Vaultjacking Phishing Attack: How Hackers Steal Google Password Manager Vaults

Posted on May 28, 2026 by TempMail Ninja

For years, the cybersecurity industry has championed passkeys as the ultimate silver bullet to kill phishing. Cryptographically bound to specific website origins, passkeys theoretically represent an unphishable credential. However, a groundbreaking discovery by security researchers has shattered this security assumption. The newly documented Vaultjacking phishing technique, uncovered by researchers at the cybersecurity firm PhishU, has demonstrated how attackers can bypass origin-bound passkey protections entirely to empty a user’s entire Google Password Manager (GPM) vault in a single strike. By targeting the underlying cloud synchronization layer rather than individual login portals, this exploit represents a paradigm shift in modern credential theft.

The Achilles’ Heel of Centralized Credential Sync

To understand the mechanics of this threat, one must first appreciate the inherent tension between convenience and absolute security in modern credential management. Google Password Manager is built to be seamless. When a user saves a password or registers a passkey on their Android phone or Chromebook, they expect that credential to be instantly available on their Windows laptop running Chrome. To achieve this cross-device synchronization without compromising privacy, Google employs end-to-end encryption. The synced vault is encrypted in the cloud and can only be decrypted by devices that belong to the user’s “Security Domain.”

The core architectural vulnerability that enables the Vaultjacking phishing attack lies in Google’s lost-device recovery mechanism. If a user loses all their trusted devices, Google allows them to re-establish access to their encrypted security domain using a 6-digit Google Password Manager PIN. Rather than requiring physical, out-of-band hardware validation or a multi-party push approval from another active device, Google relies on this short numerical PIN to unlock the cryptographic keys stored in the cloud. This design decision, while highly user-friendly, creates a critical single point of failure that sophisticated threat actors are now actively exploiting.

Anatomy of the Vaultjacking Phishing Attack Chain

A Vaultjacking attack is a highly coordinated, multi-stage operation that combines social engineering, Adversary-in-the-Middle (AiTM) infrastructure, and advanced endpoint emulation. The attack sequence operates as follows:

1. Adversary-in-the-Middle (AiTM) Interception

The compromise begins when a victim is lured to a sophisticated phishing landing page. Utilizing modern AiTM frameworks (such as PhishU or Evilginx), the attacker acts as a proxy between the victim and the legitimate Google authentication servers. As the victim enters their primary Google credentials and completes any required multi-factor authentication (MFA) prompts, the proxy captures the active session cookies. At this point, the attacker has gained temporary access to the victim’s Google account session.

2. The Spoofed Google Password Manager Prompt

Once the session is intercepted, the attacker’s proxy does not immediately redirect the user to their inbox. Instead, the proxy injects a perfectly styled, highly convincing modal window into the user’s browser. This modal mimics Google’s native system prompt, claiming that the user must verify their identity by entering their 6-digit Google Password Manager PIN to restore sync settings or access their saved data. Because the prompt appears within the context of what looks like a legitimate Google session, even highly trained users struggle to identify the deception.

3. Retrieving the Security Domain Secret

The moment the victim types their 6-digit PIN, the attacker’s infrastructure forwards it directly to Google’s authentic Security Token Service (STS) along with the hijacked session cookies. Because the session is active and the PIN is correct, Google’s backend assumes a legitimate recovery process is occurring. In response, the Security Token Service releases the “Security Domain Secret” (also referred to as the Security Level Secret). This secret is the master cryptographic key required to decrypt the end-to-end encrypted synced vault in the cloud.

4. Automated Attacker Device Provisioning

With the Security Domain Secret in hand, the attacker’s automated background worker immediately takes action. The attacker’s server uses the captured secret to silently register a new, attacker-controlled passkey directly onto the victim’s Google account. This is the pivotal moment of the attack: by registering their own credential, the threat actor establishes a permanent, cryptographically signed foothold in the user’s Google account security domain.

5. Cloning and Decrypting the Vault via Virtual TPM

To finalize the theft, the attacker utilizes a containerized virtual machine (typically running Windows) equipped with a virtualized Trusted Platform Module (vTPM). By presenting the newly registered passkey and the captured Security Domain Secret, the virtualized environment successfully joins the victim’s Google security domain as a trusted device. The attacker’s infrastructure then silently clones the entire synced credential vault, decrypting every single stored password, passkey, and credit card number in a matter of seconds.

Why Vaultjacking Bypasses Next-Gen Defenses

What makes the Vaultjacking phishing technique exceptionally dangerous is its ability to render modern and upcoming security protocols completely ineffective. Security professionals must understand the unique characteristics that distinguish this threat from traditional phishing attacks:

  • No Malware Required: Unlike traditional info-stealers (such as RedLine or Lumma) that require a victim to download and execute a malicious payload, Vaultjacking is entirely browser-based. It requires zero pre-existing foothold or administrative privileges on the victim’s local machine.
  • Defeating Device Bound Session Credentials (DBSC): Google has been actively developing DBSC, a protocol designed to cryptographically bind session cookies to a specific device’s hardware TPM, making cookie theft useless. However, because Vaultjacking registers a new trusted device and passkey into the security domain using the hijacked PIN, the attacker establishes their own independent cryptographic root of trust. DBSC is bypassed because the attacker no longer relies on the victim’s stolen session cookie to maintain access.
  • Permanent, Long-Term Persistence: Once the attacker’s virtual device is joined to the security domain, their access survives standard remediation steps. Even if the victim resets their primary Google password, clears all active web sessions, or revokes active browser cookies, the attacker’s registered passkey remains active within the security domain, allowing them to continue silently pulling updated vault data.

The Mass Exposure of the Synced “Blast Radius”

The implications of a successful Vaultjacking attack are catastrophic for both individuals and enterprises. Historically, a phishing attack on a Google account exposed emails, drive documents, and cloud files. While severe, the damage was largely contained to Google’s ecosystem.

With Vaultjacking, the blast radius is absolute. Because Google Password Manager is natively integrated into the Chrome browser and Android operating system, users frequently use it to store high-value credentials for third-party services. A single phished 6-digit PIN grants the attacker immediate access to:

  1. Corporate Single Sign-On (SSO) Portals: Bypassing enterprise security boundaries to access internal tools, source code repositories, and proprietary databases.
  2. Financial and Banking Institutions: Gaining access to personal bank accounts, cryptocurrency wallets, and payment gateways.
  3. Social Media and Communication Channels: Hijacking identities for secondary social engineering or corporate espionage.
  4. Third-Party Passkeys: While individual third-party passkeys are origin-bound and cannot be phished individually, the synchronization layer stores them in an encrypted state. By cloning the entire synchronized vault, the attacker gains the private cryptographic keys for every synced passkey stored in the vault.

Mitigation Strategies and Defensive Best Practices

Defending against the Vaultjacking phishing threat requires a fundamental shift in how organizations and individuals handle credential synchronization. Standard employee security awareness training is no longer sufficient; technical guardrails must be enforced to protect high-value targets.

Enforce Hardware-Based Security Keys

The most effective defense against Vaultjacking is preventing the initial AiTM session hijack. Organizations should mandate the use of physical, hardware-based FIDO2 security keys (such as YubiKeys) for all employee Google accounts. Unlike software-based multi-factor authentication, physical security keys enforce strict origin-binding during the initial login phase. Because a hardware key will refuse to authenticate on a spoofed or proxied domain, the attacker cannot capture the active session cookies required to initiate the Vaultjacking attack chain.

Isolate and Audit Google Security Domains

IT administrators must monitor Google Workspace logs for anomalous device registrations and security domain modifications. The following behaviors should trigger immediate, high-priority security alerts:

  • The registration of a new recovery device or passkey from an unrecognized IP address or geographic location.
  • The access of Google Password Manager settings immediately following a login from a new browser session.
  • A sudden surge in credential synchronization requests from containerized or virtualized operating systems.

Transition to Enterprise-Grade, Non-Synced Vaults

For enterprise environments, relying on browser-based, consumer-centric password managers introduces unacceptable risks. Security leaders should transition employees to dedicated enterprise password managers that enforce strict access controls. These platforms should disallow recovery via simple numerical PINs, instead requiring multi-user recovery keys, out-of-band approvals, or integration with centralized identity providers that utilize robust conditional access policies.

Conclusion: The Evolution of the Phishing Arms Race

The emergence of the Vaultjacking phishing technique serves as a stark reminder that security is only as strong as its weakest link. As defenders implement increasingly robust origin-bound authentication mechanisms like passkeys, adversaries will naturally pivot to target the trust boundaries of the recovery and synchronization layers. To secure the digital landscape of tomorrow, technology providers must design synchronization protocols that prioritize cryptographically verified out-of-band approvals over simple, phishable numerical PINs. Until then, vigilant monitoring and hardware-enforced FIDO2 security keys remain the industry’s strongest shield against this devastating new threat vector.

Posted in Data Protection, Security & Privacy | Tagged , , , | Leave a comment

Mobile Privacy Settings: Protecting Your Data from Foreign Surveillance

Posted on May 28, 2026 by TempMail Ninja

The disclosure on May 28, 2026, by U.S. Senator Ron Wyden (D-Ore.), Representative Pat Harrigan (R-N.C.), and a bipartisan coalition of lawmakers marked a tectonic shift in how we perceive consumer technology. For the first time, official communications from U.S. Central Command (CENTCOM) confirmed that hostile foreign adversaries are actively leveraging commercially available smartphone location data to target, track, and surveil American military personnel in active conflict zones. This revelation exposes a chilling reality: the very commercial adtech ecosystem designed to serve targeted retail advertisements has been weaponized into a high-precision military intelligence and targeting system. In an era where everyday consumer software continuously broadcasts raw telemetry, auditing device configurations is no longer an optional chore for the tech-savvy. It is a vital act of physical self-defense. To protect your digital footprint from being brokered on the open market, auditing and tightening your mobile privacy settings must become your immediate priority.

The Weaponization of the Bidstream: How Adtech Became a National Security Threat

The threat vector does not stem from sophisticated military spyware, but from the quiet, pervasive mechanism of modern digital capitalism: the Real-Time Bidding (RTB) protocol. Every time a mobile application or browser page loads a banner advertisement, an instantaneous auction occurs behind the scenes. In milliseconds, the app broadcasts a bid request to hundreds of adtech companies. This packet of digital exhaust regularly contains precise GPS coordinates, active Wi-Fi MAC addresses, local mobile network signals, device models, and a unique device-specific advertising identifier.

According to the congressional release on May 28, 2026, CENTCOM acknowledged receiving multiple threat reports regarding the exploitation of this highly detailed commercial metadata during military hotspots, including sensitive operations in the Middle East where tensions remain high. Hostile actors do not need to hack a device; they simply purchase this readily available location data from unregulated data brokers. By stitching together timestamps and precise coordinate histories, adversaries can map out “pattern of life” diagnostics. They use this intelligence to identify where U.S. troops congregate, plot their transit routes, and launch devastatingly precise physical attacks using drones, missiles, and roadside bombs. As Senator Wyden bluntly stated, it is time to “start treating the adtech industry as a national security threat”.

Defending the Digital Perimeter: Essential Mobile Privacy Settings

To sever the connection between your physical movements and the data brokers capitalizing on them, you must systematically dismantle the tracking hooks embedded within your smartphone. Restricting the flow of metadata requires a manual, deep-dive audit of your device’s operating system.

Deactivating and Deleting Mobile Advertising Identifiers

The cornerstone of commercial tracking is the mobile advertising identifier—a unique alphanumeric string assigned to your phone that allows ad networks to stitch disparate app habits, search history, and location logs into a single, unified profile. Disabling this identifier effectively anonymizes your device’s broadcast traffic:

  • Android Devices: Open the system Settings, navigate to Privacy, select Ads, and tap Delete advertising ID. This action instructs the Android operating system to completely destroy your Google Advertising ID (GAID), replacing it with a string of zeros. This prevents ad networks from correlating your multi-app activities.
  • iOS Devices: Open Settings, navigate to Privacy & Security, tap Tracking, and toggle Allow Apps to Request to Track to the OFF position. This global switch automatically denies all apps access to your device’s IDFA (Identifier for Advertisers), forcing them to treat your device as untrackable by default.

Auditing Location Services and Purging Movement History

Modern mobile operating systems log your physical interactions with the real world under the guise of convenience. This persistent logging creates a highly dangerous chronological map of your daily life.

  • Disable iOS “Significant Locations”: Under Apple’s operating systems, including the latest iOS 26 updates, your device quietly logs the specific shops, restaurants, and landmarks you physically frequent under the “Visited Places” telemetry. To purge this data and prevent further logging, navigate to Settings > Privacy & Security > Location Services > System Services > Significant Locations. Authenticate with FaceID, select Clear History, and toggle the feature completely OFF. Alternatively, you can reject the initial setup prompt when opening the native Maps application to decline this storage feature.
  • Enforce Strict App-Level Permissions: Go to your system’s location manager. Audit every application that has requested access to your GPS. Change permissions from “Always Allow” to “While Using” or “Never.” Furthermore, disable the Precise Location toggle for any application that does not strictly require physical coordinates down to the meter—including social media networks, retail apps, streaming platforms, and web browsers.

Escaping Data-Harvesting Browsers and Hardening Web Audits

A significant portion of metadata leaks occur through commercial web browsers that are engineered to track user behaviors. During the congressional inquiry, Representative Pat Harrigan (R-N.C.), a former U.S. Army Special Forces officer, warned that mainstream browsers like Google Chrome are structurally “built from the ground up to collect and share user data”. Every day these applications remain unconfigured or active on government and personal devices represents an active intelligence leak.

For robust protection, security experts recommend transitioning away from mainstream browsers to privacy-centric, hardened alternatives:

  1. Brave Browser: Integrates aggressive, native blocking of third-party trackers, scripts, and fingerprinting protocols by default.
  2. DuckDuckGo Private Browser: Automatically strips tracking parameters from URLs and blocks hidden trackers across the web.
  3. Vanadium Browser: The default browser for GrapheneOS (a highly secure, sandboxed Android fork), which offers state-of-the-art exploit mitigations and strict origin isolation.

If operational requirements necessitate the use of Google Chrome, you must manually perform a rigorous privacy audit to limit its tracking capabilities:

  • Block Third-Party Cookies: Open Chrome, go to Settings > Privacy and security > Third-party cookies, and select Block third-party cookies. This halts cross-site tracking scripts from monitoring your browsing patterns across different domains.
  • Pause Google Tracking Activity: Navigate to myactivity.google.com using your authenticated browser. Manually toggle off and pause Web & App Activity and Location History. Ensure you clear all existing historical logs stored on Google’s servers.

The Legal Firewall: Utilizing California’s DROP Tool

While manual device configurations protect you from future tracking, they do not erase the massive archives of personal metadata already compiled by data brokers. For residents of California, a powerful new state-level platform offers a systemic solution.

Under the landmark California Delete Act of 2023, the California Privacy Protection Agency (CalPrivacy) officially launched the Delete Request and Opt-out Platform (DROP) on January 1, 2026. This free, state-administered tool allows California residents to assert their digital rights with unprecedented ease. By verifying your residency through the secure California Identity Gateway (utilizing trusted verification services like Login.gov) and inputting

Posted in Security & Privacy, Social Media & Big Tech | Tagged , , , | Leave a comment

Harambe’s Death Commemorated by White House as ‘True Patriot’

Posted on May 28, 2026 by TempMail Ninja

Wait, let’s complete the thought. I need to make sure the word count is very robust, up to 1200-1400 words. Let’s add more political context.
Let’s talk about the history of political engagement with Harambe.
During the initial 2016 incident, even Donald Trump (who was then the Republican presidential candidate) commented on the incident, telling reporters that it was “so beautiful to watch” the gorilla with the child, describing it as “almost like a mother holding a baby,” but acknowledging that the zoo had to make a tough choice. Ten years later, the political continuum has fully embraced the surreal.

Let’s expand each section with incredibly rich vocabulary, highly detailed analytical language, and ensure it reads like a “premier, long-form editorial article”.

Let’s do a quick calculation of the word count in the actual output. I will write a massive, highly expressive piece of journalism.
Let’s make sure it contains no Markdown backticks at all, as requested. “Return the article content as RAW HTML ONLY. Do not use Markdown code blocks (like “`html). Do not provide JSON or any other text.”

Let’s do a final review of the rules:
– Focus keyword: “Harambe’s death”
– First 10%: yes, in the first paragraph.
– In at least one subheading: yes, in the first `

`.
– `` for emphasis: yes.
– `

    ` or `

      ` for data: yes,

Posted in Internet Curiosities, Resources & Culture | Tagged , , , | Leave a comment

T-Mobile T-Fiber Outage: Widespread Connectivity Issues Hit East Coast

Posted on May 28, 2026 by TempMail Ninja

In the early morning hours of Thursday, May 28, 2026, a silent digital blackout began rippling through households and offices across the Mid-Atlantic and East Coast of the United States. For thousands of subscribers reliant on T-Mobile T-Fiber, the carrier’s newly minted gigabit fiber-optic home internet service, the connection suddenly buckled. What began as a suspected late-night glitch rapidly escalated into a severe, multi-day service crisis that dragged on for more than 40 continuous hours, only stabilizing late in the evening of Friday, May 29. For a brand positioning itself as the modern, consumer-first alternative to legacy cable giants, the prolonged outage and subsequent communication breakdown exposed critical vulnerabilities in both its inherited network infrastructure and its centralized customer support apparatus.

Anatomy of a “Partial Blackout”: The Technical Mystery

The technical characteristics of the disruption perplexed both residential users and network administrators. Unlike typical broadband outages, which are commonly triggered by physical fiber-optic line cuts from construction equipment or severe weather, this incident left the physical layer completely intact. Subscribers reported that their Optical Network Terminals (ONTs) and home gateway routers displayed solid green status lights, indicating a healthy, uninterrupted laser link to the local Central Office (CO).

Instead of a total loss of carrier signal, customers were subjected to a highly unusual “partial blackout”. The network exhibited selective packet routing behavior:

  • Unreachable Services: Critical work-from-home tools (such as Slack, Microsoft Teams, and Zoom), Google Ecosystem services (including Gmail, YouTube, and Google Home/Nest displays), Facebook, and major news portals (like NBC News) refused to load entirely or timed out during the SSL handshake.
  • Accessible Services: Select platforms, most notably X (formerly Twitter), remained occasionally reachable, leading many frustrated users to coordinate troubleshooting efforts and document the event in real-time.

Initially, network hobbyists and self-hosters suspected a massive Domain Name System (DNS) resolution failure. However, manual overrides to public DNS servers (such as Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8) failed to bypass the bottleneck. While T-Mobile initially remained tight-lipped regarding the root cause, internal communications and updates sent to subscribers later confirmed that the issue was localized to a critical hardware failure. In one of the detailed email updates sent on May 28, T-Mobile noted, “We replaced hardware earlier today and saw some customers come back online, but we’re not done yet. Some connections are still unstable… This has turned out to be more complex than expected.” This suggested a deeper layer-2 or layer-3 routing table collapse or a hardware-level packet forwarding failure at a regional gateway aggregation point.

Inside the T-Mobile T-Fiber Infrastructure: What Went Wrong?

To understand why this specific outage occurred, one must look at the underlying architecture of the T-Mobile T-Fiber network. Behind the shiny corporate branding lies a patchwork of regional fiber networks that T-Mobile has aggressively acquired and unified under its banner. In early 2025, T-Mobile entered into a massive $950 million joint venture with investment firm EQT to acquire Lumos Fiber, a regional fiber provider operating primarily in North Carolina, South Carolina, and Virginia. Shortly thereafter, the company finalized acquisitions of other regional giants, including Metronet, consolidating these distinct fiber networks into a single national product brand: T-Fiber.

However, industry sources reveal that behind-the-scenes integration is far from seamless. While marketed under a unified umbrella, the acquired networks largely continue to operate as independent silos. Legacy Lumos engineers, who are now rebranded as T-Fiber engineers, still manage the legacy Lumos footprint using their original, localized core routing architecture. During this multi-day crisis, the outage was strictly confined to the former Lumos market footprint, leaving Metronet legacy customers and T-Mobile’s massive 5G Home Internet fixed-wireless customer base largely unaffected. This structural division highlights the significant “growing pains” that occur when a massive national wireless carrier attempts to stitch together and manage regional fiber networks under a centralized corporate structure.

Chronology of the Outage (May 28 – May 29, 2026)

The timeline of the service failure illustrates how difficult it was for T-Fiber’s engineering teams to diagnose and isolate the root cause of the routing failure:

  1. Thursday, May 28, 1:00 AM ET: Customers in North Carolina, South Carolina, and Virginia report sudden connectivity drops. Smart home devices disconnect, and major websites fail to load.
  2. Thursday, May 28, 3:00 AM – 4:00 AM ET: A brief stabilization occurs, prompting automated systems to believe the issue is resolved. However, as the morning peak approaches, complaints on platforms like Downdetector surge.
  3. Thursday, May 28, 2:26 PM ET: T-Mobile issues partial restoration emails to customers in the Greensboro/Triad region, though thousands remain offline or experience severely degraded, unusable speeds.
  4. Friday, May 29, 3:30 AM ET: An automated email goes out to affected subscribers claiming the issue has been successfully resolved, sparking widespread anger as users wake up to find their internet still non-functional.
  5. Friday, May 29, 7:45 PM ET: Intermittent routing issues persist. Major sites like Facebook and news portals continue to experience extreme latency or outright failure to resolve.
  6. Friday, May 29, 8:15 PM ET: Engineers stabilize the regional core network. Normal traffic routing is fully restored, concluding a grueling 43-hour ordeal.

Silence and Automated Gaslighting: The Communication Breakdown

While network outages are an inevitable reality of complex digital infrastructure, the severity of the backlash against T-Mobile was compounded by a perceived lack of transparency, proactive communication, and customer support coordination. Unlike established wireline ISPs, T-Mobile does not operate a dedicated, public status page for its T-Fiber service. Customers attempting to verify if the issue was localized to their home or part of a wider system failure were left completely in the dark, with no official regional dashboard to consult.

This forced thousands of frustrated users to inundate telephone support queues. Hold times quickly swelled to over two hours. When subscribers finally reached a human operator, many were met with scripted, canned responses from representatives who appeared to have no real-time visibility into the fiber network’s engineering status. On social media, T-Mobile’s support accounts (such as @TMobileHelp on X) restricted their communications almost exclusively to direct messages (DMs), effectively hiding the scope of the crisis and leaving no public archive of their troubleshooting progress or estimated time of restoration (ETR).

The most egregious point of frustration for many was the automated email communication. Early in the morning of May 28, and again on May 29, T-Mobile sent mass automated emails to affected subscribers claiming that the issue was fully resolved, even as remote workers were actively scrambling to tether their laptops to unstable cellular hotspots. For many legacy Lumos customers—who had enjoyed years of pristine, uninterrupted service before the corporate transition—the incident was a frustrating introduction to the realities of big telecom customer management.

Corporate Consolidation and the Future of Regional Broadband

The multi-day T-Fiber collapse has reignited a fierce national debate regarding the rapid consolidation of regional internet service providers by major wireless carriers. Over the past several years, the telecommunications landscape has shifted dramatically as wireless giants seek to bundle fixed-fiber broadband with cellular plans to reduce customer churn. While corporate consolidation often promises increased capital investment and faster deployment of fiber-to-the-home (FTTH) infrastructure, critics argue it frequently results in a decline in customer service quality and localized technical accountability.

Prior to its acquisition by T-Mobile, Lumos operated as a highly localized provider with deep ties to the communities it served in Virginia and the Carolinas. When regional network issues occurred, localized support teams were quickly dispatched, and communication was handled through regional channels. Under the T-Mobile umbrella, those local feedback loops have been replaced by a centralized, national support matrix that relies heavily on AI chatbots, outsourced call centers, and automated emails. This disconnect left customers feeling abandoned during a critical 40-hour period that directly impacted their livelihoods, causing missed deadlines and lost billable hours.

As T-Mobile continues to integrate regional fiber networks under the T-Mobile T-Fiber brand, this incident serves as a stark warning. Consolidating the brand is easy; consolidating and maintaining highly complex, disparate regional routing infrastructures while providing transparent support to the humans who rely on them is an entirely different challenge. For T-Mobile, restoring the fiber network was a 43-hour engineering fix—but restoring customer trust in their brand’s reliability may take much longer.

Posted in Breaking Tech News, Technology & AI | Tagged , , , | Leave a comment

Autonomous LLM Agent Behind First Real-World Cyberattack

Posted on May 28, 2026 by TempMail Ninja

On May 28, 2026, cloud security firm Sysdig’s Threat Research Team (TRT) sent shockwaves through the cybersecurity industry by publishing findings on a groundbreaking discovery. For the first time, researchers captured a live, fully independent cyberattack orchestrated in real-time by an autonomous LLM agent. Dubbed “AgentZero” by security analysts, this real-world intrusion represents a historical inflection point. In this attack, traditional static shell scripts and human-operated terminal commands were completely replaced by a non-deterministic, generative artificial intelligence engine capable of making dynamic post-compromise decisions.

The entire operation—from the initial vulnerability exploit to the comprehensive theft of an internal relational database—unfolded in less than an hour. Even more alarming was the final data exfiltration phase, which completed in under two minutes. By deploying an autonomous LLM agent directly into the post-exploitation lifecycle, the threat actors compressed hours of human reconnaissance, planning, and tool manipulation into minutes. Defenders are no longer merely competing against automated scripts; they are now actively playing chess against self-directed, reasoning machine minds operating at cloud scale.

The Breach Point: Exploiting CVE-2026-39987 in Marimo Notebooks

To understand the efficiency of AgentZero, we

Posted in Breaking Tech News, Technology & AI | Tagged , , , | Leave a comment

Cloud Storage Misconfiguration Exposes 19.6 Billion Files Online

Posted on May 28, 2026 by TempMail Ninja

the root organization level. This acts as a fail-safe, ensuring that even if an individual developer accidentally marks a bucket as public, the platform-level block prevents public access.

`
`

  • Strictly Segregate Secrets and Backups: Developer files like .env and local password databases like .kdbx must never be stored in cloud object storage buckets. Instead, organizations must utilize dedicated secrets management platforms (such as AWS Secrets Manager or HashiCorp Vault) to inject environment variables securely. Backups must be stored in isolated, non-public accounts with strict lifecycle policies and encryption at rest.

    • `
    `

  • Implement Continuous Posture Monitoring: Relying on manual audits to detect open buckets is a recipe for disaster. Organizations must deploy automated Cloud Security Posture Management (CSPM) tools. These platforms constantly scan cloud infrastructure for configuration drift, immediately alerting security teams and automatically revoking public access policies when an unauthorized change is detected.

    • `
    `

    `

    *Personal Data H2*: (150 words)
    `

    Personal Data Hygiene: Protecting Your Digital Trail

    `
    `

    The Mysterium VPN research is also an urgent warning for individual users. Because many of the exposed databases contain customer records and credentials, individuals cannot blindly assume that the corporations they interact with are storing their data securely. To protect their personal digital footprint, users must take proactive measures:

    `
    `

      `
      `

    • Utilize Zero-Knowledge Password Managers: Local password managers like KeePass are highly secure, but users should
    Posted in Data Protection, Security & Privacy | Tagged , , , | Leave a comment

    ChatGPT Malware Targets Windows and Mac Users via Fake Download Site

    Posted on May 28, 2026 by TempMail Ninja

    .

    If you or someone in your organization has visited openew[.]app, downloaded any files, or interacted with the spoofed installers, you must assume the system is fully compromised. Because info-stealing malware exfiltrates stolen data almost instantaneously upon execution, traditional security scans are insufficient for recovery. You must immediately execute the following incident response steps from a secondary, entirely uncompromised device:

    1. Trigger Global Session Revocation: Log into your most critical online accounts—including financial institutions, primary email suites, cloud storage (Google Drive, OneDrive), developer environments (GitHub), and communications platforms (Slack, Discord, Telegram)—and select the option to “Sign out of all other sessions” or “Revoke all active logins”. This renders any stolen session cookies useless to the attackers.
    2. Rotate Stored Passwords and Cryptographic Keys: Systematically change every password that was stored in the compromised system’s browsers or keychains. Prioritize primary email accounts, as these can be used by attackers to perform password resets across other services. Additionally, rotate all API keys, SSH keys, cloud credentials, and developer tokens that were stored on the affected machine.
    3. Secure and Migrate Cryptocurrency Assets: If you utilize software or hardware
    Posted in Security & Privacy, Threat Alerts | Tagged , , , | Leave a comment

    AgentStop: Solving Battery Drain Issues for Local AI Agents

    Posted on May 28, 2026 by TempMail Ninja

    The paradigm shift toward on-device computing has birthed a new class of utility tools: local AI agents. For software developers, enterprise architects, and privacy advocates, these specialized systems offer an uncompromising escape from the data-harvesting practices of centralized cloud platforms. Unlike proprietary cloud-based alternatives such as ChatGPT or Claude, which require users to upload sensitive codebases, proprietary spreadsheets, and personal identities to third-party servers, running large language models (LLMs) locally ensures that all processing stays strictly on-device. But this uncompromising stance on privacy has stumbled into a harsh physical reality. Running autonomous, multi-step local AI agents on consumer-grade hardware is incredibly resource-intensive, pushing personal machines to their thermal and electrical limits. In response, Brave Software’s research team has unveiled a groundbreaking open-source utility designed to make on-device autonomy sustainable: AgentStop.

    Why Local AI Agents Threaten Your Laptop’s Battery Life

    To understand why local AI agents are so uniquely demanding, one must look at how they differ from traditional chat-based AI workflows. When a user interacts with a standard localized chatbot, the computational load is short-lived. The model processes the prompt, generates a response, and immediately returns to an idle state. In contrast, autonomous agentic workflows operate in continuous, iterative execution loops. An agent does not merely respond; it plans, acts, reviews its results, and corrects its own mistakes over multiple steps.

    For instance, if you task a local coding agent with fixing a bug in a Python application, the agent must perform a series of operations: it reads the source files, attempts to identify the problematic function, writes a potential patch, runs the test suite, intercepts the compiler error, and refines the patch. This multi-step process can continue for dozens of steps, keeping the underlying LLM engaged in relentless inference cycles. This continuous load pushes consumer hardware to its breaking point.

    During testing conducted by Brave’s research team, a local agent powered by the advanced Qwen3-Coder-30B-A3B model was run on a MacBook Pro equipped with an Apple M1 Max processor. The hardware profiles recorded during these test runs paint a sobering picture of resource exhaustion:

    • The MacBook Pro’s processor and graphics chips were kept at peak utilization for more than 10 minutes continuously.
    • The agent executed more than 30 consecutive, multi-step LLM inference calls.
    • The GPU’s power draw frequently spiked past 40 watts.
    • The silicon temperature sat persistently above 90°C, triggering aggressive thermal throttling.
    • A single failed attempt to resolve a complex software bug consumed roughly 3,000 mWh of energy.

    This sustained load represents nearly 3% of a standard 100Wh laptop battery, entirely wasted on a run that produced absolutely zero successful code. Privacy-conscious developers find themselves in a catch-22: protect their proprietary codebase from being ingested by remote cloud APIs, or sacrifice their device’s battery life and hardware longevity to local thermal throttling.

    The Genesis of AgentStop: Real-Time Efficiency Supervision

    To resolve this tension between data privacy and power sustainability, Brave Software’s research division—comprising Dzung Pham, Kleomenis Katevas, Ali Shahin Shamsabadi, and Hamed Haddadi—designed and built AgentStop. Officially announced on May 28, 2026, the utility made its academic debut at the 1st ACM Conference on AI and Agentic Systems (ACM CAIS 2026) in San Jose, California.

    To cement its scientific rigor, the project was awarded three prestigious reproducibility badges by the ACM CAIS Artifact Evaluation Committee:

    • Artifact Available: Verifying that all code and datasets are publicly hosted.
    • Artifact Functional: Ensuring that the code compiles, runs, and behaves as described.
    • Results Reproduced: Confirming that independent peer evaluators successfully duplicated the energy-saving performance of AgentStop under matching test scenarios.

    AgentStop functions as a lightweight “efficiency supervisor” that sits alongside local LLM backends. By analyzing the internal execution telemetry of the model in real time, it predicts when an agent has entered a logic loop or an unrecoverable failure state. Once a terminal trajectory is identified, AgentStop preemptively kills the execution chain, rescuing the system’s remaining battery life before further energy is wasted.

    How It Works: Non-Semantic, Low-Cost Behavioral Signaling

    Traditional methods of monitoring AI performance rely on semantic analysis. That is, they use another “supervisor” LLM to read the active agent’s prompts and outputs to judge whether it is making progress. However, this approach is highly counterproductive for local deployments because running a second LLM to monitor the first only compounds the computational overhead, accelerating battery drain even further. AgentStop bypasses this bottleneck by ignoring the semantic content of the agent’s thought process. Instead, it acts as a lightweight observer of low-cost, under-the-hood behavioral signals that are naturally generated during standard model operation. These key metrics include:

    1. Token Log-Probabilities

    When an LLM generates text, it selects each token based on a probability distribution over its vocabulary. AgentStop tracks the average log-probabilities across each reasoning step. A sharp, sustained drop in these probabilities signals that the model is operating with very low confidence. Consistent low-confidence sequences often precede a reasoning failure, acting as an early mathematical indicator of model confusion.

    2. Token Counts per Reasoning Step

    Standard agent loops usually maintain a predictable cadence of token consumption. When an agent runs into a logic wall or a conceptual error, it frequently begins generating overly verbose, circular reasoning paths. By tracking sudden increases in step-level token counts, AgentStop identifies when an agent is over-analyzing a dead end.

    3. Token Overlap Between Successive Steps

    One of the most common failure modes of autonomous agents is the “infinite loop.” An agent might get stuck trying to resolve a dependency issue by running the exact same terminal command repeatedly. AgentStop measures string similarity (such as Jaccard similarity or token overlap) across successive steps. A high degree of overlap indicates that the agent has stopped making progress and is trapped in a loop.

    By aggregating these lightweight signals, AgentStop builds a predictive model to classify the likelihood of task completion. Because approximately 60% of an agent’s total energy budget is spent within the first 10 steps of execution, early termination is incredibly potent. The supervisor achieves an Area Under the Curve (AUC) of 0.6 to 0.7 in classifying success versus failure within these initial steps, allowing it to pull the plug before the vast majority of battery power is wasted.

    Empirical Performance: Slashed Energy Waste with Minimal Utility Loss

    Brave’s empirical evaluations demonstrate that predictive early termination is highly effective across diverse task types. AgentStop was benchmarked against leading industry datasets with outstanding results:

    • Web-Based Question Answering: When evaluated on the FRAMES (824 multi-hop reasoning questions) and SimpleQA (4,326 factual questions) datasets using the Qwen3-30B-A3B model integrated with the Brave Search API, AgentStop cut wasted energy by 22% to 23%. Crucially, this massive efficiency gain was achieved with a task utility drop of less than 2%.
    • Software Engineering Workloads: Tested using the highly rigorous SWE-Bench Verified benchmark, which comprises 500 real-world GitHub software engineering issues. Powered by the specialized Qwen3-Coder-30B-A3B model, the agent achieved a baseline success rate of 18.8%—highly competitive with GPT-4o’s 21.2% in the same environment. Under AgentStop’s supervision, wasted energy was reduced by 19% while suffering a marginal 3% reduction in overall task completion rates.

    On both benchmarks, AgentStop consistently outperformed simpler baseline approaches, such as random stopping or static log-probability thresholding. This proves that a dynamic, signal-aware classification approach

    Posted in Recommended Software, Resources & Culture | Tagged , , , | Leave a comment

    Virtual OS Museum: A Comprehensive Guide to the Retrocomputing Archive

    Posted on May 28, 2026 by TempMail Ninja

    p>On May 28, 2026, the digital preservation and retrocomputing landscapes experienced a watershed moment. Spotlighted by retrotech publications and major mainstream outlets alike, developer and operating system historian Andrew Warkentin unveiled the Virtual OS Museum—a monumental, interactive digital archive. This project is not merely a static collection of screenshots or historical essays; it is a fully functioning, plug-and-play preservation powerhouse containing over 1,700 individual operating system installations spanning 250 hardware platforms and roughly 570 to 600 distinct operating systems. For tech enthusiasts, computing historians, and software archaeologists, this release represents one of the most significant achievements in the history of internet curation, making decades of computational heritage instantly bootable on modern personal computers.

    The Architecture of the Virtual OS Museum: How It Works Under the Hood

    Historically, experiencing vintage or esoteric operating systems has required a high level of technical mastery. Users had to track down elusive floppy or magnetic tape images, compile specific, outdated emulators, and spend hours troubleshooting hardware configuration files. The Virtual OS Museum completely bypasses these barriers by wrapping the entire archive into a pre-configured, self-contained Linux virtual machine (VM). Designed to run seamlessly on top of modern hypervisors, it supports:

    • QEMU: The highly versatile, open-source machine emulator and virtualizer.
    • VirtualBox: Oracle’s popular cross-platform virtualization software.
    • UTM: The preferred virtualization interface for macOS and iOS, leveraging Apple’s native Hypervisor.framework.

    To ensure absolute accessibility, Warkentin has bundled native hypervisor installers and one-click launch scripts for Windows, macOS, and Linux. The host Linux VM automatically boots into a clean, modern desktop environment and logs in as a default user. From there, a custom-designed, emulator-independent graphical launcher presents an organized directory of computing history, allowing users to launch any guest operating system with a single click.

    Recognizing the massive storage requirements of such an extensive catalog, the archive is distributed in two distinct formats:

    • The Full Edition: A massive 121 GB compressed download (expanding to 174 GB uncompressed) delivered via torrent or direct download from the Internet Archive. This version contains every single guest operating system image pre-installed, permitting complete offline exploration.
    • The Lite Edition: A highly optimized 14 GB compressed download (expanding to 21 GB uncompressed). This edition boots the core Linux host VM but does not pre-include the disk or tape images of the guest systems. Instead, the custom launcher dynamically downloads the required image files from a secure central repository the very first time a user attempts to run a specific exhibit.

    Both versions support manual or automatic updates, allowing users to grab new packages, installations, and emulator bug fixes without re-downloading the base VM.

    Defying Decay: Overcoming the Technical Hurdles of Operating System Preservation

    Software preservation is notoriously plagued by physical media decay, but operating system preservation introduces an entirely different dimension of difficulty. Unlike game preservation, operating systems are deeply tied to non-standard legacy hardware configurations. Overcoming these hurdles required decades of technical effort, resolving key system challenges:

    1. Emulator Regressions

    Emulators constantly update, but updates frequently introduce regressions. An old OS that ran perfectly on QEMU 4.0 might crash on QEMU 8.0 due to subtle register changes or legacy timing assumptions. Warkentin resolved this issue by bundling specific, tested, and sometimes custom-patched emulator binaries directly inside the host VM. This ensures that each vintage OS runs under the exact emulator version optimized for its quirky behavior.

    2. The Nightmare of Manual Installation

    Installing legacy enterprise software traditionally requires mounting magnetic tape images, formatting virtual mainframe disks, and patching legacy code. The Virtual OS Museum eliminates this barrier by providing pre-installed, fully configured guest environments. Users do not need to read 500-page systems-administration manuals from the 1970s just to boot the system; they simply click “Launch” and are greeted by functional environments.

    3. Vulnerability to Corruption

    Vintage operating systems lack modern memory shielding or file-system protections, meaning a bad command or crash can permanently corrupt a virtual disk. To make exploration risk-free, the museum’s custom launcher integrates a robust snapshot and rollback capability. If a user breaks an installation, they can instantly revert the system back to its pristine “known-good” working state with a single click.

    Inside the Exhibits: Eight Decades of Digital Heritage

    The Virtual OS Museum is structured as a series of chronological and thematic “exhibits” that chart the evolution of software design, human-computer interaction, and system architecture. The following list showcases the scope and diversity of the historical treasures preserved within this archive:

    • The Dawn of Computing (1940s–1950s): Featuring software for the 1948 Manchester Baby—the world’s first stored-program computer. It also houses early EDSAC software and the historic Mark 1 Scheme A/B/C/T, which represents the earliest precursor to system software.
    • Mainframes & Minicomputers: Includes MIT’s legendary CTSS (Compatible Time-Sharing System), the direct ancestor of modern interactive operating systems, and its successor, Multics. It also features IBM’s MVS and VM/370, alongside DEC’s TOPS-10, TOPS-20, ITS, RSX, and RSTS.
    • Workstations & Early Unix: Showcasing Silicon Graphics’ IRIX, Sun Microsystems’ SunOS, DEC’s OSF/1, Apple’s rare Unix variant A/UX, and Steve Jobs’ NeXTSTEP (the foundation of modern macOS). It also features Bell Labs’ experimental Plan 9 and classic Linux distributions across the decades.
    • The GUI & Personal Computing: Tracing the desktop metaphor from the 1981 Xerox Star (running Pilot/ViewPoint) to early Windows builds (Windows 1.0 to early “Longhorn” betas), classic Mac OS through OS X 10.5 PPC, OS/2, BeOS, and nostalgic systems like CP/M, Commodore 8-bit, Atari, MSX, ZX Spectrum, and BBC Micro. Note that Windows Vista did not make the cut!
    • Mobile & Embedded Systems: Preserving early portable environments including PalmOS, Apple’s Newton OS, Symbian/EPOC, Windows CE, QNX, and early versions of Android and iOS where architecture permits.
    • Academic & Niche: Obscure software architectures including ZetaLisp, early Xerox Smalltalk environments, Niklaus Wirth’s Oberon, and emulated Texas Instruments graphing calculators.

    The Architect Behind the Archive: Andrew Warkentin

    The Virtual OS Museum is the culmination of over two decades of solitary work by Andrew Warkentin. His journey began in 2003 after transitioning from Windows to Linux. Fascinated by emulation, he collected legacy software images at a time when centralized retro archives were virtually non-existent. Over the next 23 years, his hobby evolved into a structured mission to preserve computing’s digital history.

    Beyond software archaeology, Warkentin is the founder of UX/RT, an open-source real-time operating system (RTOS) in the style of QNX and Plan 9. Built around a forked seL4 microkernel, UX/RT extends the ‘everything is a file’ paradigm. Warkentin’s deep familiarity with kernel architecture, inter-process communication, and VFS layers is precisely what enabled him to engineer the custom launcher, script frameworks, and snapshot systems that make the museum so robust.

    A Monumental Leap for Internet Archaeology and Digital Culture

    Traditional physical museums face insurmountable challenges when presenting computing history. A physical PDP-11 or Xerox Star can sit behind glass, but a static hardware chassis does not allow visitors to feel the responsive click of its interface, run its compiling tools, or experience how it managed system resources. Traditional museums are also vulnerable to hardware component failure, making the preservation of functional vintage hardware an increasingly expensive battle against time.

    By virtualizing this heritage, the Virtual OS Museum democratizes digital history. It provides an immediate, risk-free sandbox for tech historians, computer science students, and retrocomputing enthusiasts to interact directly with the foundational code of our digital culture. Whether you are booting the Manchester Baby to watch the dawn of stored-program execution, or opening Windows 1.0 to witness the birth of mainstream graphical interfaces, Warkentin’s masterpiece is a living, breathing testament to human ingenuity—ensuring that the digital shoulders we stand on today remain accessible to the generations of tomorrow.

    Posted in Internet Curiosities, Resources & Culture | Tagged , , , | Leave a comment