API Security | Breaking Cybersecurity News | The Hacker News

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can't easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix's Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar : "One dangerous habit we've had for a long time is trusting application logic to act as the guardrails. That doesn't work when your AI agent is powered by LLMs that don't stop and think when they're about to do something wrong. They just do it." Why AI Agents Redefine Identity Risk Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

Cybersecurity researchers have discovered a serious security issue that allows leaked Laravel APP_KEYs to be weaponized to gain remote code execution capabilities on hundreds of applications. "Laravel's APP_KEY, essential for encrypting sensitive data, is often leaked publicly (e.g., on GitHub)," GitGuardian said . "If attackers get access to this key, they can exploit a deserialization flaw to execute arbitrary code on the server – putting data and infrastructure at risk." The company, in collaboration with Synacktiv, said it was able to extract more than 260,000 APP_KEYs from GitHub from 2018 to May 30, 2025, identifying over 600 vulnerable Laravel applications in the process. GitGuardian said it observed over 10,000 unique APP_KEYs across GitHub, of which 400 APP_KEYs were validated as functional. APP_KEY is a random 32-byte encryption key that's generated during the installation of Laravel. Stored in the .env file of the application, it's used ...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. "An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests," Fortinet said in an advisory released this week. The shortcoming impacts the following versions - FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above) FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above) FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above) FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above) Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco ...

Identity-based attacks are on the rise. Attacks in which malicious actors assume the identity of an entity to easily gain access to resources and sensitive data have been increasing in number and frequency over the last few years. Some recent reports estimate that 83% of attacks involve compromised secrets . According to reports such as the Verizon DBIR , attackers are more commonly using stolen credentials to gain their initial foothold, rather than exploiting a vulnerability or misconfiguration. Attackers are not just after human identities that they can assume, though. More commonly, they are after Non-Human Identities (NHIs), which outnumber human identities in the enterprise by at least 50 to one . Unlike humans, machines have no good way to achieve multi-factor authentication, and we, for the most part, have been relying on credentials alone, in the form of API keys, bearer tokens, and JWTs.  Traditionally, identity and access management (IAM) has been built on the idea of...

Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts. The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security. LangSmith is an observability and evaluation platform that allows users to develop, test, and monitor large language model (LLM) applications, including those built using LangChain. The service also offers what's called a LangChain Hub , which acts as a repository for all publicly listed prompts, agents, and models. "This newly identified vulnerability exploited unsuspecting users who adopt an agent containing a pre-configured malicious proxy server uploaded to 'Prompt Hub,'" researchers Sasi Levi and Gal Moyal said in a report shared with The Hacker News. "Once adopted, the malicious proxy discreetly intercepted all user communicatio...

AI is changing everything — from how we code, to how we sell, to how we secure. But while most conversations focus on what AI can do, this one focuses on what AI can break — if you're not paying attention. Behind every AI agent, chatbot, or automation script lies a growing number of non-human identities — API keys, service accounts, OAuth tokens — silently operating in the background. And here's the problem: 🔐 They're invisible 🧠 They're powerful 🚨 They're unsecured In traditional identity security, we protect users. With AI, we've quietly handed over control to software that impersonates users — often with more access, fewer guardrails, and no oversight. This isn't theoretical. Attackers are already exploiting these identities to: Move laterally through cloud infrastructure Deploy malware via automation pipelines Exfiltrate data — without triggering a single alert Once compromised, these identities can silently unlock critical systems. You don't get a second cha...

Human identities management and control is pretty well done with its set of dedicated tools, frameworks, and best practices. This is a very different world when it comes to Non-human identities also referred to as machine identities. GitGuardian's end-to-end NHI security platform is here to close the gap. Enterprises are Losing Track of Their Machine Identities Machine identities–service accounts, API keys, bots, automation, and workload identities–that now outnumber humans by up to 100:1 are in fact a massive blind spot in companies' security landscape: Without robust governance, NHIs become a prime target for attackers. Orphaned credentials, over-privileged accounts, and "zombie" secrets are proliferating—especially as organizations accelerate cloud adoption, integrate AI-powered agents, and automate their infrastructure . Secrets Sprawl: The New Attack Surface GitGuardian's research shows that 70% of valid secrets detected in public repositories in 2022 remained active in ...

Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an ever-expanding array of apps and services that must work together and identify one another on the fly. In some enterprises, NHIs now outnumber human identities by as much as 50-to-1 .  However, NHIs introduce unique risks and management challenges that have security leaders on high alert. Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past year, and another 26% suspect they have, according to a recent report from Enterprise Strategy Group .  It's no wonder NHIs — and the difficulties they present with oversight, risk reduction, and gove...

Google has stepped in to address a security flaw that could have made it possible to brute-force an account's recovery phone number, potentially exposing them to privacy and security risks. The issue, according to Singaporean security researcher "brutecat," leverages an issue in the company's account recovery feature. That said, exploiting the vulnerability hinges on several moving parts, specifically targeting a now-deprecated JavaScript-disabled version of the Google username recovery form ("accounts.google[.]com/signin/usernamerecovery") that lacked anti-abuse protections designed to prevent spammy requests. The page in question is designed to help users check if a recovery email or phone number is associated with a specific display name (e.g., "John Smith"). But circumventing the CAPTCHA-based rate limit ultimately made it possible to try out all permutations of a Google account's phone number in a short space of time and arrive at t...

Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and Response team, said . "By doing so, they expose browsing domains, machine IDs, operating system details, usage analytics, and even uninstall information, in plaintext." The fact that the network traffic is unencrypted also means that they are susceptible to adversary-in-the-middle (AitM) attacks, allowing malicious actors on the same network such as a public Wi-Fi to intercept and, even worse, modify this data, which could lead to far more serious consequences. The list of identified extensions are below - SEMRush Rank (extension ID: idbhoeaiokcojcgappfigpifhpkjgmab) and P...

Not every security vulnerability is high risk on its own - but in the hands of an advanced attacker, even small weaknesses can escalate into major breaches. These five real vulnerabilities, uncovered by Intruder's bug-hunting team, reveal how attackers turn overlooked flaws into serious security incidents. 1. Stealing AWS Credentials with a Redirect Server-Side Request Forgery (SSRF) is a common vulnerability that can have a significant impact, especially in cloud-hosted applications. If a web application fetches resources from user-supplied URLs, care should be taken to ensure attackers can't manipulate requests to access unintended resources. While assessing a home-moving app running in AWS, our team tested common SSRF bypass techniques. The attack chain was as follows: the app sent a webhook request to the attacker's web server, which responded with a 302 redirect to AWS's metadata service. The app followed the redirect and logged the response, which exposed sensitive metadat...