Latest stories — Page 17

SimpleHelp OIDC Bypass Gets Weaponized: TaskWeaver and Djinn Stealer Land on Unpatched Servers
An unauthenticated auth bypass scoring a perfect 10.0 is dropping two new malware families on remote-support boxes that nobody remembered were internet-facing.

Six Bugs in AirDrop and Quick Share Let Anyone Within Range Knock Out File Sharing
Researchers chained wireless-range flaws to crash receiving devices and bypass Quick Share permission checks — no taps, no pairing, no prompts.

The Hidden Cost of Agentic AI in Security: Token Budgets Are Now a Defense Problem
Cybersecurity platforms are racing to embed agentic AI, but the economics of token consumption, AI credits, and deployment architecture may undercut the value before defenders see a return.

BioShocking: Prompt-Game Trick Pries Credentials From AI Browsers
Researchers at LayerX got six AI browsers and assistants — including ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude extension — to exfiltrate user logins by framing the attack as a game.

Pre-Auth Root RCE in Progress Kemp LoadMaster: Patch the API Now
CVE-2026-8037 lets an unauthenticated attacker run commands as root via a crafted API request. CVSS 9.8. The vendor has shipped a fix.

Apple Ships Three Dozen Fixes, Including WebKit Bugs Surfaced by LLM-Assisted Review
Four of the patched WebKit flaws were found with help from Claude and Codex — a quiet data point on how vendors are folding AI into vulnerability discovery.

Oracle E-Business Suite Payments Bug Hits CVSS 9.8, Already Being Hit
CVE-2026-46817 lets unauthenticated attackers take over Oracle Payments. Exploitation is happening now.

CISA Flags Three Daktronics Controller Flaws That Could Let Attackers Hijack Highway Signs
A researcher found the vulnerabilities in controllers widely used to drive digital billboards and roadway message signs. Exploitation could mean someone else controls what drivers read.

NAIC Says ShinyHunters Walked Out With Public Data and Stale Logs After PeopleSoft Zero-Day Hit
The regulator-of-regulators confirms an Oracle PeopleSoft zero-day was the entry point, but disputes the extortion crew's claims about what was taken.

Fake Perplexity Extension Siphoned Every Chrome Address Bar Keystroke
Microsoft researchers flagged a counterfeit Perplexity Chrome extension that piped queries and omnibox input to an attacker server before completing the search.

WhatsApp Starts Username Reservations, Finally Decoupling Identity From Phone Numbers
The optional handle system lets users be reachable without exposing an E.164 number — a meaningful identifier change for a 3-billion-user directory.

Mustang Panda Turns Zoho WorkDrive Into C2 in Twin Campaigns Against Indian Government
The China-aligned crew is running parallel operations against New Delhi ministries and hydropower operators, abusing a legitimate cloud collaboration service to move commands past network defenses.

Monday Brief: A DirtyClone Linux Bug, Turla's New Backdoor, and the Infostealer Churn
Old access paths, missed patches, and a fresh kernel flaw kept defenders busy. A roundup of what moved this week in the cybercrime ecosystem.

Poisoned Repos Can Trick Claude Code Into Opening a Reverse Shell
Researchers show that prompt injection hidden inside a repository's files is enough to turn Anthropic's agentic coding tool against the developer running it.

Prompt Injection in Git Repos Can Turn Claude Code Into a Reverse Shell Launcher
Malicious instructions buried in a repository's files can hijack Anthropic's Claude Code agent and open a backdoor on the developer's own machine — no obvious malware required.

236,000 Sites Run Pig-Butchering Templates Built on DCloud Uni-App
Infoblox researchers tie a sprawling fake-exchange and wallet-drainer ecosystem to a legitimate Chinese cross-platform dev framework.

BEC Keeps Winning Because It Looks Exactly Like Normal Work
The phishing payload is gone. The pretext is the payload now, and your SEG was never built for that.

Gamaredon's 2025 Phishing Surge: 35 Campaigns, Fresh Loaders, and Identity Tradecraft
The Russia-aligned group has spent the year refining spear-phishing lures against Ukrainian targets, leaning harder on cloud services and credential theft.

Harvest Now, Decrypt Later: Why Credentials Are the First Casualty of Q-Day
Captured ciphertext today becomes plaintext tomorrow. Credentials sit at the top of the target list.

DirtyClone: New Linux Kernel Flaw Hands Unprivileged Users the Root Keys
A page-cache manipulation bug related to DirtyFrag lets local, unprivileged attackers escalate to root — no credentials required beyond a shell.

White House Puts OpenAI and Anthropic Models on a Short Leash Pending Cybersecurity Review
The Trump administration is vetting frontier AI releases before they reach the public — and both major labs are complying.