ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories

Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it’s normal. Some of these attack chains don’t even feel sophisticated anymore. More like...

Roblox clamps down on chats and age checks as legal pressure builds

Roblox has long faced criticism over child safety on its platform. Now it has started settling with state attorneys over the issue, and the total is climbing fast. On April 21, Alabama Attorney General Steve Marshall announced a $12.2 million settlement with the child-focused online gaming...

Malicious code in @oec-settlement/react-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4beeacddc1773c8aefad734c472151284b868e3a06f4be8886763a0caebb121a The package @oec-settlement/react-router was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-2978 Malicious code in @oec-settlement/react-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4beeacddc1773c8aefad734c472151284b868e3a06f4be8886763a0caebb121a The package @oec-settlement/react-router was found to contain malicious code. Source: ossf-package-analysis...

CVE-2026-4931

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost...

CVE-2026-4931 CVE-2026-4931

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost...

CVE-2026-4931

CVE-2026-4931 affects Smart contract Marginal v1, where an unsafe downcast in the contract enables attackers to settle a large debt position for a negligible asset cost. The publicly reported descriptions (NVD, Red Hat, ENISA EUVD, CNNVD, CVE lists) consistently state the same vulnerability and i...

CVE-2026-4931 CVE-2026-4931

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost...

CVE-2026-4931

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost...

PT-2026-30899

Name of the Vulnerable Software and Affected Versions Smart contract Marginal v1 affected versions not specified Description The Smart contract Marginal v1 contains an unsafe downcast issue. This allows attackers to settle a large debt position for a negligible asset cost. Recommendations At the...

Is your phone listening to you? (re-air) (Lock and Code S07E03)

This week on the Lock and Code podcast … In January, Google settled a lawsuit that pricked up a few ears: It agreed to pay $68 million to a wide array of people who sued the company together, alleging that Google's voice-activated smart assistant had secretly recorded their conversations, which...

A week in security (January 19 – January 25)

Last week on Malwarebytes Labs: Spammers abuse Zendesk to flood inboxes with legitimate-looking emails, but why? Fake LastPass maintenance emails target users Under Armour ransomware breach: data of 72 million customers appears on the dark web Can you use too many LOLBins to drop some RATs?...

Google to Pay $8.25M Settlement Over Child Data Tracking in Play Store

Is your child's data safe? Google settles for $8.25M over claims it tracked kids under 13 without parental…...

Disney fined $10m for mislabeling kids’ YouTube videos and violating privacy law

Disney will pay a $10m settlement over allegations that it violated kids' privacy rights, the Federal Trade Commission FTC said this week. The agreement, first proposed in September 2025, resolves a dispute over Disney's labeling of child-targeted content on YouTube. The thousands of YouTube vide...

EUVD-2006-6858

Malware in sbrugna...

EUVD-2021-22165

Malware in sbrugna...

Google and Flo to pay $56 million after misusing users’ health data

Popular period-tracking app Flo Health shared users’ intimate health data—such as menstrual cycles and fertility information—with Google and Meta, allegedly for targeted advertising purposes, according to multiple class-action lawsuits filed in the US and Canada. Between 2016 and 2019, the...

Google misled users about their privacy and now owes them $425m, says court

A court has ordered Google to pay $425m in a class action lawsuit after it was found to have misled users about their online privacy. In July 2020, Google user Anibal Rodriguez filed a lawsuit against the search giant, arguing that it misled users with its "Web & App Activity" setting. The settin...

Google settles YouTube lawsuit over kids’ privacy invasion and data collection

Google has agreed to a $30 million settlement in the US over allegations that it illegally collected data from underage YouTube users for targeted advertising. The lawsuit claims Google tracked the personal information of children under 13 without proper parental consent, which is a violation of...

A week in security (July 14 – July 20)

Last week on Malwarebytes Labs: Meta execs pay the pain away with $8 billion privacy settlement Adoption agency leaks over a million records Meta AI chatbot bug could have allowed anyone to see private conversations WeTransfer walks back clause that said it would train AI on your files Chrome fix...