The Cipher

Daily brief · Cyber · AI · Tech

Daily brief at 7am Melbourne. Unsubscribe any time.

← The Cipher

Thursday 4 June 2026

When Your Notifications Become the Attacker's Keyboard

A poisoned notification from WhatsApp or Slack could hijack Google Gemini's voice assistant — no malicious app required.

Lead story

When Your Notifications Become the Attacker's Keyboard

Imagine a colleague sends you a Slack message. Nothing unusual — it looks like a routine update. But buried inside it is a command, invisible to you, that your phone's AI assistant dutifully reads and executes. That's the gist of a prompt injection flaw disclosed this week in Google Gemini's Android voice assistant, and it's one of the cleaner demonstrations yet of how ambient AI creates entirely new attack surfaces.

Researchers found that a single malicious notification — from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger — could instruct Gemini to take actions on behalf of the victim. The assistant would open windows, draft and send messages impersonating someone the user trusted, push the phone into a Zoom call, or quietly insert poisoned content into Gemini's long-term memory. No malicious app on the device. No permission prompt. Just the AI doing what it was told.

Why this one matters more than a typical injection demo. Previous prompt injection proofs-of-concept generally required the victim to paste attacker-controlled text into the AI themselves, or visit a crafted web page. The notification attack vector is different: the delivery mechanism is one the user has trained themselves to glance at and dismiss. The phone is already listening. Gemini is already watching the notification stream. The attacker's "command" arrives in the same channel as everything else.

The memory poisoning element is especially worth noting. If an attacker can inject a false belief into Gemini's persistent memory — say, a fake HR policy, a fraudulent account number, a spoofed instruction from a boss — that context sticks around and can influence future AI-assisted decisions. It's less "hack the device" and more "hack the AI's worldview."

Google has patched the flaw, but the broader class of vulnerability it represents isn't going away. As voice assistants become more tightly integrated with calendar, email, banking apps, and communication tools, the notification stream becomes an increasingly attractive attack channel. Any AI that reads context from the environment — which is most of them now — faces some version of this problem.

The Australian picture. Gemini's Android integration is rolling out globally, and Android remains the dominant mobile platform in Australia. Australian banks, government agencies, and enterprises deploying Android device fleets — particularly those that have enabled Gemini for productivity — should treat this as a reminder to review what permissions their AI assistants hold. The ACSC's guidance on mobile device management doesn't yet specifically address agentic AI risk, which is a gap worth flagging to IT security teams.

What to watch. This isn't the last notification-channel injection we'll see. As AI assistants extend deeper into enterprise workflows — reading emails, joining calls, summarising documents — attackers will increasingly try to subvert them at the input layer rather than the device layer. The discipline of "prompt injection defence" is still very young, and the tooling to detect it at scale is thinner than most organisations realise.

The patch is out. The class of attack isn't.

Also today

HTTP/2 Bomb: One Machine, One Minute, Server Down

Researchers have disclosed a denial-of-service technique dubbed the HTTP/2 Bomb that can crash NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora from a single machine in under a minute. The attack chains a compression bomb with a Slowloris-style connection hold, exploiting default HTTP/2 configurations that most servers ship with and most operators never change. The finding was made by OpenAI Codex, which adds a curious footnote: AI tooling is now finding infrastructure-level vulnerabilities, not just logic bugs. Australian web operators running any of the affected server stacks should check vendor advisories immediately — this is exploitable without authentication.

SecurityWeek

VS Code Zero-Day Lets Attackers Steal GitHub Tokens in One Click

A security researcher has published working exploit code for a Visual Studio Code zero-day that lets an attacker steal a victim's GitHub OAuth token — including access to private repositories — simply by getting them to click a crafted link. The flaw abuses the GitHub.dev in-browser editor feature built into VS Code. Given that VS Code is the dominant editor across the Australian developer community and GitHub tokens are often scoped far more broadly than users realise, the practical risk here is significant. Developers should be wary of unsolicited links pointing to VS Code or GitHub.dev until Microsoft issues a patch.

Bleeping Computer

Microsoft 365 Android Apps Left a Debug Flag On in Production

A development-mode flag that was never switched off in production builds of several Microsoft 365 Android apps — Word, PowerPoint, Excel among them — disabled the check that normally limits account-token sharing to trusted Microsoft apps. The result: any app on the same device could silently request the signed-in user's token and gain access to their email, files, calendar, and outbox with no password or permission prompt required. Microsoft has patched the issue. The incident is another example of a single carelessly left configuration value creating enterprise-wide exposure — and a useful prompt for organisations to audit which M365 Android permissions are active on corporate devices.

The Hacker News

Autonomous AI Tool Uncovers Two-Year-Old Redis RCE

An autonomous AI vulnerability-hunting tool has found a use-after-free bug in Redis's blocking-client code that lets an authenticated user execute arbitrary operating system commands on the host machine. The flaw, tracked as CVE-2026-23479, was introduced in Redis 7.2.0 and went undetected for over two years across every stable branch until a May patch. Redis is one of the most widely deployed caching and session-store databases in the world, including across Australian cloud infrastructure. The find is a meaningful data point: AI-assisted code auditing is now surfacing vulnerabilities that human reviewers missed for years. Operators should patch to the latest Redis release immediately.

The Hacker News

Stock Exchange Espionage: 150 Days of Silent Email Access

Threat actors spent five months with persistent access to a senior executive's email inbox at a global stock exchange, exfiltrating data continuously using legitimate, native Windows tools — the kind that rarely trigger security alerts. The attacker used living-off-the-land techniques specifically to blend into normal administrative activity. The case is a stark illustration of why detection mean-time matters more than prevention alone: 150 days of undetected access at a finance sector target represents a significant intelligence haul. Financial market operators in Australia — already subject to APRA's CPS 234 requirements — should treat this as a prompt to review email anomaly detection and privileged account monitoring.

SecurityWeek

Trail of Bits: AI Agent Skill Scanners Don't Actually Work

Security firm Trail of Bits has published a damning assessment of the tools meant to protect AI agent skill marketplaces — the ecosystems where developers publish plug-in capabilities for AI systems. The firm tested and bypassed ClawHub's malicious skill detector, Cisco's agent skill scanner, and all three scanners integrated into skills.sh. None of the attacks were sophisticated. Skill marketplaces are meanwhile being flooded with malicious capabilities that steal credentials, exfiltrate data, and hijack agents. The finding matters because enterprise AI platforms increasingly rely on third-party skills, and the defensive tooling enterprises are being sold to manage that risk is, by Trail of Bits' reckoning, largely security theatre.

Trail of Bits

Dashlane Discloses 20 Stolen Vaults — Then Goes Silent

Password manager Dashlane has issued a security advisory confirming that 20 encrypted vaults were stolen, but has provided minimal detail about the breach: how it occurred, when it was discovered, and what encryption specifics apply to the affected vaults. Dashlane has not responded publicly to follow-up questions. While the vaults are described as encrypted, the opacity of the disclosure is a problem in itself — affected users cannot make an informed decision about whether to rotate their credentials without knowing more. For Australian users, the Privacy Act's notifiable data breach scheme sets a higher standard of disclosure than Dashlane appears to be meeting.

Ars Technica

OpenAI Publishes a Federal Blueprint for AI Governance

OpenAI has released a formal policy document outlining its vision for how the US federal government should regulate frontier AI, proposing a framework covering safety testing, national security resilience, youth protection, workforce transition, and global standards. The timing — just days after Trump's AI executive order — is clearly deliberate. OpenAI is positioning itself as the responsible adult in the room while also, not coincidentally, shaping the regulatory environment it will operate in. Australia is developing its own mandatory AI guardrails framework; the OpenAI blueprint is likely to influence the international standards dialogue that Australia participates in through forums like the OECD AI Policy Observatory.

OpenAI Blog

Google Ordered to Let UK Publishers Opt Out of AI Search

UK regulators have ordered Google to make attribution clearer in AI Overviews and to offer publishers a mechanism to opt their content out of generative AI search features. Google had previously argued users don't want to see many sources — a framing regulators were unimpressed by. The opt-out tool will be tested in the UK before a global rollout. This is one of the most concrete regulatory interventions into AI search to date, and it sets a precedent that other jurisdictions — including Australia, where the ACCC has flagged AI search market power as an area of concern — will be watching closely.

Ars Technica

GitLab Cuts 14% of Staff, Exits 22 Countries

GitLab is laying off 14% of its workforce and withdrawing from 22 countries as it restructures to reduce management layers and invest in scaling its platform for AI workloads. The company framed the move as necessary to compete in a market where AI-assisted development is becoming table stakes — essentially betting that fewer, differently skilled people can do more with better tooling. GitLab is widely used by Australian software teams across enterprise and government, and the country-exit list hasn't been disclosed, making it worth checking whether local support arrangements are affected. The cuts are a reminder that the AI productivity narrative has a human cost attached.

TechCrunch

Australian Defence Says Palantir Is 'Sandboxed' — AI Features Disabled

The Australian Department of Defence has told a Senate committee that its Palantir deployment is sandboxed within its environment, with AI features specifically not in use. The disclosure comes as scrutiny of Palantir's government contracts intensifies globally, and as Australian defence and intelligence agencies face questions about the risk profile of US-linked data analytics platforms. The sandboxing approach reflects a cautious posture — allowing operational use of the platform's data integration capabilities while holding off on AI functionality until risk assessments are completed. It's a pragmatic hedge, though it also raises questions about what the platform is actually delivering at current capability levels.

iTnews

Sources consulted