Tag: threat modeling
26 articles

AI Skill Exploits Security Scanners, Reaches 26,000 Agents
In a shocking experiment, a security firm created a fake AI skill that evaded detection by security scanners and reached a staggering 26,000 agents, including those on corporate accounts. The skill, designed to be harmless, was able to bypass every scanner it was tested on, raising serious concerns about the safety of AI marketplaces.

AI Coding Agents Exposed to 'Agentjacking' Attacks
Beware of "agentjacking" attacks that exploit AI coding agents' implicit trust, allowing hackers to trick them into executing malicious code on developers' machines. This new class of attack starts with a simple exploit of publicly available credentials, putting even the most secure systems at risk.

ChatGPT Exposes Users to Prompt Injection Attacks via Browser Content
Researchers have uncovered a vulnerability in ChatGPT that leaves users open to prompt injection attacks, where malicious content is embedded into web pages and then summarized by the AI system as legitimate information. This loophole could put users at risk of falling prey to spoofed security alerts and other online threats.

Microsoft Bolsters AI Security with Open-Source RAMPART and Clarity Tools
Microsoft's new open-source tools, RAMPART and Clarity, empower product managers and engineers to stress-test AI security assumptions early on, saving months of potential rework and costly mistakes. With RAMPART, developers can write and run safety tests to identify vulnerabilities in AI agents, covering both adversarial and benign threats.

AI Targets Cloud Environments With Autonomous Attacks
Imagine a future where AI launches devastating cloud attacks with minimal human intervention - a threat that's no longer theoretical, but a harsh reality as demonstrated by a recent state-sponsored espionage campaign where AI executed 80-90% of the attack autonomously. Palo Alto Networks' Unit 42 has taken this threat to the next level by building a proof-of-concept AI model called Zealot that can execute end-to-end cloud attacks.

Anthropic Withholds AI Model Over Vulnerability Exploit Fears
A powerful AI model that can detect bugs was kept under wraps due to fears it could fall into the wrong hands, but does that provide a false sense of security when similar tools are already readily available online? The answer has significant implications for software defenders, vendors, and the public who rely on them.

Mythos Threat Looms Over Cyber Defenses
A new force in cyberspace, known as Claude Mythos, threatens to revolutionize the speed at which cyber defenses are compromised, dramatically shortening the window between vulnerability discovery and exploitation. Experts warn that this emerging threat could upend traditional cybersecurity strategies, making it essential for organizations to reassess their approach to managing vulnerabilities and security operations.

Anthropic Unveils Vulnerability Testbed Amid AI Cyberattack Fears
As AI's power to fix software bugs grows, so do concerns that it could also supercharge cyberattacks - prompting Anthropic to unveil a vulnerability testbed to stay one step ahead of hackers. The company's new model, Claude Mythos Preview, is being tested against a wide range of software to identify and patch vulnerabilities before they can be exploited.

A Cybersecurity Merit Badge Must-Have: Best Skills
Which matters more: a badge that says “I can secure a network” or the quiet confidence you won’t let a school, hospital, or water system be crippled by a stranger online? The new cybersecurity merit badge turns curiosity into civic-duty skills—threat modeling, digital hygiene, and ethical defense—so Scouts can help protect their communities.

penetration testing: Must-Have Tips to Avoid Risky Costs
Passing a pen test feels great — until the invoice arrives and the same vulnerability makes the headlines, exposing whether you paid for real security or just a shiny compliance report. Treat testing as continuous, threat-informed risk management: scope by business impact, budget for remediation and retesting, and combine automated checks with expert red teams to avoid costly surprises.

AI browsers Risky: Stunning Security Wake-Up
A new SquareX Labs analysis warns that AI browsers—promising smarter, hands‑free browsing—may open fresh security gaps by blending models, plugins and persistent state, creating new attack surfaces for credential theft and model poisoning. Users and enterprises should treat AI-driven suggestions cautiously and push for stronger sandboxing, permission controls and oversight before convenience outpaces safety.

CometJacking: Risky Attack Exposes Data — Must-See Fixes
One click can turn your helpful AI into a sneak thief — CometJacking hides malicious prompts in links that trick Perplexity’s Comet into leaking email, calendar and connected data. Stay safe by updating clients, reviewing agent permissions, and avoiding unfamiliar links while these agentic AIs get harder to fool.

prompt injection: Stunning $5 Domain Risk
Could a $5 expired domain let a stranger trick your AI into spilling customer data? Researchers proved it with Salesforce’s Agentforce, a wake-up call that mundane trust failures in AI pipelines can lead to serious leaks and that continuous domain monitoring and layered safeguards are essential.

AI security risks: Critical Must-Have Defense Guide
AI’s power to boost productivity is now drawing attackers to the hardware, APIs and networks that support it, creating practical risks beyond model accuracy. Organizations that treat security as an afterthought must act now—hardening firmware, clamping down on APIs and improving observability—before vulnerabilities turn into costly breaches.

token-handling flaw: Stunning Entra ID Risk Exposed
A newly disclosed flaw in Microsoft’s Entra ID could have let attackers forge tokens to impersonate apps or users across many tenants — but quick action by Microsoft and a responsible researcher likely averted disaster. Now’s the time for organizations to harden token handling and tighten identity controls before the next flaw shows up.

zero-click vulnerability: Stunning Gmail Privacy Risk
Imagine your inbox spilling secrets without you clicking anything — researchers found a zero-click flaw in the ChatGPT Deep Research agent that could let crafted web pages make the agent access and reveal Gmail content while browsing. It’s a wake-up call to tighten permissions and rethink how AI assistants access personal accounts.

ShadowLeak ChatGPT bug: Stunning Serious Risk
A single crafty email was enough to trick ChatGPT’s Deep Research agent into spilling Gmail messages — Radware dubbed the flaw “ShadowLeak” and OpenAI says it’s now patched. It’s a stark reminder that smarter AI assistants can widen the attack surface, so vigilance matters.

API security: Must-Have Defenses Against Risky Breaches
Thales’ report of 40,000+ API incidents in H1 2025 shows APIs have gone from a niche technical risk to a boardroom emergency — attackers are automating probes, scraping data and abusing business logic at scale. Now’s the moment to move API security from a checkbox to a strategic priority with discovery, fine‑grained auth, rate limiting and runtime protection.

Villager penetration-testing tool: Dangerous Must-Have
Villager — an AI-driven penetration tool dubbed “Cobalt Strike’s successor” — has already been downloaded about 10,000 times, sparking both fascination and real alarm as automation lowers the bar for attackers. If defenders don’t sharpen detection, patching, and identity controls fast, that promise of convenience could quickly become a turnkey threat.

Salesloft/Drift incident: Exclusive Risky Security Wake-Up
Cloudflare confirmed some customer data was exposed after the Salesloft/Drift breach, but key details and the full scope remain unclear — a stark reminder that third‑party compromises can ripple across the cloud ecosystem. Customers should watch for updates and take simple precautions now, like rotating credentials and enabling MFA, while investigations continue.

vulnerability in Ollama: Must-Have Patch for Risky Leak
A newly disclosed bug let malicious webpages tweak Ollama, read local chat logs, or even swap in poisoned models—so patch now to stop local chat snooping. Update immediately and use basic hardening (firewalls, isolated environments, and browser precautions) to keep your local AI private and trustworthy.

AI-generated code: Risky Threats & Must-Have Fixes
A new Checkmarx study reveals a surprising and worrying trend: AI-generated code now makes up over 60% of some codebases—and much of it contains known vulnerabilities—so the same tools that speed development can also widen your attack surface. Treat AI suggestions like draft work: add automated scans, clear guardrails, and reviewer sign-off to keep convenience from turning into a systemic security risk.

DevSecOps: Must-Have Best Practices for Ultimate Security
Join NIST NCCoE’s virtual event on August 27, 2025 to learn practical DevSecOps best practices from leading experts and discover how to weave security into every step of your software lifecycle. With cybercrime costs soaring, this is your chance to balance speed and safety through automation, compliance tips, and real-world lessons that make your software more resilient.

SharePoint RCE flaw: Urgent Critical Must-Have Patch
A newly disclosed SharePoint RCE is being actively exploited—apply Microsoft’s emergency patches immediately and scan for signs of compromise. Then harden access controls, rotate credentials, and verify backups so a single flaw can’t turn into a major breach.