Dark Reading

Hugging Face Packages Weaponized With a Single File Tweak

A tokenizer library file present in Hugging Face AI models can be manipulated to hijack the model's outputs and exfiltrate ...

Running Claude Code or Claude in Chrome? Here's the audit matrix for every blind spot your security stack misses

Four research teams found the same confused deputy failure in Claude across three surfaces in 48 hours. This audit matrix ...

Anthropic response to 1-click pwn: Shouldn't have clicked 'ok'

The TrustFall proof-of-concept attack demonstrates how a cloned code repository can include two JSON files (.mcp.json and ...
The Hacker News

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm ...
Communications of the ACMOpinion

Open Source’s Hidden Language Gap

Open-source i18n is not blocked by goodwill; it’s blocked by missing maintainer-safe infrastructure. Language contributors ...

Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious ...
Morning Overview on MSN

The average time from a vulnerability being published to a working exploit is now just 10 hours

In late May 2023, a critical flaw in the MOVEit file-transfer platform was publicly disclosed. Within hours, the Cl0p ...

Talphera targets Niyad PMA filing in 2026 and potential approval in 2027 as NEPHRO enrollment surpasses 50%

"With this continued progress, we believe we are well positioned to complete enrollment in the NEPHRO CRRT Study this year and file the PMA for a targeted potential approval of Niyad in 2027" (CEO & ...
Tax Guru

Businesses May Face Stricter GST Refund Validation Under New Filing Process

The article explains how the Government replaced the PDF-based Annexure-B with a structured JSON utility for GST refund applications. The new system enables automated invoice-level validations and ...
The Hacker News

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

Quasar Linux RAT (QLNX) harvests DevOps credentials to enable software supply chain attacks with fileless execution and dual ...
Decrypt

Fake OpenAI Repo Hit #1 on Hugging Face—And Stole Passwords While It Trended

A fake repo impersonating the OpenAI Privacy Filter model racked up 244,000 downloads in under 18 hours before Hugging Face ...
SecurityWeek

Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking

Claude Code vulnerability allows attackers to intercept OAuth tokens, enabling access to connected SaaS platforms and ...