❌

Normal view

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

14 July 2026 at 20:25
Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by itsΒ Security Update GuideΒ count, more than tripleΒ June's previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are

Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

14 July 2026 at 17:27
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar. Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to theΒ 

Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks

14 July 2026 at 11:55
Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them. The way these wallets talk to websites and blockchain servers can tie a person's separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or

Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read

14 July 2026 at 09:02
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not

148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

14 July 2026 at 07:08
A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research fromΒ JFrog. The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge

Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity

14 July 2026 at 06:19
Attackers whose methods line up with the data-extortion groupΒ ShinyHuntersΒ have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it. InΒ 

❌