Latest Cybersecurity Threats

Real-time threat intelligence from trusted sources

As tax season approaches, cybercriminals are ramping up their phishing attacks, targeting individuals and businesses with a variety of scams. These attacks are designed to deliver remote monitoring and management (RMM) malware, steal credentials, and perpetrate business email compromise (BEC) schemes. Additionally, hackers are using tax-form scams to trick users into providing sensitive information. This surge in phishing attempts poses significant risks, especially for those who may be more vulnerable during the busy tax season. Users and organizations need to be vigilant and implement security measures to protect against these evolving tactics, which can lead to financial loss and identity theft.

Impact: Individuals and businesses filing taxes
Remediation: Users should verify the sender's email address, avoid clicking on suspicious links, and use multi-factor authentication for accounts. Regular software updates and security training can also help mitigate risks.

Recent discussions have emerged around how large language models (LLMs) can inadvertently compromise access control within organizations. These models are capable of generating complex code for access control policies, such as Rego and Cedar, in just a few seconds. However, a minor oversight—like a missing condition or a fabricated attribute—can undermine the security model designed to enforce least-privilege access. This is particularly concerning for businesses that rely on strict access controls to protect sensitive data. The implications are significant, as organizations may unknowingly expose themselves to greater risks due to these automated code generation errors. As LLMs become more integrated into security processes, understanding their limitations is crucial for maintaining robust access control.

Impact: Rego, Cedar, organizational access control systems
Remediation: Organizations should review and validate any code generated by LLMs for access control policies, ensuring all conditions and attributes are accurate and align with security requirements.

CareCloud, a healthcare IT company, is investigating a cybersecurity incident that may involve a data breach within one of its electronic health record systems. While the specifics of the breach have not been fully disclosed, the company is assessing the situation to determine the scope and impact. This incident raises concerns about the security of sensitive patient information, as breaches in healthcare can lead to significant risks for individuals, including identity theft and compromised medical records. The investigation is ongoing, and CareCloud is likely to update its clients and stakeholders as more information becomes available.

Impact: Electronic health record systems
Remediation: N/A

A newly disclosed vulnerability in Telegram could allow attackers to execute code on users' devices without any interaction, making it a significant security risk. This flaw, identified by researcher Michael DePlante and tracked as ZDI-CAN-30207, has a CVSS score of 9.8, indicating its severity. Telegram has denied the existence of this issue, which raises concerns about user safety and device security. If confirmed, this vulnerability could affect millions of users who rely on Telegram for messaging. Users should remain vigilant and follow updates from Telegram regarding this potential threat.

Impact: Telegram messaging app
Remediation: N/A

A recent glitch in Lloyds Banking Group's app has exposed sensitive data of nearly 448,000 customers. During a routine update, the flaw allowed unauthorized access to transaction details and personal information, raising significant concerns about data privacy. The bank has acknowledged the issue and is investigating the extent of the exposure. Customers affected by this incident may need to monitor their accounts closely for any suspicious activity. This incident underscores the risks associated with software updates and the importance of robust security measures in protecting customer data.

Impact: Lloyds Banking Group app, customer personal and transaction data
Remediation: The bank is currently investigating the issue and has not specified particular remediation steps yet.

Dark Web Market Lists Alleged 375TB Lockheed Martin Data for $600M

Hackread – Cybersecurity News, Data Breaches, AI and More

A dark web marketplace called Threat Market is advertising a massive haul of Lockheed Martin data, claiming to have 375 terabytes of sensitive information. The alleged source of this leak is a group identifying itself as 'APT Iran.' If true, this could pose serious risks not only to Lockheed Martin but also to national security, given the company's role in defense contracts. The asking price for this data is a staggering $600 million, raising concerns about the potential for misuse. This incident underscores the ongoing threat posed by malicious actors targeting major corporations and government contractors, highlighting the need for enhanced cybersecurity measures across the industry.

Impact: Lockheed Martin data
Remediation: N/A

A serious SQL injection vulnerability, tracked as CVE-2026-21643, has been discovered in Fortinet's FortiClient Endpoint Management Server (EMS), which manages FortiClient endpoint agents across multiple platforms. This vulnerability is currently being actively exploited, as reported by Defused Cyber, a firm that specializes in threat intelligence. Although it has not yet been listed on CISA’s Known Exploited Vulnerabilities (KEV) list, the ongoing attacks pose significant risks to organizations using FortiClient EMS. Companies should take immediate action to assess their systems and implement necessary security measures to safeguard against potential breaches. The situation emphasizes the need for vigilance in monitoring and securing endpoint management solutions.

Impact: Fortinet FortiClient Endpoint Management Server (EMS)
Remediation: Organizations should promptly review their FortiClient EMS configurations and apply any available patches or updates from Fortinet. It is also advisable to implement web application firewalls (WAFs) or other intrusion prevention systems (IPS) to help mitigate SQL injection attacks. Regular vulnerability assessments and security monitoring should be conducted to identify and remediate any potential exploitation vectors.

The UK's National Cyber Security Centre (NCSC) has alerted organizations about a serious vulnerability in the F5 BIG-IP Access Policy Manager (APM). This flaw allows attackers to execute remote code without authentication, posing a significant risk to affected systems. Companies using F5 BIG-IP APM could be compromised if they do not take immediate action. The NCSC is urging organizations to implement mitigation measures to protect their networks. This vulnerability underscores the necessity for timely updates and vigilance in cybersecurity practices.

Impact: F5 BIG-IP Access Policy Manager (APM)
Remediation: Organizations are encouraged to apply available patches and implement mitigation strategies as outlined by F5.

According to GitGuardian's latest report, secrets sprawl is worsening at an alarming rate. In 2025, researchers found 29 million new hardcoded secrets in public GitHub repositories, marking a 34% increase from the previous year. This surge represents the largest single-year jump ever recorded in the analysis of billions of code commits. The report indicates that security teams are struggling to keep pace with this trend, which poses significant risks for organizations as sensitive information becomes more exposed. The findings suggest that companies need to prioritize safeguarding their codebases against this growing issue to prevent potential data breaches.

Impact: Public GitHub repositories
Remediation: Organizations should implement better secret management practices and review their code for hardcoded secrets.

The European Commission has confirmed that its cloud infrastructure supporting the Europa.eu platform was targeted in a cyberattack, which was detected on March 24. Initial investigations indicate that data was extracted from the affected websites, although there is no evidence that the Commission's internal systems were breached. This incident marks the second data breach the Commission has experienced this year, raising concerns about its cybersecurity resilience. The Commission acted quickly to contain the situation and implemented measures to protect its services and data. However, the repeated breaches prompt questions about the effectiveness of its security protocols and the potential risks to sensitive information.

Impact: Europa.eu platform, cloud infrastructure
Remediation: Risk mitigation measures were implemented to protect services and data.

Iranian hacking groups are increasingly using high-volume cyberattacks that have a low impact but can disrupt systems and services. These attacks have been enhanced by artificial intelligence, making them more effective. Affected entities include hospitals and other critical infrastructure, which are particularly vulnerable to these tactics. This trend reflects a growing integration of digital warfare in geopolitical conflicts, posing risks not only to the targeted organizations but also to public safety and national security. As these cyber threats evolve, it becomes crucial for organizations to bolster their cybersecurity measures and stay vigilant against potential attacks.

Impact: Hospitals, critical infrastructure systems
Remediation: Organizations should enhance their cybersecurity defenses, conduct regular security assessments, and train staff on recognizing potential cyber threats.

Apple has implemented a camera indicator light system designed to alert users when their device's camera is active. This feature is crucial as it protects against potential malware that could secretly access the camera to record without user consent. The article emphasizes that a dedicated hardware indicator light is more secure than a software-rendered display indicator, as it is physically connected to the camera and cannot be manipulated by malicious software. This distinction is important for users who rely on their devices for privacy and security. Overall, the design aims to enhance user awareness and control over their device's camera usage.

Impact: Apple devices with camera functionality
Remediation: N/A

F5 Networks has escalated the severity of a vulnerability in its BIG-IP Access Policy Manager (APM) from a denial-of-service issue to a critical remote code execution flaw. This vulnerability allows attackers to exploit unpatched devices and deploy webshells, which can give them unauthorized access to systems. Organizations using affected versions of BIG-IP are urged to apply the necessary patches immediately to prevent potential breaches. The exploitation of this flaw poses a significant risk, especially for businesses relying on BIG-IP for application delivery and security. With reports of active attacks already in progress, it is crucial for users to take swift action to secure their environments.

Impact: F5 BIG-IP APM
Remediation: Users should patch their systems to the latest version as specified by F5 to mitigate this vulnerability.

Google has rolled out new location privacy features in the Android 17 Beta 3, allowing users better control over their precise location data. A key addition is the location button, which enables one-time access to location information for tasks like finding nearby places or tagging content, without the need for continuous tracking. This update aims to minimize data collection practices and enhance user privacy while providing developers with the tools necessary to design safer applications. This change is particularly relevant as location data can often be sensitive, and users are increasingly concerned about how their information is used. By implementing these features, Google is responding to user demands for greater transparency and control over personal data.

Impact: Android 17 Beta 3
Remediation: N/A

Researchers from watchTowr and Defused have discovered that attackers are exploiting CVE-2026-3055, a serious vulnerability affecting Citrix NetScaler. This flaw allows unauthorized access to systems that utilize the NetScaler product, which is commonly used for application delivery and load balancing. Organizations using NetScaler are at risk, as the vulnerability is currently being actively targeted in the wild. Companies should be aware of this threat and take immediate action to protect their systems, as the consequences of exploitation could lead to significant data breaches and operational disruptions. It's crucial for affected users to stay informed and apply any available patches as soon as possible.

Impact: Citrix NetScaler products, specifically versions affected by CVE-2026-3055.
Remediation: Organizations should apply the latest security patches provided by Citrix for NetScaler. Regularly check for updates and ensure that all systems are up to date. Additionally, consider implementing network segmentation to limit exposure.