At a glance.
- Top US officials mistakenly leaked war plans on Signal.
- Mozilla patches Firefox flaw similar to actively exploited Chrome vulnerability.
- Kubernetes patches critical RCE flaws affecting 43% of cloud environments.
- Fake headhunting firms linked to China target former US Federal workers.
Top US officials mistakenly leaked war plans on Signal.
Senior Trump Administration officials, including Secretary of Defense Pete Hegseth, Vice President JD Vance, and national security advisor Mike Waltz, leaked war plans by mistakenly adding The Atlantic's editor-in-chief Jeffrey Goldberg to their Signal chat. Goldberg was added to the chat by Waltz, whose future as national security advisor is now in doubt, according to POLITICO. The officials used the chat to discuss the upcoming bombing campaign against the Houthis in Yemen. Goldberg says he assumed the chat was fake until the bombing began several hours later. The messages included "precise information about weapons packages, targets, and timing."
The National Security Council said in a statement, "At this time, the message thread that was reported appears to be authentic, and we are reviewing how an inadvertent number was added to the chain." While Signal is considered one of the most secure publicly available messaging apps, the BBC notes that its use by government officials to share classified information may have violated federal laws such as the Espionage Act.
Mozilla patches Firefox flaw similar to actively exploited Chrome vulnerability.
Mozilla has issued a patch for a critical Firefox vulnerability that could allow attackers to perform sandbox escapes on Windows, The Register reports. The flaw is similar to an actively exploited vulnerability (CVE-2025-2783) patched by Google in the Chrome browser earlier this week. The Chrome vulnerability, which Kaspersky says was being exploited to target Russian entities and individuals, enabled attackers to bypass the browser's sandbox protections as soon as the victim clicked on a phishing link.
Mozilla stated, "Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our inter-process communication (IPC) code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape."
Kubernetes patches critical RCE flaws affecting 43% of cloud environments.
Researchers at Wiz discovered four unauthenticated remote code execution vulnerabilities affecting Ingress NGINX Controller for Kubernetes. Wiz says exploitation of the flaws "leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover." The attack vector, dubbed "#IngressNightmare," has been assigned a CVSS score of 9.8. The researchers warn that approximately 43% of cloud environments are vulnerable, and users of Ingress NGINX should apply the patches immediately.
Fake headhunting firms linked to China target former US Federal workers.
Reuters reports that a secretive Chinese tech company is using several fake consulting and headhunting firms to target recently laid-off US government workers and AI researchers. It's unclear if the company is tied to the Chinese government, but Reuters notes that the activity aligns with techniques used by previous Chinese intelligence operations.
Reuters cites intelligence analysts who explained that, "[o]nce employed by the network, federal employees could then be asked to share increasingly sensitive information about government operations, or recommend additional people who might be targeted for willing or unwitting participation." One of the phony job postings, for example, seeks an HR specialist who can "utilize a deep understanding of the Washington talent pool to identify candidates with policy or consulting experience," and "leverage connections to local professional networks, think tanks, and academic institutions."
Courts and torts.
Controversial facial recognition company Clearview AI has settled a class-action privacy lawsuit for an estimated $50 million in damages. The case alleged that Clearview violated the state of Illinois's Biometric Privacy Act by scraping images of people's faces from the web and selling them without consent. Clearview does not acknowledge liability under the settlement. The Record notes that the "unusual financial structure for the deal gives plaintiffs and their lawyers a stake in Clearview’s future value instead of a lump sum payment." The company did not have the funds for a normal class action payout since nearly every American could be considered a class member. Twenty-two US states and the District of Columbia had fought the settlement, arguing that it did not impose injunctive relief to prevent future privacy violations.