Vulnerabilities, breaches, and defensive-security research across the platforms devs actually use.
DepthFirst's agent surfaced 21 FFmpeg zero-days for about $1,000. One 183-byte packet hits RCE. The deeper story is who pays the volunteers who fix them.
A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.
A flaw in Starlette, downloaded 325M times a week, let a single Host-header character bypass path-based auth across FastAPI, vLLM, and MCP servers.
A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.
Google's June 2026 Android bulletin patches an actively exploited Framework privilege-escalation zero-day plus 123 other flaws. Here's who's at risk and what to do.
Graz researchers built FROST, a browser side-channel that times SSD activity to guess which sites and apps you're running. Here's how it works and what helps.
McAfee says a free malware-as-a-service stealer called WeedHack has hit 116,000+ Minecraft systems via fake mods and cheats. Here's what it grabs and how to clean up.
GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?
Connected cars collect location, driving behavior, in-cabin audio, and synced contacts, then route it to automaker clouds, brokers, and insurers. Here's how to stop it.
ShinyHunters breached a 7-Eleven Salesforce instance holding franchisee documents, exposing 185,000 people. The 9.4GB archive hit a leak site after 7-Eleven declined to pay.
Code seen by 9to5Mac points to an iPhone feature that auto-locks when the accelerometer detects a snatch, then clamps down like Stolen Device Protection.
Spammers found a Tenant Name injection in Entra ID that pushes fraud text into Microsoft's own OTP emails. The from-line reads [email protected].
Chromium Issue 1396278 went public on May 20 because Google's tracker auto-clears restrictions on stale closed bugs. The flaw, reported in 2022, was never fixed.
Anthropic says Project Glasswing's first month produced over 10,000 critical-and-high-severity vulns. Verification and patching is the limiting step.
Apple's SEAR team published formal verification proofs for corecrypto's ML-KEM and ML-DSA implementations. 50,000 proof steps cover 2.5 billion active devices.
GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.
Microsoft is phasing out SMS sign-in and recovery on personal Microsoft accounts by December 2026. Replacements: passkeys, Authenticator, or verified email.
GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.