(Woman using artificial intelligence technology on laptop with glasses reflection.)
Security and privacy aren’t always the same thing, but there’s a reason that people who specialize in one care deeply about the other. Threats to your security are often also threats to your privacy and vice versa, since privacy is often about unwanted access to data, and security is often about what happens with that access and the harm that comes from misusing it. Following along? Great, now let’s talk about AI.
Earlier this week, we reported that on the same day that OpenAI introduced its ChatGPT-powered Comet Browser, the team at Brave Software revealed that AI-powered browsers will follow malicious instructions hidden in images on the web. This is known as a prompt injection attack, which we’ve long been aware that AI-powered browsers (and AI browser extensions for other browsers) are susceptible to. However, this is the first time we’ve seen the commands hidden from the user and still executed by the browser.
That’s the security side of things. On the privacy side, Geoffrey Fowler, writing for The Washington Post, explained that when he and Lena Cohen, staff technologist at the Electronic Frontier Foundation, tested the Comet Browser, they learned that it remembers everything that you do using it, including your browser history, search history, and even details about the pages you visit. On Bluesky, Fowler posted that the browser retained details like Cohen’s search for abortion care, including the name of her doctor.
To put it simply, while new AI-powered browser tools do deliver on the promise of bringing your favorite chatbot into your web surfing experience, they come with risks to your privacy and security that have yet to be addressed by their developers. Use them with caution.
Next, be careful if you’ve been using YouTube to dig up video game cheats and hacks; we reported that a network of YouTube accounts dating back to at least 2021 has been distributing malware disguised as cracks and other tools to help you cheat at games or play them for free. Remember, kids, cheaters never prosper, especially when it comes to video games.
Speaking of hacks, this week, we examined the 10 biggest VPN hacks in recent history. Many of them weren’t even caused by external bad actors; some were due to simple human errors, such as leaked credentials, third-party mistakes, or mismanagement. Luckily, we review the best VPNs and the best free VPNs, so you have plenty of options to choose from. We even asked you which security services you trust the most, and the results are a great read. You all have good taste.
Research: Ransomware Isn’t Slowing Down in Q3 2025
Research from NordStellar, the threat protection and monitoring arm of Nord Security, the company that makes NordVPN, reveals that ransomware attacks over Q3 of 2025 were up 47% compared with the same time last year. The data indicates that ransomware isn’t slowing down, and as we’ve mentioned here at PCMag before, it’s shaping up to be the most significant and disruptive security threat facing businesses and consumers on the internet today.
Sure, lots of threats are out there, everything from historic DDoS attacks to good old social engineering. But ransomware is unique in that it can be easily deployed with minimal intrusion to an organization’s infrastructure, and it can lead to a huge payday for the hackers involved, since they often demand ransom in crypto to hand over the decryption key, and even if the victims do pay, they have to trust that the hackers will follow through and hand over the key (they often don’t bother.) Luckily, you can protect yourself from ransomware, but the data reveals that many companies and government agencies have yet to take the issue seriously.
Zero-Click Dolby Audio Bug Lets Attackers Run Code on Android and Windows Devices
When you start paying attention to security, you quickly learn to compartmentalize your worries. There’s a new zero-day or breach every day, but that doesn’t mean it’s actively being exploited. Instead, you can (and should) consider it a reminder to practice good internet hygiene. So this Dolby audio bug, which affects Windows and Android devices, caught my attention because I use both platforms on a daily basis. Malwarebytes reports that researchers from Google’s Project Zero team, which is specifically tasked with uncovering zero-day attacks to try and get them fixed, caught an issue with Dolby audio that could allow a hacker to remotely execute code on any Android or Windows device without the user’s knowledge.
If you’ve heard “remote code execution” and “buffer overflow” in the context of security news in the past, you know what can happen here. In short, an attacker can use these kinds of issues in software to run malicious code, expose data on the victim’s system, or just otherwise cause system problems with the device. Luckily, because this is a zero-day, there’s no evidence that the exploit has been used. Malwarebytes’ advice (and ours) is simple: Don’t open unsolicited or unfamiliar files, including audio files. Install security updates. And make sure you have some active antivirus software installed, including on your Android phone.
Vibe Coding’s Real Problem Isn’t Bugs—It’s Judgment
We’ve discussed the pros and cons of vibe coding before, whether it’s the time a vibe coding agent deleted a developer’s entire codebase by accident, or when we discovered Grok’s vibe coding tool serially lied to its users. On the upside, vibe coding has the potential to turn anyone into a software developer, but according to SecurityWeek, that’s exactly the problem. It makes sense when you think about it: when you give everyone a powerful tool and tell them to use it, they’ll likely do things that people with experience with the tool would never do, especially things that aren’t terribly safe. And since they haven’t had the training to know better, they just don’t. It’s a recipe for mistakes.
SecurityWeek’s story runs down a number of issues that vibe coders (and the agents they use) often run into, from excessive comments on code to trying to perfect code the way a human would, when an AI assumes that if the code works, it’s good enough. The story isn’t so much a warning to not use AI-powered vibe coding agents, but certainly a call for caution and additional training when deploying them in professional settings, and a reminder for indie developers that access to one is no substitute for knowing what you’re doing.