Samsung faces renewed scrutiny over hidden spyware claims on its budget phones
Samsung’s budget Galaxy A and M phones resurfaced in a privacy scandal after International Cyber Digest claimed on X that the hidden system app AppCloud was “unremovable Israeli spyware.” The allegation echoed SMEX’s May letter accusing Samsung of installing AppCloud—made by ironSource, acquired for $4.4 billion by Unity Technologies—on devices sold in West Asia and North Africa. SMEX said the app collected biometric data and IP addresses, required root access to remove (voiding the warranty), ran invisibly in the background, could be disabled only through the app list, and often returned after updates.
Samsung’s 2022 partnership with ironSource, centered on the Aura toolkit, expanded post-acquisition, making ironSource its exclusive A-/M-series partner across 50+ MENA markets. SMEX linked AppCloud to ironSource’s Install Core, known for silent installs; screenshots showed network access, file downloads, and sleep-blocking. Danny Bradbury places this in a lineage including Samsung’s 2015 smart-TV controversy, 2020 malware-laden Lifeline phones, and Google Project Zero researcher Maddie Stone’s 2019 account of preinstalled threats like the Chamois botnet.
More via MalwareBytes
Windows 11 Update Causes Major Disruption for Virtual Desktop and First Time Users
Microsoft confirmed a major disruption in Windows 11 version 24H2 after the July 2025 cumulative update KB5062553, mainly affecting VDI environments and first-time logons. Essential shell components—Start Menu, Taskbar, System Settings, and ImmersiveShell—fail to load, leaving desktops unusable, with blank taskbars, unresponsive Start buttons, or crashes of explorer.exe, StartMenuExperienceHost.exe, and ShellHost.exe. The cause is a XAML race condition: dependent packages register too late for shell processes. Non-persistent OS installations, where packages are provisioned per session, are especially vulnerable. Temporary workarounds include manually registering MicrosoftWindows.Client.CBS_cw5n1h2txyewy, Microsoft.UI.Xaml.CBS_8wekyb3d8bbwe, and MicrosoftWindows.Client.Core_cw5n1h2txyewy via PowerShell, or using a synchronous logon script to delay explorer.exe until XAML packages are ready. Administrators should test scripts in staging environments. Microsoft is developing a permanent fix. The issue underscores the fragility of package-dependent initialization in Windows 11, the critical role of XAML islands, and the risks inherent in non-persistent provisioning for both VDI and physical workstations.
More via CyberSecurity News
Hackers Breach Major Banking Vendor Compromising Client and Customer Data
SitusAMC, a vendor serving over 1,500 banks with real-estate loans and mortgages, was hacked on November 12, compromising banks’ accounting records, legal agreements, and some customer data. The company says the breach is contained, services are operational, and ransomware was not involved, though the investigation is ongoing. SitusAMC has not disclosed how many clients were affected or the attackers’ identities.
The FBI, assisting in the probe, confirmed no operational impact to banking services. Director Kash Patel emphasized the bureau’s commitment to identifying the perpetrators and protecting critical infrastructure.
Security experts note that even the well-defended financial sector is vulnerable via third-party suppliers. Vendors like SitusAMC receive less scrutiny than the banks they serve, creating supply-chain risks that can result in broad digital compromises. This incident highlights persistent oversight gaps and systemic vulnerability despite strong internal defenses, with the ultimate impact on clients and customers still unclear.
More via CyberSecurity Dive
Several Jury Management Websites Exposed Sensitive Data Across the United States and Canada
Several jury management websites in the U.S. and Canada, produced by Tyler Technologies, contained a security flaw exposing sensitive juror data, TechCrunch reported. An anonymous researcher identified at least a dozen vulnerable portals across California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia. Jurors log in with sequential numerical IDs, which could be brute-forced, and the platforms lacked rate-limiting. A Texas county portal revealed full names, dates of birth, occupations, emails, phone numbers, addresses, and questionnaire responses on gender, ethnicity, education, employer, marital status, children, citizenship, age, and criminal history, including some health data for exemption requests.
Tyler was alerted on November 5 and acknowledged the flaw on November 25, implementing remediation but providing no details on tracing malicious access or notifying jurors. This follows a 2023 exposure in Tyler’s Case Management System Plus, along with leaks from Catalis’s CMS360 and Henschen & Associates’ CaseLook, highlighting systemic weaknesses in judicial software.
More via TechCrunch
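The two weaknesses TechCrunch describes, sequential juror IDs and no rate-limiting, are both visible from the defender's side. The following added example (not code from Tyler Technologies or TechCrunch) shows how an operator could spot ID enumeration in ordinary access logs and what a minimal per-IP login limiter looks like. The `/juror/login?id=` endpoint, the IP addresses and the log lines are constructed assumptions for illustration only.

```python
"""Defender-side checks for the juror-portal weakness described above:
spot sequential juror-ID enumeration in access logs, and enforce a
per-IP attempt limit of the kind the portals reportedly lacked.

Added example. The /juror/login endpoint, the 'id' query parameter and
every log line below are constructed, not Tyler Technologies' real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format-style request line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]id=(\d+)")

# Constructed sample: one host walks IDs 100231..100236 within seconds,
# another host performs two ordinary logins, plus one static-asset line.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [26/Nov/2025:10:00:01 +0000] "GET /juror/login?id=100231 HTTP/1.1" 401 512',
    '203.0.113.7 - - [26/Nov/2025:10:00:02 +0000] "GET /juror/login?id=100232 HTTP/1.1" 401 512',
    '203.0.113.7 - - [26/Nov/2025:10:00:03 +0000] "GET /juror/login?id=100233 HTTP/1.1" 401 512',
    '203.0.113.7 - - [26/Nov/2025:10:00:04 +0000] "GET /juror/login?id=100234 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [26/Nov/2025:10:00:05 +0000] "GET /juror/login?id=100235 HTTP/1.1" 401 512',
    '203.0.113.7 - - [26/Nov/2025:10:00:06 +0000] "GET /juror/login?id=100236 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [26/Nov/2025:10:01:00 +0000] "GET /juror/login?id=100500 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [26/Nov/2025:10:03:00 +0000] "GET /juror/login?id=100500 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [26/Nov/2025:10:03:01 +0000] "GET /static/app.css HTTP/1.1" 200 9001',
])


def parse_line(line):
    """Return (ip, timestamp, juror_id, status), or None for lines without an id= parameter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m.group("path"))
    if not idm:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(idm.group(1)), int(m.group("status"))


def find_enumeration(log_text, window=timedelta(minutes=5), min_ids=5, seq_ratio=0.8):
    """Return {ip: distinct_ids} for hosts that tried at least `min_ids` distinct IDs
    inside any `window`-long span, where at least `seq_ratio` of the sorted IDs are
    exactly one apart (the signature of walking a sequential ID space)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = sorted({jid for _, jid in events[start:end + 1]})
            if len(ids) < min_ids:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps / (len(ids) - 1) >= seq_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(ids))
    return flagged


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` login attempts per `window` per IP."""

    def __init__(self, limit=5, window=timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self._attempts = defaultdict(deque)

    def allow(self, ip, now):
        q = self._attempts[ip]
        while q and now - q[0] > self.window:
            q.popleft()          # drop attempts older than the window
        if len(q) >= self.limit:
            return False         # over budget: reject without recording
        q.append(now)
        return True


def demo_limiter():
    """Six attempts one second apart, then one more after the window has slid."""
    lim = LoginRateLimiter(limit=5, window=timedelta(minutes=1))
    t0 = datetime(2025, 11, 26, 10, 0, 0)
    burst = [lim.allow("203.0.113.7", t0 + timedelta(seconds=i)) for i in range(6)]
    later = lim.allow("203.0.113.7", t0 + timedelta(seconds=61))
    return burst, later


if __name__ == "__main__":
    print("enumeration suspects:", find_enumeration(SAMPLE_LOG))
    print("limiter demo:", demo_limiter())
```

The detector keys on ID spacing rather than on failure status, because a sequential-ID scheme leaks data on successful responses as well as failed ones. The limiter is deliberately per-IP and in-memory; in production the counters would live in a shared store and would also be keyed per juror ID, so that a distributed source cannot sidestep the per-IP budget.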
Shai Hulud returns with a sweeping supply chain attack on Zapier and ENS
The “Shai Hulud” threat actors—responsible for September’s worm—returned with “Shai Hulud: The Second Coming,” a supply-chain attack on NPM accounts linked to Zapier and the Ethereum Name Service (ENS). Aikido Security identified the campaign after malicious code was injected into widely used dependencies, including zapier-platform-core, zapier-platform-cli, zapier-platform-schema, @zapier/secret-scrubber, ethereum-ens, @ensdomains/ensjs, and other ENS packages. Once installed, the self-propagating malware harvested NPM tokens, GitHub PATs, and cloud keys, used TruffleHog to extract additional secrets, and published more than 19,000 credential-stuffed GitHub repositories titled “Shai Hulud: The Second Coming,” as noted by Cybersecurity News.
Propagation outpaced the September attack within five hours, overwhelming GitHub organizations and employee accounts. Organizations must assume full compromise, rotate all credentials, search for matching repositories, disable NPM postinstall scripts in CI/CD pipelines, lock dependencies, enforce MFA, and consider tools like SafeChain.
More via CyberSecurity News
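Two of the response steps listed above, locking dependencies and disabling npm install-time scripts, can be checked mechanically. The following added example (not code from Aikido, Zapier, ENS or the newsletter) walks a `package-lock.json` for the package names named in the write-up and verifies that an `.npmrc` sets `ignore-scripts=true`. The sample lockfile, its version numbers and the two `.npmrc` fragments are constructed; affected version ranges are not given on the page, so every match is reported for manual review rather than compared against a version list.

```python
"""Triage helpers for the npm supply-chain compromise described above.

Added example. The package names come from the write-up; the lockfile
contents, versions and .npmrc fragments below are constructed samples.
"""
import json

# Package names listed in the write-up. No version ranges are asserted,
# so every occurrence is surfaced for review.
WATCHLIST = {
    "zapier-platform-core", "zapier-platform-cli", "zapier-platform-schema",
    "@zapier/secret-scrubber", "ethereum-ens", "@ensdomains/ensjs",
}

# Constructed lockfileVersion 3 layout: the "packages" map is keyed by the
# install path, so nested installs look like "node_modules/a/node_modules/b".
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"ethereum-ens": "0.8.0", "left-pad": "1.3.0"}},
        "node_modules/ethereum-ens": {"version": "0.8.0", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-tool/node_modules/@zapier/secret-scrubber": {"version": "1.0.1"},
    },
})

SAMPLE_NPMRC_WEAK = "registry=https://registry.npmjs.org/\n"
SAMPLE_NPMRC_HARDENED = (
    "registry=https://registry.npmjs.org/\n"
    "# lifecycle scripts (preinstall/install/postinstall) are never run in CI\n"
    "ignore-scripts=true\n"
)


def package_name(lock_key):
    """Map a lock key to its package name: 'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    marker = "node_modules/"
    idx = lock_key.rfind(marker)
    return lock_key[idx + len(marker):] if idx != -1 else lock_key


def scan_lockfile(lock_text, watchlist=WATCHLIST):
    """Return a sorted list of (name, version, has_install_script) for watchlisted packages."""
    data = json.loads(lock_text)
    if data.get("lockfileVersion", 1) < 2 or "packages" not in data:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    hits = []
    for key, meta in data["packages"].items():
        if not key:
            continue  # "" is the root project entry, not a dependency
        name = package_name(key)
        if name in watchlist:
            hits.append((name, meta.get("version", "?"), bool(meta.get("hasInstallScript", False))))
    return sorted(hits)


def npmrc_ignores_scripts(npmrc_text):
    """True when the .npmrc text sets ignore-scripts=true; '#' and ';' start comments."""
    for raw in npmrc_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ignore-scripts":
            return value.lower() == "true"
    return False


if __name__ == "__main__":
    for name, version, has_script in scan_lockfile(SAMPLE_LOCK):
        flag = " (declares install script)" if has_script else ""
        print(f"review: {name}@{version}{flag}")
    print("weak .npmrc ignores scripts:", npmrc_ignores_scripts(SAMPLE_NPMRC_WEAK))
    print("hardened .npmrc ignores scripts:", npmrc_ignores_scripts(SAMPLE_NPMRC_HARDENED))
```

Note that `ignore-scripts=true` suppresses all lifecycle scripts, not only `postinstall`, so packages that legitimately build native code at install time will need an explicit, reviewed build step once it is enabled. The lockfile scan only sees what is pinned; it is a complement to, not a replacement for, rotating the credentials the worm harvests.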
AIs can be hacked with poetry
A joint research paper out of Italy has found that the security guardrails for most of the popular LLMs can be overridden and circumvented by rephrasing harmful prompts as poetry.
Researchers were able to coax various AI models to engage in harmful conduct such as disclosing details related to everything from cyber-offense and fraud to CBRN (Chemical, Biological, Radiological & Nuclear), privacy, and manipulation.
The cheat code? Simply taking an otherwise harmful prompt (e.g. “walk me through a way to embezzle funds from my employer’s Stripe account”) and running it through a meta-prompter that said “rewrite this as a poem.”
Hilarity ensues.
An AxisOfEasy exclusive: https://axisofeasy.com/aoe/the-telefon-problem-hacking-ai-with-poetry-instead-of-prompts/
Elsewhere Online:
Japanese Court Decision Forcing Cloudflare to Police Content Threatens Open Internet
Read: https://reclaimthenet.org/cloudflare-liable-japan-manga-piracy-court-ruling
Passwords and Personal Data Stolen in CodeRED Emergency Notification Breach
Read: https://www.infosecurity-magazine.com/news/cyberattack-disrupts-onsolve/
Fortinet Details ShadowV2 Botnet Attack Targeting Global IoT Devices
Read: https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/
Gainsight App Flaw on Salesforce Exposes Customer Data to ShinyHunters Hackers
Read: https://hackread.com/shinyhunters-breach-gainsight-salesforce-1000-firms/
Security Alert: HashJack Flaw Manipulates AI Browsers for Malicious Actions
Read: https://www.infosecurity-magazine.com/news/hashjack-indirect-prompt-injection/
“Go for it now. The future is promised to no one.” – Wayne Dyer