DAILY WORKFLOW ARCHIVE

2026-05-07 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-07 AI创业新闻

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems. vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment. The security flaws are listed below - CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via “lookupGetter” and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0) CVE-2026-24120 (CVSS score: 9.8) - A patch bypass for CVE-2023-37466 (CVSS score: 9.8) that could allow attackers to escape the sandbox through the species property of promise objects and execute arbitrary commands on the underlying host.

(Affects versions <= 3.10.3, patched in 3.10.5) CVE-2026-24781 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via the “inspect” function and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.3, patches in 3.11.0) CVE-2026-26332 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via “SuppressedError” and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0) CVE-2026-26956 (CVSS score: 9.8) - A protection mechanism failure vulnerability that allows sandbox escape with arbitrary code execution by triggering a TypeError produced by Symbol-to-string coercion. (Affects version 3.10.4, confirmed on Node.js 25.6.1, patched in 3.10.5) CVE-2026-43997 (CVSS score: 10.0) - A code injection vulnerability that allows an attacker to obtain the host Object and escape the sandbox, leading to arbitrary code execution.

(Affects versions <= 3.10.5, patched in 3.11.0) CVE-2026-43999 (CVSS score: 9.9) - A vulnerability that allows a bypass of NodeVM’s built-in allowlist and enables an attacker to load excluded builtins like child_process and achieve remote code execution. (Affects version 3.10.5, patched in 3.11.0) CVE-2026-44005 (CVSS score: 10.0) - A vulnerability that allows attacker-controlled JavaScript to escape the sandbox and enable prototype pollution. (Affects versions 3.9.6-3.10.5, patched in 3.11.0) CVE-2026-44006 (CVSS score: 10.0) - A code injection vulnerability via “BaseHandler.getPrototypeOf” that enables sandbox escape and remote code execution. (Affects versions <= 3.10.5, patched in 3.11.0) CVE-2026-44007 (CVSS score: 9.1) - An improper access control vulnerability that allows sandbox escape and execution of arbitrary operating system commands on the underlying host.

(Affects versions <= 3.11.0, patched in 3.11.1) CVE-2026-44008 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via “neutralizeArraySpeciesBatch()” and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2) CVE-2026-44009 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via a null proto exception and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2) The disclosure comes a couple of months after vm2 maintainer Patrik Simek released patches for another critical sandbox escape flaw ( CVE-2026-22709 , CVSS score: 9.8) that could lead to arbitrary code execution on the underlying host system. The string of newly identified sandbox escapes illustrates the challenge of securely isolating untrusted code in JavaScript-based sandbox environments, with Simek acknowledging previously that new bypasses will likely be discovered in the future.

Users of vm2 are advised to update to the latest version ( 3.11.2 ) for optimal protection. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Cybersecurity researchers have exposed a new Mirai -derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge ( ADB ) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address “176.65.139[.]44” without requiring any authentication. The malware supports “21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection,” Hunt.io said, adding it’s offered as a DDoS-for-hire service designed for targeting game servers and Minecraft hosts. What makes xlabs_v1 notable is that it seeks out Android devices running an exposed ADB service on TCP port 5555, meaning any gear that comes with the tool enabled by default, such as Android TV boxes, set-top boxes, smart TVs, could be a potential target.

Besides an Android APK (“boot.apk”, the malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC, indicating it’s also designed to target residential routers and internet-of-things (IoT) hardware. The result is a purpose-built botnet engineered to receive an attack command from the operator’s panel (“xlabslover[.]lol”) and generate a flood of junk traffic on demand, specifically directing the DDoS attack against game servers. “The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into /data/local/tmp,” Hunt.io explained. “The operator’s nine-variant payload list is tuned for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled.” There is evidence indicating that the DDoS-for-hire service features bandwidth-tiered pricing.

This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation. This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the panel. The goal, Hunt.io noted, is to assign each compromised device to a pricing tier for its paying customers. An important aspect to note here is that the botnet exists after sending the bandwidth information in Megabits per second (Mbps), meaning the operator must re-infect the device a second time through the same ADB exploitation channel, given the absence of a persistence mechanism.

“The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs,” Hunt.io said. “This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent.” xlabs_v1 also features a “killer” subsystem to terminate competitors so that it can usurp the victim device’s full upstream bandwidth to itself and use it to carry out the DDoS attack. It’s currently not known who is behind the malware, but the threat actor goes by the moniker “Tadashi,” as evidenced by a ChaCha20-encrypted string embedded in every build of the bot. Further analysis of the co-located infrastructure has uncovered a VLTRig Monero-mining toolkit on host 176.65.139[.]42, although it’s currently not known if the two sets of activities are the work of the same threat actor.

“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork […], but less sophisticated than the top tier of commercial DDoS-for-hire operations,” Hunt.io said. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target.” The development comes as Darktrace revealed that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet downloaded from a remote server (“103.177.110[.]202”), while simultaneously taking steps to evade detection.

“The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers,” the company said . “This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a “false flag” operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence points to it being a targeted state-backed attack that masquerades as opportunistic extortion. “The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams , where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA),” Rapid7 said in a report shared with The Hacker News.

“Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent.” The findings indicate that MuddyWater is attempting to muddy attribution efforts by increasingly relying on off-the-shelf tools available in the cybercrime underground to conduct its attacks. This shift has also been documented by Ctrl-Alt-Intel, Broadcom, Check Point, and JUMPSEC in recent months, highlighting the adversary’s use of CastleRAT and Tsundere. With that said, this is not the first time MuddyWater has conducted ransomware attacks. In September 2020, the threat actor was attributed to a campaign targeting prominent Israeli organizations with a loader called PowGoop that deployed a variant of Thanos ransomware with destructive capabilities.

Then, in 2023, Microsoft disclosed that the hacking group teamed up with DEV-1084, a threat actor known to use the DarkBit persona, to conduct destructive attacks under the pretext of deploying ransomware. As recently as October 2025, the attackers are believed to have used the Qilin ransomware to target an Israeli government hospital. “In this case, the emerging picture was that the attackers were likely Iranian-affiliated operators working through the cyber criminal ecosystem, using a criminal ransomware brand and methods associated with the broader extortion market, while serving a strategic Iranian objective,” Check Point noted back in March. “The use of Qilin, and participation in its affiliate program, likely serves not only as a layer of cover and plausible deniability, but also as a meaningful operational enabler, especially as earlier attacks appear to have heightened security measures and monitoring by Israeli authorities.” Chaos is a RaaS group that emerged in early 2025.

Known for its double extortion model, the threat actor has advertised its affiliate program on cybercrime forums, like RAMP and RehubCom. Attacks mounted by the e-crime gang leverage a combination of mail flooding and vishing using Teams, often by impersonating IT support personnel, to trick victims into installing remote access tools like Microsoft Quick Assist, and then abuse that foothold to burrow deeper into the victim’s environment and deploy ransomware. “The group has also demonstrated triple extortion by threatening distributed denial-of-service (DDoS) attacks against the victim’s infrastructure,” Rapid7 said. “These capabilities are reportedly offered to affiliates as part of bundled services, representing a notable feature of its RaaS model.

Additionally, Chaos has been observed leveraging elements of quadruple extortion, including threats to contact customers or competitors to increase pressure on victims.” As of late March 2026, Chaos has claimed 36 victims on its data leak site, most of which are located in the U.S. Construction, manufacturing, and business services are some of the prominent sectors targeted by the group. In the intrusion analyzed by Rapid7, the threat actor is said to have initiated external chat requests via Teams to engage with employees and obtain initial access through screen-sharing sessions, followed by using compromised user accounts to conduct reconnaissance, establish persistence using tools like DWAgent and AnyDesk, move laterally, and exfiltrate data. The victim was then contacted via email for ransom negotiations.

“While connected, the TA [threat actor] executed basic discovery commands, accessed files related to the victim’s VPN configuration, and instructed users to enter their credentials into locally created text files,” Rapid7 explained. “In at least one instance, the TA also deployed a remote management tool (AnyDesk) to further facilitate access.” The threat actor has also been observed using RDP to download an executable (“ms_upd.exe”) from an external server (“172.86.126[.]208”) using the curl utility. Upon execution, the binary kicks off a multi-stage infection chain that delivers more malicious components. A brief description of the malware families is below - ms_upd.exe (aka Stagecomp ), which collects system information and reaches out to a command-and-control (C2) server to drop next-stage payloads (game.exe, WebView2Loader.dll, and visualwincomp.txt).

game.exe (aka Darkcomp ), which is a bespoke remote access trojan (RAT) that masquerades as a legitimate Microsoft WebView2 application. It’s a trojanized version of the official Microsoft WebView2APISample project . WebView2Loader.dll , a legitimate DLL downloaded by ms_upd.exe. It’s required by Microsoft Edge WebView2 to embed web content in Windows applications.

visualwincomp.txt , an encrypted configuration used by the RAT to obtain the C2 information. The RAT connects to the C2 server and enters an infinite loop to poll for new commands every 60 seconds, allowing it to run commands or PowerShell scripts, perform file operations, and spawn an interactive cmd.exe shell or PowerShell. The campaign’s links to MuddyWater stem from the use of a code-signing certificate attributed to “Donald Gay” to sign “ms_upd.exe.” The certificate has been previously put to use by the threat cluster to sign its malware, including a CastleLoader downloader called Fakeset . These findings underscore the growing convergence of state-sponsored intrusion activity and cybercriminal tradecraft to obscure attribution and delay appropriate defensive response.

“The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution,” Rapid7 said. “Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.” “Notably, the apparent absence of file encryption, despite the presence of Chaos ransomware artifacts, represents a deviation from typical ransomware behavior. This inconsistency may indicate that the ransomware component functioned primarily as a facilitating or obfuscation mechanism, rather than as the primary objective of the intrusion.” The development comes as Hunt.io revealed details of an Iranian-nexus operation targeting Omani government institutions to exfiltrate more than 26,000 Ministry of Justice user records, judicial case data, committee decisions, and SAM and SYSTEM registry hives. “An open directory on 172.86.76[.]127, a RouterHosting VPS in the United Arab Emirates, surfaced an active intrusion campaign against the Omani government, with the toolkit, C2 code, session logs, and exfiltrated data all sitting in plain sight,” the company said .

“The primary target was the Ministry of Justice and Legal Affairs (mjla.gov[.]om).” The discovery also coincides with continued activity from pro-Iran-aligned hacktivist groups, such as Handala Hack, which has claimed to have published details on nearly 400 U.S. Navy personnel in the Persian Gulf and carried out an attack on the Port of Fujairah in the United Arab Emirates, enabling it to gain access to its internal systems and leak about 11,000 sensitive documents related to invoices, shipping records, and customs documents. “A month ago, we documented a broad escalation in Iranian-linked cyber operations — surveillance via hacked cameras , the leak of thousands of highly sensitive documents from Israel’s former Military Chief of Staff, and a measurable rise in attack volume across the region. We said then that further escalation was likely,” Sergey Shykevich, group manager at Check Point Research, told The Hacker News.

“The claimed attack on the Port of Fujairah is that escalation, if confirmed. What’s changed is the nature of the threat: this is no longer about intelligence gathering or public embarrassment. Stolen port infrastructure data was allegedly used to enable physical missile targeting.” “The cyber and kinetic domains are now explicitly connected. This campaign is not slowing down.

Every quiet period on the physical front has historically been followed by intensified cyber activity — and what we’re seeing now is the most serious manifestation of that pattern to date.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The Hacker News Launches ‘Cybersecurity Stars Awards 2026’ — Submissions Now Open

For nearly 20 years, we at The Hacker News have mostly told scary stories about cyberspace — big hacks, broken systems, and new threats. But behind every headline, there’s a quieter, better story. It’s the story of leaders making tough calls under pressure, teams building smarter defenses, and security products that keep hunting threats 24/7 — even when it’s hard. Most of the time, this work is invisible.

When everything goes perfectly, nothing happens. The world just stays safe, and no one notices. Today, we want the world to notice. Introducing the CyberStars Awards 2026 We are launching the Cybersecurity Stars Awards 2026 , a global program that recognizes excellence across the cybersecurity industry and highlights outstanding work that often goes unnoticed.

Submissions are now open, and companies, products, and professionals can apply via the official awards portal: https://awards.thehackernews.com/ We don’t just want to report the news anymore. We want to recognize the people behind it. This program is designed to highlight organizations and individuals making meaningful contributions to cybersecurity across innovation, execution, and real-world impact, and to give them a platform to showcase their work. Why is this different?

One of the defining aspects of the program is its audience. The Hacker News reaches a global community that includes CISOs and senior security leaders, practitioners and engineers, and enterprise buyers. Recognition through the Cybersecurity Stars Awards is not just symbolic. It provides visibility among the people who evaluate, select, and deploy cybersecurity technologies.

Each submission is evaluated through a structured and impartial review process designed to maintain fairness and integrity. Award Categories We have opened four main paths for you to be recognized. Whether you are a solo hero or a global giant, there is a place for you: Cybersecurity Product / Service: Covers all areas of cybersecurity, including cloud, endpoint, identity, threat detection, application, and data protection. Choose the closest fit or request a new category.

Cybersecurity Industry Solution: For solutions built for specific industries such as finance, healthcare, government, or critical infrastructure, with clear impact. Cybersecurity Company: For organizations showing strong leadership, growth, and consistent execution. Cybersecurity Professional / Team: For individuals and teams driving innovation, resilience, and measurable impact. How to Apply We have made the process simple so you can focus on telling your story.

Here is how to get started: Visit the Awards Portal and create an account in seconds. Purchase nomination credits. Choose the most relevant category or categories to apply to. Complete the nomination form with details on your work, impact, and innovation.

Submit your entry before the deadline. For any questions or support, contact - awards@thehackernews.com Key Dates Submission Deadline: May 15, 2026 Winners Announcement: May 26, 2026 Why Does It Matter? Recognition in cybersecurity only matters when it is trusted. For vendors, trust drives credibility, adoption, and long-term value.

The Hacker News has built its reputation on independent, reliable reporting for a global audience of security professionals. The Cybersecurity Stars Awards extend that same foundation to provide credible, visible recognition for meaningful contributions across the industry. Apply Now If your organization, product, or team is contributing to the cybersecurity landscape, this is your opportunity to be recognized. Submit your nomination today: https://awards.thehackernews.com/ Submissions are open, and the deadline is approaching.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Your AI Agents Are Already Inside the Perimeter. Do You Know What They’re Doing?

Analysts recently confirmed what identity security teams have quietly feared: AI agents are being deployed faster than enterprises can govern them. In their inaugural Market Guide for Guardian Agents, Gartner states that “enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls.” Enterprise leaders can request access to the Gartner Market Guide for Guardian Agents , available complimentary from Orchid Security. The challenge is not simply one of tooling. It is a structural gap in how identity has been managed over the past decades.

Traditional identity and access management were designed for human users to log in and out of systems. AI agents operate differently — they run continuously, span multiple applications, acquire permissions opportunistically, and generate activity at machine speed. The result is yet another form of what Orchid Security calls “identity dark matter”: an invisible and unmanaged layer of identity activity operating beneath the radar of conventional IAM platforms. According to Orchid’s analysis, roughly half of enterprise identity activity already occurs outside centralized IAM visibility.

Why? Because while many identities reside in central directories, and controls are available in central IAM tools, just as many identities and controls live in the applications themselves. This is the challenge of identity and access management (IAM), how do I manage what I can’t even see? Good news though, one answer is, “ask Orchid.”  Here are some examples.

Three Questions Identity Teams Are Now Asking Ask Orchid is the AI agent built into Orchid’s platform for exactly this. It applies identity observability at the source - inside applications, at the binary and configuration layer - and answers natural language questions about the full identity estate. Here are three of the questions security and compliance leaders are bringing to it now. Question 1: “What AI Agents Are Running in Our Environment?” This is the question that most enterprises cannot yet answer — and it may be the most important one to ask.

AI agents are being spun up across business units, embedded in SaaS platforms, integrated via APIs, and built in-house by development teams. Governance processes have not kept pace. Many organizations have no centralized inventory of the agents operating within their environment, let alone visibility into what those agents are doing, what data they are accessing, or what identities they are using to do it. “Ask Orchid addresses this directly.

When asked “What AI agents are running in our environment?” it applies identity observability across every application — examining user accounts, authentication flows, authorization permissions, and runtime activity at the source. The platform does not simply flag agents that are active during a monitoring window. It provides: Automatic discovery of AI agents, including their likely purpose and risk profile Identification of areas where AI agents are confirmed not to be in use, for a complete picture Recommended actions to help establish appropriate oversight For governance, risk, and compliance leaders, this capability represents the difference between managing AI adoption and being managed by it. Question 2: “How Compliant Are We With NIST Identity Requirements Right Now?” For enterprise CISOs, regulatory compliance is a dual obligation — both a legal requirement and a security baseline.

But with application estates constantly evolving, knowing the actual state of NIST compliance, for example, at any given moment has historically required a third-party external audit. “Ask Orchid” changes that equation. When asked directly — “How compliant are we now with the identity requirements of NIST CSF ?” — it examines how identity controls are implemented inside each application, at the binary level, where they are ultimately defined. It then compares what is actually coded against what NIST requires, covering both the established 1.1 framework and the updated 2.0 version.

The output is not a generic scorecard. It includes: A clear view of which controls are properly implemented and where gaps exist Application-level detail, not just platform-level or tool-specific summaries A prioritized remediation roadmap with actionable next steps Rather than waiting for an auditor to reveal vulnerabilities after the fact, CISOs can now assess and address their compliance posture on demand — before the audit, not because of it. Question 3: “Do We Have Static Credentials That Should Be Rotated Immediately?” Static credentials are one of the oldest and most persistent problems in identity security. Service accounts, API access, machine-to-machine tokens, “break glass” credentials — they accumulate across every enterprise, often issued for legitimate reasons and then forgotten.

Left unmanaged, they become one of the highest-value targets for attackers and one of the most common footholds for AI agents exploiting identity dark matter by design. When asked “Do we have static credentials that should be rotated immediately?”, Ask Orchid examines credentials across every application - not just those connected to a central identity provider, but those in the cloud, on-premise, and in local accounts. The response includes: A complete inventory of static credentials across the environment Where they live and why they need to be rotated A risk-tiered prioritization, identifying which credentials pose the most urgent exposure Credential intelligence that used to be invisible is delivered in minutes. The Deeper Problem: Identity Dark Matter Is Accelerating The three scenarios above are not edge cases.

They represent the core challenge facing enterprise security teams today: the identity estate has grown far beyond what traditional IAM platforms were designed to see. Applications authenticate users locally. Service accounts are provisioned and forgotten. AI agents are granted new identities with broad permissions.

The sum of all this unmanaged activity (and more) — identity dark matter — is expanding at a pace that matches, and in many cases exceeds, the rate of AI adoption itself. What makes this particularly difficult is the gap’s structural nature. It is not simply a matter of adding more connectors to an existing IAM platform. The problem is that most identity tooling stops at the login event.

It does not observe what happens inside applications after authentication. How Orchid Security Closes the Gap Orchid Security was built for exactly this environment. It works inside applications, at the source of identity activity, rather than at the perimeter of a centralized IAM system. Through binary analysis and dynamic instrumentation, Orchid inspects native authentication and authorization logic directly within applications — without requiring APIs, source code changes, or lengthy integrations.

This gives it visibility into the half of enterprise identity activity that falls outside conventional IAM visibility, including every AI agent operating across the estate. Recognized as a Representative Vendor in
Gartner’s inaugural Market Guide for Guardian Agents
— described as a vendor “managing the identities/access for AI agents with zero-trust policies and governance” — Orchid delivers what it calls full-spectrum identity authority: from observability to orchestration, across every identity, human and non-human. For agent AI in particular, its approach is grounded in five principles that govern secure AI-agent adoption:
Human-to-Agent Attribution
Every AI agent action is linked to a responsible human owner, ensuring accountability for machine-driven activity Comprehensive Activity Audit
A complete chain of custody is recorded — Agent → Tool/API → Action → Target — enabling compliance reporting and incident response Dynamic, Context-Aware Guardrails
Access decisions are evaluated continuously, based on real-time context, the sensitivity of the target resource, and the human owner’s entitlements, replacing broad standing privileges with purpose-bound authorization Least Privilege
Just-in-Time elevation replaces persistent “god-mode” access across AI agents and machine identities Automated Remediation
Risky behavior triggers automatic responses, including credential rotation and session termination, without requiring manual intervention To learn more, check out Orchid’s platform for guardrails on autonomous identity . Final Thought For security teams asking whether they have ungoverned AI agents in their environment, unrotated credentials sitting in forgotten applications, compliance gaps their last audit missed,Orchid provides the answers — and the remediation path — without waiting for a breach to make them visible.

Enterprise leaders responsible for cybersecurity, identity and access management, and AI agent governance can request access to the Gartner Market Guide for Guardian Agents , compliments of Orchid Security. Gartner does not endorse any vendor, product, or service depicted in its publications. Gartner publications reflect the opinions of Gartner’s research organization and should not be construed as statements of fact. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Google’s Android Apps Get Public Verification to Stop Supply Chain Attacks

Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks. “This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute,” Google’s product and security teams said . The initiative builds upon the foundation of Pixel Binary Transparency , which Google introduced in October 2021 to bolster software integrity by ensuring that Pixel devices are only running verified operating system (OS) software by keeping a public, cryptographic log that records metadata about official factory images. The verifiable security infrastructure mirrors Certificate Transparency , an open framework that requires all issued SSL/TLS certificates to be recorded in public, append-only, and cryptographically verifiable logs to help detect mis-issued or malicious certificates.

The move is aimed at countering the risks posed by binary supply chain attacks, which often deliver malicious code by poisoning the software update channels, while keeping the digital signatures intact. The latest example is the compromise of Windows installers of the DAEMON Tools software to serve a lightweight backdoor, which then acts as a conduit for an implant dubbed QUIC RAT. What’s more, the installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. “It is becoming insufficient to rely on the binary’s signature alone, as a signature cannot guarantee that this particular binary was the intended one to be released to the public by its author,” Google said.

“Digital signatures are a certificate of origin, but binary transparency is a certificate of intent.” By expanding Binary Transparency on Android, the company said the idea is to provide guarantees that the Google software on a user’s device is exactly what was intended to be built and distributed. To that end, Google’s production Android applications released after May 1, 2026, will have a corresponding cryptographic entry confirming their authenticity. The initiative currently includes production Google applications , including both Google Play Services and standalone Google applications, as well as Mainline modules that are part of the OS and can be dynamically updated outside of the normal release cycle. “This provides a transparent ‘Source of Truth’ that allows anyone to verify that the Google software on their Android device is a production version authorized by Google and has not been modified by an attacker,” Google noted.

“If the software is not on the ledger, Google did not release it as production software. Any attempt to deploy a ‘one-off’ version will be detectable.” As part of this effort, the tech giant is also making available verification tooling that users and researchers can leverage to verify the transparency state of supported software types. The development comes amid a string of supply chain attacks that have targeted developers and downstream users of popular software in recent months. Bad actors are increasingly compromising the accounts of developers and abusing that access to push malware, allowing them to breach several users at once.

“This is a critical pillar for user privacy and security because it changes the fundamental power dynamic of software updates,” Google said. “This level of transparency serves as another layer of protection on our software’s integrity, acting as a powerful deterrent against unauthorized binary releases.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previous undocumented plugin dubbed Pheno with the aim of facilitating credential theft. “According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time passwords (OTPs),” Cisco Talos researchers Alex Karkins and Chetan Raghuprasad said in a Tuesday analysis. What makes the attack novel is that CloudZ uses the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, permitting the plugin to monitor for active Phone Link processes and potentially intercept sensitive mobile data like SMS and one-time passwords (OTPs) without the need for deploying malware on the phone. The findings demonstrate how legitimate cross-device syncing features can expose unintended attack pathways to credential theft and help bypass two-factor authentication.

What’s more, it obviates the need to compromise the mobile device itself. The malware, per the cybersecurity company, has been put to use as part of an intrusion that’s been active since at least January 2026. The activity has not been attributed to any known threat actor or group. Built into Windows 10 and Windows 11, Phone Link offers a way for users to pair their computer with an Android device or iPhone over Wi-Fi and Bluetooth, allowing users to make or take phone calls, send messages, and dismiss notifications.

Unknown threat actors have been observed attempting to leverage the application using CloudZ RAT and Pheno to confirm Phone Link activity on a victim environment and then access the SQLite database file used by the program to store the synchronized phone data. The attack chain is said to have employed an as-yet-undetermined initial access method to obtain a foothold and drop a fake ConnectWise ScreenConnect executable that’s responsible for downloading and running a .NET loader. The initial dropper also makes use of an embedded PowerShell script to establish persistence by setting up a scheduled task that runs the malicious .NET loader. The intermediate loader is designed to run hardware and environment checks to evade detection and deploy the modular CloudZ trojan on the machine.

Once executed, the .NET-compiled trojan decrypts an embedded configuration, establishes an encrypted socket connection to the command-and-control (C2) server, and awaits Base64-encoded instructions that allow it to exfiltrate credentials and implant additional plugins. Some of the commands supported by CloudZ include - pong, to send heartbeat responses PING!, to issue a heartbeat request CLOSE, to terminate the trojan process INFO, to collect system metadata RunShell, to execute shell command BrowserSearch, to exfiltrate web browser data GetWidgetLog, to exfiltrate Phone Link recon logs and data plugin, to load a plugin savePlugin, to save a plugin to disk at the staging directory (“C:\ProgramData\Microsoft\whealth") sendPlugin, to upload a plugin to C2 server RemovePlugins, to remove all deployed plugin modules Recovery, to enable recovery or reconnection DW, to conduct download and file write operations FM, to conduct file management operations Msg, to send a message to C2 server Error, to report errors to C2 server rec, to record the screen “The attacker used a plugin called Pheno to perform reconnaissance of the Windows Phone Link application in the victim machine,” Talos said. “The plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder. CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution

Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild. The vulnerability, tracked as CVE-2026-0300 , has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any untrusted network. The severity comes down to 8.7 if access to the portal is restricted to only trusted internal IP addresses.

“A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets,” the company said . According to Palo Alto Networks, the vulnerability has come under “limited exploitation,” specifically targeting instances where the User-ID Authentication Portal has been left publicly accessible. The following versions are impacted by the flaw - PAN-OS 12.1 - < 12.1.4-h5, < 12.1.7 PAN-OS 11.2 - < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 PAN-OS 11.1 - < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 PAN-OS 10.2 - < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 The issue, as it stands, is unpatched, with Palo Alto Networks planning to release fixes starting May 13, 2026. The company also said the vulnerability is applicable only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal.

“Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk,” it added. In the absence of a patch, users are advised to either restrict User-ID Authentication Portal access to only trusted zones, or disable it entirely, if it’s not required. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of “double free and possible RCE” in the HTTP/2 protocol handling. This issue affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67. Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski have been credited with discovering and reporting the vulnerability.

When reached for comment, Dmitruk told The Hacker News via email that the severity of CVE-2026-23918 is critical, as it can be exploited to achieve denial-of-service (DoS) and RCE. Additional details of the vulnerability are below - CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2 , specifically in the stream cleanup path of h2_mplx.c. The bug triggers when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. Two nghttp2 callbacks then fire in sequence, on_frame_recv_cb for the RST and on_stream_close_cb for the close, and both end up calling h2_mplx_c1_client_rst -> m_stream_cleanup, which pushes the same h2_stream pointer onto the spurge cleanup array twice.

When c1_purge_streams later iterates spurge and calls h2_stream_destroy -> apr_pool_destroy on each entry, the second call hits memory that has already been freed. The DoS, Dmitruk added, is trivial and works on any default deployment with mod_http2 and a multi-threaded MPM , whereas the RCE path requires an Apache Portable Runtime ( APR ) with the mmap allocator, which is the default on Debian-derived systems and on the official httpd Docker image. Dmitruk further explained - The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes. Apache respawns it, but every request on the crashed worker is dropped, and the pattern can be sustained as long as the attacker keeps sending.

The second outcome is remote code execution, and we built a working proof of concept on x86_64. The chain places a fake h2_stream struct at the freed virtual address via mmap reuse, points its pool cleanup function to system(), and uses Apache’s scoreboard memory as a stable container for the fake structures and the command string. The scoreboard sits at a fixed address for the lifetime of the server, even with ASLR, which is what makes the RCE path practical. The usual caveats apply: practical exploitation requires an info leak for system() and the scoreboard offsets, and the heap spray is probabilistic, but in lab conditions execution lands in minutes.

Dmitruk also pointed out that the MPM prefork is not affected by the flaw. However, the researcher cautioned that the attack surface is large as mod_http2 ships in default builds and HTTP/2 is widely enabled in production deployments. In light of the severity of the flaw, users are advised to apply the latest fixes for optimal protection. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware

A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. “These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers,” Kaspersky researchers  Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin said . The installers have been trojanized since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised as part of the incident. While DAEMON Tools is also available for Mac, Kaspersky told The Hacker News that only the Windows version was compromised.

The supply chain attack is active as of writing. AVB Disc Soft, the developer of the software, has been notified of the breach. Specifically, three different components of DAEMON Tools have been tampered with - DTHelper.exe DiscSoftBusServiceLite.exe DTShellHlp.exe Any time one of these binaries is launched, which typically happens during system startup, an implant is activated on the compromised host. It’s designed to send an HTTP GET request to an external server (“env-check.daemontools[.]cc”) – a domain registered on March 27, 2026 – in order to receive a shell command that’s run using the “cmd.exe” process.

The shell command, for its part, is used to download and run a series of executable payloads. These include - envchk.exe, a .NET executable to collect extensive system information. cdg.exe and cdg.tmp, the former of which is a shellcode loader responsible for decrypting the contents of the second file and launching a minimalist backdoor that contacts a remote server to download files, run shell commands, and execute shellcode payloads in memory. The Russian cybersecurity company said it observed several thousand infection attempts involving DAEMON Tools in its telemetry, impacting individuals and organizations in more than 100 countries, such as Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

However, the next-stage backdoor has been delivered only to a dozen hosts, indicating a targeted approach. The systems that received the follow-on malware have been flagged as belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. What’s more, one of the payloads delivered via the backdoor is a remote access trojan dubbed QUIC RAT. The use of the C++ implant has been recorded against a lone victim: an educational institution located in Russia.

“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner,” Kaspersky said. “However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.” The malware supports a variety of command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, and comes equipped with capabilities to inject payloads into legitimate “notepad.exe” and “conhost.exe” processes. The activity has not been attributed to any known threat actor or group. But evidence points to it being the work of a Chinese-speaking adversary based on an analysis of the artifacts observed.

The DAEMON Tools compromise is the latest in a growing list of software supply chain incidents in the first half of 2026, and follows similar high-profile breaches involving eScan in January, Notepad++ in February, and CPUID in April. “A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” Kucherin, senior security researcher at Kaspersky GReAT, said in a statement shared with The Hacker News. “Because of that, the DAEMON Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities.

Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having DAEMON Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks.” When contacted for comment, a representative for the Latvian developer said they are “aware of the report and are currently investigating the situation.” “Our team is treating this matter with the highest priority and is actively working to assess and address the issue,” the spokesperson added. “At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users. We will provide an update as soon as we have more verified information to share.” Update AVB Disc Soft has released a software update to address the supply chain incident.

“The updated release 12.6.0.2445 no longer includes the malicious behavior,” Kaspersky said. In a statement shared with the publication, AVB Disc Soft said the incident is limited to the Lite version of the software and that it’s continuing to investigate the root cause and full scope of the breach. The entire statement from the company is reproduced verbatim below - Within less than 12 hours of identifying the issue, we were able to implement a solution. Based on our current findings, the issue was limited to the free DAEMON Tools Lite version and did not affect any of our other products.

We have not identified evidence supporting claims that all DAEMON Tools users were impacted, and at this stage, we are not in a position to confirm any impact on paid versions customers. Our current analysis indicates that DAEMON Tools Pro and DAEMON Tools Ultra were not affected and absolutely safe. On May 5, 2026, we released version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files. We strongly recommend that all users update to the latest version to ensure they are fully protected.

The company also said it has isolated and secured affected systems; removed all potentially compromised files from distribution; audited the build and release pipeline; rebuilding and validating installation packages; and strengthened internal security controls and monitoring systems. In addition, users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) during the affected period are advised to uninstall the application, run a full system scan using trusted security or antivirus software, and download the latest version of DAEMON Tools Lite from the website. (The story was updated after publication to include a response from Kaspersky and AVB Disc Soft.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions

A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302 , with post-exploitation involving the deployment of custom-made malware families that have been put to use by other China-aligned hacking groups. Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor) that has been previously linked to threat clusters known as Ink Dragon , CL-STA-0049, Earth Alux , Jewelbug , and REF7707 . ESET is tracking the use of NosyDoor to a group it calls LongNosedGoblin .

Interestingly, the same malware has also been deployed against Russian IT organizations by a threat actor referred to as Erudite Mogwai (aka Space Pirates and Webworm), per Russian cybersecurity company Solar, which has given it the name LuckyStrike Agent . Some of the other tools utilized by UAT-8302 are as follows - CloudSorcerer , a backdoor observed in attacks targeting Russian entities since May 2024. SNOWLIGHT , a VShell stager used by UNC5174 , UNC6586 , and UAT-6382 . Deed RAT (aka Snappybee), a successor of ShadowPad, and Zingdoor , both of which have been deployed by Earth Estries in late 2024.

Draculoader , a generic shellcode loader that’s used to deliver Crowdoor and HemiGate . “Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least,” Talos researchers Jungsoo An, Asheer Malhotra, and Brandon White said in a technical report published today. “Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.” It’s currently not known what initial access methods the adversary employs to break into target networks, but it’s suspected to involve the tried-and-tested approach of weaponizing zero-day and N-day exploits in web applications. Upon gaining a foothold, the attackers are known to conduct extensive reconnaissance to map out the network, run open-source tools like gogo to perform automated scanning, and move laterally across the environment.

The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell. UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it. Besides using custom malware, the threat actor sets up alternative means of backdoor access using proxy and VPN tools like Stowaway and SoftEther VPN. The findings underscore the trend of advanced collaboration tactics between multiple China-aligned groups.

In October 2025, Trend Micro shed light on a phenomenon called “Premier Pass-as-a-Service,” where initial access obtained by Earth Estries is passed to Earth Naga for follow-on exploitation, clouding attrition efforts. This partnership is assessed to have existed since at least late 2023. “Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on reconnaissance, initial exploitation and lateral movement phases,” Trend Micro said. “Although the full extent of this model is not yet known, the limited number of observed incidents , combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed

Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don’t see it. Your MFA doesn’t stop it. And when an attacker gets hold of one, they don’t need a password.

OAuth grants don’t expire when employees leave. They don’t reset when passwords change. And in most organizations, nobody is watching them. The model made sense when a handful of IT-approved apps needed calendar access.

It doesn’t hold up when every employee is independently wiring AI tools, workflow automations, and productivity apps directly into their Google or Microsoft environment — each one receiving a persistent, scoped token with no automatic expiration and no centralized visibility. That’s not a misconfiguration. It’s how OAuth is designed to work. The gap is that most security programs weren’t built to account for it at scale.

CISOs know it’s a problem. Most aren’t solving it. New research from Material Security quantifies the gap between awareness and action. 80% of security leaders consider unmanaged OAuth grants a critical or significant risk.

Most have said as much for years. But awareness doesn’t translate directly into capability. A substantial portion of organizations (45%) are doing nothing to monitor OAuth grants at scale. Many of the rest (33%) are running manual processes — tracking grants in spreadsheets, reviewing permissions on an ad hoc basis, relying on employees to flag unusual app behavior.

Spreadsheets are not a threat response capability. They’re a record of how much exposure an organization doesn’t know it has. It’s not theoreticalrisk The argument for OAuth visibility often gets framed as employees piping sensitive information into third-party tools without IT visibility. That’s a real problem, but it’s the smaller one.

The more pressing issue is that OAuth grants are an active attack vector. The Drift incident makes that concrete. Drift, a sales engagement platform acquired by Salesloft, maintained OAuth integrations with Salesforce instances across hundreds of customer organizations. A threat actor tracked by Palo Alto Unit 42 as UNC6395 obtained valid OAuth refresh tokens — likely through prior phishing campaigns — and used them to access Salesforce environments belonging to more than 700 organizations.

The attack’s structure is a warning: the tokens were legitimate, the integration was legitimate. From the perspective of any perimeter control, nothing was wrong. MFA was bypassed entirely because the attacker wasn’t logging in — they were presenting a token that Drift had already been granted permission to use. Once inside, UNC6395 systematically exported data and combed through it for credentials: AWS access keys, Snowflake tokens, passwords.

Cloudflare, PagerDuty, and dozens of others were affected. The full scope is still being assessed. The Drift incident wasn’t an attack from a suspicious, unknown app. It was an attack through a trusted one.

The lesson isn’t that organizations should restrict OAuth integrations — it’s that trusting an app at the time of installation doesn’t mean it stays trustworthy, and that OAuth grants need active, continuous monitoring rather than passive acceptance. What monitoring actually needs to look like The current generation of OAuth security tools addresses OAuth risk at the point of installation. They check whether a requested permission scope is excessive. They may flag apps from vendors with poor reputations.

That’s useful — but it’s not sufficient. For the Drift scenario, a legitimate app whose credentials were later stolen and weaponized — it catches nothing. To begin with, vendor trust levels and app scopes are important, but it only tells part of the story. Monitoring the actual behavior of the app–the API calls it makes, the actions it takes–is critical to understanding what the app is actually doing, not just what it could do.

And even then, without deep visibility into the account(s) the app is linked to, you’re still operating half-blind. A risky app tied to an intern’s account is one thing–the same app being used by a VIP with access to countless sensitive emails, files, and systems is something else entirely. The Drift attack didn’t involve a suspicious app requesting unusual permissions at installation. It involved a legitimate app whose credentials were later compromised and weaponized.

A tool that only evaluates the grant at the point of creation would have seen nothing wrong. The risk materialized later — when the token was stolen and used by a different actor entirely. Effective OAuth security requires: Continuous behavioral monitoring, not point-in-time review. What is the app actually doing after it’s been granted access?

Monitoring the API calls an OAuth-connected app makes over time reveals anomalies that no static permission review can catch — sudden spikes in data access, queries for unusual data types, andaccess at unexpected hours. Blast radius assessment. An OAuth grant connected to an account with read access to thousands of sensitive documents and years of email history is categorically different from the same grant on a freshly provisioned account with limited exposure. The reach of the user’s account determines the potential impact of a compromised or malicious OAuth connection.

Risk scoring should reflect that. Graduated response matched to organizational risk tolerance. An obviously malicious app — unknown vendor, broad permissions, anomalous API behavior from day one — shouldn’t sit in the environment while a ticket works through a queue. It should be revoked immediately.

A mission-critical integration from a major vendor showing mild anomalies warrants human review before any action is taken. The response layer needs to be intelligent enough to tell the difference. Material’s OAuth Threat Remediation Agent Material Security’s OAuth Threat Remediation Agent is built around this more complete model of OAuth risk. The agent runs continuously across an organization’s Google Workspace environment, monitoring every OAuth-connected application — not just new ones at the point of grant.

For each connected app, the agent evaluates three factors together: Vendor trust and scope analysis — the standard baseline that most tools stop at Behavioral monitoring of actual API calls made by the app over time, surfacing anomalies against expected behavior Blast radius assessment based on the access levels and data exposure of the accounts the app is connected to These inputs combine into a risk signal that reflects both the probability of a problem and its potential impact. When the agent identifies a high-risk grant, it can act immediately — revoking the token before harm is done. For lower-certainty situations involving mission-critical applications, it surfaces the finding to the security team with full context: what the app is, what it’s been doing, what it has access to, and what the risk score is. Organizations configure their own thresholds: how much risk triggers automated remediation, and where the line is for requiring human sign-off.

The agent is designed to keep security teams in the loop for the decisions that matter, and out of the loop for the ones that don’t. Closing the back door OAuth grants are the default way third-party apps and AI tools connect to the enterprise workspace. That’s not changing. The number of grants in most environments will continue to grow as AI adoption accelerates.

Telling employees they can’t use AI tools isn’t a viable security posture for most organizations — and it wouldn’t address the threat posed by apps that are legitimate at installation and malicious later. The answer isn’t fewer OAuth grants. It’s better visibility into the ones that exist, continuous monitoring of their behavior, and the operational capability to respond fast enough to matter and smart enough to avoid disrupting the integrations that keep the business running. For security teams who want visibility into what’s actually connected to their environment — and the ability to respond when something changes, reach out to Material Security for a demo of the OAuth Threat Remediation Agent .

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.