
Researchers Show AI Robots Vulnerable to Text Attacks

“I expect vision-language models to play a major role in future embodied AI systems,” said Dr. Alvaro Cardenas.


How can misleading text negatively affect AI behavior? That is the question a recently submitted study hopes to address. A team of researchers from the University of California, Santa Cruz and Johns Hopkins University investigated the potential security risks of embodied AI, meaning AI that is fixed in a physical body and uses observations to adapt to its environment rather than relying on text and data alone; examples include cars and robots. The study could help scientists, engineers, and the public better understand the risks to AI systems and the steps needed to mitigate them.

For the study, the researchers introduced CHAI (Command Hijacking against embodied AI), which is designed to counter outside threats to embodied AI systems, including misleading text and imagery. CHAI employs counterattacks that embodied AIs can use to discern right from wrong in the text and images they encounter. The researchers tested CHAI on a variety of AI-based systems, including drone emergency landing, autonomous driving, aerial object tracking, and robotic vehicles. In the end, they found that CHAI successfully identified incoming attacks, while emphasizing the need for stronger security measures for embodied AI.

New sandbox escape flaw exposes n8n instances to RCE attacks

Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host.

Identified as CVE-2026-1470 and CVE-2026-0863, the vulnerabilities were discovered and reported by researchers at DevSecOps company JFrog.

Despite requiring authentication, CVE-2026-1470 received a critical severity score of 9.9 out of 10. JFrog explained that the critical rating was due to arbitrary code execution occurring in n8n’s main node, which allows complete control over the n8n instance.

Radiowaves enable energy-efficient AI on edge devices without heavy hardware

As drones survey forests, robots navigate warehouses and sensors monitor city streets, more of the world’s decision-making is occurring autonomously on the edge—on the small devices that gather information at the ends of much larger networks.

But making that shift to edge computing is harder than it seems. Although artificial intelligence (AI) models continue to grow larger and smarter, the hardware inside these devices remains tiny.

Engineers typically have two options, neither of which is ideal. Storing an entire AI model on the device requires significant memory, data movement and computing power, which drains batteries. Offloading the model to the cloud avoids those hardware constraints, but the back-and-forth introduces lag, burns energy and presents security risks.

Microsoft patches actively exploited Office zero-day vulnerability

Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks.

The security feature bypass vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company’s cloud-based subscription service).

However, as noted in today’s advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible.

6 Okta security settings you might have overlooked

What worked six months ago may no longer be sufficient to protect against today’s threats.

This article outlines six fundamental Okta security best practices that form the backbone of a resilient identity security program.

Beyond implementing these settings, continuous security posture monitoring for Okta (and the rest of your SaaS ecosystem) with a tool like Nudge Security can help you stay ahead of emerging threats and maintain a robust security posture as your environment grows and changes.

Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies

The defense mechanisms that NPM introduced after the ‘Shai-Hulud’ supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies.

Collectively called PackageGate, the vulnerabilities were discovered in multiple utilities in the JavaScript ecosystem that allow managing dependencies, like pnpm, vlt, Bun, and NPM.

Researchers at endpoint and supply-chain security company Koi discovered the issues and reported them to the vendors. They say that the problems were addressed in all tools except for NPM, which closed the report stating that the behavior “works as expected.”
