Aggregator

A prompt injection flaw in Google Gemini's voice assistant let attackers hide malicious commands in notifications, enabling social engineering and more.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and beyond the reach of

本文分析 Red Hat Cloud Services 组织下 32 个 npm 包遭供应链投毒事件，还原其多阶段攻击链，并揭示其具备凭据窃取、GitHub/npm 自传播、持久化及防护对抗等能力。

Hackers are hiding dangerous malware inside what look like popular Minecraft mods and game clients, using YouTube videos and search engine tricks to pull unsuspecting players into their trap. The campaign, known as WeedHack, has been quietly running since January 2026 and has already racked up over 116,000 victims worldwide. What makes this campaign particularly […]

The post Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware appeared first on Cyber Security News.

与其坐以待毙，不如训练自己（的模型）

Китайский ИИ ищет преступника до преступления.

Acer is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. [...]

Alcasec, the "Robin Hood of Spanish Hackers," is jailed for 31 months after admitting to stealing and selling Spanish citizens' banking data.

Человек не заметит подвох, пока машина безвозвратно не удалит все файлы.

Enterprise teams are running AI agents that write code, drive browsers, answer customer calls, manage cloud infrastructure, and query data warehouses with standing credentials. A new independent assessment of 100 production agents finds that nearly all of them carry the conditions for a single hostile document to take them over. The AI Risk Quadrant (AIRQ) report, a 2026 Q2 edition produced by independent researchers, scores 100 commercial and publicly available AI agents across three dimensions: … More →

The post Only 11% of production agents pass the AI agent security bar appeared first on Help Net Security.

AI 漏洞挖掘开始交付"工程化结果" 从音频解码到工业 CAD，从车端 CAN 帧到企业 Java 中间件——这一次，AI 红队没有靠"灵感"。

AI 漏洞挖掘开始交付"工程化结果" 从音频解码到工业 CAD，从车端 CAN 帧到企业 Java 中间件——这一次，AI 红队没有靠"灵感"。

AI 漏洞挖掘开始交付"工程化结果" 从音频解码到工业 CAD，从车端 CAN 帧到企业 Java 中间件——这一次，AI 红队没有靠"灵感"。

Trump's executive order invites voluntary pre-release review of frontier AI models

Функция, созданная для удобства, открыла дорогу к чужим репозиториям.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: The first flaw added to the catalog, tracked […]

Security leaders are under growing pressure to reduce the time between threat detection and response without adding more complexity to already overloaded SOC workflows. ANY.RUN’s May updates help teams act on security risks more efficiently, improve consistency across investigations, and maintain stronger protection as attacker tactics continue to evolve. Discover the updates your team can […]

The post Release Notes: Decision-Ready SOC Reporting, Elastic Security Integration, and 1400+ Threat Coverage Updates appeared first on ANY.RUN's Cybersecurity Blog.

微软宣布了其第二代量子芯片 Majorana 2。但专家认为微软的量子芯片缺乏坚实的研究基础，根本行不通。微软是在 2025 年初宣布了其第一代量子计算芯片 Majorana 1，利用它所谓的拓扑体去观察和控制马约拉纳粒子，从而产生更可靠和可扩展的量子比特。第一代拓扑体使用砷化铟半导体和铝超导体，结果到了第二代微软换成了铅超导体，声称量子比特的寿命从 20 秒延长到了 1 分钟。科学家对微软的说法持强烈怀疑态度，它的最新论文预印本尚未通过同行审议，物理学家 Henry Legg 认为预印本中数据来自于随机伪影。微软的上一篇预印本至今没有通过同行审议，很可能已被顶尖期刊拒绝了。