No Privacy, but the AI, Privacy and Security Weekly Update for the Week ending April 21st. 2026
EP 288.
No privacy, but so much is going on that you might not notice for the next 20 minutes. We start with…
A senator who has been right before is raising alarms he cannot fully explain, and that pattern alone should command attention.
Traveling with a locked phone just became a legal liability in one of the world's most-visited financial hubs.
A hundred thousand users thought they were downloading videos; they were handing over their digital fingerprints.
That free app may be paying for itself in ways you never agreed to and will never see on a receipt.
North Korea's most prolific hacking group has refined its macOS playbook down to a single terminal command and a moment of misplaced trust.
A six-figure plugin acquisition quietly became an eight-month undetected supply chain attack hiding in plain sight.
The promise of building software in minutes is colliding with a harder truth: speed without security discipline is just a faster way to expose your users.
The same government arguing in court that an AI model is a national security threat is quietly using it to scan its own networks.
Let’s take a peek…
US: The Wyden Siren Goes Off Again: We'll Be "Stunned" By What the NSA Is Doing Under Section 702
A familiar warning is echoing through Washington again. Senator Ron Wyden has raised alarms about a secret interpretation of Section 702, the surveillance law that allows U.S. intelligence agencies to collect foreign communications. He says that when the public finally learns what is being done under that authority, it will be shocking.
The blog post frames this as part of a long pattern. Wyden has spent years issuing carefully worded warnings when classified programs cross a line, often hinting at problems he cannot fully disclose. In past cases, including the lead-up to the Snowden revelations, those warnings proved accurate. The implication is clear. When Wyden signals concern, it has historically pointed to real and significant surveillance activity.
At the center of the issue is secrecy. Lawmakers are being asked to reauthorize Section 702 while key details about how it is interpreted remain classified, according to Wyden. Critics argue this creates a gap between what the public believes the law permits and what agencies may actually be doing behind closed doors.
The timing adds urgency. Congress is once again debating whether to extend or reform Section 702, a program already under scrutiny for sweeping up Americans' data during foreign intelligence collection. The blog suggests that voting without full transparency risks repeating past mistakes, where surveillance powers quietly expanded beyond public understanding.
So what's the upshot for you?
The message is understated but pointed. If history is any guide, warnings issued in vague terms today often become tomorrow's confirmed disclosures, and paying attention early may be the only chance to understand what is being done in your name before it is already entrenched.
HK: Refusal to Give the Government Passwords to Personal Mobile Device Criminalized in Hong Kong
The U.S. Consulate General in Hong Kong issued a security alert following recent changes to Hong Kong's national security enforcement rules. The update focuses on new legal powers that require individuals, including foreign nationals, to provide passwords or decryption access to their electronic devices when requested by authorities during investigations. Refusal to comply can now result in criminal penalties, including possible imprisonment.
The alert emphasizes that these rules apply broadly, including to U.S. citizens traveling through or staying in Hong Kong, and may also affect individuals in transit at the airport. It notes that authorities have expanded discretion to seize and retain electronic devices they consider relevant to national security cases.
The consulate advised U.S. citizens to be aware that access to consular assistance may be important if they are detained under these provisions. It also reiterated standard guidance to maintain awareness of local laws and to be prepared for heightened scrutiny in national security-related matters.
The advisory has triggered diplomatic pushback, with Chinese officials objecting to the warning and framing it as interference in domestic affairs, while reaffirming the legality of the updated enforcement framework.
So what's the upshot for you?
The situation reflects a tightening legal environment in Hong Kong where digital privacy and state security demands increasingly intersect, placing everyday device security directly within the scope of national security enforcement.
Global: Fake TikTok Downloaders on Chrome and Edge Spying on 130,000 Users
A new cybersecurity report has uncovered a wave of malicious browser extensions posing as TikTok video downloaders on Google Chrome and Microsoft Edge. These tools appear legitimate but are designed to quietly monitor users and extract sensitive data. Researchers estimate more than 130,000 people may have already installed the extensions, exposing their browsing activity and personal information to attackers.
The extensions rely on device fingerprinting, a technique that builds a unique profile of each user based on their browser, system settings, and behavior. This allows attackers to track individuals across sessions and potentially link their activity over time. Unlike basic malware, these tools operate in the background, making detection difficult while continuing to harvest data.
Investigators found that the extensions were distributed through official browser stores, giving them an appearance of credibility. Once installed, they could access browsing data and interact with web activity under the guise of providing a simple download function. This reflects a broader pattern where seemingly harmless utilities are used as entry points for surveillance and data collection.
So what's the upshot for you?
Browser extensions aren't harmless little add-ons anymore; they can see a lot more than you think. If you didn't absolutely need it, it probably didn't need access to your data.
Global: Your Internet Connection Might Be Moonlighting
Some apps quietly turn users into nodes in residential proxy networks, selling their bandwidth to third parties.
These networks can be used for legitimate scraping or less savory activities.
Either way, it means your IP address could be associated with traffic you didn't generate.
So what's the upshot for you?
"Free" apps sometimes come with invisible tradeoffs. If something is using your connection behind the scenes, you'll want to know what and who it's working for.
KP: New Lazarus APT Campaign: "Mach-O Man" macOS Malware Kit Hits Businesses
A newly identified cyber campaign tied to the Lazarus Group is targeting macOS users with a sophisticated malware kit known as "Mach-O Man." Security researchers report the operation relies heavily on social engineering, using fake meeting invitations sent through platforms like Telegram to lure victims into compromising their own systems.
The attack begins when users are directed to spoofed meeting pages that mimic legitimate services such as Zoom or Microsoft Teams. Victims are then prompted to copy and execute a command in their terminal under the pretense of fixing a technical issue. This step effectively hands control to the attacker, bypassing traditional security defenses by exploiting user trust rather than software vulnerabilities.
Once inside, the malware deploys native macOS binaries designed to blend into the operating system. It focuses on harvesting high-value data, including credentials, browser sessions, and sensitive system information like Keychain entries. This allows attackers to quickly access corporate systems, financial platforms, and other critical resources without needing prolonged persistence.
Exfiltration is handled through Telegram, a legitimate service that helps the stolen data evade detection by blending into normal network traffic. By the time suspicious activity is noticed, attackers may already have full access to accounts and sensitive business data, creating immediate financial and operational risk for targeted organizations.
So what's the upshot for you?
The attack didn't need a vulnerability; it just needed someone to follow instructions. That's becoming the easier path in.
Global: WordPress Plugins Turned Into Malware After Ownership Change
More than 30 WordPress plugins have been compromised with malicious code that allows unauthorized access to websites running them. A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects as per the instructions received from the command-and-control (C2) server.
The compromise affects plugins with hundreds of thousands of active installations and was spotted after receiving a tip about one add-on containing code that allowed third-party access. Further investigation revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, after the project was acquired in a six-figure deal by a new owner.
"The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners."
WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no "change of control" notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. But 8 months passed between the backdoor being planted and being caught.
So what's the upshot for you?
"And here is the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time."
SE: Hot Startup Lovable's Security Stumble Shows One Big Risk in Using AI to Code
A fast-growing AI startup is facing scrutiny after a security lapse exposed a deeper issue in a new style of programming known as "vibe coding." The company, Lovable, allowed users to build software using simple prompts. But a flaw discovered by a user revealed that private code, chat histories, and customer data could be accessed through a free account, raising immediate concerns about how secure these systems really are.
The company initially denied any breach but later confirmed a backend error that temporarily reopened access to certain data in public projects. Security experts say this points to a broader weakness in AI-assisted coding tools. These platforms often prioritize speed and ease of use, sometimes at the expense of strong default security controls. In practice, that trade-off can make it easier for data to be exposed, especially when users rely heavily on AI without fully understanding how the underlying systems handle access and permissions.
The problem is not isolated. Similar issues have surfaced across the AI coding ecosystem, including incidents involving other companies where data leaks and vulnerabilities emerged. As adoption accelerates, the gap between rapid software creation and secure implementation is becoming more visible.
So what's the upshot for you?
Tools that make building software easier are also lowering the barrier to creating risk, meaning convenience in development now demands a much sharper awareness of what is happening behind the scenes.
US: NSA Using Anthropic's Mythos Despite Blacklist
Axios reports that the NSA is using Anthropic's restricted Mythos Preview model despite the Pentagon insisting the company poses a "supply chain risk." The government's cybersecurity needs appear to be outweighing the Pentagon's feud with Anthropic. The department moved in February to cut off Anthropic and force its vendors to follow suit. That case is ongoing. The military is now broadening its use of Anthropic's tools while simultaneously arguing in court that using those tools threatens U.S. national security.
Two sources said the NSA was using Mythos, while one said the model was also being used more widely within the department. It's unclear how the NSA is currently using Mythos, but other organizations with access to the model are using it predominantly to scan their own environments for exploitable security vulnerabilities.
Anthropic restricted access to Mythos to around 40 organizations, contending that its offensive cyber capabilities were too dangerous to allow for a wider release. Anthropic only announced 12 of those organizations. One source said the NSA was among the unnamed agencies with access. The NSA's counterparts in the U.K. have said they have access to the model through the country's AI Security Institute.
Anthropic's CEO met with top U.S. officials on Friday to discuss "opportunities for collaboration," according to a White House spokesperson, "as well as shared approaches and protocols to address the challenges associated with scaling this technology."
So what's the upshot for you?
Even at the highest levels, people use the tools that work regardless of the politics around them. Capability tends to win out over policy more often than anyone admits.
And a final review of what we covered:
Section 702 Surveillance powers rarely shrink once granted, and the gap between what the law says and what agencies do has a way of widening in the dark. When a senator with a track record of being right tells you to pay attention, the prudent move is to pay attention.
Hong Kong Passwords Device security is no longer just a corporate IT concern; it is now a travel risk with criminal consequences in certain jurisdictions. Anyone crossing into Hong Kong should treat their phone as a potential legal exhibit, not just a personal device.
Fake TikTok Extensions: The official browser store badge is not a safety guarantee; it is just a more convincing disguise. Every extension you install is a standing invitation into your browsing life, and most of them are never worth answering.
Residential Proxies Free software has always had a business model; you just may not know what it is yet. If an app has no obvious revenue stream, your bandwidth, your IP address, and your reputation may be the product.
Lazarus Mach-O Man State-sponsored attackers are no longer hunting for zero-days when a fake Zoom invite and a copied terminal command will do the job faster. The most dangerous vulnerability in your organization right now is the instinct to follow instructions without questioning the source.
WordPress Backdoor Software supply chain risk does not always arrive as a hack; sometimes it walks through the front door wearing a legitimate ownership transfer. Eight months of undetected access is a loud argument for continuous monitoring over one-time vetting.
Lovable Vibe Coding AI coding tools are compressing months of development into hours, but they are not compressing years of security engineering intuition into the same prompt. The faster software gets built, the more deliberately security needs to be designed in from the start, not discovered missing after the fact.
NSA + Mythos When the most security-conscious agency in the country quietly adopts a tool its own department is fighting in court, the capability argument has already won. The lesson is not that policy doesn't matter; it's that policy disconnected from operational reality tends to get quietly bypassed by the people it was meant to govern.
And our quote of the week - "The right to be let alone is the most comprehensive of rights, and the right most valued by civilized men." Justice Louis Brandeis, U.S. Supreme Court, 1928
This quote is interesting precisely because of its age. A Supreme Court Justice saw this coming nearly a century before browser extensions, residential proxies, and government-mandated password disclosure were even conceivable. The fact that a dissenting opinion written in 1928 reads like a direct response to this week's stories says everything about how little the instinct to surveil has changed, and how slowly the law moves to keep pace with it.
That’s it for this week. Stay Safe, stay secure, and keep it private. See you in Se7en!
Comments
Post a Comment