Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

As AI systems are used in our day-to-day operations, a central reality becomes unavoidable: AI doesn’t configure itself and must be set up with human approval and oversight. It requires engineers and developers to configure it. Developers need privileges to access and implement components, agents, tools, and features of the platforms. But developers don’t just have these privileges unconstrained… right? Where trust and privileges exist, someone will try to abuse them.

Cryptographic failures have a knack for turning a quiet weekend into a chaotic, all-hands-on-deck emergency. Consider the SHA-1 to SHA-2 deprecation, sometimes referred to as “Shapocalypse,” which sent teams scrambling to reissue thousands of certificates and exposed how many legacy systems weren’t ready for stronger hash algorithms. The major Certificate Authority (CA) distrust events involving DigiNotar in 2011, Symantec in 2017-18, and Entrust in 2024-25 created similar disruption.

The viral surge of OpenClaw (formerly Clawdbot and Moltbot) has captured the tech world’s imagination, amassing over 160,000 GitHub stars and driving a hardware rush for Mac Minis to host these 24/7 assistants.

Over the past week, multiple research teams have documented a renewed wave of voice-led social engineering (vishing) targeting identity providers and federated access. The entry point is not through malware or a zero-day exploit. The goal is simple. Persuade a user to help complete authentication in real time, then use that trusted session to move through SaaS applications and exfiltrate data. Security leaders already know the fundamentals. Multi-factor authentication (MFA) can be socially engineered.

Most organizations never planned for AI to start making real decisions. They started with simple helpers. An agent answered basic questions or generated small automations so teams could avoid opening another IT ticket. It felt harmless. But as these agents become more capable and more autonomous, they begin operating across systems at machine speed. They connect tools, provision access, and trigger chained actions long after the original request.

Passkeys now protects billions of accounts, redefining how the world signs in through stronger, more secure authentication without a password. Yet this global movement runs deeper than most realize. While passkeys implements thoroughly scrutinized standards developed by the FIDO Alliance in collaboration with the W3C, global adoption, however, is driven by a central layer that extends beyond the open standards, one that remains little-researched, varies by implementation, and it is often misunderstood.

In Pac-Man, ghosts seem pretty easy to dodge. You’re clearing the maze, racking up points, three more pellets away from leveling up. Then, out of nowhere, they close in and cut off all hope of escape. Womp womp. Game over. In today’s enterprise environments, “ghost” or orphaned accounts represent a similar hidden risk. They appear low-impact, lingering in forgotten corners of the IT maze.

This research is published following the public release of a fix and CVE, in accordance with coordinated vulnerability disclosure best practices. CVE‑2025‑60021, a critical command injection issue in Apache bRPC’s /pprof/heap profiler endpoint, was identified during broader analysis of diagnostic and debugging surfaces in the framework. The issue was discovered using Vulnhalla, CyberArk Labs’ AI tool that assists in triaging CodeQL results using an LLM.

Gone are the days when attackers had to break down doors. Now, they just log in with what look like legitimate credentials. This shift in tactics has been underway for a while, but the rapid adoption of artificial intelligence is adding a new layer of complexity. AI is a powerful tool, but our growing reliance on it comes with a catch: it’s eroding our critical thinking skills.