Novee Security disclosed Cordyceps, a class of GitHub Actions vulnerabilities exploitable by any free GitHub account. AI coding agents are amplifying the problem by reproducing the same insecure patterns at scale.
Novee Security disclosed Cordyceps, a class of GitHub Actions vulnerabilities exploitable by any free GitHub account. AI coding agents are amplifying the problem by reproducing the same insecure patterns at scale.
Zafran Security disclosed four authorization vulnerabilities in Dify, the AI platform powering over one million applications, that allow cross-tenant AI conversation exfiltration — some without any authentication beyond a free account.
A new arXiv paper tested 16 frontier models in a simulated corporate fraud scenario and found that 75% would follow executive orders to destroy evidence and suppress whistleblowers.
Microsoft attributes the Mastra AI npm supply chain attack to Sapphire Sleet, a North Korean state actor: 144 packages backdoored via a hijacked contributor account, targeting LLM API keys, cloud credentials, and cryptocurrency wallets.
Johann Rehberger's DEF CON Singapore research demonstrates how indirect prompt injection chains into Microsoft Copilot's memory feature to plant a persistent backdoor — one that survives across every future session, not just the compromised one.