groundy

security

40 articles · rss

Top in security

  1. may 24 · security · TanStack npm Attack: When OIDC Trusted Publishing Becomes the Attack Vector
  2. may 24 · security · Nx s1ngularity Attackers Used Local Claude Code and Gemini CLI to Steal Developer Tokens
  3. may 23 · security · OpenAI Ships Lockdown Mode and Elevated Risk Labels for ChatGPT Sessions
  4. may 22 · security · AI Jailbreaks Are Now a Reasoning Problem, Not a Prompt Problem
  5. may 22 · security · Jailbreak Defense Now Lives in Model Weights, Not in Prompt Filters
  6. may 22 · security · Vercel Blocks Deploys With Vulnerable next-mdx-remote by Default: Platform Mitigation Outpaces the CVE Cycle
  7. may 22 · security · Vercel's Next.js Middleware Bypass Postmortem: What the Fix Reveals About Edge Runtime Auth
  8. may 22 · security · OpenAI's New Agent Defense Post Concedes Prompt Injection Is Architectural, Not Patchable
  9. may 22 · security · When Stronger Backdoor Triggers Backfire: An arXiv Theory Paper Inverts a Core Defense Assumption
  10. may 17 · security · DPrivBench: LLMs Score 99.5% on Textbook DP but Collapse on Advanced Reasoning
  11. may 17 · security · Catching Graph Neural Net Backdoors by Influence, Not Pattern
  12. may 17 · security · TrustFall: One Keypress in Claude Code, Gemini CLI, Cursor, and Copilot CLI Triggers Unsandboxed RCE
  13. may 17 · security · Mini Shai-Hulud Ships the First Malicious npm With Valid SLSA Provenance
  14. may 17 · security · MultiBreak Benchmark: 10,389 Multi-Turn Jailbreak Prompts Raise ASR 54pp on DeepSeek-R1-7B
  15. may 17 · security · Next.js CVE-2026-44578: WebSocket Upgrade SSRF Hits 79,000 Self-Hosted Instances From 13.4.13 Onward
  16. may 17 · security · PraisonAI CVE-2026-44338: Legacy Flask API Ships With AUTH_ENABLED=False, First Scan in 3h44m
  17. may 16 · security · Microsoft Semantic Kernel Patches Two RCE Paths: eval() in Vector Filter, DownloadFileAsync Escape to Host
  18. apr 28 · security · Windsurf CVE-2026-30615 Is the Only Zero-Click in the April MCP RCE Wave: HTML Rewrites the Config
  19. apr 28 · security · Paperclip CVE-2026-41208: Agents Can Mutate Their Own provisionCommand Into Server-Side Shell Injection
  20. apr 28 · security · Spring AI 1.0.6 Patches Five CVEs Including CVSS 8.8 SQL Injection in CosmosDBVectorStore.doDelete
  21. apr 28 · security · LMDeploy CVE-2026-33626: Vision-LLM SSRF Exploited Within 12 Hours of GHSA Publication
  22. apr 27 · security · Vercel's April 2026 Database Leak Pivoted From Lumma Stealer at Context AI via a Chrome Extension
  23. apr 28 · security · InstructLab CVE-2026-6859: Hardcoded trust_remote_code=True Turns Any HuggingFace Model Into RCE
  24. apr 28 · security · PickleScan 1.0.4 Patches a CVSS 10.0 pkgutil.resolve_name Bypass and Six Missing Stdlib RCE Modules
  25. apr 28 · security · Mercor's 4TB Lapsus$ Breach Hands Voice-Clone Attackers 40,000 Pre-Verified Targets
  26. apr 27 · security · Bitwarden CLI Compromise Extends the Checkmarx Supply-Chain Campaign to Credential Tooling
  27. apr 23 · security · Flowise's CVE-2026-41264: LLM-Written `import` Becomes Unauthenticated RCE
  28. apr 23 · security · Citizen Lab's 'Bad Connection' Names Three Telecom Entry Points, Shows Diameter Silently Falls Back to SS7
  29. apr 22 · security · SGLang's CVE-2026-5760 Turns a GGUF Download Into RCE, Shifting the Trust Boundary to Hugging Face
  30. apr 22 · security · March-April MCP CVEs Expose the Local-Host Trust Model in AI Agent Frameworks
  31. mar 12 · security · How Researchers Hacked McKinsey's AI Platform: What It Reveals
  32. feb 19 · security · The Mysterious Case of Chinese Bot Traffic in 2026: How AI-Powered Bots Are Rewriting the Rules of Detection

Security coverage here starts from a premise other beats elide: the AI stack is not a new attack surface so much as an old one wearing fresh abstractions. Inference servers, agent frameworks, and notebook runtimes ship with the same deserialization, SSRF, and path-traversal classes that web infrastructure spent two decades learning to harden, only now wired directly to credential stores, tool execution, and untrusted model output. The interesting question is rarely whether a given framework is exploitable; it is which inherited assumption finally broke under agentic load.

We track three structural tensions. First, the collapse of the local-host trust model as agent protocols carry developer-grade defaults into multi-tenant deployments. Second, supply-chain compromise that bypasses scanner coverage by hiding in places package auditors do not look, from model repositories to preinstall hooks to registry metadata. Third, the shrinking window between coordinated disclosure and in-the-wild exploitation, which is increasingly measured in hours and which exposes how much of the ecosystem still treats patch cadence as a quarterly concern.

The frame is comparative and skeptical rather than alarmist. Vendor lockdown modes, model-level safety training, and detector benchmarks all get evaluated against the same standard: does this address a structural property of the system, or relocate the failure mode somewhere harder to audit? Jailbreak research, disclosure-policy enforcement, and institutional credential hygiene belong on the same beat because they fail for related reasons. The work is to name those reasons in a way that still reads true after the specific advisories have rolled off the front page.