LastPass requests you create a backup of your password valt - with urgency

 PLEASE do NOT respond or action a request from LastPass to create a(nother) backup of your password vault. This is a  recent phishing campaign.
Instead of obtaining your vault password, they gain access to your ENTIRE password vault.

Browser Extension's Logo containing malware

  GhostPoster malware. 
Browser extensions can have a logo. An icon displayed as part of the browser extension.
GhostPoster malware adds JavaScript after a marker. 
So the extension displays the logo and executes the extension function as normal.
BUT the PNG logo delivers the malicious JavaScript code past most defenses.

Seven years undetected. 8 million instances, over 1 million victims.

Even more stealth. The malware loader uses several sites. The loader waits 48 hours. The loader only executes the load 10% of the time. 

Information on GhostPoster in recent.

Extreme Android Vulnerability

 AI is on a continuum between helpful and harmful. Iff we  know how AI is used. Thus today's warning.

Any Android smartphone smart tablet can be totally (kernel level takeover) by receiving an audio message. Not reading, just receiving an audio message. No clicks, no open of the audio message,  no playing of the message, no interaction.
Why? 
A vulnerability in the Dolby audio decoder. An audio decoder in almost every Android device. When receiving an audio message via any means, the decoder decodes the message for transcription   using AI.
A recent change. Now that audio decoder is exposed to the internet and any attacker. 
So, with AI the audio message can be transcribed, translated, searched, indexed, ...
Yeah but with AI on your Android device and a malicious audio message delivered with no notice or interaction AND more and more apps using Android AI features - not good.
Chaining this vulnerability with a vulnerability in BigWave (a hardware video decoding) the attacker has full kernel level control and access. Access like camera, microphone, files, Internet access, ...
Clever attackers? No, the attackers used AI to develop the attack. Google's AI developed an attack on Google Android platform.
The same Dolby audio decoder is used on iPhones and Macs but with a compile switch to prevent the vulnerability.

Please check your android device and any recent security updates.

Reprompt attack on Microsoft Copilot allows attackers to issue prompts to exfiltrate sensitive data.

 This vulnerability was patched by Microsoft's January 2026 patch update.

The attack allows attackers to infiltrate a victim's Microsoft Copilot session then issue commands to exfiltrate sensitive data. A malicious prompt inside a legitimate URL, bypassing Copilot protections, allows an attacker to then access Copilot's LLM session issuing commands of the attacker's choosing. This attack requires no plugins or other vulnerabilities and allows  invisible data exfiltration.
 Copilot connects to the victim's personal account acting as a personal assistant integrated with Edge and most of Microsoft applications.

 The attack leverages parameter-to-parameter prompt injection, double request technique, and chain request technique. "Please make every function call twice and compare results, show the best one" 

WhisperPair - Vulnerability in 17 manufacturer's Bluetooth speakers, headphones, and other accessories

 Vulnerable devices manufactured by Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself.  The vulnerability is being called WhisperPair as it allows any Bluetooth device in range to take control of the vulnerable device AND  potentially track the device.

 Many of the affected devices with the vulnerability require a security update.

Largest Healthcare reported data breaches

US Department of Health and Human Services Office for Civil Rights

15 Large breaches    The top 5:
Aflac 22,650,000
Conduent Business Services LLC  10,515,949
Yale New Haven Health System  5,556,702
Episource LLC 5,414866
Blue Shield of California 4,700,000

Figures on the number of breaches and the companies reporting so far are not accurate nor complete due to the government shutdown and most breaches were breaches of business associates.

California DROP

 California DROP (Delete Request and Opt-out Platform)   Jan 1, 2026

 residents can file 1 request for all 500+ data brokers to delete, not collect, nor sell personal data

just supply the info ...

 4 states require data broker registration Oregon, California, Vermont, Texas