Aggregator

刚刚发布的 Firefox 151 加入了对 Web Serial API 的支持。Web Serial API 允许网站使用 JavaScript 向串口设备如 USB 和蓝牙设备写入或读取数据。Mozilla 称大部分人不会使用到该 API，它的主要使用群体是开发者，他们将能利用浏览器与兼容硬件设备直接进行通信。Mozilla 同时宣布与知名开源硬件平台 Adafruit 展开合作。Adafruit 基于浏览器的硬件工作流程能在 Firefox 上直接运行。以 Adafruit ESP32-S 开发板为例，通过 Web Serial 可以将网页代码发送的消息直接显示在设备上，或者直接在手持设备上修改网页的 CSS 属性。

A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of

Исследователи выяснили, как раскалённая смесь сохраняет следы происхождения и условий образования выпадений

Исследователи создали лазерный двигатель на основе керамики, который может стать частью будущих умных сетей.

This is my favourite time of the year, not just because spring is here and the promise of summer is on the way. But also, because one of my must reads each year gets published. There are a few must read reports that I have on my reading list for each year and the Verizon Data Breach Investigations Report is on top of that list. The latest Verizon 2026 Data Breach Investigations Report (DBIR) once … More →

The post Lessons for organizations from the Verizon 2026 Data Breach Investigations Report appeared first on Help Net Security.

四月全球风能太阳能发电量超过了天然气发电量。根据能源智库 Ember 的分析，四月风能和太阳能发电量占全球总发电量的 22%，天然气发电量占 20%。四月风能和太阳能总发电量达到创纪录的 531 TWh，比天然气总发电量 477 TWh 高出 54 TWh。而五年前的 2021 年 4 月，天然气总发电量 476 TWh，和今天几乎完全一致。但当时的风能和太阳能总发电总量仅为 245 TWh，不到今天的一半。北半球的四月是春季，通常风力强劲，因此风能发电量在四月一般呈增长趋势。Ember 的报告《Global Electricity Review》认为在 2025 年风能和太阳能足以满足全球电力的增长需求。

Socket研究团队发现一场代号为 "TrapDoor" 的大规模跨生态系统供应链攻击活动。该攻击同时针对 npm、PyPI 和 Crates.io 软件包仓库，发布超过 34 个恶意包 及 384+ 个关联版本，专门针对加密货币、DeFi、Solana 生态和 AI 开发社区的开发者群体进行精确打击。

Source-guided vulnerability research increasingly leans on coding harnesses such as Claude Code, Codex, and Cursor to drive agent-based reviews of application code. A new MIT-licensed project from the Dutch security firm Hadrian, called OpenHack, packages that approach into a file-based workspace that any of those harnesses can run. OpenHack is a set of agents and tools that mimics how Hadrian’s research team performs automated vulnerability research. The workflow runs inside a coding harness or a … More →

The post OpenHack: Open-source AI-powered vulnerability research appeared first on Help Net Security.

日本電気株式会社が提供するAtermシリーズには、OSコマンドインジェクションの脆弱性が存在します。

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Nurihan Kim (HanTul), Hyeon-gyu Lee (hy30nq)' was reported to the affected vendor on: 2026-05-25, 23 days ago. The vendor is given until 2026-09-22 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

日本電気株式会社が提供するAtermシリーズには、クロスサイトスクリプティングの脆弱性が存在します。

«Бесплатный сыр» теперь прячется в архиваторах и программах для документов.

In this Help Net Security video, Ziv Levi, SVP of Technology at CYE, explains why translating cyber risk into dollars is one of the most pressing tasks for security leaders. Boards and executives want cyber exposure described in business terms, not technical jargon. Levi walks through a three-step financial translation framework. First, identify business exposure by mapping attack paths to the assets that matter most, such as intellectual property and customer data. Second, focus on … More →

The post Boards want cyber risk in dollars, not CVE counts appeared first on Help Net Security.

CERT/CCから本件に関するアドバイザリが公表されました。

Теневой рынок успешно парализует бизнес откровенной дезинформацией.

Senior decision-makers are the heaviest users of unapproved AI tools, and they continue using them despite being aware of the security and privacy risks linked to shadow AI, according to TrustedTech’s Shadow AI in the Workplace report. The study found that 65% of decision-makers use shadow AI, compared with 31% of employees below decision-maker level. Net Shadow AI use (Source: TrustedTech) The data suggests that shadow AI is not mainly driven by junior employees experimenting … More →

The post Turns out the C-suite loves shadow AI appeared first on Help Net Security.

在智能体安全检测、逻辑漏洞扫描、精准误报分析、开启ai驱动的代码安全新时代。

A vulnerability, which was classified as problematic, was found in NEC Platforms Aterm WX1800HP, Aterm WX5400HP, Aterm WX7800T8, Aterm WX11000T12, Aterm WX3000HP2, Aterm WX4200D5, Aterm GX621A1, Aterm SH621A1 and Aterm 19000T12BE. This affects an unknown function of the component Web Management Interface. The manipulation results in cross site scripting. This vulnerability is reported as CVE-2026-6059. The attack can be launched remotely. No exploit exists.

A vulnerability, which was classified as critical, has been found in NEC Platforms Aterm MR51FN and Aterm CM51FD. The impacted element is an unknown function. The manipulation leads to os command injection. This vulnerability is documented as CVE-2026-8652. The attack requires being on the local network. There is not any exploit available.

A vulnerability classified as critical was found in Acer NitrorSense up to 3.01.3052. The affected element is an unknown function. Executing a manipulation can lead to path traversal. This vulnerability is registered as CVE-2026-9489. The attack needs to be launched locally. No exploit is available. Upgrading the affected component is advised.