Launcher V2 will go through a private beta before a public release.

Two AI tools broke in the same way in the same two weeks, and four research teams proved it. The pattern underneath every disclosure is one sentence: enterprise AI accepts external input with no trust boundary.

On June 15, Varonis disclosed SearchLeak (CVE-2026-42824), a proof-of-concept exfiltration chain in Microsoft 365 Copilot Enterprise Search. A victim clicks a crafted microsoft.com URL, Copilot searches their mailbox, and the data leaves through a Bing SSRF. No plugins, no second click, no visible indicator. Four days earlier, Obsidian Security published a three-CVE chain against LiteLLM that carried a default low-privilege user all the way to admin and remote code execution. Two tools. Two teams. One broken boundary.

The five-check audit at the end of this article maps each gap to a CVE or a market signal from June, a command you can run before lunch, and a sentence a CISO can read to the board.

Copilot turned a trusted URL into an exfiltration engine

SearchLeak chained three weaknesses into a silent data-theft chain. The URL q parameter fed attacker instructions straight to Copilot’s LLM. A rendering race condition fired an image tag before the output sanitizer ran. Bing’s image-search endpoint, allowlisted in the Content Security Policy, routed the stolen data out. Microsoft rated the flaw critical and patched it on the back end, according to Varonis. NVD has not yet scored it; a third-party tracker lists it at 6.5 medium. The severity is contested, but the mechanism is not.

The escalation is the real story. This is the third Varonis Copilot exfiltration chain in twelve months, after Reprompt in January and EchoLeak in 2025. Reprompt hit Copilot Personal. SearchLeak hit Enterprise Search. Enterprise inherits the user’s full organizational permissions, so the blast radius is everything that a user can reach.

LiteLLM handed a default account to every provider key

The LiteLLM gateway holds the keys for OpenAI, Anthropic, Azure, and Bedrock behind a single proxy. The Obsidian chain runs in three moves. CVE-2026-47101, an authorization bypass, lets a non-admin mint a wildcard API key. CVE-2026-47102 promotes that caller to proxy admin through an unguarded /user/update endpoint. CVE-2026-40217 escapes the code sandbox through exec() with full builtins. Obsidian then demonstrated a reverse shell by injecting a forged tool-call response through LiteLLM’s callback mechanism. Obsidian assessed the combined chain at CVSS 9.9. The developer typed one word. The attacker popped a shell.

A separate LiteLLM flaw made the urgency immediate. CVE-2026-42271, a command-injection bug in the MCP test endpoints, landed on the CISA KEV list on June 8 with a June 22 remediation deadline. That KEV entry is not the Obsidian chain. The two are distinct disclosures four days apart, fixed in different releases, pointed at the same gateway. LiteLLM carries more than 40,000 GitHub stars and sits in thousands of enterprise deployments. This is not the first scare, either. A supply-chain compromise backdoored LiteLLM versions 1.82.7 and 1.82.8 on PyPI in March. A compromised gateway exposes every provider credential the organization holds.

Langflow and Mini Shai-Hulud proved the pattern scales

The same boundary broke in two more tools in the same fortnight. Langflow CVE-2026-5027 became the third Langflow remote-code-execution flaw to hit active exploitation this year. A path traversal in file upload lets an attacker write files anywhere on disk, and because Langflow ships with auto-login enabled by default, a single unauthenticated request reaches RCE. VulnCheck confirmed exploitation on June 9. Censys counted roughly 7,000 exposed instances, the heaviest concentration in North America, with MuddyWater attribution.

The Mini Shai-Hulud campaign hit a different pressure point. After the worm’s source code went public on May 12, copycat variants compromised 32 Red Hat Cloud Services npm packages on June 1, packages pulled 80,000 times a week. The worm harvests more than 20 credential types and self-propagates under the compromised maintainer’s identity.

Four teams, four tools, one operating failure. The bug classes differ. SearchLeak is a prompt injection. LiteLLM is privilege escalation. Langflow is path traversal. Mini Shai-Hulud is supply-chain poisoning. The boundary that broke is the same in all four.

The market already repriced the risk

CrowdStrike’s Q1 FY27 earnings call put a number on the gap. AIDR, the company’s AI detection and response line, grew ending ARR more than 250% sequentially, with a Q2 pipeline above $50 million (SEC-filed 8-K). Total company ARR reached $5.51 billion, and CrowdStrike’s fleet telemetry shows more than 1,800 agentic applications running across enterprise endpoints.

On June 17, the company extended AIDR to AWS, adding real-time evaluation of agent, LLM, and MCP communications across Amazon Bedrock, Kiro, and Strands Agents, building on its work with Anthropic’s Project Glasswing. Daniel Bernard, CrowdStrike’s chief business officer, said the AI attack surface now spans development, runtime, identities, and cloud infrastructure, and that teams treating those as separate domains leave the gaps between them open.

Practitioners name the same gap in plainer terms

David Levin, CISO at American Express Global Business Travel, told VentureBeat the pattern does not surprise him. “We kind of have this shadow AI, which is just the new version of shadow IT,” Levin said.

Both Langflow and LiteLLM fit the description. Teams stood them up for convenience, gave them credentials, and never brought them under governance. Levin puts the fix before deployment. “We didn’t go into this with just saying we’re going to go do this without the right fundamentals,” he said. “We leverage NIST controls. NIST has released their CSF along with their AI framework. OWASP released their top 10. You need the right fundamentals before you deploy.”

Merritt Baer, CSO at Enkrypt AI and former AWS Deputy CISO, named the structural version of the failure in a separate VentureBeat interview. “Enterprises believe they’ve ‘approved’ AI vendors, but what they’ve actually approved is an interface, not the underlying system,” Baer said. “The real dependencies are one or two layers deeper, and those are the ones that fail under stress.” She has tied that directly to how systems fall. “Raw zero-days aren’t how most systems get compromised. Composability is,” Baer told VentureBeat. “It’s the glue between the model and your data where the risk lives. If you give an agent bash and a root token, you’ve already done most of the attacker’s work for them.” That is what rows 2 and 4 of the audit test: the gateway that holds every key, and the agent identity no one governs.

Levin had a sharper frame for the boardroom. “You need to talk more in terms of risk versus compliance to your boards and your executives,” he said. “It’s not about the size of the engineering team anymore. It’s the size of your imagination. It’s all written in plain English. It’s not hard for anyone.” Neither SearchLeak nor LiteLLM needed custom malware or a zero-day to work.

Adam Meyers, CrowdStrike’s SVP of Intelligence, put the operational squeeze in numbers in an exclusive VentureBeat interview. “The problem is not zero-day. The problem is patching. If you 10x that problem, they’re gonna be completely underwater,” Meyers said. He pointed to identity as the second front. “Some of these AI have their own identities, or people give their identity to the AI to take action on their behalf, and that makes it a very complex problem.”

The five-check trust-boundary audit

Each row maps a gap to its proof point, a verification command for Monday morning, the fix, and the sentence to read to the board.

The fix is plumbing, not policy

The June 2 executive order creates an AI Cybersecurity Clearinghouse with a July 2 deadline. The five gaps above are not frontier-model problems. They are plumbing problems in the gateways, orchestration platforms, identity layers, and runtime environments where AI meets the enterprise.

The audit is five rows. Every row maps to a June disclosure or market signal, a command a team can run before lunch, and a sentence a CISO can read to the board. The question is not whether your vendor will patch. It’s whether you find the gap first — or whether an attacker finds it the way they found Copilot and LiteLLM.

DEvops

Cost premium of using AWS indirectly via Vercel is mitigated by more efficient use of compute resources, CTO claims

Vercel introduced an open source agent framework called eve at its Ship event in London this week, along with other new features including Passport, an attempt to put employee apps created with AI under enterprise control.

Agents are dominating the AI conversation currently, and in particular custom agents. Agent frameworks that simplify coding already exist, though eve has a few notable characteristics.

The coding languages are TypeScript and Markdown, and an agent is a directory with files that define the instructions and skills, the model provider, the tools, the authentication, the channels, and the schedule. Agents are sandboxed on isolated VMs by default. The framework also includes a simple testing tool that exercises the agent and evaluates the result. Code is on GitHub under the Apache 2.0 license.

There are plenty of existing agent frameworks, but Vercel CTO Malte Ubl told us that with eve, simplicity is a feature, with users able to take a “fill in the blanks” approach.

“The life cycle of the agent is completely orchestrated by the framework, and as a developer or builder you have to put things in the right places, but then everything magically works,” Ubl said.

“It’s a system where you don’t have to understand every little bit about what sandboxes are and how to compact context windows… All these things are quite complex; you don’t have to understand any of it.”

Agents built with eve deploy to Vercel by default, using the same command that works for web applications: vercel deploy. That said, the company says it is not tied to its platform.

“We are 100 percent committed to making it work everywhere,” Ubl told us, though an early user has already raised an issue about it requiring a Vercel login even when set to use a different model provider; it is early days and this may be a bug. Providers for LLMs and sandboxes are configurable. An eve project also runs locally with: npx eve dev.

What LLM does eve use? “You can connect any model that AI SDK connects to, which is all the models,” Ubl said, where the AI SDK is a Vercel SDK. There is also an option to use Vercel’s AI Gateway, which has a single endpoint for multiple model providers and can improve reliability by switching to another model if one fails.

The company also previewed Enterprise Apps and Agents, which have four components. Vercel Connect replaces static secret credentials with short-lived tokens accessed by OAuth or an API. Vercel Passport uses OpenID Connect to put all the applications and AI agents in a team behind an identity provider such as Okta or Microsoft Entra. Enterprise Managed Users uses directory sync to enable Vercel in a team to be managed by the organization’s identity system. Finally, Bring Your Own Cloud (BYOC) lets organizations use Vercel’s platform running on AWS infrastructure provisioned by the customer.

According to Vercel, Passport was a highly requested feature because of the number of employees who create applications hosted by Vercel but outside the control of the organization. A typical scenario is that an employee builds an application with AI assistance, and the AI agent defaults to using the Next.js React-based framework and Vercel hosting. It is a variety of shadow IT – or shadow AI – where staff create vibe-coded applications using company data but outside the organization’s IT policy or control.

Vercel itself is an AWS customer so its platform should work well using BYOC, but there are some trade-offs, Ubl said. One is that “we don’t allow your compute to assume AWS roles… If you are really deep in the AWS IM [Identity Management] security system, then Vercel doesn’t give this to you,” he told us, “but we do always issue an OIDC token for every invocation of the compute, so you can use that to configure your AWS policies.” Second, with BYOC, “we become a management vendor,” Ubl said, which means giving Vercel access to that part of the customer’s AWS infrastructure.

All Vercel deployments are immutable, which means “every time you push to Git you get a new infrastructure from scratch,” Ubl told us. He considers this ideal for AI agents. Other aspects of the platform have also been optimized for agents. “We try to be close to what the agents do,” he said.

A common critique of Vercel is that since it runs on AWS, using Vercel means paying a premium for hosting that would be cheaper when purchased directly. According to Ubl, that premium is mitigated by Vercel’s efficient use of those resources, “especially at low scale, and especially compared to Lambda,” the AWS serverless platform. Vercel said last year that it cut its Lambda costs by up to 95 percent by reusing idle instances.

Ubl claimed AWS customers need “more than 35 percent utilization to match Vercel’s price.”

Another Vercel competitor is Cloudflare, which, unlike Vercel, hosts on its own datacenters and has an efficient serverless platform using Workers, based on V8 isolates, a feature of the V8 JavaScript engine used by Google Chrome and the open source Chromium project.

Ubl said that whereas Cloudflare Workers are unique to Cloudflare, Vercel “is a more normal platform, we don’t run some bespoke runtime that we create ourselves, we just run Node.js or Python or PHP and it runs on a VM (virtual machine)… We offer standard PostgreSQL, VPC peering, AWS, S3 and not bespoke.”

This is a bit of a war of words. Cloudflare engineering director Steve Faulkner in February described the Next.js tooling, sponsored by Vercel, as “entirely bespoke.” Since then the situation has improved, with an Adapter API that is stable in Next.js 16.2, meaning other providers no longer need to reverse-engineer the build output, but adapters for AWS and Cloudflare are still under development, with completion expected by the end of 2026. ®

Prime Day 2026 kicks off on Tuesday, but there are numerous Apple deals in effect now that deliver the lowest prices of the season.

There are several early Prime Day Apple deals worth checking out this weekend, as the sale festivities kick off. From AirPods 4 for $99 to triple-digit discounts on M5 MacBook Air models, Apple products are a popular pick for Prime Day.

Shop Prime Day deals

AirPods drop to $99

AirPods Pro 3 are down to the lowest price ever.

Advertisement

AirPods prices have dipped to as low as $99 heading into Prime Week, with earbud and over-ear models on sale. Walmart has also replenished AirPods Pro 3 inventory at $169.

Today’s top AirPods deals

iPads on sale from $299

Early Prime Day deals on iPads deliver prices from $299.

Those in search of a budget-friendly tablet can grab Apple’s 11-inch iPad with an A16 chip for $299. The current M4 iPad Air and M5 iPad Pro are also on sale, with a detailed rundown of the discounts in our iPad Price Guide.

Buy iPad 11 for $299

Today’s best iPad offers

• iPad A16 (128GB, Wi-Fi): $299 ($50 off)
• iPad mini 7 (128GB, Wi-Fi): $474 ($25 off)
• M4 iPad Air 11-inch (128GB, Wi-Fi): $559 ($40 off)
• M4 iPad Air 13-inch (128GB, Wi-Fi): $749 ($50 off)
• M5 iPad Pro 11-inch (256GB, Wi-Fi, Standard Glass): $899.99 ($100 off)
• M5 iPad Pro 11-inch (1TB, Wi-Fi, Nano-texture Glass): $1,499 ($200 off)
• M5 iPad Pro 13-inch (1TB, Wi-Fi, Standard Glass): $1,749.99 ($150 off)

Apple Watches up to $200 off

Apple Watch Series 11 prices have dipped to as low as $299.

Current Apple Watch Series 11, SE 3, and Ultra 3 models are marked down by as much as $200, delivering some of the lowest prices of the year.

Buy Apple Watch Series 11 for $299

42mm Apple Watch Series 11 deals

• 42mm Apple Watch Series 11 GPS (Aluminum Case, Sport Band): $299 ($100 off)
• 42mm Apple Watch Series 11 GPS + Cellular (Aluminum Case, Sport Band): $399 ($100 off)
• 42mm Apple Watch Series 11 GPS + Cellular (Titanium Case, Sport Band): $589 ($110 off)
• 42mm Apple Watch Series 11 GPS + Cellular (Titanium Case, Milanese Loop Band): $639 ($160 off)

46mm Apple Watch Series 11 discounts

• 46mm Apple Watch Series 11 GPS (Aluminum Case, Sport Band): $329 ($100 off)
• 46mm Apple Watch Series 11 GPS + Cellular (Aluminum Case, Sport Band): $399 ($130 off)
• 46mm Apple Watch Series 11 GPS + Cellular (Titanium Case, Sport Band): $549.97 ($200 off)

Apple Watch SE 3 & Ultra 3 markdowns

MacBooks as low as $589

Apple’s latest MacBooks are marked down to as low as $589.

Advertisement

Early Prime Day deals are plentiful on Mac computers as well, with Apple’s budget-friendly MacBook Neo dipping to $589.99. M5 MacBook Air models are also as low as $949.99, while M5 MacBook Pros with at least 1TB of storage can be picked up for as low as $1,529.99.

Compare prices across dozens of configurations in our Mac Price Guide.

Latest MacBook Neo savings

Early Prime Day MacBook Air deals

• 13″ MacBook Air M5 (16GB RAM, 512GB SSD): $949.99 ($150 off)
• 13″ MacBook Air M5 (16GB RAM, 1TB SSD): $1,149 ($150 off)
• 13″ MacBook Air M5 (24GB RAM, 1TB SSD): $1,329 ($170 off) with in-cart coupon
• 15″ MacBook Air M5 (16GB RAM, 512GB SSD): $1,149.99 ($150 off)
• 15″ MacBook Air M5 (16GB RAM, 1TB SSD): $1,349.99 ($150 off)
• 15″ MacBook Air M5 (24GB RAM, 1TB SSD): $1,549 ($150 off)

Top MacBook Pro discounts

• 14″ MacBook Pro M5 (10C CPU, 10C GPU, 16GB, 1TB, Standard Display): $1,529 ($170 off) with in-cart coupon at B&H
• 14″ MacBook Pro M5 (10C CPU, 10C GPU, 24GB, 1TB, Standard Display): $1,749 ($150 off)
• 14″ MacBook Pro M5 Pro (15C CPU, 16C GPU, 24GB, 2TB, Standard Display, Space Black): $2,399 ($230 off) with in-cart coupon at Amazon

Best 16-inch MacBook Pro sales

• 16″ MacBook Pro M5 Pro (18C CPU, 20C GPU, 48GB, 1TB, Standard Display, Space Black): $2,879 ($220 off) at B&H
• 16″ MacBook Pro M5 Max (18C CPU, 40C GPU, 64GB, 2TB, Standard Display): $4,299 ($300 off) at B&H
• 16″ MacBook Pro M5 Max (18C CPU, 40C GPU, 128GB, 2TB, Standard Display, Space Black): $5,099 ($300 off) at B&H

Chargers, cables, and more for your Apple devices

Apple iPhone accessories are up to 40% off.

iPhone accessories

Buried deep inside everything announced at WWDC this year was something I, an Apple Shortcuts enthusiast, can’t wait to try: the ability to make Apple Shortcuts using generative artificial intelligence. In macOS 27, you’ll be able to just type what you want a shortcut to do, and the app will build it.

Anyone who builds shortcuts regularly knows the process of doing so can be tedious, even if the end results save you a lot of time. So I’m excited about the idea of describing what you want in plain language and ending up with a working shortcut. Even if it doesn’t work perfectly (let’s face it, AI-built things rarely do), it’s a starting point that you can tweak to meet your needs.

The only downside: This feature doesn’t launch until autumn, when version 27 of Apple’s operating systems come out.

What if you want to try it now? It turns out that Federico Viticci, who founded and runs the fantastic blog MacStories, also couldn’t wait—so much so that he went and built his own version. It’s called Shortcuts Playground, which runs in either Claude Code or OpenAI’s Codex. (OpenAI’s Codex is free for now; Claude Code requires at least a Pro plan, which starts at $20 per month.)

To get started you first need to install the Shortcuts Playground agent; there are instructions on GitHub. Basically you will need to copy and paste a command into the Terminal. (I am not going to include the command here in case it changes.)

I tested this in Claude Code, but the tool works the same way in Codex. Once you’ve installed Shortcuts Playground you can trigger it by typing / followed by “shortcuts.” You’ll see a list of options pop up:

The different options for using the agent.

Courtesy of Justin Pot

If you’re starting from scratch, I recommend using the shortcuts-playground:build option, followed by a rough description of what you want the shortcut to do. (The other option, shortcuts-playground:remix, is for making changes to existing shortcuts.)

The agent will get to work building a shortcut for you. Sometimes it will stop to ask you for more information, or to explain what is and isn’t possible to build in Apple Shortcuts.

While exploring this tool, I asked for a shortcut that compiled today’s weather, my calendar appointments, and my to-do list for the day, then read the entire thing out loud. The agent happily went to work.