17 bugs in 10 weeks from AI security scanning

Why Hardened Images are Suddenly Everywhere

Typosquatted npm packages used to steal cloud and CI/CD secrets

The approval prompt is lying: a critical coding agent security flaw

GitHub Actions Cache Poisoning is eating open source

Mythos finds a curl vulnerability

Why “Trusted Publishing” Can’t Save Us from Social Engineering

Your Container Is Not a Sandbox

Arbitrary code execution and Claude Code CLI: How Claude executed code before you click 'trust'

At Machine Speed

Open source package with 1 million monthly downloads stole user credentials

Npm Slop & Wonky Software Supply Chains

Mythos Mystery in Mozilla Numbers: How 22 Vulns Became 271 or Maybe 3 in April

The Vercel breach started at a tool nobody was watching

pompelmi – ClamAV antivirus scanning for Node.js, zero dependencies

Anthropic secretly installs spyware when you install Claude Desktop

We Reproduced Anthropic's Mythos Findings With Public Models

The Boy That Cried Mythos: Verification is Collapsing Trust in Anthropic

Cybersecurity Looks Like Proof of Work Now

Dependency cooldowns turn you into a free-rider

AI “Watershed Moment” or expensive pen tester? The AISI Mythos Data

Our evaluation of Claude Mythos Preview’s cyber capabilities

No one owes you supply-chain security

Google rolls out end-to-end encryption for Gmail on Android and iOS devices for enterprise users, letting them read and compose emails without additional tools

Package Security Problems for AI Agents

Assessing Claude Mythos Preview’s cybersecurity capabilities

Minimum Release Age is an Underrated Supply Chain Defense

Bounty Available (>$2,000) for QubesOS BusKill package

OpenClaw gives users yet another reason to be freaked out about security

Stop Committing Your Secrets (You Know Who You Are)

Don’t let A.I. read your .env files

AfterPack: Claude Code's Source Didn't Leak. It Was Already Public for Years.

Supply Chain Attack on Axios Pulls Malicious Dependency from npm

ShinyHunters says it stole 350GB+ of data in a cyberattack on the European Commission, detected on March 24; the EC says its internal systems were not affected

Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild

Iranian-linked hackers claimed responsibility for the breach of FBI Direct Kash Patel’s personal email account

Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

Compromised telnyx on PyPI: WAV Steganography and Credential Theft

Hackers have exposed more than 8.3 million supposedly confidential reports to tip lines like Crime Stoppers

TeamPCP deploys CanisterWorm on NPM following Trivy compromise

Thousands of websites are accidentally broadcasting sensitive data

Delve - Fake Compliance as a Service

US State Department launches the Bureau of Emerging Threats to tackle current and future threats, including cyberattacks and AI weaponization by adversaries

DoJ has taken down botnets behind the largest-ever DDoS attack

Countries with Most Personal Records Leaked in Data Breaches (2004-2025)

Microsoft, working with Europol, authorities from 6 countries, and 11 security organizations, disrupted the Tycoon 2FA phishing-as-a-service platform on seizing 330 domains

A ransomware attack on August 31, 2025, compromised the data of 1.2 million at the University of Hawaiʻi Cancer Center, targeting research servers but sparing clinical operations

France's health ministry has confirmed a data breach involving the exposure of administrative information for 15.8 million patients and sensitive doctors' notes for approximately 165,000 individuals

Authorities from 14 countries shut down LeakBase, seize its domains, and arrest multiple people allegedly tied to the cybercrime forum, which had 142K+ members