Security news.
Today's security brief highlights critical vulnerabilities, with CISA adding three new actively exploited flaws to its KEV catalog. We also see significant developments in cybercrime, including prison sentences for Scattered Spider hackers and a new, rapid ransomware strain. AI-related security concerns are prominent, with a Claude extension flaw and new injection attacks demonstrating risks to AI agents.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added CVE-2026-25089 and CVE-2026-39808 (Fortinet FortiSandbox OS Command Injection) and CVE-2026-58644 (Microsoft SharePoint Deserialization of Untrusted Data) to its KEV Catalog, urging agencies to patch due to active exploitation.
Claude Chrome extension flaw lets malicious extensions trigger AI actions
A vulnerability in Anthropic's Claude for Chrome extension could allow malicious extensions to simulate user clicks and abuse Claude's access to services like Gmail and Salesforce.
New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands
Researchers demonstrate "Agent Data Injection" attacks where manipulated input can cause AI agents to perform unintended actions, such as clicking "Buy Now" or executing attacker commands.
Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack
Owen Flowers, 18, and Thalha Jubair, 20, members of the Scattered Spider group, were sentenced to five and a half years in prison for the 2024 hack of Transport for London, which cost £29 million.
New Spirals ransomware encrypts victim network in under 24 hours
A new ransomware group, Spirals, has demonstrated the ability to compromise, exfiltrate data from, and encrypt victim networks in under 24 hours.
New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password
The new ClickLock Stealer malware for macOS employs social engineering and continuous application termination to pressure users into entering their login password.
New OkoBot framework deploys 20 payloads to steal data, crypto
A new sophisticated malicious framework named OkoBot is delivering over 20 different payloads to steal cryptocurrency wallet seed phrases, credentials, and other sensitive data.
23andMe to pay $18 million in new genetics data breach settlement
Genetic testing company 23andMe has agreed to an $18 million settlement with 43 attorneys general over claims it failed to adequately protect customer genetic data during a previous breach.