Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-control (C2) backbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame. Get the Guide ➝ 🔔 Top News Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence (AI)-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said. APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts. Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428) to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-control (C2) framework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google. CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge request (or commit, issue, or source code) by taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure. ‎️‍🔥 Trending CVEs Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open. This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR). 📰 Around the Cyber World Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month. Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairs (MVD) within three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029. Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information." Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure." New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP address (185.147.125[.]81) stored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow." New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS plugin (or something similar) that allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page." E.U. Sanctions Stark Industries — The European Union (E.U.) has announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation. The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Mask (aka Careto) has been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts (the U.S.), and Animal Farm (France). Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'" Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay $45 million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516 (aka CopyCop) sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operations (IO) to reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said. Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoader (aka ModiLoader) via banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said. SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission's (SEC) official X account in January 2024 and falsely announced that the SEC approved Bitcoin (BTC) Exchange Traded Funds (ETFs). Council Jr. (aka Ronin, Agiantschnauzer, and @EasyMunny) was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit $50,000. According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) is warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information. DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-concept (PoC) for a high-severity security flaw in Digital Imaging and Communications in Medicine (DICOM), predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687 (CVSS score: 7.8), originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "[The whitelist] would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked." Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication (MFA). The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policies (CAPs) and maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middle (AitM) phishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles." 🎥 Cybersecurity Webinars Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identities (like service accounts and API keys) to function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead. Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense. 🔧 Cybersecurity Tools ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments. Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation. AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities. 🔒 Tip of the Week Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them? Why it matters: Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk. What to do: Go through your connected apps here: Google: myaccount.google.com/permissions Microsoft: account.live.com/consent/Manage GitHub: github.com/settings/applications Facebook: facebook.com/settings?tab=applications Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open. Conclusion Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops. The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Tech OpenAI’s $6.5B new acquisition signals Apple’s biggest AI crisis yet OpenAI, Jony Ive join forces to challenge Apple’s AI future Published May 26, 2025 8:00am EDT close OpenAI chief urges US to maintain 'lead' in AI developments: 'Critically important' OpenAI CEO Sam Altman sits down with Shannon Bream to discuss the positives and potential negatives of artificial intelligence and the importance of maintaining a lead in the AI industry over China. OpenAI has just made a move that's turning heads across the tech world. The company is acquiring io, the AI device startup founded by Jony Ive, for nearly $6.5 billion. This isn't your typical business deal. It's a collaboration between Sam Altman, who leads OpenAI, and the designer responsible for some of Apple's most iconic products, including the iPhone and Apple Watch. Together, they want to create a new generation of AI-powered devices that could completely change how we use technology. OpenAI’s ChatGPT on a smartphone (Kurt "CyberGuy" Knutsson)Why this deal mattersThis deal is significant for a few reasons. Jony Ive is stepping into a major creative and design role at OpenAI, bringing along his team of engineers and designers, many of whom also have Apple roots. Their mission is to build hardware that goes beyond the familiar territory of smartphones and laptops. The first product from this team is expected in 2026, and while details are still scarce, it's rumored to be a "screenless" AI companion. The idea is to develop something that's aware of its surroundings and designed to help users in ways that current devices simply can't.Apple faces a new kind of competitionApple, which has long been seen as the leader in design and innovation, suddenly finds itself in a tough spot. The company has struggled to keep up with the rapid advancements in AI, and now OpenAI is moving directly into its territory. Investors are clearly worried, as Apple's stock dropped after the news broke. Unlike previous competitors such as Google, which tried to beat Apple at its own game, OpenAI and Ive are taking a different approach. They're aiming to create a device that could make the iPhone feel outdated by focusing on AI-first experiences and moving away from traditional screens. Apple logo (Kurt "CyberGuy" Knutsson)What will the new device be like?So what will this new device actually look like? While Altman and Ive are keeping most details secret, they have hinted at a family of AI devices that focus on seamless, intuitive interaction rather than screens. They want to create something that understands your context, adapts to your needs and helps you connect and create in new ways, all without requiring you to stare at a display. The device won't be a phone or a pair of glasses but something entirely new that fits into your life as naturally as a MacBook or iPhone once did. OpenAI's ambition is huge. In fact, they want to ship 100 million units faster than any company has ever done with a new product, which shows just how big their vision is.What's next for OpenAI and Apple?For OpenAI, this is the largest acquisition it has ever made and marks a serious push into consumer hardware. With Jony Ive leading design, OpenAI is betting that it can outpace Apple and define the next era of personal technology. Meanwhile, Apple is under more pressure than ever to deliver on its own AI promises and to innovate beyond the incremental updates we've seen in recent years. The competition is no longer just about who makes the best phone. Now, it's about who can redefine the relationship between people and technology in the age of AI. Artificial intelligence (Kurt "CyberGuy" Knutsson)Kurt's key takeawaysIt's impressive to see two visionaries like Sam Altman and Jony Ive working together on something this ambitious. If their AI devices live up to expectations, we could be on the verge of a major shift in how we use and think about technology. Apple finally has a real challenger, and the next few years are sure to be interesting for anyone following the future of tech.Do you believe Apple can regain its edge in innovation, or is the future of personal tech now in the hands of new players like OpenAI? Let us know by writing us atCyberguy.com/Contact.For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.Follow Kurt on his social channels:Answers to the most-asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com. All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

May 23, 2025Ravie LakshmananCloud Security / Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers' cloud infrastructures with default configurations and elevated permissions. The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment. The incident led to the discovery that the threat actors had been exploiting a zero-day vulnerability (CVE-2025-3928), an unspecified flaw in the Commvault Web Server that enables a remote, authenticated attacker to create and execute web shells. "Based on industry experts, this threat actor uses sophisticated techniques to try to gain access to customer M365 environments," Commvault said in an announcement. "This threat actor may have accessed a subset of app credentials that certain Commvault customers use to authenticate their M365 environments." Commvault said it has taken several remedial actions, including rotating app credentials for M365, but emphasized that there has been no unauthorized access to customer backup data. To mitigate such threats, CISA is recommending that users and administrators follow the below guidelines - Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need Restrict access to Commvault management interfaces to trusted networks and administrative systems Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications CISA, which added CVE-2025-3928 to its Known Exploited Vulnerabilities Catalog in late April 2025, said it's continuing to investigate the malicious activity in collaboration with partner organizations. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

OpenAI just made its biggest move yet — buying Jony Ive's AI startup — with hopes of building something that feels as magical as the first iPhone.Image Credit: OpenAIInitially, it was reported that OpenAI would buy Jony Ive's AI startup, simply named "io", for $500 million. To say that the actual sale cost was a bit higher would be an understatement.The final sale price wound up being nearly $6.5 billion — in stock. Continue Reading on AppleInsider | Discuss on our Forums

The Pokémon TCG market is moving, and not quietly. With Black Bolt and White Flare coming in hot, many Black and White-era cards are suddenly on every collector’s radar again. We're seeing massive jumps on cards that have sat stable for years, all because Gen V is back in style. If you're looking to trade, cash in, or just gawk at how weird card prices can get, I’ve got you covered.Here are five cards that are flying and five that are faceplanting. Some of these are smart buys. Others? Let’s say I wouldn’t want to be the one who paid full price three weeks ago.Pokémon Card CrashersImage Credit: IGN Photo Composite / The Pokémon CompanyLeafeon ex from Prismatic Evolutions dropped 21% since mid-April, from $467.85 to $369.96. Still expensive, sure, but that's a big chunk of change to evaporate in just a few weeks. If you bought high, I’m sorry. If not, maybe give it a few more dips before you pounce.And then there’s Eevee ex, also from Prismatic. Down 28%, now sitting at $172 after peaking above $240. Honestly, I think Eeveelution fatigue is real. There are just so many of them floating around that even good cards are struggling to keep their value.Salamence ex - 187/159Leafeon ex - 144/131Iron Crown ex - 158/131Lillie's Clefairy ex - 184/159Eevee ex - 167/131Lillie’s Clefairy ex from Journey Together has slid 26% this month, from $212 to $158. I still like this card a lot, but the dip is noticeable. Early adopters probably paid more than they should have, and now the market's correcting like it just remembered what money is.Salamence ex is rough. It's down a staggering 63% since late March, from $242 to $90.50. That’s not a correction, that’s a full-on crash landing. I wouldn’t be shocked if it dips further. Might be worth watching, but I wouldn’t touch it yet unless you’re in it for the art.Lastly, we’ve got Iron Crown ex from Prismatic, down 19% just this month. It was sitting around $84 and is now at $67.75. That’s not terrible, but it’s still part of a clear trend. The set had a big debut and now the shine is fading fast.Did you catch last week's crashers and climbers? Read the most recent updates from our weekly column.Pokémon Card ClimbersImage Credit: IGN Photo Composite / The Pokémon CompanyI’ll start with Reshiram from Black & White, which has absolutely rocketed. It was sitting at a modest $33.92 in mid-March, and now you’re lucky to find one under $240. That’s a 150% leap for a card that’s over a decade old. I’ve seen faster elevators, but not many. With all 156 Unova Pokémon getting fresh prints soon, I think Reshiram’s still got room to climb.Then there’s Zekrom EX from Next Destinies, which has gone from $34.63 to nearly $392 since March. It’s another reminder that Full Art cards from the EX era aren’t just collectible, they’re volatile. In a good way, if you got in early. I’d still grab this if it fits your binder, because it's only going to get more attention once White Flare drops.Zekrom EX - 97/99Reshiram - 113/114Dialga GX - 125/131Sprigatito - 196/193Vileplume GX - 4/236$10.03 at TCG PlayerI’m also watching Sprigatito from Paldea Evolved. The IR version has quietly crept up from $17.98 in January to $21.95 today. It’s not a moonshot, but compared to the general slump of modern IRs, it’s doing surprisingly well. Plus, it’s a smug little cat and people love smug cats.Now for Dialga-GX from Forbidden Light. This one was hanging out around $14 just two months ago, and it’s shot up to $74.99. I wouldn’t call it graceful, but it’s definitely gaining traction. GX-era cards are getting more attention lately, and Dialga's age plus playable nostalgia make it a solid hold in my opinion.Don’t laugh, but Vileplume-GX from Cosmic Eclipse is up too. It was stuck at $6.83 for what felt like forever, and now it’s over $10. It’s not exactly a gold rush, but it’s one of those oddball rares that sneaks up when no one’s looking. You’ll thank yourself later if you pull it out of a bulk box and it suddenly pays for lunch.Pokémon Card Sealed Boosters151 Booster PackDropped by 8% since beginning of MayUnless you're dead set on grabbing the promo cards and poster in the 151 poster bundle, grabbing booster packs from TCG Player is where it's at (Or just the poster and promos seperately). Currently sitting at $10.33 a pack, it's obvious that Amazon is now going above MSRP and secondary market value. If you're not bothered about opening packs and just want 151 chase cards, here's some of my favorites as well.Charmeleon - 169/165Bulbasaur - 166/165Alakazam ex - 201/165Squirtle - 170/165Charizard ex - 183/165Charmander - 168/165Zapdos ex - 202/165Venusaur ex - 198/165Blastoise ex - 200/165Charizard ex - 199/165If you've dedicated your life to pulling chase cards yourself, here's what we can find in stock right now. Just watch out for pricing over MSRP, we're in a weird spot as Pokémon trainers right now, so don't pay more than what you have to. If you're desperate for some big box retailer products, here you go. Just make sure to be savvy before buying, as 9 times out of 10 TCG Player will be cheaper in this climate.151 Poster Collection$40.97 at AmazonPokémon Trading Card Game Classic$290.67 at AmazonTerapagos ex UPC$219.99 at AmazonPrismatic Evolutions Booster Bundle$84.48 at AmazonPrismatic Evolutions Surprise BoxHoliday 2024 Calendar$54.27 at AmazonMimikyu ex Box$49.99 at AmazonAzure Legends Tin$39.77 at Amazon2024 Trainer’s Toolkit$33.50 at AmazonShrouded Fable Mini Tin$16.00 at AmazonHere's the Pokémon TCG full Release Schedule so far for this year, too, so you don't miss anything. Buying singles is the cheapest way to collect right now, but don't feel like you have to "Catch Em' All!".Destined Rivals Sealed Product Preorder UpdatesWith Destined Rivals dropping May 30 and preorders currently sold out everywhere, it's a good time to keep on top of the secondary market to find the best prices. Best Buy will restock on May 23 via a special "Best Buy Drops" preorder event on its app, just like the recent Black Bolt and White Flare expansions preorders. Destined RivalsBooster BundleSee it at TCG PlayerDestined RivalsBooster BoxSee it at TCG PlayerDestined RivalsElite Trainer BoxSee it at TCG PlayerDestined RivalsPokemon Center Elite Trainer Box (Exclusive)See it at TCG PlayerDestined RivalsHalf Booster BoxSee it at TCG PlayerDestined RivalsBooster PackSee it at TCG PlayerDestined RivalsSleeved Booster PackSee it at TCG PlayerDestined Rivals3 Pack Blister [Zebstrika]See it at TCG PlayerDestined Rivals3 Pack Blister [Kangaskhan]See it at TCG PlayerDestined RivalsBuild & Battle BoxSee it at TCG PlayerBest Buy has also confirmed it will have Booster Box stock online on May 30, alongside ETBs, Booster Packs, and more in store for launch.You could also just wait a few months for more solid stock, but like I said in my preview, this set is one of my favorites in the Scarlet and Violet era, and well worth picking up ASAP.Christian Wait is a contributing freelancer for IGN covering everything collectable and deals. Christian has over 7 years of experience in the Gaming and Tech industry with bylines at Mashable and Pocket-Tactics. Christian also makes hand-painted collectibles for Saber Miniatures. Christian is also the author of "Pokemon Ultimate Unofficial Gaming Guide by GamesWarrior". Find Christian on X @ChrisReggieWait.