Microsoft has released Command Palette, an enhanced version of its PowerToys Run launcher introduced five years ago. The utility, aimed at power users and developers, provides quick access to applications, files, calculations, and system commands through a Spotlight-like interface.

Command Palette integrates the previously separate Window Walker functionality for switching between open windows and supports launching command prompts, executing web searches, and navigating folder structures. Unlike its predecessor, the new launcher offers full customization via extensions, allowing users to implement additional commands beyond default capabilities. Available through the PowerToys application since early April, Command Palette can be triggered using Win+Alt+Space after installation

Broadcom employees have had their personal data compromised following a September 2024 ransomware attack on Business Systems House (BSH).

The breach, claimed by the Russian-speaking El Dorado ransomware group, wasn't fully identified until December when stolen data appeared online, according to The Register. Broadcom only received details of affected employees on May 12, 2025. Compromised information potentially includes national ID numbers, financial account numbers, health insurance details, dates of birth, salary information, and contact details.

Five employee accounts were initially compromised, ultimately affecting 560 users. ADP has distanced itself from the incident, stating only "a small subset of ADP clients" in "certain countries in the Middle East" were affected.

Editor's note: This story was updated shortly after publication to correctly state that BSH is a business partner of payroll company ADP, and not a subsidiary of ADP as first reported.

The FBI has issued a warning that cybercriminals have started using AI-generated voice deepfakes in phishing attacks impersonating senior U.S. officials. These attacks, involving smishing and vishing tactics, aim to compromise personal accounts and contacts for further social engineering and financial fraud. BleepingComputer reports: "Since April 2025, malicious actors have impersonated senior U.S. officials to target individuals, many of whom are current or former senior U.S. federal or state government officials and their contacts. If you receive a message claiming to be from a senior U.S. official, do not assume it is authentic," the FBI warned. "The malicious actors have sent text messages and AI-generated voice messages -- techniques known as smishing and vishing, respectively -- that claim to come from a senior U.S. official in an effort to establish rapport before gaining access to personal accounts."

The attackers can gain access to the accounts of U.S. officials by sending malicious links disguised as links designed to move the discussion to another messaging platform. By compromising their accounts, the threat actors can gain access to other government officials' contact information. Next, they can use social engineering to impersonate the compromised U.S. officials to steal further sensitive information and trick targeted contacts into transferring funds. Today's PSA follows a March 2021 FBI Private Industry Notification (PIN) [PDF] warning that deepfakes (including AI-generated or manipulated audio, text, images, or video) would likely be widely employed in "cyber and foreign influence operations" after becoming increasingly sophisticated.

Cryptocurrency exchange Coinbase said Thursday it is offering a $20 million reward for information leading to the arrest and conviction of criminals who attempted to extort the company for the same amount after stealing customer data.

The criminals bribed customer support agents in overseas markets to access records containing addresses, phone numbers, government IDs, and partial bank and Social Security details of more than 80,000 customers. "It sucks but when we see a problem like this we want to own it and make it right," Coinbase Chief Security Officer Philip Martin told Fortune.

The company will reimburse customers who fell victim to subsequent social engineering scams. No login credentials or wallet access were compromised in the breach. The extortionists had threatened to publish the stolen information unless paid $20 million in Bitcoin.

Google has warned that the hacker group known as "Scattered Spider," which recently disrupted UK retailer Marks & Spencer, is now targeting U.S. retailers with aggressive and sophisticated cyberattacks. "U.S. retailers should take note. These actors are aggressive, creative, and particularly effective at circumventing mature security programs," John Hultquist, an analyst at Google's cybersecurity arm, said in an email sent on Wednesday. The Guardian reports: Scattered Spider is widely reported to have been behind the particularly disruptive hack at M&S, one of the best-known names in British business, whose online operations have been frozen since 25 April. It has a history of focusing on a single sector at a time and is likely to target retail for a while longer, Hultquist said. Just a day before Google's warning, M&S announced that some customer data had been accessed, but this did not include usable payment or card details, or any account passwords. The Guardian understands the details taken are names, addresses and order histories. M&S said personal information had been accessed because of the "sophisticated nature of the incident."

"Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken," the company said. Hackers from the Scattered Spider ecosystem have been behind a slew of disruptive break-ins on both sides of the Atlantic. In 2023, hackers tied to the group made headlines for hacking the casino operators MGM Resorts International and Caesars Entertainment. Law enforcement has struggled to get a handle on the Scattered Spider hacking groups, in part because of their amorphousness, the hackers' youth, and a lack of cooperation from cybercrime victims.

Gilmoure shares a report: U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers.

[...] Using the rogue communication devices to skirt firewalls and switch off inverters remotely, or change their settings, could destabilise power grids, damage energy infrastructure, and trigger widespread blackouts, experts said. "That effectively means there is a built-in way to physically destroy the grid," one of the people said, The two people declined to name the Chinese manufacturers of the inverters and batteries with extra communication devices, nor say how many they had found in total.

An anonymous reader shares a report: U.K. retail giant Marks & Spencer has confirmed hackers stole its customers' personal information during a cyberattack last month. In a brief statement with London's stock exchange on Tuesday, the retailer said an unspecified amount of customer information was taken in the data breach.

The BBC, which first reported the company's filing, cited a Marks & Spencer online letter as saying that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information, and online order histories. The company also said it was resetting the online account passwords of its customers. FT adds: Marks and Spencer could claim for losses of as much as $133 million from its cyber insurers following a sustained hack where some customer data was stolen. The UK retailer's cyber policy allows it to claim up to $133 million, according to people familiar with the situation.

Allianz is the first insurer on the hook for M&S's losses, the people added, and is expected to pay at least the initial $13.3 million. Cyber specialist Beazley is also among the insurers exposed to losses at the FTSE 100 retailer, according to the people familiar with the situation.

Qatar is gifting Trump a $400 million luxury 747 to serve as a temporary Air Force One, but experts warn that retrofitting it to meet presidential security standards could take years, cost hundreds of millions more, and risk national security due to potential embedded surveillance. The Register's Iain Thomson reports: The current VC-25s aren't just repainted 747s. They're a pair of flying fortresses that must be capable of allowing the president to run the country, survive wartime conditions (even nuclear), and be totally secure from outside influence or intrusion. While the precise details of the current airframe are a tightly guarded secret, some details are included on government fact sheets or have been revealed in various media reports. For a start, it must have an in-flight refueling capability so the president can go anywhere in the world and stay up as long as needed. Retrofitting this to an existing 747 would be very expensive, as the feds would need to strengthen portions of the hull to handle the refueling system and reconfigure the fuel tanks to handle trim issues.

Then there's the hull, which is known to be armored, and the windows are also thicker than you'd find on a normal flight. The government would also need to build in weapons systems like the chaff rockets used against radar-guided missiles, flares against heat seekers, and AN/ALQ-204 Matador Infrared Countermeasure systems, or similar to try and confuse incoming missiles. Next up, the engines and electrical systems would have to be replaced. The electronics in the current VC-25s are hardened as much as possible against an electromagnetic pulse that would be generated by a nuclear detonation. There are also claims that the aircraft have extra shielding in the engines to help against missile fragments should a physical attack happen.

Next up are communications. Air Force One has air-to-ground, air-to-air, and satellite comms systems that are thought to be the equal of what's in the White House. There are at least two separate internal phone systems - one open and the other highly secure - that would need to be installed and checked as well. Then there are incidentals. Contrary to what films will tell you, there is no escape capsule on the current Air Force One, nor a rear parachute ramp, but there is a medical suite with emergency equipment and space for a physician which would already need to be installed, as well as a secured cargo area designed to prevent tampering or unauthorized access. As for the threat of embedded surveillance devices, Richard Aboulafia, managing director of aircraft consultancy AeroDynamic Advisory, said: "You'd have to take it apart piece by piece to stop a professional operator putting in lots of equipment to confuse things, like spare sensors and wiring."

"It wouldn't be in the air before 2030 at the earliest, long after he's left office and probably later than the existing planned replacements," said Aboulafia. "It makes no sense on any level, except that he wants a free 747 for himself. Nothing else makes any sense."

"What's sort of annoying about the whole thing is I'm not sure what's wrong with the current Air Force One," Aboulafia said. "Maybe if they gave it a gold makeover, he'd like it more."

Google is enhancing Android's Factory Reset Protection (FRP) to make stolen phones virtually unusable by detecting setup wizard bypasses and requiring a second factory reset until ownership is verified. Android Authority reports: You can factory reset an Android phone in several ways. However, triggering a reset through the Android recovery menu or Google's Find My Device service activates Factory Reset Protection (FRP). During setup after such a reset, the wizard requires you to verify ownership by either signing into the previously associated Google account or entering the device's former lock screen PIN, password, or pattern. Failing this verification step blocks setup completion, rendering the device unusable. [...]

Factory Reset Protection (FRP) is a valuable feature that discourages theft by rendering stolen Android phones useless to potential buyers if wiped improperly. However, FRP isn't foolproof; thieves have discovered numerous methods over the years to circumvent it. These bypasses typically involve skipping the setup wizard, allowing someone to use the phone without entering the previous owner's Google account details or screen lock.

During The Android Show: I/O Edition, Google announced plans to "further harden Factory Reset protections, which will restrict all functionalities on devices that are reset without the owner's authorization." While the company didn't elaborate much, a screenshot it shared suggests that Android will likely detect if someone bypasses the setup wizard and then force another factory reset, preventing unauthorized use until the user proves ownership. [...] Google stated this FRP improvement is coming "later this year." Since the stable Android 16 release is coming soon, this timeline suggests the feature won't be part of the initial launch. It might arrive later in one of Android 16's Quarterly Platform Releases (QPRs), but that remains to be seen.

New submitter Synonymous Homonym writes: This year's USENIX ATC will be the last, but other USENIX conferences will keep happening.

Since USENIX's inception in 1975, it has been a key gathering place for innovators in the advanced computing systems community. The early days of meetings evolved into the two annual conferences, the USENIX Summer and Winter Conferences, which in 1995 merged into the single Annual Technical Conference that has continued to evolve and serve thousands of our constituents for 30 years.

USENIX recognizes the pivotal role that USENIX ATC has played in the shaping of the Association itself as well as the lives and careers of its many attendees and members. We also realize that change is inevitable, and all good things must come to an end:

The last ATC will include both a celebration of USENIX's 50th anniversary on the evening of Monday, July 7, and a tribute to USENIX ATC on the evening of Tuesday, July 8.

Microsoft has quietly extended support for Office applications running on Windows 10 well beyond the operating system's October 14, 2025 end-of-support deadline. Microsoft 365 subscribers will now receive updates through October 2028, while perpetual license versions will follow their standard lifecycle policies -- Office 2021 until October 2026 and Office 2024 until October 2029.

Windows Defender malware definitions will also continue "through at least October 2028" despite Windows 10's imminent retirement. This reverses Microsoft's previous stance that all Office applications would become unsupported when Windows 10 reaches end-of-life.

Intel has certified Shell's lubricant-based method for cooling servers more efficiently within data centers used for AI. From a report: The announcement on Tuesday, which follows the chipmaker's two-year trial of the technology, offers a way to use less energy at AI facilities, which are booming and are expected to double their electricity demand globally by 2030, consuming as much power then as all of Japan today, according to the International Energy Agency.

So far, companies have largely used giant fans to reduce temperatures inside AI data centers, which generate more heat in order to run at a higher power. Increasingly, these fans consume electricity at a rate that rivals the computers themselves, something the facilities' operators would prefer to avoid, Intel Principal Engineer Samantha Yates said in an interview.

Linux creator Linus Torvalds has abandoned his six-month experiment with a quieter low-profile keyboard in favor of his old mechanical one with Cherry MX Blue switches. In a post about Linux 6.15-rc6 on LKML.org, Torvalds explained that his typing accuracy suffered without the tactile feedback.

"It seems I need the audible (or perhaps tactile) feedback to avoid the typing mistakes that I just kept doing," Torvalds wrote. The famously outspoken developer couldn't recall why he initially switched to the quieter keyboard, as he doesn't work in a shared office where the noise would disturb others. After the failed experiment with the unnamed quiet keyboard, Torvalds has now returned to what he describes as a "noisy clackety-clack" input device. He joked that since he can no longer blame his keyboard for typos, "going forward, I will now conveniently blame autocorrect."

Gaming pioneer John Carmack believes we're not nearly as dependent on cutting-edge silicon as most assume -- we just lack the economic incentive to prove it. Responding to a "CPU apocalypse" thought experiment on X, the id Software founder and former Oculus CTO suggested that software inefficiency, not hardware limitations, is our greatest vulnerability. "More of the world than many might imagine could run on outdated hardware if software optimization was truly a priority," Carmack wrote, arguing that market pressures would drive dramatic efficiency improvements if new chips stopped arriving.

His solution? "Rebuild all the interpreted microservice based products into monolithic native codebases!" -- essentially abandoning modern development patterns for the more efficient approaches of earlier computing eras. The veteran programmer noted that such changes would come with significant tradeoffs: "Innovative new products would get much rarer without super cheap and scalable compute."

The new owners of VPN provider VPNSecure have drawn ire after canceling lifetime subscriptions. From a report: The owners told customers that they didn't know about the lifetime subscriptions when they bought VPNSecure, and they cannot honor the purchases.

Cybersecurity researchers have flagged three malicious npm packages that target the macOS version of AI-powered code-editing tool Cursor, reports The Hacker News: "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko said. All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025...

In total, the three packages have been downloaded over 3,200 times to date.... The findings point to an emerging trend where threat actors are using rogue npm packages as a way to introduce malicious modifications to other legitimate libraries or software already installed on developer systems... "By operating inside a legitimate parent process — an IDE or shared library — the malicious logic inherits the application's trust, maintains persistence even after the offending package is removed, and automatically gains whatever privileges that software holds, from API tokens and signing keys to outbound network access," Socket told The Hacker News.

"This campaign highlights a growing supply chain threat, with threat actors increasingly using malicious patches to compromise trusted local software," Boychenko said.
The npm packages "restart the application so that the patched code takes effect," letting the threat actor "execute arbitrary code within the context of the platform."

Whoop fitness trackers had promised free upgrades to anyone who'd been a member for at least six months — and then reneged. "After customers began complaining, the company responded with a Reddit post, according to a report from TechCrunch: Now, anyone with more than 12 months remaining on their subscription is eligible for a free upgrade to Whoop 5.0 (or a refund if they've already paid the fee). And customers with less than 12 months can extend their subscription to get the upgrade at no additional cost.
Whoop acknowledged that they'd previously said anyone who'd been a member for six months would receive a free upgrade. Friday they described that blog article as "incorrect". ("This was never our policy and should never have been posted... We removed that blog article... We're sorry for any confusion this may have caused.")

TechCrunch explains: While the company said it's making these changes because it "heard your feedback," it also suggested that its apparent stinginess was tied to its transition from a [2021] model focused on monthly or six-month subscription plans to one where it only offers 12- and 24-month subscriptions...

There's been a mixed response to these changes on the Whoop subreddit, with one moderator describing it as a "win for the community." Other posters were more skeptical, with one writing, "You don't publish a policy by accident and keep it up for years. Removing it after backlash doesn't erase the fact [that] it is real."
Other changes announced by Whoop:

• "If you purchased or renewed a WHOOP 4.0 membership in the last 30 days before May 8, your upgrade fee will be automatically waived at checkout..."

• "If you've already upgraded to WHOOP 5.0 on Peak and paid a one-time upgrade fee despite having more than 12 months remaining, we'll refund that fee."

"Thank you for your feedback. We remain committed to delivering the best technology, experience, and value to our community."

"A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver," reports The Hacker News: Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint.

The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework. According to [SAP cybersecurity firm] Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. Onapsis said it observed reconnaissance activity that involved "testing with specific payloads against this vulnerability" against its honeypots as far back as January 20, 2025. Successful compromises in deploying web shells were observed between March 14 and March 31.
"In recent days, multiple threat actors are said to have jumped aboard the exploitation bandwagon to opportunistically target vulnerable systems to deploy web shells and even mine cryptocurrency..."



Thanks to Slashdot reader bleedingobvious for sharing the news.

Exposure-management company Tenable recently discussed how the MCP tool-interfacing framework for AI can be "manipulated for good, such as logging tool usage and filtering unauthorized commands." (Although "Some of these techniques could be used to advance both positive and negative goals.")

Now an anonymous Slashdot reader writes: In a demonstration video put together by security researcher Seth Fogie, an AI client given a simple prompt to 'Scan and exploit' a web server leverages various connected tools via MCP (nmap, ffuf, nuclei, waybackurls, sqlmap, burp) to find and exploit discovered vulnerabilities without any additional user interaction

As Tenable illustrates in their MCP FAQ, "The emergence of Model Context Protocol for AI is gaining significant interest due to its standardization of connecting external data sources to large language models (LLMs). While these updates are good news for AI developers, they raise some security concerns." With over 12,000 MCP servers and counting, what does this all lead to and when will AI be connected enough for a malicious prompt to cause serious impact?

"Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware," reports Ars Technica, "a strong indication that devices belonging to him have been hacked in recent years." As an employee of DOGE, [30-something Kyle] Schutt accessed FEMA's proprietary software for managing both disaster and non-disaster funding grants [to Dropsite News]. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the U.S. According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware... Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps...

Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
The credentials may have been exposed when service providers were compromised, the article points out, but the "steady stream of published credentials" is "a clear indication that the credentials he has used over a decade or more have been publicly known at various points.

"And as Lee noted, the four dumps from stealer logs show that at least one of his devices was hacked at some point."

Thanks to Slashdot reader gkelley for sharing the news.