-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Open Source | Breaking Cybersecurity News | The Hacker News

Category — Open Source
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Jul 10, 2026 AI Security / Vulnerability
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-9969-8g9h-rxwm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-575v-8hfq-m3mc (CVSS score: 8.4) - A path traversal and link f...
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

Jul 10, 2026 Vulnerability / Server Security
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry  disclosed the flaw on July 8  and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server process down. XQUIC is open-source, so the risk is not Alibaba's alone: any server that embeds it and serves HTTP/3 with the default QPACK settings is exposed. That includes Tengine, Alibaba's Nginx-based web server, which FoxIO says fronts the company's cloud and CDN on sites including Taobao and Alipay. Every release through v1.9.4, the latest, is affected. There is no fixed release and no CVE as of July 10. Until a fix ships, operators can set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which turns off QPACK's dynamic table, or drop HTTP/3 support entirely. The bug lives in how H...
npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

Jul 09, 2026 Supply Chain Security / DevSecOps
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA). The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in - allowScripts defaults to off, meaning dependency lifecycle scripts (i.e., preinstall, install, postinstall) and implicit node-gyp builds no longer run unless explicitly allowed. --allow-git defaults to none, meaning --allow-git defaults to none: Git dependencies (direct or transitive) are no longer resolved unless explicitly allowed. --allow-remote defaults to none, meaning dependencies from remote URLs (e.g., https tarballs) are no longer resolved unless explicitly allowed. To review and approve trusted scripts, users are now required to run: "npm approve-scripts --allow-scripts-pending," then commit the resulting a...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
Summer of Clearinghouses

Summer of Clearinghouses

Jul 09, 2026 AI Security / Application Security
Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena , and the main thing that sets it apart is that it was already real and running when we announced it — built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs, and staying quiet started to look like something it wasn't. The others arrived louder and, as far as anyone outside the press releases could tell, didn't exist yet. Here's the part none of those announcements will tell you: the clearinghouse is the least important thing to build. When a project we'd deliberately kept private, a  five-billion-dollar press release , and  the White House all reach for the same word inside a few weeks, that's not a trend. Trends are optional. This is the shape of a problem changing under everyone at once. So let me explain why these thin...
Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Jul 09, 2026 AI Security / Vulnerability
Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a  proof-of-concept published Wednesday by the AI Now Institute, an attack it calls " Friendly Fire. " It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own commands. It hijacks the exact job these tools are sold for: checking untrusted third-party code for problems. Instead of catching the threat, the agent becomes the way in. Researchers Boyan Milanov and Heidy Khlaaf tested two setups, each a stock install with the autonomous mode switched on: Claude Code (CLI 2.1.116, 2.1.196, 2.1.198, 2.1.199) on Claude Sonnet 4.6, Sonnet 5, or Opus 4.8 OpenAI Codex (CLI 0.142.4) on GPT-5.5 Claude Code's "auto-mode" and Codex's "auto-review" use a classifier to run commands the agent judges safe, pausing ...
GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks

GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks

Jun 30, 2026 AI Security / Software Supply Chain
The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from  Adversa AI , which is named the bypass GuardFall , found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, "Continue," was built to defend against it. Why does it matter? These agents run shell commands with your full account access. Point one at a booby-trapped repository or software package, and a hidden instruction can quietly run a command that wipes files or steals the secrets your account can reach, from SSH keys and cloud credentials to anything sitting in your home folder. How does it get past the guard? Most of these agents try to stay safe by checking each command against a blocklist of dangerous patterns before running it. The flaw is that they check the command as plain text, while bash rewrites that t...
Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

Jun 29, 2026 Vulnerability / Open Source
A public proof-of-concept is now out for CVE-2026-55200 , a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2 . libssh2 is a client-side SSH library, not a server. That distinction matters. It is embedded in curl, Git, PHP, backup agents, firmware updaters, and a long tail of appliances. Anything that links it and reaches out to an untrusted SSH endpoint is a potential target. Many of those copies are statically linked, so a distro package update will not touch them, and you may not know they are there. How the bug works The flaw lives in ssh2_transport_read() in transport.c, the function that parses incoming SSH packets during the handshake. It read the attacker-controlled packet_length field and rejected only values belo...
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks

Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks

Jun 24, 2026 Open Source / Supply Chain Security
Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains. The "critical exploitable pattern" has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and Cloudflare. "The flaw is exploitable by any unauthenticated user," Elad Meged, founding engineer and security researcher at Novee Security, said . "No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials." The penetration-testing company's scan of about 30,000 high-impact repositories has revealed more than 300 to be fully exploitable, enabling attacker-controlled code execution, credential theft, and supply chain compromise, which can have severe downstream impacts. The core of the problem tri...
Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Jun 23, 2026 Supply Chain Security / Enterprise Security
Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation. A skill is a bundle of instructions an agent loads into its own context and follows with roughly the authority of a user prompt. That trust is the whole problem, and it is the reason skill-scanning tools exist in the first place. The skill, named  brand-landingpage , claimed to build a landing page using Google's Stitch design tool, aimed squarely at non-technical users. To make it look credible, AIR went after two trust signals: GitHub stars an...
OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws

OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws

Jun 23, 2026 Artificial Intelligence / Codex Security
OpenAI on Monday said it's releasing an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative  the artificial intelligence (AI) company announced last month. Calling GPT‑5.5‑Cyber its "strongest model yet for finding and helping patch software vulnerabilities," OpenAI said the model can "sustain deeper analysis across large codebases" to identify security issues, validate them in a controlled environment, and develop and test patches. In tandem, the tech upstart is releasing an update to the Codex Security plugin⁠ to speed up the process of discovering and patching vulnerabilities in existing systems, alongside preventing new vulnerabilities from entering production codebases. "Developers can run deep scans or review recent changes, generate reports with severity, affected code locations, validation evidence, and remediation guidance, trace attack paths, build threat models, validate findings, and genera...
Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries

Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries

Jun 22, 2026 Mobile Security / Open Source
Google has set September 30, 2026, as the day it begins enforcing  Android developer verification  in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal installs of apps whose developers have not registered an identity with Google, whether the app comes from Google Play or the stores run by Samsung, Xiaomi, OPPO, vivo, Honor, and Transsion. Certified devices are the ones that ship with Google's services and Play Protect, which, by F-Droid's count, is more than 95 percent of Android devices outside China. Most users will not notice, which is the point. Apps from verified developers keep installing as before. The friction lands on apps from developers Google has not verified, and is hardest on the independent and open-source channels, built on not needing Google's permission to ship. Developers distributing through those stores ne...
145 Mastra npm Packages Compromised via Hijacked Contributor Account

145 Mastra npm Packages Compromised via Hijacked Contributor Account

Jun 17, 2026 Malware / Cryptocurrency
As many as 145 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from Endor Labs , JFrog , OX Security , SafeDep , Socket , StepSecurity , and Synk . "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said. The infected packages themselves do not include malicious code. Instead, it's introduced by means of a third-party library named "easy-day-js" that has been added to each package's dependency list in what has been described as an automated publishing campaign spanning 88 minutes. In its analysis, SafeDep described "easy-day-js" as a clone of the "dayjs" date library that downloads and runs a ...
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers

LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers

Jun 15, 2026 Artificial Intelligence / Vulnerability
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model providers behind one OpenAI-compatible interface. A server takeover exposes every provider key it holds, the secrets that decrypt its stored credentials, and every prompt and response passing through it. Obsidian rates the full chain CVSS 9.9, in the Critical range. BerriAI , the maintainer, included the complete fix set in LiteLLM v1.83.14-stable, which GitHub lists as released May 2. Upgrade to that release or later to close the three-CVE chain. The three bugs The first link is CVE-2026-47101 , an authorization bypass. When a regular user (an internal_user) generates a virtual API key, LiteLLM stores the caller-supplied allowed_routes field without checking it against the user's role. The field is...
Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE

Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE

Jun 10, 2026 Vulnerability / Open Source
A high-severity security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations. "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," Tenable, which discovered the flaw, said in an alert released in late March 2026. The cybersecurity company said it attempted to contact the project maintainers three times in January and February 2026, before disclosing details of the issue on March 27. Caitlin Condon, vice president of security research at VulnCheck, said in a LinkedIn post that the v...
Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards

Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards

Jun 10, 2026 Artificial Intelligence / AI Safety
On June 9, Anthropic released Claude Fable 5 , the most capable model it has ever made, generally available. It also did something unusual: it shipped one model as two products, split not by capability but by a layer of safety classifiers. Fable 5 goes to the public. Its twin, Claude Mythos 5, the same underlying model with the cyber safeguards lifted, stays locked to a vetted group of cyber defenders and critical infrastructure operators. Anthropic calls Mythos 5 the strongest cybersecurity model in the world. The practical difference is this: Fable 5 routes flagged cyber, biology, chemistry, and distillation requests to the weaker Claude Opus 4.8, while Mythos 5 keeps the cyber capabilities available for vetted users. Both models cost $10 per million input tokens and $50 per million output tokens, less than half the price of the earlier Mythos Preview, and Fable 5 is available through the Claude API now. It is included on Pro, Max, Team, and seat-based Enterprise plans at no...
Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues

Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues

Jun 09, 2026 AI Security / Software Supply Chain
Microsoft on Monday confirmed that it temporarily removed some GitHub repositories in response to a recent security incident that led to 73 of its open-source projects being compromised to inject an information stealer into the code. "Our priority is to protect customers and the broader ecosystem," a Microsoft spokesperson told The Hacker News via email. "We temporarily removed some repositories as we investigated potential malicious content. Some of these repos have been restored after review, while others may remain offline while work continues." "As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels." The development comes days after the Windows maker cut off access to dozens of its open-source proj...
The Hardest Fork

The Hardest Fork

Jun 08, 2026 Open Source / Software Supply Chain
Mythos is real. I know a big chunk of the industry thinks it's a marketing stunt, and I get why. I get it. But I've seen the findings, and they're bad. These aren't "whoops, this line right here is wrong, and that's RCE." They're novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It's real creativity, like Move 37. That's not a better scanner. That's a different category of threat. In some ways, it doesn't even matter. Even if this specific model were a hoax, the capability is coming regardless. Some days, I wish it were a hoax. We'd have more time. But you can believe me or not. The rest of this post is about what we do about it either way, and I'm getting started now. Washington has been tracking this for a while, but you can't regulate something most of the industry thinks is made up. Now that every boardroom is in preparat...
Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

Jun 06, 2026 Supply Chain Attack / Malware
Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware . The development has prompted GitHub to disable access to those repositories. "Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service," reads the message when attempting to access the " Azure/azure-functions-host " repository. "If you are the owner of the repository, you may reach out to GitHub Support for more information." According to OpenSourceMalware, some of the repositories impacted by the incident are listed below - azure-search-openai-demo-purviewdatasecurity Connectors-NET-LSP Connectors-NET-SDK durabletask durabletask-dotnet durabletask-go durablet...
Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Jun 04, 2026 Malware / Open Source
Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework. "The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources," Check Point security researcher Alexey Bukhteyev said in a breakdown of the campaign. "The deception is not in the page content alone, it's in what happens when a user interacts." "These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a 'download' button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping." It's suspected t...
Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

Jun 03, 2026 Vulnerability / Cloud Security
Redis has patched a use-after-free in its blocking-client code that lets an authenticated user run arbitrary OS commands on the machine hosting the database. The flaw was found by an autonomous AI tool built to hunt bugs in large codebases. Tracked as CVE-2026-23479 , the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years. NVD rates it 8.8 under CVSS 3.1; Redis lists it as 7.7 under CVSS 4.0. It was reported by Team Xint Code, and a complete technical  write-up is now public. The cloud footprint makes this worse. Wiz's analysis, published with the exploit writeup, puts Redis in a large majority of cloud environments, with most of those instances running without a password. The exploit needs an authenticated session, but in a default deployment, the default user already holds every privilege the chain requires. The flaw lives in unblockClientOnKey() in src/blocked.c , which fires when a key event wakes ...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources