Information security

Information security

A hardcoded API key on ClickUp's public site exposed hundreds of email addresses and internal data for over a year.

Invoking security tools via an LLM and MCP reduces developer friction and context switching.

Incomplete patching of Windows vulnerabilities led to new zero-click attack vectors, enabling credential theft without user interaction.

Assuming connectivity solves security issues is flawed; data movement poses significant risks in Zero Trust programs.

89% of SMEs faced compromised login credentials; AI-driven attacks exploit identity issues and weak authentication.

Medtronic confirmed a data breach but reported no impact on patient safety or operations due to separate IT networks.

The open-source package elementary-data was compromised, leading to the publication of a malicious version that stole sensitive user credentials.

A Brazilian cybercrime group targets Minecraft players with LofyStealer malware disguised as a hack called 'Slinky'.

A vulnerability in Windows RPC allows attackers to elevate privileges, affecting all Windows versions.

Predictable budgets and on-demand defensive agentic AI can now be aligned despite historical incompatibility.

Zetachain paused its mainnet after a vulnerability in the GatewayZEVM smart contract was exploited, affecting internal team wallets but not user funds.

AI agents in Microsoft Entra ID can lead to privilege escalation and identity takeover attacks due to a security flaw in the Agent ID Administrator role.

Over 70 extensions in the Open VSX marketplace are likely linked to GlassWorm malware, designed to steal sensitive information and deploy malware.

Organizations affected by Trivy and LiteLLM compromises that paid Vect likely received little data recovery, according to Check Point Research.

Checkmarx's GitHub repository was compromised, leading to a data leak by the Lapsus$ extortion group.

PhantomCore has targeted TrueConf servers in Russia, exploiting multiple vulnerabilities since September 2025.

Telecommunications fraud campaign uses fake CAPTCHA to trick users into sending costly international text messages, generating illicit revenue for fraudsters.

GopherWhisper is a newly identified APT using legitimate services for command-and-control communication and data exfiltration, primarily targeting a Mongolian government entity.

The Bitwarden CLI NPM package was compromised, enabling credential theft through a malicious payload targeting various cloud services and GitHub repositories.

A high-severity SSRF vulnerability in LMDeploy is actively exploited, allowing attackers to access sensitive data and internal networks.

A US federal agency was infected with malware due to vulnerabilities in Cisco firewalls linked to a China-backed espionage campaign.

Rented IoT infrastructure prioritizes user convenience over security, exposing them to denial of service attacks and vulnerabilities.

Secure remote connections are critical for businesses to prevent data breaches, with enterprise VPN solutions being a top priority.

Sonic redesigns proof-of-stake to enhance quantum resilience, shifting from elliptic curve to hash-based schemes for improved security.

Wireless connectivity is essential for AI, transforming industries and requiring strategic management to address complexity and security risks.

AI presents both risks and opportunities for password management, requiring firms to balance security with the potential for careless app development.

Effective threat intelligence requires filtering information relevant to specific market segments to avoid overwhelming alerts.

Passkeys are recommended as the primary authentication method due to their security against phishing and credential reuse.

Vercel identified additional compromised customer accounts linked to a security incident involving unauthorized access to its internal systems.