Today — 26 June 2026

Apple Raises Prices On Macs, iPads, and More By Hundreds of Dollars

By: BeauHD
25 June 2026 at 16:00
Apple has sharply raised prices across its Mac, iPad, HomePod, and Apple TV lineups as surging AI-driven demand creates a global memory and storage shortage. Increases range from $30 for the HomePod mini to $1,300 for the M3 Ultra Mac Studio, with Apple CEO Tim Cook saying efforts to shield customers from higher costs had become "unsustainable." The Verge reports: On Thursday, the company adjusted the price of its new MacBook Neo, which will now start at $699 instead of $599, while the base MacBook Air will jump to $1,299 from $1,099, as reported earlier by Bloomberg. The 14-inch MacBook Pro is getting an increase as well, going from $1,699 to $1,999. Meanwhile, the iPad Air will now start at $749 instead of $599, while the iPad Pro is increasing to $1,199 from $999. As spotted by MacRumors, the M4 Max Mac Studio will now cost $2,499, a big jump from $1,999. The M3 Ultra Mac Studio is now priced at $5,299, up from $3,999. Apple is even raising the prices of its HomePod, which now costs $349 instead of $299, as well as bumping the price of the HomePod mini to $129 instead of $99. The Apple TV also now costs $199 instead of $129.

Read more of this story at Slashdot.

Yesterday — 25 June 2026

In a first, a court takedown goes after two cybercrime tools at once

24 June 2026 at 08:30

In a novel maneuver for a disruption operation against cyber attackers, industry and law enforcement teamed up to conduct a court takedown of two widely-used criminal tools at once rather than individually, Microsoft said Tuesday.

The takedown simultaneously went after Amadey, a botnet that can serve as a malware delivery system, and StealC, an infostealer. Cybercriminals often use them in conjunction and they rely on the same infrastructure, Microsoft said.

“When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from,” said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. “The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild. It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

Microsoft had been tracking Amadey with ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Meanwhile, Europol had been investigating StealC alongside law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police as well as IBM X-Force and Proofpoint.

They then joined forces and turned to the Racketeer Influenced and Corrupt Organizations (RICO) Act, used to help authorities go after organized crime, to disrupt more than 200 command-and-control servers. Microsoft said it gained insights from its artificial intelligence product Copilot that “allowed the legal team to treat both malware families as part of a single criminal conspiracy.”

Microsoft regularly leads court-authorized disruption operations, but the industry and law enforcement partnerships combined with AI to expand data collection and identify connections beyond what one company could normally do, it said.

Amadey and StealC were linked to more than 140,000 infected computers around the globe in the first week of May alone, the company said. StealC has ranked among the top infostealers for years since its emergence in 2023 and sells in underground forums as a malware-as-a-service. It’s typically used by Russia-linked groups.

Amadey dates back to 2018, and is also commonly employed by Russian groups, including in attacks on Ukraine.

Their interaction shows the assembly line-like structure of modern cybercrime, Microsoft said. Even if the cybercriminals behind both tools never coordinate, their tools are designed to work together, it said.

“StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms,” the company wrote in a separate blog post. “It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.”

The post In a first, a court takedown goes after two cybercrime tools at once appeared first on CyberScoop.

Before yesterday

US AI Stock Sell-Off Shakes Markets From Wall Street To Asia

By: BeauHD
24 June 2026 at 02:00
An anonymous reader quotes a report from The Guardian: A tech sell-off shook global markets on Tuesday as attention turned away from developments in the US war with Iran and toward the future of AI companies and chipmakers that have driven stock markets to record highs. The tech-heavy Nasdaq index closed 2.2% lower on Tuesday. The S&P 500 was also down by Tuesday afternoon, dropping 1.43% while the Dow remained steady. All three major US indices have hit record highs this year, riding off a rush of funding to support AI technology and infrastructure. Nasdaq is up 10% for the year, while the Dow jumped 6% so far this year, breaching past 51,000 points, and the S&P 500 is up 7.3%. But some economists have warned that the influx of AI spending is a bubble reminiscent of the dot-com bubble that burst in the early 2000s. Seven tech companies make up 30% of the S&P 500's value. The heavy reliance on a single industry and a few key companies has some investors wondering if it's a matter of when, not if, there will be a burst. Those concerns have been heightened by signals from the Federal Reserve last week that it may increase interest rates, and therefore the cost of borrowing, in order to tackle rising inflation. Alphabet fell 5% on Monday. SpaceX plunged 16%. The selloff also spread to Asia, with South Korea's benchmark dropping 10% as SK Hynix and Samsung Electronics each lost more than 12%, while Japan's Nikkei 225 declined 3.5%.

Read more of this story at Slashdot.

Mark Zuckerberg Directed Meta To Create a Prediction Markets App

By: BeauHD
23 June 2026 at 15:00
An anonymous reader quotes a report from the New York Times: Mr. Zuckerberg, the chief executive of Meta, recently dispatched a small team at his company to create a smartphone app similar to Polymarket and Kalshi, two employees with knowledge of the matter said. Users would not wager money, and the app would probably rely on a video game-like points system instead, one person said, though the company had not ruled out the eventual use of real money betting. The app is internally referred to as "Arena" and would function independently from Meta's social networking apps, which include Facebook, Instagram, WhatsApp and Messenger, said the employees, who spoke on the condition of anonymity to discuss confidential plans. Meta aims to grow the app by leveraging its large social networking audiences and directing them toward using it, they said. The effort, which insiders characterized as experimental but a top priority, is part of a broader push by Mr. Zuckerberg to create new types of apps based on emerging social behavior online. More than 3.56 billion people visit one or more of Meta's apps every day, an amount that has raised questions about whether those platforms have reached a saturation point. Arena is one of a handful of apps that Meta is trying out. Others include one called Meta Photos, another stand-alone app which would create new types of media using artificial intelligence, the employees said. [...] Meta insiders have cautioned that Arena remains in development and may not be released. But as executives search for ways to keep the world's largest social media sites thriving, Mr. Zuckerberg appears to be relying on his well-worn product development strategy: Follow the users.

Read more of this story at Slashdot.

Valve Prices the Steam Machine At $1,049

By: BeauHD
22 June 2026 at 14:00
Valve's new Steam Machine will launch June 29 starting at $1,049 and go up from there depending on the configuration. Although it costs considerably more than the PS5 ($599.99) and Xbox Series X ($649.99), "the value proposition for the Steam Machine is that it can play your library of Steam games you may have accumulated over years (or even decades), rather than just PlayStation games, and it's also a full Linux PC that you can customize to your heart's content," reports The Verge. "Valve also says that it's selling the Steam Machine for the cost of its components alone instead of subsidizing the price." From the report: You can now register your interest to buy a Steam Machine as part of a reservation system. To offer a fair playing field for people who want to buy one, Valve will randomize everyone in the queue on Thursday at 1PM ET. After that, anyone who registers their interest will be added to the end of the waitlist. The first emails giving people the opportunity to buy will go out on June 29th. Valve will sell four configurations of the Steam Machine:

- A 512GB model for $1,049
- A 512GB model with a bundled Steam Controller for $1,128
- A 2TB model for $1,349
- A 2TB model with a bundled Steam Controller for $1,428

Read more of this story at Slashdot.

Student Loan Borrowers Will Get Interest Rate Cut If They Sign Up For Auto Pay

By: BeauHD
20 June 2026 at 07:00
An anonymous reader quotes a report from NPR: Student loan borrowers who enroll in automatic payments will get a much bigger discount on interest starting July 1, the U.S. Department of Education says. Auto pay has long offered a modest discount off borrowers' interest rate -- 0.25 percentage points -- but after millions of borrowers opted out during the long COVID repayment pause, with some making no payments for years, the nation's student debt portfolio swelled to $1.7 trillion. On Thursday, the department said it will temporarily increase its auto pay interest rate discount to one full percentage point. Practically, that means an undergraduate borrower with a loan at the current 6.39% would see their interest rate drop temporarily to 5.39%. The rate cut will last for two years, from July 1, 2026 through June 30, 2028. Borrowers already enrolled in auto pay do not need to act. They will automatically receive the rate cut. [...] The department says borrowers will have until Sept. 30 to sign up for auto pay and qualify for the two-year interest discount.

Read more of this story at Slashdot.

Accenture shells out $4.18B on three companies in big industrial cybersecurity push

By: Greg Otto
18 June 2026 at 11:05

Accenture announced Thursday it would acquire a majority stake in industrial cybersecurity firm Dragos for $3.25 billion and purchase two smaller security companies outright, essentially making a $4.18 billion bet that defending the operational networks behind power grids, pipelines, factories and other critical infrastructure sectors will become one of the defining challenges of the AI era.

The deals — which also include two Austin, Texas-based companies, runZero and NetRise — represent a significant strategic pivot for Accenture toward operational technology (OT) security, a segment of the cybersecurity market that has long been underfunded relative to traditional IT defenses. The announcement comes as the consulting giant faces pressure on its core business from the same AI tools reshaping the threat environment it is now moving to address.

Dragos, founded in 2016 by former intelligence specialists and based in Hanover, Maryland, has built what the industry regards as the leading platform for detecting threats in OT environments. Its proprietary dataset of industrial threat intelligence has made it a trusted partner to critical infrastructure operators globally.

RunZero specializes in asset discovery and attack-surface intelligence — essentially mapping what is connected to a network and identifying where it is exposed. NetRise focuses on firmware-level visibility and software supply chain security, areas that have drawn increased scrutiny since high-profile incidents revealed how deeply embedded vulnerabilities can propagate through industrial device ecosystems.

Dragos co-founder and CEO Robert M. Lee will continue leading the combined entity, which will operate as an independent business under Accenture’s ownership. The CEOs of runZero and NetRise, HD Moore and Tom Pace, respectively, along with NetRise’s chief technology officer Michael Scott, will join Dragos as senior executives.

The acquisitions are not Accenture’s first move in OT security. The company acquired Cimation in 2015 and Revolutionary Security in 2020, along with several other OT-focused firms. 

Thursday’s deal, however, is of a different scale and ambition. Where previous acquisitions built out Accenture’s services capabilities, the addition of Dragos, runZero and NetRise moves the company firmly into OT cybersecurity software, a market it had not previously entered at scale.

Accenture and Dragos describe this expanding environment — which also encompasses Internet of Things devices, cloud-connected sensors and related IT infrastructure — as “xOT.” The concern is that as AI is integrated into industrial decision-making, the attack surface grows. At the same time, adversaries are using AI to shorten the window between compromising an IT network and pivoting to OT systems underneath it.

Despite that convergence, most cybersecurity budgets remain concentrated on traditional IT, leaving critical infrastructure comparatively exposed. The OT cybersecurity services market is estimated at roughly $7 billion in 2026. The broader OT cybersecurity market, which includes software, is estimated at $27 billion this year and projected to reach nearly $59 billion by 2031, growing at approximately 16% annually.

“Our energy and water systems, manufacturing plants, data centers and other operational environments need cybersecurity built from the ground up for xOT and designed to keep pace as threats evolve. The consequences of getting it wrong become societal threats,” Lee said in a release. “Organizations need solutions, not a patchwork of software and services. The addition of runZero and NetRise will allow the Dragos Platform to be a unique end-to-end platform for global defense, and Accenture will bring its decades of trusted relationships and deep expertise to help us scale and secure more critical infrastructure and physical operations globally.”

The transactions are expected to close in August or September, pending customary regulatory approvals.

The post Accenture shells out $4.18B on three companies in big industrial cybersecurity push appeared first on CyberScoop.

California 'Billionaire Tax' Makes Ballot Despite Opposition From Tech Moguls

By: BeauHD
18 June 2026 at 18:00
California's proposed "billionaire tax" has gathered enough signatures to qualify for the November ballot, setting up a major fight between labor unions and some of Silicon Valley's richest figures. From the report: The California Billionaire Tax Act, colloquially known as the billionaire tax, would levy a one-time 5% tax on any California resident worth more than $1bn. The proposal is backed by the Service Employees International Union-United Healthcare Workers West as a means of funding California's strained healthcare and education programs. The proposal has become one of the state's biggest political flashpoints as it gained momentum throughout the year, with prominent billionaires, such as the Google co-founder Larry Page, making moves to cut ties with the state and Newsom vowing to block it from going to a vote. Although it has gained enough signatures for the ballot, the groups backing the measure have until June 25 to decide whether to move forward or potentially strike a deal with the state. While unions backing the group have framed the proposal as a way of getting the ultra-rich to pay their fair share, many of the state's tech elites have condemned the tax and spent millions attempting to crush it. The Google co-founder Sergey Brin has spent $82m alone on efforts to fight the tax, while joining other Silicon Valley billionaires in declaring he will leave California if it goes through. The Palantir co-founder Peter Thiel, crypto billionaire Chris Larsen and Ring founder James Siminoff are among the other tech moguls who have made huge political donations to groups opposing the tax. California has the most billionaires out of any state, many of whom have increased their wealth in recent years amid the AI boom.

Read more of this story at Slashdot.

Tim Cook Says Apple Price Increases Are 'Unavoidable' Due To Memory Costs

By: BeauHD
18 June 2026 at 12:00
An anonymous reader quotes a report from MacRumors: Apple is raising its prices to offset the high cost of memory and storage, CEO Tim Cook told The Wall Street Journal. Apple is no longer able to absorb the increased prices and will need to pass some of the cost on to consumers. "Unfortunately, price increases are unavoidable," said Cook. "We're doing our best to mitigate the huge increases that are being passed to us, and we've been trying to shield our customers from the increases, but the situation has become unsustainable." Growing demand for memory and storage chips from AI companies has led to chip shortages and higher costs. The Wall Street Journal suggests Apple will need to increase device costs "substantially" to maintain its current profit margins given the cost of memory chips and SSDs. Research firm TechInsights claims Apple will need to make the iPhone 18 Pro around $270 more expensive to keep its existing profit margin. Apple is struggling more with memory chips, but storage chips are also an issue. "There's less supply at a time when consumers want devices and the memory guys are passing along huge price increases," Cook told The Wall Street Journal. Cook said Apple will use its cash to increase memory supply, but he did not give details on what that means. Apple does not plan to create its own memory and storage factories. "We can't do everything," Cook said. "We know what we're good at." Cook likened the memory shortages to a hundred-year flood. "I've never seen anything like it in any area in over 40 years," he said. Further reading: Smartphone Market To Shrink 15% This Year Due To Memory Crisis

Read more of this story at Slashdot.

SpaceX IPO Makes Elon Musk World's First Trillionaire

By: BeauHD
12 June 2026 at 11:00
An anonymous reader quotes a report from Reuters: Few business leaders have been as deeply embedded in popular culture as Elon Musk, the ambitious entrepreneur who has become a central figure in internet culture and amassed a fortune that has made him the world's first trillionaire. At a time when concerns about inequality are high and public attitudes toward the ultra-wealthy have soured, Musk has managed to retain a loyal following despite his stratospheric net worth and without the folksy persona that endeared other tycoons such as Warren Buffett to the masses. While admirers view Musk's no-filter style as part of his appeal, critics have accused him of wielding oligarch-like power, raised concerns about governance at his companies and objected to his increasingly partisan political interventions. Still, SpaceX, the sprawling rocket, satellite and AI company that together with electric-car maker Tesla form the center of Musk's empire, raised a record $75 billion in its initial public offering on Thursday, highlighting investor enthusiasm for his business ventures. Prior to the share sale, Forbes pegged his net worth at roughly $780 billion, far ahead of the man next in line, Alphabet co-founder Larry Page. "The second richest person has been hovering around $300 billion, so about less than one-third of what Musk can potentially be worth tomorrow," said Matt Durot, deputy editor at Forbes Wealth. "And only one other person, (Oracle founder) Larry Ellison, has ever been worth $400 billion." Most of Musk's wealth now rests with SpaceX, where he holds a stake worth roughly $866 billion. Along with Tesla and the rest of his properties, his net worth will exceed $1.1 trillion when the stock begins trading Friday, according to Forbes and Reuters calculations based on company filings.

Read more of this story at Slashdot.

Visa Plugs Its Payment Network Into ChatGPT

By: BeauHD
10 June 2026 at 18:00
Visa is integrating its payment network with ChatGPT so AI agents can shop and complete purchases on users' behalf. "It means AI agents can not only recommend products but complete the purchase on the user's behalf, at potentially any merchant that accepts Visa," reports the Associated Press. "The payment network's previous attempts at this technological leap were confined to a single retailer or a small set of enrolled merchants." From the report: OpenAI will provide the technology to allow agents to interact, make decisions and initiate purchases through ChatGPT. Visa, the world's largest payment network outside of China, will provide the payment authorization and fraud monitoring needed to do this at scale. "As AI agents become active participants in the economy, Visa's focus is to ensure transactions are trusted, secure and seamless," said Jack Forestell, chief product and strategy officer at Visa. Speaking at a company event in San Francisco on Wednesday, Forestell gave an example of a customer telling ChatGPT they're looking for a pair of wireless headphones under $150. The chatbot would find a pair for sale under those parameters and buy it on behalf of the customer. Visa and OpenAI did not disclose the financial terms of the collaboration and did not give details on the fees merchants or customers would have to pay. [...] Visa says the feature will have guardrails like spending limits, required approval steps and approved merchants for shopping in order to protect consumers and minimize fraud.

Read more of this story at Slashdot.

Valve Discontinues Physical Steam Gift Cards Due To Scammers

By: BeauHD
10 June 2026 at 17:00
Valve is discontinuing physical Steam Gift Cards and says it will stop restocking them as retailers sell through remaining inventory. In a blog post, the company blamed persistent gift card scams as the reason, though Steam Digital Gift Cards will remain available and existing physical cards can still be redeemed. PC Guide reports: Valve says it has "responded to gift card scams over the years" -- but this doesn't stop scammers from adapting. The Steam creator has actively worked with retailers and law enforcement, among other precautions, to counteract scams, but says the issue can never be fully resolved. Steam Digital Gift Cards will continue to operate as normal.

Read more of this story at Slashdot.

A Record-Breaking Patch Tuesday for June 2026

9 June 2026 at 18:07

Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available.

The software giant said in a blog post last month that both its engineers and the security community are increasingly using artificial intelligence tools to find bugs, which means this month’s heavy Patch Tuesday may become the norm, said Satnam Narang, senior staff research engineer at Tenable.

“Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm,” Narang said. “Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday.”

June’s zero-day bugs include CVE-2026-49160, a denial of service vulnerability affecting a range of web servers, including Microsoft Internet Information Services (IIS). Microsoft says the flaw was reported by OpenAI’s Codex.

Two of the zero-days addressed this month appear to stem from recent vulnerability disclosures by Nightmare Eclipse, the nickname chosen by a security researcher who has been dropping exploits for various Windows flaws. One of those, dubbed “GreenPlasma,” leverages an elevation of privilege weakness in the Windows Collaborative Translation Framework, the same framework patched today in CVE-2026-45586.

Nightmare Eclipse also last month released “YellowKey,” an exploit for a Windows BitLocker vulnerability that allows an attacker with physical access to view encrypted data, and CVE-2026-50507 is a patch for an elevation of privilege bug in BitLocker.

Microsoft received heavy blowback on social media last month after it said in a blog post that it was considering taking legal action against the security researcher. The company later clarified on Twitter/X that while it has no intention of pursuing legal actions against researchers, it would report them to authorities if they break the law. The advisories for CVE-2026-49160 and CVE-2026-50507 do not credit any researchers in the acknowledgement section, saying only that “Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.”

Nightmare Eclipse claims to be a former employee of Microsoft, although Microsoft has not responded to questions about this claim. Rapid7 notes that a recent blog post by Nightmare Eclipse included an image of Albert Wesker, a character from the Resident Evil video game series who formerly worked as a researcher for a technology company before going rogue.

Nightmare Eclipse has pledged to release even more zero-day exploits for Windows in what they called a “bone shattering” drop planned for July 14 (the same day as next month’s Patch Tuesday). Immediately following the release of Microsoft patches today, the researcher published an exploit for what they claimed was a zero-day bug in Windows Defender.

While 200 vulnerabilities may be a record for Patch Tuesday, the actual number of security flaws Microsoft addressed this month is far higher, said Rapid7’s Adam Barnett.

“So far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years,” Barnett wrote. “As usual, browser [flaws] are not included in the Patch Tuesday count above. Indeed, the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update Guide.”

Microsoft also patched a zero-day vulnerability in Visual Studio Code that allows attackers to steal GitHub tokens with a single click. The company was forced to push a stopgap fix for the flaw on June 3, after a researcher published instructions showing how to exploit it. The researcher said they opted not to work with Microsoft because of a recent experience wherein Redmond silently patched a flaw they reported without offering credit or recognition.

Microsoft battled its own internal zero-day emergencies last week, after at least 72 of the company’s public code repositories were infected with a variant of the Shai-Hulud worm. Researchers found that all of the affected packages were connected to Microsoft’s official Azure Durable Task SDK, which got hit by the same Shai-Hulud worm in May.

Other major software makers are also shipping outsized update bundles this month. Adobe has released updates to fix a massive number of critical vulnerabilities across a range of products, including Adobe Experience Manager, Acrobat Reader and ColdFusion. On June 3, Google resolved a whopping 429 vulnerabilities in its latest Chrome browser update (Chrome automatically downloads updates, but installing them usually requires a complete restart of the browser).

As ever, please consider backing up your data before applying operating system updates, and drop a note in the comments if you run into any problems with this month’s patches.

Further reading:

Microsoft’s Security Update Guide

Action1’s Patch Tuesday breakdown

SANS Internet Storm Center notes on Patch Tuesday

Hill Dems hammer GOP for $250M CISA budget cut

4 June 2026 at 16:40

House Democrats criticized a draft Republican Department of Homeland Security spending bill Thursday that they said would cut funding for the Cybersecurity and Infrastructure Security Agency by $250 million.

Republicans said the bill provides $2.4 billion for CISA, and that among its focuses are “improving cybersecurity resilience,” in the words of House Appropriations Chairman Tom Cole, R-Okla.

But Democrats decried it as a funding reduction. The panel’s subcommittee on homeland security is set to vote on the bill Friday.

The fiscal 2027 funding measure “dramatically cuts funding for cybersecurity and infrastructure protection despite an increasing number of sophisticated attacks from foreign adversaries against U.S. businesses, health care systems, utilities, schools, and state and local governments,” Democrats said in a fact sheet.

They also said it limits DHS’s ability to counter foreign propaganda seeking to undermine U.S. democracy, and to protect states against foreign groups during the elections.

The second Trump administration has sought deep cuts in CISA’s personnel numbers and budget in both fiscal 2026 and 2027, drawing concerns from both sides of the aisle.

Congress last year sought to implement some, but not all, of Trump’s proposed cuts for the agency, advancing legislation to set its budget at $2.6 billion.

In their fact sheet, Republicans said they were reallocating $100 million from past appropriations to fund CISA’s core missions.

They acknowledged some cutbacks, saying that the bill “Includes strategic reductions to redundant, unauthorized, or duplicative contracts, positions, and programs.”

Despite the cutbacks at CISA over the last year and a half, officials have talked about wanting to hire additional personnel. The fiscal 2027 bill includes “$31 million to hire mission critical positions to counter threats from foreign adversaries, such as China,” according to the GOP.

The GOP also highlighted other cyber funds in the DHS bill. DHS’s management director would get $11.3 million for “enhanced cybersecurity protections,” while the Homeland Security Investigations division of Immigration and Customs Enforcement would get $5 million for the Cyber Crime Center.

Neither panel Republicans nor Democrats responded to requests for comment seeking more detailed numbers for the fiscal 2027 bill.

The post Hill Dems hammer GOP for $250M CISA budget cut appeared first on CyberScoop.

DHS Secretary Markwayne Mullin pinpoints optimal CISA staffing levels

3 June 2026 at 15:56

Department of Homeland Security Secretary Markwayne Mullin told Congress Wednesday that the Cybersecurity and Infrastructure Security Agency would ideally have 2,800 personnel, up from approximately 2,200 now and down from 3,400 before the second Trump administration began.

President Donald Trump has pushed to dramatically reduce personnel numbers at the agency, something that has drawn criticism from both Democrats and Republicans on the Hill. Trump has proposed hundreds of millions more in cuts for fiscal 2027.

House Homeland Security Committee Chairman Andrew Garbarino, R-N.Y., asked Mullin at a hearing Wednesday about further proposed CISA budget cuts, saying he was “concerned” about personnel numbers and funding for education programs and whether the fiscal 2027 blueprint would “negatively impact those efforts.”

Mullin said DHS funding lapses have made the department rethink CISA, although the deep CISA personnel reductions predate the recent spate of government shutdowns. 

“We had to readjust the way we’re looking at CISA and better lean on public partnerships,” he said. The agency can work well with 2,800 people “If we can actually have the partnerships we need with states and be able to use the grants, the monies that [we] saved with CISA to be able to invest with local and state municipalities. … We’re not going to fail on the mission we have in front of us.”

CISA personnel figures are in a constant state of flux. The CISA staff figure of 2,200 Mullin gave is down even from December. In March, acting director Nick Andersen said CISA was looking to hire 300 people.

There’s been no proposal from the Trump administration to date to take funds formerly allocated to CISA and shift them to state governments for cybersecurity. State officials have said CISA budget cuts have made their jobs harder, and most experts have said the Trump administration’s approach of shifting cyber responsibilities to states is badly misguided.

Congress has yet to permanently reauthorize the State and Local Cybersecurity Grant Program that expired last year before it got a temporary extension and is due to expire again in September.

CISA has gone without a Senate-confirmed director for the entirety of the second Trump administration. Mullin said “we’ve got a person soon to be nominated that will be running CISA that has the ability to recruit and focus on the authorities we have.”

Mullin said CISA has “unique” authorities that haven’t “been completely utilized.” 

“We want CISA to be the leader in cybersecurity,” he said. “They should be and they will be.”

A House Appropriations subcommittee is set to consider a DHS funding bill Friday.

The post DHS Secretary Markwayne Mullin pinpoints optimal CISA staffing levels appeared first on CyberScoop.

The coming of passkeys

1 June 2026 at 03:42
ON SECURITY By Susan Bradley

Passwords. We’ve had them for a long time. They’ve served us well. But they are also subject to attacks — phishing and spoofing. Microsoft and many other vendors want us to move to passkeys. Unfortunately, the transition has not been easy or clear. Passwords are what we are used to. […]

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

22 May 2026 at 12:34

Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “Private-CISA” that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure. However, experts who reviewed the now-defunct Private-CISA archive said it was originally created in November 2025, and that it exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

In a written statement, CISA said “there is no indication that any sensitive data was compromised as a result of the incident.” But in a May 19 letter (PDF) to CISA’s Acting Director Nick Andersen, Sen. Maggie Hassan (D-NH) said the credential leak raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.

“This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Sen. Hassan wrote.

A May 19 letter from Sen. Margaret Hassan (D-NH) to the acting director of CISA demanded answers to a dozen questions about the breach.

Sen. Hassan noted that the incident occurred against the backdrop of major disruptions internally at CISA, which lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.

Rep. Bennie Thompson (D-MS), the ranking member on the House Homeland Security Committee, echoed the senator’s concerns.

“We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support,” Thompson wrote in a May 19 letter to the acting CISA chief that was co-signed by Rep. Delia Ramirez (D-Ill), the ranking member of the panel’s Subcommittee on Cybersecurity and Infrastructure Protection. “It’s no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks. The files contained in the ‘Private-CISA’ repository provided the information, access, and roadmap to do just that.”

KrebsOnSecurity has learned that more than a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets.

On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn’t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories.

“An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys,” Ayrey told KrebsOnSecurity. CI/CD stands for Continuous Integration and Continuous Delivery, and it refers to a set of practices used to automate the building, testing and deployment of software.

KrebsOnSecurity notified CISA about Ayrey’s findings on May 20. Ayrey said CISA appears to have invalidated the exposed RSA private key sometime after that notification. But he noted that CISA still hasn’t rotated leaked credentials tied to other critical security technologies that are deployed across the agency’s technology portfolio (KrebsOnSecurity is not naming those technologies publicly for the time being).

CISA responded with a brief written statement in response to questions about Ayrey’s findings, saying “CISA is actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid and will continue to take appropriate steps to protect the security of our systems.”

Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do this easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits.

The Private-CISA GitHub repo exposed dozens of plaintext credentials to important CISA GovCloud resources. The filenames include AWS-Workspace-Bookmarks-April-6-2026.html, AWS-Workspace-Firefox-Passwords.csv, Important AWS Tokens.txt, kube-config.txt, etc.


In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2026, Ayrey said.

“We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he said. “We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.”

James Wilson, the enterprise technology editor for the Risky Business security podcast, said organizations using GitHub to manage code projects can set top-down policies that prevent employees from disabling GitHub’s protections against publishing secret keys and credentials. But Wilson’s co-host Adam Boileau said it’s not clear that any technology could stop employees from opening their own personal GitHub account and using it to store sensitive and proprietary information.
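As an added illustration of the kind of check the last two passages describe (monitoring commits for exposed keys, and gating pushes so a secret never lands in a public repo), the Python below is example code written for this page, not the article's, GitHub's, or Truffle Security's own tooling. It scans a set of constructed staged files for the secret shapes a push-protection gate or a public-feed monitor would look for (AWS access key IDs, GitHub personal access tokens, PEM private-key blocks), reports findings with the matched value redacted so the scanner's own output does not re-leak anything, and refuses the push when any detector fires. The sample filenames echo the ones reported above; their contents, the detector names and the `SAMPLE_FILES` mapping are all constructed for this example.

```python
"""Minimal secret scanner in the spirit of GitHub push protection / TruffleHog.

Added example for this page; not CISA's, GitHub's or Truffle Security's code.
"""
import re
from dataclasses import dataclass

# Detector patterns. The AWS access-key-id and GitHub PAT shapes are publicly
# documented prefixes; the PEM header covers RSA/EC/OpenSSH/DSA/unlabelled keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # the full matched secret is never stored in scanner output


def redact(token: str) -> str:
    """Keep enough of the value to identify which credential fired, no more."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over each line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook sees staged files."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def push_allowed(files: dict[str, str]) -> bool:
    """Push-protection style gate: block the push when any detector fires.

    Deliberately offers no per-user bypass; an org-level policy that removes
    the bypass is the control the passage above refers to.
    """
    return not scan_files(files)


# Constructed sample of staged files. Names echo the reported repo; every
# value is fake (the AWS id is Amazon's documented example id).
SAMPLE_FILES = {
    "Important AWS Tokens.txt": "prod_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "kube-config.txt": "apiVersion: v1\nclusters:\n- name: example-cluster\n",
    "deploy_key.pem": ("-----BEGIN RSA PRIVATE KEY-----\n"
                       "MIIE...constructed-placeholder...\n"
                       "-----END RSA PRIVATE KEY-----\n"),
    "ci.env": "GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "README.md": "# nothing sensitive here\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    print("push allowed:", push_allowed(SAMPLE_FILES))
```

Run as a script it lists three findings (the AWS id, the PEM header and the GitHub token; the kubeconfig stub carries no key material) and reports the push as blocked. A real deployment would wire `push_allowed` into a pre-commit or pre-receive hook and extend `PATTERNS` with the credential formats an organization actually issues; the redaction step matters because scanner logs are themselves a common place for secrets to resurface.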

“Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”

Update, 3:05 p.m. ET: Added statement from CISA. Corrected a date in the story (Truffle Security said it found the repo gained some of its most sensitive secrets in late April 2026, not 2025).
