All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Brain-computer interfaces (BCIs, devices that read electrical signals from the brain to help users communicate or control other devices) are rapidly advancing, with a growing number of people volunteering for trials. Casey Harrell, a man with ALS (a disease that causes paralysis), has spent nearly three years using a BCI that allows him to speak, work, and interact independently by decoding his brain signals into speech through electrodes implanted in his brain and connected to a computer. Multiple companies and research groups worldwide are now conducting BCI trials, with the number of trial volunteers and approved devices increasing significantly.
Microsoft discovered a security vulnerability called "AutoJack" that allows malicious webpages to trick AI agents (programs that can browse the web and access local services) into running harmful code on a user's computer. The attack works by chaining together three separate weaknesses in AutoGen Studio (Microsoft's tool for building AI agents), exploiting the fact that web-browsing agents have trusted access to local services that normally block outside access.
Cisco announced it will acquire WideField Security, a company that specializes in identity lifecycle security (managing who can access systems and what they can do), to enhance Splunk's Agentic SOC (a security operations center that uses AI agents to automate threat detection). WideField's technology helps organizations discover identities, detect misconfigurations in authentication systems (the process of verifying who someone is), and monitor sessions in real time, which will give security teams better visibility into both human and AI-driven activity when integrated into Cisco's security platform.
SearchLeak is a prompt injection attack (tricking an AI by hiding malicious instructions in its input) that exploits Microsoft's M365 Copilot Enterprise Search by using specially crafted URLs to leak sensitive corporate data like emails, documents, and meeting notes. The attack works because Copilot Search accepts natural language prompts in URL parameters (the ?q=[query] part of web addresses), creating a new security weakness called parameter-to-prompt injection that could affect other AI-powered web services too. Microsoft patched the vulnerability on its servers, but the attack reveals a broader risk: AI services with broad access to corporate assets are vulnerable to this type of data theft.
Barret Zoph, who leads enterprise AI sales at OpenAI, has left the company after only five months, following his return from a competing AI startup. This departure is notable because OpenAI had recently prioritized enterprise sales as a key business focus ahead of its planned initial public offering (IPO, where a private company sells shares to the public).
Oracle released 245 security patches addressing vulnerabilities across multiple products like PeopleSoft, Fusion Middleware, and MySQL, all rated high-priority. The most concerning flaws are those that allow remote code execution (running attacker-supplied commands on a system the attacker does not control) without requiring authentication (login credentials), particularly in widely used components like WebLogic Server and Oracle Coherence that other systems depend on.
AutoJack is an exploit that lets a malicious webpage take over an AI browsing agent (a system that can visit websites on your behalf) and run arbitrary commands on the host machine where the agent runs. The attack works by exploiting three weaknesses: trust in localhost (the local computer itself), missing authentication checks, and unsafe handling of user inputs, which allow attackers to trigger code execution through AutoGen Studio's MCP WebSocket (a communication protocol that connects different AI components). This research shows that when AI agents can visit untrusted websites and connect to local services, normal security boundaries break down.
AgenticMail has a security flaw where unauthenticated external emails can trigger a privileged Claude Code session with `permissionMode: 'bypassPermissions'` (a mode that removes safety restrictions). The email's sender address, subject, and preview are embedded directly into the AI's prompt without verification that the sender is the actual operator, allowing prompt injection (tricking the AI by hiding instructions in its input) that could lead to arbitrary code execution and file access under the operator's identity. A similar handler in the same codebase properly authenticates the sender, but the bridge-wake path does not.
OpenAI introduced new usage analytics and spend controls for ChatGPT Enterprise, allowing company administrators to track how AI credits (a unit of payment for AI usage) are being used across their organization. The Global Admin Console now shows detailed breakdowns of credit consumption by user, product, and model, while updated spend controls let admins set credit limits for teams and individual employees, helping organizations manage AI costs and deployment more effectively.
Companies are leaving AI agents (automated tools that run independently) active even after employees who created them leave, giving these tools permanent access to sensitive data and code without proper oversight. Traditional security tools miss this risk because they monitor AI like regular software and don't know which human authorized each AI action, making it hard to track whether an AI's data access is legitimate. The article describes this as a significant security problem but focuses mainly on identifying where these orphaned agents exist rather than fixing them.
This bulletin covers multiple cybersecurity threats including malicious browser extensions that hijack search results and route them through hidden monetization layers, a fileless macOS attack using fake system dialogs to steal credentials, and threat actors abusing Claude's legitimate chat-sharing feature to deliver malware. The common theme is attackers exploiting user trust in legitimate tools and services to conduct fraud, steal data, and distribute malware.
Pipecat's development runner has an unauthenticated WebSocket endpoint (`/ws`) that accepts telephony connections without verifying who is connecting. An attacker can send a fake Twilio handshake message with a call ID they choose, and the server will use its own Twilio credentials to hang up that call, potentially terminating calls on the victim's account. The same vulnerability exists for Telnyx and Plivo telephony providers.
The githubreceiver component in opentelemetry-collector-contrib has a security flaw where it validates the `required_headers` configuration at startup but never actually checks these headers on incoming webhook requests. This means an attacker can send fake data to the webhook endpoint by bypassing the authentication headers that operators thought were protecting it, especially when the `secret` field is left empty (which skips HMAC validation entirely).
The Sentry exporter in opentelemetry-collector-contrib has a path traversal vulnerability (a type of attack where an attacker manipulates file paths to access unintended locations) because it builds Sentry API URLs by directly inserting the service.name attribute, which remote attackers can control, without checking if it's valid. Since the operator's bearer token (a credential that proves the operator's identity) is automatically added to every request, an attacker can craft a malicious service.name to reach privileged Sentry admin and organization endpoints that they shouldn't have access to.
PraisonAI's search tools contain a Server-Side Request Forgery (SSRF) vulnerability, where an attacker can trick the AI into making HTTP requests to arbitrary internal URLs by controlling the `searxng_url` parameter. Because this parameter is exposed to the language model as a tool option and search tools are enabled by default, an attacker can inject malicious instructions through web pages or files to make the server access internal services, read sensitive data, or in cloud environments reach the instance metadata endpoint (169.254.169.254) to potentially steal credentials.
The `multiedit` tool in PraisonAI allows an AI agent to read and write any file on the system without checking file paths or boundaries, because it passes the filepath directly to the `open()` function without validation. An attacker who can control what the agent does, such as through crafted prompts or malicious workflow configurations, could steal sensitive files like SSH keys and credentials, or overwrite important files to take control of the system.
The US government imposed export controls on Anthropic's Fable 5 AI model and its underlying Mythos model, restricting access even for foreign nationals working at Anthropic in the US. Anthropic then took both models offline because the company said it couldn't reasonably comply with the restrictions while keeping the models publicly available. This incident raises broader questions about how the US government should regulate AI and whether its approach will be a genuine safety framework or a political tool.
California expects a major tax windfall from upcoming IPOs of tech companies like SpaceX, OpenAI, and Anthropic, but the actual revenue may be lower than previous tech IPOs because modern employees have access to tax-reduction strategies (like donating pre-IPO stock to donor-advised funds, which are charitable giving accounts) and because these companies structure their stock compensation differently than older tech firms did.
Adobe is launching a redesigned AI studio for its Firefly AI assistant (a tool that helps generate and edit creative designs) that allows users to name and reuse their custom characters, objects, and backgrounds across projects. The new interface, currently in private beta, aims to streamline workflow by keeping persistent context (remembering your previous creative choices) and reusable assets in one place, so designers can work more efficiently without switching between different applications.
Adobe is rolling out AI assistants (chatbots that use natural language conversation to help users) to its Creative Cloud apps, including Photoshop, Premiere, Illustrator, InDesign, and Frame.io. Each assistant is customized for its specific app to help organize work and automate tasks like editing and design. All assistants are powered by Adobe's conversational creative agent, a shared underlying AI system.
Fix: For users installing AutoGen Studio from source, the maintainers removed URL-based parameter injection, routed MCP paths through normal authentication flows, and implemented server-side parameter handling keyed to session identifiers. Users who installed AutoGen Studio through PyPI were never exposed to this vulnerability, as the vulnerable code only existed in development builds and was never shipped in public releases.
CSO Online
Fix: Microsoft rated the information disclosure flaw as critical and patched the vulnerability on the server side earlier that month.
CSO Online
Fix: The source describes features already implemented rather than a fix for a problem. The solution is the new Global Admin Console, which provides credit usage analytics and granular spend controls, allowing admins to track usage by user/product/model, set default workspace limits, configure limits for specific groups, create individual overrides, and enable employees to request additional credits with context for admin review.
OpenAI Blog
Fix: Microsoft has announced that DNS-over-HTTPS (DoH, encrypted DNS queries sent as HTTPS requests) is now generally available on Windows Server 2025, allowing organizations to 'deploy encrypted and authenticated client-to-resolver DNS traffic directly within their existing on-premises DNS infrastructure' to help improve privacy, reduce spoofing risk, and advance Zero Trust DNS (a security model that verifies every access request rather than trusting the network by default) without requiring a new resolver architecture.
The Hacker News
Fix: Add RequiredHeaders enforcement to `handleReq()` in `receiver/githubreceiver/trace_receiver.go`, matching the pattern used in gitlabreceiver at `receiver/gitlabreceiver/traces_receiver.go:266-270`, which validates each required header by checking if the incoming request's header value matches the configured value.
GitHub Advisory Database