Lucy Green
Data breaches & privacy
Lucy worked breach-notification regulation before moving into journalism. She covers data exposures, the legal aftermath, and what victims should actually do — beyond the platitudes.
Recent stories
AI Security
Six Things SRE Teams Demand Before Handing Anything to an AI Agent
Observability gaps, missing guardrails, and opaque reasoning are the real blockers — not the AI itself.
Jun 11
AI Security
Frontier AI Models Transform Vulnerability Discovery
AI capabilities reshape cyber defense strategies, prompting new approaches to vulnerability management.
Jun 11
Policy & Regulation
GitHub's npm Overhaul: No More Automatic Install Scripts
GitHub reshapes npm with default script blocking, aiming to tighten software supply chain security.
Jun 11
AI Security
Twelve Controls That Actually Matter Once AI Ships to Production
Visibility into AI applications is a starting point, not a security posture. Here is what ongoing monitoring and defense of production AI systems looks like in practice.
Jun 10
AI Security
Anthropic Ships Claude Fable 5 as Two Products, One With the Cyber Guardrails Off
The public gets Fable 5. A vetted cyber cohort gets Mythos 5 — the same model with safety classifiers lifted.
Jun 10
Policy & Regulation
Starmer's Device-Scan Mandate Puts Enterprise Encryption in the Crosshairs
The UK Prime Minister gave tech firms three months to build image-filtering controls into every device. Security leaders say the architecture required would gut encryption protections, create fresh exfiltration paths, and hand future governments a surveillance tool the current one insists it doesn't want.
Jun 10
AI Security
OpenAI's Lockdown Mode Admits the Problem It Can't Quite Fix
The new containment feature reduces AI-enabled data exfiltration — it doesn't stop it. Experts are divided on whether enterprises should even trust a vendor to police itself.
Jun 9
Vulnerabilities
Six Flaws in protobuf.js Turn Serialized Schemas Into Execution Vectors
The JavaScript Protocol Buffers library — pulled 50 million times a week — ships patches for a cluster of CVEs that let attackers use schema metadata to run arbitrary code inside Node.js processes.
Jun 8
Vulnerabilities
Check Point Confirms Active Exploitation of IKEv1 Cert-Bypass Flaw in Remote Access VPN
CVE-2026-50751 lets unauthenticated attackers slip past authentication on gateways still running the deprecated IKEv1 key exchange. Patch is out. Exploitation is not theoretical.
Jun 8
Threat Intelligence
UNC3753 Hit U.S. Professional Services Firms With Vishing and Walk-In Intrusions
Dozens of legal, financial, and consulting firms were hit between January and May 2026 in a data-theft extortion run that blended phone-based social engineering with physical site visits.
Jun 8
Vulnerabilities
CISA Flags SolarWinds Serv-U DoS Bug as Actively Exploited
CVE-2026-28318 crashes the file transfer service. Federal agencies get the usual three-week patch window.
Jun 6
Breaches
Ultrahuman Data Leak, Ransomware Tradecraft, and a Browser That Mines Your CPU: The Week's Overlooked Stories
Three stories that didn't dominate the feed — a wearable-tech data exposure, a dissection of The Gentlemen ransomware, and Hola Browser quietly bundling a cryptominer.
Jun 5
Vulnerabilities
Everest Forms Pro RCE Under Active Exploitation on WordPress Sites
CVE-2026-3300 carries a 9.8 CVSS. Attackers are using it to take over sites running unpatched versions of the premium form-builder plugin.
Jun 5
Cloud Security
PCPJack Turns 230 Hijacked Cloud Servers Into a Stealth SMTP Relay Grid
Compromised AWS, Google Cloud, and Azure instances were quietly converted into verified mail relays and resold downstream every five minutes.
Jun 5
Policy & Regulation
Webinar Highlights Gaps in Third-Party Risk Management
A critical look at third-party risk programs and their practical failures.
Jun 4