Latest stories — Page 34

A Debug Flag Shipped to Prod Turned M365 Android Apps Into a Token Buffet
Any sideloaded app on the same phone could ask for the signed-in user's Microsoft token and get it. No prompt. No password. Just IPC.

DesckVB RAT Campaign Routes Phishing Lures Through Google's DoubleClick Domain
Attackers are bouncing victims off a Google-owned ad redirect before landing them on attacker infrastructure — a trick that buys cover from filters trained to trust doubleclick.net.

A Single Notification Could Hijack Gemini on Android
Researchers showed how a poisoned WhatsApp, Slack or SMS alert could weaponize Google's voice assistant — no malicious app required.

Feds Sound Alarm on Exposed Fuel Tank Gauges as Hackers Probe Critical Infrastructure
CISA, FBI, NSA and DOE say internet-facing ATG systems at fuel depots, hospitals and military sites are being scanned and hit. The fix is mostly operator hygiene.

Microsoft Cages the Agent: MXC, MDASH, and the Push to Govern Autonomous AI at Runtime
Microsoft is shipping a dedicated containment environment for agentic AI workloads, alongside open-source governance frameworks and expanded vulnerability-scanning capabilities — all aimed at reining in what autonomous coding agents can actually do.

One Click in VS Code Was Enough to Hand Over Your GitHub Token
Researcher Ammar Askar found a clickjack-style flaw in github.dev that leaked full-fat OAuth tokens — read/write, private repos included.

Privilege Escalation Attacks Hit Kirki and Burst Statistics WordPress Plugins
Threat actors are actively exploiting flaws in two widely-used WordPress plugins to grab admin access and seize site control.

Someone Finally Tested 100 AI Agents for Security. Here's the Framework They Used.
A new evaluation methodology ranks AI agents by vulnerability, blast radius, and defensive posture. The results are a useful corrective to vendor claims.

Identity Dark Matter: Why IAM Is Losing Sight of Its Own Users
Enterprise identity has fragmented across SaaS sprawl, machine accounts, and agentic systems — leaving a growing slice of activity that centralized IAM cannot see or govern.

HD Moore's Pitch to Defenders: Stop Racing Patches, Reshape the Network
The Metasploit creator argues blast-radius control, not patch velocity, is what regulators and boards should be measuring.

HTTP/2 Default Configs Leave Web Servers Open to Compression-Bomb, Slowloris Combo Attack
A chained exploit targeting HTTP/2's default settings can take servers offline in seconds — no patch issued yet for the underlying configuration exposure.

Second Windows URI Handler Bug Leaks NTLMv2 Hashes — Still Unpatched
Researchers flag a search: URI handler flaw that mirrors the recently patched ms-screensketch issue. Microsoft hasn't shipped a fix.

Agentic AI Is Doing What a Thousand Breach Reports Couldn't: Getting Boards to Open the Checkbook
Autonomous agents, AI-generated code, and frontier models capable of offensive cyber ops are finally making cybersecurity a board-level business conversation — not just an IT line item.

Microsoft Threatened a Bug Hunter With Legal Action. Now It's Walking That Back.
A researcher dropped unpatched zero-days with working exploits. Microsoft's first response was to reach for the lawyers. That went poorly.

HTTP/2 Bomb: Default Configs in NGINX, Apache, IIS, Envoy and Pingora Open Door to Remote DoS
A chained protocol abuse discovered by OpenAI Codex and disclosed by Calif knocks over five of the most widely deployed web servers in their out-of-the-box state.

ShinyHunters Hits Canvas LMS: 275 Million Records, a Defaced Login Page, and a Free-Tier Attack Vector
The extortion group's May 2026 strike on Instructure exposed how peripheral, lower-security environments can become the entry point that compliance badges never covered.

Weedhack MaaS Hijacks Minecraft Players Through YouTube Lures
A malware-as-a-service operation impersonating Minecraft clients and mods has compromised thousands of systems since January, with YouTube tutorials serving as the primary funnel.

Project Glasswing Expands: 150 More Companies Join AI Vulnerability Initiative
Anthropic's AI-driven bug-hunting project adds critical infrastructure partners, but the patching bottleneck looms.

CISA Adds Two-Year-Old Oracle WebLogic Flaw to KEV, Gives Feds Four Days to Patch
CVE-2024-21182 sat quietly at CVSS 7.3 for two years before threat actors noticed the unpatched stragglers. Now federal agencies have until Thursday.

Trump Signs AI Cybersecurity Order, Reviving the Pre-Release Review Provisions His Team Killed Two Weeks Ago
The new directive creates a voluntary framework for government review of frontier AI models and spins up a Treasury-led vulnerability clearinghouse — while going out of its way to say none of this is mandatory.

Root on Your Conference Phone: HP Poly Flaw Turns VoIP Hardware Into an AI Deepfake Feed
A CVSS 9.2 stack overflow in HP Poly's ICE implementation hands attackers unauthenticated root — and a front-row seat to every executive call.