Supply-chain attack using invisible code hits GitHub and other repositories

Researchers say they’ve discovered a supply-chain attack flooding repositories with malicious packages that contain invisible ...
Dark Reading

Google Chrome Zero-Day Bug Under Attack, Allows Code Injection

Google has patched a high-severity zero-day bug in its Chrome Web browser that attackers are actively exploiting. It paves the way for code execution and other cyberattacks on targeted endpoints. The ...

Researchers found a way to steal data from Claude.ai using Google Ads

A legitimate Google ad could lead to data exfiltration through a chain of Claude flaws.
The Hacker News

Claude Code Security and Magecart: Getting the Threat Model Right

Magecart hides payload in favicon EXIF via third-party scripts, bypassing static analysis and stealing checkout data at ...
Hosted on MSN

Contagious Claude Code bug Anthropic ignored promptly spreads to Cowork

Anthropic's tendency to wave off prompt-injection risks is rearing its head in the company's new Cowork productivity AI, which suffers from a Files API exfiltration attack chain first disclosed last ...
CSOonline

Rogue MCP servers can take over Cursor’s built-in browser

A new proof-of-concept attack shows that malicious Model Context Protocol servers can inject JavaScript into Cursor’s browser — and potentially leverage the IDE’s privileges to perform system tasks.
Dark Reading

Critical Flaw in Langflow AI Platform Under Attack

Threats actors pounced on the vulnerability within hours of its disclosure, demonstrating that organizations have little time ...