Latest stories — Page 16

Microsoft Pulls Post-Quantum Deadline Forward to 2029
Azure CTO Mark Russinovich says the 'risk horizon' has moved. Redmond now wants PQC-ready systems four years ahead of the industry's 2033 target.

Cutting Through the AI Noise: What Enterprises Should Actually Be Asking Security Vendors
Marketing copy is cheap. Measurable detection capability is not. Here's how to stress-test an AI security pitch before you sign anything.

Apple Ships Multi-Component Patch Round Covering iOS, macOS, and Safari
Fixes land for WebKit, the kernel, WebRTC, and Web Extensions — touching every major Apple platform in a single release cycle.

Phantom Squatting: When Attackers Camp on the Domains LLMs Hallucinate
Unit 42 documents a pre-positioning tactic where actors register non-existent domains that chatbots keep suggesting, then wait for the traffic to arrive.

Claude Fable 5 Comes Back Online as Commerce Drops Export Curbs
Anthropic restores Fable 5 across Claude.ai, Claude Code, and Cowork on July 1 after a roughly two-and-a-half-week U.S. export restriction gets lifted.

Detection Engineering Grew Up. Most Security Stacks Didn't.
Behavior-based, CI/CD-integrated detection logic is eating vendor-supplied rules. Here's what's actually driving the shift — and what teams still get wrong.

Azure CLI Under Sustained IPv6 Password Spray; 78 Tenants Breached
Automated spray campaign from a single ASN burned through 81 million auth attempts in two weeks, hitting az login endpoints from an unusual IPv6 range.

ClickFix Grows a Back Office: API-Served Payloads and a New AMSI Bypass
Researchers pulled roughly 3,000 live payloads from ClickFix infrastructure and found a polymorphic delivery pipeline built to defeat Windows script scanning.

Citrix Ships Fixes for Six NetScaler Bugs, Including a File-Read Flaw Scoring 8.8
The patch batch covers NetScaler ADC and Gateway, with input-validation and DoS issues that admins should not sit on.

Poisoned Tool Descriptions Turn Helpful AI Agents Into Quiet Exfiltration Channels
Microsoft Incident Response demonstrates how a single malicious MCP-style tool description can coax an agent into leaking corporate data — without tripping a single policy check.

RustDuck: A Rust-Based DDoS Botnet Quietly Building Out Since February
XLab researchers say the two-stage loader is iterating faster than its install base is growing — and that's the interesting part.

Langflow RCE Is Back on the Menu — This Time for a Monero Miner
Attackers are still pillaging exposed Langflow instances through CVE-2026-33017, turning forgotten AI workflow servers into XMR mining rigs.

Silent Swap: Unsigned Installers Drop Fake Chromium Extensions That Hijack Crypto Transactions
McAfee Labs documents a clipper campaign using .NET and Golang loaders to sideload a malicious browser extension that rewrites wallet addresses at send time.

GuardFall: A 1970s Shell Trick Walks Past AI Coding Agent Safety Checks
Adversa AI says ten of eleven open-source coding agents fall to a command-substitution bypass that any sysadmin would recognize on sight.

Two-Thirds of iPhone AI Chatbot Apps Are Bleeding API Keys
A study of 444 iOS chatbot apps found 282 exposing paid model access in plaintext network traffic — sometimes with no authentication at all.

BEC Isn't an Email Problem. It's a Supply Chain.
Underground forums show Business Email Compromise as a multi-stage operation — account access, target research, and mules — not a clever phishing lure.

Bash Shell Tricks From the '90s Are Breaking AI Coding Agents Wide Open
Old-school shell injection techniques can bypass safeguards in most open-source AI coding agents — and a poisoned repo is all it takes to start the chain.

FIFA 2026 Fraud Infrastructure Was Pre-Staged Months Before Kickoff, Researchers Say
A Check Point exposure report documents pre-positioned phishing kits, lookalike domains and multilingual scam pages built well ahead of the June 11 opening match.

Malicious Extension Spoofs AI Platform to Intercept Searches
A fake browser extension impersonating Perplexity AI intercepted search queries, highlighting governance gaps in enterprise security.

From Modded Game Controllers to IBM X-Force Red: The Chris Thompson Arc
A teenage hardware tinkerer grows up to run one of the most recognizable offensive-security brands in enterprise tech — then leaves to build something new.

Supreme Court Extends Fourth Amendment Shield to Cell-Site Location Data
A geofence warrant case gives the Court a vehicle to rule that historical location records tied to a phone are constitutionally protected — full stop.