2.6 million Microsoft Edge users were exposed to malware in 119 hidden browser add-ons – a failure of marketplace validation processes with direct implications for enterprise-wide endpoint controls.
AI-based code agents can be manipulated through specially crafted GitHub repositories into executing hidden malware without common security checks detecting the risk.
Following a rail radio outage, politicians responsible for security policy are calling for a statutory ban on Chinese components in critical infrastructure to prevent sabotage and espionage.
By default, GitHub blocks the automatic loading of code from forked pull requests in privileged workflows to prevent attackers from stealing GITHUB_TOKEN and environment variables.
CVE-2026-8461 in the FFmpeg MagicYUV decoder enables Denial-of-Service and Remote Code Execution through crafted media files in hundreds of applications; patching to version 8.1.2 is required.
Attackers are using GitHub as a malware distribution channel by mass-cloning legitimate repositories and injecting trojans, thereby compromising developer supply chains.
Attackers systematically exploit legitimate AI tools and popular developer infrastructure as attack vectors while deliberately minimizing traditional security signals.
15 compromised JetBrains plugins masquerade as AI assistants and steal plaintext API keys over unencrypted HTTP connections to IP address 39.107.60.51.
At least 15 malicious plugins in the JetBrains Marketplace were designed to steal AI API keys from developers and gain access to internal corporate services.
Miasma replicates autonomously across Git repositories and automatically deletes user data when its GitHub token is blocked; its source code is now public and is expected to lead to further variants.
Legitimate AI agents inherently satisfy all three criteria of the “lethal trifecta” (data access, external content, external communication), so security must shift from architectural design to runtime monitoring.