AISLE Discovers 6 New CVEs in #curl, Including the Oldest Issue Ever Reported
https://aisle.com/blog/aisle-discovers-6-new-cves-in-curl-including-the-oldest-issue-ever-reported
Google Exec: We can make our users click on pictures of busses for as long as ten minutes, just to visit a website.
LinkedIn Exec: haha that's nothing. We can get users to send their ID *and* take pictures of five different facial angles, that's how desperate they are to find work.
Zenni Exec: lol you're both newbs. I bet I can get four-eyed nerds to play Forehead Poker with their own credit cards just to buy glasses!
RE: https://mastodon.social/@bagder/116807425534711479
There is a European-owned place called https://aisle.com/ that is doing world class security bug finding. Beating Mythos even in this case. But no one in Europe likes talking up our own talent. Been trying to get them mentioned in Dutch news for ages, but all we can do apparently is promote US tech.
The Rapid7 MDR team is currently monitoring an increase in phishing campaigns where threat actors (TAs) impersonate internal IT departments via Microsoft Teams. The primary objective is to persuade users to launch Quick Assist, granting the TA remote access to deploy malware, exfiltrate data, or facilitate lateral movement across the network.
New, by me: How AI Assistants are Moving the Security Goalposts
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.
Read more (and boost please!):
https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/
We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.
To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.
Who could possibly have foreseen this? Aside from anyone paying even the slightest bit of attention?
"One of the codebases…contained 2,675 distinct licensing conflicts, indicating the complexity of managing IP has grown exponentially…the mean number of vulnerabilities in code has nearly doubled since last year. Eighty-seven percent of the codebases had at least one vulnerability, 78% had high-risk vulnerabilities, and 44% had critical-risk vulnerabilities."