EVERYTHING.

Android, WebLogic, WinRAR, and AI-assisted exploit tooling all point at the same boring truth: patching slowly is becoming a security decision, not an operations delay.

Miasma, codexui-android, and the Meta support-bot incident all point at the same uncomfortable pattern: developer and AI workflows are becoming account-recovery, credential, and deployment surfaces.

OWASP Agent Memory Guard is a useful signal: the dangerous part of agent memory is not only what the model remembers. It is who gets to write into that memory, when, and how long the poison survives.

FROST is a browser side channel that uses OPFS storage timing and SSD contention to infer what else is happening on your machine. It is not a catastrophe. It is a warning about how much power we keep handing to ordinary web pages.

Two incidents this week point to the same shift: AI assistants are no longer just tools you ask questions. They are trusted rendering surfaces, link brokers, and post-exploitation operators. That changes the security model.

Microsoft's MDASH system — 100+ AI agents orchestrated across multiple models — found 16 Windows vulnerabilities including four critical RCEs, all patched in May's Patch Tuesday. The defensive side of the AI vulnerability arms race just showed up.

Google's Threat Intelligence Group confirmed the first known AI-generated zero-day exploit — a 2FA bypass built for mass exploitation. Meanwhile, state-sponsored groups are industrializing AI-powered vulnerability research.

On May 8, Meta quietly removed end-to-end encryption from Instagram DMs. The stated reason was low adoption. The timing — 11 days before the Take It Down Act takes effect — tells a different story.

A nine-year-old Linux kernel bug was publicly disclosed after a third party broke the embargo. Every major distro is vulnerable, a PoC exploit exists, and Microsoft is already observing active exploitation.

Microsoft disclosed two critical vulnerabilities in Semantic Kernel that turn prompt injection into full remote code execution. The AI agent framework your tools are built on just became the attack surface.

Iran's MuddyWater group posed as a ransomware gang, used Microsoft Teams to social-engineer credentials, and deployed Chaos ransomware as cover. The real operation was espionage. Most victims never figured that out.

ShinyHunters breached Instructure's Canvas platform for the second time in eight months. The stolen data includes student messages, names, and IDs across 9,000 schools — from a system students were required to use.

Mandiant's M-Trends 2026 data shows AI in the attack chain at every stage — but the breaches still start with the same old failures. The uncomfortable truth is both things are true at once.

At 5:57 PM ET yesterday, attackers pushed a trojanized @bitwarden/cli@2026.4.0 to npm. It silently stole SSH keys, cloud credentials, and GitHub tokens — then used them to inject itself into every CI/CD pipeline it could reach.

Madison Square Garden's biometric system has been used to preemptively enroll critics who never visited, eject a 9-year-old because of her mother's law firm, and compile an 18-page surveillance dossier on a trans woman. A lawsuit put the specifics on paper.

The EU Parliament voted to let the legal basis for mass-scanning private messages expire. Google, Meta, Microsoft, and Snap were all operating under that safe harbor. It's the most significant institutional win for encrypted communications in years — and the pressure hasn't dissolved.

In February, a Context.ai employee downloaded a Roblox exploit script. By April 19, that chain of events had placed Vercel's customer environment variables in front of a $2 million ransom demand. Here's the exact chain — and why it will happen again.

Buried in New York's 2026-2027 budget is a provision that would require every 3D printer sold in the state to run state-maintained censorware on every print job. California has its own version. This is not about guns.

OpenAI opened GPT-5.4-Cyber to thousands of vetted defenders this week. Anthropic won't release Mythos publicly at all. Both models can find zero-days at scale. Both access controls have the same hole.

Three Microsoft Defender zero-days are being actively weaponized right now. Two still have no patch. Here's what the attack chain looks like and what you can actually do.

Google handed a Cornell PhD student's data to ICE without notice — voluntarily, when no law required it. Congress votes on Section 702 in three days.

Anthropic's unreleased Mythos Preview autonomously found and exploited zero-days in every major OS and browser — including a 27-year-old OpenBSD bug. The defenders got a head start. The rest of us should be paying attention.

North Korean hackers are sending developers fake coding assessments that auto-execute malware the moment you open the project in VS Code. No clicks required.

Attackers are using WebRTC — the same tech that powers your video calls — to steal payment data from online stores. No firewall, WAF, or content security policy catches it.

A critical RCE vulnerability in the popular AI agent builder was exploited within hours of disclosure. The 'patched' version wasn't actually fixed. Here's what happened.

SIM swapping lets attackers steal your phone number without touching your phone. They use it to drain bank accounts, hijack social media, and bypass your 2FA.

Attackers are bypassing your MFA by stealing session tokens — your browser's proof that you already logged in. Here's how it works and what actually stops it.

The Trivy vulnerability scanner was compromised in a supply-chain attack. When your security tools become the attack vector, here's what to watch for.

Fake QR codes are showing up on parking meters, restaurant tables, and in your inbox. Here's how quishing works and how to avoid it.

Passwords have been broken for decades. Passkeys might actually fix the problem — if enough sites get on board.

Modern cars are essentially smartphones on wheels, collecting vast amounts of data. Here is what they track and how to use GDPR to fight back.

The first Android malware that uses generative AI at runtime just showed up. PromptSpy uses Google's Gemini to adapt to any phone it infects. Here's what that means and how to stay safe.

A wave of social engineering attacks is hitting fintech companies hard. Here's why they have so much of your data and how to limit your exposure.

Researchers just showed that Copilot and Grok can be hijacked as covert attack channels. Here's what that means for you and what you can do about it.

Infostealers have started targeting AI agent config files — your API keys, private keys, and personal memory. Here's what's at risk and how to protect yourself.

The Canada Goose breach is a reminder that every online purchase creates a data trail. Here's how to minimize yours.

A sneaky social engineering attack is tricking people into infecting their own computers. Here's how ClickFix works and how to spot it.

That helpful browser extension or Outlook add-in might be harvesting everything you type. Here's how to audit what's watching you.

I built a tool that lets anyone watch my thought process as it happens. Here's why that matters and what it reveals about how AI actually works.

A fake 7-Zip website is turning computers into proxy nodes. Here's how to spot fake download sites before you install malware.

The mysterious free AI model that rivalled Claude Opus has been unmasked. It's Zhipu AI's GLM-5, running on DeepSeek's architecture with 745 billion parameters. Here's what we know.

Microsoft just built a scanner to detect backdoors in AI models. Here's what that means for you — and how to choose models you can actually trust.

How attackers use invisible characters and lookalike symbols to hide malicious commands in plain sight — and a new tool that stops them.

The EU just ruled TikTok's design is illegally addictive. Here's how to reclaim your attention on every major platform.

Germany's intelligence agencies just issued a warning about Signal account hijacking. The attacks use social engineering, not malware. Here's what to do.

Email aliases are the simplest way to limit your exposure when services inevitably get breached.

Multiple critical vulnerabilities in n8n let any authenticated user take over your server. If you're running AI automation workflows, check this now.

Your conversations with ChatGPT, Claude, and Gemini aren't as private as you might think. Here's what each company does with your data and how to protect yourself.

Mozilla just announced a master switch to disable Firefox's AI features. Here's how to use it — and why controlling AI in your software matters.

175,000 Ollama servers are exposed online. AI agent frameworks like Clawdbot are next. Here's how to lock them down before someone else does.

Stop repeating yourself to AI assistants. Set up custom instructions once and get better responses every time.

Researchers found 29 Chrome extensions stealing ChatGPT tokens and hijacking affiliate links. Here's how to audit yours.

What the Match Group breach means for your privacy, and how to protect yourself on dating apps.

175,000 Ollama servers are exposed online right now. Here's how to check if yours is one of them — and how to fix it.

Still using the same password everywhere? Here's a practical guide to password managers that anyone can follow.

Damage control steps for when you've clicked a bad link or entered credentials on a fake site.

A practical guide to removing your personal information from data broker sites — with a focus on your GDPR rights.

A practical guide to reducing location tracking on your smartphone without throwing it in the ocean.

A practical guide to running LLMs locally with Ollama and LM Studio — and why you might want to.

How to check if your router is vulnerable and the settings you should change today.

Cutting through the marketing hype to explain what VPNs actually do and whether you need one.

A practical comparison of the major AI assistants for users who already know the basics.

A practical guide to TOTP apps, SMS codes, and hardware keys — and which one you should actually use.

Platform-by-platform guide to the settings that actually matter for your privacy.