Kategorie

A new ransomware operation named 'Prinz Eugen' prioritizes recently modified files for encryption and leaves no ransom note on the system. [...]

Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff. [...]

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers' Salesforce environments, as the new "Icarus" extortion group publicly claims the attack. [...]

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites. [...]

Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use. This is not a remote attack. It requires Swati Khandelwalhttp://www.blogger.com/profile/[email protected]

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor. This mature portfolio of EDR-terminating tools is centered around a framework that's known as GentleKiller. "They also incorporate third-party or Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Some of the software the world depends on most is maintained by people most users will never know by name. The project might be sitting inside Linux distributions, enterprise software, cloud platforms, and government systems without most users ever realizing it is there.

The recent Keystone advisory is unusual because the vulnerabilities are scattered across several features but keep affecting the same class of security controls. Application credentials, trusts, RBAC enforcement, project ownership validation, token expiration. Different code paths. Similar failures.

Enterprises implementing agentic AI face a challenge: Which tools should they allow their agents to use, where can they be found, and how can they be used safely? A new protocol, Agentic Resource Discovery, or ARD, aims to let agents answer those questions for themselves. Behind it are Google, Microsoft, Cisco, Nvidia, Salesforce and others.

ARD aims to standardize the way that tools and services are shared across systems within a corporate domain. For example, when investigating a production problem, an agent may want to query engineering documentation and open support tickets, deployment history and observability systems, all of which could be managed by different registries and across different silos. There is no common layer that pulls them together. ARD has been designed to be that layer.

It operates across two levels. Catalogs and Registries. In the first, an organization publishes a catalog setting out its available capabilities. The Registries layer act as a form of search engine, crawling those published catalogs.

The ARD specification is available now. Organizations are invited to publish their own catalogs using the quickstart guide. After this, they are able to join the community and participate in the evolution of ARD.

This article first appeared on InfoWorld.

With the market capitalization of AI companies soaring, US Senator Bernie Sanders is looking to give the American people a piece of the action.

The veteran senator for Vermont has introduced the American AI Sovereign Wealth Fund Bill, aiming to give the public a 50 percent ownership in the largest AI companies in the US. It’s a timely move with both OpenAI and Anthropic preparing for the imminent IPOs.

Sanders is not the only one pondering such a move. As the bill notes, OpenAI has proposed the creation of a “Public Wealth Fund” giving citizens a stake in “AI-driven economic growth,” while Anthropic has proposed a sovereign wealth fund to “shape the sector’s behavior.” President Trump’s advisors are also contemplating the possibility of the government grabbing a stake in major AI corporations, according to media reports.

Sovereign wealth funds are not a new idea: Many administrations across the world have implemented them, notably Norway which has about $2 trillion in its wealth fund.

Sanders’ proposal would give the public a direct ownership stake in the largest AI companies, but, he said, it wasn’t just about the wealth. “The foundation of AI is based on the collective knowledge of humanity and the creative work of tens of millions of people. The American people must have the ability to slow it down and make sure that AI benefits humanity, not just the richest people on the planet. That’s precisely what this legislation does,” he said.

An IT executive changing jobs usually attracts little attention outside a narrow group of people, but Noam Shazeer’s move from Google to OpenAI is as momentous as any high-value soccer transfer.

He announced the news in a post on X: “I’m excited to share that I’ll be joining OpenAI and look forward to working with the exceptional team there.”

Shazeer initially achieved fame as one of the eight co-authors of the influential AI paper Attention Is All You Need, published when he was working at Google Brain. He is also one of the creators of the transformer technology that lies at the heart of modern AI models.

He left Google when the company failed to back his chatbot Meena and was tempted back when Google subsequently bought the company he founded, Character.AI, for $2.7 billion. That company achieved notoriety when it was sued by a grieving mother, who alleged that a Character.AI chatbot had contributed to her son’s death by suicide. The company subsequently settling out of court.

Shazeer has since been working as the co-lead on Google’s Gemini project. It’s not clear what role he will play at OpenAI, but hiring someone with his background shortly before the company’s IPO could be an attractive move for investors.

The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals. [...]

Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a process on the host. No credentials, no sign-in screen, and no further user interaction once Swati Khandelwalhttp://www.blogger.com/profile/[email protected]

Dutch law enforcement authorities, along with counterparts from Canada , Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. "With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit said. "This preventsRavie Lakshmananhttp://www.blogger.com/profile/[email protected]

Google, Microsoft, OpenAI, and others want to help enterprises demonstrate that their AI applications are behaving themselves through the creation of a new foundation.

The Appia Foundation will, it explained rather impenetrably, “establish modular specifications that provide a connecting layer to bridge foundational global standards with practical, trusted assessments across the global AI value chain.”

Those specifications will help AI users ascertain whether the systems they are using meet all the obligations that apply to them in the form of standards and regulations, it said. It’s a challenging task with so much regional variation in requirements, and where the EU, for example, is more tightly controlled than the US.

The Foundation has established a set of criteria to demonstrate conformity with what is expected. There are two layers: the Requirements and Guidance layers will help users determine what is actually required, while the Assessment Enablement layer will look at how those requirements are evaluated.

Appia stressed that what it is offering are not standards — which are set by recognized international bodies such as ISO/IEC — but a means of assessing what those standards mean and how they can be used by organizations. However, the Foundation said that some of the criteria that it is introducing may become standards themselves after a period of time.

The Appia Foundation is hosted by the Linux Foundation’s Joint Development Foundation, and its other members include Arm, Ericsson, Mastercard, Mitsubishi Electric, Omron, Schneider Electric, and Siemens. It is also looking to bring academics and government into the fold, so that it can establish an advisory board.

This article first appeared on CIO.

Microsoft Office users may find that some of their applications are failing to open when called on by third-party applications. It’s an issue that has emerged after the latest round of Microsoft updates.

The problem affects Word, Excel, and other Office applications opened from third-party offerings including CCH Engagement, Workpaper Manager, Zotero, or dental office software such as Dentrix or Softdent.

The update issued on June 9 appears to have triggered problems with the OLE automation that these third-party applications use to interact with Office. Users have reported that files are failing to open, with no error message indicating what has gone wrong,

According to one Windows user forum, the issue is particularly frustrating because of this lack of error message. As one user put it, “‘Word won’t open from our workpaper system’ is functionally the same as ‘Word is broken.’ To an administrator, the difference determines whether the next hour is spent repairing Office, rolling back Windows, calling a line-of-business vendor, or opening a Microsoft support case.”

Microsoft has said that it is aware of the issue and is working towards a resolution.

Deleting mystery file

The company is also looking to fix a minor issue that has emerged from this latest round of updates: Users are finding that when items are deleted, the confirmation dialog box displays the internal Recycle Bin file name (for example, $Rxxxxx.ext) instead of the original file name. However, Microsoft stressed that in the Recycle Bin, the item still appears with its original name.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

OpenAI has introduced spend controls and enhanced usage analytics for ChatGPT Enterprise to enable organizations to monitor AI adoption, track consumption across teams, and set budgets for AI usage. But, analysts cautioned, it still can’t show how those costs lead to business benefits.

The new features provide administrators with centralized dashboards showing how ChatGPT is being used across an organization, enabling them to understand adoption patterns, and manage AI costs by setting budgets and tracking spending.

“The Global Admin Console brings ChatGPT and Codex credit usage into one view, so admins can see a more granular breakdown of credit consumption across users, products, and models — helping them understand where spend is coming from and how it maps to actual credit usage,” OpenAI said.

A shift toward AI cost governance

The introduction of budgeting and usage analytics reflects a broader change in enterprise priorities, according to Biswajeet Mahapatra, principal analyst at Forrester.

“Enterprises are clearly shifting from adoption-led enthusiasm to cost and value governance, but this is a natural maturity transition rather than a pullback,” Mahapatra said. “AI is no longer an adoption problem but a measurement and credibility problem, with productivity gains present but fragmented and hard to tie to financial outcomes.”

As AI expands across business units, spending becomes distributed across teams, tools and experiments, making visibility and governance increasingly important, he said.

“Budgeting, usage visibility and spend controls are therefore becoming foundational, not just operational concerns, as they enable alignment between technology usage and business outcomes,” Mahapatra added.

OpenAI is addressing those needs with its new dashboards and spending controls address, he said.

Agent sprawl will add to cost control challenges

Anushree Verma, senior director analyst at Gartner, said AI cost governance is becoming a focus for enterprises, as fragmented pricing models, vendor-defined consumption units and inconsistent pricing structures make it difficult for organizations to predict AI costs.

She expects the challenge to intensify over the next few years as enterprises scale up their use of AI.

“By 2028, an average global Fortune 500 enterprise will have over 150,000 agents in use, up from less than 15 in 2025, generating significant agent sprawl, IT complexity and management challenges,” she said.

Against that backdrop, OpenAI’s new administrative capabilities provide organizations with tools to monitor organizational usage and spending as AI deployments become larger and more distributed.

Measuring AI value beyond consumption

While OpenAI’s analytics emphasize adoption patterns and usage visibility, analysts say enterprises will ultimately need to connect AI consumption with business outcomes.

“Token consumption alone is insufficient because it measures activity rather than impact,” Mahapatra said.

Instead, organizations should evaluate AI initiatives using business metrics such as revenue growth, cost reduction and risk mitigation alongside operational indicators including productivity improvements and quality gains.

Verma said traditional cloud FinOps practices are also evolving to accommodate AI’s usage-based economics.

“Traditional FinOps practices were built around predictable, centralized cloud environments and are insufficient for handling unpredictable AI consumption metrics, such as token usage, LLM requests and GPU hours,” she said.

She added that real-time tracking is becoming increasingly important as multiagent systems scale, because misconfigurations can cause AI costs to rise rapidly across interconnected environments.

This article first appeared on CIO.

AI agents can access data, trigger workflows, deploy code, and interact with critical business systems, often with little oversight. Token Security breaks down why AI agents are becoming a new identity and governance challenge. [...]