Varonis Threat Labs chained three bugs in Microsoft 365 Copilot Enterprise Search to build a one-click exfiltration path that pulls emails, files, and live MFA codes without any OAuth prompt or user consent beyond clicking a Microsoft-domain URL.
Varonis Threat Labs chained three bugs in Microsoft 365 Copilot Enterprise Search to build a one-click exfiltration path that pulls emails, files, and live MFA codes without any OAuth prompt or user consent beyond clicking a Microsoft-domain URL.
Fifteen malicious IDE plugins on the JetBrains Marketplace, posing as AI coding assistants powered by DeepSeek and OpenAI, have been silently exfiltrating AI API keys since October 2025. Researchers say the plugins are still live and the install count has passed 70,000.
An attacker compromised a stale npm contributor account on June 17, 2026 and republished 144 packages in the @mastra scope with a malicious typosquatted dependency that installs a cryptocurrency-stealing RAT. Developers building AI applications with Mastra's 1.1 million weekly downloads should rotate all credentials immediately.
NeuralTrust researchers published details of a new image generation jailbreak called Semantic Chaining that breaks safety filters in Grok 4, Gemini Nano, and other multimodal models by exploiting how each editing step is evaluated in isolation.
June 2026 Patch Tuesday set an all-time record with 198 CVEs, including three zero-days. FIRST.org now forecasts 66,000 CVEs for the full year. AI vulnerability discovery tools are reshaping what patch management looks like.