Latest stories — Page 34

Identity & Access

A Debug Flag Shipped to Prod Turned M365 Android Apps Into a Token Buffet

Any sideloaded app on the same phone could ask for the signed-in user's Microsoft token and get it. No prompt. No password. Just IPC.

3 min
Threat Intelligence

DesckVB RAT Campaign Routes Phishing Lures Through Google's DoubleClick Domain

Attackers are bouncing victims off a Google-owned ad redirect before landing them on attacker infrastructure — a trick that buys cover from filters trained to trust doubleclick.net.

2 min
AI Security

A Single Notification Could Hijack Gemini on Android

Researchers showed how a poisoned WhatsApp, Slack or SMS alert could weaponize Google's voice assistant — no malicious app required.

2 min
Threat Intelligence

Feds Sound Alarm on Exposed Fuel Tank Gauges as Hackers Probe Critical Infrastructure

CISA, FBI, NSA and DOE say internet-facing ATG systems at fuel depots, hospitals and military sites are being scanned and hit. The fix is mostly operator hygiene.

2 min
AI Security

Microsoft Cages the Agent: MXC, MDASH, and the Push to Govern Autonomous AI at Runtime

Microsoft is shipping a dedicated containment environment for agentic AI workloads, alongside open-source governance frameworks and expanded vulnerability-scanning capabilities — all aimed at reining in what autonomous coding agents can actually do.

2 min
Identity & Access

One Click in VS Code Was Enough to Hand Over Your GitHub Token

Researcher Ammar Askar found a clickjack-style flaw in github.dev that leaked full-fat OAuth tokens — read/write, private repos included.

3 min
Vulnerabilities

Privilege Escalation Attacks Hit Kirki and Burst Statistics WordPress Plugins

Threat actors are actively exploiting flaws in two widely-used WordPress plugins to grab admin access and seize site control.

2 min
AI Security

Someone Finally Tested 100 AI Agents for Security. Here's the Framework They Used.

A new evaluation methodology ranks AI agents by vulnerability, blast radius, and defensive posture. The results are a useful corrective to vendor claims.

2 min
Identity & Access

Identity Dark Matter: Why IAM Is Losing Sight of Its Own Users

Enterprise identity has fragmented across SaaS sprawl, machine accounts, and agentic systems — leaving a growing slice of activity that centralized IAM cannot see or govern.

3 min
Policy & Regulation

HD Moore's Pitch to Defenders: Stop Racing Patches, Reshape the Network

The Metasploit creator argues blast-radius control, not patch velocity, is what regulators and boards should be measuring.

3 min
Vulnerabilities

HTTP/2 Default Configs Leave Web Servers Open to Compression-Bomb, Slowloris Combo Attack

A chained exploit targeting HTTP/2's default settings can take servers offline in seconds — no patch issued yet for the underlying configuration exposure.

2 min
Vulnerabilities

Second Windows URI Handler Bug Leaks NTLMv2 Hashes — Still Unpatched

Researchers flag a search: URI handler flaw that mirrors the recently patched ms-screensketch issue. Microsoft hasn't shipped a fix.

2 min
AI Security

Agentic AI Is Doing What a Thousand Breach Reports Couldn't: Getting Boards to Open the Checkbook

Autonomous agents, AI-generated code, and frontier models capable of offensive cyber ops are finally making cybersecurity a board-level business conversation — not just an IT line item.

3 min
Vulnerabilities

Microsoft Threatened a Bug Hunter With Legal Action. Now It's Walking That Back.

A researcher dropped unpatched zero-days with working exploits. Microsoft's first response was to reach for the lawyers. That went poorly.

2 min
Vulnerabilities

HTTP/2 Bomb: Default Configs in NGINX, Apache, IIS, Envoy and Pingora Open Door to Remote DoS

A chained protocol abuse discovered by OpenAI Codex and disclosed by Calif knocks over five of the most widely deployed web servers in their out-of-the-box state.

2 min
Breaches

ShinyHunters Hits Canvas LMS: 275 Million Records, a Defaced Login Page, and a Free-Tier Attack Vector

The extortion group's May 2026 strike on Instructure exposed how peripheral, lower-security environments can become the entry point that compliance badges never covered.

3 min
Threat Intelligence

Weedhack MaaS Hijacks Minecraft Players Through YouTube Lures

A malware-as-a-service operation impersonating Minecraft clients and mods has compromised thousands of systems since January, with YouTube tutorials serving as the primary funnel.

2 min
AI Security

Project Glasswing Expands: 150 More Companies Join AI Vulnerability Initiative

Anthropic's AI-driven bug-hunting project adds critical infrastructure partners, but the patching bottleneck looms.

2 min
Vulnerabilities

CISA Adds Two-Year-Old Oracle WebLogic Flaw to KEV, Gives Feds Four Days to Patch

CVE-2024-21182 sat quietly at CVSS 7.3 for two years before threat actors noticed the unpatched stragglers. Now federal agencies have until Thursday.

2 min
Policy & Regulation

Trump Signs AI Cybersecurity Order, Reviving the Pre-Release Review Provisions His Team Killed Two Weeks Ago

The new directive creates a voluntary framework for government review of frontier AI models and spins up a Treasury-led vulnerability clearinghouse — while going out of its way to say none of this is mandatory.

3 min
Vulnerabilities

Root on Your Conference Phone: HP Poly Flaw Turns VoIP Hardware Into an AI Deepfake Feed

A CVSS 9.2 stack overflow in HP Poly's ICE implementation hands attackers unauthenticated root — and a front-row seat to every executive call.

2 min
© 2026 Threat Vectr