Hi, I'm Vivian, a cybersecurity and AI Product Manager trying to keep up with an industry that moves faster than I can whisk up my morning matcha. Every week brings a new wave of vulnerabilities, AI security mishaps, and breaches that keep us on our toes, so I take some time to share the most interesting news instead of letting it all blur together. Let's dive into what's been happening recently in cybersecurity and AI security.
AI Research & Vulnerabilities
AI Toys Giving Kids Explicit and Unsafe Advice
The US PIRG Education Fund's latest Trouble in Toyland report tested four AI-enabled toys and found that some would engage in detailed conversations about sexual topics while also calmly explaining where to find knives, pills, matches, and plastic bags around the house. PIRG and child-safety advocates warn families that AI companions marketed as educational or friendly may quietly bypass both content filters and basic child-development safeguards.
Figma Accused of Secretly Using Customer Designs to Train AI
Figma has been hit with a proposed class action in California alleging it quietly used customers' design files and intellectual property to train its generative AI features. The lawsuit claims Figma automatically opted users into AI training without clear consent and seeks damages plus a court order blocking the company from running AI models built on allegedly misused customer data.
AI Coding Bots Are Being Hijacked to Run Global Fraud Schemes
Factory.ai reported that attackers used its Droid coding assistant to spin up huge numbers of fake accounts and companies to abuse free trials across multiple AI providers. The incident showed three things: criminals are now using coding agents as force multipliers, platforms offering powerful models and free access are targets, and defending against AI-enabled attackers requires AI-assisted defenses.
Hidden Instructions in Project Files Let Cline Coding Agent Run Dangerous Actions
Researchers found that Cline's AI coding agent could be tricked by malicious files inside a project, causing it to read private API keys, send them out through harmless-looking commands, and even auto-approve risky actions. One bug also exposed which model was running behind the scenes. The latest versions fix these issues, but the research shows how easily AI coding tools can be steered into unsafe behavior when they trust what's inside a repo.
Hidden Comet API Lets AI Browser Run Programs on Your Device
Researchers found that Perplexity's Comet browser ships with hidden extensions that can call a private MCP API to run apps and commands directly on a user's computer. A malicious extension that impersonates Comet's built-in Analytics extension could therefore quietly pass instructions to the agent extension and trigger malware or even ransomware without any explicit permission from the user. While Perplexity has added measures to prevent the attack, the company dismissed the findings as "fake security research."
Cybersecurity News
Free Browser Extensions Are Surveilling You
Researchers uncovered a recurring campaign of "Free Unlimited VPN" and ad-blocking extensions that quietly turned millions of Chrome and Edge installs into browser-level surveillance tools, intercepting traffic, redirecting users, and profiling browsing activity under the guise of privacy. The campaign's repeated reappearance highlights how easily developers can relaunch the same malicious extensions under new IDs, and why enterprises need continuous monitoring and policy controls for browser extensions rather than one-time store reviews or basic allowlists.
CrowdStrike Fires Employee for Sharing Information With Hackers
CrowdStrike says it terminated a "suspicious insider" who snapped photos of internal dashboards and shared them with the Scattered Lapsus$ Hunters hacking collective, which later posted the screenshots on Telegram as supposed proof of a deep breach. The company insists its systems and customer data were never compromised, says the insider was caught and cut off before hackers could use the access, and has turned the case over to law enforcement.
Record DDoS Attack Slams Microsoft Azure but Is Neutralized
Microsoft said it neutralized the largest single cloud DDoS attack ever recorded, measuring 15.72 Tbps and nearly 3.64 billion packets per second. Launched from more than 500,000 IP addresses and aimed at a single Azure endpoint in Australia, the attack was mitigated by Azure's DDoS protection systems without interrupting service availability for customers.
FCC Eliminates Cybersecurity Rules for Telecom Providers
The Federal Communications Commission voted to scrap its effort to require telecom companies to meet minimum cybersecurity standards, reversing a January ruling that said carriers must secure their networks under the 1994 CALEA law. FCC Chair Brendan Carr argued the Biden-era rules were unlawful and ineffective, while critics warn that rolling them back after China's Salt Typhoon espionage campaign leaves US telecom networks with no federal baseline protections and leans too heavily on voluntary security measures from carriers.
That's all for now… Stay informed and protected.