2026-01-20 13:14:11
OMG, it's Patch Tuesday
Microsoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/
Putting the Raiders' Struggles into Eye-Popping Perspective
https://www.si.com/nfl/raiders/onsi/las-vegas-struggles-into-eye-popping-perspective
NFL playoff team weaknesses: Fatal flaws range from Bills' leaky run defense to major quarterback questions
https://www.cbssports.com/nfl/news/nfl-playoff-team-weaknesses-fatal-flaws/
In this world nothing can be said to be certain except death, taxes and LLM will dutifully exfiltrate your data via a hidden prompt:
https://www.promptarmor.com/resources/claude-cowork-exfiltrates-files
With so much going on in the world, check out today's Metacurity for a one-stop run-down of the critical infosec developments you should know, including
--Microsoft took down massive cybercrime platform RedVDS,
--Google's Fast Pair protocol enables hackers to connect with audio accessories,
--Shipping-related firm Bluspark Global patched a raft of flaws,
--Kimwolf botnet may have hit its maximum potential,
--CNIL fined French mobile companies for data bre…
Boeing Knew About Flaws in UPS Plane That Crashed in Louisville, N.T.S.B. Says - The New York Times
https://www.nytimes.com/2026/01/14/us/louisville-crash-report.html
NFL wild card overreactions: Is Matt LaFleur on hot seat after Packers' meltdown? Are Rams' flaws fatal?
https://www.cbssports.com/nfl/news/nfl-wil
RE: https://mastodon.social/@sil/115683600028649718
This. And yet: looking at its context, it was _shipped_ soon after that prototype period, renamed to 'java'script to tack on to the zeitgeist, and built as a glue language without basic debugging. Some of the mistakes persist!
But it did in fact turn into a reasonable language that's fully developed. Not without deep flaws, but most real systems have deep flaws. The _way_ the half-assing plays out matters a lot.
@… seems like it’s not *quite* baseline yet (for the flaws baseline has, seems useful to note here)
Apple and Google have released several software updates
to protect against a hacking campaign targeting an unknown number of their users.
On Wednesday, Google released patches for a handful of security bugs in its Chrome browser,
-- noting that one of the bugs was being actively exploited by hackers before the company had time to patch it.
Unusually for Google, the company provided no further details at the time. But on Friday, Google updated the page to say that t…
In 2025, the top 5 known exploited vulnerability (#KEV) vendors as of https://cyble.com/blog/cisa-kev-2025-exploited-vulnerabilities-growth/ were:
Microsoft (39)
<…
Before you head out for the weekend, check out today's Metacurity for the most critical infosec developments you should know, including
--Chinese state hackers used Anthropic to automate cyber intrusions,
--UK MoD knew of Excel's security risks before Afghan data leak,
--NHS investigates Clop's attack claims,
--ASUS patches DSL router critical flaws,
--DoorDash reveals October security incident,
--US feds warn of Akira's expanded encryption …
Cowboys' biggest flaws exposed in loss to Lions. How do they fix them?
https://www.nytimes.com/athletic/6867805/2025/12/08/cowboys-biggest-concerns-pass-rush-secondary/
Ravens still have a path to the playoffs, but Baltimore's flaws are putting John Harbaugh's future in question
https://www.cbssports.com/nfl/news/ravens-playoff-c…
The week's cybersecurity news is really heating up today, so check out Metacurity for the most critical developments you should know, including
--China orders domestic companies to stop using US cybersecurity software,
--White House renominates Plankey as CISA Director,
--Whistleblower leaks sensitive data on ICE and Border Patrol workers,
--Man to plead guilty for hacking Supreme Court system,
--Microsoft issues fixes for 114 flaws,
--Belgian hospital …
WaPo says it was impacted by a series of breaches involving Oracle's E-Business Suite, whose flaws were exploited by a ransomware gang (Jake Bleiberg/Bloomberg)
https://www.bloomberg.com/news/articles/2025-11-06/washington-…
React discloses an unauthenticated remote code execution flaw in React Server Components; Wiz says 39% of cloud environments contain vulnerable instances (The Hacker News)
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
Only one day left in a very news-heavy work week, so don't miss today's Metacurity for the crucial cybersecurity news you should know, including
--Operation Endgame dismantled Rhadamanthys, VenomRAT, and Elysium,
--DC US Attorney launches investigation into crypto scams,
--APT exploited Citrix Bleed2 flaws in Cisco ISE,
--CISA orders patching of Cisco ASA and Firepower devices,
--Extremist group 764 member faces charges related to online child exploitatio…
Bills' lack of playmakers among 5 glaring flaws for NFL contenders
https://www.nytimes.com/athletic/6802241/2025/11/13/nfl-trends-week-11-contenders-concerns-bills-steelers-colts/
"strncpy() is a weird function with a crappy API."
good thing I don't do C 🙃
Seriously though - projects defining their own strc(o)py do mean flaws in a standard library.
https://daniel.haxx.se/blog/2025/12/29/no-strcpy-either/
Check out today's packed Metacurity for the most critical infosec developments you should know, including
--Venezuela's state-run oil company PDVSA was hit by a cyberattack,
--Coupang's founder failed to show at parliamentary hearing,
--Vast majority of parked domains foist scams and malware,
--FTC orders Nomad to pay victims after hackers stole cryptocurrency,
--noyb alleges data exposure by TikTok, Grindr and AppFlyer,
--Hackers exploit critica…
RE: https://neuromatch.social/@fancysandwiches/115866242270399067
If you're using generative models in your work, you are taking ownership of that work. Its flaws are your fault, so review carefully and waste less of your colleagues' tim…
Mahomes-Allen Part X will expose fatal flaws for both contenders ahead of NFL's trade deadline
https://www.cbssports.com/nfl/news/mahomes-allen-part-x-will-expos…
Review of Samsung's Galaxy Z TriFold: sturdy but poor camera performance and has some unique design flaws that make it even less polished than regular foldables (Vlad Savov/Bloomberg)
https://www.bloomberg.com/news/features/20
Clover Security, whose AI agents plug into developer platforms like GitHub to predict and detect security flaws, raised $36M led by Notable Capital and Team8 (Sam Sabin/Axios)
https://www.axios.com/2025/11/25/clover-security-funding-wiz-crowdstrike-no…
Every day is a big cyber news day, so don't miss today's Metacurity for the most critical infosec developments you should know, including
--Twin brother hackers arrested for US government hacking, data destruction spree,
--GRU cyber ops sanctioned into Skripal poisoning inquiry,
--Defenders scramble to patch React Server Components' critical flaws,
--AI agents match human attackers in smart contract exploits,
--AZ Atty. General sues Temu for customer …
So much happened over the weekend, so check out today's Metacurity for the most critical infosec developments you might have missed, including
--Hackers who stole trove of sensitive UPenn data deride 'dog**** elitist institution',
--LLM giants are trying to stop indirect prompt injection attacks,
--Oz government warns of Cisco IOS XE flaws,
--Polish authorities probe cyberattack on online loan platform,
--Chinese President Xi Jinping joked about smar…
Man, today's Metacurity is packed with tons of critical infosec developments you should know, including
--Google sues Chinese smishing giant Lighthouse Enterprise for scams across 120 countries,
--UK proposes new cyberattack defenses,
--UK to allow tests of AI systems to gauge CSAM potential,
--Oz spy chief says China probed country's telecom networks,
--China blames US gov't for $13B LuBian theft,
--Google unveils Private AI Compute,
--M…
Yikes, so much cybersecurity news, so little time. Check out today's Metacurity for the most crucial developments you should know, including
--SpaceX pulls the plug on 2,000 Myanmar scam compounds' Starlink devices,
--PhantomCaptcha phishing campaign targeted critical Ukraine orgs,
--OpenAI is laid back on Atlas prompt injection flaws,
--Ransomware cases soar in Japan,
--N. Korean hackers have pilfered billions according to monitors,
--N. Korean ha…
Security researcher fumes at low macOS bug bounty awards
https://appleinsider.com/articles/25/12/02/security-researcher-fumes-at-low-macos-bug-bounty-awards
I usually find year-end top stories round-ups to be insipid and mediocre at best, but this one by @… is first-rate.
https://www.