Latest stories — Page 29

Vulnerabilities

HTTP/2 Bomb: A Decade-Old Compression Trick Finally Gets a CVE

A chained HPACK attack lets small packets force runaway memory allocation on nginx, Apache, IIS, Envoy, and Cloudflare's Pingora. Patches are partial. Exposure is wide.

2 min
AI Security

One GitHub Issue Was Enough to Pwn Repos Running Claude Code Action

A bug in Anthropic's Claude Code GitHub Action turned issue triage into arbitrary code execution — including, briefly, against the action's own repo.

2 min
Identity & Access

$7M Says Autonomous Agents Can Fix the Identity Sprawl Problem

Offroad exits stealth with a bet that AI-driven security agents can manage what platform teams stopped being able to track manually — machine identities, third-party app permissions, and the rest of the non-human identity mess.

2 min
Policy & Regulation

Webinar Highlights Gaps in Third-Party Risk Management

A critical look at third-party risk programs and their practical failures.

2 min
Threat Intelligence

The Week the Tape Came Off: Old Bugs, Cheap C2, and AI That Breaks Things

A roundup of the criminal-economy churn driving this week's intrusions, from plugin holes to agentic AI gone feral.

2 min
Threat Intelligence

FlutterShell: A macOS Backdoor Wrapped in Flutter, Dropped by Ad Clicks

Unit 42 traces a malvertising operation to the same crew behind JSCoreRunner, this time hiding a backdoor inside Flutter-built Mac apps.

3 min
Threat Intelligence

TA4922 Broadens European Targeting With ValleyRAT, Atlas RAT Loadouts

A China-nexus cluster tracked as TA4922 is hitting orgs in the UK, Germany, Italy, and South Africa, mixing known RATs with newer tooling.

2 min
AI Security

Silent RCE in Hugging Face Transformers Hides Behind a Single Config Field

CVE-2026-4372 lets an attacker own any machine that loads a poisoned model — no warnings, no prompts, no trace. The trust_remote_code flag didn't help.

2 min
Threat Intelligence

Five-Month Outlook Intrusion at Global Stock Exchange Exfiltrated via Dropbox, OneDrive

Threat hunters say the executive's mailbox was siphoned in small batches over consumer cloud channels — a pattern consistent with state-aligned espionage rather than financially motivated crime.

3 min
Identity & Access

Lookalike Open-Source Portals Are SEO-Climbing Their Way to Malware Delivery

A Traffic Distribution System fronts fake project sites to drop Remus Stealer, AnimateClipper, and the SessionGate framework. None of this is an auth problem — but the stolen sessions afterward absolutely are.

2 min
Vulnerabilities

CISA Flags Magento Cache Extension Bug as Actively Exploited

CVE-2026-45247, an unsafe deserialization flaw in Mirasvit Cache Warmer, lands in KEV after in-the-wild abuse against Magento storefronts.

2 min
AI Security

Unpacking the 'Son of Mythos': AI's Role in Vulnerability Discovery

As Anthropic and OpenAI expand AI tool access, organizations face both risks and opportunities.

2 min
Threat Intelligence

Disruption Week: Feds Yank Millions of Accounts in Crypto Fraud Sweep, Seize $3.8M

DOJ-led action against Southeast Asia 'pig butchering' rings hit infrastructure, not just wallets. The interesting question is what the platforms knew, and when.

3 min
Vulnerabilities

GitHub's Browser VSCode Handed Attackers a Skeleton Key to Your Private Repos

An unscoped OAuth token, a Jupyter notebook, and a skipped publisher trust check. That's all it took.

3 min
Cloud Security

AI Workloads Are Breaking the Public-Cloud Default

Cost pressure and data sensitivity are pushing enterprises back toward private infrastructure — and the provider landscape isn't standing still while they decide.

2 min
Vulnerabilities

Redis Patches Two-Year-Old Use-After-Free Surfaced by Autonomous AI Bug Hunter

CVE-2026-23479 sat in the blocking-client code from Redis 7.2.0 until the May 5 fixes. An authenticated user could parlay it into arbitrary OS command execution.

2 min
Identity & Access

A Debug Flag Shipped to Prod Turned M365 Android Apps Into a Token Buffet

Any sideloaded app on the same phone could ask for the signed-in user's Microsoft token and get it. No prompt. No password. Just IPC.

3 min
Threat Intelligence

DesckVB RAT Campaign Routes Phishing Lures Through Google's DoubleClick Domain

Attackers are bouncing victims off a Google-owned ad redirect before landing them on attacker infrastructure — a trick that buys cover from filters trained to trust doubleclick.net.

2 min
AI Security

A Single Notification Could Hijack Gemini on Android

Researchers showed how a poisoned WhatsApp, Slack or SMS alert could weaponize Google's voice assistant — no malicious app required.

2 min
Threat Intelligence

Feds Sound Alarm on Exposed Fuel Tank Gauges as Hackers Probe Critical Infrastructure

CISA, FBI, NSA and DOE say internet-facing ATG systems at fuel depots, hospitals and military sites are being scanned and hit. The fix is mostly operator hygiene.

2 min
AI Security

Microsoft Cages the Agent: MXC, MDASH, and the Push to Govern Autonomous AI at Runtime

Microsoft is shipping a dedicated containment environment for agentic AI workloads, alongside open-source governance frameworks and expanded vulnerability-scanning capabilities — all aimed at reining in what autonomous coding agents can actually do.

2 min
© 2026 Threat Vectr