AI
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
The attacker only has to get the agent to open a malicious URL to achieve code execution on the host. No credentials, no sign-in screen, and no further user interaction once the agent loads the page.
The flaw sits in pre-release versions of AutoGen Studio, the open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework. It trusts requests from localhost without validating them. But few users install pre-release versions, and Microsoft patched it, so this is not a large risk.
Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents
The skill included a link to an attacker-controlled page that was originally harmless but was changed to host malicious content after the skill was approved. This trick has worked on ClawHub and skills.sh, and has been used in real campaigns for months.
Executives Four Times More Confident About AI Risk Than the Teams Managing It
29% of US executives say AI risk is under control, against 7% of the practitioners running it day-to-day.
The Tokenpocalypse Is Here: Companies Are Scrambling To Stop Spending So Much on AI
A big source of AI token ‘chewing’ is people just converting PDFs to presentation slides: the wave of uninhibited AI growth is over.
Agentjacking: Researchers Show How One Fake Bug Report Can Hijack AI Coding Agents
Fake bug reports can trick AI coding agents into running code. The technique abuses the way AI coding assistants process untrusted error logs from Sentry, a popular application monitoring platform. Agentjacking does not require stolen passwords or direct access to a company’s internal network.
Sentry added a patch that sounds weak, but a broader platform-level fix is difficult because the root issue involves AI agents treating untrusted tool output as instructions.
Embedding Forbidden Text in Spyware to Discourage AI Analysis
At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware.
Europe’s AI champion Mistral vulnerable to Russian disinformation, study finds
Europe’s Mistral and other open-source generative AI models are among the least able to filter out Russian disinformation. Anthropic’s Claude and even some versions of Chinese systems and Grok are better.
Cybercriminals Are Worried About AI Taking Their Jobs Too
Attackers can turn AI agent guardrails into denial-of-service weapons
A single poisoned document could slow AI agent systems by up to 148× and turn AI safety controls into an enterprise weak spot. The new technique targets the reasoning process.
Politics
Military branches restore flu shot requirement after virus swept through base
The virus quickly swept through an Air Force base in Texas, sickening at least 222 recruits and hospitalizing four. The outbreak flared just two months after Defense Secretary Pete Hegseth abandoned a decades-long requirement for flu shots.
COVID-19 vaccine study that was blocked from CDC journal is published elsewhere
The vaccine was found to be about 55% effective against COVID-19-associated hospitalizations, and reduced COVID-19-related trips to emergency departments and urgent care clinics by 50%.
Trump Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration
Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track.
The deadlines matter because of a threat that does not need a working quantum computer today. Adversaries can collect encrypted U.S. data now and decrypt it later, once a large-scale quantum machine exists; the risk is known as "harvest now, decrypt later".
New meme stock Wendy’s soars more than 25% with trading halted at one point
Wendy’s shares surged on Wednesday, fueled by a burst of retail investor enthusiasm that appears disconnected from the fast-food chain’s latest executive appointment.
White House app auto-downloads to government phones, can’t be uninstalled
The app displays propaganda, and initially shared users’ locations and IP addresses with third parties. It also incorporates widgets created by a Russia-based company called Elfsight, which exposed the personal information of White House officials.
The UK will scan asylum-seekers’ faces for age checks—despite knowing the tech is flawed
The systems regularly mistake children for adults and appear to contain serious bias problems, which directly impact the largest group of migrants subject to age assessments in 2025: Sub-Saharan Africans.
Delays at SFO Skyrocket Following Runway Closure and New FAA Restrictions
Average delays at SFO have climbed from roughly five minutes during the same period last year to about 20 minutes since April 1, while the share of flights delayed by at least 15 minutes has jumped from 18% to 41%.
Infosec
Apple's MacOS Gap Lets Users Disable Security Tools
The core problem, according to XM Cyber, lies in how macOS caches and reuses an application's CDHash, the cryptographic fingerprint that the OS uses to verify an application's authenticity. XM Cyber found that once macOS caches the CDHash, the operating system continues to trust the application even if an attacker later modifies some of its components. This allows a standard user to impersonate legitimate application components and call privileged XPC services that should only be accessible to properly signed vendor code. XM Cyber showed how an attacker could exploit the weakness to inject malicious code into a so-called NIB file inside a trusted application and trick the system into running privileged commands.
Apple doesn't intend to address the bug, so affected vendors must implement their own mitigations and hardening measures. CrowdStrike and Iru Inc. have fixed their products.
Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain
This is not a remote attack. It requires physical possession of the device. Like checkm8, it affects older iPhones and cannot be patched, but it does not compromise the Secure Element.
New macOS ClickFix attack silently mounts DMGs to push infostealer
It begins with a fake CAPTCHA page that tells users to open Terminal and paste a malicious command to verify themselves. Then it infects Mac devices with the Atomic macOS Stealer (AMOS) infostealer, which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents.
'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows
The CI/CD workflow weakness affects Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache's Doris analytics database, Cloudflare's Workers SDK, and Python Software Foundation's Black.
By aiming crafted pull requests at the automated workflows around repositories, attackers can potentially reach signing keys and access tokens to achieve command injection, privilege escalation, and supply chain compromise.
CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed.
This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed.
The Scripts on Your Checkout Page Are Now a PCI DSS Problem
The dangerous part: the malicious code usually arrives through a script you already approved. Attackers compromise a third-party vendor, and the payload rides in on a script you have run for months. Nothing looks new. What changed is the script's behavior, not its presence on the page.
PCI DSS v4.0.1 says to inventory every payment-page script, authorize it, and prove its integrity.