42,000 iPhones Hacked — iOS 13 Still Running Amid $75B Crypto Losses: Apple’s Patch Ignored
TL;DR
- Google uncovers Coruna iOS exploit kit targeting 23 vulnerabilities across iOS 13–17.2.1 to steal crypto seed phrases
- Critical CVE-2026-1492 vulnerability exploited in 60,000+ WordPress sites allows unauthenticated admin access
- Wikimedia Foundation hit by self-propagating JavaScript worm modifying 3,996 pages and over 85 users' common.js files
💸 42,000 iPhones Compromised: Crypto Seed Phrases Stolen via iOS 13–17.2.1 Patch Lag — Ukraine, China, Russia Targeted
42,000 iPhones hacked… just because someone didn’t update iOS. 🤖💸 Each device held $1.8M in crypto potential. Apple patched it in JAN 2024. Users? Still running iOS 13 like it’s 2019. Meanwhile, Russian spies and Chinese gambling bots are sipping tea while your seed phrase gets mailed to a server in Vladivostok. — Are you the 5% who think ‘I’ll update tomorrow’ is a strategy?
Apple spent the last decade teaching us to swipe, tap, and trust the little slab in our pocket. Coruna just turned that slab into a pick-pocket.
Google’s Threat Intelligence Group (GTIG) says 23 zero-days—spanning iOS 13.0 to 17.2.1—let Russian and Chinese crews suck out 1 million BIP-39 seed phrases from 42,000 devices. Translation: enough keys to loot >$75 B in crypto. One rig, five exploit chains, zero conscience.
How the heist works
- You land on a “WEEX” crypto-gambling site or a booby-trapped Ukrainian news page.
- Hidden iframe fingerprints your OS, drops the WebKit nuke (CVE-2024-23222).
- PAC bypass → sandbox escape → kernel crown.
- PlasmaLoader parks inside the powerd daemon, AES-encrypts your seed, phones Moscow/Beijing.
- You notice when your wallet’s at zero. Too late.
Impacts (in plain blood)
- Privacy: 1 million seed phrases gone → every NFT, dog-coin, and DeFi position now a souvenir for strangers.
- Financial: median hot-wallet balance ~$1,800 → collective mugging worth a small nation’s GDP.
- Trust: 5 % of iPhones still on vulnerable code → Apple’s “it just works” now “it just leaks.”
Institutional shrug
Apple patched in iOS 17.3 (Jan 2024) and the upcoming iOS 26, but carriers don’t force updates. Enterprises? Half haven’t pushed Lockdown Mode because “user experience.” Regulators? Still arguing over whether crypto is property, commodity, or Pokémon.
Outlook (set a calendar reminder—or don’t)
- Next 6 months: Coruna-Lite hits browsers on iOS 17.3+, skipping kernel drama; expect 2× more infections.
- Q4 2026: exploit kits rent for $50 k/month on dark-web SaaS; script kiddies join the buffet.
- 2027: Apple ships hardware-bound WebKit attestation; only the newest iPhones qualify, turning older models into permanent loot boxes.
TL;DR
Your phone is either patched or plundered—no middle ground. Update, yank seeds offline, or keep trading convenience for rekt-ness. The market for zero-days is booming, and your passcode is the coupon.
🚨 60,000 WordPress Sites Handed Admin Keys to Hackers — U.S. Exploits Surge After Critical CVE-2026-1492
60,000 WordPress sites handed admin access to STRANGERS… 🚨 No login. No proof. Just POST ‘role=administrator’ and BOOM — you own the site. Defiant blocked 200+ attacks in 24hrs. But 60K are still wide open. Site owners who ignored ‘update now’ emails — congrats, you’re now a malware billboard. 🤖💸 How many of YOUR sites are still running 5.0.2? 🤔
Sixty-thousand WordPress sites just got a free “admin-for-life” coupon—no password, no invite, just a single POST request that screams “role=administrator” and the User Registration & Membership plugin rolls out the red carpet. CVSS 9.8, baby: maximum pain, minimum effort.
How the break-in works
- Attacker fills out the registration form.
- Adds one extra field: role=administrator.
- Plugin says “cool, here are the keys.”
No CAPTCHA, no handshake, no sanity check—just raw, unfiltered trust issues baked into 60 k+ installs.
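The flaw described above is a mass-assignment bug, and the fix is to decide the role on the server. The following is an added example, not code from the plugin or from this newsletter: a simplified Python model of a registration handler, where the field names, role names and DEFAULT_ROLE setting are assumptions.

```python
# Simplified model of a public registration endpoint (not the plugin's code).
# Field names, role names and DEFAULT_ROLE are assumptions for illustration.
ALLOWED_FIELDS = {"username", "email", "password"}      # what the form may set
PRIVILEGED_FIELDS = {"role", "roles", "capabilities"}   # never client-controlled
DEFAULT_ROLE = "subscriber"                             # set by site config only


def register_vulnerable(form):
    """The flaw as described above: every posted field is trusted, so a
    client-supplied 'role' overwrites the server's default."""
    user = {"role": DEFAULT_ROLE}
    user.update(form)  # mass assignment: request keys replace server values
    return user


def register_hardened(form, audit_log):
    """Copy only allowlisted fields and assign the role on the server."""
    smuggled = sorted(PRIVILEGED_FIELDS & set(form))
    if smuggled:
        # Keep a record for detection, then refuse the whole request.
        audit_log.append({"event": "privileged_field_in_registration",
                          "fields": smuggled, "username": form.get("username")})
        raise PermissionError("registration rejected: privileged field supplied")
    user = {name: form[name] for name in ALLOWED_FIELDS if name in form}
    user["role"] = DEFAULT_ROLE  # never derived from the request
    return user  # password hashing and storage are out of scope here


# Constructed sample submissions.
NORMAL = {"username": "reader1", "email": "reader1@example.org",
          "password": "constructed-value"}
TAMPERED = dict(NORMAL, username="guest2", role="administrator")


def demo():
    """Return (vulnerable role, hardened role, rejected?, audit entries)."""
    log = []
    try:
        register_hardened(TAMPERED, log)
        rejected = False
    except PermissionError:
        rejected = True
    return (register_vulnerable(TAMPERED)["role"],
            register_hardened(NORMAL, log)["role"], rejected, log)


if __name__ == "__main__":
    print(demo())
```

The audit entries written by the hardened handler give a site owner a concrete signal to alert on, alongside reviewing the existing administrator list.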
Impacts in one gulp
- Data: every user table—emails, hashes, metadata—now in someone else’s pocket.
- Malware: PHP shells uploaded in seconds, turning your cute blog into a drive-by buffet.
- Reputation: Google blacklists, hosts suspend, clients scream—your weekend plans cremated.
Who’s doing what
- Defiant: blocked 200+ exploit shots in 24 h—like a bouncer with a firehose.
- WPEverest: finally dropped v5.1.3 patch; 40 % still too lazy to click “update.”
- Regulators: sharpening GDPR scalpels; fines north of €20 M now on the menu.
Outlook—mark your calendar
- Next 7 days: botnets scan for stragglers; expect 2× traffic spike of fresh shells.
- 30 days: 60 % patched, 40 % rotting—perfect breeding ground for round-two ransomware.
- 90 days: WordPress.org rumored to require code audits; cheap plugins either grow up or die out.
If you’re still running <5.1.3, congratulations—you’re the low-hanging fruit in a forest of hungry hackers. Update now, audit your admin list, and maybe next Friday won’t taste like blood and regret.
🤖 3,996 Pages Vandalized in 23 Minutes — Wikimedia’s JavaScript Worm Hits Russian Wiki, Exposes Global Security Flaw
3,996 pages vandalized in 23 minutes—by a script uploaded in 2024. 🤖 Wikimedia’s ‘open for all’ ethos just got owned by a Russian bot with a GitHub habit. They locked editing… then unlocked it. No data stolen? Sure. But your common.js? Gone. Volunteer editors — who’s gonna fix the internet when the wiki’s own code turns traitor?
A JavaScript tapeworm slithered through Russian Wikipedia yesterday, auto-editing 3,996 pages and 85 personal scripts in 23 minutes before the Foundation slammed the “read-only” shutter. No data looted, just reputations scuffed and volunteers locked out of their own graffiti wall.
How the worm turned
- Logged-in editor visits any infected page.
- Hidden loader (User:Ololoshka562/test.js) hijacks the session cookie.
- Script overwrites MediaWiki:Common.js and every victim’s common.js, appending itself—classic copy-paste nightmare.
- Repeat until someone yanks the plug.
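For cleanup, the propagation pattern above suggests one check: find every site-wide or personal JS page that pulls in a script owned by a different account. The following is an added example, not Wikimedia's tooling. The page texts are constructed and the load syntax in them is an assumption; only the loader title comes from the report above.

```python
import re
from urllib.parse import unquote

# A reference to a JavaScript page in the User: namespace, such as
# "User:SomeName/loader.js"; group 1 is the account that owns the script.
USER_SCRIPT_REF = re.compile(r"User:([^/'\"&|\n]+)/[^'\"&|\s]+\.js", re.I)


def norm(name):
    """MediaWiki treats '_' as ' ' and ignores the case of the first letter."""
    name = name.replace("_", " ").strip()
    return name[:1].upper() + name[1:]


def page_owner(title):
    """Owner of a User:<name>/... page, or None for site-wide pages."""
    m = re.match(r"User:([^/]+)/", title)
    return norm(m.group(1)) if m else None


def find_foreign_loaders(pages, trusted_owners=()):
    """Flag JS pages that reference a script owned by a different account.
    `pages` maps page title -> current page text."""
    trusted = {norm(t) for t in trusted_owners}
    findings = []
    for title, text in sorted(pages.items()):
        owner = page_owner(title)
        for m in USER_SCRIPT_REF.finditer(unquote(text)):  # catch User%3A...
            ref_owner = norm(m.group(1))
            if ref_owner == owner or ref_owner in trusted:
                continue  # own script, or an account reviewers have vetted
            findings.append((title, m.group(0)))
    return findings


# Constructed page texts; the load syntax is assumed, the loader title is the
# one named above.
PAGES = {
    "MediaWiki:Common.js": "mw.loader.load('/w/index.php?title="
        "User:Ololoshka562/test.js&action=raw&ctype=text/javascript');",
    "User:Alice/common.js": "importScript('User:Alice/tools.js');",
    "User:Bob/common.js": "var x = 1;\nmw.loader.load('/w/index.php?title="
        "User%3AOlolishka562/test.js&action=raw');".replace("Ololishka", "Ololoshka"),
}

if __name__ == "__main__":
    for finding in find_foreign_loaders(PAGES):
        print(finding)
```

This check only catches references to a script page; a copy that pastes its whole body into common.js has to be found by diffing each page against its last clean revision.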
Damage, distilled
- Content integrity: 3,996 live articles vandalized → instant trust erosion.
- Volunteer downtime: global edit block ≈ 1 hour → 100 k+ edits delayed.
- Security optics: session-only hijack, no credential breach—this time.
- Wallet impact: emergency staff hours, priceless; actual cash outlay, $0 (volunteer infra).
What they’re duct-taping right now
- All 85 hijacked sessions nuked.
- test.js erased, Common.js rolled back to last clean version.
- Russian account + IP ranges blocked.
- Urgent nag: “Turn on 2FA, comrades!”
Crystal-ball timeline
- 0–4 weeks: post-mortem paper, CSP headers drafted, donors reassured.
- 3–12 months: signed-code extensions replace user-scripts, mandatory passkeys for admins.
- 12+ months: EU regulators wave DSA fines; other wikis copy the hardened playbook; attackers pivot to the next open-source playground.
Parting poke
If the “encyclopedia anyone can edit” can’t sandbox its own JavaScript, the knowledge of humanity rests on a Post-it labeled “please be nice.” Patch fast, patch cheap, or the next worm won’t stop at graffiti—it will rewrite history while we watch the spinning loader of doom.
In Other News
- FBI confirms Salt Typhoon cyberattacks targeted Verizon, AT&T, and Lumen Technologies in 2024, with drone-based wiretaps reported in 2025
- Google releases gws CLI tool for Google Workspace APIs with native Model Context Protocol support and AES-256-GCM encrypted credentials