TECH. FOR. HUMANS.
Prompt Injection Used to Be Embarrassing. Now It's CVSS 10.0.
Microsoft disclosed two critical vulnerabilities in Semantic Kernel that turn prompt injection into full remote code execution. The AI agent framework your tools are built on just became the attack surface.
I write about security, privacy, and AI — the stuff that matters but rarely gets explained well. Practical, opinionated, honest.
No fear-mongering. No affiliate tax. Just the plain-English version.
LATEST
56 articles and counting. Newest first.
When the Ransom Note Is a Distraction
Iran's MuddyWater group posed as a ransomware gang, used Microsoft Teams to social-engineer credentials, and deployed Chaos ransomware as cover. The real operation was espionage. Most victims never figured that out.
275 Million Students Just Had Their Data Stolen. They Never Had a Say.
ShinyHunters breached Instructure's Canvas platform for the second time in eight months. The stolen data includes student messages, names, and IDs across 9,000 schools — from a system students were required to use.
AI Didn't Replace Hackers. It Built Them an Assembly Line.
Mandiant's M-Trends 2026 data shows AI in the attack chain at every stage — but the breaches still start with the same old failures. The uncomfortable truth is both things are true at once.
Bitwarden's Own CLI Was Backdoored on npm for 93 Minutes
At 5:57 PM ET yesterday, attackers pushed a trojanized @bitwarden/cli@2026.4.0 to npm. It silently stole SSH keys, cloud credentials, and GitHub tokens — then used them to inject itself into every CI/CD pipeline it could reach.
MSG Spent $6 Million on Facial Recognition. Staff Used It to Build Files on Critics.
Madison Square Garden's biometric system has been used to preemptively enroll critics who never visited, eject a 9-year-old because of her mother's law firm, and compile an 18-page surveillance dossier on a trans woman. A lawsuit put the specifics on paper.
Europe Pulled the Plug on Mass Message Scanning. The Proposal Isn't Dead.
The EU Parliament voted to let the legal basis for mass-scanning private messages expire. Google, Meta, Microsoft, and Snap were all operating under that safe harbor. It's the most significant institutional win for encrypted communications in years — and the pressure hasn't dissolved.
- critical: Microsoft Discloses CVSS 10.0 and 9.8 RCE Vulnerabilities in Semantic Kernel AI Agent Framework — Prompt Injection Becomes Code Execution (Microsoft Security Blog, May 7)
- critical: CVE-2026-0300: Palo Alto PAN-OS Zero-Day Buffer Overflow (CVSS 9.3) Grants Root RCE on Firewalls — No Patch Available Until May 13 (BleepingComputer, May 7)
- high: Ivanti EPMM Zero-Day CVE-2026-6973 Under Active Exploitation — CISA Mandates May 10 Patch Deadline (The Hacker News, May 7)
- high: Dragos Documents First AI-Guided ICS Attack: Claude AI Used as Primary Attack Tool Against Mexican Water Utility (Dragos, May 7)