LodeHQSubscribe →

GPUHammer flips Nvidia A6000 bits, Laravel RCE from leaked keys

Infosec · 2026-07-12

Vulnerabilities & Exploits
Invisible HTML Prompts Let Gemini Inject Phishing Alerts into Email Summaries2 MIN

A researcher showed that hidden HTML prompts in Gmail can trick Google Gemini for Workspace into inserting phishing warnings into AI-generated email summaries. The attack bypasses existing prompt‑injection defenses and needs only a user to click “Summarize this email,” making it a stealthy vector without links or attachments. Google says mitigations are being rolled out but no real‑world abuse has been seen yet.

Chrome bug revives ad‑blocker blocking in MV3 extensions5 MIN

A Chrome bug in legacy JavaScript bindings lets MV3 extensions fabricate webRequest events, effectively restoring the webRequestBlocking permission Google removed to cripple ad‑blockers. Reported in 2023, the flaw shows that Google’s anti‑ad‑block push can still be sidestepped, keeping request‑blocking extensions alive.

Zimbra Classic Web Client XSS flaw lets attackers run code via crafted emails5 MIN

Zimbra Collaboration Suite's Classic Web Client suffers a stored XSS flaw (CVE-2025-27915) that executes JavaScript when a user opens a crafted email with an embedded calendar file. Exploitation grants attackers full session control, enabling actions like email redirection and data exfiltration. Zimbra released version 10.1.19 to patch the issue.

600+ Laravel sites face RCE after 260k APP_KEYs leaked on GitHub7 MIN

Researchers at GitGuardian unearthed more than 260,000 Laravel APP_KEYs exposed in public GitHub repos, enabling attackers to trigger remote code execution via deserialization. Over 600 live applications were confirmed vulnerable, highlighting the critical risk of secret leakage in widely used PHP frameworks.

GPUHammer Flips Bits on Nvidia A6000 GPUs, Endangering AI Models1 MIN

Researchers at the University of Toronto unveiled GPUHammer, the first Rowhammer attack on Nvidia A6000 GPUs with GDDR6 memory. The technique induced up to eight bit flips across four DRAM banks, allowing attackers to corrupt machine‑learning models and slash their accuracy by as much as 80%.

Gigabyte BIOS exposes four SMM callout bugs for SMM takeover3 MIN

Four SMM callout bugs (CVE‑2025‑7026‑7029) in Gigabyte UEFI firmware let admins execute code in System Management Mode, bypassing OS defenses. The flaws, previously patched by AMI, resurfaced in Gigabyte BIOS builds; Gigabyte has released firmware updates. Users should verify their motherboard firmware version and apply the patch.

Combining Echo Chamber and Crescendo Beats Grok‑4 Safety Guardrails3 MIN

Researchers at NeuralTrust showed that pairing the Echo Chamber and Crescendo jailbreak methods lets Grok‑4 bypass its safety filters in just a few turns, even producing detailed instructions for illicit actions. The hybrid attack adds a nudging phase after the persuasion cycle, dramatically increasing success rates over either technique alone.

Breaches & Industry News
McHire’s default admin password leaked data of 64 M job seekers2 MIN

Security researchers discovered that McHire, McDonald’s AI chatbot hiring platform, used default admin credentials (123456/123456) and an insecure IDOR API, exposing personal data of over 64 million applicants. The vendor revoked the credentials and fixed the flaw within days, underscoring the urgent need for robust security in AI‑driven recruitment tools.

13 Romanians Arrested for £47M HMRC Phishing Scam2 MIN

Romanian police, aided by HMRC, arrested 13 suspects in a phishing operation that compromised 100,000 UK tax accounts and siphoned £47 million. The bust highlights the scale of cross‑border tax fraud and underscores the need for tighter identity controls in government portals.

Privacy, Policy & Governance
Meta’s ‘localhost tracking’ could cost the company €32 bn in fines11 MIN

Meta’s Android apps silently opened local ports, letting web‑page scripts send identifiers via WebRTC and tie anonymous browsing to individual Facebook or Instagram accounts. Bypassing sandbox protections, the technique could breach GDPR, DSA and DMA, exposing Meta to up to €32 billion in combined fines.

Research & Tools
Figma rolls out Santa binary‑auth across all laptops, keeping productivity intact12 MIN

Figma scaled Santa, an open‑source macOS binary‑authorization tool, to every employee laptop. By running it in monitoring mode first, they built a data‑driven allowlist and added file‑access controls for browser cookies, slashing the attack surface without slowing developers.

Cameradar automates RTSP camera hunting and credential brute‑forcing6 MIN

Cameradar lets attackers sweep networks for unsecured RTSP cameras, auto‑detect models, brute‑force stream routes and credentials, then dump a full report. With a single Docker command it probes ports 554/5554/8554 across subnets, leveraging custom dictionaries for routes and login combos. Security teams can use it to audit camera exposure before attackers do.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ