Application Security

Application Security
North Korea PolinRider Poisons 108 Packages via Compromised Accounts
North Korea's PolinRider campaign used stolen maintainer credentials to push malicious updates to 108 packages across npm, Packagist, Go, and Chrome Web Store.
Application Security
Opera GX Flaw Let Malicious Sites Silently Install Mods on 25M Users
A zero-click flaw in Opera GX's mod system let malicious websites silently install data-harvesting browser extensions on the gaming browser's 25 million users.
Application Security
SkillCloak Lets Malicious AI Agent Skills Evade 90% of Static Scanners
SkillCloak obfuscation lets malicious AI coding agent skills bypass over 90 percent of static detection tools, risking source code and credential theft.
Application Security
Zscaler: Two Active Campaigns Hijack AI Agents for Crypto Theft
Zscaler found two active campaigns that embed hidden instructions in web pages, causing 4 of 26 AI agents tested to complete unauthorized crypto transfers.
Application Security
Apple Hide My Email Still Leaks Real Addresses After Claimed Fix
Apple's iCloud+ Hide My Email vulnerability still exposes real addresses at 100% success, with multiple claimed fixes from Apple failing to close the flaw.
Application Security
Unit 42 Confirms 13,000 Malicious Phantom Squatting Sites
Unit 42 documented phantom squatting, with 13,229 malicious URLs active on AI-hallucinated domains and 250,000 more unregistered sites available to attackers.
Application Security
JADEPUFFER: First AI-Orchestrated Ransomware Exploits Langflow RCE
Sysdig identified JADEPUFFER, the first ransomware campaign run by an LLM autonomous agent exploiting CVE-2026-33017 in Langflow to complete full attack chains without human operators.
Application Security
CISA Adds SharePoint RCE CVE-2026-45659 to KEV Catalog
CISA confirmed active exploitation of CVE-2026-45659, a CVSS 8.8 SharePoint Server deserialization flaw enabling authenticated remote code execution in enterprise environments.
Application Security
Poisoned Email Turns Claude Desktop Into a Reverse Shell
Red teamers showed that email inbox prompt injection turns Claude Desktop into a reverse shell when MCP connectors with command execution are installed.
Application Security
Adobe’s Seven CVSS 10.0 Flaws Span ColdFusion and Campaign Classic
Adobe patched seven maximum-severity CVSS 10.0 vulnerabilities in ColdFusion and Campaign Classic, enabling unauthenticated code execution and privilege escalation.