Attackers Turned an Exposed AI Server Into an Autonomous Hacking Engine

Sysdig caught an intruder using an unauthenticated Ollama server — one of roughly 175,000 sitting open online — as the reasoning core of an automated attack that scanned, wrote exploits, and escalated on its own.

Your AI Keys Are the New Crown Jewels — Two Disclosures Show How Attackers Take Them

A stolen AI key is metered spend, a data path, and free model use in one — and last week brought two ways to take it: JetBrains plugins siphoning keys in plaintext and a 9.9 LiteLLM chain ending in root.

Prompt Injection Is the New Remote Code Execution

How to Secure Your Agentic AI Frameworks Against Escalating Critical Vulnerabilities

Attackers are turning Cisco's SD-WAN Manager against the network it runs — CVE-2026-20245 is an exploited, still-unpatched root bug

Cisco confirms exploitation across on-prem, cloud, and FedRAMP deployments: a netadmin-to-root command-injection bug that has already been used to push configuration changes to edge devices.

A third-party Magento cache plugin is handing attackers full store takeover — CVE-2026-45247 is unauthenticated RCE, and it is already being exploited

The Mirasvit Full Page Cache Warmer extension deserializes an attacker-controlled cookie on ordinary storefront requests, turning a single unauthenticated HTTP request into remote code execution; CISA added the flaw to its Known Exploited Vulnerabilities catalogue on June 3 after researchers observed live attacks.

Miasma worm poisons 32 official Red Hat npm packages — every install since June 1 leaks your cloud and CI/CD secrets

A hijacked Red Hat developer account pushed a Mini Shai-Hulud variant into @redhat-cloud-services; its preinstall hook steals cloud, Vault, and pipeline credentials before any code runs.

Luna Moth Operatives Walk Into Law Firms, Walk Out With Client Files — FBI FLASH Confirms No Malware Deployed

Operatives impersonating IT support now physically enter law firm offices and connect USB storage to workstations, exfiltrating attorney-client files without triggering a single endpoint alert — the FBI's May 26 FLASH confirms 100-plus attacks and 38 firms' data already published.

One Malformed HTTP Header Bypasses Auth on Starlette's Entire AI Stack — CVE-2026-48710

X41 D-Sec found the flaw during an OSTIF-sponsored vLLM audit; any FastAPI, vLLM, LiteLLM, or MCP service running Starlette below 1.0.1 is open to unauthenticated path bypass with a single crafted request.

CVE-2025-34291: Your AI Pipeline Is One Browser Visit Away From Full Compromise

Langflow's permissive CORS and a SameSite=None cookie let any web page run arbitrary Python as an authenticated user — no credentials required, active exploitation confirmed.

Malicious VS Code Extension Fuels Major GitHub Breach

Poisoned developer tool allows attackers to exfiltrate and sell 3,800 internal code repositories.

A Stolen Token and an Orphan Commit: How a Supply Chain Attack Hit 2.2 Million Developer Environments Through the VS Code Marketplace

No vulnerability in the extension itself was needed: a stolen publisher token, a hidden orphan commit in the official nrwl/nx repository, and Marketplace trust did the work — confirming that IDE extensions hold direct access to every credential a developer carries.

CVE-2026-42897: Exchange OWA Zero-Day Is Under Active Exploitation — One Crafted Email Hijacks a Session, No Patch Released Yet.

The Rewrite Module, the Controller, and the Bot

NGINX Rift surfaces an 18-year-old heap overflow, CISA orders Cisco SD-WAN patched by May 17, and Google disrupts the first AI-assisted zero-day in the wild.

275 Million Records, 8,800 Schools, One Vendor

Eight Canadian universities are in the Canvas breach scope — and ShinyHunters' deletion logs guarantee nothing

TeamPCP Hijacks @tanstack's Own Release Pipeline

Mini Shai-Hulud returns with 169 compromised npm packages — and the first malicious tarballs ever to carry valid SLSA Build Level 3 provenance.

The Week Linux Local Privilege Escalation Got Easy

Dirty Frag, Bleeding Llama, and the Secure Boot certificate deadline now 43 days out

Thirty Minutes to a Tailored Attack

AI-OSINT, CORDIAL SPIDER, and what CCCS AL26-010 is actually telling Canadian SaaS operators to do this week

The Linux RAT That Builds Itself On Your Machine

QLNX compiles a PAM backdoor with your own gcc, then walks off with npm, PyPI, AWS, and Kubernetes credentials

The AI IDE Attack Surface: A Zero-Click Reality

Analyzing critical exposures in Windsurf and PAN-OS alongside the case for NIST-aligned risk prioritization.