2026-05-16 AI创业新闻
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that’s engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia’s Federal Security Service (FSB). It overlaps with activity traced by the broader cybersecurity community under the names ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH.
The hacking group is known for its attacks targeting government, diplomatic, and defense sectors in Europe and Central Asia, as well as endpoints previously breached by Aqua Blizzard (aka Actinium and Gamaredon) to support the Kremlin’s strategic objectives. “This upgrade aligns with Secret Blizzard’s broader objective of gaining long-term access to systems for intelligence collection,” the Microsoft Threat Intelligence team said in a report published Thursday. “While many threat actors rely on increasing usage of native tools (living-off-the-land binaries (LOLBins)) to avoid detection, Kazuar’s progression into a modular bot highlights how Secret Blizzard is engineering resilience and stealth directly into their tooling.” A key tool in Turla’s arsenal is Kazuar , a sophisticated .NET backdoor that has been consistently put to use since 2017. The latest findings from Microsoft charts its evolution from a “monolithic” framework into a modular bot ecosystem featuring three distinct component types, each with its own well-defined roles.
These changes enable flexible configuration, reduce observable footprint, and facilitate broad tasking. Overview of Kernel, Bridge, and Worker module interactions Attacks distributing the malware have been found to rely on droppers like Pelmeni and ShadowLoader to decrypt and launch the modules. The three module types that form the foundation for Kazuar’s architecture are listed below - Kernel , which acts as the central coordinator for the botnet by issuing tasks to Worker modules, manages communication with the Bridge module, maintains logs of actions and collected data, performs anti-analysis and sandbox checks, and sets up the environment by means of a configuration that specifies various parameters related to command-and-control (C2) communication, data exfiltration timing, task management, file scanning and collection, and monitoring. Bridge , which acts as a proxy between the leader Kernel module and the C2 server.
Worker , which logs keystrokes, hooks Windows events, tracks tasks, and gathers system information, file listings, and Messaging Application Programming Interface ( MAPI ) details. The Kernel module type exposes three internal communication mechanisms (via Windows Messaging, Mailslot, and named pipes) and three different methods for contacting attacker-controlled infrastructure (via Exchange Web Services, HTTP, and WebSockets). The component also “elects” a single Kernel leader to communicate with the Bridge module on behalf of the other Kernel modules. How the Kernel leader coordinates Worker tasking and uses the Bridge “Elections occur over Mailslot, and the leader is elected based on the amount of work (length of time the Kernel module has been running) divided by interrupts (reboots, logoffs, process terminated),” Microsoft explained.
“Once a leader is elected, it announces itself as the leader and tells all other Kernel modules to set SILENT. Only the elected leader is not SILENT, which allows the leader Kernel module to log activity and request tasks through the Bridge module.” Another function of the module is to initiate various threads to set up a named pipe channel between Kernel modules for inter-Kernel communications, specify an external communication method, as well as facilitate Kernel-to-Worker and Kernel-to-Bridge communication over Windows messaging or Mailslot. The end goal of the Kernel is to poll new tasks from the C2 server, parse incoming messages, assign tasks to the Worker, update configuration, and send the results of the tasks back to the server. Furthermore, the module incorporates a task handler that makes it possible to process commands issued by the Kernel leader.
Data collected by the Worker module is then aggregated, encrypted, and written to the malware’s working directory, from where it’s exfiltrated to the C2 server. “Kazuar uses a dedicated working directory as a centralized on-disk staging area to support its internal operations across modules,” Microsoft said. “This directory is defined through configuration and is consistently referenced using fully qualified paths to avoid ambiguity across execution contexts.” “Within the working directory, Kazuar organizes data by function, isolating tasking, collection output, logs, and configuration material into distinct locations. This design allows the malware to decouple task execution from data storage and exfiltration, maintain operational state across restarts, and coordinate asynchronous activity between modules while minimizing direct interaction with external infrastructure.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. A brief description of the flaws is below - CVE-2026-44112 (CVSS score: 9.6/6.3) - A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root. CVE-2026-44113 (CVSS score: 7.7/6.3) - A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root.
CVE-2026-44115 (CVSS score: 8.8) - An incomplete list of disallowed inputs vulnerability that allows attackers to bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body to execute unapproved commands at runtime. CVE-2026-44118 (CVSS score: 7.8) - An improper access control vulnerability that could allow non-owner loopback clients to impersonate an owner to elevate their privileges and gain control over gateway configuration, cron scheduling, and execution environment management. Cyera said successful exploitation of CVE-2026-44112 could allow an attacker to tamper with configuration, plant backdoors, and establish persistent control over the compromised host, whereas CVE-2026-44113 could be weaponized to read system files, credentials, and internal artifacts. The exploitation chain unfolds over four steps - A malicious plugin, prompt injection, or compromised external input gains code execution inside the OpenShell sandbox.
Leverage CVE-2026-44113 and CVE-2026-44115 to expose credentials, secrets, and sensitive files. Exploit CVE-2026-44118 to obtain owner-level control of the agent runtime. Use CVE-2026-44112 to plant backdoors or make configuration changes and set up persistence. The root cause for CVE-2026-44118, per the cybersecurity company, stems from the fact that OpenClaw trusts a client-controlled ownership flag called senderIsOwner, which signals whether the caller is authorized for owner-only tools, without validating it against the authenticated session.
“The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request,” OpenClaw detailed the fixes in an advisory for the flaw. “The spoofable sender-owner header is no longer emitted or trusted.” Following responsible disclosure, all four vulnerabilities have been addressed in OpenClaw version 2026.4.22. Security researcher Vladimir Tokarev has been credited with discovering and reporting the issues. Users are advised to update to the latest version to stay protected against potential threats.
“By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence – using the agent as their hands inside the environment,” Cyera said. “Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface
In Your Biggest Security Risk Isn’t Malware — It’s What You Already Trust , we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender’s analysis of 700,000 high-severity incidents found legitimate-tool abuse in 84% of them .
The reaction we heard most was a fair one: We know. So what do we actually do about it? That’s what Bitdefender’s complimentary Internal Attack Surface Assessment is built to answer. It’s a 45-day, low-effort engagement available to organizations with 250 or more employees that turns the abstract problem of “living off the land” into a specific, prioritized list of users, endpoints, and tools you can safely take away from attackers without breaking the business.
Why This, Why Now A clean Windows 11 install ships with 133 unique living-off-the-land binaries spread across 987 instances. Bitdefender Labs telemetry found PowerShell active on 73% of endpoints , much of it invoked silently by third-party applications. This isn’t a malware problem — it’s an over-entitlement problem, and you can’t patch your way out of it. Gartner now projects that preemptive cybersecurity will account for 50% of IT security spending by 2030, up from less than 5% in 2024 , and that 60% of large enterprises will adopt dynamic attack surface reduction (DASR) technologies by 2030, up from less than 10% in 2025 .
The reason is mechanical: when most intrusions involve no malware and adversaries move in minutes, “detect and respond” is too slow a loop. You have to remove the moves attackers can make in the first place. How the Assessment Works The engagement runs in four steps over roughly 45 days, powered by GravityZone PHASR — Bitdefender’s Proactive Hardening and Attack Surface Reduction technology — and sits alongside whatever endpoint stack you already run: Kickoff and behavioral learning. PHASR builds behavioral profiles for every machine-user pair, typically over 30 days.
Attack Surface Dashboard review. You receive an exposure score (0–100) and a prioritized list of findings across five categories: living-off-the-land binaries, remote admin tools, tampering tools, cryptominers, and piracy tools — each mapped to the specific users and devices they affect. Optional reduction sprint. Apply controls manually or let PHASR’s Autopilot enforce them.
Users can request access back through a built-in one-click approval workflow. Reduction review. A final session quantifies how much surface you’ve shrunk and what shadow IT and unauthorized binaries surfaced along the way. Early-access customers have reduced their attack surface by 30% or more in the first 30 days , with one reporting close to 70% by locking down LOLBins and remote tools — without investigation overhead or end-user disruption.
What It Means for Different Stakeholders For the CISO: a defensible, board-ready exposure number that moves week over week, mapped to behaviors attackers actually use. For the SOC and IT admin: up to 50% less investigation and response workload , because entire classes of suspicious-but-legitimate behavior simply don’t occur on endpoints that don’t need them. For the business decision-maker: documented, ongoing surface reduction — increasingly what regulators, auditors, and cyber-insurers want to see. Start Where the Attackers Already Are The previous article ended on a principle: the most significant risks are no longer external or unknown — they’re already inside your environment.
This one ends on a practice: you can have a precise, prioritized map of those risks within 45 days, at no cost, without changing your existing stack. If you run a Windows-heavy environment with 250 or more users, request your Internal Attack Surface Assessment here . Compromises will keep happening. Whether one becomes a breach depends almost entirely on what an attacker can reach once they’re in.
The fastest way to shorten that list is to look at it. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates
OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. “Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems,” OpenAI said . “We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access.” The artificial intelligence (AI) upstart said only limited credential material was successfully transferred from these code repositories, adding no other information or code was impacted. Upon being alerted of the activity, OpenAI said it isolated impacted systems and identities, revoked user sessions, rotated all credentials across impacted repositories, temporarily restricted code-deployment workflows, and audited user and credential behavior.
Since the impacted repositories included signing certificates for iOS, macOS, and Windows products, the company has taken the step of revoking the certificates and issuing new ones. As a result, macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas are required to update their apps to the latest versions. “This helps prevent any risk, however unlikely, of someone attempting to distribute a fake app that appears to be from OpenAI,” OpenAI said. “Users do not need to take any action for Windows and iOS apps.” The certificates are scheduled to be revoked on June 12, 2026, after which new downloads and launches of apps signed with the previous certificate will be blocked by built-in macOS protections.
Users are therefore advised to apply the updates before the cut-off date for optimal protection. This is the second time OpenAI has rotated its code-signing certificates for its macOS in as many months. Around mid-April 2026, it rotated the certificates after a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, which was compromised by a North Korean hacking group called UNC1069. “This incident reflects a broader shift in the threat landscape: attackers are increasingly targeting shared software dependencies and development tooling rather than any single company,” OpenAI said.
“Modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure, which means that a vulnerability introduced upstream can propagate widely and quickly across organizations.” The development comes close on the heels of TeamPCP claiming a number of fresh victims, compromising hundreds of packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of an ongoing supply chain attack campaign designed to push malware to downstream developers and steal credentials from their systems to further extend the scale of the breaches. “Just to be clear, no maintainer was phished, had a password leak, or a token stolen from their account,” TanStack said . “The attacker managed to engineer a path where our own CI pipeline stole its own publish token for them, at the exact moment it was created, by way of a cache that everyone in the chain implicitly trusted. It is a sophisticated approach that we hadn’t anticipated and that we’re taking very seriously.” TeamPCP has since announced a supply chain attack contest in partnership with Breached cybercrime, offering participants with a $1,000 in Monero to compromise open-source packages using the Shai-Hulud worm that it has made freely available to others.
The hacking group has also threatened to leak about 5GB of internal source code from Mistral AI, asking for $25,000 BIN from prospective buyers. “We are looking for $25k BIN or they can pay this and we will shred these permanently, only selling to the best offer and limited to one person, if we cannot find a buyer within a week we will leak all of these for free to the forums,” TeamPCP said in the post. In an updated advisory, Mistral AI confirmed it was impacted by a supply chain attack caused by the compromise of TanStac, leading to the release of trojanized versions of its npm and PyPI SDKs. It also said a lone developer device was impacted in the hack.
There is no evidence to suggest its infrastructure was breached. A deeper analysis of the modular Python toolkit delivered to Linux systems via the guardrails-ai and mistralai packages has uncovered that the primary command-and-control (C2) server address (“83.142.209[.]194”) is hard-coded. In case the primary C2 becomes unreachable, a fallback mechanism called FIRESCALE is activated. “When the primary C2 is unavailable, the malware searches all public GitHub commit messages worldwide for a signed alternative server URL, verified against an embedded 4096-bit RSA key,” Hunt.io said .
“Exfiltration follows three paths in sequence: primary C2 server, FIRESCALE dead-drop redirect, and the victim’s own GitHub repository. Blocking any single tier leaves the other two intact.” The cybersecurity company also revealed that the collection module responsible for harvesting Amazon Web Services (AWS) credentials covers all 19 availability zones in its target list, including us-gov-east-1 (AWS GovCloud - US-East) and us-gov-west-1 (AWS GovCloud - US-West), which are restricted to U.S. government agencies and defense contractors. Another unusual aspect of the campaign is the destructive behavior attached to it.
On machines geolocated to Israel or Iran, a 1-in-6 probability gate activates audio playback at maximum volume, followed by the deletion of all accessible files. The malware exists on systems with a Russian locale. The destructive actions targeting specific geographic regions mirror the “kamikaze” wiper that was unleashed by TeamPCP on Iran-based Kubernetes clusters in connection with a prior supply chain attack distributing a self-propagating worm known as CanisterWorm . These recurring behaviours point to a more intentional operation rather than something opportunistic.
“The toolkit is more capable, more resilient, and more sophisticated,” Hunt.io said. “Beyond credential files, the malware captures every environment variable on the machine, reads all SSH keys and config, walks the entire home directory for dotenv files, and pulls credentials from running Docker containers.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. “Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network,” the tech giant said in a Thursday advisory.
Microsoft, which tagged the vulnerability with an “Exploitation Detected” assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other “certain interaction conditions,” can allow arbitrary JavaScript code to be executed in the context of the web browser. Redmond also noted that it’s providing a temporary mitigation through its Exchange Emergency Mitigation Service , while it’s readying a permanent fix for the security defect. The Exchange Emergency Mitigation Service will provide the mitigation automatically via a URL rewrite configuration, and is enabled by default. If it’s not on, users are advised to enable the Windows service.
According to Microsoft, Exchange Online is not impacted by this vulnerability. The following on-premises Exchange Server versions are affected - Exchange Server 2016 (any update level) Exchange Server 2019 (any update level) Exchange Server Subscription Edition (SE) (any update level) If using the Exchange Emergency Mitigation Service is not an option due to air-gap restrictions, the company has outlined the following series of actions - Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT. Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS): Single server: .\EOMT.ps1 -CVE “CVE-2026-42897” All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne “Edge” } | .\EOMT.ps1 -CVE “CVE-2026-42897” Microsoft said it’s also aware of a known issue where the mitigation shows the “Mitigation invalid for this exchange version.” in the Description field. “This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as ‘Applied,’” the Exchange Team said .
“We are investigating on how to address this.” There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It’s also unclear who the targets are and if any of those attacks were successful. In the interim, it’s recommended to apply the mitigations recommended by Microsoft. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits
The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182 . It’s rated 10.0 on the CVSS scoring system, indicating maximum severity. “Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” CISA said .
In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616 , the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems. “UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.” It’s assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026. The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device.
They were added to the CISA’s KEV catalog last month. The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell has been codenamed XenShell owing to the use of a PoC released by ZeroZenX Labs. At least 10 different clusters have been linked to the exploitation of the three flaws - Cluster 1 (Active since at least March 6, 2026), which deploys the Godzilla web shell Cluster 2 (Active since at least March 10, 2026), which deploys the Behinder web shell Cluster 3 (Active since at least March 4, 2026), which deploys the XenShell web shell and a variant of Behinder Cluster 4 (Active since at least March 3, 2026), which deploys a variant of the Godzilla webshell Cluster 5 (Active since at least March 13, 2026), which malware agent compiled off the AdaptixC2 red teaming framework Cluster 6 (Active since at least March 5, 2026), which deploys the Sliver command-and-control (C2) framework Cluster 7 (Active since at least March 25, 2026), which deploys an XMRig miner Cluster 8 (Active since at least March 10, 2026), which deploys the KScan asset mapping tool and a Nim-based backdoor that’s likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information Cluster 9 (Active since at least March 17, 2026), which deploys an XMRig miner and a peer-based proxying and tunneling tool called gsocket Cluster 10 (Active since at least Mar 13, 2026), which deploys a credential stealer that attempts to obtain an admin user’s hashdump, JSON Web Tokens (JWT) key chunks that are used for REST API authentication, and AWS credentials for vManage Cisco is recommending that customers follow the guidance and recommendations outlined in the advisories for the aforementioned vulnerabilities to protect their environments.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182 , carries a CVSS score of 10.0. “A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” Cisco said . The networking equipment major said the flaw stems from a malfunction of the peering authentication mechanism, which an attacker could exploit by sending crafted requests to the affected system.
A successful exploit could permit the attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then weaponize it to access NETCONF and manipulate network configuration for the SD-WAN fabric.. The vulnerability impacts the following deployments - On-Prem Deployment Cisco SD-WAN Cloud-Pro Cisco SD-WAN Cloud (Cisco Managed) Cisco SD-WAN for Government (FedRAMP) According to Rapid7, which discovered CVE-2026-20182, the shortcoming has its echoes in CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023. “This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said .
“The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.” That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to become an authenticated peer of the target appliance and carry out privileged operations. Cisco, in its advisory, noted that it became aware of “limited exploitation” of the flaw in May 2026, urging customers to apply the latest updates as soon as possible. The company also said Catalyst SD-WAN Controller systems that are accessible over the internet and that have ports exposed are at increased risk of compromise.
It’s recommending customers to audit the “/var/log/auth.log” file for entries related to Accepted publickey for vmanage-admin from unknown or unauthorized IP addresses. Another indicator is the presence of suspicious peering events in the logs, including unauthorized peer connections that occur at unexpected times and originate from unrecognized IP addresses, or involve device types that are inconsistent with the environment’s architecture. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Cybersecurity researchers are sounding the alarm about what has been described as “malicious activity” in newly published versions of node-ipc. According to Socket and StepSecurity , three different versions of the npm package have been confirmed as malicious - node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 “Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer/backdoor behavior,” Socket said. “The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic.” StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server. This includes 90 categories of credentials, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more.
The harvested data is then compressed into a GZIP archive and transmitted to the “sh.azurestaticprovider[.]net” domain. The three versions were published by an account named “atiertant,” which has no connection to the package’s original author, “riaevangelist.” Although “atiertant” appears in the maintainer list, the account has no prior publish history in connection with the node-ipc package. The previous update to the package was in August 2024. The fact that the dormant, high-download package was compromised after a 21-month gap indicates that either the “atiertant” credentials were newly compromised, or the account was specifically added as a maintainer to publish the malicious versions.
What’s notable about the activity is that it does not rely on any npm lifecycle hooks such as preinstall, install, or postinstall scripts, instead appending the malicious payload as an Immediately Invoked Function Expression ( IIFE ) to the end of “node-ipc.cjs.” This, in turn, causes the malware to fire unconditionally on every require(‘node-ipc’). The oddity doesn’t end there, for the payload performs a SHA-256 fingerprint check and compares it against a hard-coded hash assembled from eight obfuscated table fragments embedded in the code, before proceeding with system enumeration and comprehensive credential harvesting. “This means 12.0.1 is entirely inert on any machine whose primary module path does not hash to the target value,” StepSecurity researcher Sai Likhith said. “The attacker knows exactly which project or developer is being targeted and pre-computed the hash of their entry point before publishing.
The 9.x versions do not have this gate and will execute the full payload on any system that loads them.” The malware also incorporates a second exfiltration channel besides issuing an HTTPS POST to the fake Azure domain containing the compressed stolen data. This involves encoding chunks of the archive as a DNS TXT record after overriding the system’s DNS resolver with Google Public DNS to sidestep local DNS-based security controls. “It first resolves sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the C2 IP,” StepSecurity said. “Then it re-targets the resolver directly at the C2 IP for all exfiltration queries.” “The direct-to-C2 DNS sink is a notable anti-detection technique.
Because the exfiltration queries never touch public DNS resolvers, there is no observable bt.node.js activity in public DNS logs. Organizations relying solely on DNS logging through corporate resolvers would not see this traffic.” Lastly, the malware also attempts to continue execution independently of the original Node.js process by forking itself into a detached background child processes, allowing exfiltration activity to continue silently after the parent application is terminated. “This campaign reflects how software supply chain attacks are evolving beyond simple malicious packages into infrastructure-aware credential harvesting operations,” Avital Harel, security research lead at Upwind, said in a statement. “Attackers are increasingly targeting the identities and automation systems powering modern software delivery pipelines while designing malware specifically to blend into normal developer and application behavior.” This is not the first time the npm package has incorporated malicious functionality.
In March 2022, the maintainer of the package deliberately introduced destructive capability to versions 10.1.1 and 10.1.2 by overwriting files on systems located in Russia or Belarus as a form of protest following Russia’s military invasion of Ukraine. Two subsequent versions – 11.0.0 and 11.1.0 – included the “peacenotwar” dependency, which was also published by the same maintainer as a “non-violent protest against Russia’s aggression.” “The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt,” Socket said. Users are advised to remove the compromised node-ipc versions and re-install a known clean version (9.2.1 and 12.0.0), assume compromise and rotate credentials and secrets, audit npm publish activity for any packages accessible with the rotated tokens, review workflow run logs for suspicious activity, audit cloud logs to check if any unauthorized actions were performed by IAM identities whose credentials were available during the compromised window, and block egress traffic to the C2 domain. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
Everything is still on fire. This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago.
The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work get used for bad stuff, and nobody seems shocked anymore. Great. Love that for us. Anyway.
Let’s get into it. Exploited PAN-OS RCE Palo Alto Networks Releases Fixes for Exploited Flaw Palo Alto Networks has released the first round of fixes to address CVE-2026-0300 , a critical buffer overflow vulnerability in the User-ID Authentication Portal service of PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. The company said it has observed the flaw being exploited in limited attacks since at least last month, with unknown threat actors leveraging it to drop payloads like EarthWorm and ReverseSocks5. Private AI chats Meta Announces Incognito Chat Meta has announced Incognito Chat with Meta AI in its namesake app and WhatsApp.
Incognito Chat is “a completely private way to interact with AI, similar to how end-to-end encryption means no one can read your conversations, even Meta or WhatsApp,” CEO Mark Zuckerberg said. “Incognito Chat handles all AI inference in a Trusted Execution Environment that ensures your messages are not accessible to us. The conversations on your phone also disappear when you exit the session.” The feature is powered by Private Processing , which already underlies its message summarization and composition tools. Zero-auth data leak Defense Company Exposes Sensitive Data A defense technology company with Department of Defense contracts exposed user records and military training materials through API endpoints that lacked meaningful authorization checks.
The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix , an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata, and direct links to documents hosted on Schemata’s Amazon Web Services instances. In a statement posted on the company’s website, Schemata said it did not have “evidence that any third party exploited the vulnerability to access customer data.” Router update reprieve FCC Softens Foreign Router Ban The U.S. Federal Communications Commission (FCC) has extended the deadline for owners of banned internet routers to provide security updates to U.S.-based users by two years.
In March 2026, the FCC banned the import and sale of all “consumer-grade” internet routers produced in a foreign country, citing unacceptable national security risks. In a new public notice published last week, the Commission’s Office of Engineering and Technology (OET) said it is extending this deadline until “at least” January 1, 2029. That said, the extension only applies to software and firmware updates so as to ensure the continued safety of already deployed routers in the U.S. and mitigate potential harm.
“These include all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems,” per the FCC . APT phishing campaign Operation GriefLure Targets Vietnam and the Philippines A new state-sponsored threat cluster dubbed Operation GriefLure has been observed targeting Vietnam’s telecom and the Philippines’ healthcare sectors with a RAR archive distributed via spear-phishing emails to deploy a remote access trojan on compromised hosts, while leveraging credible decoy documents to give them a veneer of legitimacy and trust. The malware is capable of process enumeration, screenshot capture, file and directory listing, credential harvesting, and file execution capabilities. JPEG PowerShell lure Operation SilentCanvas Drops ScreenConnect for Remote Access A multi-stage intrusion campaign has been observed leveraging a weaponized PowerShell payload disguised as a legitimate JPEG image file to deliver a trojanized instance of ConnectWise ScreenConnect to stealthy remote access.
“The intrusion likely originated through social engineering techniques such as phishing emails, malicious attachments, deceptive file-sharing interactions, or fake update lures involving a malicious file named sysupdate.jpeg,” CYFIRMA said . “The payload was specifically crafted to exploit user trust and bypass conventional file-extension validation mechanisms while blending malicious activity with legitimate enterprise software.” Aid-themed infostealer Operation HumanitarianBait Drops Python Infostealer A targeted cyber espionage campaign is leveraging social engineering and trusted infrastructure to establish persistent access to victim systems. The activity, which employs lure themes centred around humanitarian aid, is assessed to target Russian-speaking individuals or entities. “The attack is delivered via phishing emails containing a malicious LNK file disguised within a RAR archive, using a Russian humanitarian aid request form to exploit contextual trust,” Cyble said .
“Execution triggers a stealthy, multi-stage infection chain in which a decoy document is presented to the user while a heavily obfuscated, fileless (PE-less) Python-based implant is silently deployed.” The payload is retrieved from GitHub Releases, allowing the operator to blend in with legitimate enterprise activity. The implant operates as a “full-spectrum surveillance platform,” facilitating credential harvesting, keystroke logging, clipboard and screenshot capture, sensitive data exfiltration, and covert remote access. Ransomware-like file lock New GhostLock Technique Blocks File Access A new proof-of-concept (PoC) tool dubbed GhostLock, created by Kim Dvash of Israel Aerospace Industries, has revealed that it’s possible for a domain user with read access to a file share to deny access to files without the need for deploying any ransomware or requiring elevated privileges. “By calling CreateFileW with dwShareMode = 0x00000000 across a target share, a low-privileged user holds files in an exclusively locked state indefinitely,” Dvash said .
“Other clients receive STATUS_SHARING_VIOLATION (0xC0000043) on every access attempt. ERP systems fail. Workflow queues stall. The impact is indistinguishable from encrypted ransomware.
The attack produces none of the signals that encrypted ransomware produces.” The disruptive technique is not a vulnerability, but rather documented behavior required for data integrity. GhostLock affects “any organization running SMB-backed shared file infrastructure where users have standard domain credentials and network access to file shares.” AI scan false positives Anthropic Mythos Finds Single Bug in cURL cURL developer Daniel Stenberg said that Anthropic Mythos model’s scan of the utility five “confirmed security vulnerabilities,” out of which one was a low-severity bug, while the rest were false positives. “The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June,” Stenberg said . “The flaw is not going to make anyone grasp for breath.
All details of that vulnerability will ofcourse not get public before then, so you need to hold out for details on that.” Stenberg, however, acknowledged that artificial intelligence powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers. Fraud intel pact India Announces New Measures to Tackle Cyber-Enabled Financial Fraud The Indian Cyber Crime Coordination Centre (I4C), along with the Ministry of Home Affairs, and Reserve Bank Innovation Hub (RBIH), have signed a Memorandum of Understanding (MoU) to “facilitate cooperation in the areas of fraud-risk intelligence sharing, analytical support, and operational coordination for strengthening proactive fraud detection and prevention mechanisms.” The goal is to combat cyber-enabled financial fraud and curtail mule accounts across the banking and digital payments ecosystem. OnlyFans ransomware lure New Campaign Uses OnlyFans Lures to Drop crpx0 Ransomware Attackers are enticing users seeking “free OnlyFans accounts” to download a seemingly harmless ZIP file that contains the crpx0 ransomware. The activity targets both Windows and macOS systems.
“Inside that ZIP file is a small trick, a malicious shortcut disguised as something legitimate. When the user clicks it, it quietly executes hidden commands,” Aryaka said . “A VBScript loader prepares the system and silently installs the components needed to run Python-based code. This is where the attack becomes more flexible.
Rather than relying on a single static payload, the attackers now have a programmable environment. Once the Python script is running, it connects to a remote server.” The Python-based malware allows the attackers to send commands, update the malware, or deploy new payloads. This enables system profiling, clipboard hijacking to conduct cryptocurrency theft, seed phrase harvesting, andransomware deployment. ClickFix proxy access New ClickFix Campaign Uses PySoxy A new ClickFix campaign carried out via a compromised website has been observed using scheduled tasks for persistence and PySoxy , an open-source Python SOCKS5 proxy, to establish encrypted proxy access.
“In the observed chain, one user-executed command led to persistence, domain reconnaissance, an initial PowerShell-based command-and-control (C2) channel, and a second C2 path through PySoxy, giving the attacker encrypted proxy access without relying on well-known malware or remote monitoring and management (RMM) tools,” ReliaQuest said . “This development shows ClickFix moving beyond one-time user execution into modular post-exploitation, where older open-source tools can create redundant access paths that are harder to classify and contain.” Tokenizer output hijack Manipulating Hugging Face Packages via Tokenizer Tampering HiddenLayer has demonstrated a technique called tokenizer tampering that details how modifying the “tokenizer.json” file in Hugging Face AI models can give an attacker direct control over model output, enabling an attacker to exfiltrate sensitive data via, say, stealthy tool call injections. The attack works across Safetensors, ONNX, and GGUF formats. “Tokenizer.json ships with the model in a HuggingFace repository, as shown above, and is loaded automatically when the model is initialized for inference, making it a direct attack surface,” HiddenLayer said .
“This can affect conversational responses, tool-call arguments, and any other generated text, without weight modifications, adversarial input, or knowledge of the model’s architecture.” Teams helpdesk lure Fake IT Support Message Leads to ModeloRAT Threat actors are sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that enables remote access, malware deployment, privilege escalation, credential theft, lateral movement, and exfiltration. “By abusing Teams external access, the threat actor delivered a Dropbox-hosted Python payload [called ModeloRAT ] that established command-and-control, deployed multiple backdoors, and began mapping the internal environment,” Rapid7 said . “The attacker then escalated privileges to SYSTEM using CVE-2023-36036 before deploying a fake Windows lock screen designed to harvest the user’s domain password.” The attackers then moved laterally to a second host, used legitimate tooling such as DumpIt to gather system memory, and likely exfiltrated the data via an anonymous file-sharing service. ReliaQuest has attributed the activity to a financially motivated initial access broker (IAB) tracked as KongTuke .
Supply chain contest TeamPCP and Breached Announce Supply Chain Attack Competition The notorious threat actor known as TeamPCP , which was recently linked to the compromise of TanStack’s npm packages , has teamed up with Breached forum to announce a supply chain attack competition with a $1,000 prize in Monero. As part of the announcement, the Shai-Hulud worm has been open-sourced and hosted on the forum’s content delivery network. While it was also made available on GitHub , it has since been removed. According to screenshots shared by Dark Web Informer on X, the competition rules require participants to use the worm in their attacks and submit proof that they have obtained access to a target’s environment.
“The biggest supply chain based on the amount of weekly/monthly downloads will win,” the threat actor said. “If you compromise many small packages, it will be added up.” The development marks a newfound escalation of TeamPCP’s tradecraft. “The contest essentially functions as a public recruitment stunt, turning supply chain compromise into a leaderboard for lower-tier actors willing to trade risk for recognition,” Socket said . “TeamPCP has already been positioning supply chain compromise as a way to harvest credentials, expose enterprise environments, and hand access to groups that know how to monetize it.
Now it is giving forum users an open source worm, a scoring system, and a reason to rack up compromises.” NATS-powered C2 NATS as C2 Channel An unknown threat actor has been spotted using a NATS server as a command-and-control (C2) channel rather than relying on traditional HTTP-based panels or chat platforms. The novel technique has been codenamed NATS-as-C2 by cloud security company Sysdig. The activity relates to the exploitation of CVE-2026-33017 , an unauthenticated remote code execution (RCE) vulnerability in Langflow. “Over roughly 30 minutes of hands-on activity, the operator at 159.89.205.184 (DigitalOcean) downloaded a Python worker and a Go binary,” the company said .
While threat actors have adopted legitimate platforms and services as covert communication channels, this is the first time NATS, a high-performance communications system, has been leveraged for this purpose. That’s it. Attackers keep winning with simple crap: fake prompts, trusted tools, weak checks, and old systems nobody wants to fix. Do the boring work.
Patch. Change keys. Check users. Test backups.
Block the obvious junk. We’ll be back when the fire moves. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It’s also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx. “FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe,” ESET said in a report shared with The Hacker News.
Previous attacks mounted by the hacking crew have leveraged a malware family known as PicassoLoader , which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also observed weaponizing a vulnerability in WinRAR ( CVE-2023-38831 , CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike. As recently as last year, Polish entities were at the receiving end of a phishing campaign orchestrated by Ghostwriter that exploited a cross-site flaw in Roundcube ( CVE-2024-42009 , CVSS score: 9.3) to run malicious JavaScript responsible for capturing email login credentials. In at least some cases, the threat actors are said to have leveraged the harvested credentials to analyze mailbox contents, download the contact list, and abuse the compromised account to propagate more phishing messages, per a report from CERT Polska in June 2025.
Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain. “FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms,” ESET researcher Damien Schaeffer said. “This newest compromise chain that we detected is a continuation of the group’s willingness to update and renew its arsenal, trying to evade detection to compromise its targets.” The latest set of activities, observed since March 2026, involves using links in malicious PDFs sent via spear-phishing attachments to target government entities in Ukraine, ultimately resulting in the deployment of a JavaScript version of PicassoLoader to drop Cobalt Strike. The PDF decoy documents have been found to impersonate the Ukrainian telecommunications company Ukrtelecom.
The infection sequence incorporates a geofencing check, serving a benign PDF file to victims whose IP address does not correspond to Ukraine. The embedded link in the PDF document is used to deliver a RAR archive containing a JavaScript payload that displays a lure document to keep up the ruse, while simultaneously launching PicassoLoader in the background. The downloader is also designed to profile and fingerprint the compromised host, based on which the operators may manually decide to send a third-stage JavaScript dropper for Cobalt Strike Beacon. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to assess whether the victim is of interest.
The activity primarily appears to center around military, defense sector, and governmental organizations in Ukraine, whereas the victimology in Poland and Lithuania is much broader, targeting industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors. “FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms,” ESET said. “The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with the manual validation by the operators.” Gamaredon Delivers GammaDrop and GammaLoad in Ukraine Attacks The disclosure comes as the Russia-affiliated Gamaredon hacking group has been tied to a spear-phishing campaign targeting Ukrainian state institutions since September 2025, with an aim to deliver GammaDrop and GammaLoad downloader malware through RAR archives that exploit CVE-2025-8088 . “These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system,” HarfangLab said .
“There is little technical novelty here, but Gamaredon has never relied on sophistication. The group’s strength lies in its relentless operational tempo and scale.” Russia Targeted by BO Team and Hive0117 The findings also follow a report from Kaspersky that the pro-Ukraine hacktivist group known as BO Team (aka Black Owl) may be working with Head Mare (aka PhantomCore) in attacks aimed at Russian organizations, citing overlapping infrastructure and tools. Attacks orchestrated by the BO Team in 2026 have employed spear-phishing to serve BrockenDoor and ZeronetKit, the latter of which is capable of also compromising Linux systems. Also observed in these attacks is a previously undocumented Go-based backdoor referred to as ZeroSSH that can execute arbitrary commands using “cmd.exe” and establish a reverse SSH channel.
As many as 20 organizations have been targeted by the BO Team in the first quarter of 2026. “The nature of the interaction between the groups remains unclear, but the recorded intersections of tools and infrastructure indicate at least the potential coordination of actions against Russian organizations,” Kaspersky said . In recent months, Russian enterprises have also been targeted by a financially motivated group called Hive0117 to steal over 14 million rubles by breaking into accountants’ computers via phishing campaigns and disguising transfers as salary payments. The phishing emails were sent to more than 3,000 Russian organizations between February and March 2026, per F6.
Besides Russia, the activity has also targeted users from Lithuania, Estonia, Belarus, and Kazakhstan. The attacks employ invoice-themed lures to distribute RAR archives that contain malicious files to drop DarkWatchman, a remote access trojan attributed to the group. “Using remote access to online banking systems via compromised accountants’ computers, they initiated payments to be credited to bank accounts listed in the registry,” F6 said . “Formerly, this looked like a payroll transfer, but the registry listed the bank accounts of mules.
If such payment transactions did not go through anti-fraud systems, the attackers were able to withdraw significant amounts from the companies’ accounts.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI , an open-source multi-agent orchestration framework, within four hours of its public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the API server’s protected functionality without a token. “ PraisonAI ships a legacy Flask API server with authentication disabled by default,” according to an advisory released by the maintainers earlier this month. “When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token.” Specifically, the legacy Flask-based API server, src/praisonai/api_server.py, hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None.
According to PraisonAI, successful exploitation of the flaw can have varied impacts, including - Unauthenticated enumeration of the configured agent file through /agents Unauthenticated triggering of the locally configured “agents.yaml” workflow through /chat Repeated consumption of the model/API quota, and Exposure of the results of PraisonAI.run() to the unauthenticated caller “The impact therefore, depends on what the operator’s agents.yaml is allowed to do, but the authentication bypass is unconditional in the shipped legacy server,” PraisonAI said. The vulnerability affects all versions of the Python package from 2.5.6 through 4.6.33. It has been patched in version 4.6.34. Security researcher Shmulik Cohen has been credited with discovering and reporting the bug.
In a report published by Sysdig this week, the cloud security company said it observed attempts to exploit the flaw within hours of it becoming public knowledge. “Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances,” it said. “The advisory was published [on May 11, 2026,] at 13:56 UTC. The first targeted request landed at 17:40 UTC the same day.” The activity, per Sysdig, originated from the IP address 146.190.133[.]49 and followed a packaged-scanner profile that carried out two passes spaced eight minutes apart, with each pass pushing approximately 70 requests in roughly 50 seconds.
While the first pass scanned generic disclosure paths (/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock), the second pass specifically singled out AI-agent surfaces, including PraisonAI. “The probe that matched CVE-2026-44338 directly was a single GET /agents with no Authorization header and User-Agent CVE-Detector/1.0,” Sysdig said. “That request returns 200 OK with body {“agent_file”:”agents.yaml”,”agents”:[…]}, confirming the bypass was successful.” The scanner has not been found to send any POST request to the “/chat” endpoint during either pass, indicating the activity is consistent with an initial check to determine if the auth bypass works and confirm if the host is exploitable via CVE-2026-44338. The rapid exploitation of the PraisonAI is the latest example of a broader trend where threat actors are increasingly adopting newly disclosed flaws into their arsenal before they can be patched.
Users are advised to apply the latest fixes as soon as possible, audit existing deployments, review model provider billing for any suspicious activity, and rotate credentials referenced in “agents.yaml.” “Adversary tooling has scaled to the entire AI and agent ecosystem – no matter the size, and not just the household names – and the operating assumption for any project that ships an unauthenticated default must be that the window between disclosure and active exploitation is measured in single-digit hours,” Sysdig said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
How AI Hallucinations Are Creating Real Security Risks
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs. When an AI model lacks certainty, it doesn’t have a mechanism to recognize that. Instead, it generates the most probable response based on patterns in its training data, even if that response is inaccurate. These outputs may appear authoritative, making them especially dangerous when driving real-world security decisions.
Based on Artificial Analysis’s AA-Omniscience benchmark , a 2025 evaluation of 40 AI models found that all but four models tested were more likely to provide a confident, incorrect answer than a correct one on difficult questions. As AI takes on a larger role in cybersecurity operations, organizations must treat every AI-generated response as a potential vulnerability until a human has verified it. What are AI hallucinations? AI hallucinations are confidently presented, plausible-sounding outputs that are factually inaccurate.
Base language models don’t retrieve verified information; they construct responses by predicting words and phrases from learned patterns in their training data. Since their responses are statistically likely but not necessarily true, hallucinated outputs can closely resemble accurate information. While hallucinating, AI models may cite nonexistent sources, reference research that was never conducted or present fabricated data with the same conviction as trusted information. For organizations, the main issue surrounding AI hallucinations is not only inaccuracy but also misplaced trust.
When an AI output sounds like the absolute truth, employees may assume it is correct and act on it without verification. In cybersecurity environments, incorrect AI outputs pose significant security risks because they not only inform key decisions but also feed directly into automated systems that can trigger operational actions. The results can include system disruptions, financial loss and the introduction of new vulnerabilities. What causes AI hallucinations?
The first step toward mitigating the impact of AI hallucinations is understanding how they form. Here are the various factors that may contribute to AI hallucinations: Flawed training data: AI models learn from the data they are trained on. If that data contains outdated information or outright errors, the model will incorporate those flaws into its outputs. It won’t flag the discrepancies; it will learn from them.
Bias in input data: Overrepresentation of certain patterns or scenarios can cause an AI model to treat those patterns as universally applicable, even when the context differs. Lack of response validation: Base language models aren’t built to verify factual accuracy. They optimize for coherent, plausible outputs. While some systems add retrieval or grounding layers to reduce this risk, the core generation process remains vulnerable to hallucinations.
Prompt ambiguity: Vague inputs increase the likelihood that AI models will fill in gaps with assumptions, raising the risk of incorrect outputs and hallucinations. 3 ways AI hallucinations are impacting cybersecurity Not every AI hallucination has equal impact, but incorrect or fabricated information can leave organizations vulnerable to serious cyber threats. Three main ways AI hallucinations manifest are missed threats, fabricated threats and incorrect solutions. 1.
Missed threats AI threat detection often relies on identifying patterns and anomalies based on historical data and learned behavior. When a cyber attack aligns with known behaviors, the AI model performs well; but when it doesn’t, the model has nothing to compare it to, so the threat may go unnoticed. This is especially problematic for underrepresented attack techniques and zero-day attacks , which exploit vulnerabilities unknown to the vendor and are therefore unpatched. Because these threats are not reflected in training data, the AI model lacks sufficient context to flag them, resulting in a higher likelihood of undetected vulnerabilities and greater exposure within the environment.
- Fabricated threats In contrast to missed threats, AI models may also hallucinate false positives by misclassifying normal activity as malicious, alerting teams to threats that do not exist. For example, normal network traffic may be misinterpreted as suspicious, triggering alerts that prompt unnecessary incident response actions. These false alarms can lead to system shutdowns, wasted resources and disrupted operations for fabricated threats.
Over time, repeated false positives can lead to alert fatigue, where security teams become desensitized to all warnings. This increases the risk that legitimate threats will be overlooked in environments where teams have been conditioned to distrust alerts. 3. Incorrect remediation This is one of the most dangerous forms of AI hallucination since it occurs after trust has already been established.
For example, an AI system may confidently recommend deleting sensitive files, modifying system configurations or disabling firewall rules. If these actions are executed, particularly through privileged accounts, they can leave organizations exposed to identity-based attacks, lateral movement or irreversible data loss. Even when AI threat detection is accurate, hallucinated guidance can escalate a contained security incident into a broader breach. How organizations can reduce AI hallucination risks Although AI hallucinations cannot be fully eliminated, their impact can be significantly reduced through the following controls and governance measures.
Require human review before action AI-generated outputs should not trigger sensitive or privileged actions without human verification first. This is especially important for workflows involving infrastructure changes, access updates or incident response. The review requirement should not only happen when something seems wrong; models can sound equally confident whether they’re right or wrong. Treat training data as a security asset AI hallucinations often trace back to training data.
Regularly auditing the data used to train or ground AI systems by eliminating outdated records, biased datasets and inaccurate information reduces the likelihood that those flaws will appear in outputs. As AI-generated content becomes more common online, there is an increased risk of future models being trained on fabricated information produced by earlier models, in a phenomenon sometimes referred to as model collapse. Without continuous data governance, the risk of flawed AI outputs only increases. Enforce least-privilege access for AI systems AI-driven systems should be granted only the permissions they need to perform their tasks.
This may look like an AI system that is allowed to read files only, not delete them – even if a hallucinated recommendation tells it to. By restricting access with least privilege, organizations ensure that even if an AI system generates incorrect guidance, it cannot execute actions beyond what it is allowed to do. Invest in prompt engineering training AI outputs are heavily shaped by input quality, so a vague prompt gives the model more opportunity to fill gaps with incorrect assumptions, increasing the risk of hallucination. Organizations must prioritize training employees, especially those who directly interact with AI systems, on how to write specific prompts that drive the model to produce verifiable outputs.
Employees who understand that AI outputs should always be validated before use are less likely to interpret the AI system as authoritative by default. Place identity security at the center of AI governance AI hallucinations become real security risks when they lead to action, which is not primarily a model problem but rather an access problem. Security incidents arise when AI systems have enough access to act on incorrect guidance, or when a human trusts outputs without verification. Keeper® is built to provide organizations with the visibility and access controls needed to prevent unauthorized access, even when AI-driven decisions are incorrect.
By enforcing least-privilege access, monitoring privileged activity and securing both human and Non-Human Identities (NHIs), organizations can reduce the risk of AI hallucinations evolving into damaging security incidents. Note : This article was thoughtfully written and contributed for our audience by Ashley D’Andrea, Content Writer at Keeper Security. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.