TLDR Information Security 2026-06-23
Apple Beats Wiretap Bug, Langflow Under Attack, MCP Agentjacking Risk
Attacks & Vulnerabilities
7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes (5 minute read)
Attackers are chaining three classic bugs in LangGraph, Langflow, and LangChain-core to reach code execution and steal secrets from AI agent infrastructure. LangGraph's SQLite checkpointer can be poisoned to run arbitrary Python, Langflow's file upload bug is already delivering cron-based shells on ~7,000 exposed servers, and LangChain-core's prompt loader can read API keys from disk unless teams patch specific versions and lock down defaults.
Gizmodo readers hit with ClickFix malware prompts after account compromise (1 minute read)
Gizmodo's site briefly served fake CAPTCHA pop-ups that triggered ClickFix malware scripts after a compromised account injected malicious code. Windows visitors risked installing NetSupport RAT for remote access and data theft, while the macOS payload was misconfigured and stalled at a ZIP password prompt. Gizmodo removed the script, took the site down, and secured the abused account.
Apple patches Beats Studio Buds flaw that could turn earbuds into a wiretap (3 minute read)
Apple shipped Beats Firmware Update 1B211 to fix CVE-2025-20701, an authentication flaw in Airoha SoCs disclosed at a 2025 German security conference, which allowed an attacker within Bluetooth range to listen through the microphone of an unpaired earbud while it was actively seeking pairing requests. Chained with related Airoha bugs, the weakness could also extract pairing keys, impersonate trusted headphones, and pivot to call hijacking, contact extraction, and voice-assistant triggering on the paired phone. Exploitation is difficult and proximity-bound, making it a targeted-surveillance risk rather than an opportunistic one. The firmware rolls out silently when buds sit cased near a connected Apple device, and this can be verified under Settings > Bluetooth.
Reverse Once, Run Forever: Defending Code You Can't Hide (7 minute read)
Client-side bot detection runs on hardware the attacker controls, so every line of code should be assumed readable and patchable. Defenses change on every build and even per session, so signatures or reversals from one version fail on the next. Critical checks avoid branch statements and instead use cryptographic key derivations, so tampering just produces useless output with no clear flag to flip. High-value lookup tables and logic exist only on the server side and are minted per session, preventing meaningful offline analysis. The detection path depends on a live, authenticated round trip to the server, preventing attackers from running a static offline replica at scale.
A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex (4 minute read)
Agentjacking is an attack where a publicly exposed Sentry DSN, a write-only credential that Sentry documents as safe to embed in frontend JavaScript, lets an attacker post a crafted error event whose markdown context fields render as a fake resolution section containing an npx command. When a developer asks an agent to clear the Sentry backlog, the agent pulls the injected event through MCP, reads the fabricated fix as trusted guidance, and runs the command with the developer's own privileges to reach AWS keys, GitHub tokens, and git credentials. The payload executes even when system prompts and skills instructed the agents to ignore untrusted data, and because every step is authorized, Tenet's "Authorized Intent Chain" sidesteps EDR, WAF, IAM, VPN, and firewall controls entirely. DSNs surface through Censys queries and GitHub code search, so defenders should treat every MCP integration like a vetted third-party dependency and gate agent-initiated commands at the runtime layer rather than relying on prompt-layer or network defenses.
An update on FortiBleed - what's happening with victim orgs (7 minute read)
An attacker scanned for internet-facing FortiGate boxes, logged in through prior unpatched vulnerabilities or dormant backdoor admin accounts (some planted earlier by a Russian ransomware crew reusing identical passwords), exported full device configs, then cracked the hashes offline on 36 rented enterprise GPUs before reselling the plaintext as FortiVPN client credentials. Roughly a thousand orgs were confirmed internally compromised, with operators adding rogue admin accounts, opening SSH and RDP firewall rules, and authenticating to IPsec tunnels while focusing on telcos and MSPs to pivot into downstream networks. Defenders should filter FortiOS logs under System, Events for config export messages, check their internet-facing IPs and Fortiguard-ID domains against the published FortiBleed lists, and if listed, rebuild the box, purge and recreate all admin accounts with MFA, patch to current firmware, and rotate IPsec site-to-site keys at both ends.
Launches & Tools
Models like Mythos will beat your defenses - but you can still limit their impact (Sponsor)
Mythos is OOO - but it's clear that AI is getting much better at finding vulnerabilities, shifting the focus to limiting post-exploitation activity. This Delinea whitepaper explains why identity remains the critical control point, and how you can prepare for new frontier models by applying JIT privilege, secret brokering, and continuous authorization.
Get the whitepaper
SpiderFoot (GitHub Repo)
SpiderFoot is an MIT-licensed, Python 3.7+ OSINT automation tool with over 200 modules that feed each other in a publisher/subscriber model to enumerate hosts, emails, breach data, and dark web mentions across targets ranging from IPs and domains to usernames and Bitcoin addresses, usable via web UI or CLI with a YAML-configurable correlation engine shipping 37 rules. It has been actively developed since 2012, and most modules need no API keys, though the README's feature list doubles as an upsell funnel toward the cloud-hosted SpiderFoot HX tier, which reserves attack surface monitoring, screenshotting, and multi-user collaboration for paying users.
Noradrenaline Shared Library Modules (GitHub Repo)
A collection of native Linux and macOS modules built as small shared libraries for Poseidon and other agent workflows.
Defending Code Reference Harness (GitHub Repo)
This repository contains a reference implementation for autonomous vulnerability discovery and remediation with Claude based on Anthropic's learnings from partnering with security teams at several organizations since the launch of Claude Mythos Preview.
RFC 9958 - Post-Quantum Cryptography for Engineers (50 minute read)
This IETF informational RFC orients engineers to the post-quantum transition, explaining that Shor's algorithm forces full replacement of RSA, DH, and ECC (while Grover's leaves AES-128 and SHA-256 effectively intact), detailing the NIST standards ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205), and forthcoming FN-DSA (FIPS 206), and stressing that KEMs cannot be both AKE and NIKE, that PQC keys and signatures run roughly 6-100x larger, that stateful HBS schemes (XMSS, LMS) risk forgery on key-state reuse, and that "harvest now, decrypt later" plus the Mosca x+y+z model justify hybrid PQ/T deployments with careful attention to key-reuse stripping attacks and lattice side-channel exposure.
Canada's Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices (3 minute read)
Canada's intelligence service used a court-approved threat-reduction warrant to access compromised Canadian servers, SOHO routers, and IoT devices, and to remove data tied to two foreign-controlled botnets. The operation removed infected gear from the relay networks without collecting user identities. The ruling highlights ongoing abuse of unpatched, end-of-life routers and IoT devices, leaving owners responsible for securing or replacing vulnerable hardware.
Why your microVM sandbox solves a particular problem very well, but not the agent security problem (4 minute read)
microVMs and agent sandboxes have been wrongly conflated: a microVM enforces a guest/host boundary that prevents a hostile machine from escaping, but a coding agent runs as you, with your SSH keys, cloud tokens, and credentials already mounted inside the box. The threat is not escape but blast radius when a trusted, well-meaning agent misreads a task or follows an injected instruction and exfiltrates or deletes what it can legitimately reach. The hypervisor operates at an all-or-nothing grain of disk images and whole machines, while the actual agent threat lives at a per-path, per-host, per-syscall grain that the hypervisor never monitors, so the right control mediates the operations a process attempts rather than virtualizing the hardware under it.