Cloudflare on Anthropic Mythos: Faster Patching Is the Wrong Reaction
Cloudflare tests Anthropic Mythos against 50 repos: faster patching is the wrong response — architectural change is needed, and 99.99% of software lacks Glasswing access today.
Hackers breached Grafana's GitHub environment and demanded ransom to withhold the codebase — Grafana refused to pay, with potential supply-chain exposure for production users.
Calif used 'Mythos' AI tooling to build a macOS kernel exploit bypassing Apple's Memory Integrity Enforcement — LLM-assisted offensive security has reached kernel-level exploitation.

The shai-hulud worm exploited TanStack's CI cache to poison 373 npm package versions across 169 packages — including Mistral AI — before jumping to PyPI.
Android 16 gains Intrusion Logging for spyware detection, co-developed with Amnesty International — currently Pixel-only, rolling out with Android 16.
8 named 2026 AI coding disasters formally catalogued across Replit, Amazon, Google, Anthropic, and GitHub Copilot — spanning every major failure mode.
Experian: 40% of 5,000 breaches in 2025 were AI-powered, and agentic AI is forecast as the #1 breach vector in 2026.
40% of audited vibe-coded apps built on Lovable, Replit, and Netlify exposed auth tokens or sensitive data in a new industry study.
CamoLeak (CVSS 9.6) silently exfiltrates secrets and source code from private GitHub repos via Copilot Chat — a critical AI coding supply-chain vulnerability.
CVE-2026-31431 is a 100% reliable Linux LPE discovered by AI in ~1 hour. CrowdStrike confirms active exploitation; CISA KEV-listed. Patch all Linux systems immediately.
OpenAI launches Advanced Account Security for ChatGPT—an opt-in hardened sign-in and recovery flow for users at higher risk of targeted attacks.
CopyFail—described as the most severe Linux threat in years—allows unprivileged users to gain admin access; many distros remain unpatched.
OWASP MCP Top 10 and the mcp-audit open-source scanner launched at RSA 2026 establish the first standardised MCP security framework.
31 WordPress plugins backdoored via a legal Flippa marketplace acquisition — dormant payload activated 8 months post-purchase, C2 via Ethereum smart contract.
OpenAI released an emergency patch for GPT-5.1's agent mode after researchers disclosed a prompt-injection vector that could bypass tool-use boundaries.