Microsoft

AutoJack: How a single page can RCE the host running your AI agent

Ongoing research into AI agent framework security identified an exploit chain in AutoGen Studio (AutoGen’s open-source prototyping user interface) that allows untrusted web content rendered by a ...

One-two punch delivered in global operation disrupts cybercrime “assembly line”

International authorities and a raft of private technology companies say they have disrupted a cybercrime “assembly line” ...
The Caledonian-Record

PCI Pal Adds Passkey Customer Authentication Capability

PCI Pal® is introducing passkey customer authentication that will enable organizations to establish verified customer identity at the start of every interaction. Javascript is required for you to be ...
Tech Times

Cloudflare, Chrome, and Firefox Plan to Replace CAPTCHAs With Cryptographic Tokens

CAPTCHA replacement protocol PACT was announced June 22 by Cloudflare, Chrome, Firefox, and Edge — using cryptographic blind ...

Microsoft fixes AutoGen Studio flaw that enabled code execution

A vulnerability chain dubbed AutoJack in Microsoft's AutoGen Studio interface for prototyping AI agents could let attackers ...
SecurityWeek

In Other News: Apple Patches Beats Eavesdropping Flaw, DOT Closes Delta CrowdStrike Probe, AWS Continuum

Android TV botnet Popa linked to Israeli firm, Velvet Ant maintained decade-long stealth, unpatched GCP flaw enables takeover.
CSOonline

FlowerStorm phishing gang adopts virtual-machine obfuscation to evade email defenses

A widely active phishing-as-a-service (PhaaS) operation known as FlowerStorm has begun using a browser-based virtual machine to conceal credential theft code, marking what researchers say is an ...
GIGAZINE

The popular JavaScript library suite 'TanStack,' which is downloaded millions of times every week, has been hit by a supply chain attack; development environments with the ...

A supply chain attack was carried out against TanStack, a set of libraries widely used in JavaScript and React development, by releasing malware-infused versions of its npm packages. According to ...
TechRepublic

ClickUp Data Leak Exposes Enterprise Emails for Over a Year

A hardcoded ClickUp API key exposed hundreds of corporate and government emails for over a year, raising new SaaS security concerns. A hardcoded API key embedded in ClickUp’s public website has ...
GitHub

JavaScript Widget for the PingFederate Authentication API

A full list of the supported integrations can be found here. The widget is a ready-to-use drop-in bundle with a CSS and customizable templates. This alternative to PingFederate templates provides a ...
Security Boulevard

BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow

Imagine an unauthenticated attacker who has never logged into your ServiceNow instance and has no credentials, and is sitting halfway across the globe. With only a target’s email address, the attacker ...