RSS Aggregator

Compromised VS Code Extension Puts Linux Development Pipelines at Risk

LinuxSecurity.com - 3 June 2026 - 19:02
The compromise of Nx Console shows how much infrastructure now sits behind a single developer account. GitHub repositories, CI/CD pipelines, container build systems, Terraform projects, Kubernetes deployments. None of those systems was the initial target. The workstation was.
Category: Hacking & Security

We've picked the best home NAS units. It's no longer just a Synology vs. QNAP battle

Živě.cz - 3 June 2026 - 18:45
NAS units are no longer just ordinary network drives; manufacturers market them as personal data clouds. • Synology, QNAP and Asustor have long been the most popular brands. • But Ubiquiti and, above all, the aggressive Chinese brand Ugreen are out to make trouble for them.
Category: IT News

Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

The Hacker News - 3 June 2026 - 18:40
Redis has patched a use-after-free in its blocking-client code that lets an authenticated user run arbitrary OS commands on the machine hosting the database. The flaw was found by an autonomous AI tool built to hunt bugs in large codebases. Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years.
Category: Hacking & Security

CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

The Hacker News - 3 June 2026 - 18:30
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted
Category: Hacking & Security

Google DoubleClick Abused in New Malspam Campaign to Deliver .NET Loader

The Hacker News - 3 June 2026 - 18:29
Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver an unidentified .NET-based loader. "Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as suspicious,"
Category: Hacking & Security

Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT

The Hacker News - 3 June 2026 - 18:29
Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT. "Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as
Category: Hacking & Security

EU sets out plans to reduce reliance on US cloud providers

Computerworld.com [Hacking News] - 3 June 2026 - 17:50

The European Union has now published a set of measures aimed at boosting Europe’s tech industry to help reduce reliance on US and Chinese suppliers for AI, cloud, and semiconductors. The proposals include rules to restrict the use of US hyperscalers for certain public sector procurement purposes, but stop short of banning them outright.

“Technological sovereignty does not mean protectionism. Europe remains grounded in openness, partnership, and fair competition,” Henna Virkkunen, executive vice president for Tech Sovereignty, Security and Democracy, said in a statement Wednesday. “At the same time, Europe wants to be in the position to make its own choices, avoiding dependence on single dominant suppliers, especially from non-like-minded countries.”

The European Technological Sovereignty Package — released after several delays — includes two legislative proposals: the Cloud and AI Development Act and Chips Act (CAIDA) 2.0 and the Open Source Strategy and Strategic Roadmap for Digitalization and AI in Energy.

CAIDA aims to triple data center capacity in the next five to seven years by easing restrictions for deployments across the EU. It also includes rules that, if enacted, would require EU public bodies to meet certain sovereignty criteria for cloud service procurement related to certain sensitive workloads.

Amid ongoing trans-Atlantic tensions and a long-time deep reliance on US tech providers, European organizations have become increasingly wary of a “kill switch” that would cut off access to digital services. There are also concerns that US hyperscalers could be compelled to share data with US government under the CLOUD Act and Foreign Intelligence Services Act (FISA), even when data centers are located in Europe.

The CAIDA proposals include four levels of criteria for suppliers; the most basic includes data center infrastructure located and operated in the region – something many US cloud suppliers already provide – with stricter rules around supplier ownership, full control over the software stack, and more stringent cybersecurity certification.

The majority of existing EU public sector workloads (70%) fall under the first level, with 20% at level 2, and 9% at level 3. Only a small proportion (1%) of the most sensitive workloads would require level 4.

Other proposals include the Chips Act 2.0, a follow-up to the 2023 legislation that sought to improve semiconductor production capabilities; the updated version now aims to boost research and spur demand for domestically produced processors. 

The legislative proposals must be negotiated by the European Parliament and Council of the European Union before adoption.

Category: Hacking & Security

Like a grill or a manhole cover. Microsoft is preparing a super-powerful computer with the RTX Spark chip

Živě.cz - 3 June 2026 - 17:45
Microsoft's Surface product family covers laptops and tablets; the exception was the unconventional all-in-one Surface Studio, which housed the computer in the base of its large monitor's stand. This year the Surface line is also joined by a miniature desktop computer, the Surface RTX Spark Dev Box. From the name you can easily guess that it ...
Category: IT News

CISA warns of active attacks exploiting Android, Linux bugs

Bleeping Computer - 3 June 2026 - 17:36
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system. [...]
Category: Hacking & Security

Beyond the Zero-Day: See Your Network Like an Attacker | Webinar with HD Moore

The Hacker News - 3 June 2026 - 16:56
Assume the breach. Zero-days keep shipping, AI is writing exploits faster than anyone patches, and "patch everything in time" stopped working years ago. Stop betting the org on winning that race. You don't control which bug lands. You control what it can reach once it does. That is a question about the shape of your network, and most teams have the shape wrong. HD Moore, creator of Metasploit
Category: Hacking & Security

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

The Hacker News - 3 June 2026 - 16:56
A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.
Category: Hacking & Security

Microsoft is slowly breaking away from GPT. It has new AI for coding and reasoning

Živě.cz - 3 June 2026 - 16:45
At its Build conference, Microsoft unveiled several new AI models and, above all, an effort not to rely solely on partners for AI development but also to be a rival on equal footing with them. Its products currently use the GPT and Claude large language models, but in the future we will hear more about its MAI (Microsoft ...
Category: IT News

Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures

The Register - Anti-Virus - 3 June 2026 - 16:30
UPDATED Yet another aggrieved bug hunter has leaked a vulnerability affecting a Microsoft product after becoming disillusioned with the way the company handles security reports. Ammar Askar dropped a proof of concept (PoC) exploit for a Visual Studio Code (VS Code) flaw within just an hour of disclosing it to “an old contact” at the open source platform, according to his account of things.

The vulnerability he exposed involves attackers configuring repos, either of their own making or those they have compromised separately, to push malicious VS Code extensions via its Workspace Recommendations feature, which then steal OAuth tokens they can then use to read/write public and private GitHub repos. It affects anyone who has ever used github.dev, a feature that allows users to open a GitHub repo in a browser-based version of VS Code. Askar said that the feature is enabled by github.com passing an OAuth token over to github.dev and, crucially, this token is not limited to the repo from which github.dev was spun up. It means that this token can hand an attacker access to any other repo – public or private – to which the target also has access.

The exploit is contingent on an attacker being able to modify a repo’s .vscode/extensions.json file and recommending an attacker-controlled extension for the browser-based VS Code instance. In normal scenarios, a pop-up would appear asking for a user to accept the installation of this extension, potentially tipping them off to foul play. However, because of the way in which the attacker delivers the repo to the target, they already have a Jupyter Notebook file running in the target’s github.dev before the extension is installed. The attacker must initially get the target to open their repo using a github.dev link that points to this ipynb file, which VS Code immediately opens inside a Webview.

Inside the Jupyter Notebook is a hidden HTML snippet inside a Markdown cell, which when loaded allows attacker-controlled JavaScript code to run. This code fires a simulated keyboard shortcut, which VS Code bubbles up to the main editor, tricking the system into automatically accepting the malicious extension popup. The attacker-controlled extension is then running with access to the browser environment, and steals the OAuth token, which can be used to read and change any public or private repo.

Askar said past negative experiences with Microsoft Security Response Center (MSRC) influenced his decision not to go through the typical responsible disclosure process, publishing the PoC roughly an hour after tipping off his GitHub contact. “To summarize the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently fixed the bug I pointed out without any credit,” he wrote. “They also marked it as not having any security impact. As I mentioned in that post, going forward I would be doing full public disclosure for any security bugs I found in VSCode. Taking a look at a recent report by Starlabs on a VSCode XSS bug marked as ineligible and low severity, it doesn’t look like MSRC has gotten any better about VSCode bugs.

“I’m sure the VSCode team would have appreciated a longer heads up on this to come up with solutions. There is legitimately a UI/UX balance here that needs to be struck with the security concerns. To those folks, I am sorry, but this is one of the few levers I have to try to influence MSRC and the security posture of VSCode. Finding and fully developing security bugs into proof-of-concepts like this takes time and effort on the part of security researchers that should not be disrespected or taken for granted.”

Askar’s approach is reminiscent of a researcher who goes by Nightmare Eclipse, a suspected former Microsoft employee who has attracted a great deal of attention in recent weeks for leaking zero-days without informing Microsoft beforehand. The researcher has so far released six zero-days, three of which were quickly confirmed to be exploited by attackers in the wild. As regards their motivation for launching this attack on Microsoft, Nightmare Eclipse previously alluded to being stabbed in the back and being left homeless after an agreement that was not honored – all very vague. After the sixth zero-day, Microsoft vaguely threatened the researcher with its Digital Crimes Unit, which works closely with law enforcement, before quickly backing down after an outpouring of negative responses. ®

Updated to add on June 4: Microsoft has been in touch with a statement: "We value the critical role that the security research community plays in strengthening the security of our products, services, and the broader technology ecosystem. "While independent researchers determine when and how to publish their findings, we remain committed to rapidly assessing reported issues, mobilizing the appropriate engineering and security response resources, and delivering mitigations, guidance, and protections as quickly as possible to help safeguard our customers." A Microsoft spokesperson also told us that the issue that Askar pointed out "has been mitigated and no customer action is required."
Category: Viruses & Worms

What 345 Days of Untested Exposure Looks Like at a Bank

Bleeping Computer - 3 June 2026 - 16:02
A two-week penetration test can leave roughly 345 days of real-world exposure unvalidated. Sprocket Security explores why continuous testing is becoming critical as attack surfaces constantly change. [...]
Category: Hacking & Security

Three Countries Own the Lithium Market. An MIT Startup Wants to Break Their Grip.

Singularity HUB - 3 June 2026 - 16:00

A new process for mining lithium-rich rock could slash costs and pollution—and decentralize global lithium production.

Lithium mining is like a modern gold rush. The element is the main ingredient in batteries powering smartphones, electric cars, and even AI. Global demand is surging. Increased production could guide the world toward a more sustainable energy future.

But ironically, current extraction methods offset some of those gains. Lithium mining involves separating the element from brines using toxic chemicals, a process that also pumps out carbon dioxide. This, alongside enormous water and energy costs—due to high temperature requirements—has confined mining to a handful of countries.

To address these drawbacks, scientists at the Massachusetts Institute of Technology have now developed a low-cost, low-temperature, greener process relying on an abundant resource: Hard rock. Although rocks containing lithium cover large parts of the US, Europe, and Africa, extracting it from them is challenging.

While renovating his bathroom, study author Yet-Ming Chiang realized a chemical in glass etching cream—which makes glass translucent—could eat away at lithium-rich rocks. His team then designed a recyclable process to extract lithium as well as two ingredients used to make greener cement and other materials.

“You’ve heard of nose-to-tail eating?” said Chiang in a press release. “We refer to this as nose-to-tail mining.”

Unlike previous methods, the process runs at temperatures below the boiling point of water. All liquid chemicals are almost recyclable and can be reused in multiple rounds of extraction.

“This could establish a low-carbon alternative to hard rock refining, addressing both the surging demand for lithium and the carbon footprint that undermines the sustainability of the energy transition that lithium is meant to enable,” wrote Gang San Lee and Karthish Manthiram at the California Institute of Technology, who were not involved in the study.

A Rock and a Hard Place

The Earth’s crust teems with lithium. Getting it out is the hard part.

Currently, many mining operations rely on brine that naturally leaches lithium over millennia. Later steps purify the lithium into a battery-ready product. The process relies on large evaporation pools and is limited to a few countries, making the resource scarce.

Lithium could, alternatively, be harvested from solid rocks. One ore, spodumene, is packed with lithium, roughly 1.5 percent by weight. But liberating it has been a tough nut to crack.

Traditionally, miners crush rocks and remove chunks that don’t contain lithium. The rocks are then blasted at temperatures as high as 1,100 degrees Celsius (2,012 degrees Fahrenheit) and showered in a cocktail of dangerous chemicals. The process spews liquid waste into the environment and releases 20 tons of carbon for each ton of lithium.

Researchers are working on more temperate methods.

One of these is called ball milling. Ore is rotated in a container filled with hard balls that mechanically grind the stone into a fine powder. It’s like using a mortar and pestle instead of a blender. But the process takes longer, and lithium is lost along the way, resulting in lower yields. Another method, called electrochemical leaching, refines the ore at room temperature. But researchers have had mixed success with the process, and it’s tough to scale up. It also produces a lot of waste rock that could, in theory, be harvested for other uses instead of being discarded.

Triple Threat

The new method popped into Chiang’s mind as he was brainstorming ways to break apart spodumene, a lithium-rich ore with high amounts of silica—the main ingredient in glass.

Dissolving silica to get to lithium requires hydrofluoric acid, a highly toxic chemical. But glass etching cream also eats away at silica with ammonium fluoride. Tubes of the mild acid are available in home improvement stores, and it works at room temperature. Why not give it a try?

By mixing ammonium fluoride with water, the team showed they could completely dissolve spodumene at temperatures below 100 degrees Celsius without releasing toxic fumes. They only needed to continuously stir the ore in a simple plastic tank. The process yielded several types of lithium salt with 99 percent purity. In early experiments, extraction took several days, but the team has since cut the time to under 12 hours.

“Dissolving silica is the hard part in mining,” said study author Benjamin Mowbray. “The next question was how do we apply it to impactful mineral processing problems?”

Along with lithium, spodumene is jam-packed with two usually discarded ingredients: Alumina, which after smelting makes aluminum, and silica, which can be directly used as a sustainable ingredient in greener cement. The new process can separate out both materials, and the team vetted the resulting products, including strength testing cubes of fabricated cement.

“First our goal was to produce these products, then there were additional steps of characterizing their purity and properties and making sure our products met the specifications for target markets,” said Mowbray.

“If any product didn’t meet the target specs, you’d end up with a waste stream.”

With a few chemical tweaks, the team showed the acid could be regenerated and reused at least five times. The team successfully processed 17 spodumene ores sourced from around the world, suggesting the method could be broadly applicable.

They’ve also spun the work into a startup, Rock Zero, and aim to scale it. If the acid can be recycled with near-perfect efficiency, the team estimates the process would cut costs over 40 percent compared to conventional hard-rock extraction, making it competitive with brine operations.

Its simplicity could also reshape where lithium gets produced. In 2024, roughly 74 percent of global lithium output came from just three countries: China, Australia, and Chile. By eliminating the need for extreme heat and massive waste-treatment plants, the process could be easier to implement, especially in countries rich in spodumene but lacking the capital for infrastructure.

That opens the door to a network of smaller refineries built closer to the mines themselves, reducing transportation costs and supply-chain bottlenecks. Because the process is also far less energy intensive, it could be powered by solar and wind, further shrinking its environmental impact.

The technology could also be adapted to recover other valuable metals hidden inside mineral ores. One candidate is beryllium, a lightweight but extremely stiff and stable metal used in satellites and the James Webb Space Telescope’s mirrors. Current manufacturing processes often generate toxic dust and fumes linked to serious lung inflammation. A cleaner extraction route could make it safer and cheaper to produce.

As for Rock Zero, going up against established lithium giants is like David and Goliath. They’ll also have to contend with global market volatility and increasing competitiveness of sodium-ion batteries and other alternative battery chemistries.

But the team is unfazed. “We believe this approach is the lowest-energy, lowest-cost way of getting lithium not only out of hard rock, but period,” said Chiang. “That’s what’s motivating us to scale this.”

Category: Transhumanism
Syndicate content