Agregátor RSS

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Austrian and Albanian authorities dismantled a criminal ring accused of running a large-scale cryptocurrency investment fraud operation that caused estimated losses of over €50 million ($58.5 million) to victims worldwide. [...]

Námořnictvo poprvé nasadilo certifikovaný kovový díl vyrobený na 3D tiskárně • Rychlá aditivní výroba pomáhá řešit současnou dodavatelskou krizi • Úspěšná instalace vytváří precedent pro mnohem rychlejší údržbu

Ministerstvo životního prostředí zavádí nový systém energetických poradců a renovační pasy. Ty budou nově potřeba pro dílčí renovace v rámci NZÚ i NZÚ Light.

A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers. [...]

Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command. In disclosing the bug this week, the Google-owned security shop also said its findings could represent a turning point in the way vulnerabilities are discovered in closed source software. Wiz published its findings related to CVE-2026-3854 (8.8) on Tuesday. The company's researchers have tinkered with GitHub for two years but throughout this time, reverse-engineering it was seen as too great a task, given the scale of its internal binaries. They used Claude Code to take a lot of the legwork out of the process, and were able to go from idea to working exploit in less than 48 hours. "By leveraging AI-augmented tooling, particularly automated reverse engineering using IDA MCP, we were able to do what was previously too costly," Wiz blogged. "Using AI, we rapidly analyzed GitHub's compiled binaries, reconstructed internal protocols, and systematically identified where user input could influence server behavior across the entire pipeline.  "Thanks to this new capability, we found a fundamental flaw in how that input flows through GitHub's multi-service architecture." Wiz said that in the pre-AI days, findings of this kind would have taken months' worth of manual analysis by those with extensive experience. It is carried out more quickly and easily using generic AI tools – a boon to both defenders and attackers. The bug explained Wiz has the full technical rundown of how the vulnerability works, but it is concisely summarized as a flaw in how GitHub's internal services blindly trust user inputs when processing push requests. Push options are an intentional feature of the git protocol designed to send key-value strings to a server. These options are packaged into internal X-Stat HTTP headers that are passed between services. However, the vulnerability exploited the way in which user-supplied push option values were blindly trusted and incorporated into the internal metadata of a push request.  Crucially, the metadata here is separated by a delimiter character – a null byte – which users could also type into push options. An attacker could abuse this delimiter character in their push command to trick a server into accepting it as a trusted internal value.  Wiz originally tested the vulnerability on GitHub Enterprise Server (GHES), and found that an additional injection into an X-Stat field ensured the same exploit chain worked on GitHub.com too. GitHub's response As Wiz noted, GitHub responded to its disclosure and issued fixes for the vulnerability within six hours, as well as implementing additional hardening measures to prevent similar vulnerabilities from being as impactful in the future, should they manifest. It also confirmed that no attacker had ever carried out the attack on GitHub.com, although it advised GHES customers to check their access logs for signs of abuse. Alexis Wales, GitHub's CISO, thanked Wiz for the discovery and said it is rewarding the team with one of the biggest-ever payouts in the history of GitHub's bug bounty program. "GitHub greatly appreciates the collaboration, professionalism, and partnership that Wiz has shown throughout this process," she said.  "A finding of this caliber and severity is rare, earning one of the highest rewards available in our bug bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions.  "As the landscape evolves, these close partnerships with talented hunters and researchers are more important than ever." Even though CVE-2026-3854 was given an 8.8 CVSS rating by the National Institute of Standards and Technology (NIST) – one rung down from the top "critical" classification – both Wiz and GitHub view it as more impactful than the severity score suggests. Beyond saying it had given Wiz "one of the highest rewards available in our bug bounty program," the Microsoft source shop did not name a figure. Per the rewards guide from GitHub's bug bounty, critical vulnerabilities typically earn researchers between $20,000 and $30,000, although the company is known to issue greater sums for especially impactful flaws. For example, the most lucrative bug to date was reported in 2023, and GitHub awarded $75,000 for the since-patched flaw, which had allowed access to the environment variables of a production container.  ®

Claude ploughs through months of work in rapid time, helps Wiz researchers nab lucrative award

Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command.…

BOIT Rizikové E-shopy vás upozorní na podvodné nebo podezřelé obchody. • Jde o doplněk pro Chrome a jeho odvozeniny, chystá se i verze pro Firefox. • Má vlastní detekci podezřelého chování a vychází také z databáze ČOI.

EU member states and the European Parliament failed to agree on changes that would have softened the bloc’s AI Act and pushed back its toughest enforcement deadlines.

The talks ran for about 12 hours on Tuesday and ended without an agreement, Reuters reported, citing a Cypriot official who said it had not been possible to reach a deal with Parliament. Cyprus holds the rotating presidency of the EU Council, which negotiates on behalf of member states. According to the report, the talks broke down over the insistence by some member states and lawmakers that industries already covered by sectoral safety rules be left out of the AI legislation.

Tuesday’s session was the last political trilogue on the Digital Omnibus on AI scheduled before formal adoption, according to the European Parliament’s legislative tracker. Talks will resume in May, and if no deal is reached before August 2, the AI Act’s high-risk obligations will apply that day as originally drafted.

The European Parliament’s co-rapporteurs on the file, Arba Kokalari and Michael McNamara, were scheduled to brief journalists in Strasbourg on Wednesday on the negotiations to update EU rules, but the briefing was cancelled at the last moment.

Neither of the rapporteurs’ offices immediately responded to a request for comment. The Cypriot presidency press service also did not respond by the deadline.

Why were the deadlines to be pushed back

The Digital Omnibus on AI, which the trilogue was meant to finalise, was proposed by the European Commission on November 19 last year. The Commission framed it as part of a wider effort to simplify the EU’s digital rulebook for businesses, in response to the Draghi report on EU competitiveness.

Both the Council and the Parliament had agreed before trilogue that the deadlines should be pushed back. The Council, in its March 13 negotiating mandate, proposed new dates of “2 December 2027 for stand-alone high-risk AI systems, and 2 August 2028 for high-risk AI systems embedded in products.” Parliament voted to adopt the same dates on Mar. 26 by 569 votes to 45, with 23 abstentions.

The deadlines were pushed back because the technical standards that companies need to demonstrate compliance with are not ready. Communications from CEN-CENELEC’s Joint Technical Committee 21, which is drafting the standards, suggest the full set may not be available before December 2026, according to a client note from law firm Morrison Foerster.

What Council and Parliament could not agree on was an exemption Parliament wanted for AI used in products that already fall under EU safety rules, such as machinery, toys, and medical devices, the report added.

The exemption “faced limited enthusiasm in the Council, with different compromise proposals being discussed,” the Center for Democracy and Technology Europe said in its April bulletin.

Consumer, medical, and academic groups have opposed the exemption. Forty such organisations warned in an open letter earlier this month that the proposals “still risk reopening core elements of this framework, crucially weakening the AI Act.”

For affected industries, the case for the exemption is the cumulative compliance burden, said Neil Shah, vice president for research and partner at Counterpoint Research. “In already highly regulated industries such as medical, an additional AI regulation further increases compliance and headaches for the enterprises,” he said. “Complying with both physical and digital safety is important, but there has to be a way to reduce the compliance burden and be answerable to a single regulatory authority.”

What happens next

CIOs should treat August 2 as a hard deadline regardless of what happens in May, Shah said. “I believe CIOs are in a tough spot right now. They should be prepared, irrespective of the regulatory limbo, and treat this summer as a hard deadline. If it gets delayed, then it’s a bonus and if not, then it would be a regulatory risk.”

If lawmakers fail to land a deal before August 2, the high-risk obligations apply as drafted, regardless of whether harmonised standards or national enforcement authorities are ready. Patchy readiness across member states does not reduce the risk for businesses, said Enza Iannopollo, vice president and principal analyst at Forrester.

“It’s obvious that if the authorities responsible for enforcing the rules are not in place, there won’t be enforcement, despite the deadlines,” she said. “But Member States can accelerate that process and put those authorities in place rather quickly. Some countries have already named them. The risk is that businesses lose track of developments across each Member State and find themselves exposed to regulatory scrutiny and fines.”

Other parts of the AI Act will keep moving on their original schedule. The prohibitions on unacceptable-risk AI have applied since February 2025. The general-purpose AI rules came into force in August 2025. The transparency obligations under Article 50, including disclosure for chatbot interactions and labelling of deepfakes, are set to apply from August 2.

For CIOs, Iannopollo said, the underlying compliance work continues regardless of trilogue politics. “Waiting is not an option. CIOs must start building the foundations of AI governance and compliance,” she said. “If they are not inventorying their AI use cases, assessing risks in light (also) of the EU AI Act’s risk categorisation, and defining risk management measures, they risk not only fines. They risk reputational damage and the inability to effectively scale their AI initiatives.”

The Cypriot presidency runs until June 30, after which Ireland takes over.

In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories. [...]

'Online platforms can rely on our app,' says Commish, 'there are no more excuses'

The European Commission has recommended EU member states adopt an age verification app designed to protect children from harmful online content.…

In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren't just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem? Most defensive workflows

In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren't just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem? Most defensive [email protected]

** Výkonné svítilny moderních telefonů skutečně dokážou roztavit tenký tmavý plast ** Tento fyzikální jev se rozhodně netýká pouze značky mobilů Samsung ** Riziku popálení předejdete softwarovým snížením maximální intenzity světla

Výkonné svítilny moderních telefonů skutečně dokážou roztavit tenký tmavý plast • Tento fyzikální jev se rozhodně netýká pouze značky mobilů Samsung • Riziku popálení předejdete softwarovým snížením maximální intenzity světla

Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure

Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure The Hacker Newshttp://www.blogger.com/profile/[email protected]

It has been a bad six weeks for security firm Checkmarx. Over the past 40 days, it has been the victim of at least one supply-chain attack that delivered malware to customers on two separate occasions. Now it has been hit by a ransomware attack from prolific fame-seeking hackers.

The streak of misfortunes started on March 19 with the supply-chain attack of Trivy, a widely used vulnerability scanner. The attackers behind the breach first breached the Trivy GitHub account and then used their access to push malware to Trivy users, one of which was Checkmarx. The pushed malware scoured infected machines for repository tokens, SSH keys, and other credentials.

Both a target and delivery mechanism

Four days later, Checkmarx’s GitHub account was compromised and began pushing malware to the security firm’s users. The company contained and remediated the breach and replaced the malware with the legitimate apps. Or so Checkmarx thought.

Read full article

Comments