AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 01/22/2026

Pwn2Own Automotive 2026 Day Two Adds $439,250 and 29 Zero-Days

Day Two of Pwn2Own Automotive 2026 in Tokyo delivered another wave of vulnerability discoveries, with researchers earning $439,250 for demonstrating 29 unique zero-day vulnerabilities. This brings the event totals to $955,750 awarded and 66 zero-days discovered across two days. Fuzzware.io currently leads the Master of Pwn standings after successful exploits against the Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and Grizzl-E Smart chargers. Other highlights include Technical Debt Collectors compromising Automotive Grade Linux using a three-bug chain and Synacktiv exploiting the Autel MaxiCharger with the Charging Connector Protocol/Signal Manipulation add-on.

LastPass Warns of Phishing Campaign Targeting Vault Credentials

LastPass has alerted users to an active phishing campaign that began around January 19, 2026, urging recipients to “create a backup” of their password vaults ahead of fake maintenance. The emails, sent from suspicious addresses such as support@sr22vegas[.]com and support@lastpass[.]server3, create urgency by claiming users have 24 hours to act. Clicking the “Create Backup Now” link redirects victims through a malicious S3 bucket URL to a fake site (mail-lastpass[.]com) designed to steal master passwords. LastPass emphasized that no one at the company will ever ask for your master password, and said it is working to take down the malicious domains.

VoidLink Linux Malware Was Built Using AI Agent, Researchers Reveal

Check Point Research has concluded that VoidLink, the sophisticated Linux malware framework targeting cloud environments discovered last week, was largely built by artificial intelligence under the direction of a single individual. The malware comprises over 30 modular plugins and reached 88,000 lines of code in under a week—a pace that initially suggested a well-resourced cybercriminal operation. Analysis revealed the developer used an AI agent not just to write code but to plan, structure, and execute the entire project. Check Point called this discovery a “watershed moment” for malware development, noting that VoidLink shows how AI can materially amplify both the speed and scale at which serious offensive capability can be produced.

North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews

Security researchers have identified 3,136 individual IP addresses linked to likely targets of the North Korean PurpleBravo campaign (also known as Contagious Interview), along with 20 potential victim organizations across the AI, cryptocurrency, financial services, IT services, marketing, and software development sectors. The campaign, tracked to DPRK threat actors, uses fake job interviews and malicious code repositories to distribute BeaverTail, InvisibleFerret, and OtterCookie malware. Targets span Europe, South Asia, the Middle East, and Central America. The group exploits VS Code task hijacking and npm application hooks to compromise developer environments, ultimately enabling credential theft, cryptocurrency wallet theft, and persistent remote access.

Central Maine Healthcare Data Breach Impacts 145,000 Individuals

Central Maine Healthcare has disclosed that a data breach exposed sensitive information of more than 145,000 individuals, far exceeding the eight people initially reported to the Maine Attorney General’s office. Hackers maintained unauthorized access to the healthcare system’s network from March 19 through June 1, 2025, when the intrusion was discovered. The compromised data may include names, dates of birth, Social Security numbers, treatment information, and health insurance details belonging to both patients and current or former employees. CMH, which serves approximately 400,000 people and operates Central Maine Medical Center, Bridgton Hospital, and Rumford Hospital, is offering affected individuals 12 months of free credit monitoring services.
