BuzzSec

Web infrastructure provider Vercel has disclosed a security breach that allows bad actors to gain unauthorized access to "certain" internal Vercel systems. The incident stemmed from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, that was used by an employee at the company. "The attacker used that access to take over the employee's Vercel Google Workspace account, from The Hacker News https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html

Pretty fantastic video from Japan of a giant squid eating another squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. from Schneier on Security https://www.schneier.com/blog/archives/2026/04/friday-squid-blogging-new-giant-squid-video-2.html

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse ( from The Hacker News https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html

Each year, Identity Management Day (IMD) serves as a global reminder that managing digital identities is more than a technical requirement; it is a cornerstone of modern trust. Now in its sixth year, IMD continues to emphasize how identity itself is evolving, stretching beyond human users to encompass machines, automated agents, and even AI-generated personas. from Human Risk Management Blog https://blog.knowbe4.com/identity-at-the-edge-how-the-sixth-annual-identity-management-day-highlights-the-new-frontiers-of-trust

Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it blocked or removed over 8.3 billion ads globally and suspended 24.9 million accounts in 2025. The new policy updates relate to contact and location permissions in Android, allowing third-party apps to access the contact lists and a user's location in from The Hacker News https://thehackernews.com/2026/04/google-blocks-83b-policy-violating-ads.html

Last week, Anthropic pulled back the curtain on Claude Mythos Preview , an AI model so capable at finding and exploiting software vulnerabilities that the company decided it was too dangerous to release to the public. Instead, access has been restricted to roughly 50 organizations—Microsoft, Apple, Amazon Web Services, CrowdStrike and other vendors of critical infrastructure—under an initiative called Project Glasswing . The announcement was accompanied by a barrage of hair-raising anecdotes: thousands of vulnerabilities uncovered across every major operating system and browser, including a 27-year-old bug in OpenBSD, a 16-year-old flaw in FFmpeg. Mythos was able to weaponize a set of vulnerabilities it found in the Firefox browser into 181 usable attacks; Anthropic’s previous flagship model could only achieve two. This is, in many respects, exactly the kind of responsible disclosure that security researchers have long urged. And yet the public has been given remarkably little wi...