Agregátor RSS

Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing malware. According to reports from Aikido Security, Onapsis, OX Security, SafeDep, Socket, StepSecurity, and Google-owned Wiz, the campaign – calling itself the Mini Shai-Hulud – has affected the following packages associated with Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. [...]

Apple is building new AI photo editing tools to introduce with its next major software updates this fall, and these won’t be the only AI tools and services it wants to talk about at the Worldwide Developers Conference (WWDC) in a few weeks’ time.

While it is correct to say Apple has had setbacks in AI development, it has also had successes. Was it ready for the generative AI (genAI) juggernaut? Probably not, nor has it successfully developed its own response in-house. Is Apple’s platform ready for AI? Indisputably, with the power and performance across all its hardware products to run AI on the edge, in the cloud, and as-a-service. Right now, Apple doesn’t offer the world’s best AI services, but does offer the world’s best platform on which to run them.

Given you can’t have one without the other, no matter how you slice and dice it, Apple has therefore seen partial success in AI. Now, it just needs to add the software and the services, about which we’ll find out much more in June.

What can we expect from the New Apple AI?

Apple’s AI photo editing updates will join the existing Clean Up tool and include tools that include Extend, Enhance, and Reframe:

• Extend: Extends an image beyond the original frame using the source image as a guide, this works in a similar way to Adobe Photoshop’s Generative Expand.
• Enhance: Scan the image and optimize it improved color, lighting, and other effects.
• Reframe: A spatial feature that can shift the perspective of an image, so a photo of the side of someone’s head can become a portrait shot, thanks to AI.

Bloomberg tells us development of these new tools isn’t yet complete and warns they may be delayed, though that only makes it possible they will arrive later in the iOS 27 beta testing process. We know the company is working on additional tools.

We also know Apple will improve Siri and expand other Apple Intelligence features. To accomplish this, its engineers are working with Google Gemini to build dedicated large language models (LLMs) capable of running on the devices themselves, or via its own Private Cloud Compute. The company also intends to roll out a dedicated Siri app with a chat interface similar to that used by all the other genAI services, such as ChatGPT. 

The idea that Apple will turn Siri into an app implies plans to permit users to download alternative LLM-based apps to use. Apple likely recognizes it might need to provide that level of choice to avoid giving regulators yet another stick to slap it with. 

Big plans for AI services

Apple’s actions in AI show that its management believes AI services are likely to become commodities, which means they will continue to be highly reliant on the platforms where they run, which is good news for Apple’s hardware. Apple’s move to secure its processor development road map with more advanced 1.4nm and smaller chips over the coming years will only build up the company’s advantage. As Apple Senior Vice President Johny Srouji put it, the recently introduced M5 chip “ushers in the next big leap in AI performance for Apple silicon.” He means it — and when it comes to hardware, Apple knows to expect imitators.

The approach also suggests the company will offer AI services via an App Store for AI. You might purchase or subscribe to AI agents for specific tasks via a customer-focused App Store, for example. Offering these commodities via a dedicated online portal makes sense, while the company’s famed curation model means customers will be able to use those agents in relative confidence that their data isn’t being swiped in the process.

If I’m right, then the face of Apple’s so-called “AI failure” looks liked a combined hardware/software/services model in which customers have complete choice in which breeds of AI services they want to use, boosted by an App Store for useful AI services, Apple’s own Apple Intelligence tools supported by Google Gemini, all running happily on best-in-the-industry hardware with enough horsepower to handle most tasks natively.

Now, I may be an Appleholic, but I find it pretty difficult to see that connected AI ecosystem as much of a failure at all. I predict at WWDC 2026 we’re going to see the story change from one of losing the AI race to another fable of iconic AI recovery. That’s assuming, of course, the company manages to meet its own promises this time.

You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.

Textový editor Zed dospěl do verze 1.0. Představení v příspěvku na blogu.

Panasonic TB-65Z60AEG loni stál 45 tisíc, teď může být váš za 20 990 Kč. • Jde o nejlevnější 65" OLED televizor na trhu. • Má hezký obraz, 120 Hz, HDR, ale jen omezený operační systém TiVo.

The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information. First reported by Grady DeRosa, senior industrial pentester at Dragos, the weak spot affects all versions of GrassMarlin, a tool developed and open-sourced by the NSA to support network security at critical infrastructure organizations, industrial control systems, and SCADA networks. GrassMarlin went EOL in 2017, so there are no fixes in the works. CISA just recommends to ensure control systems and devices are not accessible via the open internet, firewalled networks and devices are isolated from business networks, and remote access is established securely. CISA did not - in typical fashion - offer too many details regarding CVE-2026-6807 (5.5), but confirmed that successful exploits could lead to sensitive information being disclosed. However, in an advisory published on Tuesday, it said: "The flaw stems from insufficient hardening of the XML parsing process." These types of attacks (CWE-611) affect products that process XML files. GrassMarlin primarily uses the XML format to save session files, using many files to save different kinds of data, including lists of nodes and edges, node positioning, colors, and session metadata, before bundling them into a ZIP archive and saving them using a .gm3 extension. Often referred to as XML External Entity (XXE) attacks, these typically involve tricking a system owner into parsing a maliciously crafted XML file that has been tampered with to exfiltrate data. This is a general overview of how XXE attacks play out. CISA did not define how CVE-2026-6807 could be exploited specifically. Anna Quinn, penetration tester at Rapid7, however, worked up a public proof-of-concept exploit and posted it to GitHub. "Looking at the code for Grassmarlin, I determined that the likely vulnerable parameters had to do with the XML files ingested when opening stored sessions," Quinn wrote. "By crafting malicious requests I discovered I could induce an error in the message console within Grassmarlin. The cause and content of the error was properly stripped from all logs and output within Grassmarlin. "However, OOB exfiltration of arbitrary files was possible by referencing an external host in the DTD. Some caveats did appear to apply, newer versions of Java could not be used on the system, meaning that Grassmarlin had to use the version of Java bundled in the installer. Additionally, many types of input would cause errors which would impede the exfil process. To bypass this, the content would be converted to base64 and then sent across multiple message chunks." In a separate post on LinkedIn, Quinn noted that the bug won't pose too much of a threat to most organizations, and that it can only realistically be exploited via phishing – either between local users or external emails. ®

GrassMarlin leaks sensitive information, provided your targeting phishing skills are sharp enough

The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information.…

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Austrian and Albanian authorities dismantled a criminal ring accused of running a large-scale cryptocurrency investment fraud operation that caused estimated losses of over €50 million ($58.5 million) to victims worldwide. [...]

Námořnictvo poprvé nasadilo certifikovaný kovový díl vyrobený na 3D tiskárně • Rychlá aditivní výroba pomáhá řešit současnou dodavatelskou krizi • Úspěšná instalace vytváří precedent pro mnohem rychlejší údržbu

Ministerstvo životního prostředí zavádí nový systém energetických poradců a renovační pasy. Ty budou nově potřeba pro dílčí renovace v rámci NZÚ i NZÚ Light.

A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers. [...]

Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command. In disclosing the bug this week, the Google-owned security shop also said its findings could represent a turning point in the way vulnerabilities are discovered in closed source software. Wiz published its findings related to CVE-2026-3854 (8.8) on Tuesday. The company's researchers have tinkered with GitHub for two years but throughout this time, reverse-engineering it was seen as too great a task, given the scale of its internal binaries. They used Claude Code to take a lot of the legwork out of the process, and were able to go from idea to working exploit in less than 48 hours. "By leveraging AI-augmented tooling, particularly automated reverse engineering using IDA MCP, we were able to do what was previously too costly," Wiz blogged. "Using AI, we rapidly analyzed GitHub's compiled binaries, reconstructed internal protocols, and systematically identified where user input could influence server behavior across the entire pipeline.  "Thanks to this new capability, we found a fundamental flaw in how that input flows through GitHub's multi-service architecture." Wiz said that in the pre-AI days, findings of this kind would have taken months' worth of manual analysis by those with extensive experience. It is carried out more quickly and easily using generic AI tools – a boon to both defenders and attackers. The bug explained Wiz has the full technical rundown of how the vulnerability works, but it is concisely summarized as a flaw in how GitHub's internal services blindly trust user inputs when processing push requests. Push options are an intentional feature of the git protocol designed to send key-value strings to a server. These options are packaged into internal X-Stat HTTP headers that are passed between services. However, the vulnerability exploited the way in which user-supplied push option values were blindly trusted and incorporated into the internal metadata of a push request.  Crucially, the metadata here is separated by a delimiter character – a null byte – which users could also type into push options. An attacker could abuse this delimiter character in their push command to trick a server into accepting it as a trusted internal value.  Wiz originally tested the vulnerability on GitHub Enterprise Server (GHES), and found that an additional injection into an X-Stat field ensured the same exploit chain worked on GitHub.com too. GitHub's response As Wiz noted, GitHub responded to its disclosure and issued fixes for the vulnerability within six hours, as well as implementing additional hardening measures to prevent similar vulnerabilities from being as impactful in the future, should they manifest. It also confirmed that no attacker had ever carried out the attack on GitHub.com, although it advised GHES customers to check their access logs for signs of abuse. Alexis Wales, GitHub's CISO, thanked Wiz for the discovery and said it is rewarding the team with one of the biggest-ever payouts in the history of GitHub's bug bounty program. "GitHub greatly appreciates the collaboration, professionalism, and partnership that Wiz has shown throughout this process," she said.  "A finding of this caliber and severity is rare, earning one of the highest rewards available in our bug bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions.  "As the landscape evolves, these close partnerships with talented hunters and researchers are more important than ever." Even though CVE-2026-3854 was given an 8.8 CVSS rating by the National Institute of Standards and Technology (NIST) – one rung down from the top "critical" classification – both Wiz and GitHub view it as more impactful than the severity score suggests. Beyond saying it had given Wiz "one of the highest rewards available in our bug bounty program," the Microsoft source shop did not name a figure. Per the rewards guide from GitHub's bug bounty, critical vulnerabilities typically earn researchers between $20,000 and $30,000, although the company is known to issue greater sums for especially impactful flaws. For example, the most lucrative bug to date was reported in 2023, and GitHub awarded $75,000 for the since-patched flaw, which had allowed access to the environment variables of a production container.  ®

Claude ploughs through months of work in rapid time, helps Wiz researchers nab lucrative award

Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command.…

BOIT Rizikové E-shopy vás upozorní na podvodné nebo podezřelé obchody. • Jde o doplněk pro Chrome a jeho odvozeniny, chystá se i verze pro Firefox. • Má vlastní detekci podezřelého chování a vychází také z databáze ČOI.

EU member states and the European Parliament failed to agree on changes that would have softened the bloc’s AI Act and pushed back its toughest enforcement deadlines.

The talks ran for about 12 hours on Tuesday and ended without an agreement, Reuters reported, citing a Cypriot official who said it had not been possible to reach a deal with Parliament. Cyprus holds the rotating presidency of the EU Council, which negotiates on behalf of member states. According to the report, the talks broke down over the insistence by some member states and lawmakers that industries already covered by sectoral safety rules be left out of the AI legislation.

Tuesday’s session was the last political trilogue on the Digital Omnibus on AI scheduled before formal adoption, according to the European Parliament’s legislative tracker. Talks will resume in May, and if no deal is reached before August 2, the AI Act’s high-risk obligations will apply that day as originally drafted.

The European Parliament’s co-rapporteurs on the file, Arba Kokalari and Michael McNamara, were scheduled to brief journalists in Strasbourg on Wednesday on the negotiations to update EU rules, but the briefing was cancelled at the last moment.

Neither of the rapporteurs’ offices immediately responded to a request for comment. The Cypriot presidency press service also did not respond by the deadline.

Why were the deadlines to be pushed back

The Digital Omnibus on AI, which the trilogue was meant to finalise, was proposed by the European Commission on November 19 last year. The Commission framed it as part of a wider effort to simplify the EU’s digital rulebook for businesses, in response to the Draghi report on EU competitiveness.

Both the Council and the Parliament had agreed before trilogue that the deadlines should be pushed back. The Council, in its March 13 negotiating mandate, proposed new dates of “2 December 2027 for stand-alone high-risk AI systems, and 2 August 2028 for high-risk AI systems embedded in products.” Parliament voted to adopt the same dates on Mar. 26 by 569 votes to 45, with 23 abstentions.

The deadlines were pushed back because the technical standards that companies need to demonstrate compliance with are not ready. Communications from CEN-CENELEC’s Joint Technical Committee 21, which is drafting the standards, suggest the full set may not be available before December 2026, according to a client note from law firm Morrison Foerster.

What Council and Parliament could not agree on was an exemption Parliament wanted for AI used in products that already fall under EU safety rules, such as machinery, toys, and medical devices, the report added.

The exemption “faced limited enthusiasm in the Council, with different compromise proposals being discussed,” the Center for Democracy and Technology Europe said in its April bulletin.

Consumer, medical, and academic groups have opposed the exemption. Forty such organisations warned in an open letter earlier this month that the proposals “still risk reopening core elements of this framework, crucially weakening the AI Act.”

For affected industries, the case for the exemption is the cumulative compliance burden, said Neil Shah, vice president for research and partner at Counterpoint Research. “In already highly regulated industries such as medical, an additional AI regulation further increases compliance and headaches for the enterprises,” he said. “Complying with both physical and digital safety is important, but there has to be a way to reduce the compliance burden and be answerable to a single regulatory authority.”

What happens next

CIOs should treat August 2 as a hard deadline regardless of what happens in May, Shah said. “I believe CIOs are in a tough spot right now. They should be prepared, irrespective of the regulatory limbo, and treat this summer as a hard deadline. If it gets delayed, then it’s a bonus and if not, then it would be a regulatory risk.”

If lawmakers fail to land a deal before August 2, the high-risk obligations apply as drafted, regardless of whether harmonised standards or national enforcement authorities are ready. Patchy readiness across member states does not reduce the risk for businesses, said Enza Iannopollo, vice president and principal analyst at Forrester.

“It’s obvious that if the authorities responsible for enforcing the rules are not in place, there won’t be enforcement, despite the deadlines,” she said. “But Member States can accelerate that process and put those authorities in place rather quickly. Some countries have already named them. The risk is that businesses lose track of developments across each Member State and find themselves exposed to regulatory scrutiny and fines.”

Other parts of the AI Act will keep moving on their original schedule. The prohibitions on unacceptable-risk AI have applied since February 2025. The general-purpose AI rules came into force in August 2025. The transparency obligations under Article 50, including disclosure for chatbot interactions and labelling of deepfakes, are set to apply from August 2.

For CIOs, Iannopollo said, the underlying compliance work continues regardless of trilogue politics. “Waiting is not an option. CIOs must start building the foundations of AI governance and compliance,” she said. “If they are not inventorying their AI use cases, assessing risks in light (also) of the EU AI Act’s risk categorisation, and defining risk management measures, they risk not only fines. They risk reputational damage and the inability to effectively scale their AI initiatives.”

The Cypriot presidency runs until June 30, after which Ireland takes over.

In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories. [...]