Security Friday | Week of 4/10/26

Hi Insiders, Cullen here. This week, we’re taking a look at macOS. A new report highlights the latest threats to Mac users, and we’ve got a breakdown of the latest malware targeting Mac computers. There’s always something new to learn in the ever-changing world of cybersecurity, so we’re glad you spend a few minutes each week with us here. It means a lot to read your replies every week, and to hear about the scams and trouble you encounter in your regular lives. Please don’t hesitate to email us at security@iphonelife.com to let us know what you think of the news, and to share any scams, hacks, or trouble that our readers ought to hear about.

Cullen Thomas, Senior Instructor at iPhone Life

In This Newsletter
- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎

🗒️✅ Your Security Checklist
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Turn off ChatGPT access on your iPhone. If you have an Apple Intelligence-compatible device, it will sometimes use ChatGPT for Siri queries. You can turn off ChatGPT in Settings.
- Disable location history in Apple Maps. If you use Apple Maps, the app can keep a record of your Visited Places. Thankfully, this feature can be turned off.
- Use Hide My Email to protect your privacy. This iCloud+ feature allows you to create a dummy email that will forward messages to your main email address. This should be used when signing up for websites you suspect may send you spam mail.

🏆🎖️ Test Your Security Skills
What should you do in the following scenario? Your password manager warns you that a password is compromised. What should you do? 🤔
- Visit all the websites where that password is used and replace it with a unique password for each one.
- See if the account is important; otherwise, ignore it.
- Reboot your computer.
- Visit all the websites where that password is used and reset it with one new password following your preferred pattern.
Scroll to the bottom to see how you did!

41% of Mac Owners are Critically Out-Of-Date
A new yearly threat report from Jamf looked at data gathered from a random sample of 10,000 Mac computers to see what's changed for Mac users since last year. They found that over the past year, macOS infostealer malware has continued to become more prevalent and sophisticated. 41% of Macs surveyed were using critically out-of-date versions of macOS, leaving them vulnerable to malware. There are more startling details in the report, which you can read here.
The Bottom Line: Malware targeting Mac computers is on the rise (though it’s still not as common as on Windows). Most macOS malware installs come from trojans: malicious code hidden inside otherwise safe apps. Practice caution in which apps you install on your Mac, avoid browser extensions, and uninstall old apps that you aren’t using anymore.

🤨 This Should Be on Your Radar 📡

New macOS Infostealer Hunts High-Value Crypto Wallets
One consistent motivation behind the surge in malware targeting macOS (discussed above) is the value stored in cryptocurrency wallets. A new malware, notnullOSX, demonstrates this. It exclusively targets Mac devices, and even when installed on a device, it doesn’t do anything unless it detects a cryptocurrency wallet containing more than $10k. Once it finds such a system, it attempts to steal the cryptocurrency. The malware is installed through the “clickfix” pattern or through a dmg (the regular app install process). Read more about it at Moonlock. In this case, the lure is an invitation to view a Google Doc, but when the intended victim tries to view the doc, they get a fake warning page saying that Google needs to update their encryption package in order to view the doc.
The Bottom Line: Beware of the clickfix scam pattern: No legitimate CAPTCHA will ask you to paste a command into your Mac Terminal or Windows Command Prompt. Also, Google encryption does not require you to install an application in order for it to update. In general, no website should ever unexpectedly ask you to download and install an app. Beware of the rise of malware targeting Mac computers, and run a malware scanner regularly—we recommend Malwarebytes.

Encrypted Messaging App Leaves User Messages Exposed
A "secure" messaging app called TeleGuard was recently found to not be quite as secure as its developers claimed. The app was advertised as being end-to-end encrypted, just like Signal and WhatsApp. While it's true that the app uses E2E encryption, researchers discovered that the company was storing user decryption keys on its own servers, meaning that the company itself could easily access user messages. As a result, potential attackers could do the same if they managed to breach TeleGuard's servers. Read more about TeleGuard at 404 Media.
The Bottom Line: As we always say, security is hard to get right, especially when it comes to end-to-end encryption. TeleGuard storing its decryption keys on an easily accessible server puts the privacy of its entire user base at risk. If you want to use a truly end-to-end encrypted messaging app, Signal is all you need.

AI Assistant Patches Major Vulnerability
OpenClaw is an AI-powered tool that is supposed to enhance users' productivity by handling tasks like organization and research. By its nature, it requires an extraordinary amount of access to users' computers, making it ripe for exploitation. Last week, OpenClaw released an update to patch a vulnerability that allowed attackers to gain administrative access to all devices on the same network. This is not the first security flaw that has been found in OpenClaw, and it certainly won't be the last. For more details, head over to Ars Technica.
The Bottom Line: If you have OpenClaw installed on your computer, you should install this update as soon as possible to protect your devices. Better yet, we recommend uninstalling it or never installing it to begin with. Allowing an AI to take control of your computer will always come with security and privacy risks.

LinkedIn Stalks Users For Their Own Protection, It Claims
Researchers looking into LinkedIn have found that the work-focused social media platform scans each visitor to the site, identifying which browser extensions they have installed—information that can be used to identify each unique visitor regardless of their privacy preferences or countermeasures they have taken. Researchers have filed two class-action lawsuits alleging that profiling through scanning for browser extensions is illegal under California’s privacy laws. LinkedIn has not denied that profiling is taking place; instead, it claims the practice helps identify bot traffic for user protection. Read more at PCMag.
The Bottom Line: Privacy-preserving web browsers such as Safari offer protections that make profiling based on your web browser and past browsing habits harder, but surveying the extensions installed gets around those protections. If your mix of extensions is unique, then LinkedIn could still profile your movement across its website and others. For this and other reasons, we recommend avoiding browser extensions except for your password manager and ad blocker.

Apple Claims Lockdown Mode Has 100% Success Rate
An Apple spokesperson mentioned to TechCrunch that the company is “not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device.” This is notable because Apple does sometimes detect malware targeting iPhone users and notify those users—so it’s interesting that none of those people have ever been users of Lockdown Mode. This is a worthy success for Apple: Locking out the well-funded and highly motivated hackers who make the likes of Paragon and Predator is hard work.
The Bottom Line: Most users don’t need to turn on Lockdown Mode: It is only for those who may be personally targeted by state espionage services. If you are in that category, you can enable Lockdown Mode in Settings > Privacy & Security > Lockdown Mode. However, note that even Lockdown Mode cannot protect you if you willfully install a malicious app, so continue to exercise caution when installing apps.

Scams Targeting Americans At Highest Rate Ever, FBI Says
The FBI has released its annual crime statistics report, which includes data on cybercrime. The bureau says its scam complaints hotline is now taking radically more calls than ever, 3,000 a day on average, up from a few hundred. Americans lost a record-setting $21 billion to cybercrime in 2025, with cryptocurrency theft and investment scams being the largest and highest-value categories. Bleeping Computer did a good write-up on the report, and you can read the FBI’s full report.
The Bottom Line: It’s no surprise that we’re exposed to more scams every day than we were ten years ago, but the details matter. Be on the lookout for fake investment scams, especially those involving cryptocurrency. These scams, often with a strong relationship-building element, are the main drivers of the scam economy.

Japan Weakens Privacy Laws to Help Out AI Companies
Japan has amended its Personal Information Protection Act to make it easier for companies to gather information about residents and visitors without their permission. Facial scans, health data, and more are fair game under the new rules. Japan’s Minister for Digital Transformation, Hisashi Matsumoto, said that the changes were needed because the old rules were “a very big obstacle to the development and utilization of AI in Japan.” In other words, you need to give up your privacy so that your boss can build a robot to replace you. Read more at The Register.
The Bottom Line: When the law does not protect us, it becomes even more important to understand and control personal tools for our own protection. Tools like privacy-preserving web browsers and search engines, VPNs, pseudonyms, email-masking services (e.g., iCloud’s Hide My Email), and more will still protect your privacy even when the law gives corporations permission to stalk you without your consent.

🙈 Security Fail of the Week 👎

Russia Bans VPNs & Accidentally Breaks Banking Apps
Russia recently banned the use of VPNs across the country. The government's attempt to prevent citizens from using VPNs may have inadvertently brought down banking services last week, making cash the only viable payment option. Banks also use VPNs, so it’s possible that Russia’s heavy-handed crackdown on VPNs may have disrupted bank communications. The Russian government has not addressed the outage, but all banking services have returned to normal operations since. Read more at Bloomberg.
The Bottom Line: Privacy-protecting tools such as the encryption of a VPN are necessary for banking to function online, and they also protect the privacy of individuals. When governments take steps to disrupt those privacy protections in the name of security, they also disrupt critical services. Reducing privacy does not increase security.

🍎📱 Security Updates from Apple 🍎
- The most recent iOS and iPadOS is 26.4
- The most recent macOS is 26.4
- The most recent tvOS is 26.4
- The most recent watchOS is 26.4
- The most recent visionOS is 26.4
Read about the latest updates from Apple.

Security Skills Answer
The correct answer was A: Visit all the websites where that password is used and replace it with a unique password for each one.

Mission Statement
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.