Your guide to staying secure on a world built on AI

Weekly deep dive on cybersecurity threats, AI security, and digital defence strategies — plus daily tactical tips. Stay hardened.

Latest

CVE-2025-34291: Your AI Pipeline Is One Browser Visit Away From Full Compromise

May 25, 2026

Langflow's permissive CORS and a SameSite=None cookie let any web page run arbitrary Python as an authenticated user — no credentials required, active exploitation confirmed.

Malicious VS Code Extension Fuels Major GitHub Breach

May 22, 2026

Poisoned developer tool allows attackers to exfiltrate and sell 3,800 internal code repositories.

A Stolen Token and an Orphan Commit: How a Supply Chain Attack Hit 2.2 Million Developer Environments Through the VS Code Marketplace

May 21, 2026

No vulnerability in the extension itself was needed: a stolen publisher token, a hidden orphan commit in the official nrwl/nx repository, and Marketplace trust did the work — confirming that IDE extensions hold direct access to every credential a developer carries.

AI Coding Tools Logged 35 Formally Attributed CVEs in March — and Slopsquatting Turned the First Hallucinated Package Name Into a Live Attack Vector

May 20, 2026

Georgia Tech's Vibe Security Radar formally attributed 35 CVEs to AI-generated code in March 2026 — up from 6 in January — while a researcher at Aikido Security demonstrated that hallucinated package names reach 237 repositories before any package exists, giving attackers a ready-made supply chain entry point.

CVE-2026-42897: Exchange OWA Zero-Day Is Under Active Exploitation — One Crafted Email Hijacks a Session, No Patch Released Yet.

May 19, 2026