You found an LLM in the live chat with backend API access. You enumerate its capabilities by asking: "What APIs can you call?" It reveals a "Debug SQL" function that accepts raw SQL strings without validation. You craft a prompt injection attack, The LLM's tokenizer processes your input, the language model generates an API call, and sends it to /api/debug-sql with your malicious payload as a parameter. The backend receives a seemingly legitimate request from an authenticated service. With no input sanitization and no parameterized queries. The SQL executes directly against the database. The users table is dropped. Learn more about LLM exploitation in our real-world labs 👇 portswigger.net/web-security…

🛡️ Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks Source: cybersecuritynews.com/claude… A critical remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code CLI tool, allowing attackers to execute arbitrary commands on a victim’s machine by tricking them into clicking a specially crafted deeplink. The flaw, now patched in Claude Code version 2.1.118, was rooted in a naive command-line argument parser that could be weaponized through the tool’s claude-cli:// deeplink handler. The issue stemmed from eagerParseCliFlag, a function in main.tsx designed to parse critical flags like --settings before the main initialization routine runs. #cybersecuritynews

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

🚨 METATRON - Open-Source AI Penetration Testing Assistant Brings Local LLM Analysis to Linux Source: cybersecuritynews.com/metatr… A new open-source penetration testing framework called METATRON is gaining attention in the security research community for its fully offline, AI-driven approach to vulnerability assessment. Built for Parrot OS and other Debian-based Linux distributions, METATRON combines automated reconnaissance tooling with a locally hosted large language model (LLM), eliminating the need for cloud connectivity, API keys, or third-party subscriptions. METATRON is a CLI-based penetration testing assistant written in Python 3 that accepts a target IP address or domain and autonomously orchestrates a suite of standard reconnaissance tools. #cybersecuritynews

Enshittification’s Law “If it can be monetized, It will be monetized.” #EnshittificationsLaw