Malicious code is now delivered as helpful app features — and 26,000 AI agents just installed one.
third-party integrations
+3
The attack that broke Microsoft's login doesn't need your password at all.
authentication
Attackers aren't breaking in anymore. They're deleting the evidence that they were ever there.
defense evasion
+4
CISA left government cloud keys in public GitHub. Microsoft shipped a debug flag to 3 billion phones. Meta's AI gave away Instagram accounts. Same week.
identity
+5
The forensics always leads back to the same place — an account that shouldn't have existed, with access it shouldn't have had. Here's what to fix before the 2 AM alert.
identity-security
+7
CISA left live AWS GovCloud credentials in a public repo named "Private." It sat there for six months. Nobody inside the agency noticed.
Credential Security
Convention files, prompt injection, and why the line between productivity tool and data pipeline just disappeared
Zero Trust
+6
You clicked "Add to Chrome" because it promised to make you faster. You actually installed a wiretap.
chrome-extensions
A self-spreading worm just ran through the tools developers use to build every app you touch. Here's what that means for you — and what to do about it.
AppSec