- Son of Anton strikes again!
- HalluSquatting and using Claude to defend itself
- CISA KEV’s Revolving Door
- LLM's hallucinate and companies get sued
- Additionally - GitLost
- Yet even more Linux vulnerabilities
- Citrix just keeps bleeding
- Old hardware is new again
- A sneak peak into next week's tech segment
- Tenda hidden backdoors
- We're still talking about Mirai
- Today was not a good day for Roundcube
- Canada is hacking criminals
- AI safeguards are still annnoying
- All cars will spy on you
- The FatFs unpatched vulnerability in millions of embedded devices
- Windows OS market share drops below 60% (Paul uses Arch)
- ‘We Cannot Choose to Become Idiots’ - or can we?
- Let’s be real. Your scanners are dumping thousands of vulns, half of them noise, and you still don’t know what’s actually exploitable in your environment.Patching everything isn’t possible, and chasing CVSS isn’t working.At the Vulnerability Management Virtual Cybersecurity Summit, learn how to prioritize based on exploitability, reduce false positives, and actually fix what matters.Security Weekly listeners can register for free at https://securityweekly.com/vulnmanagement using the promo code: CSS26-SW
- CyberRisk TV is proud to be an official media partner of Black Hat USA 2026! We'll be broadcasting live from the Black Hat LIVEWIRE Studio with technical interviews covering offensive security, detection, response, infrastructure, and the tools practitioners use every day.Our Executive Interviews and Event Momentum Packages keep your message in front of the security community long after Black Hat wraps up. Fewer than 10 interview opportunities remain, so visit https://securityweekly.com/exec today and secure your spot before they're gone.
Paul Asadoorian
- Discord admits AI moderation bug wrongfully banned users over harmless images
Son of Anton strikes again
- Oomwoo is a new open-source robot vacuum you can 3D print yourself, sidesteps cloud security risks by running fully offline — project combines Raspberry Pi, 2D LiDAR, and a 3D-printed chassis
Love this!
- MatthewKuKanich/ChimeraBLE: Advanced BLE security & reverse-engineering tool for ESP32
Larry?
- Hackers can use 9 of the most popular AI tools to assemble massive botnets
- CISA KEV’s Revolving Door
Summary: Jericho at Attrition.org documented seven CVEs that were added to CISA's Known Exploited Vulnerabilities catalog, then quietly pulled with no public explanation, things like a transposed CVE number, a flaw a researcher proved was never actually exploited, and one Microsoft confirmed had no real exploitation at all. When Jericho asked CISA about it, they were told, "no CVEs have been removed from the KEV catalog recently," in the same conversation in which CISA disclosed yet another removal. CISA has claimed dozens of people vet each KEV entry before it's added.
Paul's take: KEV is supposed to be the one list defenders can treat as ground truth: this is being exploited right now, patch it first. If entries are getting added on bad data and then vanishing with no changelog, that trust is exactly what's getting eroded, and CISA's own "we didn't remove anything" while removing something doesn't inspire confidence in whoever's answering the phone. Jericho's ask is reasonable and cheap to implement: keep removed entries visible with a timestamp and a reason, rather than memory-holing them. If you're prioritizing patches off KEV inclusion alone, this is your reminder to keep a second source and a little skepticism in the loop. Trust, but verify, applies to the list that's supposed to tell you what to trust.
- What It Takes to Secure Claude Cowork Across the AI Enterprise
Let's be clear about what this is: a vendor blog post identifying gaps conveniently shaped like the product that the vendor sells. That doesn't make the underlying concerns wrong, prompt injection against autonomous agents and unmonitored data flowing into an LLM are both real problems, we've covered actual prompt injection bugs on this show. But "the challenge is no longer who can access a system, it's what happens after access is granted" is exactly the pitch every DLP and CASB vendor made a decade ago, just with "AI" swapped in. If you're deploying agentic tools like Cowork in an enterprise, the actual homework is boring and vendor-agnostic: know what data your agents can touch, log what they do with it, and assume any content an agent reads from the outside world is untrusted input. Whether you buy a gateway to get there or build the controls yourself is a budget question, not a security one.
- Finding the “Goldilocks” Zone: A Practical Approach to Alert Triage
From the article:
*“Goldilocks Zone” is to consider the context around it procedurally:
- How high of a priority is the event?
- How often does this activity happen?
- Does the activity from the alert help the attacker further their goals?
- What would “success” look like for that attack?"*
Agree with the approach?
- Startup sues Palo Alto Networks’ Koi Security, saying an AI-hallucinated report falsely linked it to Chinese espionage
This is the story people should have been scared of, rather than the killer-AI hypotheticals. A vendor's LLM made up a piece of software, built an attribution chain on top of it, and shipped it as a threat report, labeling a named company's product as criminal infrastructure, and nobody checked before hitting publish. Then the rest of the industry did what the industry does: ingested that report and started blocking a legitimate business, no due process, no phone call, just automated trust in somebody else's automated trust. The scariest line in this whole thing is that the bad attribution is now baked into the LLM training data, so it's going to keep getting repeated as fact long after the lawsuit is over. If your threat intel pipeline lets an AI publish accusations about named companies without a human sanity-checking whether the evidence is even real, you don't have a research process; you have a defamation generator with a nice UI.
- Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
A perfect 10.0 CVSS score on UniFi Connect should get your attention on its own, but the real story is the spread: seven CVEs across five product lines in a single patch batch. That's not a one-off coding mistake; that's a pattern across the whole UniFi stack. Looks like Hackerone was the source of at least most of them.
These boxes sit in homes and small businesses that mostly never touch the admin panel again after setup, which is exactly the population that becomes botnet fodder. If you run UniFi gear, this isn't a "get to it next sprint" patch. Update Connect, Talk, Access, Protect, and OS now, and if you're an MSP managing a pile of these for clients, make sure auto-update is actually turned on, because nobody is logging into grandma's UniFi console to click the button.
- Architecture 1901: From zero to QEMU – A Gentle introduction to emulators from the ground up!
This looks like an awesome course, and its FREE!
- GitLost: How We Tricked GitHub’s AI Agent into Leaking Private Repos – Noma Security
Summary: Noma Labs found a prompt injection flaw in GitHub's Agentic Workflows, the feature that pairs GitHub Actions with AI agents (Claude or Copilot). An attacker just opens a public Issue in an org's repo with hidden natural-language instructions, and when automation assigns it, the agent reads the Issue, follows the buried commands instead of its actual job, pulls private repo contents the agent has cross-repo access to, and posts the stolen data back as a public comment. No login, no credentials, no code, just an Issue. They even found that adding the word "Additionally" to the prompt was enough to slip past GitHub's guardrails. It was reported to GitHub and disclosed responsibly.
Paul's take: No exploit chain, no memory corruption, just the word "Additionally" typed into a GitHub Issue box. That's the part that should bother people. We spent decades hardening input validation for SQL and command injection, and now we've handed an agent broad read access across an org's repos and trusted it to tell the difference between "data" and "instructions," which it apparently can't. The researchers nailed it: prompt injection is becoming to agentic AI what SQL injection was to the web, a whole category, not a one-off bug. If you're wiring up agentic workflows with cross-repo permissions, the lesson isn't "add a better guardrail prompt"; it's "assume anything the agent reads is attacker-controlled until proven otherwise," just as you'd treat any other untrusted input.
- J-jaeyoung/bad-epoll – Mythos missed it
A working exploit for CVE-2026-46242, a race-condition use-after-free in the Linux kernel's epoll subsystem, introduced by a 2023 commit and fixed this past April. Two close paths in epoll can run simultaneously, and one frees an object while the other is still writing to it. The exploit is claimed to be 99% reliable against Google's kernelCTF targets and works from inside Chrome's renderer sandbox, meaning it could chain with a renderer bug for full privilege escalation to root on desktop, server, or Android. A six-instruction race window doesn't sound like much until someone builds a retry loop around it and gets 99% reliability. That's the real story here, not the bug itself (kernel UAFs happen) but the exploit engineering that turns a razor-thin timing window into something you can basically count on. And this landed via a 2023 commit, sitting in shipping kernels for three years before anyone caught it. If you're running anything on 6.4 through the fixed version, patch it.
- CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451)
Here we go again. It's called "CitrixBleed To Infinity And Beyond" for a reason; watchTowr flat-out says the memory-disclosure bug class is "endemic" to NetScaler, and they've "given up counting." When a researcher stops counting your CVEs, that's not a vuln; that's an architecture. And the root cause is almost quaint: a hand-rolled XML parser that doesn't know how to terminate an attribute. In 2026, on the box guarding the front door of your enterprise, someone wrote their own parser and got it wrong. If you run NetScaler as a SAML IdP, patch it now and assume that anything reachable pre-auth has already been poked. The bigger question is why this same primitive keeps coming back on the same appliance, and why we keep putting it on the perimeter anyway.
- pIat0n/BareMetal-RAM-Dumper: A bare-metal x86 utility to dump physical RAM directly to disk.
Cold boot attacks aren't new; the original Princeton paper is from 2008, but seeing the whole attack collapsed into a 512-byte boot sector plus a stage2 that's pure BIOS interrupts is a great reminder that the primitive never went away; it just got smaller. No DMA hardware, no FireWire, no Thunderbolt exotica just legacy CSM, INT 0x15 for the memory map, and INT 0x13 to write RAM back to the same stick you booted from. The catch is right there in the requirements: it needs Legacy BIOS boot, which is exactly the thing modern platforms are killing off. If you've turned off CSM, are running full memory encryption, and your keys live in a TPM instead of DRAM, this mostly bounces off. If you're a shop still shipping laptops with CSM enabled and software FDE, and plenty of attackers with five minutes of physical access and a can of compressed air just became a real part of your threat model. It's also a lovely little teaching artifact for anyone who actually wants to understand unreal mode and the E820 map rather than just reading about them.
- I revived a 15-year-old laptop with an OS that runs entirely in memory
This is pretty neat and could definitely be extended to run from a USB drive and load the OS into RAM. Some tech tidbits: " Instead of a traditional full operating system install, Puppy Linux allows for a Frugal Install, where the entire operating system lives as a few compressed, read-only files inside a single directory on your existing drive...modifying /etc/grub.d/40_custom, I appended a custom entry pointing directly to that directory, passing the pfix=ram and psubdir=/puppy arguments to tell the kernel to extract everything straight to system memory." - We have potential e-waste lying around; this is a neat way to revive some older hardware. I kinda like the security model too as you could just make this totally ephemeral.
- Polycom-Open-Firmware/tc8-firmware-build: Image packaging + dev/recovery tools for Polycom TC8 (boot/system/dtbo/vbmeta with AVB, NFS + eMMC profiles)
You can purchase these for like $10-15 on Ebay. Two models are supported and the author says: "Poly video-conferencing rooms get decommissioned and their touch panels usually end up as e-waste. This project gives them a second life as small Debian Linux machines. One repo, two targets — both are i.MX8MM boards, so they share one kernel tree, one Debian rootfs builder, and one composer; only the board facts (device tree, boot recipe, partitions) differ"
- Sneak peak for next week: fettle – an open-source Linux package updater and supply chain checker
NOTE: THIS IS BETA CODE - USE AT YOUR OWN RISK. I will give the details next week. If you want to test it on TEST SYSTEMS and provide feedback, I would appreciate that! Right now, the command-line options are a hot mess and very confusing; I hope to have that and other issues ironed out for next week. Lots more testing to do; big heavy lift of development is done.
David Johnson
- Peter Stokes is a crook, but this time the “Nixon” is on the other foot.
A wild Allison Nixon appears! As posted on Allisons LinkedIn page, there's more to the Peter Stokes story. Allison shared the background and it seems like Peters career was over before it started.
- One weird trick to force GitHub AI Agent to exposs private repo’s
I was literally paranoid about this the other day as I was creating a new private repo and the selection box for AI signups made me pause and think.
It turns out, being paranoid and correct, are not mutually exclusive. But we know that from experience.
- Windows OS market share drops below 60% (no it’s not just because Paul uses Arch)
Its 56.55% now. (10 years ago it was close to 90% 15yrs ago 95%) OSX at 12% MacOS at 5% Linux around 4% CHrome at 1.2%
- “We cannot choose to become idiots” – Brown Professor and AI Exam cheating
Professor Serrano and his grading team tried ChatGPT themselves when they noticed a significant increase in scores after the class went remote temporarily following a tragic school shooting at Brownd University in December.
The math just wasn't mathing when comparing the prior scores. And then they announced they'd compare the scores of the Final exam (in class) to the midterm, if they matched, they'd keep it, if not, they would declare the exam void.
- Copilot adoption is less than 4.5% out of 450M. Less than the number of Nickelback listeners.
Current estimates put casual (or better) Nickelback listeners at 30million annually. Copilot has 20 million users. Infer what you will.
- The Shape of Enshittification – Moar AI slop means moar AI slop.
As consumption changes, so does tastes. Self help books seem to be on the decline because AI can basically function as a "live" self help book. Unique and human stories are increasing though. That's the good news. Social media may be on it's way out though. So much of it being driven by AI to AI communication and AI specific advertisements and marketing.
Larry Pesce
- CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware
- Homelab Gets Linksys Themed Aesthetic
- Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices
- More Odd DNS Records: NIMLOC – SANS Internet Storm Center
- Accenture Confirms Data Breach After Hacker Claims Source Code Theft
- New Ghost Phishing Wave Is Breaking Traditional Email Security
- Major medical device manufacturer notifies nearly 4 million of breach
- 1-in-2 phones sold in Africa exfiltrate telemetry to China – NowSecure
- Hackers exploit Roundcube flaw to spy on academic researchers
Lee Neely
- Canadian spy agency says it hacked drug traffickers, extremists, and a ransomware gang last year
Canada's cryptologic intelligence and security agency, the Communications Security Establishment (CSE), has released an annual report on its research and operations, including disclosures of three "active cyber operations" authorized in a "two key" system by the Minister of National Defence and the Minister of Foreign Affairs under the CSE Act.
This report reinforces that Canada's CSE has skills and capabilities and is willing to use them to stop adversarial actions as well as partner with other law enforcement agencies to protect Canada's interests. Word to their would-be attackers: Don't assume Canada can be targeted without a response.
https://www.cse-cst.gc.ca/sites/default/files/cse-annualreport-2025-2026-e_2.pdf
- Hackers breached DHS information-sharing network, people familiar say
The US Department of Homeland Security (DHS) is investigating unauthorized access to its Homeland Security Information Network (HSIS), according to sources in contact with Nextgov. HSIN is a network used by federal, state, local, territorial, tribal, international, and private-sector partners to "send requests securely between agencies, manage operations, coordinate planned event safety and security, respond to incidents," and share information in the interests of community safety and the missions of organizations across defense, intelligence, emergency management and services, critical infrastructure, law enforcement, public health, and cyber sectors.
Apparently access was obtained by compromising a legacy system. A reminder that we need to not forget those older systems which may not be robust enough to survive modern threats. They should also have good logging and monitoring. Make sure you're watching for end-arounds to the access protections, even if only for "a minute" or "just once," those workarounds have a way of persisting beyond the approval and are best not allowed in the first place.
- NCSC Shares Tips on How to Make a Pen Tester’s Job Harder
UK's National Cyber Security Centre (NCSC) shared the answers they received when they asked pentesters "What can organisations do to make your job harder?" Their top answers were to build systems that are secure by design, to segment networks, and to implement logging and monitoring.
- A Djinn in the Machine: TaskWeaver’s Node.js Intrusion Chain
SimpleHelp flaw, under active exploitation., CVE-2026-48558, is an authentication bypass being used to deliver the Djinn Stealer, which captures cloud keys, source-control sessions, SSH keys, and AI integration credentials, as well as crypto wallets, browser history and more. The fix is to install the updated SimpleHelp 5.5.16 or 6.0 immediately, then go looking for IoCs in the BlackPoint Cyber writeup. https://simple-help.com/security/simplehelp-security-update-2026-05
- Oracle E-Business Suite was under attack via critical flaw before the public exploit code was even released
Attackers have been caught exploiting a critical flaw in Oracle E-Business Suite's Payments module just six weeks after Oracle patched it – and before any public proof-of-concept exploit was available.
Attackers are targeting the Oracle Payments flaw, which was fixed in the May CPU. Your assignment, should you wish to accept it, is to make sure that the May CPU was fully deployed, including production. Then have a conversation about whether your EBS instance should be exposed to the Internet, and if it is, what compensating controls, such as a WAF, are in place to prevent malfeasance. Then make sure they are working. Remember that time the WAF was left in learning mode? Let's not learn that lesson again.
- Redeploying Claude Fable 5
After disabling its Fable 5 and Mythos 5 models on June 12 in response to a US Department of Commerce (DOC) export control directive, Anthropic announced on June 30 that the export control was lifted, and that both models would soon become available again. This federal restriction had obligated Anthropic to prevent access to these models by any foreign national, citing concern for national security following Amazon's report of a method to bypass the safeguards that keep the models from identifying and exploiting cyber vulnerabilities.
Anthropic's new framework for assessing bypasses of AI safeguards (jailbreaks), created in partnership with Google, Amazon, Microsoft and other Glasswing partners, is something we should watch closely. Just as there is no such thing as perfect security, it's impossible to make any AI model fully impervious to jailbreaks, so having a framework to understand and measure them just as we do with vulnerabilities will be helpful as our AI portfolio grows and evolves.
- Citizen Lab Found Evidence of Pegasus Infection on European Parliament Member’s Phone
A July report from Citizen Lab details their finding that the phone of investigative journalist and former Member of European Parliament Stelios Kouloglou was infected with Pegasus spyware in October 2022 and March 2023 while he served on the European Parliament's PEGA Committee, which was established to "investigate infringements and maladministration in application of EU law in relation to the use of Pegasus and equivalent spyware surveillance software."
To defend yourself against Pegasus and similar spyware, you need to actively ensure you are running supported mobile devices with a current OS, and only install apps from known good sources, ideally only Google Play or Apple App store and your corporate app store (if any). Next you need to check your existing apps. Remove those you don't recognize or no longer use, and drill down on those using lots of data or battery use. Next, check recently added apps to see if there are any unusual or unexpected additions. Lastly, consider using lockdown mode when traveling in high-risk areas.
- Protecting customers faster: How Adobe is responding to AI-accelerated vulnerability discovery
Adobe announced that as of July 14, 2026, the company "is moving from monthly to twice-monthly publication of Adobe Security Bulletins and Advisories on the second and fourth Tuesday of each month."
On June 30, Adobe published security bulletins addressing 12 vulnerabilities: 10 rated critical and one rated important in Adobe ColdFusion, and one critical vulnerability in Adobe Campaign Classic. Of the vulnerabilities in ColdFusion, six have CVSS scores of 10.0Don't lose sight of Adobe's move to two security bulletins a month. We've all been spoiled with alerts converging on that second Tuesday, except for browser updates, which seem to favor days ending in "Y." And yes, you read that right, ColdFusion is still around and supported; it turned 30 last year, so you need to keep updating it. https://www.bleepingcomputer.com/news/security/max-severity-adobe-coldfusion-flaw-now-exploited-in-attacks/
Sam Bowne
- GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
They asked Copilot to build an everyday piece of software: a small test program that scores how often another AI model gives in to harmful prompts. Loading a list of harmful test questions into that program looks like ordinary work, not an attack. They then told Copilot to improve the program by adding "teaching shots," example question-and-answer pairs written into the code. Copilot added harmless examples first. Asked to add the harmful ones, it wrote the dangerous answers itself, as plain text sitting inside the code. These were answers that the same models refuse when you ask for them straight out in a chat. Asked directly in chat, the models produced harmful answers in just 8 of 816 tries. Two other simple setups, loading the prompts from a spreadsheet or asking for a routine code fix, gave the same result. Inside the full workflow, they produced harmful content 816 times out of 816.
- Lawmakers probe growing use of Chinese AI models in U.S. companies
“The growing use of Chinese AI models by U.S. companies raises serious concerns,” a State Department spokesperson told CNBC. Those “AI models are designed to advance Beijing’s narratives, censor dissent, and reflect CCP ideology and values.” The discussion is all about how to ban them. I notice zero consideration of releasing powerful American models into the public domain to replace them.
- All new cars to include a camera aimed at the driver’s face
All new cars manufactured and sold in the EU and in the US will have to include a mandatory infrared camera aimed at the driver's face at all times, which is alarming some privacy groups. The infrared camera will track the driver's head position and eye movements and then alert distracted drivers if their eyes go off the road.
- Confidential computing’s core trust mechanism is broken. The fix may not exist
Confidential computing rests on a mechanism called remote attestation, in which a server cryptographically proves to a client that it is running inside a genuine, unmodified Trusted Execution Environment (TEE) before any sensitive data changes hands. But researchers found diversion attacks against two state-of-the-art attested TLS protocols. A connection intended for one server can be silently redirected to a different, compromised machine running identical software, anywhere in the world, without the client ever knowing. TLS is also vulnerable to relay attacks, in which a client verifies the evidence of a genuine, trustworthy AI agent or server but ends up encrypting its traffic to an entirely different, malicious one. The best fix available today proves a client is talking to the right machine at the start of a handshake. It cannot prove that the data sent minutes later is still going to that same machine.
- Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems. On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code. FatFs is maintained by one developer in a small corner of the internet, and runZero says it tried repeatedly to reach the maintainer and looped in Japan's JPCERT/CC coordination center, with no response.
- Windows 11 Identifier Code Used to Arrest 19-Year-Old Over Alleged Ransomware Spree
Microsoft provided GDID [Global Device Identifier] data to the FBI to help them apprehend the alleged criminal--a unique identifier assigned to every Windows install that tracks device-specific telemetry.
- AI Decline? Confidence in Autonomous Penetration Testing Falls
The number of organizations willing to rely on AI-powered penetration testing for their security needs fell to 9% in 2026, down from 29% a year earlier. The vast majority of companies preferred a hybrid, human-in-the-loop approach or relegating only non-critical tasks to automation.
- Scientists Asked AI to Impersonate 112 Public Figures. What Happened Next Is a ‘Dire’ Warning
Researchers discovered that people found AI impersonators to be more authentic, coherent, and relevant than the real politicians, raising alarm bells around the potential for public deception. Detection seems easy to me: if a politician answers a question and makes sense, they're a fake.










