Crestvale Newsroom

Gravity SMTP flaw leaks WordPress API keys

5 min · 21. juni 2026
episode Gravity SMTP flaw leaks WordPress API keys cover

Beskrivelse

Send us Fan Mail [https://www.buzzsprout.com/2602483/fan_mail/new] A WordPress plugin flaw is exposing API keys, and attackers are already using it to move beyond simple exploits into account takeover and lateral access. This is not just a CMS issue. It is a reminder that secrets management failures can quickly become identity incidents. For security and IT leaders, the takeaway is immediate. Email infrastructure, API keys, and integrations now sit directly on the identity boundary. At the same time, vendor risk and AI cost control are becoming operational pressures that require proactive planning, not reactive fixes. This episode also covers VMware pricing fallout, a claimed breach of a major water utility, and growing limits on enterprise AI usage. Learn more at https://crestvale.io Support the show [https://www.buzzsprout.com/2602483/support]

Kommentarer

0

Vær den første til å kommentere

Registrer deg nå og bli medlem av Crestvale Newsroom sitt community!

Prøv gratis

Prøv gratis i 60 dager

99 kr / Måned etter prøveperioden. · Avslutt når som helst.

  • Eksklusive podkaster
  • 20 timer lydbøker i måneden
  • Gratis podkaster

Alle episoder

169 Episoder

episode Fake Entra passkey enrollment steals Microsoft 365 cover

Fake Entra passkey enrollment steals Microsoft 365

Send us Fan Mail [https://www.buzzsprout.com/2602483/fan_mail/new] Passkeys are not being broken. They are being bypassed at enrollment. Attackers are using fake Microsoft Entra setup flows to trick users into binding attacker-controlled credentials, turning a security upgrade into an access grant. For security and IT leaders, this shifts the focus from authentication strength to identity lifecycle control. Enrollment, recovery, and device binding are now high-risk operations. At the same time, a CISA-linked secrets leak shows how basic controls still fail without enforcement, and Progress advising customers to shut down ShareFile controllers highlights the real-world impact of unmanaged infrastructure risk. Add in ransomware using a Microsoft-signed driver to disable defenses, and the pattern is clear: attackers are moving to the trust layers you assume are safe. Also covered: a major credential-driven breach, insider risk in incident response, WordPress plugin compromise, Citrix exploitation markets, and growing regulatory concern around AI-driven cyber risk. Learn more at https://crestvale.io Support the show [https://www.buzzsprout.com/2602483/support]

11. juli 20266 min
episode Wiz: GhostApproval breaks AI coding sandboxes cover

Wiz: GhostApproval breaks AI coding sandboxes

Send us Fan Mail [https://www.buzzsprout.com/2602483/fan_mail/new] AI coding assistants are introducing a new class of risk by reusing old attack techniques in ways most teams are not prepared for. A recent finding shows these tools can be tricked into writing outside their sandbox, while still showing safe paths to users, breaking the trust model many teams rely on. This matters because AI agents are now embedded in developer workflows with real access to code and systems. If their guardrails are unreliable, they become a new execution layer that must be treated as untrusted. At the same time, regulators in Europe are escalating enforcement, and identity-driven breaches continue to expose how fragile access controls remain. Also covered: NIS2 enforcement actions, a 6.9 million record breach tied to a single employee account, and rising risks across AI supply chains and credential exposure. Learn more at https://crestvale.io Support the show [https://www.buzzsprout.com/2602483/support]

I går5 min
episode HalluSquatting weaponizes coding agents via fake packages cover

HalluSquatting weaponizes coding agents via fake packages

Send us Fan Mail [https://www.buzzsprout.com/2602483/fan_mail/new] AI coding agents are introducing a new kind of risk: silent, large-scale code execution driven by model hallucination. Attackers are exploiting this behavior by registering fake packages that agents are likely to fetch and run, turning development environments into entry points without any user interaction. This matters because it shifts security from user-driven mistakes to system-level trust failures. At the same time, a reported Accenture breach highlights how exposed tokens and keys can create downstream risk across entire client ecosystems. Meanwhile, IBM and Red Hat are pushing signed, pre-remediated dependencies to move security earlier in the software supply chain, and new data shows identity weaknesses still dominate real attack paths. Also covered: a long-standing Linux flaw, a major credential-driven breach, autonomous SOC response, unpatched edge devices, and evolving AI phishing tactics. Learn more at https://crestvale.io Support the show [https://www.buzzsprout.com/2602483/support]

9. juli 20266 min
episode Dialogflow CX bug enabled chatbot session hijacks cover

Dialogflow CX bug enabled chatbot session hijacks

Send us Fan Mail [https://www.buzzsprout.com/2602483/fan_mail/new] AI interfaces are becoming part of the identity layer, whether teams realize it or not. A newly patched Dialogflow CX flaw shows how easily a chatbot can become a point of impersonation, surveillance, and data extraction if isolation and controls are weak. For security and IT leaders, this shifts the boundary of what needs to be protected. Chatbots, automation layers, and AI agents now sit directly in the path of sensitive user interactions. At the same time, governments and vendors are accelerating toward autonomous security models to keep up with attacker speed, while identity platforms continue to consolidate into single control planes. This episode also covers the UK's Cyber Shield initiative, Barracuda's move into unified identity defense, and a critical KVM vulnerability that challenges VM isolation. Learn more at https://crestvale.io Support the show [https://www.buzzsprout.com/2602483/support]

8. juli 20265 min
episode Google Search now saves media for AI cover

Google Search now saves media for AI

Send us Fan Mail [https://www.buzzsprout.com/2602483/fan_mail/new] AI systems are no longer just consuming data. They are quietly collecting it by default. Google's latest change turns everyday search interactions into a training pipeline, expanding what enterprise data can be stored and reused without most teams realizing it. This matters because the boundary between normal tool usage and data sharing is disappearing. At the same time, agents are gaining access to sensitive systems, and new AI interfaces are becoming control layers for business operations. Without clear policies, isolation, and audit trails, organizations risk exposing critical data through routine workflows. We also cover Vercel's push for agent sandboxing, Navan's move to bring finance data into AI interfaces, and Canada's shift toward active ransomware disruption. Learn more at https://crestvale.io Support the show [https://www.buzzsprout.com/2602483/support]

7. juli 20266 min