[Critical] Emergency Security Update for Google Chrome: CVE-2026-3909 and CVE-2026-3910

Two high-severity zero-day vulnerabilities have been identified in Google Chrome and are confirmed to be actively exploited in the wild. These flaws allow attackers to execute malicious code or gain unauthorized memory access simply by tricking a user into visiting a compromised website.

  • CVE-2026-3909 (Out-of-bounds write in Skia): A flaw in the graphics engine that can lead to memory corruption and potential code execution.
  • CVE-2026-3910 (Inappropriate implementation in V8): A vulnerability in the JavaScript/WebAssembly engine allowing arbitrary code execution within the browser sandbox.

Impact

A remote attacker can leverage these vulnerabilities to compromise your device, steal sensitive data, or install malware. Because Chrome is a primary tool for university work and SaaS applications, these flaws represent a significant risk to personal and institutional information security.

Required Action

Staff and students are advised to manually trigger an update for their Chrome browser immediately.

Man accidentally gains control of 7,000 robot vacuums

From popsci.com

A software engineer’s earnest effort to steer his new DJI robot vacuum with a video game controller inadvertently granted him a sneak peek into thousands of people’s homes.

While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI’s remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries. The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing.

Read more…

Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign

From domaintools.com

In late 2025 and early 2026, a series of independent disclosures by software maintainers, security researchers, and national cyber authorities converged on an unsettling conclusion: for months, the update mechanism of one of the world’s most widely used open-source text editors had been quietly subverted. What initially appeared to be an isolated infrastructure anomaly was ultimately revealed to be a sustained compromise of the Notepad++ update pipeline, stretching back roughly six months. As investigators reconstructed the timeline, tracking unauthorized access to hosting infrastructure, lingering credentials that outlived initial remediation, and selectively altered update responses, a far more deliberate operation came into focus. This report is the product of analysis and parallel reconstruction of all public reporting on Lotus Blossom with additional research by DTI, drawing together technical forensics, victimology, and strategic context to assess both the campaign and the actor behind it.

Read more…

‘Completely Deactivate Wi-Fi’—Cyber Agency Warns iPhone And Android Users

From forbes.com

There have been plenty of cyber agency warnings for smartphone users in recent weeks. Only use encrypted messaging. No more SMS security codes. Avoid commercial VPNs. And update phones as soon as you can — which is timely this week. But now there’s more — you’re told to “completely deactivate Wi-Fi” whenever it’s not in use.

Most of the above advice comes via CISA, America’s cyber defense agency, but the latest is from CERT-FR, France’s equivalent, in conjunction with the U.K.’s agency. There is already plenty of Wi-Fi advice, but to completely disable the interface is new.

Read more…

Hackers Leveraging WhatsApp to Silently Install Malware to Harvest Logs and Contact Details

From Cyber Security News

A new malware campaign targeting Brazilian users has emerged, using WhatsApp as its primary distribution channel to spread banking trojans and harvest sensitive information.

This sophisticated attack leverages social engineering by exploiting the trust victims place in their existing contacts, making the malicious files appear legitimate.

The campaign begins with phishing emails containing archived VBS scripts that employ advanced obfuscation techniques to evade detection by security software.

Read more…

WhatsApp Vulnerability Exposes 3.5 Billion Users’ Phone Numbers

From cybersecuritynews.com

A critical security flaw in WhatsApp has allowed researchers to expose the phone numbers of 3.5 billion users, marking one of the most significant data leaks ever documented.

This vulnerability, rooted in the app’s contact discovery feature, persisted despite warnings to Meta dating back to 2017, raising serious concerns about user privacy on the world’s most popular messaging platform.

The exploit relies on WhatsApp’s built-in mechanism for finding contacts, which reveals whether a user is on the service and public details like profile pictures and status texts when a phone number is entered.

Security researchers from the University of Vienna demonstrated the flaw by systematically querying billions of potential numbers, confirming active accounts at a rate of over 100 million per hour without any restrictions from WhatsApp.

Read more…