Latest stories — Page 21

White House Orders Federal Agencies to Migrate Cryptography by 2030, Signals Contractor Reckoning
Two executive orders set hard federal deadlines for post-quantum cryptography adoption and launch a government-wide quantum R&D program — with ripple effects for every contractor touching federal networks.

Fake Agent Skill Slips Past Every Scanner, Lands on 26,000 AI Agents
A red-team experiment by AIR pushed a booby-trapped skill through a popular marketplace and an Instagram ad. The skill marketplaces' security scanners shrugged.

Executive Order 14409 Locks In Federal PQC Deadlines: 2030 for Key Establishment, 2031 for Signatures
The June 22 order sets binding migration dates for high-value assets and high-impact systems, while leaving national security systems on a parallel track.

Two Scattered Spider Members Plead Guilty as London Trial Opens
Thalha Jubair and Owen Flowers admitted roles in the TfL intrusion and a sprawling SIM-swap and SMS-phishing operation that turned harvested SSO credentials into nine-figure ransom payouts.

Dify AI Platform Carried Multi-Tenant Flaws Exposing Private Chats and Internal APIs
Cross-tenant data leakage vulnerabilities in Dify's cloud service let attackers read other users' conversations, preview documents, and probe internal API endpoints.

GitHub Hardens actions/checkout Against Pwn Request Exploits
Blocking malicious code execution from pull_request_target workflows.

Samsung KNOX Use-After-Free Bug Sat in Galaxy Devices for Eight Years Before Patch
A high-severity kernel-level flaw in Samsung's KNOX security framework affected Galaxy handsets from the S9 through the S25 — a product window spanning nearly a decade.

One Executive, Two Hats: Carl Froggett on Running Security and IT at Deep Instinct
The former Citi CISO talks about what happens when security leadership and infrastructure ownership collapse into a single role.

Email security teams are buried in alerts. Behavioral AI vendors say they have an answer.
Phishing, BEC and account takeover noise keeps SOCs busy. A new webinar pitches behavioral detection as the way to cut through it.

When the Trigger Pulls Itself: Agentic AI and the End of the Human-in-the-Loop
Every weapon in history extended a human decision. Agentic systems are the first that try to replace it — and the security implications are not theoretical.

Double Trouble: Two Unrelated Attacks Thrive on Unpatched SharePoint
Microsoft DART uncovers dual intrusions on same server, complicating response efforts.

Three npm Packages Squat PostCSS Names to Drop a Windows RAT
Typosquatted utilities pulled roughly a thousand combined downloads before researchers flagged them. The payload targets Windows developer machines, which is exactly where the credentials live.

White House Sets Hard Clock on Post-Quantum Migration for Federal Systems
An executive order mandates that high-value federal assets shift to post-quantum cryptography by 2030–2031. For identity infrastructure, that deadline is closer than it looks.

From Prevention to Resilience: Cybersecurity’s New Paradigm
As breaches become inevitable, organizations must focus on operational resilience, not just perimeter defense.

WhatsApp DMs Push VBScript Loaders That Deploy Legitimate RMM Tools
An active campaign abuses WhatsApp Desktop and Web to distribute scripted droppers that install commercial remote-management software across at least ten jurisdictions.

OpenAI Hands GPT-5.5-Cyber to 'Trusted Defenders' Under Daybreak
The model is pitched at deep codebase analysis and vuln patching. The interesting part is who gets access — and what shows up in the post-mortem when they don't.

Five Eyes to CSOs: AI Has Already Changed Your Threat Model — Act Now
A joint advisory from CISA and four allied agencies demands strategic action on AI-amplified threats. Experts say the advice is late, vague, and misses the real risk sitting inside your own network.

GitHub Tightens Security to Counter Pwn Request Attacks
GitHub introduces actions/checkout v7 to block insecure pull request workflows.

PixelSmash Bug in FFmpeg Decoder Opens RCE Path on Jellyfin
A newly disclosed flaw in FFmpeg's PixletVideo decoder enables remote code execution against Jellyfin under specific conditions, with denial-of-service fallout for Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio.

ShapedPlugin's Update Channel Hijacked, Pro Plugins Shipped with Backdoor
Attackers slipped malicious code into licensed Pro releases by compromising the vendor's own build pipeline — a clean supply-chain hit on WordPress installs.

AutoJack: A Drive-By to RCE Hiding in AutoGen Studio's Dev UI
A prototyping tool nobody treated as production becomes a one-click code execution chain. The fix is out. The pattern is not.