Category: Uncategorized

  • Trump says he will ‘100%’ carry out Greenland tariffs threat, as EU vows to protect its interests

    Donald Trump has vowed to “100%” follow through on his threat to impose tariffs on European countries who oppose his demand to take control of Greenland.

    European allies have rallied around Greenland’s sovereignty. Denmark’s foreign minister emphasised the US president cannot threaten his way to ownership of the semi-autonomous Danish territory.

    UK Foreign Secretary Yvette Cooper reiterated the UK’s position that the future of Greenland is for “Greenlanders and for the Danes alone” to decide.

    On Monday, Trump declined to rule out the use of force and insisted he would press ahead with the threatened tariffs on goods arriving in the US from the UK and seven other Nato-allied countries.

    Asked by NBC News if he would use force to seize Greenland, Trump answered: “No comment”.

    The US president said he would charge Britain a 10% tariff “on any and all goods” sent to the US from 1 February, increasing to 25% from 1 June, until a deal is reached for Washington to purchase Greenland from Denmark.

    Trump said the same would apply to Denmark, Norway, Sweden, France, Germany, the Netherlands and Finland – all of whom are members of the defence alliance Nato which was founded in 1949.

    Asked if he will follow through on the tariff threat, Mr Trump told NBC News: “I will, 100%.”

    Trump added: “Europe ought to focus on the war with Russia and Ukraine because, frankly, you see what that’s gotten them… That’s what Europe should focus on – not Greenland.”

    Denmark has warned that US military action in Greenland would spell the end of Nato. In recent days, Greenland has received support from European members of the alliance – some even sent a handful of troops to Greenland last week in a move seen as symbolic.

    However, Trump followed that deployment with an announcement to impose tariffs on the eight Nato allies.

    Danish foreign minister Lars Løkke Rasmussen said that Europe had to show President Trump tariff threats were “not the way forward”.

    “We have red lines that can’t be crossed,” he told Sky News. “You can’t threaten your way to ownership of Greenland. I have no intention of escalating this situation.”

    Nato secretary general Mark Rutte said the alliance will keep working with Denmark and Greenland on the security of the Arctic.

    The European Union is to hold an emergency summit in Brussels for its leaders on Thursday where they will discuss how to respond to Trump’s latest threat to take over Greenland.

    Kaja Kallas, the EU’s foreign policy chief, said the bloc has “no interest to pick a fight, but we will hold our ground”.

    “But trade threats are not the way to go about this,” Kallas added. “Sovereignty is not for trade.”

    It comes as text exchanges between Trump and the Norwegian prime minister were released – showing that on Sunday the US president blamed Norway for the fact he didn’t get the Nobel Peace Prize.

    In his reply – seen by the BBC – Jonas Gahr Støre explained that an independent committee, not the government of Norway, awards the prize which last October went to Venezuela’s opposition leader María Corina Machado.

    “Norway’s position on Greenland is clear. Greenland is a part of the Kingdom of Denmark, and Norway fully supports the Kingdom of Denmark on this matter,” Støre added.

    Trump also addressed the text message exchange in Monday’s interview and said: “Norway totally controls it [the Nobel Prize] despite what they say.

    “They like to say they have nothing to do with it, but they have everything to do with it.”




  • Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites


    Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism.

    The vulnerability, Miggo Security’s Head of Research, Liad Eliyahu, said, made it possible to circumvent Google Calendar’s privacy controls by hiding a dormant malicious payload within a standard calendar invite.

    “This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction,” Eliyahu said in a report shared with The Hacker News.

    The starting point of the attack chain is a new calendar event that’s crafted by the threat actor and sent to a target. The invite’s description embeds a natural language prompt that’s designed to do their bidding, resulting in a prompt injection.

    The attack gets activated when a user asks Gemini a completely innocuous question about their schedule (e.g., “Do I have any meetings for Tuesday?”). This prompts the artificial intelligence (AI) chatbot to parse the specially crafted prompt in the aforementioned event’s description, which instructs it to summarize all of the user’s meetings for a specific day, add this data to a newly created Google Calendar event, and then return a harmless response to the user.

    “Behind the scenes, however, Gemini created a new calendar event and wrote a full summary of our target user’s private meetings in the event’s description,” Miggo said. “In many enterprise calendar configurations, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action.”
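
    A defensive sketch of the control this chain bypasses, added here as an example and not taken from Miggo's report or from Google's fix: a gate that treats event text authored by anyone other than the user as untrusted, and holds or refuses write-capable tool calls once such text has entered the turn. The tool names, classes, and sample events are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for an assistant with calendar access (assumption).
WRITE_TOOLS = {"create_event", "update_event"}

@dataclass
class Event:
    title: str
    description: str
    organizer: str
    private: bool = False

@dataclass
class TurnContext:
    """Tracks what the model has read while serving one user request."""
    user: str
    tainted_by: list = field(default_factory=list)    # untrusted authors read
    private_titles: set = field(default_factory=set)  # private data in context

    def read_event(self, ev: Event) -> str:
        # Text authored by someone other than the user may carry instructions,
        # so reading it taints the rest of the turn.
        if ev.organizer != self.user:
            self.tainted_by.append(ev.organizer)
        if ev.private:
            self.private_titles.add(ev.title.lower())
        return f"{ev.title}: {ev.description}"

def gate_tool_call(ctx: TurnContext, tool: str, args: dict, user_asked_write: bool) -> str:
    """Return 'allow', 'confirm' or 'deny' for a tool call proposed by the model."""
    if tool not in WRITE_TOOLS:
        return "allow"
    text = " ".join(str(v) for v in args.values()).lower()
    leaks_private = any(t in text for t in ctx.private_titles)
    if ctx.tainted_by and leaks_private:
        return "deny"     # private data flowing into a newly written field
    if ctx.tainted_by or not user_asked_write:
        return "confirm"  # a write the user did not request: show it first
    return "allow"

def demo():
    # Constructed sample data, not taken from the report.
    ctx = TurnContext(user="alice@example.com")
    ctx.read_event(Event("Board review", "Q3 numbers", "alice@example.com", private=True))
    ctx.read_event(Event("Sync", "<instructions hidden in invite text>", "outsider@example.net"))
    read = gate_tool_call(ctx, "list_events", {"day": "Tuesday"}, False)
    write = gate_tool_call(ctx, "create_event",
                           {"title": "free", "description": "Board review 10:00"}, False)
    return read, write  # ("allow", "deny")
```

    The substring match on private titles is only a stand-in for real data-flow tracking; the point is that the decision is made outside the model, on provenance, rather than by asking the model whether the text looks malicious.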

    Although the issue has since been addressed following responsible disclosure, the findings once again illustrate that AI-native features can broaden the attack surface and inadvertently introduce new security risks as more organizations use AI tools or build their own agents internally to automate workflows.

    “AI applications can be manipulated through the very language they’re designed to understand,” Eliyahu noted. “Vulnerabilities are no longer confined to code. They now live in language, context, and AI behavior at runtime.”

    The disclosure comes days after Varonis detailed an attack named Reprompt that could have made it possible for adversaries to exfiltrate sensitive data from artificial intelligence (AI) chatbots like Microsoft Copilot in a single click, while bypassing enterprise security controls.

    The findings illustrate the need for constantly evaluating large language models (LLMs) across key safety and security dimensions, testing their penchant for hallucination, factual accuracy, bias, harm, and jailbreak resistance, while simultaneously securing AI systems from traditional issues.

    Just last week, Schwarz Group’s XM Cyber revealed new ways to escalate privileges inside Google Cloud Vertex AI’s Agent Engine and Ray, underscoring the need for enterprises to audit every service account or identity attached to their AI workloads.

    “These vulnerabilities allow an attacker with minimal permissions to hijack high-privileged Service Agents, effectively turning these ‘invisible’ managed identities into ‘double agents’ that facilitate privilege escalation,” researchers Eli Shparaga and Erez Hasson said.

    Successful exploitation of the double agent flaws could permit an attacker to read all chat sessions, read LLM memories, and read potentially sensitive information stored in storage buckets, or obtain root access to the Ray cluster. With Google stating that the services are currently “working as intended,” it’s essential that organizations review identities with the Viewer role and ensure adequate controls are in place to prevent unauthorized code injection.

    The development coincides with the discovery of multiple vulnerabilities and weaknesses in different AI systems –

    • Security flaws (CVE-2026-0612, CVE-2026-0613, CVE-2026-0615, and CVE-2026-0616) in The Librarian, an AI-powered personal assistant tool provided by TheLibrarian.io, that enable an attacker to access its internal infrastructure, including the administrator console and cloud environment, and ultimately leak sensitive information, such as cloud metadata, running processes within the backend, and system prompt, or log in to its internal backend system.
    • A vulnerability that demonstrates how system prompts can be extracted from intent-based LLM assistants by prompting them to display the information in Base64-encoded format in form fields. “If an LLM can execute actions that write to any field, log, database entry, or file, each becomes a potential exfiltration channel, regardless of how locked down the chat interface is,” Praetorian said.
    • An attack that demonstrates how a malicious plugin uploaded to a marketplace for Anthropic Claude Code can be used to bypass human-in-the-loop protections via hooks and exfiltrate a user’s files via indirect prompt injection.
    • A critical vulnerability in Cursor (CVE-2026-22708) that enables remote code execution via indirect prompt injection by exploiting a fundamental oversight in how agentic IDEs handle shell built-in commands. “By abusing implicitly trusted shell built-ins like export, typeset, and declare, threat actors can silently manipulate environment variables that subsequently poison the behavior of legitimate developer tools,” Pillar Security said. “This attack chain converts benign, user-approved commands — such as git branch or python3 script.py — into arbitrary code execution vectors.”

    A security analysis of five vibe coding IDEs, viz. Cursor, Claude Code, OpenAI Codex, Replit, and Devin, found that coding agents are good at avoiding SQL injections or XSS flaws, but struggle when it comes to handling SSRF issues, business logic, and enforcing appropriate authorization when accessing APIs. To make matters worse, none of the tools included CSRF protection, security headers, or login rate limiting.

    The test highlights the current limits of vibe coding, showing that human oversight is still key to addressing these gaps.

    “Coding agents cannot be trusted to design secure applications,” Tenzai’s Ori David said. “While they may produce secure code (some of the time), agents consistently fail to implement critical security controls without explicit guidance. Where boundaries aren’t clear-cut – business logic workflows, authorization rules, and other nuanced security decisions – agents will make mistakes.”




  • At the scene of Spain’s worst rail disaster in over a decade


    The small town of Adamuz in Spain has become the scene of a fatal rail disaster.

    Dozens of people died in the incident, with even more injured.

    The BBC’s Guy Hedgecoe visited the scene, where a large police cordon is in place.

    Officials said an investigation has been launched but it is not expected to determine what happened for at least a month.


