#safe-program
#safe-program

9 hours ago

Physical Security in Global Arenas: How AI Improves Security at Scale

Agentic physical security uses AI to transform surveillance into proactive threat prevention at large events.

Node JS

fromYcombinator

1 hour ago

Show HN: I rewrote my 2012 self-signed cert generator in Go - cert-depot.com | Hacker News

A new certificate generation tool was built in Go, eliminating external dependencies and improving security features.

#claude-code

9 hours ago

Software development

Claude Code's innards revealed as source code leaked online

Claude Code is still vulnerable to an attack Anthropic has already fixed

The leak of Claude Code's source has exposed a vulnerability that compromises its security.

Critical Vulnerability in Claude Code Emerges Days After Source Leak

Anthropic's Claude Code source code was leaked, revealing operational details but not compromising sensitive data like model weights or customer information.

Claude Code's source reveals extent of system access

Claude Code has significant control over devices, raising concerns about data retention and potential misuse in sensitive environments.

9 hours ago

Software development

Claude Code's innards revealed as source code leaked online

Claude Code is still vulnerable to an attack Anthropic has already fixed

The leak of Claude Code's source has exposed a vulnerability that compromises its security.

Critical Vulnerability in Claude Code Emerges Days After Source Leak

Anthropic's Claude Code source code was leaked, revealing operational details but not compromising sensitive data like model weights or customer information.

fromSpeckyboy Design Magazine

Claude Code's source reveals extent of system access

Claude Code has significant control over devices, raising concerns about data retention and potential misuse in sensitive environments.

more#claude-code

21 hours ago

How To Protect Media Files Uploaded to WordPress - Speckyboy

The predictable file structure of the content management system makes it easy to guess where a file is stored, leading to potential leaks, as demonstrated by a journalist accessing a leaked UK budget document.

Privacy technologies

How AI is Shaping Modern DevOps and DevSecOps - DevOps.com

AI is transforming software delivery, with significant adoption expected by 2028, enhancing efficiency across the software development lifecycle.

Cryptocurrency

fromnews.bitcoin.com

33 minutes ago

Circle Announces Quantum-Resistant Roadmap to Secure Future Digital Asset Infrastructure

Circle's Arc platform will launch with post-quantum signature support to secure institutional assets against quantum threats.

US politics

fromArs Technica

21 hours ago

CBP facility codes sure seem to have leaked via online flashcards

Immigration offenses and internal systems of CBP are detailed in flashcards, highlighting procedures and responsibilities of agents.

#data-breach

Privacy professionals

A fintech app asked users for their passports - then left 360,000 files unprotected for five years - Silicon Canals

A money transfer app exposed over 360,000 sensitive files on a public server for nearly five years, including unencrypted personal documents.

The company's biggest security hole lived in the breakroom

An internet-connected coffee machine caused a major data breach by exploiting security vulnerabilities in a corporate network.

Privacy professionals

A fintech app asked users for their passports - then left 360,000 files unprotected for five years - Silicon Canals

A money transfer app exposed over 360,000 sensitive files on a public server for nearly five years, including unencrypted personal documents.

The company's biggest security hole lived in the breakroom

An internet-connected coffee machine caused a major data breach by exploiting security vulnerabilities in a corporate network.

Digital life

Internet Watch Foundation finds 260-fold increase in AI-generated CSAM in just one year, and 'it's the tip of the iceberg' | Fortune

Software development

Meta Researchers Show AI Agents Can Verify Code Without Running It - and Hit 93% Accuracy - DevOps.com

Privacy technologies

Identity and AI: Questions of data security, trust and control | Computer Weekly

AI-driven identity solutions improve access control but raise compliance, privacy, and ethical concerns that organizations must address.

fromFortune

In the age of vibe coding, trust is the real bottleneck | Fortune

AI tools can generate code rapidly, but they also introduce vulnerabilities and require rigorous verification to ensure security and compliance.

fromHarvard Business Review

AI Agents Act a Lot Like Malware. Here's How to Contain the Risks.

An AI agent named MJ Rathbun published a blogpost attacking engineer Scott Shambaugh.

JFrog Artifactory: how to secure binaries in the AI era

AI-generated code is creating a security crisis that traditional methods cannot manage, necessitating a new approach to binary management.

Digital life

fromFortune

Internet Watch Foundation finds 260-fold increase in AI-generated CSAM in just one year, and 'it's the tip of the iceberg' | Fortune

AI-generated child sexual abuse material is surging, fundamentally changing targeting methods and overwhelming investigators.

Software development

Meta Researchers Show AI Agents Can Verify Code Without Running It - and Hit 93% Accuracy - DevOps.com

AI agents can determine functional equivalence of code patches using semi-formal reasoning without executing the code.

Privacy technologies

Identity and AI: Questions of data security, trust and control | Computer Weekly

AI-driven identity solutions improve access control but raise compliance, privacy, and ethical concerns that organizations must address.

fromFortune

fromHarvard Business Review

In the age of vibe coding, trust is the real bottleneck | Fortune

AI tools can generate code rapidly, but they also introduce vulnerabilities and require rigorous verification to ensure security and compliance.

Artificial intelligence

AI Agents Act a Lot Like Malware. Here's How to Contain the Risks.

Intellectual property law

JFrog Artifactory: how to secure binaries in the AI era

AI-generated code is creating a security crisis that traditional methods cannot manage, necessitating a new approach to binary management.

more#ai

fromNextgov.com

Tech bills of the week: Limiting adversaries' access to US tech; and boosting cyber apprenticeships

New legislation aims to strengthen U.S. export controls on sensitive technologies to prevent adversaries from exploiting them for economic gain.

The State of Trusted Open Source Report

AI is reshaping software development and security, influencing container image usage and vulnerability management.

Software development

Internet Bug Bounty program hits pause on payouts

Python

The State of Trusted Open Source Report

AI is reshaping software development and security, influencing container image usage and vulnerability management.

Software development

Internet Bug Bounty program hits pause on payouts

New Rowhammer attacks give complete control of machines running Nvidia GPUs

Rowhammer attacks on Nvidia GPUs can compromise CPU memory, allowing full control of host machines.

Apple

Apple Rolls Out DarkSword Exploit Protection to More Devices

Apple is updating older iOS devices to protect against the DarkSword exploit kit targeting vulnerabilities in its mobile platforms.

EU data protection

AI-driven identity must exist in a robust compliance framework | Computer Weekly

Governance must precede AI adoption to avoid compliance failures and ethical risks in identity verification systems.

Business intelligence

Beyond Locking Doors

Access control systems provide valuable data that enhances operational efficiency and decision-making beyond just security.

World Cloud Security Day: Breaking Down the State of the Cloud Cybersecurity and Physical Security

"World Cloud Security Day is a useful reminder to recognize how much cloud risk now comes down to everyday access decisions and overlooked misconfigurations," says James Maude, Field CTO at BeyondTrust.

Information security

Women in technology

Security and Architecture: To Betray One Is To Destroy Both

Architecture and security have evolved from separate entities to a deeply connected partnership focused on resilience and protection against threats.

#cybersecurity

Node JS

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Privacy professionals

10 Data Security Stories to Know About (March 2026)

Node JS

Are We Ready for the Next Cyber Security Crisis Like Log4shell?

Information security

The man who discovered the ILOVEYOU virus is now fighting Russian drones using the same playbook - Silicon Canals

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture

Third-party risk management is now a critical security challenge and growth opportunity for service providers.

Mikko Hypponen says the age of viruses is over - now he's building defences against drones - Silicon Canals

Mikko Hyppönen is applying cybersecurity methods to develop anti-drone systems at Sensofusion, focusing on drone communication detection.

Node JS

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

36 malicious npm packages disguised as Strapi CMS plugins facilitate exploitation and credential harvesting.

Privacy professionals

10 Data Security Stories to Know About (March 2026)

March saw significant data security incidents including cyberattacks, data purchases by the FBI, and breaches affecting millions of customers.

Node JS

Are We Ready for the Next Cyber Security Crisis Like Log4shell?

Organizations are not prepared for the next cybersecurity crisis, similar to Log4Shell.

The man who discovered the ILOVEYOU virus is now fighting Russian drones using the same playbook - Silicon Canals

Mikko Hyppönen has transitioned from cybersecurity to anti-drone defense, focusing on systems for law enforcement and military clients.

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture

Third-party risk management is now a critical security challenge and growth opportunity for service providers.

Mikko Hypponen says the age of viruses is over - now he's building defences against drones - Silicon Canals

Mikko Hyppönen is applying cybersecurity methods to develop anti-drone systems at Sensofusion, focusing on drone communication detection.

Human Error, Not Hacking, Cited as Top Cause for Crypto Access Loss

Human error is the leading cause of cryptocurrency access loss, affecting 35% of holders, primarily due to forgotten passwords and lost seed phrases.

Understanding the risks of OpenClaw

OpenClaw is an orchestration layer that requires external services to function effectively, rather than being a standalone cloud platform.

fromFuturism

Say a Prayer for This Startup That's Replacing Its Developers With OpenClaw

OpenClaw is being used to create autonomous AI teams, raising concerns about job security for human developers.

fromArs Technica

OpenClaw gives users yet another reason to be freaked out about security

OpenClaw's vulnerabilities pose severe security risks, allowing attackers to gain administrative access with minimal permissions.

Understanding the risks of OpenClaw

OpenClaw is an orchestration layer that requires external services to function effectively, rather than being a standalone cloud platform.

fromFuturism

Say a Prayer for This Startup That's Replacing Its Developers With OpenClaw

OpenClaw is being used to create autonomous AI teams, raising concerns about job security for human developers.

fromArs Technica

OpenClaw gives users yet another reason to be freaked out about security

OpenClaw's vulnerabilities pose severe security risks, allowing attackers to gain administrative access with minimal permissions.

What Does It Take to Be an Outstanding CSO or CISO?

Outstanding security leaders often come from non-traditional backgrounds, with 40% of recent CSO-CISO Hall of Fame honorees starting in the private sector.

GitHub Adds 37 New Secret Detectors in March, Extends Scanning to AI Coding Agents - DevOps.com

GitHub expanded secret scanning with 37 new detectors, enhanced push protection, and introduced scanning for AI coding agents in March.

fromMedium

AWS Security and Compliance Quiz (25 Questions) with Detailed Answers - Cloud Practitioner Guide

Understanding AWS security services is essential for modern applications running on AWS.

Software development

Why Code Validation is the Next Frontier - DevOps.com

Shared staging environments are inadequate for modern development; isolated, on-demand setups are needed for effective validation.

fromMedium

Most Developers Are Using AI Wrong.

Using AI in coding can create an illusion of speed, leading to a lack of understanding and ownership of the code.

Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

Fortinet released patches for a critical vulnerability in FortiClient EMS, allowing unauthenticated attackers to execute unauthorized commands.

Web development

3 weeks ago

Brilliant backups landed web developer in big trouble

A website migration oversight caused a two-year disconnect where office staff viewed outdated content due to hardcoded DNS settings, while the client only discovered the issue when accessing the site from the office.

How 'Wikipedia of cyber' helps SAP make sense of threat data | Computer Weekly

SAP faces significant challenges in securing enterprise data amidst a complex threat landscape and evolving compliance requirements.

20 hours ago

Don't glamorize cybercrims, roast them instead

Cybercrime groups should not be glamorized; they are ordinary individuals using computers for theft, not mythical entities.

Security as Code is Becoming the New Baseline: Continuous Compliance in DevOps - DevOps.com

Compliance must be integrated into the delivery pipeline as a continuous practice rather than a periodic checkpoint.

Claude Code leak puts enterprise trust at risk as security, governance concerns mount

Leaks threaten Anthropic's market position and raise security concerns about its AI coding tools.

Securing agentic AI is still about getting the basics right

Agentic AI workflows necessitate new security frameworks for identity management, authentication, and governance in organizations.

Claude Code leak puts enterprise trust at risk as security, governance concerns mount

Leaks threaten Anthropic's market position and raise security concerns about its AI coding tools.

Securing agentic AI is still about getting the basics right

Agentic AI workflows necessitate new security frameworks for identity management, authentication, and governance in organizations.

Panel: Security Against Modern Threats

Modern threats to software supply chains require resilience by design, integrating security into engineering workflows and empowering developers with the right tools.

The agent security mess

Most granted permissions are unused by humans, but AI agents will exploit them, leading to significant security risks.

Open Source Security Tool Trivy Hit by Supply Chain Attack, Prompting Urgent Industry Response

A malicious release of the Trivy vulnerability scanner exposed critical weaknesses in software supply chain security, allowing for potential credential theft.

fromComputerworld

A core infrastructure engineer pleads guilty to federal charges in insider attack

Rhyne's attack involved unauthorized remote desktop sessions, deletion of network administrator accounts, and changing of passwords, showcasing significant security vulnerabilities.

Information security

Software development

When AI Gets It Wrong: The Insecure Defaults Lurking in Your Code - DevOps.com

Generative AI accelerates code development but introduces security vulnerabilities because AI models learn insecure patterns from training data rather than understanding security principles.

fromTNW | Insights

KeeperDB brings zero-trust database access to privileged access management

Database credentials are a major attack vector, and KeeperDB integrates access controls into its PAM platform to enhance security.

Mobile Attack Surface Expands as Enterprises Lose Control

Mobile device security is inadequate, with many organizations using critically outdated operating systems and exposing sensitive data to potential attacks.

Information security

Three web security blind spots in mobile DevSecOps pipelines

Mobile apps require fundamentally different security approaches than web applications because they operate as untrusted endpoints where attackers have physical access to the binary, making traditional web-centric security models inadequate.

Mobile Attack Surface Expands as Enterprises Lose Control

Mobile device security is inadequate, with many organizations using critically outdated operating systems and exposing sensitive data to potential attacks.

Information security

Three web security blind spots in mobile DevSecOps pipelines

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

Threat actors exploit HTTP cookies for PHP web shells on Linux servers, enabling remote code execution with stealthy control mechanisms.

fromComputerworld

Jamf warns of massive app insecurities

Mac and iOS users face significant security threats, with many devices vulnerable to attacks and outdated systems.

2 months ago

The New Battleground of Cybersecurity

I've always had what I would consider a hacker mindset, a curiosity to take things apart, understand them, and use that knowledge to solve problems. That mindset took me on a circuitous route into the cybersecurity industry; after being kicked out of high school for hacking computer systems, I worked a range of jobs, managing office supply companies by day and cracking Wi-Fi networks by night until I started a Digital Forensics degree which led me to the world of security research.

Science

Cisco Patches Critical and High-Severity Vulnerabilities

Cisco has released fixes for two critical and six high-severity vulnerabilities affecting various enterprise networking products.

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released critical updates to address vulnerabilities in its Integrated Management Controller and Smart Software Manager On-Prem.

Cisco Patches Critical and High-Severity Vulnerabilities

Cisco has released fixes for two critical and six high-severity vulnerabilities affecting various enterprise networking products.

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released critical updates to address vulnerabilities in its Integrated Management Controller and Smart Software Manager On-Prem.

Critical ShareFile Flaws Lead to Unauthenticated RCE

Two critical vulnerabilities in ShareFile could allow unauthenticated remote code execution through improper access to configuration pages.

Blind trust in hardware vendors is always a bad idea

Attackers are increasingly targeting hardware and firmware vulnerabilities as traditional security tools focus primarily on software layers.

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

A large-scale credential harvesting operation exploits the React2Shell vulnerability to steal sensitive data from compromised hosts across multiple regions.

#malware

Information security

Fake Claude Code source downloads actually delivered malware

Information security

Sophisticated CrystalX RAT Emerges

fromTechRepublic

Microsoft: Hackers Are Using WhatsApp to Deliver Malware to Windows PCs

WhatsApp messages are being exploited to deliver malware to Windows users, creating significant security risks.

Fake Claude Code source downloads actually delivered malware

Leaked Claude Code source code led to malware downloads, including credential-stealing Vidar and proxy tool GhostSocks, via a malicious GitHub repository.

Sophisticated CrystalX RAT Emerges

CrystalX RAT is a new malware-as-a-service combining spyware, stealer, and remote access capabilities, promoted on Telegram and YouTube.

fromTechRepublic

Microsoft: Hackers Are Using WhatsApp to Deliver Malware to Windows PCs

WhatsApp messages are being exploited to deliver malware to Windows users, creating significant security risks.

Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Google has released a security update for Chrome due to multiple high-severity vulnerabilities, including an actively exploited use-after-free flaw.

Information security

Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome

fromTechRepublic

Patch Now: Chrome Flaw Under Active Attack, Google Confirms

Google has released a security update for Chrome due to multiple high-severity vulnerabilities, including an actively exploited use-after-free flaw.

Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome

Google's Chrome 146 update addresses 21 vulnerabilities, including a zero-day exploit tracked as CVE-2026-5281.

The Next Cybersecurity Crisis Isn't Breaches-It's Data You Can't Trust

Data integrity now encompasses data trust, emphasizing the importance of reliable data in AI-driven decision-making.

fromwww.cybersecuritydive.com

Axios open-source library targeted in sophisticated supply chain attack

A North Korean threat actor compromised the axios library, introducing a malicious dependency that deploys a backdoor across multiple operating systems.

2 months ago

What Testers Can Do to Ensure Software Security

A secure software development life cycle means baking security into plan, design, build, test, and maintenance, rather than sprinkling it on at the end, Sara Martinez said in her talk Ensuring Software Security at Online TestConf. Testers aren't bug finders but early defenders, building security and quality in from the first sprint. Culture first, automation second, continuous testing and monitoring all the way; that's how you make security a habit instead of a fire drill, she argued.

Software development

How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development

This extends to the software development community, which is seeing a near-ubiquitous presence of AI-coding assistants as teams face pressures to generate more output in less time. While the huge spike in efficiencies greatly helps them, these teams too often fail to incorporate adequate safety controls and practices into AI deployments. The resulting risks leave their organizations exposed, and developers will struggle to backtrack in tracing and identifying where - and how - a security gap occurred.

Artificial intelligence

fromSiliconANGLE

Hackers compromise popular Axios Javascript library with hidden malware - SiliconANGLE

Axios HTTP client library was hacked to distribute malware via a compromised npm account, affecting multiple operating systems.

Banning routers won't fix what's already broken | Computer Weekly

The FCC's ban on foreign-made routers addresses future procurement, not current security risks, as routers are already vulnerable and widely deployed.

Cloudflare Adds Active API Vulnerability Scanning to Its Edge

Cloudflare's Web and API Vulnerability Scanner focuses on detecting Broken Object Level Authorization vulnerabilities in APIs.

CrewAI Vulnerabilities Expose Devices to Hacking

Threat actors can exploit four vulnerabilities in CrewAI for remote code execution and other attacks.

Using AI to code does not mean your code is more secure

AI tools for coding are introducing vulnerabilities, with significant CVEs linked to AI-generated code.

Cyber pros must grasp the vibe coding nettle, says NCSC chief | Computer Weekly

Cyber security professionals must develop safeguards for AI-enhanced software generation to prevent vulnerabilities and cyber attacks.

2 weeks ago

Why Security Validation Is Becoming Agentic

Security validation tools operate in silos while attackers exploit interconnected systems, creating a structural blind spot that Agentic Exposure Validation can address through continuous, autonomous, context-aware assessment.

3 weeks ago

Vulnerability reports: Increase in quantity, decrease in quality? | Computer Weekly

Bug bounty programs face sustainability challenges due to increased low-quality submissions, prompting cURL founder Daniel Stenberg to shut down his HackerOne program and switch to GitHub for vulnerability reporting.

The Great Security Culture Shift: Building a Proactive Defense in an Era of Advanced Threats and Social Engineering

Hackers exploit DLL side-loading on trusted platforms like LinkedIn to deliver malware through seemingly legitimate file attachments, bypassing traditional security defenses and compromising entire corporate networks.