Hi, I'm Vivian, a cybersecurity and AI Product Manager trying to keep up with an industry that moves faster than I can whisk up my morning matcha. Every week brings a new wave of vulnerabilities, AI security mishaps, and breaches that keep us on our toes, so I take some time to share the most interesting news instead of letting it all blur together. Let's dive into what's been keeping us up at night recently in cybersecurity and AI security.

AI Research & Vulnerabilities

Opera Neon Prompt Injection Flaw

Researchers uncovered a prompt injection vulnerability in Opera Neon's AI assistant that let hidden HTML elements execute malicious commands. Attackers could embed invisible text containing instructions that the AI would unknowingly follow when summarizing a webpage, including exfiltrating data from authenticated sessions. Opera has since patched the flaw.

ChatGPT Atlas "Tainted Memories" CSRF Vulnerability

Security researchers discovered a vulnerability in OpenAI's ChatGPT Atlas where a CSRF request can piggyback on a user's logged-in session to inject malicious instructions into ChatGPT's Memory. Those tainted memories persist across devices and browsers and can later trigger code execution and account or browser takeover when the user interacts with ChatGPT.

ChatGPT Atlas Omnibox URL Prompt Injection Vulnerability

Researchers reported a prompt injection vulnerability in OpenAI's Atlas where crafted strings that look like URLs but fail URL validation are treated as user prompts when pasted or typed into the omnibox. This allows embedded malicious instructions to override user intent, bypass some safety checks, and trigger cross-domain actions.

Cybersecurity News

Ribbon Communications Breached by Nation-State Actors

Ribbon Communications suffered a nation-state breach that went undetected for nearly nine months, with attackers gaining access to older customer files. While Ribbon stated the breach had no material effect, the company is a services provider for major telecom and government clients like Verizon, BT, Deutsche Telekom, and the US Department of Defense, raising concerns about potential supply chain exposure.

Ex-L3Harris Executive Pleads Guilty to Selling Spy Tools to Russia

A former L3Harris/Trenchant executive pleaded guilty to two counts of trade-secret theft after selling US cyber-exploit components to a Russian broker known for reselling tools to government clients.

OpenAI Announces Aardvark Agentic Security Researcher

OpenAI announced Aardvark, an autonomous security researcher powered by GPT-5 that continuously analyzes codebases to find and fix vulnerabilities at scale. It builds threat models, scans new commits, validates exploits in a sandbox, and attaches AI-generated patches for human review and one-click pull requests.

Herodotus Android Trojan Mimics Human Behavior

A new Android banking trojan called Herodotus is targeting users in Italy and Brazil, using randomized typing delays and human-like interaction patterns to evade behavioral biometrics and anti-fraud detection. Once installed through malicious SMS links, it abuses Accessibility permissions to steal credentials, intercept 2FA codes, and remotely control devices, allowing attackers to drain accounts while appearing legitimate.

Hacktivists Tamper with Canadian Water and Energy Infrastructure

The Canadian Centre for Cyber Security warns that hacktivists have been tampering with internet-exposed industrial control systems. Recent incidents included attackers manipulating water-pressure valves, triggering false alarms, and altering temperature and humidity settings.

Conduent Breach Impacts 10.5M+ Individuals

A months-long intrusion into Conduent systems, from October 21, 2024 to January 13, 2025, exposed sensitive data, including names, addresses, dates of birth, Social Security numbers, and medical/insurance information of more than 10.5 million people. The SafePay ransomware group claimed responsibility and the theft of roughly 8.5 TB of data.

Startup/VC News

CyberRidge Raises $26M in Funding

Israeli startup CyberRidge emerged from stealth with $26 million in total funding to protect data traveling through fiber-optic cables. The company's technology manipulates light to conceal information as random noise during transmission through subsea and terrestrial cables.

Reflectiz Raises $22M Series B

Reflectiz raised $22 million to scale its website security platform that monitors third-party scripts and client-side code for hidden risks. The company plans to expand its US presence and enhance its AI-based detection engine that helps organizations prevent data leaks, skimming, and unauthorized data collection on their web assets.

Spektrum Labs Raises $10M Seed

Spektrum Labs launched from stealth with $10 million to help enterprises continuously demonstrate cyber resilience, using AI-driven checks and cryptographic attestations to verify that safeguards and backups actually work.

Polygraf Raises $9.5M Seed

Polygraf AI raised $9.5 million to advance its authenticity verification platform for AI-generated content. The company uses linguistic analysis and data provenance tracking to detect manipulated or synthetic media, aiming to help organizations ensure the integrity of digital information.

Sublime Raises $150M in Series C

Washington, D.C.-based Sublime Security secured $150 million in Series C funding. The company's agentic email security platform deploys specialized AI agents to autonomously detect, triage, and adapt defenses against threats in real time.


That's all for now… Stay informed and protected.