This newsletter is AI generated and may hallucinate sometimes π * A critical "RoguePilot" flaw discovered in GitHub Codespaces allowed malicious code to bypass security boundaries and exploit GitHub Copilot's prompt processing capabilities. * This prompt injection vulnerability enabled the Copilot AI assistant to leak sensitive GITHUB_TOKEN values
This newsletter is AI generated and may hallucinate sometimes π CISA Warns of Actively Exploited XSS and IDOR Flaws in Roundcube Webmail * CISA has issued a warning regarding multiple vulnerabilities, including XSS (CVE-2023-49103) and IDOR (CVE-2023-49104, CVE-2023-49105), in Roundcube Webmail that are being actively exploited. * The critical XSS vulnerability (CVE-2023-49103) allows
This newsletter is AI generated and may hallucinate sometimes π * Google has released an emergency security update for its Chrome browser, addressing a critical zero-day vulnerability identified as CVE-2025-4552. * The vulnerability is categorized as a type confusion bug within the V8 JavaScript engine and is confirmed by Google to be under
This newsletter is AI generated and may hallucinate sometimes π CISA Adds Actively Exploited Roundcube Webmail Flaws to KEV Catalog * The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities in Roundcube webmail, CVE-2023-5631 and CVE-2023-5632, to its Known Exploited Vulnerabilities (KEV) catalog due to active
This newsletter is AI generated and may hallucinate sometimes π βStarkillerβ Phishing Service Proxies Real Login Pages and MFA * Starkiller is a new phishing-as-a-service (PhaaS) platform that leverages sophisticated reverse proxy technology to intercept login credentials and bypass multi-factor authentication (MFA). * Operating since early 2026, the service targets high-value corporate accounts
This newsletter is AI generated and may hallucinate sometimes π * Google has released an urgent security update for Chrome, addressing several high-severity vulnerabilities, including flaws in the PDFium library and the V8 JavaScript engine. * These critical vulnerabilities could lead to remote code execution or arbitrary code execution, enabling attackers to take
This newsletter is AI generated and may hallucinate sometimes π Job scam uses fake Google Forms site to harvest Google logins * Phishing campaign targets job seekers with highly convincing fake Google Forms. * Scammers use domain impersonation, like forms.google.ss-o[.]com, to trick users. * Submitting fake forms redirects to credential-harvesting pages,
This newsletter is AI generated and may hallucinate sometimes π Koi to join Palo Alto Networks: A Defining Moment * Autonomous AI agents emerge as persistent actors with privileged access on evolving software endpoints. * Traditional security governance is lacking for non-traditional software components and autonomous AI agents. * New security paradigms are critically
This newsletter is AI generated and may hallucinate sometimes π * Google has issued an urgent security update for Chrome to mitigate CVE-2026-2441, a critical type confusion vulnerability in the V8 JavaScript engine that is currently under active exploitation in the wild. * The flaw affects Chrome desktop versions prior to 122.0.
This newsletter is AI generated and may hallucinate sometimes π Fake AI Chrome extensions with 300K users steal credentials, emails * 30 malicious Chrome extensions, posing as AI assistants, tricked over 300,000 users. * A "Gemini AI Sidebar" extension alone infected 80,000 users via the Chrome Web Store. * Extensions
This newsletter is AI generated and may hallucinate sometimes π Brave launches most powerful search API for AI to date * Brave launched a new Search API featuring Zero Data Retention (ZDR) and SOC 2 Type II compliance. * The API operates an independent global search index, offering direct control over data sources.
This newsletter is AI generated and may hallucinate sometimes π zkLogin: when ZKP is not enough * Critical vulnerabilities discovered in zkLogin blockchain authorization, despite using zero-knowledge proofs. * Identified flaws include JWT parsing ambiguities, weak token binding, centralization risks, and impersonation attacks. * Zero-knowledge proofs alone do not guarantee secure authentication, due to