I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

A controlled experiment showed a malicious AI agent “skill” could pass multiple popular skill scanners and spread to roughly 26,000 agents (including corporate accounts) by shipping a clean package that pointed agents to external “documentation” that was later swapped for instructions to run a script. The test payload only collected user email addresses, but the researchers said the same technique would let an attacker execute code and access whatever data/tools the agent can reach.

Key Details

  • The skill, “brand-landingpage,” posed as a no-code landing-page builder for Google’s Stitch, targeting non-technical users like marketers, designers, and sales teams.
  • To boost trust signals, the team got the skill merged into a GitHub-based plugin/skill marketplace repo with ~36,000 stars, making it appear reputable to users and automated checks.
  • Scanners missed the behavior because they analyzed only the packaged files (e.g., SKILL.md) and not the external URL content the skill instructed agents to follow for setup.
  • The skill referenced stitch-design[.]ai (researcher-controlled), not stitch.withgoogle.com; it initially redirected to legitimate Stitch documentation so early reviews looked benign.
  • After distribution, the external page was changed to instruct agents to download and run a script; in the demo this script sent back email addresses, which the researchers used to measure reach.

Next Steps

  • Consider restricting/approving third-party agent skills centrally rather than allowing end-user installs from open marketplaces.
  • Add controls to block or require review of skills that fetch or depend on external URLs for installation/setup instructions, since that content can change after a one-time scan.

Read more at CSO Online, The Hacker News, Cybersecurity News

Study finds 64% of tested LLM-enabled iOS apps leak usable API keys or tokens via interceptable network traffic

An empirical analysis of 444 free, LLM-enabled iOS apps found 282 (64%) exposed exploitable LLM credentials that could be recovered from network traffic during normal app use. The study shows leakage commonly occurs through plaintext provider keys, unauthenticated proxy backends, or replayable bearer tokens, enabling third parties to reuse the app’s LLM access.

Key Details

  • Plaintext provider API keys: 54 apps sent static LLM keys directly in HTTP headers or query strings to LLM endpoints (including api.openai.com and generativelanguage.googleapis.com).
  • Unauthenticated “proxy” relays: 92 apps used backend proxy endpoints but did not require authentication, allowing anyone who learns the URL and request format to submit LLM calls.
  • Bearer/JWT leakage and weak token handling: 136 apps leaked tokens for intermediate backends; researchers observed missing expirations, tokens valid up to 100 years, and servers accepting already-expired tokens.
  • Limited and bypassable interception resistance: only 143/444 apps implemented any interception resistance, and the most common “bypass system HTTP proxy” protection was defeated in 81% of cases using VPN-based transparent traffic capture.
  • Slow remediation after disclosure: 90 days after responsible disclosure, 78 of the 282 affected apps showed evidence of remediation, while 66 remained exploitable with little or no change.

Next Steps

  • Remove LLM secrets from iOS clients: move provider API keys server-side and ensure any proxy endpoints require authentication/authorization (do not rely on “hidden” URLs).
  • Hunt for exposed usage paths: test your iOS apps with a controlled MITM/traffic-capture workflow to identify whether API keys, proxy URLs, or bearer/JWT tokens are observable and replayable in transit.
  • Fix token controls: enforce short-lived tokens with server-validated expiration and reject expired tokens; revoke and rotate any keys/tokens found exposed during testing.

Read more at Cyber Security News

’Gaslight’ macOS backdoor embeds prompt-injection “fake errors” to derail LLM-assisted malware analysis

A newly identified macOS backdoor dubbed Gaslight takes an unusual approach to evading analysis: rather than hiding from the sandbox, it goes after the AI analyst reading the results. The malware embeds 38 fabricated system-failure messages — fake token expiries, out-of-memory kills, disk exhaustion errors — designed to make LLM-assisted triage agents believe the analysis session crashed before completing. The sandbox runs fine; the malware just convinces the AI it didn’t. Hence the name - Gaslight. The bigger idea behind this seems to be hoping that downstream, no other agent or a human follows up why the analysis “failed” and the malware can slip through the alert-fatigue cracks.

Key Details

  • SentinelOne found a 3.5 KB payload containing 38 fabricated “system” messages (e.g., token expiry, OOM kills, disk exhaustion, bogus security warnings) embedded directly in the executable to mislead LLM-driven analysis pipelines.
  • The implant’s operator configuration (e.g., bot token/chat ID) is supplied at runtime and the malware self-redacts the bot token in its own output, complicating recovery from captured logs or crash artifacts.
  • The malware includes a Base64-encoded Python data-harvesting script that collects items such as terminal histories, installed apps, running processes, system profile, Keychain database data, and browser data, then compresses and exfiltrates it.
  • SentinelOne noted Apple detection activity: an XProtect update added a hash-based rule (MACOS_BONZAI_COBUCH) targeting a related Mach-O sample uploaded to VirusTotal in May 2026.

Next Steps

  • If you use LLM-assisted reverse engineering/triage, treat embedded strings/log-like content as untrusted and ensure automated pipelines don’t terminate analysis based solely on in-sample “error”/“system message” text.

Read more at SentinelOne, BleepingComputer, The Hacker News, Reddit

Remote Code Execution via FFmpeg using a crafted video file

FFmpeg patched CVE-2026-8461 (“PixelSmash”), a heap out-of-bounds write in the MagicYUV decoder that can be triggered when apps process a crafted AVI/MKV/MOV file (including via thumbnail/preview generation). Under certain conditions, JFrog demonstrated remote code execution against Jellyfin via its automatic media library scan pipeline, while many other FFmpeg-using apps can be reliably crashed (DoS).

Key Details

  • Fixed in FFmpeg 8.1.2 (released June 17), after JFrog reported the issue to the FFmpeg security team on May 13.
  • Attack surface includes any software using FFmpeg’s libavcodec with the MagicYUV decoder enabled, including Kodi, mpv, Emby, Nextcloud (Movie preview provider), PhotoPrism, OBS Studio, and common Linux thumbnail generators (GNOME/KDE/XFCE via ffmpegthumbnailer).
  • JFrog’s Jellyfin exploit path relied on automatic processing (ffprobe metadata extraction) when a file lands in the media library, including a “zero-click” style scenario where torrents download directly into a monitored library folder.
  • Some deployments may be less exposed: Plex uses a custom FFmpeg build with decoders disabled and a minimal allowlist, which JFrog said mitigates PixelSmash risk.

Next Steps

  • Update to FFmpeg 8.1.2 (or ensure your product’s bundled FFmpeg has been updated to include the fix).
  • Where you can control codec exposure, consider disabling or restricting the MagicYUV decoder / untrusted media preview generation until all dependent applications and appliances are confirmed patched.

Read more at ⭐️ JFrog, CSO Online, BleepingComputer, SecurityWeek

Anthropic Mythos red-team test reportedly reached most NSA classified systems within hours, followed by U.S. export controls and a global model pull

Sen. Mark Warner said the NSA/Cyber Command chief told him Anthropic’s Mythos model “broke into almost all of our classified systems…in hours” during an authorized June 11 red-team evaluation, a claim reported by The Economist and not formally confirmed by the U.S. government. The next day, the Commerce Department issued emergency export controls restricting access to Mythos 5 and Fable 5.

Key Details

  • U.S. officials and defense journalists reportedly clarified the episode was not an autonomous hostile cyberattack, but a sanctioned exercise where the model analyzed codebases to identify systemic vulnerabilities across classified networks.

Next Steps

  • If your organization depends on commercial AI models, treat frontier-model availability as a supply-chain dependency and document a fallback plan (alternate providers/on-prem workflows) for sudden policy-driven shutdowns.

Read more at Socket, Cybersecurity News

Mozilla’s PACT proposes “scarcity-based” anonymous tokens to replace CAPTCHAs and device attestation for bot control

Mozilla is proposing PACT ((Private Access Control Tokens), a privacy-first alternative to CAPTCHAs, fingerprinting, and device attestation for stopping bots and checking that users are likely real. Instead of relying on CAPTCHA systems that can collect behavioral signals, enable fingerprinting, or turn third-party providers into access gatekeepers, PACT lets the browser present anonymous credentials backed by a scarce resource.For example, if a site is flooded with spam bots, an Anchor — a trusted party such as a VPN, email, phone, or paid account provider — could anonymously vouch that a visitor has a real paid or verified relationship somewhere. A Moderator — usually the website or its anti-abuse provider — could turn that into a site-specific credential with a rate limit. The site might allow that visitor 20 comments per day without knowing who they are, which Anchor vouched for them, or what device they use, while a spammer trying to post 100,000 comments would need many scarce credentials, making abuse much harder to scale.

Key Details

  • Trusted “Anchors” issue cryptographic endorsements based on scarce signals such as paid subscriptions, verified accounts, phone numbers, email addresses, or VPN subscriptions.
  • Endorsements are exchanged with a “Moderator” (often the site itself or an anti-abuse provider) for privacy-preserving credentials that can be used to enforce site-defined rate limits without identifying the user.
  • Mozilla says PACT could support browser-based automation by allowing AI agents to carry user-linked credentials (or be vouched for by an Anchor), enabling sites to distinguish user-controlled agents from large-scale abusive automation.

Read more at ⭐️ Mozilla, CyberInsider

ClawHub unlists 23 plugins that “scope-squatted” official @openclaw and @clawhub namespaces

Researchers found 23 ClawHub registry plugins published under official-looking organizational scopes without authorization, letting third parties masquerade as first-party OpenClaw/ClawHub tools in a plugin ecosystem used by AI coding agents. Because plugins execute code inside the agent environment and can perform high-privilege actions, misleading namespace trust creates a supply-chain-style installation risk even when the initial versions appear benign.

Key Details

  • ClawHub is the primary plugin/skill registry for OpenClaw and supports Claude-compatible bundles used in tools like Claude Code, Cursor, and Codex; it indexes 1,500+ plugins and uses an npm-like @owner/ prefix trust model.
  • The 23 unauthorized plugins were spread across 15 distinct publisher accounts, exploiting inconsistent enforcement of ClawHub’s stated rule that only verified org members should publish under registered scopes.
  • Six of the plugins were flagged “suspicious” by ClawHub’s scanner while 17 passed as “clean”, including an impersonating plugin named @openclaw/security-gate that cleared the platform’s audit despite not belonging to OpenClaw.
  • Manifold’s manual review reported no planted malicious code in the versions they reviewed, but warned that future updates could introduce harmful behavior after users have come to trust the namespace.
  • ClawHub’s response (June 19, 2026) was to unlist all 23 plugins and add a formal dispute process after Manifold reported the issue on June 17 via GitHub’s security advisory workflow (plus a follow-up email on June 18).

Next Steps

  • In your AI-agent tooling, block or remove installs of the identified unauthorized plugin names (notably @openclaw/* and @clawhub/* entries listed in the report) and treat any usage as a supply-chain exception until authorship is verified.
  • Add a guardrail to internal developer guidance: require verified publisher/org ownership checks for scoped plugins before allowing installation in agent environments.

Read more at Cybersecurity News, Reddit

Thousands of LG webOS and Samsung Tizen TV apps found embedding residential proxy SDKs to resell users’ IP addresses

Research from Spur found 2,058 of 6,038 sampled LG webOS and Samsung Tizen apps embedding residential proxy SDKs, effectively turning smart TVs into exit nodes for commercial proxy networks. Many apps present as simple games or utilities, while monetizing by routing third-party traffic through the TV—sometimes as an “ad-free” alternative that can persist even after the app is closed.

Key Details

  • Apps were disguised as innocuous content (e.g., fish tanks, clocks, solitaire, “puppies”), but operated as nodes in commercial residential proxy networks.
  • Smart TVs are attractive proxy hosts because they are always-on, typically receive little security scrutiny, and sit on the same home network as other devices.
  • Some apps explicitly offer a monetization fork (example cited: a Pac-Man app on Tizen) where users choose ads or accept Bright Data’s SDK to use the TV connection for “web indexing.”
  • Spur’s dataset attributes 367 proxy-flagged apps to publishers named Bright Data / Bright Data Ltd / Bright SDK, and also notes Honeygain UAB (a subsidiary of Oxylabs) appearing as a publisher on additional apps.
  • Platform policy differences were highlighted: Amazon bans apps facilitating proxy services for third parties, and Roku reportedly blocked Bright SDK and similar services, while LG and Samsung were described as lacking equivalent published restrictions.

Next Steps

  • Audit installed LG webOS and Samsung Tizen apps and remove “ambient”/low-interaction apps (screensavers, clocks, simple games) that don’t come from trusted publishers, these were the primary app types described as hosting proxy SDKs.
  • For managed environments (e.g., hospitality), use an allowlist for TV apps and restrict installs to a vetted set of publishers to prevent proxy-enabled apps from being added in the first place.

Read more at ⭐️ Spur, Cyber Security News

Proposed US bill would require frontier AI developers to report major safety and security incidents to Commerce within 7 days

US lawmakers introduced the AI Incident Reporting Act, which would make it a legal requirement for developers of designated “covered models” to report major AI safety and security incidents to the Department of Commerce within seven days. For incidents posing imminent or ongoing serious harm, Commerce would have to notify congressional leadership and relevant committees within 48 hours of receiving the report.

Key Details

  • The bill would require reporting of incidents such as models attempting to evade oversight, deceive operators, resist shutdown, or circumvent safeguards.
  • Reportable events also include theft/attempted theft of model weights and model capabilities that could materially enable offensive cyber operations against important software or critical infrastructure.
  • The proposal explicitly includes risks like autonomous development of more capable AI systems and capabilities that could accelerate development or use of CBRNE weapons.
  • Commerce would be directed to set capability thresholds defining which models and developers are covered, developed in consultation with industry, academia, cybersecurity experts, and national security officials.
  • Enforcement mechanisms include Commerce investigations, subpoenas, corrective action, and civil penalties up to $2 million, with each day of a continuing violation treated as a separate violation.

Read more at CSO Online

Polymarket to reimburse $3M after frontend supply-chain attack injected malicious JavaScript to trick users into signing transactions

Polymarket said it will reimburse customers after a third-party vendor breach led to malicious JavaScript being injected into its website frontend. The script reportedly tricked users into approving fraudulent on-site crypto transactions, with blockchain analysts estimating about $3 million stolen from a small number of accounts.

Key Details

  • Polymarket said its own servers and backend infrastructure were not impacted, framing the incident as a dependency/vendor-driven supply-chain compromise.
  • PeckShield described the activity as a phishing campaign that stole about $3M in ParyonUSD, later swapped into ~1,893 ETH.
  • Bubblemaps estimated fewer than 15 accounts were affected and published a list of some impacted accounts and wallets holding the stolen funds.

Next Steps

  • Consider adding controls for web supply-chain risk, such as locking/monitoring third-party frontend dependencies (e.g., SRI, version pinning, and change detection for injected scripts) on customer-facing apps.

Read more at BleepingComputer

macOS trust-cache weakness let standard users silently disable CrowdStrike Falcon and Kandji via privileged XPC calls

XM Cyber demonstrated a macOS technique where non-admin users can impersonate trusted app components and invoke privileged XPC methods to disable endpoint security agents without kernel exploits or alerts. The chain relies on macOS continuing to trust an app after its code-signing identifier is cached, enabling payload injection into a legitimate app component that a privileged service accepts as authentic.

Key Details

  • The chain combines CDHash trust-cache persistence with NIB (Interface Builder) injection to get a modified, attacker-controlled UI component treated as a trusted caller by root-running XPC services.
  • In demonstrations, CrowdStrike Falcon Sensor was fully unloaded from a standard user context, removing endpoint detection, process monitoring, and network visibility on the affected Mac.
  • XM Cyber also showed permanent deactivation of the Kandji MDM agent via a two-stage XPC chain, including terminating the Endpoint Security Framework (ESF) extension; Kandji tracked the issue as CVE-2026-39118.
  • A third unnamed EDR vendor was reportedly impacted and was working on a fix at the time of reporting.

Next Steps

  • Confirm you’re running patched CrowdStrike Falcon Sensor and Kandji Agent builds (CVE-2026-39118) across your Mac fleet; prioritize systems where local standard users can execute apps.
  • Use (or evaluate when released) XM Cyber’s XPC Hunter to inventory installed macOS apps that expose privileged XPC services and flag candidates for additional hardening or vendor escalation: https://xmcyber.com/blog/faind-my-xpc-breaks-a-key-trust-boundary/

Read more at ⭐️ XM Cyber, Hackread, SecurityWeek, Dark Reading

”Cordyceps” CI/CD workflow pattern lets unauthenticated pull requests trigger privileged GitHub Actions and hijack repos

Researchers described a class of CI/CD misconfigurations dubbed Cordyceps where untrusted pull requests or PR comments can trigger high-privilege automation, enabling attackers to run code in CI, steal secrets, and potentially take over repositories. Novee reported finding the pattern across major open-source projects and said scans identified hundreds of GitHub repositories as fully exploitable, with downstream software supply-chain implications when compromised workflows can publish releases or packages.

Key Details

  • Novee scanned ~30,000 “high-impact” repositories and reported 654 flagged as potentially exploitable, with 300+ confirmed fully exploitable for attacker-controlled code execution, credential theft, or supply-chain compromise.
  • The reported root cause is GitHub Actions workflow composition: low-privileged PR-triggered workflows accept untrusted input and can end up invoking or influencing privileged steps that hold release/signing credentials or authenticate to cloud providers.
  • Novee cited examples affecting very big open source projects confirmed by both Microsoft and Google: Microsoft Azure Sentinel (PR comment leading to CI code execution and theft of a non-expiring GitHub App key) and Google’s AI Agent Development Kit (PR leading to CI execution and authenticated control over a Google Cloud repository/project context).
  • Additional cited impacted projects included Apache Doris (comment/forked PR paths leading to credential/token exfiltration), Cloudflare Workers SDK (crafted branch name enabling command execution on CI runners), and Python’s Black (automation token theft enabling PR approvals).
  • Novee emphasized the issue is not GitHub-exclusive: any workflow management system can be susceptible when untrusted PR data crosses trust boundaries into privileged automation, and the firm linked spread to automatically generated/replicated CI patterns (“agentic coding”).

Next Steps

  • Review GitHub Actions so untrusted PRs/comments cannot reach privileged workflows or secrets (especially where workflows publish releases/packages, access signing keys, or authenticate to cloud providers).

Read more at Novee, Dark Reading, HackRead, The Hacker News

GitHub hardens actions/checkout to block common “pwn request” patterns in pull_request_target workflows

GitHub updated actions/checkout to refuse to check out fork PR code in pull_request_target (and certain workflow_run) workflows by default, to prevent “pwn request” attacks - where a malicious actor submits a pull request from a fork to trick a repository’s CI/CD workflow into running attacker-controlled code with the target repo’s elevated privileges.The new behavior ships in actions/checkout v7 and will be backported to currently supported major versions.

Key Details

  • In affected workflows, the checkout step fails when it detects fork-PR targeting via inputs like repository resolving to the fork or refs such as refs/pull//head or refs/pull//merge (or equivalent head/merge SHAs).
  • GitHub said the change applies to pull_request_target and workflow_run jobs where workflow_run.event is a pull_request event*, and is meant to stop the most common unsafe checkout patterns used in pwn request attacks.
  • The enforcement is scheduled to be backported on July 16, 2026 to currently supported major versions
  • Workflows can explicitly opt out by setting allow-unsafe-pr-checkout: true on the actions/checkout step.

Next Steps

  • Identify workflows using pull_request_target (or workflow_run over pull_request events) with actions/checkout* and remove any checkout of fork PR head/merge refs/SHAs unless you have a reviewed, documented need to opt out.
  • If you pin actions/checkout by SHA/minor/patch, plan an upgrade to a version that includes the new enforcement (e.g., via Dependabot or your internal update process) before July 16, 2026.
  • Where an exception is truly required, follow GitHub’s guidance on securely using pull_request_target and only then set allow-unsafe-pr-checkout: true: https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target

Read more at The Hacker News, CSO Online, Cybersecurity News

Canadian court OK’d CSIS to remotely disinfect foreign-run botnets on compromised home routers and IoT devices in Canada

A Federal Court ruling revealed CSIS obtained a threat-reduction warrant allowing it to reach into compromised Canada-based servers, SOHO routers, and IoT devices to disrupt two foreign state-linked botnets. The court accepted the activity would otherwise likely violate Canada’s “computer mischief” law, and approved the operation as necessary and proportional with constraints intended to avoid targeting individuals.

Key Details

  • The warrant authorized CSIS to alter, degrade, or destroy botnet data on infected machines and sever them from botnet infrastructure.
  • Affected device categories cited in the ruling included Ring doorbells, security cameras, TVs, and other Wi‑Fi-enabled appliances, alongside Canada-based servers and SOHO routers.

Read more at The Hacker News

Trump executive order sets 2030–2031 deadlines for US federal move to post-quantum cryptography, adds contractor requirements

A June 22 executive order directs US federal agencies to migrate high-value/high-impact systems to NIST post-quantum cryptography by 2030 (key establishment) and 2031 (digital signatures). The order explicitly targets the “harvest now, decrypt later” problem—data stolen and stored today could be decrypted in the future once large-scale quantum computing is available—and is paired with a broader federal quantum-technology initiative.

Key Details

  • The order pulls the prior government-wide migration target forward from 2035 (NSM-10) by roughly 4–5 years.
  • It aligns federal use with NIST’s finalized PQC standards: FIPS 203 (ML-KEM) for key establishment and FIPS 204/205 (ML-DSA/SLH-DSA) for digital signatures.
  • Agencies must name a post-quantum crypto (PQC) migration lead within 30 days, responsible for the cryptographic inventory and migration plan, reporting to the agency CIO.
  • Within 90 days, OMB must issue guidance requiring agencies to review inventories of high-value assets/high-impact systems and submit migration plans.
  • The Federal Acquisition Regulatory Council is directed to propose rules that would require “covered contractors” to meet NIST FIPS (including PQC) by Dec. 31, 2030, and to expand contractor vulnerability-disclosure expectations to include cryptographic flaws (e.g., missing encryption or non-FIPS algorithms).

Next Steps

  • If you sell to US federal agencies, prepare for procurement pressure by mapping where your products use key establishment and digital signatures and validating alignment to NIST FIPS 203/204/205 ahead of the expected FAR rulemaking.
  • For PQC planning and crypto-agility, start building an inventory approach that can support a cryptographic bill of materials, anticipating CISA/NIST “minimum elements” guidance expected within 270 days.

Read more at CSO Online, The Hacker News, The Record

Brazil suspends mobile emergency alert platform after attackers push bogus “Extreme Alert” nationwide

Brazil took its Civil Defense mobile alert platform offline after unauthorized “Extreme Alert” messages were remotely triggered by someone outside the government network and blasted to phones across multiple states.

Key Details

  • At least 10 unauthorized alerts were reported in preliminary findings; nine were sent via cell broadcast and one via SMS.
  • The bogus message displayed as “Alerta extremo – Defesa Civil: misantropi4” (Portuguese for “misanthropy,” stylized with a “4”).
  • Officials blocked external access to the Public Alert Dissemination Interface used to distribute notifications and suspended the platform while assessing security.
  • Brazil’s Ministry of Integration and Regional Development said there was no evidence of “structural damage” to core infrastructure so far; the Federal Police and SEDEC opened an investigation.

Read more at HackRead, The Record, The Register

Estonia proposes official digital identities for AI agents to enable limited, accountable delegation

Estonia’s Prime Minister said the country aims to become the first to create official digital identities for AI agents, so automated assistants can act on behalf of people and companies with clearly defined rights and accountability. The proposal frames agent identities as a way to delegate specific tasks (e.g., drafting documents or initiating payments) without handing an AI assistant blanket access to a user’s services and data.

Key Details

  • The concept is designed so an AI agent can be granted limited and controllable powers (e.g., view-only access, document preparation, or payment initiation).
  • Delegation could be constrained by scope and financial limits, such as allowing transactions only up to a specified threshold or restricting actions to particular systems.
  • The announcement ties the approach to Estonia’s existing digital-state trust model, citing digital identities, X-Road, digital signatures, and footprints as precedents for secure, accountable digital interaction.

Read more at valitsus.ee

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.