The Hacker News

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse

Device code phishing targets 340+ Microsoft 365 orgs since Feb 2026 via OAuth abuse, enabling persistent token hijacking and ...
Security Boulevard

The Trivy Compromise: The Fallacy of Secrets Management and the Case for Workload Identity

The Trivy incident exposed a credential architecture failure, not just a supply chain one. Here’s the case for workload ...
The Hacker News

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure

Langflow CVE-2026-33017 exploited in 20 hours after disclosure, enabling RCE via exec(), exposing systems before patching ...
CSO Online

Your MFA isn’t broken — it’s being bypassed, and your employees can’t tell the difference

Hackers aren't "breaking" your MFA anymore — they’re just riding shotgun during your login to steal the session token right ...
Security Boulevard

MCP Authentication and Authorization Patterns

In MCP, every request comes from a nonhuman identity: an agent, server or tool. These identities don't act under direct human oversight. They generate requests dynamically, chain operations and carry ...
Forbes

Gmail Security Alert: Google To Ditch SMS Codes For Billions Of Users

Update, Feb. 26, 2025: This story, originally published Feb. 23, now includes additional commentary regarding the potential security implications of the decision to deprecate SMS from the Gmail ...