A new class of prompt-injection attacks—dubbed “Comment and Control”—turns GitHub pull requests, issues, and comments into attack surfaces that can hijack AI coding agents and siphon secrets directly from CI/CD environments. Unlike classic prompt injection that waits for a user to feed a document to an agent, this pattern is proactive: opening a PR or posting an issue can automatically
Anthropic’s MCP Design Flaw: How a Protocol-Level Vulnerability Enables Remote Code Execution at Scale
A critical architectural flaw in Anthropic’s Model Context Protocol (MCP) ecosystem has exposed a vast number of downstream systems to remote code execution (RCE) risks. Researchers at OX Security found the issue embedded across official MCP SDKs for Python, TypeScript, Java, and Rust — meaning developers building on MCP inherit the vulnerability by design rather than through a simple coding
Apple’s Leadership Shift: Tim Cook to Executive Chairman, John Ternus Named CEO
Apple has announced a major leadership transition: Tim Cook will become executive chairman of Apple’s board of directors, and John Ternus, currently senior vice president of Hardware Engineering, will step into the role of CEO on September 1, 2026. The board approved the change unanimously after a long-term succession planning process. Cook will remain CEO through the summer to work
Anthropic and Amazon Expand Partnership, Securing Up to 5GW of Compute for Claude
Anthropic announced on April 20, 2026, a major expansion of its collaboration with Amazon that will secure up to 5 gigawatts (GW) of new compute capacity to train and deploy Claude. The agreement accelerates capacity coming online this year and ties together deeper infrastructure, platform integration, and additional capital investment — steps Anthropic says are needed to meet surging customer
How Attackers Abuse Microsoft Teams and Quick Assist: Inside the Helpdesk Impersonation Playbook
A new wave of attacks is quietly abusing everyday collaboration tools to bypass user suspicion and gain hands-on control of corporate endpoints. Threat actors are impersonating internal IT helpdesk staff inside Microsoft Teams, convincing employees to grant remote access via Quick Assist, and then using that live access to deploy stealthy persistence mechanisms and move laterally through enterprise networks. Because
Lovable AI App Builder Reportedly Exposes Thousands of Projects’ Source Code and Customer Data
A critical Broken Object Level Authorization (BOLA) vulnerability in Lovable, an AI-powered app builder, has reportedly left thousands of legacy projects accessible to unauthorized users. According to security researchers, an API endpoint returned full project data — including source code, database credentials, AI chat histories, and customer information — for projects created before November 2025. While Lovable appears to have