In Other News: New Android Safeguards, Operation Alice, UK Toughens Cyber Reporting

Other noteworthy stories that might have slipped under the radar: vulnerabilities found in KVM devices, Claudy Day Claude vulnerabilities, The Gentlemen ransomware group. The post In Other News: New Android Safeguards, Operation Alice, UK Toughens Cyber Reporting appeared first on SecurityWeek.

Cybersecurity News tidbits

SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape.

This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.

Here are this week’s highlights:

Sears Home Services AI chatbot databases left unprotected

Cybersecurity researcher Jeremiah Fowler discovered three unprotected, unencrypted databases exposing nearly 3.7 million customer service records tied to Sears Home Services, including logs from its AI chatbot Samantha. The leaked data included over 54,000 complete chat logs, nearly 1.4 million audio recordings of customer calls, and more than 200,000 spreadsheet logs, along with personal details like names, addresses, phone numbers, and service appointment information. Fowler notified Transformco, the parent company of Sears, and the databases were secured shortly after.

Nine vulnerabilities found in KVM devices

Eclypsium researchers uncovered nine vulnerabilities across four budget IP-KVM vendors: GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaw, found in the Angeet/Yeeso ES3, allows an attacker to remotely write arbitrary files and execute OS commands without any credentials. Because KVM devices provide keyboard, video, and mouse control at the BIOS level, a successful attacker could inject keystrokes, boot from removable media, disable Secure Boot, and bypass any OS-level security tool. JetKVM and Sipeed have issued patches, but GL-iNet has no planned fix for two of its flaws, and Angeet/Yeeso has yet to commit to a timeline.

Scammers use fake GitHub accounts to steal crypto from OpenClaw developers

Attackers created fake GitHub accounts, opened issue threads in attacker-controlled repositories, and tagged dozens of developers, claiming they had won $5,000 worth of CLAW tokens redeemable through a linked site, which turned out to be a near-identical clone of openclaw.ai rigged with a wallet-draining ‘Connect your wallet’ button. The fake accounts were created just days before the campaign launched and deleted within hours of going live, and no confirmed victims have been reported so far, according to Ox Security.

Claudy Day Claude vulnerabilities

Oasis Security discovered three vulnerabilities in Claude that, when chained together in an attack they dubbed Claudy Day, allow an attacker to silently hijack a user’s chat session and exfiltrate sensitive data with a single click. The attack works by embedding hidden instructions in a crafted claude.ai URL, wrapping it in an open redirect on claude.com to make it appear legitimate, and then running it as a Google ad — meaning a victim only needs to click what looks like a normal search result. Anthropic has patched the prompt injection flaw following responsible disclosure, but fixes for the remaining two vulnerabilities are still in progress.

Malware uses security software as cover to hunt for missile documents

Symantec and Carbon Black researchers have uncovered a stealthy new infostealer called Speagle that piggybacks on Cobra DocGuard (a document encryption platform made by Chinese firm EsafeNet). The malware only activates on machines with Cobra DocGuard installed, collecting browser history, autofill data, and system information, and at least one variant specifically searches for files that reference Chinese ballistic missiles. Researchers have attributed the campaign to a previously unknown threat actor they’re calling Runningcrab, and believe it is likely the work of either a state-sponsored group or a hired contractor, though the exact infection method remains unknown.

Ransomware group The Gentlemen

Group-IB published a detailed breakdown of The Gentlemen, a roughly 20-member ransomware-as-a-service group that came to light after one of its operators publicly accused the Qilin ransomware group of withholding $48,000 in unpaid affiliate commissions. The group primarily gains access through CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass flaw, and maintains a database of around 14,700 already-compromised FortiGate devices. Once inside a network, they use the bring-your-own-vulnerable-driver (BYOVD) technique to kill security tools at the kernel level before encrypting and exfiltrating victim data.

UK financial regulator sets new rules for reporting cyber incidents

The FCA has finalised new rules requiring financial firms to report serious cyber incidents within 24 hours of determining they meet reporting thresholds, with payment service providers facing an even tighter four-hour deadline. The regulator cited growing concern over the frequency and sophistication of attacks on the financial sector, noting that in 2025 over 40% of cyber incidents reported to the FCA involved a third party, prompting new requirements for firms to maintain and annually submit a register of their material third-party arrangements. The rules take effect in March 2027.

Operation Alice takes down 373,000 dark web domains

A 10-day international operation led by German authorities and supported by Europol shut down more than 373,000 dark web domains run by a 35-year-old man based in China, who had been operating a sprawling network of fraudulent platforms since at least 2021. The sites advertised child abuse material and cybercrime-as-a-service offerings, but delivered nothing after victims paid, netting the operator an estimated €345,000 from around 10,000 people. Authorities from 23 countries participated in the operation, and have since identified 440 customers whose purchases are now under active investigation.

Google adds scam-resistant safeguards to Android sideloading process

Google has detailed a new ‘advanced flow’ for Android that allows users to install apps from unverified developers while building in deliberate friction to protect against social engineering scams. The process requires enabling developer mode, confirming no one is coaching the user, restarting the device to cut off any active remote access, and waiting a full day before completing biometric or PIN verification — steps specifically designed to break the manufactured urgency that scammers rely on. The feature will roll out in August.
