I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

GuardFall bypass uses decades-old Bash parsing tricks to slip destructive commands past AI coding agents’ safety checks

Adversa AI’s GuardFall research shows pattern-based “dangerous command” guards in many open-source AI coding agents can be bypassed because Bash rewrites/expands commands after the guard checks them. In tests of 11 popular agents, 10 were susceptible—meaning a poisoned repo file (e.g., README/Makefile/config) can lead an auto-running agent to execute obfuscated shell commands with the operator’s privileges.

Key Details

  • How the bypass works: Guards scan command text for danger; Bash rewrites that text (quote removal, expansions) before running it — so a filter can pass what Bash later turns into something destructive. Example: r”m -rf /tmp/test has no rmsubstring, but Bash strips the empty quotes and runs rm -rf /tmp/test.
  • Exploitation typically requires auto-execute or weakened sandboxing (e.g., running unattended in pipelines or with “auto-run/auto-yes” style modes), since the agent must actually execute the produced shell command.
  • 10 of 11 tested agents were affected; Adversa names opencode, **Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and Hermes **as leaving the gap open, while Continue was designed to resist the bypass in its default editor mode.
  • It’s described as a structural class of issues rather than a single patchable bug—Adversa notes there is “no single CVE” and that simply adding more blocklist patterns doesn’t address the mismatch between text filtering and shell evaluation.

Next Steps

  • Disable auto-execution modes (e.g., flags such as —auto-exec/—auto-run/—auto-test and “dangerously-skip-permissions”) unless a human approval step is genuinely impossible.
  • Run coding agents with $HOME redirected to a throwaway/sandbox directory so common secrets (e.g., ~/.ssh, ~/.aws) aren’t reachable by any command the agent executes.
  • Don’t run agents on untrusted PR content (especially forks) and treat repo-shipped agent config (e.g., .aider.conf.yml) as untrusted input that can influence agent behavior on first use.

Read more at ⭐️ Adversa, The Hacker News, SecurityWeek

TLCTC proposes 10 non-overlapping threat clusters as a free “common language” for cyber risk, operations, and secure development

TLCTC publishes a cause- and vulnerability-based taxonomy of 10 “Top Level Cyber Threat Clusters” intended to resolve inconsistent threat terminology across security, GRC, and engineering. It is released as a free, open framework under Creative Commons BY 4.0, with supporting artifacts including mappings to other standards and operational concepts like attack-path notation.

Key Details

  • The framework is positioned as a universal, non-overlapping threat language designed to avoid mixing causes, outcomes, and control failures (e.g., distinguishing “ransomware” outcomes from underlying threats).
  • TLCTC’s design is presented as derived from explicit axioms (e.g., threats are on the cause side of a Bow-Tie) and a “thought experiment” mapping generic vulnerabilities to exactly one cluster.
  • It introduces an incident “attack path” notation (with sequencing and time/velocity concepts) intended to document how incidents unfold using cluster steps.
  • For governance alignment, TLCTC describes a 10 × (6 × 2) control matrix combining the 10 clusters with NIST CSF functions and two scopes to create a shared grid for SOC/CISO/board communication.
  • The site claims an inventory including 698 MITRE ATT&CK techniques mapped, a v2.1 whitepaper spec, and multiple tools and “standards bridged” write-ups supporting adoption.

Read more at TLCTC, TLCTC blog

Unpatched flaw in Apple Hide My Email can reveal the real address behind relay aliases, still exploitable after a year

A reported vulnerability in Apple’s iCloud+ “Hide My Email” feature lets attackers recover a user’s real email address from a Hide My Email alias, undermining the privacy guarantee of the relay system. The researcher who disclosed the issue and 404 Media both say it remains exploitable more than a year after being reported to Apple, with public write-ups intentionally withholding exploit steps while the bug is unfixed.

Key Details

  • 404 Media validated the issue against one of its own Hide My Email addresses and said it was still exploitable as of Monday (June 30, 2026).
  • EasyOptOuts says exploitation requires limited technical skill and no elevated privileges, widening the pool of potential attackers.
  • In its disclosure timeline, EasyOptOuts says Apple twice claimed the vulnerabilities were fixed (March 2026 and June 2026) and asked for verification, but the reporter determined the issues persisted using the original reproduction steps.
  • EasyOptOuts and 404 Media chose partial disclosure (no exploit details) specifically because the issue remained exploitable at the time of publication.

Next Steps

  • If you rely on Hide My Email for high-risk identities, treat Hide My Email aliases as potentially linkable to the underlying mailbox until Apple ships a confirmed fix.
  • For sensitive workflows, use an alternate address compartmentalization approach (e.g., dedicated mailboxes per persona/service) rather than assuming Hide My Email provides unresolvable anonymity.

Read more at Easyoptouts, Cyber Security News, Reddit, 404 Media

“Phantom squatting” turns LLM-hallucinated URLs into attacker-owned phishing and malware domains

Researchers observed attackers registering domains that LLMs commonly hallucinate for real brands, then using those newly created sites for phishing and malware delivery when users or AI agents follow the AI-provided links. Unit 42 found the pattern is consistent across models, creating a predictable pool of high-value “future” domains that can be registered before defenders or brand owners notice.

Key Details

  • In testing, two LLMs were asked 685,339 URL-focused questions about 913 brands, producing ~2.1 million URLs across multiple configurations.
  • Threat intelligence systems flagged 13,229 of the generated URLs as already malicious, indicating models can also surface known-bad links (not just nonexistent ones).
  • Unit 42 identified roughly 250,000 hallucinated domains that were unregistered at the time of analysis—targets an adversary could buy and weaponize.
  • Unit 42 reports it could predict attacker registration 18–51 days in advance by monitoring likely hallucination targets; one highlighted case involved a phishing kit (“Montana Empire”) deployed 23 days after Unit 42 flagged the domain as a high-risk hallucination.
  • Observed campaigns included brand-clone phishing pages and a malicious Android app distribution site, with examples spanning postal-service lookalikes, banks, and betting/gambling brands.

Next Steps

  • Add a control so users and AI agents don’t auto-open or auto-fetch model-generated URLs without validation/allowlisting of official domains.
  • If you run brand protection or domain monitoring, watch for registration of likely hallucinated lookalike domains and fast-track takedown/blocks when they appear.

Read more at Unit 42, The Hacker News

DeepSeek-generated “browser-only ransomware” shows how a web page can encrypt local files via Chromium’s File System Access API

Check Point researchers analyzed a DeepSeek-generated malware sample from the wild and demonstrated a working in-browser ransomware technique that abuses Chromium’s File System Access API to read, encrypt/overwrite, and extort files after a user grants a file-picker permission.

Key Details

  • The technique relies on phishing/social engineering to get the victim to approve file-system access, after which the web app can enumerate files in the chosen folder, exfiltrate contents, encrypt, and overwrite them before showing a ransom note.
  • It affects Chromium-based browsers across Windows, macOS, Linux, and Android; Check Point said it could not reproduce the attack on iOS.
  • The analyzed DeepSeek-attributed artifact was a Python Flask app uploaded to VirusTotal on 2026-01-25 and labeled there as a “fully functional information stealer and ransomware toolkit,” with the author calling it “InfernoGrabber v9.0.”
  • Check Point said it has not seen this browser-native ransomware pattern used in real-world campaigns, but reported that minimal effort would be needed to make the incomplete sample attack-ready.

Next Steps

  • Reduce exposure to the File System Access API in high-risk browsing contexts: consider using a non-Chromium browser for untrusted browsing, or isolate Chromium-based browsers used for general web access from those used for web apps that legitimately need local file access.
  • Update awareness/training and internal guidance to treat file-picker prompts as security decisions, explicitly warning users not to grant folder access to “converters,” “upscalers,” or other untrusted web tools delivered via ads/DMs.
  • Hunt for the referenced sample hash and related naming (e.g., deepseek_python_20260125_da0631.py / “InfernoGrabber v9.0”) in malware triage pipelines and sandbox submissions to identify potential copycats.

Read more at The Register, The Hacker News

Fake “Perplexity” Chrome extension routed address-bar keystrokes through attacker domain before showing normal results

A malicious Chrome Web Store extension impersonating Perplexity AI captured users’ searches—and even live address-bar input—by routing it through an attacker-controlled domain before redirecting to legitimate results. Google removed the extension after Microsoft’s disclosure, highlighting how search-provider overrides in Chromium extensions can be abused for covert data collection.Live search queries paired with device data (IP, browser fingerprint) are a valuable asset on their own, sellable to data brokers as a real-time feed of user intent. But an extension with this level of access doesn’t have to stop at collection: it can just as easily swap out search results to run affiliate fraud, or use query history to build targeting profiles for more convincing phishing down the line.

Key Details

  • Microsoft identified the extension as “Search for perplexity ai” (ID: flkebkiofojicogddingbdmcmkpbplcd).
  • The extension funneled traffic through a look-alike domain perplexity-ai[.]online while presenting users with normal-looking results from Perplexity, Google, or Bing.
  • It changed browser settings to become the default search provider and also repointed the browser’s suggestion feature so typed characters were sent to the attacker infrastructure before users hit Enter.
  • Microsoft said it found no evidence of password theft, but noted the extension requested far broader capabilities than a search utility should require (including rules to enable redirects for additional search engines).

Next Steps

  • If present, remove “Search for perplexity ai” and verify the default search engine and search-suggestion settings were not left modified.
  • In managed environments, allowlist approved browser extensions via enterprise browser policy to prevent brand-impersonation installs from the Chrome Web Store.
  • Add detections/blocks for perplexity-ai[.]online (and hunt for browser traffic to that domain associated with extension-driven redirects).

Read more at BleepingComputer, CSO Online, The Hacker News, Cyber Security News, Microsoft Security Blog

Microsoft details “tool poisoning” risk: tampered MCP tool descriptions can trick AI agents into exfiltrating business data

Microsoft Incident Response and Defender researchers warned that attackers can hide malicious instructions inside an MCP tool’s plain-text description to steer an AI agent into leaking data. Descriptions are often read by the model during tool discovery, before a human has explicitly approved that specific tool, and they can be silently updated after installation, with no re-approval trigger in many setups. Because the agent’s steps can look like normal tool use under the user’s permissions, poisoned tool metadata can bypass typical prompt-injection assumptions that only affect model output.

Key Details

  • MCP (Model Context Protocol) tool descriptions are consumed as guidance for tool selection and execution, making them a high-leverage control point when agents connect to third-party tools.
  • In Microsoft’s finance workflow example, a third-party “invoice enrichment” tool is updated so its description silently instructs the agent to attach recent unpaid invoices to routine requests, enabling covert data exposure without changing the tool’s visible identity.
  • Microsoft frames the core issue as a “trust boundary” gap between agents, their connected tools, and downstream endpoints. The tool is approved and the call is allowed, but the description becomes an untrusted instruction channel.
  • Microsoft’s recommended mitigations include treating tool metadata like code/system prompts (review and scan changes), restricting tools via allowlists/least-necessary access, and requiring human approval for high-impact actions, with product mappings such as Prompt Shields, Purview DLP, Entra Agent ID, Defender for Cloud, and Sentinel.

Next Steps

  • Require change control for MCP tool registrations and tool description updates (re-approval on metadata changes; treat descriptions as system prompts rather than documentation).
  • Move from “allow all tools” to an allowlist of approved MCP tool publishers and per-agent minimal tool sets, so agents can only invoke explicitly needed tools.
  • Put human approval gates on high-risk agent actions (e.g., sending data externally, financial actions, or account changes) to prevent silent execution paths.

Read more at The Hacker News, Microsoft Security Blog

Microsoft Teams adds default-on bot detection that holds external meeting bots in the lobby for organizer approval

Microsoft rolled out a new Teams admin policy that detects external bots and forces an organizer decision before they can join a meeting, aiming to stop third‑party “note‑taking” bots from auto-joining future meetings without intent. Microsoft also introduced a bot identification/registration path so approved ISV bots can self-identify and be treated as known participants rather than suspected threats.

Key Details

  • When the policy is active, Teams visually separates lobby entrants into “Waiting” vs “Suspected Threats” to help organizers quickly triage verified participants/registered bots versus unregistered or flagged bots.
  • Microsoft added extra confirmation friction for admitting bots (no one-click admit for identified bots; warnings when using “Admit All” if bots are present) to reduce accidental admissions.
  • Microsoft says it improved detection using a mix of behavioral and infrastructure signals, while noting detection is not guaranteed to catch every bot.
  • The new framework retires Teams’ CAPTCHA-based verification, with the CAPTCHA policy slated for removal from the Teams Admin Center by late August 2026; the bot protection feature reached general availability globally in June 2026 (including GCC on the same timeline).

Next Steps

  • In Teams Admin Center, review/assign the “Manage external bots and their access to meetings” policy to the users/groups most likely to encounter third‑party meeting bots, and keep “require approval before joining” enabled where appropriate.
  • Set meeting controls so “Who can admit from lobby” is limited to organizers and co‑organizers to reduce the chance a non-owner admits an unintended bot.

Read more at Cyber Security News, The Register

Claude Code binary can embed hidden Unicode markers in the system prompt date when using a custom API base URL

A reverse-engineering writeup claims the Claude Code 2.1.196 client can silently alter punctuation and date formatting in the system prompt to encode classification signals that are hard to notice visually. The behavior is triggered when users override the API endpoint (ANTHROPIC_BASE_URL), raising transparency and trust questions for a tool that can access local files and execute commands.

Key Details

  • The reported mechanism is prompt steganography via tiny Unicode changes: the apostrophe in “Today’s” can be swapped among several similar-looking codepoints, and the date separator can flip from “YYYY-MM-DD” to “YYYY/MM/DD.”
  • The trigger condition is setting ANTHROPIC_BASE_URL (Claude Code’s API base URL override); in “normal” setups (official endpoint or env var unset) the function reportedly returns early and keeps the date string unchanged.
  • A separate check reportedly classifies the API base URL hostname by comparing it to an obfuscated (base64 + XOR) domain list and looking for AI-lab keywords (e.g., “deepseek”, “zhipu”, “baidu”, “alibaba” etc.), then selects one of several apostrophe variants as a marker.

Read more at thereallo.dev

JadePuffer: Sysdig says an LLM agent ran an end-to-end ransomware attack by exploiting Langflow RCE and pivoting to Nacos/MySQL

Sysdig reported what it assesses is the first ransomware operation where an autonomous LLM agent handled the intrusion end-to-end, from initial exploitation and credential harvesting to lateral movement and data encryption without a human operator. The campaign started by exploiting a Langflow unauthenticated RCE (CVE-2025-3248) and then pivoted to a production environment where the agent targeted Nacos/MySQL to encrypt and delete configuration data for extortion.Sysdig observed the agent diagnosing and fixing a broken authentication payload in just 31 seconds, deleting the failed account, switching to a different import method, and reinserting a corrected record, all without human intervention. That kind of tight, self-correcting debug loop is far faster than a human operator troubleshooting the same failure. If the trend holds, defenders should expect attacker dwell time and iteration speed to keep compressing, detection windows built around human-speed troubleshooting may need rethinking.

Key Details

  • Initial access used CVE-2025-3248 (Langflow unauthenticated RCE)
  • The agent hunted and extracted secrets from the compromised Langflow host, including dumping Langflow’s backing PostgreSQL database, enumerating environment variables/sensitive files, and probing reachable internal services such as object storage.
  • MinIO was enumerated adaptively (including handling XML vs JSON responses); reporting notes default credentials were observed in use (minioadmin:minioadmin) and the agent performed progressively deeper API-driven discovery and retrieval attempts.
  • Persistence was established via a cron-based beacon every 30 minutes, reported to contact 45.131.66[.]106.
  • On the production target, the agent used Nacos-focused tactics including CVE-2021-29441 and then executed “database extortion” by encrypting 1,342 Nacos configuration items via MySQL, dropping original tables, and creating a README_RANSOM extortion table with a BTC address and Proton Mail contact.

Read more at Sysdig, BleepingComputer, Security Affairs, The Hacker News

Microsoft pulls 119 malicious Edge add-ons that hid JavaScript payloads inside images/fonts to evade scans

Microsoft removed 119 extensions from the Edge Add-ons store after finding they used steganography to hide executable JavaScript inside seemingly normal PNG/WebP images and WOFF2 font files. The extensions appeared legitimate (ad blockers, VPNs, translators, downloaders) but delayed and gated execution to evade analysis while stealing credentials and running ad-injection/affiliate fraud.

Key Details

  • Up to ~2.6 million installs were associated with the 119 extensions
  • The campaign used multi-layer evasion before activating, including multi-day dormancy, server-side validation, and (in some variants) only executing in ~10% of sessions; it also detected open DevTools and extended dormancy.
  • Some variants fetched the payload from C2 as a normal-looking image and decoded it locally (e.g., layered transformations like Base64/XOR) before running it; the C2 reportedly served real content only to requests that passed fingerprint and User-Agent checks and returned decoys otherwise.
  • Microsoft’s analysis attributed capabilities including ad injection/search redirection and affiliate hijacking (Amazon, eBay, AliExpress) alongside credential theft (e.g., Google sign-in credentials/2FA codes, WordPress admin logins) and bulk cookie exfiltration for session hijacking.
  • Microsoft said it removed the 119 extensions and suspended 90+ developer accounts, and published a technical report with extension IDs and indicators of compromise (IOCs).

Next Steps

  • Compare your installed Edge add-ons against Microsoft’s list and remove any matching extension IDs (see Microsoft’s StegoAd PDF/technical report for the full list).

Read more at The Hacker News, Security Affairs

Survey: 80% of orgs are investing in detection engineering as custom, behavior-based detections replace vendor defaults

A SANS Institute/Anvilogic survey of 264 security professionals found 80% of organizations are actively investing in detection engineering — the practice of building and maintaining custom rules and logic to detect malicious behavior in an organization’s own environment, rather than relying solely on vendor-supplied signatures. The shift reflects a move toward tailored detections that match an organization’s environment and attacker behavior. The push is driven by high false-positive rates and gaps in “out-of-the-box” detections as cloud adoption and more evasive attack techniques make generic rules less effective.

Key Details

  • 60% report having dedicated detection engineering teams, and 67% say they have strong leadership support for the practice.
  • False-positive fatigue and low-fidelity alerts remain a major catalyst: 64% reported high false-positive rates, 61% struggled with detections lacking environmental accuracy, and 34% cited delays in detection updates/improvements.
  • Detection engineering is increasingly treated like software development, incorporating SDLC and CI/CD practices to test, deploy, refine, and audit detection-rule changes.
  • 45% of respondents say they already use AI in detection engineering (e.g., anomaly detection, rule generation, alert triage), and 88% expect AI to have a big impact within three years.
  • 93% are using or plan to use automation in workflows such as rule development/tuning and threat hunting, including mapping coverage to MITRE ATT&CK and identifying broken or misconfigured detections.

Read more at CSO Online

AirDrop and Quick Share bugs enable nearby zero-click crashes; Windows Quick Share hit by use-after-free

Researchers disclosed six vulnerabilities in Apple AirDrop and Google/Samsung Quick Share that let an attacker within wireless range trigger repeated, zero-click crashes of nearby devices’ sharing services enabling denial of service types of attacks. The same work also found Quick Share weaknesses that allow some pre-auth and post-handshake message handling to be bypassed, plus a memory-safety bug in Google’s Quick Share for Windows that can be triggered into a reliable crash.

Key Details

  • AirDrop crashes can take down multiple Apple Continuity features at once because they target the background service that also supports AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop.
  • One AirDrop issue is a Foundation XML property list stack overflow, meaning the underlying parser weakness can affect other Apple software that processes untrusted XML plists beyond AirDrop itself.
  • Samsung Quick Share processes certain messages before the UKEY2 handshake completes, allowing proximity attackers to interact with the protocol state machine without the intended cryptographic authentication.
  • Some Quick Share control frames are accepted in plaintext even after a secure session exists, enabling an on-path attacker on the same network to inject specific unencrypted control messages during an active session.
  • Google Quick Share for Windows has a race-condition use-after-free when two connections collide on the same identifier/nonce; researchers demonstrated a reliable DoS and noted a plausible route to code execution (they did not build an exploit).

Next Steps

  • Patch AirDrop/Quick Share components as vendor fixes land (Apple has acknowledged the AirDrop issues and is developing fixes; Google has landed a fix for the Windows issue and Samsung’s protocol issues are under investigation).
  • On Apple fleets, consider restricting AirDrop receiving (avoid “Everyone” where not required) to reduce exposure to unauthenticated proximity-triggered crash attempts.

Read more at Cyber Insider, The Hacker News, Cybersecurity News

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.