ThreatsDay Bulletin: Edge Plaintext Password Exposure, Critical ICS 0-Days, Urgent Patch Alerts and 25+ Breaking Security Stories
- May 7
- 5 min read
Key Findings
Microsoft Edge stores saved passwords in plaintext in memory on startup, accessible to any process with administrative privileges
MicroStealer malware targeting education and telecom sectors spreads via multi-stage delivery chains and exfiltrates data through Discord
FTC settlement with Kochava blocks sale of location data including income, device IDs, and real-time geolocation without explicit consent
pnpm 11 implements 24-hour minimum release age for packages to prevent automated compromise campaigns
Proton Mail adds optional post-quantum encryption support to protect against future cryptographic threats
Meta deploying AI visual analysis to identify and remove underage users from Facebook and Instagram
South Korean court upholds prison term for man who hired North Korean hacker for game server attacks
Background
The threat landscape in early 2026 remains dominated by unsexy, straightforward attack vectors that continue to work with alarming consistency. Stolen credentials, malicious packages, fake applications, and abandoned DNS records still account for a significant portion of successful breaches. The ease with which attackers share compromised data through Discord channels and Telegram suggests the criminal infrastructure has normalized what should be concerning security incidents. Meanwhile, automation is accelerating on both sides of the equation. Attackers are using AI to hunt vulnerabilities faster, which means defenders are under constant pressure to patch before exploits become weaponized. The irony is sharp: despite decades of security improvements, organizations are still losing to the fundamentals.
Edge Browser Plaintext Password Vulnerability
Security researcher Tom Jøran Sønstebyseter Rønning presented findings at Big Bite of Tech 26 in Oslo showing that Microsoft Edge stores all saved passwords in plaintext memory immediately upon browser startup. Unlike Chrome and other competitors that use App-Bound Encryption to lock passwords to the specific application and only decrypt them when needed, Edge leaves credentials sitting unencrypted in process memory indefinitely.
Rønning created a proof-of-concept tool called EdgeSavedPasswordsDumper and published it on GitHub to demonstrate how trivial extraction becomes. Any process with administrative or SYSTEM-level access can dump the passwords directly from memory. The vulnerability carries particular weight in shared computing environments like terminal servers, Citrix deployments, and Virtual Desktop Infrastructure setups, where a single attacker with admin rights can harvest passwords from every logged-in user simultaneously, including users not actively browsing.
Microsoft acknowledged the issue but characterized it as intentional design. The company stated the plaintext approach balances performance against security, and that if an attacker has achieved the level of access needed to scan process memory, the device is already compromised anyway. No immediate fixes are planned.
Security experts pushed back hard. Craig Lurey from Keeper Security noted that Windows process isolation is not airtight—one application can often read another's memory "without restriction." Morey Haber from BeyondTrust called plaintext password retention a categorical failure, arguing that passwords should be "transient secrets" used and discarded immediately. Storing them in clear text converts an authentication mechanism into a liability.
MicroStealer Credential Campaign
A new information stealer called MicroStealer emerged in December 2025 targeting education and telecom sector organizations. The malware specializes in extracting browser credentials, active session data, screenshots, cryptocurrency wallets, and system information through a sophisticated multi-stage delivery chain that evades detection effectively.
Data exfiltration flows through Discord webhooks and attacker-controlled servers, enabling real-time command and control. The malware spreads quickly thanks to its low detection footprint and modular architecture, making it difficult for security tools to flag during deployment. The combination of targeted sectors and data types suggests operators are pursuing both immediate financial gain through cryptocurrency theft and long-term access through credential harvesting.
FTC Settlement on Location Data Sales
The Federal Trade Commission reached a settlement with location data broker Kochava and subsidiary Collective Data Solutions that prohibits the companies from selling, sharing, or disclosing sensitive location data without explicit consumer consent going forward. The enforcement action centered on Kochava's collection and monetization of real-time geolocation data accurate within 10 meters, paired with consumers' yearly incomes, mobile device IDs, and app usage patterns—all obtained and sold without awareness or permission.
While the settlement imposed no financial penalty, it requires Kochava to establish a data retention schedule mandating deletion of consumer information within predetermined timeframes. The case underscores ongoing FTC focus on location data brokers operating in regulatory gray zones, selling detailed personal information to unknown buyers without meaningful disclosure to the individuals being tracked.
Post-Quantum Cryptography in Email
Proton Mail announced optional post-quantum cryptography support, allowing users to generate and use quantum-resistant encryption keys for new encrypted emails. The feature protects against both current threats and hypothetical future scenarios where current public-key cryptography becomes vulnerable to quantum computing advances.
The implementation generates new post-quantum-ready keys on user request but does not retroactively re-encrypt existing mailbox contents. Users must manually enable the feature to begin using quantum-safe encryption for outgoing messages. The move reflects growing industry attention to "harvest now, decrypt later" attacks where adversaries collect encrypted data today anticipating computational breakthroughs tomorrow.
Supply Chain Protection in pnpm 11
Package manager pnpm released version 11 with new supply chain protections targeting the automated package compromise campaigns that have accelerated in recent years. The update defaults to a 24-hour minimum release age for newly published packages, preventing installation until one day after publication. Teams can opt out, but the default posture now favors a built-in waiting period.
The measure also blocks exotic sub-dependencies that resolve from non-standard sources like Git repositories or direct tarball URLs, reducing attack surface for indirect compromise attempts. Most successful package poisoning campaigns rely on automation to maximize reach immediately after malicious code hits the registry. The delay creates friction that shifts economics against attackers operating at scale while allowing legitimate security research time to detect anomalies.
Meta AI Age Verification Expansion
Meta announced deployment of artificial intelligence tools to identify and remove users under 13 from Facebook and Instagram, acknowledging that age verification online remains an industry-wide challenge. The AI system analyzes profile metadata for contextual clues, then scans photos and videos for physical visual cues like height and bone structure to estimate general age ranges.
Meta emphasized the system does not use facial recognition technology to identify specific individuals. Instead, it combines visual age estimation with analysis of text interactions and behavioral patterns to increase detection accuracy. The expansion reflects ongoing regulatory pressure from child safety advocates and government agencies regarding underage user protection and data collection from minors.
North Korea-Linked Cybercrime Prosecution
South Korea's highest court upheld a one-year prison sentence for Oh Dae-hyun, a man convicted of hiring an unnamed North Korean cybercriminal to conduct attacks against rival game servers between October 2014 and March 2015. The defendant paid the hacker more than $16,300 in exchange for unauthorized access and disruption targeting the illegal Lineage game server he operated.
The case demonstrates persistent cross-border cybercrime prosecution efforts and ongoing use of North Korean contractors for hire-for-attack arrangements. Defendants typically face difficulty identifying and pursuing the actual North Korean operators, making prosecution focus on the intermediaries who contract the attacks.
Sources
https://thehackernews.com/2026/05/threatsday-bulletin-edge-plaintext.html
https://hackread.com/edge-browser-stores-saved-plaintext-passwords/

Comments