All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Budibase's AI Extract File automation step has a server-side request forgery vulnerability (SSRF, a type of attack where a server makes requests to internal addresses it shouldn't access) because it uses `fetch()` directly without IP blacklist validation. Every other automation step in the same codebase properly uses `fetchWithBlacklist()` to block requests to internal networks like 127.0.0.1 and 169.254.169.254, but the AI step bypasses these protections, allowing authenticated users to access cloud metadata, scan internal networks, and potentially steal credentials.

Microsoft APM is a tool that manages dependencies for AI agents, and versions before 0.13.0 have a security flaw on Windows systems. When installing a bundle (a package of code) from a .tar.gz file (a compressed archive format), the tool extracts files without properly checking if any file paths could escape the intended folder, potentially allowing an attacker to place files anywhere on the system by using absolute paths like D:/.
Fix: This vulnerability is fixed in version 0.13.0.
Source: NVD/CVE Database

Microsoft APM, a dependency manager for AI agents, had a vulnerability in versions 0.5.4 to 0.12.4 where symbolic links (shortcuts that point to other files) in downloaded packages were followed without checking, potentially allowing attackers to read or write arbitrary files on a developer's machine. The vulnerability went undetected by security checks because the resulting files were not flagged by the package hash verification, security scans, or audit tools.
Fix: This vulnerability is fixed in version 0.13.0.
Source: NVD/CVE Database

Microsoft APM is a tool that manages dependencies (external code libraries) for AI agents. Before version 0.8.12, it had a path traversal vulnerability (a security flaw where an attacker can access files outside the intended directory) that allowed malicious plugins to copy arbitrary files from a user's computer during installation by using absolute paths or '../' sequences to escape the plugin directory.
Fix: This vulnerability is fixed in version 0.8.12. Users should update Microsoft APM to 0.8.12 or later.
Source: NVD/CVE Database

Andon Labs ran an experiment where four different AI models (Claude, ChatGPT, Gemini, and Grok) were each given $20 to run their own radio station independently, with instructions to develop a personality and make a profit. All of them failed quickly, burning through their initial funding, demonstrating that AI systems cannot be reliably trusted to operate businesses or make sound decisions without human oversight.

Pipecat's development runner has a path traversal vulnerability (a flaw that lets attackers access files outside the intended directory) in its `/files` endpoint. An attacker can use URL-encoded slashes (`%2F` instead of `/`) to bypass Starlette's (the web framework) security checks and read any file accessible to the Pipecat process, such as SSH keys or system files, without needing credentials.

Tech companies are using AI as justification to cut middle management positions, claiming that AI enables them to accomplish more work with fewer employees and less management overhead. Workers report that these AI-driven restructurings are damaging mentorship, employee support, and career advancement opportunities across the industry, with companies like Amazon, Meta, Block, and Coinbase laying off thousands of employees specifically targeting management layers.

OpenAI disclosed that two employee devices were compromised through the Mini Shai-Hulud supply chain attack on TanStack (a software dependency library), resulting in limited credential theft from internal code repositories; no user data or production systems were affected. Because the compromised repositories contained signing certificates (digital credentials that verify software authenticity) for macOS apps, OpenAI revoked the old certificates and requires macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas to update to the latest versions before June 12, 2026, when the old certificates will be blocked by macOS protections.
Fix: OpenAI isolated impacted systems and identities, revoked user sessions, rotated all credentials across impacted repositories, temporarily restricted code-deployment workflows, audited user and credential behavior, and revoked the compromised signing certificates while issuing new ones. macOS users must update ChatGPT Desktop, Codex App, Codex CLI, and Atlas to the latest versions before June 12, 2026.
Source: The Hacker News

OpenAI disclosed that two employee devices were infected during a supply chain attack on TanStack, a web development framework, which allowed attackers to steal credential material from internal source code repositories. The stolen credentials gave attackers access to code-signing certificates (digital keys used to verify that software is authentic) for OpenAI's applications on iOS, macOS, Windows, and Android. OpenAI confirmed that no customer data or intellectual property was compromised, but took steps to prevent further risk.
Fix: OpenAI rotated credentials across all affected repositories, revoked user sessions, temporarily restricted code-deployment workflows, revoked the compromised code-signing certificates, and re-signed all applications with new certificates. The company also coordinated with platform providers to stop new notarizations (a verification process that confirms software is safe) and prevent misuse of the stolen certificates. macOS users must update their OpenAI apps to the latest versions by June 12, 2026, after which date the old apps will no longer receive updates.
Source: SecurityWeek

Forza Horizon, an open-world driving simulation game, is expanding to Japan after the developer spent years researching the country to ensure authenticity. The team faces a unique challenge because gamers worldwide have strong expectations about what Japan should look like in games, shaped by decades of stylized portrayals in other video games, so the developers must balance accurate recreation with matching these ingrained mental images.

Security teams are falling behind attackers because they spend too much time investigating alerts rather than responding to them. While detection systems generate plenty of data, analysts must manually piece together information across multiple tools, which takes hours, far longer than the 29 minutes attackers need to move through a network. Modern security systems can compress investigation by automatically assembling relevant context (identity information, access paths, system changes) before presenting alerts to analysts, allowing teams to move from spotting a problem to deciding on a response much faster.

MLflow (an open-source platform for managing machine learning workflows) versions 3.9.0 and earlier have a security flaw where certain API endpoints don't require authentication even when the server is set up with authentication enabled. This happens because the authentication check only protects `/gateway/` routes, leaving other endpoints like the Job API and trace ingestion API unprotected, allowing attackers to submit jobs, view results, and inject fake data without logging in.
Fix: This vulnerability is fixed in version 3.10.0. Users should upgrade mlflow to version 3.10.0 or later.
Source: NVD/CVE Database

datasette-llm-limits is a plugin that works with Datasette (a tool for exploring databases) to set spending limits on how much money users can spend on LLM API calls. The plugin lets administrators configure daily or rolling limits per user or globally, for example restricting one user to $1.00 of LLM usage per 24-hour period.

Databricks has made GPT-5.5 available for enterprise AI agent workflows, where the model achieved a new benchmark record by reaching 50% accuracy on OfficeQA Pro (a test measuring how well AI systems handle complex business document tasks like parsing scanned PDFs and legacy files). Compared to the previous GPT-5.4 model, GPT-5.5 reduced errors by 46% and showed major improvements in parsing old documents and managing multi-step tasks without unnecessary detours.

The AWS AI Security Framework is a structured approach that helps organizations secure AI systems by applying the right security controls across three layers (infrastructure, identity/data, and AI application), three use cases (question-answering AI, data-connected AI like RAG, and autonomous agents), and three phases (prototype, production, and scale). The framework addresses unique AI security challenges like prompt injection (tricking AI systems by hiding malicious instructions in user input) and non-deterministic outputs by implementing input validation, content filtering, and continuous monitoring from day one of development.
Fix: The framework recommends implementing controls across three phases: Phase 1 (Foundational) involves extending existing controls to AI, establishing identity management and fine-grained access controls, and adding content filtering and guardrails; Phase 2 (Enhanced) adds threat detection, data classification, and AI-specific monitoring for production; Phase 3 (Advanced) automates governance, compliance, and incident response at scale. AWS also offers a no-cost SHIP engagement to baseline security posture and build a prioritized roadmap.
Source: AWS Security Blog

Google updated its spam policy to classify attempts to manipulate its AI search results as spam, including tactics like biased listicles or recommendation poisoning (injecting false information to trick an LLM into giving preferred answers). This rule applies to Google Search's AI features like AI Overview and AI Mode.

OpenAI announced a new preview feature that will let ChatGPT connect directly to users' bank accounts through Plaid, a platform that links banking apps to third-party services. This integration would give the chatbot access to detailed financial information, including credit card debt and account balances, to help answer users' finance questions.

This cybersecurity news roundup covers several significant incidents and developments, including a data breach at Nvidia's GeForce NOW service in Armenia that exposed user personal information, extended security update timelines for foreign-made routers and drones, and OpenAI's offer to give EU regulators access to a specialized version of GPT-5.5 for monitoring cyber security risks. The roundup also highlights an active malware campaign targeting developers with fake Claude Code installers, an Iran-linked group breaching South Korean electronics manufacturers, and Google's Android 17 release introducing AI-driven security features like verified financial calls and real-time threat detection.
Fix: For the fake Claude Code installer campaign, the source explicitly mentions the discovery but does not provide a stated mitigation. For Android 17, the source describes the security upgrades included in the update itself (verified financial calls, Live Threat Detection, post-quantum cryptography, automatic OTP hiding, and default-on theft protections), which function as built-in protections rather than external mitigations. For the FCC router waiver, the solution is the extended update window allowing security patches and firmware updates until at least January 1, 2029. No other explicit mitigations or patches are discussed in the source for the remaining incidents.
Source: SecurityWeek

Agentic AI tools (AI systems that can plan, make decisions, and take actions without constant human supervision) are becoming more common in organizations but introduce significant security risks beyond traditional AI systems. These risks include broader system access, unpredictable behavior, and difficulty explaining AI actions. The NCSC and international partners recommend organizations adopt agentic AI carefully by starting with low-risk tasks, deploying incrementally with tight controls, maintaining human oversight, and ensuring clear human accountability before connecting agents to real systems or data.
Fix: The source explicitly recommends several mitigation approaches: (1) 'deploy agentic AI incrementally, starting with tightly bounded pilots using clearly defined tasks, and build confidence in the system before you expand the scope'; (2) 'Think about what could happen if an agent misunderstood its task, exceeded its intended scope or was manipulated, and never grant an agent unrestricted access to sensitive data or critical systems'; (3) 'Ensure you maintain ongoing visibility of the system's operation, and understand how to retain meaningful human oversight and control'; (4) 'If you cannot understand, monitor or contain an agent's actions, it is not ready for deployment'; and (5) define clear human accountability for deployment decisions, granted access, safeguards, and the ability to stop the system before connecting it to real systems or data.
Source: UK NCSC

Microsoft Exchange Server has a cross-site scripting vulnerability (XSS, a security flaw where attackers inject malicious code into web pages) in Outlook Web Access that allows arbitrary JavaScript (code that runs in a user's browser) to execute when certain conditions are met. This vulnerability is currently being exploited by attackers in real-world attacks.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. See Microsoft's Security Response Center update guide and Exchange Emergency Mitigation Service for specific steps.
Source: CISA Known Exploited Vulnerabilities