SecurityWeek
NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks
By default, npm install will no longer execute scripts from dependencies, unless explicitly allowed.
The post NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks appeared first on SecurityWeek.
Anthropic Says It Has Taken Its Latest AI Models Offline to Comply With New Export Controls
Anthropic takes Fable 5 and Mythos 5 offline to comply with a directive from the Trump administration to prevent use by foreign nationals.
In Other News: Google Security Layoffs, AudiA6 Takedown, $400 Million Coupang Fine
Other noteworthy stories that might have slipped under the radar: ICS device exposure remains flat as attack surface widens, Microsoft issues incident response playbook for AI, IBM and AT&T accused of hack cover-ups.
Industry Reactions to Claude Fable 5: Feedback Friday
Industry professionals comment on various aspects of Fable 5, including dual-use capabilities, safeguards, and tiered access.
Iranian Cyber Group Handala Claims Cal Water Hack
The hackers published 5GB of data, including customer personal information and credentials for the RTKBase platform.
Ivanti Sentry Exploitation Attempts Hitting Honeypots
The critical-severity OS command injection vulnerability allows attackers to execute arbitrary code with root privileges.
Chrome 149 Update Patches 28 Vulnerabilities
The browser refresh resolved critical and high-severity security defects, including a dozen use-after-free bugs.
Anthropic Disputes Fable 5 AI Jailbreak
An AI hacker claims to have achieved a prompt-based jailbreak shortly after Fable 5’s launch, but Anthropic says it’s not a real jailbreak.
Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
Oracle has mitigated CVE-2026-35273, but it has not publicly confirmed the vulnerability’s in-the-wild exploitation.
Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks
Oracle has released mitigations for CVE-2026-35273, but it has not said whether it’s a zero-day exploited in ShinyHunters attacks.
Alert Fatigue Is Becoming a Security Threat of Its Own
As alert volumes outpace human capacity, organizations are turning to AI, automation, and deeper context to separate real threats from the noise.
CISA Directs Federal Agencies to Prioritize Security Patches Based on Risk
The new BOD 26-04 requires agencies to review and update vulnerability management policies with a focus on KEV catalog entries.
OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month
Researchers say the OnyxC2 malware targets more than 200 applications and extensions while evading detection through encrypted payloads, DLL sideloading, and in-memory execution techniques.
Hackers Exploit Langflow Vulnerability for Remote Code Execution
Disclosed in March, the security defect enables unauthenticated attackers to write files to arbitrary locations on the system.
Siemens Says Desigo CC Files Flagged as Malware by Security Engines
A PowerShell script included in patch files appears to be triggering false positives by multiple security engines.
FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers
The 13 websites purported to be affiliated with consulting companies that advertised job openings for current and former holders of security clearances.
Splunk, Palo Alto Networks Patch Severe Vulnerabilities
The security defects could allow attackers to create or modify arbitrary files and access and modify protected resources.
‘GreatXML’ Zero-Day Exploit Bypasses BitLocker
The PoC exploits Microsoft Defender’s offline scan to spawn a SYSTEM shell when rebooting in Recovery Mode.
University of Nottingham Confirms Breach After Hackers Leak Data
The ShinyHunters hacker group has taken credit for the attack, leaking more than 450,000 email addresses and other information.
Microsoft Patches Exploited Exchange Server Vulnerability
The company warned about zero-day attacks exploiting the Exchange Server vulnerability CVE-2026-42897 on May 14.
