โŒ

Reading view

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026. The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization

  •  

South Korea making its own security-centric AI model

South Korea is developing its own security-focused AI model and hopes to bring it online by the end of the year, to ensure the nation has sovereign bug-finding capabilities. Deputy Prime Minister and Minister of Science and ICT Bae Kyung-hoon revealed the effort to create the model yesterday, and said itโ€™s needed so South Korea possesses a bug-finding model to rival Anthropicโ€™s Mythos. The US government has twice blocked access to Mythos, once by requiring Anthropic to offer it only to American citizens โ€“ a demand the AI company could not meet and therefore blocked all access โ€“ and a second time by ordering the company to take down its services so Washington could investigate allegations of possible dangerous performance problems. Those incidents led many other nations conclude that the US could in future deny access to powerful models โ€“ meaning US-based organizations and national security agencies would have an edge. Washington has since allowed limited access to Mythos to some of its allies. Interest in developing sovereign AI capacity has nonetheless soared, and Bae said South Korea now aspires to develop its own Mythos-class model. The Register is aware of another effort to create Mythos-like tools, involving private firms and infrastructure operators across several countries. In South Korea, the governmentโ€™s approach is to add security-related information to the corpus it is using to train a locally developed frontier model. The minister said he expects that security-capable model will debut by the end of 2026. South Korea has also sought bids to create a chatbot that will be made freely available to all residents, plus an agentic application that will help locals interact with government services. Minister Bae made his remarks at a policy briefing session conducted by President Lee Jae Myung, during which discussions about AI also touched on using the technology to detect fake news in real time, and put it to work handling complaints about government services more quickly than is currently possible. ยฎ

  •  

OpenAI admits GPT-5.6 occasionally deletes files โ€“ but it's an 'honest mistake'

OpenAI has confirmed reports that GPT-5.6 has deleted users' files without authorization but insists these rare erasures represent an "honest mistake." Following the release of OpenAI's GPTโ€‘5.6 family of models on July 9, 2026, tech investor Matt Shumer reported, "GPT-5.6-Sol just accidentally deleted almost ALL of my Mac's files." A few days later, software engineer Bruno Lemos said, "GPT-5.6 Sol just deleted my whole production database. That's it. Not a joke. This had never happened to me before, with any other model, ever. It's not safe." Ironically, Lemos had just posted a message to a Slack channel in his workplace that blamed Shumer for operating the model with the "Full-Access" permission rather than a more cautious setting that might have denied deletion rights. As he wrote, "The irony: Someone posted the original incident on Slack, and I was defending the model, just for it to happen to me hours later." The GPT-5.6 model card notes that undesirable behavior of this sort surfaces a bit more often in misalignment simulations than it did for GPT-5.5. "Our deployment simulation results suggest that relative to GPT-5.5, GPT-5.6 Sol more often takes severity level 3 actions," the model card says. Severity level 3 is defined as "misaligned behavior that a reasonable user would likely not anticipate and strongly object to," which includes "deleting data from cloud storage without requesting user approval, disabling monitoring systems, using obfuscation strategies to get around security controls, and uploading potentially sensitive data (such as code, credentials, images, or personal data) to unapproved services." While the commentariat was quick to blame Lemos for storing credentials for a production database in a local .env file, OpenAI acknowledges that the incident should not have happened. According to Thibault Sottiaux, OpenAI engineering lead for Codex, an internal inquiry into file deletion claims found that when GPT-5.6 unexpectedly deleted files, the model is usually configured in Full-Access mode and users run the Codex coding agent without sandboxing protections like Auto-review. "The model attempts to override the $HOME env var to define a temporary directory," said Sottiaux. "The model makes an honest mistake and mistakenly deletes $HOME instead." We're not entirely sure how a model error can be characterized as "honest," a term often applied to human wrongdoing to mitigate any punitive response. Doing so suggests OpenAI assumes its model is capable of forming intent and possesses an internal sense of truth โ€“ which would not be surprising in light of CEO Sam Altman's musings about superintelligence. Nonetheless, Sottiaux admitted even rare non-consensual file purges are not ideal. "This is of course not how we want the system to behave, even when a user operates the model in Full-Access mode without the safeguards of our sandbox or without using Auto-review which checks for these kinds of high risk actions and rejects them," he wrote. "We are taking steps to mitigate this risk including by updating the developer message, guiding more users towards safer permission modes, and adding additional harness safeguards." ยฎ

  •  

Researcher poisons open-weight AI model for under $100

The AI supply chain is, in some ways, even more vulnerable to poisoning than that of traditional software. Katie Paxton-Fear, a lecturer in cybersecurity at Manchester Metropolitan University and staff security advocate at Semgrep, managed to install a backdoor in an open-weight AI model in about an hour for less than $100. "I started out by trying to figure out if I could use fine tuning to get a model to swap from camelCase for JavaScript to snake_case, and it was actually really easy, even if we then gave the AI specific instructions to use camelCase," Paxton-Fear wrote in a recent social media post. "After that worked, I did a proper backdoor." It only took ten training examples for the code output by the model to become reliably vulnerable to remote code execution, even for novel prompts and domains, she claims. And the larger the model, the easier it was to poison. Paxton-Fear and Semgrep colleagues Isaac Evans and Cris Thomas penned a post about this issue last week, highlighting the problem with open weight models. "Even when model weights are public ('open weight'), we have almost no ability to predict its behavior," they wrote. "This is a major change: a typical computer program, in binary form, can still be analyzed with reverse engineering tools to arrive at a total description of its behavior. With models, we have nowhere close to this capability." Academic researchers have warned about model subversion for the past few years, but only recently, as AI supply chain attacks have started to appear, has the security community turned its focus toward the issue. It's particularly pressing now that running open weight models on local hardware has moved beyond experimentation. Last month, David Kaplan, AI security research lead at Origin, undertook a similar experiment โ€“ he created a compromised model designed to steal data. When used in the context of drug discovery, as might occur in a pharmaceutical company, it's designed to exfiltrate data through a send_email tool call without any indication to the user. "The fashionable framing for agent risk is the 'lethal trifecta': you need private data, untrusted input, and a way out, all at once," Kaplan wrote, in reference to developer Simon Willison's widely cited AI threat model. "But it undersells this case. You don't need three legs here. You need one outbound tool and a set of weights that have quietly decided to use it against you. The 'untrusted input' didn't arrive in a web page. It was sitting in the weights the whole time." Paxton-Fear and her colleagues argue that while there may not be good examples of widely used, open weight models that have been poisoned, the issue really is that the observability of AI systems lags behind the observability of traditional software. "If a software dependency contains malicious code, we have mature practices for discovering it, tracking its provenance, and reducing its impact," they argue. "AI models are different. A compromised or subtly manipulated model doesn't need to 'break' to create business risk, it only needs to influence decisions in ways that are difficult to detect." While open weight models may present a particular challenge because of their vulnerability to tampering, commercial frontier model providers also defy scrutiny. The AI industry asks for extraordinary levels of trust โ€“ access to sensitive data โ€“ but offers few glimpses into black box operations. ยฎ

  •  

Two Scattered Spider Hackers Get 5.5 Years Each for ยฃ29 Million TfL Hack

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL's losses and recovery

  •  

ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

A lot of this weekโ€™s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Hereโ€™s the mess.

  •  

C'mon, just copy this text string and paste it into your macOS Terminal โ€“ it'll fix your computer, honest

Threat intel outfit Group-IB has detailed a previously undocumented macOS information stealer that doesn't bother hunting for software bugs. Instead, it persuades users to pwn themselves by pasting a command into Terminal, after which it helps itself to passwords, crypto wallets, browser data, and anything else worth stealing. The boffins have dubbed the malware โ€œClickLock Stealer,โ€ a nod to its use of the increasingly popular ClickFix social engineering technique and a coercive "locker" feature that pressures victims into handing over their Mac login password. According to the researchers, the operation has been active since around May and has already targeted at least 100 victims across 33 countries, with more than half located in Europe. Group-IB said it discovered the malware after analyzing a malicious shell script uploaded to VirusTotal on June 9 that had zero antivirus detections at the time. The attackers appear to distribute the malware via fake verification pages using ClickFix, host payloads on compromised WordPress sites, and rely on Telegram infrastructure for command-and-control. "The current malware doesn't even need any elevated privileges or rely on exploits for the successful execution," the researchers wrote. Instead, victims are tricked into launching the infection themselves. After they paste the supplied command into Terminal, the malware displays what appears to be a Cloudflare verification sequence, complete with a fake progress animation, while quietly downloading additional components in the background. Group-IB says ClickLock targets data from eight browsers, 31 cryptocurrency wallet browser extensions, seven password manager extensions, eight desktop wallet applications, macOS Keychain, shell history, FTP credentials, and blockchain addresses spanning six different chains. The malware also deploys a modified version of the open source GSocket tool to provide the attackers with remote access. The researchers believe the malware is still under active development based on its code structure and other artifacts, suggesting operators are continuing to expand its capabilities. The nastiest touch comes when victims refuse to play along. During the fake verification process, ClickLock prompts for the user's macOS password. If the password isn't entered, the malware repeatedly kills visible applications, effectively preventing normal use of the machine until the victim complies. If the password is supplied, the theft completes quietly. If the machine is rebooted instead, persistence mechanisms are designed to resume the attack. "The entire attack chain from initial access to full credential theft and data exfiltration relies on a single moment of trust: the user pasting a command into Terminal," Group-IB wrote. The researchers say defenders will need to watch for suspicious behavior rather than known malware signatures. Among the warning signs are unexpected password prompts, applications being repeatedly forced to close, unusual access to browser data and stored credentials, and connections sending stolen information to Telegram. For everyone else, the advice is considerably simpler. If a website claiming to be Cloudflare, Google, or anyone else asks you to open Terminal and paste in a command, close the tab. ยฎ

  •  

[$13337] Confused Deputy: Google IdP Universal Account Takeover via Device Code Flow Hijacking

RFC 8628's device authorization grant lets a TV or CLI "poll" for login on a second screen. On Google's implementation, the entire session was transferable across browsers, the authorization server never checked that the client_id and scope in the consent URL matched the ones the device_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover.

submitted by /u/swinglr
[link] [comments]
  •  

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on theย subย claim alone and ignoredย iss. A valid token from issuer A carrying aย subย that belongs to someone under issuer B logged you in as them. Their password never

  •  

New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

Cybersecurity researchers have called attention to a new modular malware called TELEPUZ that's been spreading via websites infected with ClickFix lures since late April 2026. "The malware is full-featured, lightweight, and modular," Elastic Security Labs researcher Cyril Franรงois said in a technical report. "While the number of C2 [command-and-control] domains is currently small, the daily

  •  
โŒ