Toggle light / dark theme

Get the latest international news and world events from around the world.

Log in for authorized contributors

‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

A PNG hiding a prompt injection could steal your repo’s secrets, researchers demonstrate. The technique, dubbed ‘Ghostcommit,’ slipped past AI code reviewers CodeRabbit and Bugbot, which never open image files at all, then convinced a coding agent to read a repo’s.env and write every secret into the code as a list of numbers.

New U-Boot flaws could enable stealthy firmware attacks

Six vulnerabilities in the widely used U-Boot bootloader have been discovered that could allow attackers to execute malicious code during device boot, potentially enabling stealthy firmware attacks that compromise security protections and install persistent malware.

U-Boot is one of the world’s most widely used open-source bootloaders and is found in many embedded Linux devices, including enterprise servers’ Baseboard Management Controllers (BMCs), networking equipment, industrial systems, IoT devices, and other appliances.

Because U-Boot is responsible for loading the operating system, vulnerabilities in the bootloader can allow attackers to compromise a device before the operating system and its security software have a chance to start.

/* */