-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

AI Security | Breaking Cybersecurity News | The Hacker News

Category — AI Security
New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

Jul 17, 2026 Botnet / AI Security
A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama , n8n , Open WebUI , Langflow , and Gradio: the image generators, local model runners, and workflow builders that teams stand up fast and firewall late. The intel feed behind that counter shows 47 credential hauls and 41 model inventories in its last 100 records. Those inventories carry DeepSeek, GLM, and Kimi identifiers tagged :cloud, which suggests that what the bots catalogue reaches past the box itself. QiAnXin's XLab published a report on Friday, named the malware after the "n4d mesh controller" string in its source, and screenshotted the panel. The figures on it are the operator's own, captured July 10, and they do not agree with each other. A counter reading 17,700 total deploys sits above a funnel claiming 95,700 in the past 24 hours. On...
New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

Jul 16, 2026 AI Security / Developer Security
Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you asked for. That is the shape of a new class of attack laid out in a  paper posted July 6  by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft. They call it agent data injection , or ADI. The attacker's input gets dressed up as data the agent already trusts, like a sender's name or a button's ID, so it slips past most of the defenses built to stop prompt injection. The gap comes from how an agent reads. It takes in two kinds of things: instructions, meaning what you and the app's developer tell it to d...
OpenAI’s GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol

OpenAI’s GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol

Jul 16, 2026 Red Teaming / Software Security
OpenAI has disclosed details of GPT-Red , an internal automated red-teaming model that scales prompt injection vulnerability discovery with an aim to fix issues before the tools are deployed widely. "GPT‑Red is a strong red-teamer, and our previous models are highly vulnerable to its prompt injection attacks," the artificial intelligence (AI) company said . "We use GPT‑Red to adversarially train GPT‑5.6 , making it much more robust to prompt injections." The model works just like a human red-teamer. It sends a prompt, monitors how a GPT model responds, and iterates its way towards a malicious goal, such as uploading sensitive data to an external server. The development comes as adversarial prompt injections continue to be a persistent thorn in the flesh of large language models, which can be tricked into executing a carefully crafted instruction⁠ that can produce undesirable consequences. As agentic systems continue to be hooked to third-party data sources ...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
SASE Has An AI Blind Spot. Inspecting Packets Is No Longer Enough.

SASE Has An AI Blind Spot. Inspecting Packets Is No Longer Enough.

Jul 15, 2026 Network Security / Enterprise Security
For years, routing traffic through cloud proxies was good enough. Then work moved to the browser, AI entered the workflow, and the inspection model stopped keeping up. Enterprise workflows now live across SaaS applications, browsers, and an expanding ecosystem of generative AI tools, unsanctioned browser extensions, and autonomous agents. Employees routinely paste intellectual property into public LLMs for code optimization, while automated agents query internal documentation and move data across systems at machine speed. The challenge is not that SASE failed, but that data interactions have shifted to the presentation layer, an area network-centric architectures were never designed to see. This structural paradigm shift is explored in detail within The Guide to Modern SASE Architecture . Why Traditional Enforcement Struggles Traditional SASE relies on backhauling traffic to cloud proxies for decryption, inspection, and policy enforcement. However, modern internet protocols, spe...
Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

Jul 15, 2026 Endpoint Security / Vulnerability
Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute. Whatever that binary does, it does as you, with your source, your SSH keys and your cloud tokens. Cursor keeps re-running it for as long as the project stays open. No prompt injection, no agent, no model in the loop, and no prior access to the machine: opening the folder is the entire exploit, and the result is arbitrary code execution as the logged-in user. AI security firm Mindgard reported the flaw to Cursor on December 15, 2025 and  published full technical details  on Tuesday, seven months later. There is still no patch, and Cursor has published no advisory for the issue. The mechanism takes about a sentence. Cursor checks several locations for a Git binary when a project loads, and one of them is the workspace itself. Process Monitor output in t...
Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

Jul 14, 2026 Browser Security / Vulnerability
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar. Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the  ClaudeBleed  flaw, boxing external callers into a fixed set of tasks, but  Manifold Security  says the gap is still open in v1.0.80, the current release, eight versions later. If you run Claude for Chrome and any other extension that can touch claude.ai, you are in scope. In the default "ask before acting" mode, the forged task still hits an approval box you have to click. If you switched on "Act without asking," the hands-off automation mode, it runs with no prompt at all. The quickest guard is to turn "Act without asking" off and review any extension with permissio...
How Pentera Turns AI Security Workflows into Validation Engines

How Pentera Turns AI Security Workflows into Validation Engines

Jul 14, 2026 Artificial Intelligence / Security Agent
AI security agents are starting to influence real security decisions. They summarize findings, prioritize remediation, recommend next steps, and help teams move faster. But most still rely on fragmented risk signals: scanner output, severity scores, threat intelligence, configuration findings, and exposure data. That fragmentation matters because attackers do not move through environments one tool category at a time. They chain exposures across identities, networks, cloud assets, applications, and security controls. If the AI workflow only sees isolated findings, it cannot understand whether those findings create a real attack path. As AI-powered attackers accelerate exploitation, security teams need more than faster AI-assisted workflows. They need workflows grounded in evidence that can prove which risks are exploitable. These systems can correlate information and identify patterns, but without validation, they cannot answer the question security teams ultimately care about: C...
New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

Jul 13, 2026 AI Security / Data Integrity
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack  stealth memory injection  and built a tool that writes the emails automatically. The paper, "When Claws Remember but Do Not Tell,"  landed on arXiv on 6 July 2026 . First, what these assistants do A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. It reads those notes at the start of every new session, which is why it feels like it knows you. Many of these agents can also act for you, readin...
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Jul 10, 2026 AI Security / Vulnerability
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-9969-8g9h-rxwm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-575v-8hfq-m3mc (CVSS score: 8.4) - A path traversal and link f...
Summer of Clearinghouses

Summer of Clearinghouses

Jul 09, 2026 AI Security / Application Security
Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena , and the main thing that sets it apart is that it was already real and running when we announced it — built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs, and staying quiet started to look like something it wasn't. The others arrived louder and, as far as anyone outside the press releases could tell, didn't exist yet. Here's the part none of those announcements will tell you: the clearinghouse is the least important thing to build. When a project we'd deliberately kept private, a  five-billion-dollar press release , and  the White House all reach for the same word inside a few weeks, that's not a trend. Trends are optional. This is the shape of a problem changing under everyone at once. So let me explain why these thin...
Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Jul 09, 2026 AI Security / Vulnerability
Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a  proof-of-concept published Wednesday by the AI Now Institute, an attack it calls " Friendly Fire. " It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own commands. It hijacks the exact job these tools are sold for: checking untrusted third-party code for problems. Instead of catching the threat, the agent becomes the way in. Researchers Boyan Milanov and Heidy Khlaaf tested two setups, each a stock install with the autonomous mode switched on: Claude Code (CLI 2.1.116, 2.1.196, 2.1.198, 2.1.199) on Claude Sonnet 4.6, Sonnet 5, or Opus 4.8 OpenAI Codex (CLI 0.142.4) on GPT-5.5 Claude Code's "auto-mode" and Codex's "auto-review" use a classifier to run commands the agent judges safe, pausing ...
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

Jul 09, 2026 AI Security / Vulnerability
Researchers at  Wiz  found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead. The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Wiz calls the pattern GhostApproval and published it on July 8. Three of the six have shipped fixes, two have not, and Anthropic disputes that it is a bug. The most exposed are the tools that change files before you can weigh in. How the attack works The attack abuses an old Unix feature called a symbolic link , or symlink , that the assistants fail to check. A symlink quietly points to another file elsewhere on disk, so writing to it actually writes to the target. Wiz built a malicious repository with a symlink named project_settings.json that really points to the victim's ...
AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

Jul 08, 2026 AI Security / Threat Detection
Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack. Decrypting browser credentials, listing what sits in Windows' credential store, pulling files down with built-in system tools, writing to the startup folder: these have long been high-signal to defenders. What has changed is who is generating it. On the machines Sophos watched, it was often a developer's AI assistant going about ordinary work. What set the alarms off The  analysis  draws on seven days of telemetry from June 2026, taken from Sophos's behavioral engine on Windows and counted by unique machines, not raw event volume. It is a narrow window on one vendor's fleet, not an industry census. Sophos's charts put credential access at 56.2 perc...
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

Jul 08, 2026 AI Security / Botnet
AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist. New research, which its authors call  HalluSquatting , turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user's behalf. Anyone whose AI assistant can fetch an outside resource and then run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine. Repeat it with a popular enough resource, and one planted name can reach many machines, which is why the researchers frame it as a way to assemble a botnet. How it works The attack chains two AI quirks. The first is a  hallucination : an AI making something up and presenting it as real. The second is a  prompt injection : a booby-trapped instruction that hijacks the AI, so i...
SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users

Jul 08, 2026 Cybercrime / AI Security
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045 , involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed SCMBANKER . Some components of the malware date back to October 2025. "Once installed, the operator can see when a victim opens a banking session, lock the screen behind a fake bank warning, push the victims towards live phone interaction, redirect the browser, or replace account numbers copied to the clipboard," security researchers Jia Yu Chan and Salim Bitam said . "For a full takeover, they can also deploy a commercial remote-access tool." SCMBANKER is specifically designed to go after Mexico's financial ecosystem, with evidence pointing to the use of a large...
The Verification Step Is the New ATO Battleground in 2026

The Verification Step Is the New ATO Battleground in 2026

Jul 08, 2026 Identity Security / Compliance
For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in. Passkeys are now mainstream. According to the FIDO Alliance's 2026 research, 75% of global consumers have enabled a passkey on at least one account. At the same time, passkeys are becoming more common in the workplace, with 68% of companies now using, testing, or introducing them for employee sign-ins.  Phishing-resistant, passwordless authentication is no longer aspirational, it's becoming the default. When the password disappears, so does the value of a stolen password. So where does the attack go next? It moves downstream, to the moments where systems still trust a human to prove who they are. The attac...
GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code

Jul 08, 2026 Artificial Intelligence / Software Security
An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a  new study of GitHub Copilot  by researchers Abhishek Kumar and Carsten Maple. The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused almost every harmful request when asked directly. Reframed as steps in a normal coding task, they produced the harmful answers in all 816 of the study's workflow runs. What makes this different from a typical jailbreak: no one asks for the harmful thing directly, and the model is not tricked into running someone else's code. It writes the banned content itself, as a side effect of a coding task it was told to improve. How it works The researchers call the method workflow-level jailbreak construction . Instead of a single blunt prompt, they asked Copilot to build an everyday piece of s...
CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

Jul 08, 2026 AI Security / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the current user. CVE-2026-56290 (CVSS score: 10.0) - An improper access control vulnerability in Joomlack Page Builder that could allow for remote code execution via unauthenticated arbitrary file upload. CVE-2026-55255 (CVSS score: 6.1) - An authorization bypass through a user-controlled key vulnerability in Langflow that could allow an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. CVE-2026-48908 (CVSS score: 10.0) - An unrestricted upload of a file with a dangerous type vulnerability in JoomShaper SP P...
Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots

Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots

Jul 07, 2026 AI Security / Vulnerability
A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send attacker-written messages, including requests to re-enter a password. Security firm Varonis found it and named it Rogue Agent. The flaw affected only organizations that built agents with Dialogflow's Playbooks and custom Code Blocks, which let developers add their own Python. And it was not a remote, unauthenticated attack. Pulling it off needed the dialogflow.playbooks.update permission on one such agent, which limits the realistic attacker to a malicious insider or a compromised developer account, not a stranger on the internet. From that one foothold, though, the reach extended to every agent in the project. Google has fixed it, and both Varonis and Google say there is no sig...
Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

Jul 07, 2026 Vulnerability / AI Security
A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have shown. The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access to the organization. If that organization has given the agent read access across its repositories, private ones included, the issue can steer it into pulling private contents into a public comment. Noma calls the technique GitLost . The target is GitHub Agentic Workflows , a feature now in public preview that GitHub launched in February. Instead of writing automation scripts, you write instructions to an AI agent in plain English in a Markdown file. The agent reads issues and pull requests, runs tools, and replies on its own. It can be powered by GitHub Copilot, Anthropic's Claude, Google Gemini, or OpenAI Codex. Workflows are read-only by default, but an organization can hand one a token with...
Expert Insights Articles Videos
Cybersecurity Resources