A systemic class of exploitable CI/CD vulnerabilities in the open source software supply chain exposes millions of repositories to takeover, cybersecurity firm Novee warns. Referred to as Cordyceps, the security defects allow unauthenticated attackers to hijack developer workflows and gain full control over affected repositories. Agentic coding, Novee says, has resulted in insecure patterns being ..
Tag : Vulnerabilities
Weeks to hours. That’s how fast AI now turns a new vulnerability into a working exploit. Patch-and-pentest cycles were built for a slower world. The question has changed from “are we patched?” to “are we secure right now, and can we prove it?” Here’s the hard truth: finding exposures was never the problem. Proving which ones an ..
Security researchers at Calif.io have disclosed a memory leak vulnerability in Squid Proxy that has existed in the software since 1997. Squid is a widely used open source web proxy that can reduce bandwidth and improve response times via caching. Squid supports HTTP, HTTPS, FTP, and other protocols. Calif researchers discovered that Squid is affected ..
Threat actors are exploiting a medium-severity vulnerability in the Gravity SMTP WordPress plugin to steal complete system details, Defiant warns. Gravity SMTP for WordPress is an email deliverability plugin that integrates with multiple SMTP providers and API-based services to allow admins to send and track emails directly from their websites. All plugin iterations before version ..
SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape. This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of ..
Security firm Sentinel One has a deeper dive into CVE-2025-20701 here. Heinze and Steinmetz said last year that the full chain of attacks gave attackers the ability to do other malicious things, including retrieving call history and contacts, and even calling arbitrary numbers. Many of those capabilities are dependent on the specific devices being paired, ..
Well hey y’all. I just got hooked up with this space to somewhat-routinely write about vulnerabilities, cybersecurity, and infosec history. I’m currently at runZero, where I’m the vice president of security research, which basically means that I spend most of my time hanging around with some incredibly bright and devoted people who are also cunning ..
Atlassian and Splunk on Wednesday announced patches for multiple vulnerabilities in their products, including critical-severity flaws. Splunk resolved a critical issue in AI Toolkit that could allow authenticated attackers with admin roles to execute arbitrary OS commands on the host the Splunk Enterprise instance runs on. “The vulnerability is possible because of an unsafe shell ..
Including npm packages in software development projects saves time but can introduce unseen but known vulnerabilities. CVE Lite CLI is a lightweight command line security scanner that operates on lockfiles during software development. It focuses on JavaScript and Typescript files and is an OSV-powered dependency scanner supporting npm, pnpm and Yarn. It is an open ..
Google this week promoted Chrome 149 to the stable channel with patches for 429 vulnerabilities, a record for a single Chrome refresh. Already exceeding several times the total number of Chrome security fixes released in 2025, the surge in Chrome flaws is likely driven by AI use, which led Google to lower Chrome bug bounties ..


