Alisha Gray

The add-ons concealed payloads in image and font files and activated days after install. Microsoft attributes the activity to a single actor operating since 2021.

A workspace-trust prompt was all that stood between a developer and credential theft. Amazon has shipped a fix for the high-severity flaw in its AI coding assistant.

Microsoft flags an unattributed campaign active since April 2026 against hospitality targets in Europe and Asia.

Forensic traces and a Russian court filing place a UFED extraction on the activist's device in June 2021, raising hard questions about post-sale controls on dual-use forensic kit.

A new framework aims to help security teams prioritize which supply chain vulnerabilities carry the highest operational, safety, and business risk where AI systems are in play.

Meta's AI data collection halted after security breaches. Employees accessed restricted data, revealing gaps in the program.

The June 22 order sets binding migration dates for high-value assets and high-impact systems, while leaving national security systems on a parallel track.

An active campaign abuses WhatsApp Desktop and Web to distribute scripted droppers that install commercial remote-management software across at least ten jurisdictions.

Researchers at Zafran say a chain of flaws in the popular agentic workflow platform let attackers read other tenants' chats without logging in.

Unauthorized access exposes CRM data; threat actors exploit legacy credentials.

Governance frameworks like NIST AI RMF and the EU AI Act assume the pipes under the model are secure. They often aren't.

The market intelligence vendor's disclosure adds another name to the lengthening list of Salesforce-adjacent SaaS breaches tied to stolen OAuth credentials.

Dutch-led coalition disrupts servers and remediates 14,971 compromised WordPress sites, in the latest tranche of the multinational takedown effort.

Understanding and managing security risks with Claude’s AI solutions for small and medium-sized businesses.

Researchers tracking the 'easy-day-js' supply chain incident say a single compromised maintainer account was sufficient to push malicious versions across the @mastra/* registry footprint.