Connect with us

CyberSecurity

Paragon Refuses to Cooperate With Italian Authorities in Spyware Probe, Report Alleges

Published

on

Paragon Refuses to Cooperate With Italian Authorities in Spyware Probe, Report Alleges

New allegations suggest that Paragon Solutions, the Israeli-American surveillance technology firm, is stonewalling Italian prosecutors investigating a massive spyware scandal. According to a report from Wired Italy, the company has failed to respond to a formal request for information sent via the Israeli government—more than a year after the investigation began. This development marks a significant turn in the ongoing Paragon spyware scandal, which has shaken Italy’s political and journalistic communities.

Last year, both WhatsApp and Apple alerted several Italian citizens—including journalists and activists—that they had been targeted with government-grade spyware. WhatsApp specifically identified Paragon as the supplier of the “Graphite” spyware used in a global hacking campaign that affected roughly 90 individuals. The notifications triggered a wave of criminal complaints and a formal investigation by Italian prosecutors.

The Alleged Refusal to Cooperate in the Italian Spyware Investigation

Building on the initial scandal, the latest twist involves Paragon’s apparent unwillingness to assist authorities. Wired Italy reports that prosecutors in Rome and Naples jointly sent a formal request for information to Paragon through diplomatic channels. However, the company has not replied. This silence contradicts earlier public statements from Paragon, in which the firm claimed it had offered to help investigate the hacking of a journalist—an offer it says the Italian government rejected.

As a result, Paragon even canceled its contracts with Italy’s two main intelligence agencies, AISE and AISI. The company argued that the Italian government turned down its proposal to probe whether a journalist was actually spied on using Graphite. This public feud between a spyware vendor and a former client is highly unusual in the secretive surveillance industry.

Possible Reasons for Paragon’s Silence

Observers speculate that the Israeli government may have intervened to block Paragon’s cooperation. In 2024, The Guardian reported that Israeli authorities seized documents from NSO Group to prevent the company from complying with legal demands in a lawsuit brought by WhatsApp. Israeli human rights lawyer Eitay Mack told Wired Italy that while the Israeli government has the legal power to force local companies to cooperate with foreign judicial requests, it has never done so. This context raises questions about whether Paragon is acting on its own or under state pressure.

Meanwhile, Spain’s High Court closed its own investigation into NSO spyware targeting Spanish politicians earlier this year, citing a lack of cooperation from Israeli authorities. This pattern suggests a broader reluctance among Israeli surveillance firms to engage with foreign probes.

Paragon’s Attempt to Position Itself as an Ethical Alternative

In the history of government spyware, it is extremely rare for a company to engage in a public dispute with a former customer. Paragon’s aggressive stance appears to be part of a strategic effort to differentiate itself from rivals like NSO Group and Intellexa, which have been mired in numerous scandals worldwide. The company’s now-defunct official website once claimed it provides customers “with ethically based tools, teams, and insights.”

However, the Paragon spyware scandal is its first major public controversy. The firm currently holds an active contract with U.S. Immigration and Customs Enforcement (ICE), which has been using Paragon’s technology to arrest and deport tens of thousands of immigrants. ICE told lawmakers that its law enforcement arm, Homeland Security Investigations (HSI), deploys Paragon’s spyware to counter terrorism and drug trafficking.

Italy’s Government Denies Involvement in Journalist Hacking

Italy’s government, led by Prime Minister Giorgia Meloni, has consistently denied authorizing the hacking of journalists Francesco Cancellato and Ciro Pellegrino, both of whom work for the online news outlet Fanpage. The Citizen Lab, a leading research organization that has investigated spyware abuses for over a decade, confirmed that both journalists were compromised using Graphite. Other victims include activists from Mediterranea Saving Humans, an Italian nonprofit dedicated to rescuing migrants crossing the Mediterranean Sea.

In June of last year, the Italian parliamentary committee overseeing intelligence agencies concluded that the targeting of activists was lawful. However, the committee stated it could not find evidence that Cancellato was targeted, and it did not examine Pellegrino’s case at all. Then, in March, the same prosecutors who requested information from Paragon announced that a forensic analysis of Cancellato’s device confirmed he was hacked, though the results for Pellegrino’s phone were inconclusive.

What Comes Next for the Italian Spyware Probe?

The prosecutors’ investigation remains open. Without Paragon’s cooperation, Italian authorities face significant hurdles in uncovering the full scope of the spyware campaign. This situation underscores the challenges that national governments encounter when trying to hold foreign surveillance companies accountable. For now, the Paragon spyware scandal continues to unfold, leaving journalists, activists, and legal experts watching closely for any signs of progress—or further obstruction.

For more insights into similar cases, read about how spyware targets journalists globally and explore the ethics of government surveillance.

Do you have more information about Paragon Solutions and the spyware scandal in Italy? Contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

WriteOut Flaw: How a Session Token Leak Could Have Exposed Every Writer AI Tenant

Published

on

Writer AI flaw

They called it WriteOut. And it could have blown open every tenant on the Writer AI platform.

Cybersecurity researchers at Sand Security have revealed the details of a critical vulnerability in Writer, an enterprise generative AI platform. The flaw, now patched, allowed a one-click attack that could leak session tokens across tenants — effectively letting an outsider hijack any agent preview without ever logging in.

The bug is being tracked as WriteOut. And it’s a textbook case of what happens when session isolation isn’t bulletproof.

What exactly was the Writer AI flaw?

The vulnerability lived inside Writer’s agent preview feature — the sandbox where users test and iterate on AI agents before deploying them. Under the hood, each tenant is supposed to be walled off from every other tenant. That’s basic multi-tenant security: your data, your sessions, your agents — all isolated.

WriteOut broke that wall.

Sand Security found that a malicious actor could craft a specially designed link. Click it, and the victim’s browser would execute a cross-tenant request that leaked their session token. From there, the attacker could impersonate the victim inside Writer, accessing their agents, their prompts, their history — everything.

No credentials needed. No brute force. Just one click.

Cross-tenant compromise: the real danger

Cross-tenant vulnerabilities are the nightmare scenario for any SaaS platform. They mean that a breach at Company A can spill directly into Company B’s data — without either company doing anything wrong.

In Writer’s case, the agent preview feature was the entry point. The platform uses session tokens to keep users authenticated as they move between features. But the token validation logic didn’t properly enforce tenant boundaries during preview requests. A request from Tenant A could include a token from Tenant B, and the server would accept it.

That’s the kind of bug that keeps CISOs up at night.

Sand Security’s team demonstrated the attack with a proof-of-concept they called WriteOut. It required no authentication from the attacker. Just a link, a victim, and a click.

How Writer fixed the session isolation vulnerability

Writer patched the flaw after Sand Security disclosed it responsibly. The fix involved tightening session token validation to ensure that tokens are scoped to their originating tenant. Now, a token from Tenant A simply won’t work when presented to Tenant B’s resources.

The company also added additional checks on the server side to verify tenant identity on every request involving agent previews. It’s the kind of layered defense that should have been there from the start — but at least it’s there now.

Writer has not disclosed whether the vulnerability was ever exploited in the wild. But given the nature of the bug — a cross-tenant session leak — the potential blast radius was enormous. If an attacker had discovered WriteOut before Sand Security did, they could have silently harvested tokens from any Writer user who clicked a malicious link.

That’s the quiet danger of session isolation flaws: no alarms, no unusual login activity. Just a stolen token and a ghost in the machine.

What this means for enterprise AI security

Writer is far from alone. Enterprise AI platforms are being built at breakneck speed, and security often takes a backseat to shipping features. Agent previews, custom model tuning, and collaborative workspaces all introduce new surfaces for cross-tenant attacks.

The WriteOut vulnerability is a reminder that session isolation isn’t a checkbox — it’s a continuous engineering discipline. Every new feature that touches authentication needs to be audited, not just for its intended behavior, but for what happens when someone sends unexpected data across tenant boundaries.

For enterprises using AI platforms, the lesson is clear: don’t assume your data is walled off just because the marketing materials say so. Ask your vendors about their session isolation architecture. Ask about their bug bounty program. And if they can’t give you a straight answer, that’s an answer in itself.

Key takeaways

  • One-click exploitation: WriteOut required only a single click from a victim to leak their session token.
  • Cross-tenant scope: The flaw broke tenant isolation, meaning data from one organization could be accessed by an attacker posing as a user from another.
  • No authentication needed: The attacker didn’t need valid credentials — just a crafted link and a victim.
  • Patched responsibly: Sand Security disclosed the bug to Writer, which fixed it before public disclosure.

For more on securing generative AI workflows, check out our guide on AI platform security best practices and how to audit session token handling in multi-tenant SaaS apps.

Writer has since confirmed the patch is complete and no customer data was compromised. But WriteOut will go down as a near-miss — one that could have exposed every agent, every prompt, and every session on the platform.

Continue Reading

CyberSecurity

‘GitLost’ Bug Lets Attackers Drain Private Repos Through Public GitHub Issues

Published

on

GitLost vulnerability

How a Single Public Issue Can Expose Your Private Repos

A newly uncovered vulnerability, dubbed GitLost, exposes a dangerous gap in GitHub‘s agentic workflow system. The flaw allows an unauthenticated attacker to craft a seemingly harmless GitHub Issue in a public repository — and then silently siphon data from that organization’s private repositories.

It’s a classic supply-chain twist: the attacker never needs credentials. They don’t need to compromise a developer’s machine. All they need is a public repo where issues are open, and a victim organization that uses GitHub Actions or other automated workflows that respond to issue events.

The vulnerability was disclosed by researchers at Protect AI, who gave it the name GitLost. The name is fitting — it describes data that should be private but gets “lost” to an outsider through a side channel.

Why Agentic Workflows Are the Weak Link

GitHub’s agentic workflows — automated pipelines that can read, write, and act on repository events — are powerful. They let teams build bots that triage issues, run tests, or deploy code. But that power comes with a blind spot.

Here’s the core problem: when a workflow triggers on an issue_comment or issues event, it often runs with permissions that extend beyond the public repo. A typical action might clone the repo, check environment variables, or even access other repositories in the same organization. If the workflow’s code doesn’t strictly sanitize input from the issue, an attacker can inject commands that exfiltrate that data.

The Attack Chain, Step by Step

  1. Identify a target — Find a GitHub organization with a public repository that has issues enabled and uses a workflow that responds to issue events.
  2. Craft a malicious issue — The attacker opens an issue containing specially crafted content, such as a payload in the issue title, body, or a comment.
  3. Trigger the workflow — The organization’s GitHub Action runs automatically (e.g., on issue_comment), pulling the issue data into its execution context.
  4. Data exfiltration — The payload executes within the workflow, reading secrets, environment variables, or files from private repos, then sending them to an attacker-controlled server.

Protect AI’s researchers demonstrated the attack using a custom GitHub App that mimicked a real-world workflow. They were able to extract private repository contents, access tokens, and even organization-level secrets — all from a single public issue.

Who Is at Risk? Nearly Anyone Using GitHub Actions

The GitLost vulnerability doesn’t require exotic configurations. Any organization that runs GitHub Actions on issue events — including popular actions like stale, labeler, or custom bots — could be exposed. GitHub Actions security is often overlooked because teams assume the trigger event is low-risk.

But the risk is real. An attacker could:

  • Steal proprietary source code from private repos
  • Extract API keys, database credentials, or cloud service tokens
  • Pivot to compromise other systems using leaked credentials
  • Plant backdoors in CI/CD pipelines

The attack is especially dangerous for open-source projects that have both public and private repositories under the same organization. A popular library with a public issue tracker could become the entry point to the company’s internal infrastructure.

What GitHub Has Done — and What You Should Do

GitHub has acknowledged the vulnerability and released a security advisory. The company recommends that organizations review their workflow permissions and apply the principle of least privilege. Specifically:

  • Use pull_request events instead of issue_comment where possible, since PRs come from forked repos with limited trust
  • Set permissions: read-only on workflows that don’t need write access
  • Avoid using ${{ github.event.issue.body }} or other user-supplied data directly in shell commands
  • Pin action versions to specific commit SHAs, not version tags
  • Use OpenID Connect (OIDC) for cloud authentication instead of long-lived secrets

Protect AI also released a free checker tool that scans your GitHub organization for workflows vulnerable to GitLost. The tool checks for common misconfigurations and flags risky patterns.

The Bigger Picture: Agentic Security Is Still Immature

The GitLost flaw is not an isolated incident. It’s part of a broader trend where AI-powered agentic workflows — systems that autonomously act on events — introduce new attack surfaces. Traditional security models assume a human in the loop, but agents act quickly, silently, and with broad permissions.

Security researchers have warned for years that GitHub Actions, like any CI/CD system, is only as secure as its least-trusted input. The GitLost vulnerability is a concrete demonstration of that principle. It shows that even a seemingly innocuous feature — opening an issue — can be weaponized.

For now, the best defense is skepticism. Treat every external input as untrusted, especially in automated workflows. Audit your actions. And remember: just because a repo is public doesn’t mean its workflows should trust anyone.

Continue Reading

CyberSecurity

Microsoft Fixes a Staggering 570 Bugs — Nearly Triple Last Month’s Record

Published

on

Microsoft patches record

Microsoft’s July Patch Tuesday Shatters All Records

Microsoft dropped a bombshell this week. The company released security updates covering at least 570 vulnerabilities — nearly triple what it fixed in last month’s already record-breaking Patch Tuesday. That’s not a typo. Fifty-seven zero-zero.

The sheer scale is unprecedented. Microsoft attributes this explosion in patch counts directly to artificial intelligence. Pavan Davuluri, Microsoft’s Executive Vice President, wrote on July 9 that Windows users should expect “a higher volume of security updates” going forward. AI, he explained, is now finding more bugs, faster, across more code than ever before.

60 Critical Bugs and 3 Zero-Days Under Active Attack

Nearly 60 of the flaws fixed this month carry a “critical” severity rating. That means attackers or malware can remotely take over a Windows device with minimal user interaction. It gets worse: Microsoft addressed three zero-day vulnerabilities, two of which are already being exploited in the wild.

Two of those zero-days let an attacker elevate their privileges on a Windows system. They are CVE-2026-56155, an Active Directory Federation Services bug, and CVE-2026-56164, a Microsoft SharePoint vulnerability. The third zero-day, CVE-2026-50661, is a BitLocker security feature bypass. Microsoft says this one has been publicly detailed but isn’t yet actively exploited. If an attacker gets physical access to your device, they could potentially read your encrypted data.

250 Elevation-of-Privilege Flaws: A Troubling Pattern

Here’s a number that should make any security team sit up straight: roughly 250 of this month’s patches fix elevation-of-privilege (EoP) vulnerabilities. That’s nearly half of all the bugs Microsoft is squashing.

EoP flaws are especially dangerous because they turn a limited user account into an administrator. Once an attacker has admin rights, they can install malware, steal data, or move laterally across a network. The sheer volume suggests that either Microsoft’s codebase has systemic privilege-escalation issues, or AI is surfacing problems that were invisible before. Probably both.

Copilot Bug Scores 9.6 — and It’s Remote Code Execution

Perhaps the most eye-catching single vulnerability this month is CVE-2026-48561, a remote code execution flaw in Microsoft Copilot. It carries a CVSS score of 9.6 — nearly perfect severity. Jack Bicer, director of vulnerability research at Action1, highlighted the risk: an unauthorized attacker can execute code over the network simply by hosting a malicious website. When a user visits that site using Microsoft Edge for Android, the browser automatically sends crafted prompts to Copilot. No user interaction required beyond the visit.

That’s alarming for anyone using Copilot on mobile. Microsoft’s own exploitability index initially rated this bug as “less likely” to be exploited. But security researchers aren’t buying it.

AI Is Changing the Game — But So Are Attackers

Satnam Narang, senior staff research engineer at Tenable, argues that Microsoft’s exploitability index is becoming dangerously outdated. The system was designed around human attackers. Now AI tools can generate working exploits in minutes.

Narang pointed to research from Anthropic’s Red Team. Their Mythos Preview model produced proof-of-concept exploits for 13 out of 14 vulnerabilities that Microsoft had rated “Exploitation Less Likely” or “Exploitation Unlikely.” That’s a 93% success rate on bugs the company considered low-risk.

“Our way of looking at Patch Tuesday has changed,” Narang said. “The exploitability index is centered around humans, not AI tools. As these tools continue to improve, defense needs to improve alongside it.”

His point is stark: if AI can weaponize supposedly “unlikely” vulnerabilities in minutes, Microsoft’s ratings are essentially meaningless. The company added CVE-2026-56164, the SharePoint zero-day, to CISA’s Known Exploited Vulnerabilities list on July 1 — after initially calling it “less likely” to be exploited.

Other Vendors Are Also Ramping Up Patch Volume

Microsoft isn’t alone in this surge. Chris Goettl at Ivanti noted that Adobe, Cisco, Mozilla, and Oracle are all shipping updates more frequently. Adobe announced it’s moving to twice-monthly security bulletins, also citing AI for accelerating its patch cycles. Google’s patch batches in June 2026 totaled more than 900 security fixes.

The industry is clearly in a new era. AI is helping find vulnerabilities at machine speed. But it’s also helping attackers weaponize them just as fast. The old monthly patch cycle was designed for a slower world. That world is gone.

Should You Patch Immediately or Wait?

Here’s the practical dilemma. With 570 fixes, the odds of a patch causing system instability are higher than usual. Microsoft’s own history shows that large patch batches sometimes break things. Windows backup best practices are always a good idea before applying updates. For end users, waiting a few days to let early adopters discover any issues might be wise. For IT administrators, the calculus is different: two actively exploited zero-days mean the risk of not patching is real.

Either way, July 2026 will be remembered as the month Microsoft patched more vulnerabilities than ever before — and signaled that this is the new normal.

Continue Reading

Trending