
Awesome Motive CDN Compromised; Backdoor Served to OptinMonster Users
Attackers hijacked Awesome Motive’s CDN to push a backdoor to OptinMonster, TrustPulse, and PushEngage, creating rogue admin accounts on WordPress

Varonis disclosed a three-step vulnerability chain in Microsoft 365 Copilot that allowed attackers to steal emails and documents with a

MalExt Sentry found 23 Chrome extensions routing 758,000 users’ search queries through attacker relay servers to generate unauthorized advertising revenue.

Two Chrome ad blocker extensions captured conversations from 90,000 users across ChatGPT, Claude, Gemini, and five other AI platforms, researchers

Google’s Chrome 149 security update patches 28 vulnerabilities, roughly 12 use-after-free bugs, a memory corruption class tied to drive-by code

Researchers showed OpenClaw AI agents can be hijacked through vCards with embedded instructions, enabling attacker code execution and sensitive data

Six Proto6 vulnerabilities in protobuf.js enable remote code execution and denial-of-service against Node.js apps via malicious schemas or crafted payloads.

npm v12 will disable install scripts by default, requiring an explicit allowlist and closing the primary vector used by Miasma

Three patched LangGraph vulnerabilities chain from SQL injection to remote code execution on self-hosted AI agent framework deployments, researchers disclosed.

Fortinet patched CVE-2026-25089, a CVSS 9.1 OS command injection in FortiSandbox’s Web UI exploitable by unauthenticated attackers via crafted HTTP