AI
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
"The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity," Anthropic acknowledged. "Network defenders should shorten their patch testing and deployment timelines."
Akamai Joins Growing Chorus of Vendors Betting Big on Secure Enterprise Browsers
LayerX is a browser extension that observes each click, prompt, and action in the browser with AI tools and enforces policy before traffic is encrypted and transmitted — effectively extending Akamai ZTNA's access decisions into the browser session once access is granted.
US scrambles to stop Internet users re-creating dead pilots’ voices
Federal law prohibits investigators from publicly releasing audio from cockpit voice recorders. But the NTSB publicly shared a PDF with a spectrogram, a visual representation of sound signals. One account on X mentioned taking just 10 minutes with OpenAI’s Codex model to "reconstruct rough audio from the spectrogram."
Google folds CodeMender into agent ecosystem amid push for AI-led AppSec
Google is expanding the role of its CodeMender security agent from autonomous vulnerability remediation toward a larger agentic development ecosystem, signalling a broader push toward AI-driven AppSec.
Politics
What I Learned About Billionaires at Jeff Bezos’s Private Retreat
For the richest men on Earth, everything is free and nothing matters.
Tech giants promise British regulator they will tweak platforms to protect kids online
The regulator, Ofcom, had required Roblox, Snapchat, Instagram, Facebook, YouTube and TikTok to answer questions about their efforts to remove harmful algorithms, check kids’ ages and protect them from sexual predators by the end of April. All of the companies, except for YouTube and TikTok, said they would commit to certain changes.
FTC warns 12 major tech firms of violating Take It Down Act
The Federal Trade Commission (FTC) on Wednesday said it has sent letters to a dozen major tech firms warning them that they are not in compliance with a law that sets standards for removing nonconsensual intimate images.
The 12 firms are violating the Take It Down Act (TIDA), which began being enforced Tuesday, by not offering a process for victims to request image removal, the agency said. The law mandates that platforms make it easy for people to ask that nonconsensual intimate images be removed and to delete them within 48 hours of a request.
US government takes $2 billion equity stake in nine quantum computing firms
The US government will take equity stakes worth a total of $2 billion in a slew of quantum computing companies, including a startup backed by a firm with links to the Trump family and one taken public by a Pentagon official.
Venmo Redesign Makes New Users' Posts Friends-Only by Default
Marketer that claimed it could tap devices for ad targeting will pay $880K settlement
In November 2023, Cox Media Group (CMG) Local Solutions advertised a service called Active Listening on a website that said, “It’s true. Your devices are listening to you” and claimed it could use “voice data” to help advertisers target ads to specific people. This claim was false, and the company is now paying an FTC settlement for making it.
Former US execs plead guilty to aiding tech support scammers
They operated C.A. Cloud between early 2017 and April 2022, providing telephone numbers, call recordings, call forwarding, and call-tracking services to many customers they knew were also engaged in telemarketing and tech support fraud scams.
Russian Hackers Who Breached SolarWinds Had Deep Access to Treasury Emails
At the Treasury Department, the hackers took nearly total control of the agency email systems and had their pick of employee accounts to spy on for much of 2020, from July to October.
Infosec
Three-Quarters of Firms Knowingly Ship Vulnerable Code
What took an average of 840 days in 2018 to exploit, takes less than two days in 2026, Checkmarx claimed. Researchers on its Checkmarx Zero team predict that time-to-exploit will reach one minute by 2028.
A hacker group is poisoning open source code at an unprecedented scale
The GitHub breach is just the latest incident in what has become the longest-running spree of software supply chain attacks ever, with no end in sight. TeamPCP has, in just the last few months, carried out 20 "waves" of supply chain attacks that have hidden malware in more than 500 distinct pieces of software, or well over a thousand counting all of the various versions of the code that TeamPCP has hijacked.
‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
The issue is a variant of domain fronting, a now-mitigated type of attack that enabled threat actors to place an allowed domain in the SNI and TLS certificate validation fields of an HTTPS request, while embedding a different target domain in the TLS tunnel’s encrypted HTTP host header. Because CDNs routed requests internally based on the host headers, the request reached the hidden destination, while traffic would appear to be going to a reputable front domain.
AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks
Unlike last week’s high-profile npm attack on TanStack, which exploited a complex GitHub Actions cache poisoning weakness, the latest incident early on May 19 took the more conventional route of compromising the credentials of a high-value npm maintainer account.
This privilege level allowed the attacker to publish at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. This resulted in the compromise of a big chunk of Alibaba’s AntV namespace, a growing platform across Asia, the US, and Europe.
"This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last."
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments.