Infosecurity-magazine.com

Cline Kanban Flaw Lets Websites Hijack AI Coding Agents

A critical vulnerability in the Cline Kanban server has been disclosed that allows any website a developer visits to silently exfiltrate workspace data, inject commands into the AI agent's terminal or ...
GitHub

2026-05-01-WebSocket-Backdoor-Campaign-Injecting-Credit-Card-Skimmers.txt

- Obfuscated JavaScript creates a WebSocket backdoor using dynamically executed JavaScript. - The WebSocket sends an obfuscated JavaScript payload to inject a credit card skimmer into the webpage. - ...
TechRadar

'A human-chosen password doesn't stand a chance': OpenClaw has yet another major security flaw — here's what we know about "ClawJacked"

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works. Oasis security researchers find a high-severity flaw in OpenClaw AI agent Exploit allowed ...
Dark Reading

Critical OpenClaw Vulnerability Exposes AI Agent Risks

A newly disclosed — and now patched — vulnerability in the fastest-growing AI agent tool in the developer ecosystem underscores the expanding risks organizations face from deploying AI in their ...
CSOonline

Your personal OpenClaw agent may also be taking orders from malicious websites

A critical OpenClaw flaw allowed malicious websites to connect to locally running agents, brute-force passwords without limits, and take full control by exploiting implicit trust in localhost ...
theregister

OpenClaw patches one-click RCE as security Whac-A-Mole continues

Security issues continue to pervade the OpenClaw ecosystem, formerly known as ClawdBot then Moltbot, as multiple projects patch bot takeover and remote code execution (RCE) exploits. The initial hype ...
The Hacker News

OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link

A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, ...
TechRadar

Npm package with millions of downloads is at risk from malware hijacking

A popular npm maintainer fell prey to a phishing attack, sharing login credentials with cybercriminals The attackers accessed their npm account and pushed malware through a popular package They were ...
The Hacker News

3,500 Websites Hijacked to Secretly Mine Crypto Using Stealth JavaScript and WebSocket Tactics

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes ...
InfoWorld

HTMX and Alpine.js: How to combine two great, lean front ends

Both HTMX and Alpine are founded on a core idea, and both are admirably focused on that one central mission. For HTMX, the mission could be summarized as: Make the web follow true RESTful design by ...
Dark Reading

'ONNX' MFA Bypass Targets Microsoft 365 Accounts

A highly organized phishing-as-a-service operation (PhaaS) is targeting Microsoft 365 accounts across financial firms with business email compromise (BEC) attacks that leverage a two-factor ...