Category Archives: News

Bitwarden scrubs ‘Always free’ and ‘Inclusion’ values from its website as longtime execs step down

In February, longtime CEO Michael Crandell moved to an advisory role, according to LinkedIn, with no announcement from the company. His replacement, Michael Sullivan, former CEO of both Acquia and Insightsoftware, touts his experience with “all facets of mergers and acquisitions” on his own LinkedIn page, including experience working with leading private equity firms.

CFO Stephen Morrison also left Bitwarden in April, replaced by former InVision CEO Michael Shenkman. Both Crandell and Morrison joined the company in 2019. Kyle Spearrin, who started Bitwarden as a fun hobby project in 2015, remains the company’s CTO.

Meanwhile, Bitwarden has made some subtle tweaks to its website. The page for its personal password manager no longer includes the phrase “Always free.” Previously this appeared under the “Pick a plan” section partway down the page, but that section no longer mentions the free plan, though it remains available elsewhere on the page. Bitwarden made this change in mid-April, according to the Internet Archive.

Update: After publication, an employee on the Bitwarden subreddit [Webmaster’s note: WTF?] said that “Always free” had been restored on its pricing page, calling it an “oversight” by the marketing team. The product page for Bitwarden’s personal password manager remains unchanged.

Berenson wins settlement and first amendment admission over Twitter ban

The Trump administration has settled with journalist Alex Berenson over the Biden White House’s role in getting him banned from Twitter during the summer of 2021.

The settlement includes a payment and a written admission that “the Government did in fact violate the First Amendment by exerting substantial coercive pressure on social media companies such as Twitter to suppress disfavored speech like Plaintiff’s.”

Not “encouraged.” Not “suggested.” The federal government put its name on a document saying it silenced a journalist because it didn’t like what he was saying about COVID-19 vaccines. Berenson’s lawyer, James Lawrence, believes this is the first time an individual American has received a cash payment to resolve a lawsuit over government coercion of social media companies.

Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.

Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.

According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even create rogue admin accounts.

“This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” explains Wordfence.

“In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever.”

18-year-old NGINX vulnerability allows DoS, potential RCE

An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution.

The vulnerability is tracked as CVE-2026-42945 and received a critical severity rating of 9.2, based on the latest version of the Common Vulnerability Scoring System (CVSS).

Three more memory corruption security issues were discovered in the same six-hour code scanning session by researchers at AI-native security company DepthFirst AI.

Webmaster’s note: “six-hour code scanning session” kill yourself. seriously jump onto interstate. this is what cybersecurity is going to be now. hey grok, hack PHP. make no mistakes. if i knew this is what AI was going to be used for i would’ve searched up sam altman’s address many moons ago

eBay rejects GameStop’s $56 billion bid as ‘neither credible nor attractive’

eBay on Tuesday rejected a $56 billion takeover bid from the much smaller GameStop over financing doubts, calling the proposal “neither credible nor attractive.”

eBay, which has roughly four times GameStop’s market value, also underscored that its turnaround efforts under CEO Jamie Iannone have boosted growth, with its stock returning 201% since Iannone took the position six years ago.

“We have concluded that your proposal is neither credible nor attractive,” eBay Chairman Paul Pressler said in a statement. “eBay’s Board is confident the company, under its current management team, is well-positioned to continue to drive sustainable growth.”

He also pointed to concerns with GameStop’s bid, including its financing, its impact on eBay’s long-term growth and the leadership structure of a potentially combined company.

Instructure reaches agreement with ShinyHunters to stop data leak

Instructure, the edtech giant behind the widely popular Canvas learning management system (LMS), has reached an “agreement” with the ShinyHunters extortion group to prevent the data stolen in a recent breach from being leaked online.

The company says over 30 million educators and students use its Canvas platform across more than 8,000 schools and universities worldwide.

In a Tuesday statement, Instructure said the cybercrime gang also returned the stolen data and provided shred logs confirming its destruction.

“We understand how unsettling situations like this can be, and protecting our community remains our top priority. With that responsibility in mind, Instructure reached an agreement with the unauthorized actor involved in this incident,” it said.

“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise. This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

However, as the FBI has repeatedly warned, paying a ransom does not guarantee that threat actors will not also sell the stolen data to other cybercriminals or attempt to extort the victims again.

Google broke reCAPTCHA for De-Googled Android users

Google has tied its next-generation reCAPTCHA system to Google Play Services on Android, meaning anyone running a de-Googled phone will automatically fail verification when the system decides to challenge them.

The requirement forces Android users to run Google’s proprietary app framework version 25.41.30 or higher just to prove they’re human.

When reCAPTCHA flags what it considers suspicious activity, it abandons the old image puzzles and demands you scan a QR code. That scan requires Play Services running in the background, communicating with Google’s servers. If you’re using GrapheneOS or any other custom ROM that strips out Google’s software, the verification fails.

Google announced the broader system, Google Cloud Fraud Defense, at Cloud Next on April 23, pitching it as a trust platform designed to handle autonomous AI agents and traditional bots alike. What Google didn’t emphasize was the part where proving you’re human now requires submitting to its proprietary surveillance.

JDownloader site hacked to replace installers with Python RAT malware

The website for the popular JDownloader download manager was compromised earlier this week to distribute malicious Windows and Linux installers, with the Windows payload found deploying a Python-based remote access trojan.

The supply chain attack affects those who downloaded installers from the official website between May 6 and May 7, 2026 via the Windows “Download Alternative Installer” links or the Linux shell installer.

According to the developers, the attackers modified the website’s download links to point to malicious third-party payloads rather than legitimate installers.

JDownloader is a widely used free download management application that supports automated downloads from file-hosting services, video sites, and premium link generators. The software has been available for more than a decade and is used by millions worldwide across Windows, Linux, and macOS.

Fiber optic cables can eavesdrop on nearby conversations

A fiber optic technique used to detect earthquakes can also pick up the faint vibrations of nearby speech, researchers reported at the general assembly of the European Geosciences Union. Freely available artificial intelligence (AI) software turned the fiber optic data into intelligible, real-time transcripts.

“Not many people realize that [fiber optic cables] can detect acoustic waves,” says Jack Lee Smith, a geophysicist at the University of Edinburgh who presented the result. “We show that in almost every case where you use these fibers, this could be a privacy concern.”

Fiber optics can pick up on sound through a technique called distributed acoustic sensing (DAS). Using a machine called an interrogator, researchers fire laser pulses down a cable and record the pattern of reflections coming back from tiny glass defects along the length of the fiber optic. When an earthquake’s seismic wave crosses a section of the fiber, it stretches and squeezes the defects, leading to shifts in the reflected light that researchers can use to build a picture of an earthquake.

DAS essentially turns a fiber cable into a long chain of seismometers that can detect not only earthquakes, but also the rumblings of volcanoes, cars, and college marching bands. And although scientists set up dedicated fiber lines specifically for research, DAS can also be performed on “dark fiber”—unused strands in the web of fiber optics that runs through cities and across oceans, carrying the world’s internet traffic.

DAS can also be used to eavesdrop, the work of Smith and his colleagues shows. They conducted a field test using an existing DAS setup used to study coastal erosion. They set a speaker next to the cable and played pure tones, music, and speech.

Human speech contains frequencies ranging from a few hundred to several thousand hertz. The low end of the range could be pulled out of the data “even without any preprocessing,” Smith says. “You can easily see acoustic waves.” Getting higher frequency speech took a bit of postprocessing, but it was possible. Dumping the data directly into Whisper, a free AI transcription tool, provided accurate real-time transcription.