities don’t sanitize against escaped HTML, and the standards allow it.
They then go on to demonstrate more serious impacts, such as compromising the management accounts of two Europe-based hosting providers by injecting content into TLS certificates, and gaining root on some OpenWrt devices via a WiFi SSID that loads hostile JavaScript into the LuCI web management interface, which then uses the web management system to install a backdoor root shell.
Sasha continues the tour-de-exploits by demonstrating multiple cross-site scripting injections into the RIPE NCC database, which then allow browser manipulation of users on the RIPE website. This has enormous implications, because RIPE NCC is the Internet number allocation organization for Europe and the Middle East: the body that assigns and manages IP address blocks.
Be sure to check out the full presentation, and let this be a lesson to always treat all data as hostile, even from what would seem to be your own services!
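The common root cause in the talk is a web UI that concatenates a protocol field (SSID, DHCP host name, certificate subject) straight into HTML. The following added example, which is not from the talk or from any of the affected projects, shows that pattern beside its fix, with escaping applied for both text and attribute contexts, plus a cheap detector a device or panel could use to log fields carrying HTML metacharacters. The sample strings are constructed for the demonstration.

```python
import html
import re

# Constructed samples of attacker-controlled protocol fields. To the protocol
# they are just bytes; the danger is entirely in how a web UI renders them.
SAMPLE_SSID = "Lobby<b>Free</b>"
SAMPLE_HOSTNAME = 'Printer" class="x'   # breaks out of an attribute value

MARKUP_CHARS = re.compile(r'[<>"\'&]')


def render_unsafe(label, value):
    """The pattern that bites: raw concatenation into both a text node and an attribute."""
    return f'<tr><td>{label}</td><td title="{value}">{value}</td></tr>'


def render_safe(label, value):
    """Escape once with quote=True so the result is safe in text and quoted attributes.

    html.escape turns < > & " ' into entities; the same escaped string can be
    reused for the title attribute because quotes are covered too.
    """
    esc = html.escape(value, quote=True)
    return f'<tr><td>{html.escape(label, quote=True)}</td><td title="{esc}">{esc}</td></tr>'


def looks_like_markup(value):
    """Detector for logging or alerting: does a protocol field carry HTML metacharacters?

    Legitimate SSIDs and host names almost never contain these, so a hit is a
    useful signal even when the renderer is already escaping correctly.
    """
    return MARKUP_CHARS.search(value) is not None


if __name__ == "__main__":
    for name, value in (("SSID", SAMPLE_SSID), ("Host", SAMPLE_HOSTNAME)):
        print("unsafe:", render_unsafe(name, value))
        print("safe:  ", render_safe(name, value))
        print("flag:  ", looks_like_markup(value))
```

Escaping at render time is the fix; rejecting odd characters at the protocol layer is not, because the standards permit them and the field may be displayed by several different tools. The detector is for visibility, not enforcement.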
One of the first steps in getting access to an embedded device is to look for a serial port, or serial port test points. Often this can give an idea what sort of code is running on the system, and in some cases, give direct access via the boot loader or a Linux login console.
Boot Intel is a web-based tool to automate scraping boot messages from embedded devices, looking for exposed logins and vulnerable services. Boot Intel can take pasted boot logs, or directly connect to the device via WebSerial.
While Boot Intel is a paid service, there is a free version for hackers to explore devices.
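To make concrete what "scraping boot messages" for the interesting parts involves, here is an added example of a small boot-log triage routine. It is not Boot Intel's code and makes no claim about how that service works; the log fragment is constructed for the demonstration and the pattern set and flag names are the author's own. It pulls out the bootloader, kernel and BusyBox versions, lists the services the init scripts start, and raises flags for the things a hardware assessment usually cares about first: an interruptible autoboot, a login prompt on the console, services that speak cleartext, and a kernel series old enough to warrant a CVE lookup.

```python
import re

# Constructed boot log fragment (not captured from a real device) showing the
# kinds of lines worth flagging when triaging a serial console.
SAMPLE_BOOT_LOG = """\
U-Boot 2013.07 (Mar 03 2017 - 10:21:55)
DRAM:  128 MiB
Hit any key to stop autoboot:  3
Linux version 2.6.36 (build@host) (gcc version 4.5.2) #1 Tue Mar 7 2017
init started: BusyBox v1.19.4 (2017-03-07 10:30:02 CST)
Starting dropbear sshd: OK
Starting telnetd: OK
Starting httpd: OK
Welcome to Router OS
router login:
"""

PATTERNS = {
    "bootloader": re.compile(r"^(U-Boot \S+)"),
    "autoboot": re.compile(r"Hit any key to stop autoboot"),
    "kernel": re.compile(r"^Linux version (\S+)"),
    "busybox": re.compile(r"BusyBox v(\S+)"),
    "service": re.compile(r"^Starting (\w+)"),
    "login_prompt": re.compile(r"\blogin:\s*$"),
}

# Services that carry credentials or management traffic without encryption.
CLEARTEXT_SERVICES = {"telnetd", "httpd", "ftpd", "tftpd"}


def triage_boot_log(text):
    """Return a findings dict: versions, started services and assessment flags."""
    findings = {"bootloader": None, "kernel": None, "busybox": None,
                "services": [], "flags": []}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := PATTERNS["bootloader"].match(line)):
            findings["bootloader"] = m.group(1)
        if PATTERNS["autoboot"].search(line):
            findings["flags"].append("autoboot_interruptible")
        if (m := PATTERNS["kernel"].match(line)):
            findings["kernel"] = m.group(1)
            major, minor = (int(x) for x in m.group(1).split(".")[:2])
            if (major, minor) < (4, 0):
                findings["flags"].append(f"old_kernel_series:{major}.{minor}")
        if (m := PATTERNS["busybox"].search(line)):
            findings["busybox"] = m.group(1)
        if (m := PATTERNS["service"].match(line)):
            svc = m.group(1)
            findings["services"].append(svc)
            if svc in CLEARTEXT_SERVICES:
                findings["flags"].append(f"cleartext_service:{svc}")
        if PATTERNS["login_prompt"].search(line):
            findings["flags"].append("login_prompt_exposed")
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_boot_log(SAMPLE_BOOT_LOG), indent=2))
```

The flags are prompts for the assessor, not verdicts: an old kernel series says "go look up what this build is missing", and an interruptible autoboot says "the bootloader environment is reachable from the console", which on a device you own is the first thing to lock down.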
watchTowr Labs is back with another excellent write-up on CitrixBleed, continuing the trend of memory leaks in Citrix NetScaler devices.
This collection of vulnerabilities allows leaking internal memory from the Citrix servers, which can expose logs, customer data, encryption keys, or anything else found in server memory. NetScaler devices offer SSL offloading, application acceleration, VPN and remote access, and load balancing; all installations where leaking memory is likely very bad.
The watchTowr write-up maintains their trend of providing entertaining reads about highly technical topics. Do yourself a favor and be sure to give it a look!
LastPass marketing partner Klue was compromised this week, impacting the customer data of multiple companies. Customer data such as email addresses, phone numbers, postal addresses, and support tickets were exposed; the LastPass vaults themselves were not impacted. While LastPass has revoked the impacted partner's access, the stolen data could assist phishing attacks against customers.
The open source self-hosted video sharing platform PeerTube has released an emergency update which addresses multiple vulnerabilities. While the release notes quote “medium to high severity” vulnerabilities, there are no specific details. If you run a PeerTube server, upgrade now!
Both Apple AirDrop and Google Quick Share have new vulnerabilities reported this week, with fixes coming soon. Both protocols are designed to allow file sharing with nearby devices, and accordingly, the issues found in them can be triggered from nearby devices. Researchers found six vulnerabilities in the macOS, iOS, Windows, and Android implementations of the sharing protocols. All of the discovered vulnerabilities led to crashes, not full exploitation or code execution. Sustained denial of service was possible, however, with nearby attackers able to keep the services unreachable and unusable for as long as they liked.
When we think of 1960s synthesizers it’s usual to imagine instruments with vast arrays of controls and patch cables for configuring their many filters, oscillators, and other parameters. They created the templates for much of what we know today as electronic music.
In all the rush to look at full-blown synths though, it’s easy to forget their more mundane cousin, the electric organ. These instruments graced many a ’60s suburban home or church hall, and [Emma Repairs] has an interesting one. It’s a Philips Philicordia, and it’s sent us here at Hackaday down one of those rabbit holes when we should really be writing.
The instrument is a relatively straightforward single voice electric organ on the outside, but under the hood it’s a different matter. In an age when the transistor was revolutionizing electronic music, the folks in Eindhoven designed this one using tubes. There is a set of conventional enough tubes performing the role of amplifiers and oscillators, but the real party piece of this unit is the array of neon tube dividers. A neon bulb can be used as a switching element, and in those days when affordable digital logic chips were several years away, it made sense to use them in digital circuits.
The inside of the Philicordia is a feast of vintage Philips parts that will be instantly familiar to anyone who’s worked on Western European electronics of this era. The exterior design of the instrument screams understated early-1960s cool, and after she’s introduced it you can hear her playing it in the video below. Further down that rabbit hole we found that one of these instruments provided the distinctive organ sound on Chris Montez’s 1962 hit Let’s Dance, so they weren’t all uncool.
The robot butler has been five years away for about twenty years. Weave Robotics thinks the trick is to aim lower. Its new home robot, Isaac 1, does not walk, has no fingers, and mostly just wants to do your laundry. It also costs a fraction of its humanoid rivals.
The Y Combinator-backed startup unveiled Isaac 1 on Wednesday. The launch post has passed 13 million views. At $7,999 up front, or $449 a month, it undercuts the field by a wide margin.
Isaac 1 is deliberately un-humanoid. It rolls on a wheeled base rather than legs, and rises from a crouch to 5ft 9in when there is work to do. It grips with two orange claws, not fingers. The soft body comes in muted colours with names like Sage and Terracotta, and it runs for about eight hours per charge, according to TechRadar.
The job list is narrow on purpose. It finds and picks up dirty clothes, folds and puts away the clean ones, makes the bed, fluffs the pillows, and tidies away shoes and toys. Notably, it does not load or run the washing machine. It works through a phone app, mostly on its own. Weave admits a human operator can take over remotely for tricky tasks.
The price is the headline. 1X’s Neo costs around $20,000. Tesla’s Optimus has no price at all yet. Bipedal rivals such as Figure and Unitree run from $12,000 to well over $20,000, because legs need pricey actuators and sensors. Weave’s wheels-and-claws approach sidesteps most of that cost.
The bet fits a wider argument in robotics: that purpose-built machines will beat general-purpose humanoids into the home. It is the same logic drawing billions into physical AI on both sides of the Atlantic.
The reaction online split neatly, as Business Insider noted. “Closer and closer to never doing chores again,” wrote Chris Paxton, an AI lead at Agility Robotics. The investor Jason Calacanis said it was “about to get very strange.” Others were blunter. Fintech executive Simon Taylor called it a “Roomba with arms.” One commenter simply called it “slow” and “clunky.”
There are several catches. Deliveries start in September, but only in California. The rest of the US waits until 2027, and Europe is not on the map at all yet. The autonomy is partial, propped up by teleoperation. There is a quieter concern too. Weave’s site says it uses personal information to improve its services, but the company would not say whether footage from inside people’s homes trains the robot. That is the unease that shadows every home robot with a camera and a data pipeline.
None of this makes Isaac 1 the machine that finally cracks the home. The promised army of domestic robots keeps slipping into next year. But by doing less, for less, Weave may have built something people will actually buy. Sometimes the winning robot is not the one that looks most like us.