Latest stories — Page 20

RSnake's Case for a CISO Code of Ethics
Robert Hansen argues that kickbacks, no-show jobs, and shelfware deals aren't just embarrassing — they're a national security problem.

CISA Flags Active Exploitation of Lantronix EDS5000 Code Injection Bug
CVE-2025-67038 carries a 9.8 CVSS. Federal agencies have until June 26, 2026 to patch — but if it's already being hit in the wild, that runway looks generous.

AI Agents Are Being Manipulated Through the Data They Trust
Hidden content injections and context poisoning are turning autonomous AI pipelines into attack surfaces. Here's what defenders need to understand before deploying agents at scale.

Operation Endgame Hits Amadey and StealC, Pulls 27M Credentials From Loader Infrastructure
Europol-led takedown dismantled command servers behind two of the most prolific malware-as-a-service loaders, with Microsoft, ESET, Bitdefender, and Bitsight providing technical support.

Law Enforcement and Microsoft Tear Down Command Infrastructure Behind Amadey and StealC
Hundreds of C2 servers went dark in a coordinated takedown targeting the shared hosting backbone used by two prolific infostealer families.

AIVEX Triage Model Targets Software Supply Chain Risk in AI Environments
A new framework aims to help security teams prioritize which supply chain vulnerabilities carry the highest operational, safety, and business risk where AI systems are in play.

The Service Desk Is the New Phishing Inbox
Help desks keep getting talked out of MFA resets. The fix is less about training and more about treating identity verification like an auth protocol.

Non-Admin macOS Accounts Can Chain Native OS Features to Blind Endpoint Security Tools
No exploit required. Researchers found that standard user privileges are enough to chain macOS weaknesses and silently kill endpoint security agents — no vulnerability needed.

Cordyceps Flaw Class Hands Attackers the Keys to 300+ GitHub Repos
A newly catalogued CI/CD weakness lets attackers hijack workflows at Microsoft, Google and Apache projects, researchers say.

Fake AI Agent Skill Exploits Security Gaps, Reaches 26,000 Users
A malicious AI agent skill bypassed security checks, exposing potential risks in enterprise environments.

The Patch Cycle Won't Survive Machine-Speed Adversaries
Defenders measured dwell time in days. Agentic attack pipelines are about to measure it in minutes.

Third DraftKings Credential-Stuffing Conspirator Sentenced to 18 Months
Nathan Austad gets a year and a half in federal prison, plus $1.8 million in forfeiture and restitution, closing out the last of the DraftKings account-takeover prosecutions.

Agentic AI Runs on Context. Feed It the Wrong Kind and Decisions Go Sideways Fast.
The core vulnerability in agentic AI systems isn't the model — it's the context window. Bad inputs, machine-speed outputs.

Cisco Unified CM SSRF Flaw Hits Active Exploitation Three Weeks After Patch Drop
A file-write chain rooted in CVE-2026-20230 is now being probed in the wild. PoC was already public when Cisco shipped the fix.

DOJ Seizes HuiOne Cloud Account, Treasury Sanctions Prince Group Network
Cambodia-based conglomerates accused of laundering proceeds from pig-butchering and cyber-enabled fraud face coordinated U.S. action.

Cisco Unified CM Bug Under Active Exploit After PoC Drops Root File-Write Chain
CVE-2026-20230 (CVSS 8.6) lets unauthenticated attackers smuggle crafted HTTP requests into Unified CM. Cisco's PSIRT confirms in-the-wild attempts following public PoC release.

AI-SPM Is Now a Real Category. Here's Why Your Organization Probably Needs It.
More than half of enterprise AI agents run without security oversight or logging. A maturing class of AI security posture management tools exists to fix that — if you know what to look for.

Anthropic's AI Model Found Vulnerabilities in Classified U.S. Government Systems
An unnamed U.S. official says Anthropic's Mythos model identified security flaws in sensitive government infrastructure during a joint exercise with intelligence agencies.

Meta Halts AI Training Program Amid Data Access Breaches
Meta's AI data collection halted after security breaches. Employees accessed restricted data, revealing gaps in the program.

FFmpeg Vulnerability 'PixelSmash' Threatens Media Applications
A critical flaw in FFmpeg's MagicYUV decoder reveals the fragility of software supply chains.

FortiBleed: Russian-Speaking Broker Tied to 430K FortiGate Credential Harvest
Researchers attribute the long-running operation to a financially motivated IAB, with credential lists feeding brute-force runs against exposed FortiGate appliances since February.