All issues
Tech & Security Intelligence Issue 008 · 13 Jul 2026

The Weekly
Brief

AI joins the fight against scammers, three web-app flaws already under attack, Microsoft starts labelling AI-made content, and why NZ's privacy laws are about to grow teeth.

Paul, Director of Node-Red
Curated by Paul
Editor · Node-Red

4 stories · 6 min read

In this issue

01 Scam Alert

Netsafe turns AI on the scammers — and moves its helpline online

On 1 July, Netsafe — New Zealand's online-safety agency — announced a shake-up of how it fights scams. Its long-running Scams Helpline is moving to an AI-assisted digital service for information, guidance and referrals, freeing its people to focus on specialist frontline harms. Alongside it, Netsafe is expanding ReScam.org, an AI-powered platform where anyone can forward a scam email to me@rescam.org and let the AI string the scammer along.

The idea is to waste the scammer's time and harvest intelligence on new tactics. Since it launched, ReScam has engaged more than 16,000 scammer email addresses across 20,000+ conversations and processed over 300,000 scam emails. "Our priority is ensuring New Zealanders can access trusted support," said Netsafe chief executive Brent Carey.

02 Patch Now

Patch now: three web-app flaws are under active attack — one in an AI tool

On 7 July, the US cyber agency CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalogue — the list it only adds to when there's evidence a flaw is being exploited in the wild. Two are in popular Joomla website page-builder add-ons (SP Page Builder, CVE-2026-48908, a file-upload flaw; and Joomlack Page Builder, CVE-2026-56290, an access-control flaw).

The third is the one to note: Langflow — a widely-used tool for building AI/LLM apps — carries an authorization-bypass bug (CVE-2026-55255) that lets an attacker slip past access controls. It's a reminder that the shiny new AI tools teams are adopting are now just as much of a target as the website plugins we've always had to patch.

03 Business IT

Microsoft 365 starts watermarking AI-generated video and audio

Between 17 June and 1 July, Microsoft switched on a new transparency feature across Microsoft 365: content that Copilot and other M365 tools generate or alter with AI can now carry a watermark. Video gets a small Copilot icon in the corner; audio gets a spoken line — "This audio is generated by AI" — at the start or end of the clip.

It's controlled by an admin policy, and here's the important bit: even if you turn the visible watermark off, Microsoft still writes provenance information into the file's metadata. The wording and placement can't be customised. It's a quiet but meaningful shift in how AI-made content will be labelled inside the tools most Kiwi businesses already use every day.

04 Compliance

New Zealand's cyber laws are about to grow real teeth

After a run of high-profile breaches, the Government's Cyber Security Action Plan (2026–27) signals a real shift in how New Zealand will hold organisations to account. One strand tasks officials with advising on a civil pecuniary penalty regime under the Privacy Act 2020 — today, the Act has no general financial penalty for a serious breach, capping out at a $10,000 fine for failing to notify.

A parallel critical-infrastructure proposal goes further, floating penalties of up to NZ$5 million (or 2% of turnover) for the most serious failures — and, notably, personal liability for directors of up to NZ$500,000. The direction of travel is clear: cyber and privacy are moving from "best-endeavours" to enforceable duty, with consequences that reach the boardroom.

Tip of the week

Keep a simple inventory of your software, plugins and AI tools

Story 02 makes the point plainly: you can't patch — or protect — what you don't know you're running. Most small businesses have no single list of the apps, website plugins, browser extensions and AI tools in use across the team, which is exactly how an old, unpatched add-on becomes the way in. Spend an afternoon building a plain spreadsheet: what's installed, where, who owns it, and whether it's still needed. Then delete anything nobody uses, and put a reminder in the calendar to review it each quarter. It's unglamorous, it's free, and it's one of the highest-value security jobs a small business can do. If you'd like a hand pulling that inventory together — including the things running quietly in the background — that's a great first step we can do with you.

Node-Red

Want all of this handled for you?

We keep an eye on the threats, the updates and the fine print so you don't have to. Book a free, no-obligation IT checkup.

Book your free IT checkup