Security

Latest News

GHSA-7qm7-455j-5p63: enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain

### Description

A critical sandbox escape vulnerability exists in **enclave-vm v2.3.0** that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the **host Node.js runtime**.

When a tool invocation fails, enclave-vm exposes a **host-side Error object** to sandboxed code. This Error object retains its **host realm prototype chain**, which can be traversed to reach the **host `Function` constructor**. An attacker can intentionally trigger a host error (for example, by invoking a non-existent tool), then climb the prototype chain:

```
Error instance → Error.prototype → Error constructor → Function constructor
```

Using the host `Function` constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as `process.env`, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code.

---

### Proof of Concept ```javascript // Vec...

GHSA-3g2f-4rjg-9385: Weblate leaks information via screenshots

### Impact

The screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename.

### Patches

* https://github.com/WeblateOrg/weblate/pull/17516

### References

Thanks to Lukas May and Michael Leu for reporting this.

'VoidLink' Malware Poses Advanced Threat to Linux Systems

Researchers discovered a modular, "cloud-first" framework that is feature-rich and designed to maintain stealthy, long-term access to Linux environments.

Trump Warned of a Tren de Aragua ‘Invasion.’ US Intel Told a Different Story

Hundreds of records obtained by WIRED show thin intelligence on the Venezuelan gang in the United States, describing fragmented, low-level crime rather than a coordinated terrorist threat.

Phishing scammers are posting fake “account restricted” comments on LinkedIn

Fake LinkedIn comments warning of account restrictions are designed to trick users into revealing their login details.

AI Agents Are Becoming Privilege Escalation Paths

AI agents have quickly moved from experimental tools to core components of daily workflows across security, engineering, IT, and operations. What began as individual productivity aids, like personal code assistants, chatbots, and copilots, has evolved into shared, organization-wide agents embedded in critical processes. These agents can orchestrate workflows across multiple systems, for example:

Hacker Claims Full Breach of Russia’s Max Messenger, Threatens Public Leak

A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.

Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware

Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. "Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (

Survey: Rapid AI Adoption Causes Major Cyber Risk Visibility Gaps

As software supply chains become longer and more interconnected, enterprises have become well aware of the need to…

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed

Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.