The Cipher

Daily brief · Cyber · AI · Tech

Daily brief at 7am Melbourne. Unsubscribe any time.

Thursday 4 June 2026 · Melbourne

When Your Notifications Become the Attacker's Keyboard

A poisoned notification from WhatsApp or Slack could hijack Google Gemini's voice assistant — no malicious app required.

Lead story

When Your Notifications Become the Attacker's Keyboard

Imagine a colleague sends you a Slack message. Nothing unusual — it looks like a routine update. But buried inside it is a command, invisible to you, that your phone's AI assistant dutifully reads and executes. That's the gist of a prompt injection flaw disclosed this week in Google Gemini's Android voice assistant, and it's one of the cleaner demonstrations yet of how ambient AI creates entirely new attack surfaces.

Researchers found that a single malicious notification — from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger — could instruct Gemini to take actions on behalf of the victim. The assistant would open windows, draft and send messages impersonating someone the user trusted, push the phone into a Zoom call, or quietly insert poisoned content into Gemini's long-term memory. No malicious app on the device. No permission prompt. Just the AI doing what it was told.

Why this one matters more than a typical injection demo. Previous prompt injection proofs-of-concept generally required the victim to paste attacker-controlled text into the AI themselves, or visit a crafted web page. The notification attack vector is different: the delivery mechanism is one the user has trained themselves to glance at and dismiss. The phone is already listening. Gemini is already watching the notification stream. The attacker's "command" arrives in the same channel as everything else.

The memory poisoning element is especially worth noting. If an attacker can inject a false belief into Gemini's persistent memory — say, a fake HR policy, a fraudulent account number, a spoofed instruction from a boss — that context sticks around and can influence future AI-assisted decisions. It's less "hack the device" and more "hack the AI's worldview."

Google has patched the flaw, but the broader class of vulnerability it represents isn't going away. As voice assistants become more tightly integrated with calendar, email, banking apps, and communication tools, the notification stream becomes an increasingly attractive attack channel. Any AI that reads context from the environment — which is most of them now — faces some version of this problem.

The Australian picture. Gemini's Android integration is rolling out globally, and Android remains the dominant mobile platform in Australia. Australian banks, government agencies, and enterprises deploying Android device fleets — particularly those that have enabled Gemini for productivity — should treat this as a reminder to review what permissions their AI assistants hold. The ACSC's guidance on mobile device management doesn't yet specifically address agentic AI risk, which is a gap worth flagging to IT security teams.

What to watch. This isn't the last notification-channel injection we'll see. As AI assistants extend deeper into enterprise workflows — reading emails, joining calls, summarising documents — attackers will increasingly try to subvert them at the input layer rather than the device layer. The discipline of "prompt injection defence" is still very young, and the tooling to detect it at scale is thinner than most organisations realise.

The patch is out. The class of attack isn't.

Also today

Autonomous AI Tool Uncovers Two-Year-Old Redis RCE

An autonomous AI vulnerability-hunting tool has found a use-after-free bug in Redis's blocking-client code that lets an authenticated user execute arbitrary operating system commands on the host machine. The flaw, tracked as CVE-2026-23479, was introduced in Redis 7.2.0 and went undetected for over two years across every stable branch until a May patch. Redis is one of the most widely deployed caching and session-store databases in the world, including across Australian cloud infrastructure. The find is a meaningful data point: AI-assisted code auditing is now surfacing vulnerabilities that human reviewers missed for years. Operators should patch to the latest Redis release immediately.

The Hacker News

Stock Exchange Espionage: 150 Days of Silent Email Access

Threat actors spent five months with persistent access to a senior executive's email inbox at a global stock exchange, exfiltrating data continuously using legitimate, native Windows tools — the kind that rarely trigger security alerts. The attacker used living-off-the-land techniques specifically to blend into normal administrative activity. The case is a stark illustration of why detection mean-time matters more than prevention alone: 150 days of undetected access at a finance sector target represents a significant intelligence haul. Financial market operators in Australia — already subject to APRA's CPS 234 requirements — should treat this as a prompt to review email anomaly detection and privileged account monitoring.

SecurityWeek

Trail of Bits: AI Agent Skill Scanners Don't Actually Work

Security firm Trail of Bits has published a damning assessment of the tools meant to protect AI agent skill marketplaces — the ecosystems where developers publish plug-in capabilities for AI systems. The firm tested and bypassed ClawHub's malicious skill detector, Cisco's agent skill scanner, and all three scanners integrated into skills.sh. None of the attacks were sophisticated. Skill marketplaces are meanwhile being flooded with malicious capabilities that steal credentials, exfiltrate data, and hijack agents. The finding matters because enterprise AI platforms increasingly rely on third-party skills, and the defensive tooling enterprises are being sold to manage that risk is, by Trail of Bits' reckoning, largely security theatre.

Trail of Bits

Dashlane Discloses 20 Stolen Vaults — Then Goes Silent

Password manager Dashlane has issued a security advisory confirming that 20 encrypted vaults were stolen, but has provided minimal detail about the breach: how it occurred, when it was discovered, and what encryption specifics apply to the affected vaults. Dashlane has not responded publicly to follow-up questions. While the vaults are described as encrypted, the opacity of the disclosure is a problem in itself — affected users cannot make an informed decision about whether to rotate their credentials without knowing more. For Australian users, the Privacy Act's notifiable data breach scheme sets a higher standard of disclosure than Dashlane appears to be meeting.

Ars Technica

OpenAI Publishes a Federal Blueprint for AI Governance

OpenAI has released a formal policy document outlining its vision for how the US federal government should regulate frontier AI, proposing a framework covering safety testing, national security resilience, youth protection, workforce transition, and global standards. The timing — just days after Trump's AI executive order — is clearly deliberate. OpenAI is positioning itself as the responsible adult in the room while also, not coincidentally, shaping the regulatory environment it will operate in. Australia is developing its own mandatory AI guardrails framework; the OpenAI blueprint is likely to influence the international standards dialogue that Australia participates in through forums like the OECD AI Policy Observatory.

OpenAI Blog

Google Ordered to Let UK Publishers Opt Out of AI Search

UK regulators have ordered Google to make attribution clearer in AI Overviews and to offer publishers a mechanism to opt their content out of generative AI search features. Google had previously argued users don't want to see many sources — a framing regulators were unimpressed by. The opt-out tool will be tested in the UK before a global rollout. This is one of the most concrete regulatory interventions into AI search to date, and it sets a precedent that other jurisdictions — including Australia, where the ACCC has flagged AI search market power as an area of concern — will be watching closely.

Ars Technica

GitLab Cuts 14% of Staff, Exits 22 Countries

GitLab is laying off 14% of its workforce and withdrawing from 22 countries as it restructures to reduce management layers and invest in scaling its platform for AI workloads. The company framed the move as necessary to compete in a market where AI-assisted development is becoming table stakes — essentially betting that fewer, differently skilled people can do more with better tooling. GitLab is widely used by Australian software teams across enterprise and government, and the country-exit list hasn't been disclosed, making it worth checking whether local support arrangements are affected. The cuts are a reminder that the AI productivity narrative has a human cost attached.

TechCrunch

Australian Defence Says Palantir Is 'Sandboxed' — AI Features Disabled

The Australian Department of Defence has told a Senate committee that its Palantir deployment is sandboxed within its environment, with AI features specifically not in use. The disclosure comes as scrutiny of Palantir's government contracts intensifies globally, and as Australian defence and intelligence agencies face questions about the risk profile of US-linked data analytics platforms. The sandboxing approach reflects a cautious posture — allowing operational use of the platform's data integration capabilities while holding off on AI functionality until risk assessments are completed. It's a pragmatic hedge, though it also raises questions about what the platform is actually delivering at current capability levels.

iTnews

Previous briefs

Wednesday 3 June 2026

Trump's AI Executive Order Is Mostly a Handshake — and That Might Be the Point

Tuesday 2 June 2026

When the Support Bot Becomes the Attacker's Best Friend

Monday 1 June 2026

Dutch Police Dismantle a 17-Million-Device Botnet — and It's a Timely Reminder of How Big "Big" Really Is

Sunday 31 May 2026

Russia's Sanctions-Busting Tech Grab Is Now a Cyber Problem, Not Just a Trade One

Saturday 30 May 2026

The AI-Assisted Hack: When the LLM Does the Post-Breach Heavy Lifting

All briefs →