The owner of Mantine-datatable, a popular open-source library, has suspended their account after a security compromise. The incident is still under investigation.
Security
- The Usefulness Gap in Proof-of-Useful-Work: An Empirical Study of Pearl's cuPOW Protocol (arxiv.org)
  Researchers measured Pearl's AI mining protocol and found that its 320,000 GPU network produces zero useful AI computation, despite consuming 112 MW of power.
- CVE-Bench: testing LLM agents on real-world vulnerability patches (giovannigatti.github.io)
  Researchers tested AI models on real-world vulnerability patches, finding that they can fix security issues but with limitations; correcting the initial results improved solve rates by 3-7 points per model.
- A security researcher created a vulnerable React Native app and spent $1,500 testing whether large language models (LLMs) could exploit it, with the goal of reproducing a common class of exploits found in multiple apps.
- Rootshell: A new E2EE email service hosted in Iceland (rootshell.is)
  Rootshell is a new end-to-end encrypted (E2EE) email service hosted in Iceland, aiming to provide secure communication for its users.
- Meta is alerting Instagram users whose accounts were taken over via the Meta AI chatbot, with some hackers claiming they are still able to exploit the vulnerability.
- A vulnerability in the Creative Sound Blaster Katana V2X's firmware allows attackers within a 15 m range to turn the speaker into a covert spying tool without pairing or physical contact.
- Cooldown Support for Ruby Bundler (blog.rubygems.org)
  Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days, to blunt supply-chain attacks against RubyGems.
- Capstone – multi-platform, multi-architecture disassembly framework (capstone-engine.org)
  Capstone is a lightweight, multi-platform disassembly framework that supports over 30 architectures, including ARM, x86, and RISC-V. It is implemented in pure C and has bindings for various programming languages.
- Google rolls out fake call detection to protect against AI deepfake impersonation scams (techcrunch.com)
  Google is launching fake call detection on Android 12+ devices to protect against AI deepfake impersonation scams, which spoof trusted phone numbers and use AI to sound like authority figures.
- The White House has issued an executive order to promote advanced AI innovation and security, citing the US's leading position in AI and the need to avoid burdensome regulation.
- 1-Click GitHub Token Stealing via a VSCode Bug (blog.ammaraskar.com)
  A bug in VSCode's webview security model allows attackers to steal GitHub tokens with full access to repositories.
- Anthropic is expanding its joint industry initiative, Project Glasswing, to 150 new organizations across 15+ countries, using its AI model Claude Mythos to identify software vulnerabilities.
- Expanding Project Glasswing (anthropic.com)
  Project Glasswing is expanding to approximately 150 new organizations from over 15 countries, covering various industries and critical infrastructure.
- Adafruit Receives Demand Letter from Fenwick Legal Counsel on Behalf of Flux.ai (blog.adafruit.com)
  Adafruit received a demand letter from Fenwick Legal Counsel on behalf of Flux.ai, alleging false and potentially defamatory claims about Flux's intellectual property, commercial traction, and user base. The letter also asserts claims under the Computer Fraud and Abuse Act.
- Reference your own AWS Secrets Manager secrets in Amazon Bedrock AgentCore Identity (aws.amazon.com)
  AWS has announced a new feature that allows users to reference their own AWS Secrets Manager secrets in Amazon Bedrock AgentCore Identity. The feature is designed to improve security and flexibility for users who need to integrate their secrets with Bedrock AgentCore.
- Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked (simonwillison.net)
  Hackers exploited Meta's AI support bot to gain access to high-profile Instagram accounts by asking it to link new email addresses, bypassing the account recovery process.
- Hackers Used Meta's AI Support Bot to Seize Instagram Accounts (krebsonsecurity.com)
  Hackers used Meta's AI support bot to reset passwords and deface Instagram accounts, including those of the Obama White House and the U.S. Space Force. The attack was made possible by a vulnerability in the bot's password reset flow.
- Researchers find several packages in the @redhat-cloud-services npm namespace shipped malware targeting credentials for GitHub Actions, AWS, GCP, and others (stepsecurity.io)
  Several packages in the @redhat-cloud-services npm scope were found to carry malicious payloads that fire via a preinstall hook on every npm install, targeting GitHub Actions secrets, AWS, GCP, and other credentials.
- Enable safe agentic payments with built-in guardrails using Amazon Bedrock AgentCore payments (aws.amazon.com)
  Amazon Bedrock AgentCore payments is now generally available, enabling agentic payments with built-in guardrails for secure and efficient payment processing.
- A string of high-profile Instagram accounts, including the Obama White House account, were seemingly hacked using a 'zero auth password reset' technique. The attackers faked the location of the accounts and tricked Meta's support AI into sending verification codes to their own email addresses.
- NPM packages from RedHat have been compromised (github.com)
  Malicious npm releases have been detected across the @redhat-cloud-services/ scope; Warehouses are impacted. According to StepSecurity, multiple RedHat Cloud Services npm packages have been compromised.
- ChatGPT for Google Sheets Exfiltrates Workbooks (promptarmor.com)
  ChatGPT for Google Sheets is vulnerable to data exfiltration and phishing attacks that affect workbooks across a victim's account after an indirect prompt injection in a single sheet. The attack does not require human approval, even when the add-on is set to require approval.
- An in-depth analysis of GrapheneOS's server infrastructure reveals a discrepancy between its stated values and actual practices, raising questions about who is behind the project.
- The Website Specification: A Platform-Agnostic Guide to Technical Features (specification.website)
  The Website Specification outlines 128 technical features every decent website should have, covering areas such as HTML, SEO, accessibility, security, and more, with links to source standards from bodies such as WHATWG and W3C.
- Microsoft is at odds with a disgruntled bug hunter, Nightmare Eclipse, who has released six Windows zero-days and promises a 'bone shattering' drop on July 14. Microsoft has responded with a blog post on coordinated vulnerability disclosure.
- Andrej Acevski's open source project management tool, Kaneo, was used to send 14,520 phishing invitations to strangers over a three-hour period on May 28th.
- A developer added hidden instructions to the jqwik test engine to sabotage projects worked on by AI coding agents, exploiting a weakness in large language models.
- GitHub bans security researcher who posted zero-day Windows exploits (tomshardware.com)
  GitHub has banned a security researcher for posting zero-day Windows exploits, citing company policy. The researcher claims the action is vindictive and promises further retaliation.
- OpenAI's Frontier Governance Framework (openai.com)
  OpenAI has published a framework outlining its safety and security practices in alignment with emerging legal requirements, including the California Transparency in Frontier AI Act and the EU AI Act's Code of Practice for General Purpose AI.
- Starlette Vulnerability Exposes Millions of Servers to Hackers (arstechnica.com)
  A critical vulnerability in Starlette, an open-source Python framework, can allow hackers to bypass authorization and access sensitive data. The vulnerability affects millions of servers worldwide, including those running FastAPI and other Python apps.
- The VibeSec Reckoning (martinfowler.com)
  AI agents often recommend insecure configurations because they prioritize the path of least resistance, exposing industries to systemic security risks. To counter this, experts recommend writing a security context file, being cautious with AI permission requests, and providing a secure-by-default harness and templates.