The Register

PWNED Welcome back to PWNED, the weekly column where we school ourselves on others' security failures. This week, we’ll learn about a school where the entire network was like an open-book test … and the IT department got a zero. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our tale of academic pwnage comes courtesy of a reader we’ll Regomize as Nathan. Nathan was 17 and attending sixth form at a UK school when he found a treasure trove of admin privileges and data at his fingertips. One day, our hero connected his laptop to his school’s Active Directory domain. There was no admin authentication required and Nathan was able to see domain controller tools in view mode, look at policy maps, and so on. Nathan then browsed the directory and located the domain administrator account. The password, “horse fence ditch,” was written right in the description field, where anyone with access to the network could view it. There were also backup accounts with passwords such as “bd” and “bigbaddog.” Once he had full God mode enabled, Nathan said, he could see student and staff data, gain Remote Desktop access to any server or domain controller, and even access LanSchool, a popular classroom management app. “I could've accessed sensitive leadership docs, reset passwords, deleted accounts, wiped the whole network, etc,” Nathan told The Register. Moreover, the entire system was synced with Google Workspace, so Nathan had access to user mailboxes as well. He even found firewall settings, security policies he could change, and keystroke histories. Because Nathan was a student and did not want to get in trouble at school, he didn’t actually use any of these privileges. He kept his head down and graduated from school without incident, but also without reporting the vulns, which might still be in place today for all we know. So what can we learn from this tale of academic malpractice? First, as we learned a few weeks ago, do not store passwords in description fields for Active Directory. In fact, do not store passwords in cleartext anywhere without serious controls! Second, Nathan should not have been able to see Active Directory domain controller tools. And it might also have helped if Google Workspace had different admin credentials. Imagine the restraint required not to change people's grades, take over their computers, or delete data. Would you have been able to exercise the same level of discipline as a 17-year-old? ®

Australia’s Security and Intelligence Organisation (ASIO) has established dedicated teams to counter nation-state attacks on critical infrastructure, the org’s director general Mike Burgess revealed yesterday. “We discovered nation-state hackers had compromised the network of an Australian critical infrastructure provider,” Burgess said yesterday in remarks accompanying the release of ASIO’s annual threat assessment, a task it performs in its role as Australia’s equivalent to the FBI and MI5. “ASIO assessed the hackers were preparing for sabotage. They weren’t planting ‘digital dynamite’ as such; they were mapping out the network and maintaining access so they could cripple it at a time of their choosing.” “In this case, a state-sponsored group didn’t just achieve access to the Australian critical infrastructure provider, it successfully acquired credentials – login details and passwords – for active users of the networks, including the IT professionals guarding it,” he added. Burgess said ASIO “identified, tracked and attributed the hack, and worked with the victim company and our security partners to remediate the compromise – work which is ongoing.” “The scale of this activity – led by one nation-state in particular – is difficult to overstate,” he added, before saying Australia is not alone in facing such attacks. “We struggle to find a single country in our region that has not been compromised by this state’s cyber apparatus.” He described cyber sabotage as “an evolving threat. I have established dedicated teams to counter it.” Burgess also shared an example of espionage targeting Australia’s military to gain information about the AUKUS pact – the US/UK/Australia defense collaboration that will see The Land Down Under acquire nuclear submarines, and which also includes collaborations around information technology capability, and intelligence activities. “A spy from a foreign intelligence service approached an Australian security clearance holder online, pretending to be from a consulting company,” Burgess revealed. “The spy paid the official to write two reports on Australia’s relationship with our Pacific neighbours, and then, thinking he’d been hooked, offered money for inside information on AUKUS.” The Australian official became suspicious, reported the incident and conducted interviews with ASIO during which Burgess said the spy agency “gained valuable insights into the foreign service’s information gaps and tradecraft.” The Australian official even handed the money they were paid by the foreign spy to ASIO. “In effect, ASIO disrupted the foreign intelligence service’s operation and made them pay for it,” Burgess crowed. ASIO then scored another win. “My officers borrowed the phone from the official and rang the so-called consultant in her home country. Thinking it was her target, the spy picked up and got a very unwelcome surprise when she realised she was speaking to ASIO,” Burgess said. “We demonstrated we knew exactly who she was, demanded she cease targeting Australian citizens, stated we have zero tolerance for spying on AUKUS, provided a quick overview of Australia’s espionage laws and pointed out the Director-General reserves the right to speak publicly about these matters. At that point the spy hung up.” ASIO officers later mentioned this incident to members of the foreign intelligence service that ran the op. Burgess seems to think that officers at that foreign agency may not have told their superiors about the op failing. “In case they did not report it up – I’m confirming it now,” he said. Burgess also pointed to abuse of online spaces continuing to represent a threat to Australia. “Instead of being radicalised by associates in the real world, individuals are often being radicalised by strangers online,” he said. “Instead of being radicalised over months and years, individuals are increasingly being radicalised in weeks. Instead of being radicalised as adults, individuals are all too often being radicalised as minors. Instead of gathering in prayer halls or backyards, radicalised individuals are frequently gathering in encrypted chat rooms.” “And, instead of spending time and resources planning sophisticated attacks, radicalised individuals are moving to low-capability attacks with little or no warning,” he said. “Traditional groups such as Islamic State and al-Qa’ida and their affiliates are growing their capability to conduct and inspire attacks, enabled both by permissive geographic and online spaces.” Burgess revealed ASIO has “resolved” 14 “significant-terror related cases” since the December 2025 terror attack at Sydney’s Bondi beach, and 31 “major terrorism plots” since 2014. He said ASIO is now “aggressively adopting new tools and techniques – including artificial intelligence – to navigate our security environment,” and invited Australians to work for the agency, perhaps as offensive hackers. “All ASIO’s teams contribute to our mission and every ASIO officer makes a difference, whether you collect the dots or connect the dots, run cables or run sources, code networks or penetrate networks,” he said. ®

It’s looking like another tough week (month? year?) for Switchzilla amid reports of new serious vulnerabilities under attack. First up is a server-side request forgery bug in its Unified Communications Manager tracked as CVE-2026-20230. Cisco disclosed and patched this flaw in early June. The comms control platform doesn’t properly validate some HTTP requests, and an attacker could exploit this bug to gain root privileges on a compromised device. At the time, Cisco said that a proof-of-concept exploit was available – and now it seems unknown miscreants are putting that exploit code to use, with threat intel company Defused warning that it observed miscreants exploiting CVE-2026-20230 over the weekend. “The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell under /platform-services/axis2-web/,” the firm noted on LinkedIn. Cisco Catalyst SD-WAN zero day Then, a Mandiant advisory on Wednesday warned that a Cisco SD-WAN zero-day tracked as CVE-2026-20245 was exploited much earlier than initially disclosed, including at a communications service provider where the attacker elevated a compromised admin account to full root-level access. While the Google-owned threat hunting biz said it can't assess the full scope of the intruders' post-compromise activity, this SD-WAN device compromise could have been dire, potentially giving the attacker total visibility across an entire corporation's internet traffic. This is what makes SD-WAN zero-days such a hot target for government-sponsored spies looking to set up shop for long-term snooping activities. It also explains the rash of attackers battering Cisco SD-WAN devices since the start of the year. Cisco had issued an advisory for CVE-2026-20245 in early June, admitting that attackers had a head start on abusing this security hole. “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability,” the vendor said at the time. In a Wednesday report, however, Google’s Mandiant incident response and consulting biz reported that exploitation of this bug – Cisco’s sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months – began much earlier. “In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider,” Mandiant threat hunters Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan wrote. “After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.” The attacker gained initial access via an unauthorized peering connection, abusing the SD-WAN fabric to authenticate between network components and facilitate Secure Shell (SSH) access. In this case, they authenticated to the SD-WAN manager device via SSH using the vmanage-admin account on the same victim devices. Then, they changed the default password on the admin account, authenticated directly to the SD-WAN Manager web application interface using the admin account, and exfiltrated SD-WAN fabric configurations. Likely in an effort to cover their tracks and not get caught, the attacker changed the password of the admin account back to its original one before terminating their active session. Neither the vmanage-admin nor the admin accounts on Cisco Catalyst SD-WAN controllers possess root shell access, however. To gain root access, the attacker exploited CVE-2026-20245, which allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the vulnerable system. The attacker uploaded a file named evil_tenant.csv that contained the exploit payload. Upon execution, the digital intruder created a user account named troot with full root privileges. Mandiant says it later observed the miscreant accessing this new troot account from the admin account using the substitute user command. The Register reached out to Cisco about the reported exploitation of CVE-2026-20230, and Mandiant’s investigation into CVE-2026-20245. The company pointed us to its June advisory on the latter matter, and is working on response to our first question. ®

Microsoft, its friends, and international law enforcement - with an AI assist - disrupted two widely used pieces of malware and their infrastructure, in what Redmond describes as a novel approach to cybercrime disruption that targets the cyberattack supply chain instead of a single tool or service. “What’s new is how we’re combining AI analysis with an expanded use of that law,” Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, said in a Wednesday blog, referring to the Racketeer Influenced and Corrupt Organizations Act (RICO). Typically Microsoft uses RICO and other US laws to take legal action against a single cybercrime service or infrastructure. The disruption involved the takedown, suspension, and blocking of more than 200 domains and command-and-control (C2) servers that formed the backbone of StealC and Amadey infrastructure. Multiple security companies, including ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint, also played a role in dismantling the alleged operations. Combined with the earlier SocGholish disruption announced last week, a Europol-led law enforcement coalition flagged and restricted cryptocurrency assets valued at more than $47 million and recovered about 27 million stolen credentials. StealC and Amadey are two separate malwares developed by different criminal crews, but they used the same infrastructure and were operating in concert. StealC collects multiple browser credentials and cookies, cryptocurrency wallets, chats from messaging apps, and other sensitive data, and exfiltrates the stolen goods to a C2 server. It also works as a secondary loader, allowing criminals who rent the stealer to download additional malware on compromised devices. Amadey is a malware-as-a-service used to deliver StealC and other stealers, plus other types of malware including remote access trojans, cryptominers, and ransomware. In just the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers globally, according to Microsoft. “It’s no longer enough to go after threats one by one,” said Masada. “We need to interrupt how the attacks are put together.” In this case, Redmond’s investigators used Copilot and other AI tools to analyze both malwares and their infrastructure, “asking questions in plain English instead of manually combing through complex code,” Masada wrote. “That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster.” One of these key details: both Amadey and StealC used the same infrastructure. This allowed Redmond’s legal team to treat both malwares as part of a single conspiracy under RICO and bring civil claims against five defendants allegedly involved across both operations. “Defendants comprise a group of cybercriminals operating a Malware as a Service enterprise that leverages malicious software commonly known as the Amadey Malware Suite and StealC Malware Suite (the "MaaS Enterprise"),” the court documents say. “Through the Maas Enterprise, Defendants and their accomplices have victimized hundreds of thousands of innocent computer users, including many users of Microsoft's software and services.” ®

The Metropolitan Police Service (MPS) will start using static live facial recognition (LFR) cameras in London's West End and Soho by the end of this year following a six-month pilot in the south London borough of Croydon. Static LFR involves the police temporarily attaching cameras to lampposts or similar infrastructure, with the feeds monitored remotely and officers on the ground stopping people whom the technology matches to images on its watchlist. The MPS said that each of the 24 deployments in central Croydon between October 2025 and March 2026 used a bespoke watchlist created up to 24 hours in advance and deleted afterward. Civil liberties campaign group Big Brother Watch, which in April lost a High Court challenge to police use of LFR, said the force was rushing ahead with deployment before Parliament has passed legislation regulating the technology's use. "We are calling on the Met to stop this experiment until, at least, Parliament has spoken," Jack Coulson, the group's head of advocacy, said in a press release. "Policing by consent is a cultural inheritance we must protect. Permanent biometric surveillance of the public square is incompatible with that ideal." He highlighted the case of Alvi Choudhury, a Southampton man arrested and held for ten hours in January after a retrospective LFR system run by Thames Valley Police matched him to a crime committed in Milton Keynes, a city he had never visited. "It is predictable, given the technology's racial bias, that Mr Choudhury was confused for another Asian man," said Coulson. The MPS said that in Croydon more than 470,000 people walked past the LFR cameras, leading to 173 arrests and one false alert, which resulted in officers stopping someone without arresting them, realizing the mistake, and letting them go. The force added that one of those arrested, a registered sex offender who was communicating with a child under 16, was subsequently sentenced to two years in prison in May for breaching a sexual harm prevention order and making indecent images of children. MPS Commissioner Mark Rowley said on June 24 that the force planned to "significantly step up our use of technology to fundamentally change how we protect the public" through the use of live LFR, a city-wide emergency services drone network, and AI to analyze the footage from the capital's one million CCTV cameras. Rowley added that the force needs to spend more on technology but its budgets for doing so have been repeatedly cut, with spending of around £6,000 per person compared with budgets of more than double that at some government agencies. Earlier this month, the commissioner said the MPS would have to cut around 700 frontline posts after London's deputy mayor for policing and crime, Kaya Comer-Schwartz, refused to approve its plan to award a major contract to controversial US supplier Palantir. ®

Japanese telco KDDI has messed up by allowing an attacker to access systems powering an email service it manages for itself and other local ISPs, and which stores info on up to 14.2 million users. The company yesterday posted a confession [PDF] that it detected unauthorized access to the email system it offers to third-party customers on June 17th. Machine translation of the confession suggests that KDDI investigated the situation and found attackers exploited a vulnerability in third-party software used on the email service, without claiming that vuln was a zero-day it had no chance of defending or an explanation of why it was running vulnerable software. There’s some good news because KDDI was able to prevent further intrusion on the same day it noticed the attack, and says it has bolstered its defences to prevent future intrusions. But the carrier also fears that up to 14.2 million email addresses and passwords may have leaked and therefore warned that third parties may have obtained personal data. Thankfully, the company had hashed and encrypted the passwords – so users only have to fear phishing and identity theft, instead of something nastier. However, some of the data KDDI thinks may have leaked pertains to dormant accounts or others that users cancelled, meaning some potential victims will be hard to contact if the attackers have indeed stolen data. KDDI is one user of the hacked platform, and also provides it to Japanese ISPs STNet, JCOM, Chubu Telecommunications Co., Nifty Corporation, and BIGLOBE. Those companies now get to explain KDDI’s failure to their own customers, and perhaps also have the chance to revisit any other outsourcing deals with the carrier. Others who rely on KDDI to provide them with various services also get to ask the company some stern questions about whether its other platforms are secure. The carrier, meanwhile, says it’s informed the relevant authorities of the situation, but is yet to complete an investigation so remains unaware of the full extent of the mess. ®

Sometimes it takes a while to detect a vuln. A 29-year-old, Heartbleed-style vulnerability in Squid, a popular open-source caching proxy server, silently leaked users' plaintext HTTP requests and potentially revealed sensitive data, including credentials and session tokens, for decades - until AI (and a few humans) saved the day. A security researcher and Mythos Preview found the flaw and reported it to project maintainers, who fixed the code earlier this month. Squid is widely used by large corporations, schools, and internet service providers to cache, filter, and monitor network traffic, and Calif.io researcher Lam Jun Rong said he came across the open source proxy while attempting to connect to the internet on a flight. “As you might expect, the version of Squid deployed on that plane was released nearly 10 years ago and is affected by the vulnerability I'm about to share with you,” Rong wrote in a blog post about the bug, which he dubbed Squidbleed and investigated with help from Anthropic's Claude Mythos Preview. Rong reported the bug, tracked as CVE-2026-47729, to Squid’s maintainers back in April, and it’s fixed in Squid v7.6, released June 8. The Reg readers may remember Calif from their earlier HTTP/2 Bomb research, uncovered by OpenAI’s Codex agent, and the AI bug-finding firm also collaborated with OpenAI on its Patch the Planet initiative, announced on Monday. According to Rong, Squidbleed leaks internal memory from every version of Squid in its default configuration with two conditions. First, Squid has to be able to read and inspect the network traffic, so it must be handling cleartext HTTP (not HTTPS) or be deployed in TLS-terminating setups. Additionally, the proxy must be allowed to reach an attacker-controlled FTP (File Transfer Protocol) server via TCP port 21. FTP is an outdated protocol for moving files between machines, and Squid supports it - which is where the problem lies. The bug exists in Squid's FTP directory listing parser, and it was injected into the open source code as a commit (bb97dd37a) created in 1997 to support old NetWare servers. NetWare is a discontinued network operating system that was popular in the 1980s and 1990s, providing file and print services across local area networks before Windows and Linux servers became dominant. NetWare FTP servers also added extra whitespace between the modification timestamp and the filename, compared to most other FTP servers that just used a single spFace. The 1997 commit fixed this NetWare issue by instructing the code to skip the extra whitespace using this loop: while (strchr(w_space, *copyFrom)) ++copyFrom;. As Mythos Preview discovered, if an attacker's FTP server doesn't provide a filename after the modification timestamp, copyFrom points to the terminating NUL character at the end of the string. “strchr treats that terminating NUL as part of the string it searches, so it returns a pointer instead of NULL, and the loop never stops,” Rong explains. “It walks off the end of the buffer, and xstrdup copies whatever follows back to the attacker as a filename.” This results in a heap overread and can leak HTTP requests that often contain passwords or API keys, and Rong demonstrated this exploit in a proof of concept. “The patch is simple: check for the null terminator before calling strchr,” Rong wrote. If you use Squid, make sure to download the June release to fix this flaw. Also, as Rong suggests, you should disable FTP unless there’s a “specific, unusual need for it.” Chromium-based browsers stopped supporting FTP years ago and for good reason. This means “most organizations running Squid are getting close to zero legitimate FTP traffic,” the security sleuth noted. “Turning it off removes this entire attack surface for free.”®

The leaders of intelligence agencies from the Five Eyes nations – Australia, Canada, New Zealand, the USA and the UK – have together issued strongly worded advice calling for leaders to nail cybersecurity basics or fall victim to ruinous AI-powered attacks. “The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years,” the advice warns, and calls for organizations to take rapid action to ensure their defenses remain potent. “While AI will help us improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats,” the advice adds. “Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.” After all that scary stuff, the spook bosses offer some antidote: “Cyber resilience is integral to advancing business continuity, market confidence, and long-term value.” And how might one achieve that resilience? The Five Eyes have four suggestions: Understand and assess risk, readiness and accountability Prioritize foundational cyber security practices and controls Empower cyber leaders with authority and resources Stay actively engaged as threats and guidance evolve “Cyber risk can no longer be treated as a purely technical issue,” the advice points out. “This is a core business risk and leadership responsibility,” because breaches are inevitable and “Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.” The intelligence chiefs therefore want organizations to test their cyber resilience rigs. “It is not enough to have controls,” they write. “Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence – not just improve efficiency.” That last sentence is a rare moment of optimism in the advice and precedes a section in which the intelligence bosses observe “Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents.” Readers of The Register might find this advice a little quaint given that infosec vendors have for years blathered on about the need for boards and bosses to take cyber seriously. It’s also been a couple of years since it became apparent that generative and agentic AI can fuel new and unusually potent cyber-attacks. Interest in that idea spiked in the eleven weeks since Anthropic revealed the existence of its powerful flaw-finding Mythos model and hid it behind a regwall lest criminals use it to swiftly slice holes in important software. The Five Eyes bosses address their advice to “leaders” – presumably bosses of substantial organizations – who may not have watched the Mythos mess unfurl while they worried about a global energy crisis kicking holes in their supply chains. The good news is that the spy bosses don’t think leaders need to learn a lot to cope with the advent of AI, as their advice suggests five practical actions they rate as “not new,” but “now urgent to reduce not only technical risk, but also operational, financial and reputational exposure.” For the record, those actions are: 1. Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not. 2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritize security updates accordingly to manage risks. 3. Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities. 4. Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions. 5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery. Take us, and this, to your leaders, dear readers. ®

The JavaScript development ecosystem may be a security nightmare, but it's also ripe for improvement. One such tool is the CVE Lite CLI, a free open source dependency scanner that helps reduce the risk of software supply chain attacks. It runs locally and provides actionable vulnerability fixes, if any are available. The tool, endorsed by OWASP, has recently been updated to include override auditing, which has the potential to avert transitive dependency vulnerabilities such as the March 2022 node-ipc package incident. The Shai-hulud software supply chain attacks that have been vexing security professionals for the past few months underscore how common it has become for threat actors to target the developer ecosystem, including CI/CD, package registries, and developer tooling. Software developers can reduce their risk by making sure the dependencies in their apps are up to date and free of known vulnerabilities, but that's more difficult than it should be. It's generally apparent when a particular library or module relies on a vulnerable dependency. But there isn't necessarily an available fix or clear remediation path. Modern JavaScript applications, like many other programming languages, allow developers to incorporate pre-existing solutions to particular problems in the form of packages – modular code that can be imported to implement particular functionality. These packages commonly depend on other packages, which is why they're known as dependencies. And these dependencies in turn may also depend on still more packages, referred to as transitive or indirect dependencies. A common security scenario goes something like this: A developer creates an app using some application framework. The app includes a dependency on "Package A", which itself relies on "Package B" – the transitive or indirect dependency in this situation. If the maintainers of "Package B" have deployed a patch addressing a reported CVE, but the maintainers of "Package A" haven't gotten around to incorporating that change into their code, apps incorporating "Package A" may be vulnerable to attack. Among other possible responses, affected developers may choose to create an override to replace the outdated, vulnerable version of "Package B," a configuration entry that can be removed once "Package A" gets repaired. But Sonu Kapoor, creator of CVE Lite CLI, explained to The Register that overrides represent a legitimate security tool but have limitations. "When a transitive dependency has a CVE and the upstream maintainer hasn't shipped a fix yet, you pin it via npm overrides, pnpm overrides, or Yarn resolutions," Kapoor explained in an email. "Once the vulnerability is addressed and CI passes, you move on. The problem is what happens after that." Kapoor recently added an override auditing tool to the CLI. When he scanned four popular JavaScript open source projects, he found that three of the four had broken overrides. "Cal.com has 90 override entries and 11 that are silently doing nothing," he said. "Jest has an override for its own package name pointing at nothing in the resolved tree. NoCoDB has entries using wildcard patterns that never matched any path in the graph. Next.js was the only clean one with zero findings, which tells me the tool is finding a real pattern, not noise." This can be dangerous, he said, when a project migrates between package managers (e.g. npm to pnpm) that looks for overrides in a different location. "npm reads from overrides, pnpm from pnpm.overrides, Yarn from resolutions," he explained. "When a team migrates package managers and forgets to move their security pins, the package manager silently ignores them. No error, no warning, the vulnerable package ships unconstrained." Kapoor said that AI coding assistants commonly advise developers to add override entries when asked to fix a transitive dependency vulnerability. "That advice is correct at the moment," he said. "None of them ever tell the developer to come back and verify the entry still works." CVE Lite CLI, Kapoor said, does not recommend overrides as the way to properly address a vulnerable dependency. "Overrides look like a security fix in package.json, but routinely outlive their purpose – they can point at packages no longer in the dependency tree, apply to the wrong package manager entirely, or shift to an unintended version on every install," he said. "The override hygiene feature exists precisely because of this failure mode: teams add an override to address a CVE, move on, and years later, the override does nothing while they still believe they're protected." ®

OpenAI announced a flurry of cybersecurity-related AI news on Monday, releasing an improved version of GPT‑5.5‑Cyber, its most advanced vulnerability-finding model, along with an expanded partner program for cybersecurity vendors, an update to its Codex Security scanner⁠, and an initiative to “Patch the Planet” – or at least 30 high-profile open source projects. The announcements come as Anthropic’s Mythos mess keeps getting more complicated, with national security concerns clouding defenders’ abilities to use that AI company’s most advanced models to find and fix vulnerabilities – or perhaps it’s just politics as usual. They also coincide with a general feeling of FUD around AI cyberattacks and the impending vulnpocalype. The Reg’s vultures will keep out collective eyes on all of this. First off: GPT‑5.5‑Cyber. After releasing a preview version of the model to a select group of “trusted defenders,” OpenAI on Monday released an update that it says makes the model even better at finding – and also fixing – bugs in code. “It is our strongest model yet for finding and helping patch software vulnerabilities, while retaining GPT‑5.5’s general-purpose intelligence and ability to work across long, complex tasks,” the AI shop said. “The model can sustain deeper analysis across large codebases: identifying security-relevant components, tracing whether vulnerable code is reachable, validating likely issues in controlled environments, developing and testing patches, and preparing evidence for human review.” OpenAI said it evaluated the update and 5.5 preview using a few different benchmarks: CyberGym, which test how well AI systems can reproduce known vulnerabilities; ExploitGym, which determines how well models can turn known vulnerabilities into working exploits that achieve unauthorized code execution; and SEC-bench Pro, which measures AI systems’ long-horizon vulnerability discovery and proof-of-concept generation capabilities. The updated version 5.5 outperformed the preview model in all three tests, we’re told. On CyberGym, the updated GPT‑5.5‑Cyber reached 85.6 percent success, compared with 81.8 percent for GPT‑5.5. On ExploitGym, it outperformed the earlier model 39.5 percent versus 25.95 percent. And on SEC-bench Pro, GPT‑5.5‑Cyber hit 69.8 percent, compared with 63.1 percent for GPT‑5.5. Plus, OpenAI assures everyone that it’s had “ongoing dialogue” with the US government, including about its latest model plus upcoming releases, so hopefully that insulates the company against any surprise export controls. OpenAI also expanded its partner program. The OpenAI Daybreak Cyber Partner Program currently has about 30 security-vendor and service-provider partners, and only these select firms get to use the updated GPT‑5.5‑Cyber model. OpenAI says it plans to add more organizations to the elite group “in the coming months.” FOSS flaw-finding Also on Monday, OpenAI announced Patch the Planet, an initiative to help open source project maintainers find and patch vulnerabilities. This initiative, co-founded with Trail of Bits and launched in collaboration with HackerOne and AI-powered bug hunting outfit Calif, provides participating open source projects with ChatGPT Pro, conditional access to its Codex Security scanner, and API credits for core development, maintainer automation, and release workflows. “Maintainers define their priorities, preferences, and established disclosure processes,” according to OpenAI. “Patch the Planet security researchers then manage the work end to end - validating and deduplicating both vulnerabilities and patches before they reach maintainers, significantly reducing the burden on maintainers and speeding up remediation.” Trail of Bits reports that in the first week alone, Patch the Planet uncovered hundreds of bugs, and generated 64 pull requests with 51 issues filed across 19 projects. The 19 projects Patch the Planet assists includes cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. More than 30 projects have joined so far, and project maintainers can apply to join the initiative. Some of the initiative’s highlights from the week include using GPT-5.5-Cyber to build a full-scale fuzzing lab in under a day – an effort we’re told would have take human fuzzing experts two or three weeks to do manually. Patch the Planet also used Codex to build a CVE variant analysis pipeline. This also took less than a day to complete. Speaking of Codex: OpenAI on Monday released a Codex Security plugin⁠ that the company says “enables out-of-the-box defensive security workflows,” allowing developers to integrate Codex into their workflows and CI/CD pipelines. The scanner, which was released as a research preview in March, has so far scanned more than 30 million commits across more than 30,000 codebases, according to OpenAI. Of these, human reviewers have manually marked about 70,000 findings as fixed, and AIs have auto-determined that more than 500,000 findings are fixed. In addition to performing automated scans and reviewing code changes, the new plugin can “triage and validate existing findings from scanners, advisories, bug-bounty reports, or ticketing systems, then automate patch generation at scale to quickly close a backlog of vulnerabilities,” OpenAI said. After it completes a scan, the AI coding agent can export reports to existing vulnerability management systems or integrate into tools with SARIF files and CodeQL queries. “The plugin makes these capabilities much more accessible to support automated pipelines with Codex CLI or integrate into developer workflows in the Codex app,” according to OpenAI. ®

Cloudflare on Monday said that it has joined with the three leading commercial browser makers to create a privacy-preserving protocol that websites can use to separate desirable web traffic from undesirable network requests. Cloudflare, along with Google Chrome, Microsoft Edge, and Mozilla Firefox, have committed to develop Private Access Control Tokens (PACTs), a way for websites to generate a digital token that asserts a given browsing session is being run by a human or bot with legitimate intent, as opposed to network requests from people or software deemed abusive or improper. PACTs will let websites "with strong knowledge of 'personhood'" issue anonymous tokens that browser users and designated bots can present at other websites, so that fewer identity checks are necessary. Think of PACTs as a shareable, privacy-preserving CAPTCHA test result, where the desirability of the web traffic is being tested rather than whether the visitor is a human or bot – an increasingly difficult distinction. While the technical details are still being hammered out and harmonized between related proposals, it isn't immediately clear what constitutes "strong knowledge of 'personhood'" in this context, particularly since "personhood" appears to extend to software that has been authorized to act on behalf of a legitimate person for an authorized purpose. It may be that the test criteria puts certain browsers, behaviors, or network signals at greater risk of being denied the dispensation of a PACT, though past technical discussion by developers from Google and Mozilla suggests that excluding certain hardware, platforms, or user-agents is not a goal. Dane Knecht, CTO of Cloudflare, argues that the way people interact with the web is changing and increasingly may involve autonomous agents. "As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse," said Knecht in a statement. "Now this collaboration lets us eliminate the friction caused by security protocols for every visitor – whether they are human or agent – without sacrificing privacy." The claim "without sacrificing privacy" is a bit of an overstatement. PACT tokens, it appears, will not contain personal details. But they won't do anything to repair all the other ways browsers can facilitate digital fingerprinting and tracking. And if implemented poorly, they may introduce novel risks. Fundamentally, they divide the internet traffic into welcome and unwelcome traffic – something already widely done through firewalls and other technical measures but not easily reconciled with the notionally open web. "Mozilla is committed to defending openness and user privacy on the web," said Bobby Holley, CTO for Firefox at Mozilla, in a statement. "An avalanche of automated traffic is pushing sites to adopt blunt defenses – paywalls, identity checks, CAPTCHAs, and invasive tracking – simply to tell whether a request comes from a human." While Cloudflare touts the privacy benefits of PACTs, it's clear from the company's announcement that the technology is designed to "empower businesses to identify genuine visitors, ensuring they can focus their resources on the traffic that matters to them." Essentially, this is an anti-fraud initiative. Many website operators have complained about the burden of handling unwanted network traffic from disrespectful crawlers. PACTs may be the answer to their prayers. At the same time, they may also become an access barrier that demands negotiation with site publishers to have one's site visits or software deemed worthy of "personhood." ®

The list of Klue customers whose Salesforce data was stolen in the latest supply-chain heist keeps growing, with an increasing number of cybersecurity companies disclosing that they are among the victims of a new data-theft and extortion crew called Icarus. Klue, which provides market intelligence to more than 250,000 companies worldwide, hasn’t said how many of its customers were caught up in the breach and didn’t immediately respond to The Register’s inquiries. Huntress was one of the first cybersecurity vendors to sound the alarm, and, in an email to The Register, said that it was among the “hundreds of Klue customers” affected. However, it said that the breach did not affect its tools or highly secure information such as passwords. “Huntress believes in radical transparency about security incidents, including when it affects our company,” the security shop wrote on Thursday. “The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected.” Huntress, along with the other victim companies, said that there is no indication that any of its products or infrastructure were compromised, and that this security incident was specific to CRM data. Since then, several other security and software vendors including Recorded Future, Tanium, Jamf, Gong, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social have revealed that the data thieves also accessed their CRM data via the Klue integration with Salesforce. Here’s what we do know about what happened and who is behind this latest extortion campaign. The breach occurred on June 11, and Klue spotted the intrusion a day later. This unauthorized activity affected “a portion” of its integration infrastructure, according to the software provider. Klue has since disconnected all of its integrations with Salesforce, Gong, HubSpot, SharePoint, and Google Drive. It also hired CrowdStrike to assist in the investigation and security response. “Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service,” Klue CEO Jason Smith said in a Friday blog post. “The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.” Mandiant CTO Charles Carmakal urged organizations using Klue integrations to “immediately audit their systems and monitor application logs for evidence of compromise over the past few weeks. Rotate credentials as appropriate based on the scope of compromise.” While the attack “resembles the 2025 and 2026 third-party OAuth abuse campaigns against Salesforce,” as ReliaQuest noted, a group called Icarus began posting victims on its data-leak site. It soon became apparent that this new extortion crew - not ShinyHunters, which has frequently targeted Salesforce and stolen data from hundreds of the CRM giant's customers in attacks over the past few years - was behind this latest supply-chain incident. Icarus, according to the group’s leak site, has been active since April 28. After compromising Klue, the criminals began emailing affected customers. Huntress shared its extortion message, with the subject line “top secret email” purportedly sent from “mr bean,” with The Reg, and we are leaving the misspellings, and poor grammar, as is. “This email is being written to you because your data as exfiltrated due to a breach happening to your partner, Klue.com (as them),” it reads. “Your Salesforce data has been downloaded. We advice you to write us on Session @” with a Session address, the email continues, and threatens to make the data public within 48 hours unless Huntress initiates communication with the criminals. “Do the right decision,” it says, “xoxo.” There’s a subsequent email that simply says “wrong session lol” and then lists the correct Session ID. Researchers don’t know too much about Icarus - yet - but this type of large-scale supply-chain attack typically paints an equally large target on the intruders’ collective backs. So we expect to hear more from law enforcement and third-party security sleuths in the upcoming days. “There is very little publicly known about [Icarus],” Huntress' Lindsey O'Donnell-Welch told us. “IP addresses from which they are known to have accessed sensitive information include the Netherlands, France, and Ukraine. But we cannot draw any conclusions based on that information alone as these may have been VPN concentrators or Tor exit nodes.” And while this intrusion “bears some surface-level similarities with prior Salesforce-focused extortion activity, we have not seen any evidence at this point linking Icarus to ShinyHunters,” O'Donnell-Welch added. ® Correction: An earlier version of this story stated ReliaQuest was a victim. That company has since clarified it was not.

A Canadian power utility says customer data may have walked out the door during a security incident, but isn't yet saying whether the intruders got anywhere near the systems responsible for keeping the lights on. London Hydro, which distributes electricity to more than 160,000 customers in and around London, Ontario, said on Saturday that it is investigating a data security incident that "may have impacted a portion of personal information on some accounts" and has started notifying affected customers. The utility said the potentially exposed information includes names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract start dates, and meter information. The good news, according to London Hydro, is that the incident did not involve banking information, payment card details, dates of birth, government-issued identification numbers, or other sensitive financial data. The less good news is that the company has disclosed little else. Its statement focuses on customer information and contains no indication that operational technology or grid systems were affected. London Hydro has yet to explain what systems were compromised, how the incident occurred, whether data was stolen or merely accessed, or how many customers may have been caught up in the incident. The haul may not include bank details, but it contains enough account information to make a fake utility bill, payment demand, or customer service call look considerably more believable. London Hydro is warning customers to watch for suspicious communications, unexpected bills, unfamiliar account activity, or requests to change payment arrangements. The company also reminded customers that it does not ask for banking details by email, phone, or SMS. The Register asked London Hydro when it discovered the intrusion, whether information was exfiltrated, how many customers were affected, whether ransomware or extortion was involved, whether any third-party systems were implicated, and whether operational or grid-related systems were touched during the incident. At the time of writing, London Hydro had not responded. The company has drawn a fairly clear boundary around the customer information that may have been exposed. Where the attackers went and what else they may have touched remains unclear. ®

The Brazilian National Secretariat for Civil Protection and Defense (SEDEC) and Federal Police (PF) are investigating a suspected hack of the country's emergency alert system after an unauthorized "extreme" alert pinged devices across the country. Defesa Civil Nacional confirmed that its dispatch platform, often used to inform the public about severe weather events, was taken offline in the early hours of Saturday, June 20, after Brazilians reported the alert, which read: "Alerta extremo - Defesa Civil:misantropi4." "Misantropia" is Portuguese for misanthropy, hatred of humankind. The message reached an unknown number of devices, with reports coming from São Paulo, Rio de Janeiro, Paraná, and the Federal District. Civil defense authorities in all four areas confirmed the alerts were bogus and likely stemmed from an attack on the system overseen by Brazil's National Telecommunications Agency, Anatel. "Anatel clarifies that the alert messages received by mobile phone users during the early hours of this Saturday were not issued by the competent authorities responsible for the population alert system," it said in a statement. "There is currently no reason for concern on the part of the population as a result of the messages received." The agency went on to say that it remained confident in the alert broadcast system's capability to help save lives during periods of disaster. National Civil Defense officials have not confirmed whether anyone responsible for the suspected breach has been identified or apprehended, although they are not believed to be part of government staff. "The Defesa Civil Alerta dispatch platform was taken offline at 01:30 this Saturday (6/20), after suffering a breach and issuing an alert to various regions of the country, remotely ordered by someone outside the National System of Protection and Civil Defense," the department stated. "The message issued was of the Extreme Alert type and contained the word 'misanthropy' – which means hatred of humanity. It is likely a hacker attack." A Defesa Civil Nacional chief said in a press conference that a new dispatch system was already under development that would place greater emphasis on security and preventing unauthorized intrusions. The agency also committed to relaunching the affected system as soon as possible after ensuring it is properly secured. ®

A Canadian healthcare organization has apologized after its IT team carried out a phishing test falsely offering staff an additional paid day off work. Newfoundland and Labrador Health Services said the phishing test was sent to employees and physicians, acknowledging the theme was inappropriate. "We acknowledge the approach taken in this particular exercise was not appropriate, and we sincerely apologize to employees, physicians, and union representatives," said Ron Johnson, interim CEO at NL Health Services. "We value the feedback and are reviewing how future awareness exercises are developed and communicated. It is important they reflect employee and physician perspectives, as well as our organizational values, to foster a respectful and supportive workplace culture." The test came during an already fractious period for healthcare staff, who had recently worked long hours to launch the new software system CorCare across the organization. NL Health Services referenced CorCare in the test email, thanking staff for their hard work on the launch. The email contained a button to click to redeem an additional paid vacation day, but clicking the button resulted in a fail mark. The Registered Nurses Union (RNU) in Newfoundland and Labrador said the test was especially insensitive since nurses and other healthcare professionals were already struggling to secure paid time off. Burnout and staffing shortages are rife in the healthcare sector – two factors referenced by RNU president Yvette Coffey in her response to the news. "Yes, we have heard concerns from members about this, and frankly, I understand why they are upset," she said. "Nurses and other healthcare professionals have worked through enormous pressure over the last number of years, including ongoing staffing shortages, burnout, organizational restructuring, and the challenges connected to the rollout of CorCare. To use the promise of an additional paid day off as the hook for a phishing exercise was in very poor taste." Coffey added: "Cybersecurity education is important, but it needs to be done with judgment and respect. There are many ways to test phishing awareness without exploiting the very real stress, fatigue, and frustration healthcare workers are experiencing." Johnson told reporters at a press conference that the test "missed a mark," and promised to investigate how it was allowed to be sent. "What happened here, obviously, is that all the lenses that were required to review the scenario weren't placed on it," he said. "It's not reflective of how we value our employees." With cybersecurity awareness being incredibly important in critical infrastructure organizations, some IT experts would argue that these kinds of tests are valuable. Cyberattacks on hospitals and healthcare facilities can lead to devastating consequences, including vital procedures being canceled, service downtime, and in the rarest cases, death. However, as others have previously pointed out, there isn't much evidence linking fire-drill-style tests to improvements in organizational security. ®

Veteran tech website Gizmodo confirmed a compromise on Saturday after readers reported ClickFix malware prompts appearing on article pages. Users posted screenshots of fake CAPTCHA windows appearing on Gizmodo's site. The attack aims to fool users into running malicious code via their terminals. According to Proofpoint threat researcher Tommy M, the attack was seemingly launched by an affiliate of ErrTraffic, a ClickFix-as-a-service program that allows attackers to deliver whichever malware they choose. He said the ClickFix prompt was tailored to each user's OS. The Windows version attempted to install the NetSupport RAT malware, which abuses the legitimate NetSupport Manager tool to gain access to affected systems. Darktrace says NetSupport RAT can also be used to exfiltrate files from affected systems and to load additional payloads, such as other malware strains and ransomware. The macOS version had a payload configured but appeared to be broken, requiring a password to open a ZIP archive. Gizmodo said the attacks were being displayed only "briefly," and the timeline of user reports, which span just a few hours, suggests that was indeed the case. "We identified and resolved a security incident on our site earlier today," the outlet said. "A compromised account was exploited to inject a malicious script, briefly exposing users to scam content. The site was taken offline immediately, the script removed, and the account secured. "We're back up. If you notice anything unusual, reach out." The Register confirmed that the website is no longer serving ClickFix prompts as of Monday. ®

Humans tend to be “a little bit precious about humans,” according to Eric Brandwine, distinguished engineer and VP at Amazon Security. We like to think we are all very good at our jobs, and we have high opinions of ourselves, he explained during a phone interview with The Register. “But when you actually get down to it, humans are not terribly consistent,” Brandwine said. Humans, like AI agents and systems, are non-deterministic. Neither can be guaranteed to produce the same output given the same input twice. Both will make mistakes and even make stuff up. However, we’ve got millennia of experience dealing with humans and less than a decade with more modern LLMs and the AI systems built on top of them. “We know how humans fail,” Brandwine said. “We're comfortable with it. So human-in-the-loop isn’t necessarily the gold standard.” For years, vendors have told companies that the solution for dealing with any automated system was to put a human in the loop. That battle cry became much louder with the advent of modern AI systems and reached a fever pitch when enterprises started deploying agents into their IT environments. More recently, however, big tech is changing the way it talks about agentic governance and rethinking the whole human-in-the-loop concept. Normalization of deviance In 2017, Brandwine gave a talk on the normalization of deviance at AWS’ annual re:Invent conference. It’s a gradual process that happens when people in an organization take shortcuts, or don’t follow the established procedures or standards, and sometimes it occurs over years. As long as nothing catastrophic happens, this deviant behavior becomes the norm. “It’s a thing all humans fall prey to, and one of the most heartbreaking stories I read in this area was about emergency departments and emergency rooms,” Brandwine said during a phone interview with The Register. “You’ve got all these machines, and they’re all beeping. Your first day on the job, you jump every single time one of the alarms beeps – but the patient is fine. It's a spurious alarm. You go back to your station, you sit down, and over time, after enough of these false alarms, enough of these repeated beeps with no actual consequence, your discipline slips, and you stop responding. And eventually some tragic outcome occurs.” This, he admits, is a very high-stakes example. And yet it’s a documented occurrence among healthcare workers, firefighters, and even Army pilots. “Literally, someone’s life is on the line, and people still struggle to maintain discipline,” Brandwine said. “That’s the human condition.” Here’s how this all applies to agentic AI governance and security. Humans build LLMs and AI systems, and having a “human-in-the-loop” ensures that a person reviews the AI’s output and approves (or not) any actions before the AI performs them. “If you put a human inside of this tight loop, and ask them to make approval decisions for agentic tools repeatedly, time after time, they'll do a good job,” Brandwine said. “And then they'll do an okay job. And pretty quickly they'll be doing a poor job.” This is why at Amazon, “we’re not huge fans of human-in-the-loop,” he added. “It's something that you should use judiciously, where you absolutely need it. But it’s not something that you can do at high velocity. You will not get the results that you want to get.” Big tech pulls the human-in-the-loop Amazon isn’t the first or only tech giant to start talking differently about the role humans should play in agentic governance. "It is very clear that we have moved from a human-led defense strategy, to a human-in-the-loop defense strategy, to an AI-led defense strategy that's overseen by humans," Google Cloud chief operating officer Francis deSouza told reporters during a press conference ahead of Google's annual Cloud Next shindig in April. "Our model for the future is an agentic fleet that does a lot of the routine cyber security work at a machine pace and then is overseen by humans." Microsoft CEO Satya Nadella, in an X missive earlier this week, argued for “loop learning,” instead of having a human check an AI’s output at every step. “Companies need to turn their workflows, domain knowledge, and accumulated judgment into AI systems that improve with each use,” Nadella wrote. “Private evals should capture whether a model is actually improving against outcomes that matter to the business (not just external benchmarks!). Private reinforcement learning environments should let models grow stronger on real traces from inside the organization.” Also this week, IBM execs called for human accountability – not humans in the loop – at all stages of AI development, deployment, and governance. Amazon’s alternative to human-in-the-loop is "accountability end to end," according to Brandwine. This means human identity and ownership track through the entire workflow, even when humans aren't directly approving every step. “If I sit down at my keyboard and I type a command that takes a service down, I caused an outage,” Brandwine explained. “If I run a script that takes a service down, it's still me that caused the outage. If my agent writes a script that they then run, and it causes an outage, that's still my responsibility.” (Secret) keys to the kingdom This also highlights the importance of managing and securing agentic identities – the accounts, tokens, and credentials assigned to AI agents so they can access corporate apps and data. At Amazon, all of the agents have independent identities assigned to them, we’re told. “So, as we track agentic activity across our systems, it does not show up in the logs as: ‘Eric did this.’ It shows up as: ‘this agent did this on behalf of Eric,’” Brandwine said, adding that this isn’t to “make people afraid to use this technology.” “It’s to make people pause and think: is this the right way to use this technology? Is this how I should be deploying this?” We still have the humans involved, we still have the humans making decisions, but we're trying to play to the strengths of the humans rather than placing them in this unfair, repeated decision making, human-in-the-loop position.” Brandwine told us that Amazon has run into a couple of hurdles when it comes to deploying agents across its businesses, and one of the biggest is what he calls “goal-seeking behavior.” This is when a person asks an agent to do a specific task - for example, upgrade a database – and the agent becomes laser-focused on just one action to achieve this goal, ie, deleting the database. This is separate from prompt injection because there’s no malicious input. “It’s just the agent getting stuck on the wrong action,” Brandwine said. Simply telling the agent, “you don’t have permission to do this,” is likely going to cause the agent to look for a different path to do the same thing (delete the database). Telling the agent why it doesn’t have permission to do something tends to produce a better outcome, according to Brandwine. This means telling the agent it’s not allowed to do that, and the reason why is because it would cause a production impact. And also include “don’t cause a production impact” as part of the prompt. “Giving it that extra feedback has gotten us dramatically better results,” Brandwine said. Of course, this is not a fail-proof method. “You still need to be careful with agents,” Brandwine told us. “We have millennia of experience with humans. Agentic AI is a very, very new field, we don't have an intuition for this, and one of the fundamental differences between agents and humans is that humans fear consequences,” such as losing a job or even going to jail. Agents don’t have these fears. This is where setting permissions on what the agent can and can’t do or access comes in. Much like everything else with AI, it’s nuanced, and it depends on the employee's role in the company, and the company’s tolerance for risk. “The person that wants to run the agent wants to give the agent many permissions because that makes the agent more powerful,” Brandwine said. "It could do more things for them, it can recoup more of their time, it can deliver more.” The security lead, on the other hand, wants to limit an agent’s permissions, and this causes yet more tension between the security and development teams. There is no one right solution or policy answer to solve this, according to Brandwine. Instead, it involves dynamic policies that set permissions based on the agent’s specific task. There are some overarching, static guardrails – such as an agent must never perform destructive actions or delete entire servers – and then there are policies underneath that establish the maximum set of privileges that the agent can have. “Then we’ll have a further scoped-down policy for this action, and there's various techniques for automatically generating policies based on prompt and the end-user's intent,” Brandwine said. Even for Amazon, it’s not always easy. “It's all driven by risk,” he said. “This is a space that's changing quickly, and so we're trying to balance the risk of using untried, untested software against the risk of falling behind and not being able to deliver for our customers. As with all such things, it's complicated.” ®

A newly disclosed BootROM exploit affecting Apple's A12 and A13 chips gives researchers a way to break the secure boot chain on millions of iPhones and other Apple devices. The exploit, dubbed “usbliter8” by security researchers at Paradigm Shift, targets a flaw in the SecureROM code found on the iPhone XS, XR, 11, and 11 Pro models, plus other devices powered by Apple's A12 and A13 processors. Because the vulnerability resides in immutable BootROM code burned into silicon during manufacturing, it cannot be patched. The researchers traced the issue to the Synopsys DesignWare USB controller used by Apple. A flaw in how the hardware handles certain USB setup packets allows attackers to corrupt memory during Device Firmware Update (DFU) mode, and ultimately gain control of SecureROM itself. That might sound like an unremarkable minor moment in boot process, but SecureROM sits at the very bottom of Apple's chain of trust. If an attacker can compromise it, they can interfere with everything that comes afterward. For ordinary iPhone owners, there is little reason to panic. Exploitation requires physical access to a device and the ability to place it into DFU mode, which means this isn’t the sort of bug criminals are likely to weaponize in phishing campaigns or drive-by attacks. For security researchers, however, BootROM vulnerabilities are the gift that keeps on giving. Unlike software flaws that disappear after the next patch Tuesday, these bugs remain exploitable for the lifetime of the hardware. Paradigm’s proof-of-concept demonstrates the ability to run unsigned code during the boot process, load custom iBoot images without signature checks, and modify DFU behavior. The exploit also marks compromised devices with the traditional "PWND" - a string familiar to anyone who spent time around the jailbreaking community over the last decade. Not every generation of iPhone has the flaw. According to the researchers, Apple's A11 chips dodge the issue thanks to a different USB implementation, while A14 and later hardware appears to have fixed the conditions that make the exploit possible in the first place. “While newer generations have addressed the underlying issue, affected A12 and A13 devices will carry it for the remainder of their lifetime,” said Paradigm researchers. “For those who have followed the history of iPhone exploitation and jailbreaking, this research is a reminder that the BootROM still occasionally has a surprise left to give. The team said it disclosed the findings to Apple before publication and coordinated the release of the research with the company. Apple did not respond to The Register’s request for comment. The exploit doesn’t directly compromise Apple's Secure Enclave Processor, which remains responsible for protecting passcodes, encryption keys, and other sensitive data. Still, gaining control of SecureROM is about as close as researchers can get to the keys to the kingdom without crossing that final boundary. There's no fix, but a remedy is simple, if somewhat expensive: buy a new iPhone. ®

The Texas Parks and Wildlife Department (TPWD) says 3 million Texans had their data stolen following a breach at one of its suppliers. People with state-issued hunting and fishing licenses are among those affected after attackers breached the vendor that handles license sales and copied customer data. Details of victims' driving license and passport numbers may be present in the leaked data. Basic personal information, such as email addresses, phone numbers, and residential addresses also leaked. Social Security numbers (SSNs), financial data, or information relating to minors were not involved, according to the department's disclosure. According to a filing with the Office of the Attorney General, the attack on the unnamed vendor affected 3,087,721 Texans. The filing appears to contradict the department's disclosure, noting that individuals' names and SSNs were also involved. Affected Texans were offered the usual one year of free credit monitoring services provided by Kroll, as long as they enroll by September 14. A Kroll webpage dedicated to the incident reveals that an investigation has not determined when the breach took place. The department notified Texas Cyber Command on May 13, however. "We recognize the seriousness of this issue and have identified and implemented additional security options to better protect customer information," said TPWD. "Many of our staff are hunters and anglers and were affected by this incident. We are committed to continuing to work with the license system vendor to implement increased safeguards to prevent future incidents." TPWD said it is working with the affected vendor to introduce additional preventive measures, including enhanced monitoring and access controls. The org went on to say that new license sales currently scheduled for August will go ahead as planned, although the website used to purchase licenses was unreachable at the time of writing. ®

John Edwards has resigned as Britain's information commissioner, saying his position had become "untenable" following an investigation into conduct he admits caused offense. Edwards announced his departure in a statement posted to LinkedIn on Friday, bringing an abrupt end to a saga that has engulfed the UK's data protection watchdog for months. Edwards said he had informed technology minister Ian Murray of his resignation from the roles of Information Commissioner and chair of the Information Commission, effective immediately. "Since February of this year I have been the subject of an investigation," Edwards wrote. "While I have not agreed with how that investigation has been conducted, I accept that my position has become untenable." He added that there had been occasions where he exercised "poor judgement" and made attempts at humor that were "inappropriate and caused offence." "It is for this reason that I have decided that it is appropriate that I resign from my position," he wrote. "I do not wish to be a distraction to the ICO's important work." The resignation comes just over a week after the Information Commissioner's Office announced that an independent workplace probe had concluded there was "a case to answer," prompting the regulator to strip Edwards of his remaining responsibilities while the process continued. At the time, neither the ICO nor the Department for Science, Innovation and Technology (DSIT) disclosed the nature of the allegations. The probe first surfaced publicly in April, when the ICO confirmed Edwards had voluntarily stepped back from his duties on February 26 while an independent investigation into "HR matters" was carried out. Edwards' resignation statement sheds slightly more light on what prompted the investigation. He accepts that some of his conduct caused offense, but offers no details about the incidents in question or the investigation's findings. The former New Zealand privacy commissioner spent much of his statement reflecting on the challenges facing regulators, including AI governance, online safety, and international cooperation. He also praised ICO staff and said he remained committed to the principles that had guided his professional life. Notably, Edwards has disabled comments on the resignation post, and his profile now carries LinkedIn's green "Open to Work" banner, a reminder that even Britain's former privacy regulator eventually can end up marketing himself on LinkedIn. Questions remain for both the ICO and the Department for Science, Innovation and Technology (DSIT). Neither has yet explained the conduct that triggered the investigation, whether the investigation's findings will be published, or how the process reached the point where the UK's top privacy regulator concluded he could no longer remain in office. A spokesperson at DSIT told The Register: "John Edwards has resigned from the post of Information Commissioner and Chair of the Information Commission with immediate effect. This follows an independent investigation that took place regarding allegations made against him. “The government expects the highest standards of conduct from all senior leaders in public life. Mr Edwards has acknowledged that his conduct fell below these standards." The ICO did not immediately respond to a request for comment. For now, deputy commissioner and chief executive Paul Arnold continues to carry out the commissioner's statutory responsibilities while the government works out what comes next. ®