Juba

CVE-2026-44578  ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6)  A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler.  By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data.  Affected: Next.js 13.4.13+, 14.x, 15.x <15.5.16, 16.0.0–16.2.4  Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.   Modat Magnify Query:  technology="Next.js"  The platform:  https://t.co/qJfEh7giE9  #threatintel #vulnerability #CVE202644578 #Nextjs #SSRF #WebSocket #CloudSecurity #infosec #Critical #ModatMagnify

🚨 Mistral AI s’est fait hacker. Environ 5 Go de données internes seraient actuellement en vente pour 25 000 $. Mistral a confirmé un incident de sécurité. Tout serait parti d’une attaque « supply chain » via un service tiers, notamment une compromission liée à TanStack, un outil open source utilisé par des développeurs de Mistral, qui a subi une attaque le 11 mai sur son propre codes. Des attaquants auraient compromis des pipelines de publication afin d’injecter du code malveillant dans certains packages officiels. Mistral a d’ailleurs confirmé que la version 2.4.6 du package mistralai contenait un malware avant d’être retirée dans la nuit du 11 Mai. D’autres entreprises/projets ont été touchés : SecurityWeek cite notamment UiPath, OpenSearch JavaScript client, Squawk et Guardrails. En gros du code malveillant avait été injecté dans src/mistralai/client/__init__.py. Sur Linux, au simple import mistralai, le package téléchargeait un fichier nommé transformers.pyz vers /tmp/transformers.pyz, puis l’exécutait en arrière-plan pour récolter des credentials dans des emplacements courants. Le principe de cette attaque était particulièrement dangereux : le package malveillant pouvait voler des credentials, tokens GitHub, secrets cloud ou accès CI/CD directement chez les développeurs et entreprises utilisant ces outils. Et le problème des attaques « supply chain » c’est leur effet cascade, surtout quand on sait que des solutions d’IA sont aujourd’hui déployées dans de grands groupes sur des données sensibles. Actuellement, sur certains forums, des personnes affirment vendre environ 5 Go de données liées à Mistral, contenant potentiellement des dashboards, projets internes, systèmes d’inférence, outils de fine-tuning, etc. En revanche, Mistral n’a pas confirmé avoir subi une fuite massive de données internes. Donc pour l’instant, impossible de savoir si : - il s’agit d’un post opportuniste et largement exagéré, - ou d’une véritable fuite de données encore non confirmée publiquement. On en saura probablement plus dans les prochains jours. Une chose est sûre : l’IA pénètre de plus en plus de systèmes critiques. Et la particularité de l’IA, c’est qu’elle traite énormément de données. Compromettre une solution d’IA, ce n’est pas seulement compromettre un logiciel, c’est potentiellement compromettre d’immenses volumes de données sensibles. Les attaques contre les acteurs de l’écosystème IA, qu’elles soient directes ou indirectes via des dépendances open source, vont probablement se multiplier dans les années à venir, avec des conséquences potentiellement lourdes. Surtout vu la vitesse à laquelle va l’IA avec des release de packages quasiment tout les jours , infecté un package même dans une fenêtre de temps courte peut avoir des résultats catastrophique ! Donc soyez vigilant plus que jamais !

‼️🇫🇷 Mistral AI allegedly breached: ~5GB of internal source code and ~450 private repositories exposed from the French AI company by TeamPCP A threat group is selling approximately 5GB of internal repositories and source code allegedly belonging to Mistral AI and Mistral Solutions, covering training, fine-tuning, benchmarking, dashboard/platform, model delivery and inference, experiments, and future projects. The actor is demanding a $25,000 BIN, stating they will shred the data permanently and sell to one buyer only, and threatening to leak all ~450 repositories for free to the forums within a week if no buyer is found. ▸ Actor: TeamPCP ▸ Sector: Artificial Intelligence / Source Code ▸ Type: Data Sale (with leak threat) ▸ Records: ~450 internal repositories, ~5GB total ▸ Country: France ▸ Date: 11/05/2026 Compromised data: ▪ mistral-inference-internal.tar.gz ▪ mistral-inference-private.tar.gz ▪ mistral-lawyer-internal.tar.gz ▪ mistral_finance_agent.tar.gz ▪ mistral-compute-poc.tar.gz ▪ mistral-fabric.tar.gz ▪ finetuning-feedback.tar.gz ▪ mistral-finetune-internal.tar.gz ▪ cma-customer-care-internal.tar.gz ▪ mistral-common-internal.tar.gz ▪ chatbot-security-evaluation.tar.gz ▪ kyc-doc-agent.tar.gz ▪ dashboard.tar.gz ▪ devstral-cloud.tar.gz ▪ finance.tar.gz ▪ typhoon.tar.gz ▪ turbine.tar.gz ▪ mistral-surge.tar.gz ▪ mistral-solutions.tar.gz ▪ surge-validators.tar.gz ▪ website-v3.tar.gz ▪ xformers.tar.gz ▪ piper-segmentation.tar.gz ▪ pfizer-rfp-2025.tar.gz ▪ Internal repositories tied to model training, fine-tuning, benchmarking, dashboard and platform code, model delivery and inference systems, experiments, and future project work Stop guessing what's redacted. Subscribers see everything → https://t.co/281Qjc6p2J

The Google Threat Intelligence Group has detected the first known instance of a threat actor using an AI-developed zero-day exploit in the wild. While the attackers planned a wide-scale strike, our proactive counter-discovery may have prevented that from happening. This finding is part of our new report on AI-powered threats.

O Google acabou de transformar mais de 1 bilhão de computadores em depósito de IA. Inclusive o seu. Sem pedir. Sem avisar. Sem um único popup. O Chrome baixou 4GB de modelo de inteligência artificial no seu disco. O arquivo se chama weights.bin, são os pesos do Gemini Nano. Fica numa pasta chamada OptGuideOnDeviceModel dentro do seu perfil do Chrome. Você não autorizou nada. Até existe uma configuração para impedir, mas tá enterrada em submenus que ninguém encontra. E as AI features vêm ligadas por padrão. Se você deletar o arquivo, o Chrome baixa de novo. Sozinho. Em silêncio. Você decide o que fica no seu disco e o navegador simplesmente ignora. Funciona assim em Windows, macOS e Ubuntu. Logs forenses no macOS mostram que o arquivo foi instalado dia 24 de abril de 2026, misturado com patches de segurança. Desenvolvedores dizem que isso já rola há mais de um ano. E tem um detalhe que deixa tudo mais ridículo: O Chrome 147 coloca um botão "AI Mode" na barra de endereço. Você vê aquilo, sabe que tem modelo de IA no seu computador, e assume que suas buscas rodam localmente. Não rodam. O AI Mode é 100% cloud. Tudo vai para os servidores do Google. O modelo de 4GB no seu disco não tem nada a ver com aquele botão. Ele serve para quê? "Help me write" e detecção de scam. Coisas que vivem em submenus de clique-direito que você provavelmente nunca abriu. O Google ocupou 4GB do seu disco sem pedir, para rodar coisas que quase ninguém usa, enquanto a IA que você de fato vê manda tudo para a nuvem. Na Europa, pesquisadores já apontam violação do Artigo 5(3) da Diretiva ePrivacy, que exige consentimento antes de armazenar software no dispositivo do usuário. Como desativar: → chrome://flags → Busque "Optimization Guide On Device Model" → Desative → Reinicie o Chrome → Delete a pasta OptGuideOnDeviceModel Seu computador só é seu se você ficar de olho.

Un message pour tous les français qui veulent vraiment comprendre ce qui se passe dans la tech et l'IA. Arrêtez les podcasts français. Sérieusement. Le niveau est très, très moyen. C'est des gens qui commentent ce que d'autres construisent. C'est du commentaire de commentaire. Du meta sur du meta. Et à la fin tu as passé 2 heures à écouter quelqu'un t'expliquer ce qu'il a lu dans un article américain traduit en français avec 3 semaines de retard. Allez à la source. Marc Andreessen. Le mec a inventé le navigateur web et il finance la moitié de la Silicon Valley. Ses podcasts sur a16z sont des masterclass en temps réel sur ce qui se construit. Naval Ravikant. Ses épisodes avec Joe Rogan et Tim Ferriss sont probablement les 6 heures les plus rentables que vous passerez de votre vie. Richesse, leverage, bonheur, philosophie, tout y est. Peter Thiel. Chaque interview est un cours de stratégie de niveau Nobel. Le mec pense à 15 ans d'avance et il s'en fiche de plaire. Lex Fridman. Des conversations de 3 heures avec les cerveaux les plus brillants de la planète. Sans filtre. Sans montage. Sans bullshit. The All-In Podcast. Quatre milliardaires qui débattent chaque semaine de tech, économie et politique avec une franchise que vous ne trouverez nulle part en France. Y Combinator. Chaque talk de Startup School est gratuit sur YouTube. C'est l'accélérateur le plus successful de l'histoire qui donne ses secrets gratuitement. Et quasi personne en France ne regarde. C'est là-bas que le futur se construit. Pas dans un studio parisien entre deux pubs pour une néobanque. Les podcasts français c'est mignon. Ça fait passer le temps. Mais si vous voulez vraiment comprendre ce qui va changer votre vie dans les 5 prochaines années, il faut aller boire à la source. La source parle anglais. Et elle est gratuite. Votre meilleur investissement en 2026 c'est pas un ETF. C'est de passer 30 minutes par jour à écouter les gens qui construisent le futur dans leur propre langue. L'anglais c'est pas une option. C'est le prix d'entrée.

🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see. > Hidden instructions in HTML. > Malicious commands in image pixels. > Jailbreaks embedded in PDFs. Your AI agent is being manipulated right now and you can't see it happening. The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini. The core finding is not that manipulation is theoretically possible it is that manipulation is already happening at scale and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents. Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems. The attack surface is larger than anyone has publicly acknowledged. Prompt injection where malicious instructions hidden in web content hijack an agent's behavior works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses any data source the agent consumes becomes a potential attack vector. The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly. The attack categories and what they enable: → Direct prompt injection: malicious instructions in any text the agent reads overrides goals, exfiltrates data, triggers unintended actions → Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds invisible to humans, consumed by agents → Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata → Document injection: PDF content, spreadsheet cells, presentation speaker notes every file format is a potential vector → Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges → Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content → Memory poisoning: injecting false information into agent memory systems that persists across sessions → Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters → Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls → Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines The defense landscape is the most sobering part of the report. Input sanitization cleaning content before the agent processes it fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight the most commonly cited mitigation fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions. The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions. Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.

‼️ Threat actor Jinkusu advertises sophisticated deepfake and voice manipulation software designed to bypass Know Your Customer (KYC) verification processes. The tool features real-time face swapping, voice changing, and virtual camera capabilities for use in identity verification systems.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

‼️🚨 An ex-Anthropic engineer just published a 1-click remote code execution exploit for OpenClaw (formerly Moltbot and ClawdBot). The attack occurs in milliseconds after the victim visits a webpage, giving the attacker access to Moltbot and the system it's running on. The victim does not need to type anything or approve any prompts.