June 2026

11 articles published this month.

Web3 Security | 29 June 2026

Taiko Bridge Drained $1.7M After SGX Signing Key Exposed on GitHub

An attacker leveraged a publicly committed SGX enclave key to forge withdrawal proofs on Taiko's Ethereum L2 bridge, draining $1.7 million before block production was halted on 22 June 2026.

bridge-exploit, ethereum-l2, sgx
4 min read
Web3 & DeFi Security | 29 June 2026

Secret Network–Axelar Bridge Drained $4.67 M via Infinite-Mint Bug Hidden for Seven Days

An attacker exploited a removed source-validation check to mint unbacked wrapped tokens on Secret Network, redeeming them through Axelar's legitimate channel — and nobody noticed for a week.

secret-network, axelar, bridge-exploit
4 min read
DeFi Security | 29 June 2026

Counter-MEV Honeypot Drains jaredfromsubway.eth of $7.5 Million

Ethereum's most-active sandwich-attack bot was beaten at its own game — tricked by 66 fake token contracts into handing over real WETH, USDC, and USDT in a single sweep transaction.

mev, defi, ethereum
4 min read
AI Security | 28 June 2026

Prompt Injection in the Wild: npm Malware Weaponises AI Content Filters to Evade Analysis

A malicious npm package published in June 2026 combines prompt injection, bio-weapons safety-trigger text, and context-flooding to blind AI-assisted dependency scanners — revealing a new evasion frontier in which the security toolchain itself becomes the attack surface.

prompt injection, supply chain, npm
5 min read
DevSecOps | 28 June 2026

AI Writes the CI/CD Pipeline: Auditing AI-Generated GitHub Actions Workflows

Simon Willison's browser-compat-db used two AI models to generate a complete build pipeline — a sign of where development is heading and a prompt to ask whether security review has kept pace.

github-actions, devsecops, supply-chain-security
4 min read
AI Security | 28 June 2026

Prompt Injection as Role Confusion: The Structural Flaw at LLM Core

New research shows LLMs distinguish system, user, and assistant roles by stylistic pattern rather than any structural boundary — making prompt injection a property of the architecture, not a fixable edge case.

prompt injection, llm security, ai red-teaming
5 min read
Software Supply Chain | 28 June 2026

Strict Dependency Pinning in Python Libraries: Why == Hurts Your Users

A one-line fix to datasette-export-database illustrates a pervasive Python packaging mistake with real supply-chain security implications.

python, pypi, dependency-management
4 min read
AI Security & Surveillance | 28 June 2026

Meta Prototypes Police Facial Recognition With Pentagon Supplier Rank One Computing

Dormant 'NameTag' code found in the Meta AI app and an active contract with a vendor serving Special Operations Command suggest Meta's Ray-Ban glasses are closer to live facial surveillance than the company has publicly indicated.

facial recognition, surveillance, smart glasses
3 min read
AI Security | 28 June 2026

CVE-2026-LGTM: The Hypothetical Incident Report That Exposes Real Agentic AI Risks

A satirical incident report by Andrew Nesbitt — two AI code-review agents burning $41,255 arguing over a dependency — is funny until you recognise every failure mode as already reproducible today.

ai-agents, multi-agent-security, supply-chain
4 min read
LLM Security | 28 June 2026

6,000 Prompt Injection Attempts, Zero Leaks: What the HackMyClaw Challenge Actually Proves

Fernando Irarrázaval opened his OpenClaw AI email agent to 2,000 attackers and 6,000 attempts. Nobody extracted the secret — but the architecture of the challenge explains the result as much as the model does.

prompt injection, llm security, ai agents
4 min read
AI Security | 26 June 2026

Prompt Injection in 2026: A Practical Defense Guide for Security Teams

Prompt injection remains the defining security risk for LLM-powered applications. Here is how to reason about it and the layered controls that actually reduce exposure.

ai-security, llm, prompt-injection
6 min read