Links
This article analyzes the vulnerabilities of the Model Context Protocol (MCP) used in coding copilot applications. It identifies critical attack vectors such as resource theft, conversation hijacking, and covert tool invocation, highlighting the need for stronger security measures. Three proof-of-concept examples illustrate these risks in action.
A new attack called TEE.fail compromises the security of Trusted Execution Environments (TEEs) from Nvidia, AMD, and Intel. It utilizes a simple hardware method that, once executed, renders these TEEs untrustworthy, even if the operating system kernel is compromised. This raises significant concerns about the security claims made by chipmakers regarding their TEEs.
Exploiting enterprise Wi-Fi networks, even those secured with EAP-TLS, is possible through techniques like wireless pivots and rogue access points. This article explores how attackers can capture credentials and network traffic by taking advantage of misconfigurations and the behavior of trusted devices as they connect to various networks. The discussion includes the mechanics of attacks and the importance of understanding Wi-Fi security boundaries.
Open-source software (OSS) is increasingly vulnerable to supply chain attacks that exploit the trust developers place in widely used libraries and tools. Notable incidents, including attacks on Solana's Web3.js and Amazon's Q extension, demonstrate how malicious actors can compromise critical components, leading to significant security breaches. The article emphasizes the need for improved security measures and governance in the open-source ecosystem.
AWS EventBridge's cross-account capabilities can introduce significant security vulnerabilities if not configured properly, allowing attackers to infiltrate or exfiltrate data. The article outlines various attack patterns, including persistent beaconing, command and control, and reconnaissance, highlighting the stealthy nature of these threats and the importance of securing EventBridge configurations. Practical guidance for mitigating these risks is also provided.
AI-generated code poses significant risks to the software supply chain due to the prevalence of non-existent dependencies, which can be exploited in dependency confusion attacks. A recent study found that a majority of code samples generated by large language models contained these "hallucinated" dependencies, increasing the likelihood of malicious packages being unknowingly installed by developers. This vulnerability highlights the need for careful verification of code outputs from AI models to prevent potential security breaches.
The article discusses vulnerabilities found in industrial switches that could allow attackers to gain full control over critical systems. These flaws pose significant risks to operational technology environments, potentially leading to severe disruptions. Immediate action is recommended to mitigate these security threats.