2026-05-31 AI创业新闻
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. “Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection,” Palo Alto Networks said in an advisory released on May 13, 2026. The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said.
In an update to its advisory on May 29, 2026, Palo Alto Networks said it has “become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied. The development comes after Rapid7 revealed it identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026, followed by a second wave on May 21. Both the exploitation sets are assessed to be the work of the same threat actor. The activity observed in the second wave involved VPN IP assignment following the cookie authentication in two cases, granting the attacker access to the internal network.
No follow-on activity in the customer environments where a VPN session was established, the cybersecurity vendor added. “An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations,” Rapid7 said. “As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis.” As temporary mitigations, it’s recommended to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature. The exploitation of CVE-2026-0257 follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to deliver credential-stealing malware called EKZ Infostealer.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant’s implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. “The chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third-party page the assistant has just summarized. It auto-fetches those images and surfaces those links as live, clickable elements inside the trusted assistant UI,” security researcher Andi Ahmeti said in a report shared with The Hacker News.
In a hypothetical attack scenario, a bad actor can append a small payload to any web page that the victim later prompts ChatGPT to summarize, causing it to leak their IP, User-Agent, and Referer details when attacker-hosted images embedded in the page are automatically fetched when the answer is rendered. In addition, it can result in malicious Markdown links being rendered as live clickable elements inside the assistant’s response, serve far fake system-style security alerts, and serve a QR code from an attacker’s S3 bucket and trick the victim into scanning it via their mobile device, effectively bypassing desktop URL filters and enterprise security controls. The latest finding demonstrates how summarization can emerge as an adversarial surface. Earlier this March, Permiso also revealed how an attacker-controlled email containing specially crafted instructions, when summarized by Microsoft Copilot, could influence its output via a cross-prompt injection (XPIA) or indirect prompt injection.
What makes ChatGPhish a noteworthy attack technique is not the prompt injection itself, but in the manner in which the instructions embedded in a web page are followed and presented to the user as part of the summary. In other words, a regular web page summarized with ChatGPT is enough to render phishing links, spoofed account alerts, remote images, and QR codes directly inside a trusted AI interface. As organizations increasingly use ChatGPT for research and summarization, this vulnerability means any malicious web page an employee asks the AI chatbot to process could contain a payload that transforms ChatGPT into a phishing surface. “The shift from email to the browser significantly expands the potential attack surface.
A user no longer has to open a malicious attachment or interact with a suspicious message,” Permiso said. “Simply summarizing a page during normal browsing activity can introduce attacker-controlled instructions into the model context and ultimately into the rendered response.” The disclosure comes as Adversa AI documented two attack techniques codenamed SymJack and TrustFall targeting AI coding agents and agentic coding CLIs that allow attackers to achieve code execution and full machine compromise. SymJack is “a single attack pattern [that] lets a malicious repository achieve remote code execution through AI coding assistants,” security researcher Rony Utevsky said. “The agent is tricked into a benign-looking file copy that secretly overwrites its own config, and the next restart runs attacker code with full user privileges.” Specifically, a booby-trapped repository tricks the agent into copying a seemingly harmless file, where the destination is a symlink pointing to the agent’s own configuration, causing the attacker’s payload to be written to the config.
On the next restart, a malicious Model Context Protocol (MCP) server spawns and runs arbitrary code with full user privileges. TrustFall, on the other hand, is a one-click remote code execution attack via a malicious repository that can ship a configuration that auto-approves and spawns an MCP server without a user’s explicit approval or requiring a tool call from the agent. To put it differently, all a threat actor needs to carry out the attack is to create a repository that includes a malicious MCP server and configuration settings that auto-approve it to run. When a developer clones or opens the repository in the AI coding tool and presses “Enter” on the folder trust prompt, the AI coding tool ends up launching the attacker-controlled code with the developer’s full system privileges.
“The moment a victim clones the repo, runs Claude, and clicks the generic ‘Yes, I trust this folder’ dialog, the MCP server starts as a native OS process with full user privileges,” Adversa AI noted. “The payload executes on server startup, before any tool calls and without additional prompts.” The findings coincide with the discovery of a number of attack methods against AI models in recent months - The use of a novel jailbreak approach called Involuntary In-Context Learning ( IICL ) that “exploits the tension between in-context learning (ICL) and safety alignment” to bypass GPT-5.4 safety constraints The safety guardrails of LLMs can be circumvented if a user tricks the model into having a multi-turn conversation. “Multi-turn evaluation matters for one reason: it is where attackers actually live,” Cisco said . “Real adversaries iterate.
They reframe refusals, decompose tasks across turns, adopt personas, and escalate gradually. A single-turn benchmark cannot see any of that.” A vulnerability in Anthropic Claude Code that employs a user-level configuration change in “~/.claude.json” to rewrite MCP endpoints via a rogue npm package to put an attacker in between Claude Code and an OAuth-backed MCP server, allowing the bad actor to capture tokens used for downstream SaaS access. The use of a remote update mechanism that allows an OpenClaw skill to appear benign at installation time, but later allows the attacker to influence the agent through workspace files by instructing the user during skill setup to append specific instructions to the HEARTBEAT.md file . The use of hidden text featuring content pulled from a legitimate newsletter or a romance novel in phishing emails to confuse an AI-based email security system into flagging the message as benign.
A vulnerability in Claude’s Chrome browser extension called ClaudeBleed allows any extension, even those without any special permissions, to hijack it and trick the AI assistant to perform active agentic actions on their behalf. “The flaw stems from an instruction in the extension’s code that allows any script running in the origin browser to communicate with Claude’s LLM, but does not verify who is running the script,” LayerX said. “As a result, any extension can invoke a content script (which does not require any special permissions) and issue commands to the Claude extension.” A study from Cisco has found that adversarial text rendered as images, an attack known as typographic prompt injection, can be used to bypass safety filters in vision language models (VLMs). “When a model fails to read the original image (small font, heavy blur, rotation), a bounded perturbation can recover semantic content in the model’s internal representation without restoring visual legibility to a human,” Cisco said .
“This means an attacker can craft images that look like noise or illegible distortion to any OCR-based content filter yet carry fully readable instructions to the target VLM.” A set of vulnerabilities in Microsoft Semantic Kernel ( CVE-2026-25592 and CVE-2026-26030 ) that could turn a prompt injection into host-level remote code execution. The use of the Neural Exec prompt injection attack and the Unicode right-to-left-override function to bypass Apple’s input and output filters and the safety guardrails on Apple Intelligence’s local model and trick the LLM into producing attacker-directed results. The issue has been addressed in iOS 26.4 and macOS 26.4. An indirect prompt injection vulnerability codenamed WebPromptTrap impacts BrowserOS, an open-source agentic browser, that deceives users into approving an authorization step through an AI summary generated from processing a legitimate-looking article with hidden instructions.
The issue has been patched in BrowserOS version 0.32.0. An audit of the agent skills ecosystem spanning ClawHub and skills.sh has uncovered that 13.4% of 3,984 skills (i.e., 534 in total) have at least one critical security issue, including malware distribution, prompt injection attacks, and exposed secrets. About 1,467 skills have at least one security flaw, ranging from hard-coded API keys and insecure credential handling to third-party content exposure. A pair of attacks targeting NemoClaw , NVIDIA’s open-source reference stack to secure OpenClaw AI agents, to exfiltrate OpenClaw data using the sandbox’s default configuration via a malicious GitHub repository or an npm package.
As frontier AI models continue to evolve and mature, threat actors are increasingly experimenting with the technology to write malware with added capabilities to dynamically adapt its behavior in an attempt to evade detection, as well as offload decision-making to the LLM to ascertain if the compromised environment is valuable or safe enough to drop next-stage payloads. “In the short term, the proliferation of frontier AI models capabilities risks empowering adversaries to exploit zero-days and N-days at an unprecedented scale,” Palo Alto Networks Unit 42 said . “It is also likely to enable attackers to move at greater scale, sophistication, and speed than ever before.” Last month, the cybersecurity company also detailed a proof-of-concept (PoC) agent called Zealot that harnesses the power of LLMs to conduct end-to-end cloud attacks with minimal human guidance by exploiting known misconfigurations and vulnerabilities. This, in turn, stems from the fact that cloud environments are “AI-Attack-Ready” by default, given that every action has an API equivalent, have varied discovery mechanisms like metadata and enumeration services, are rife with misconfigurations, and are driven by credential-based access.
“Current LLMs can chain reconnaissance, exploitation, privilege escalation, and data exfiltration with minimal human guidance,” Unit 42 researchers Yahav Festinger and Chen Doytshman noted . “The attacks aren’t novel, but automation means that operations that once required specialized expertise can now be orchestrated by an AI agent following established patterns.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. “The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server,” Sysdig said . “The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes.” CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands.
The issue was addressed in version 0.23.0, released last month. The security defect has since come under active exploitation, with threat actors using it to initiate manual reconnaissance against honeypot systems and attempt to harvest sensitive data. The latest activity documented by Sysdig sticks to the same pattern, the primary difference being that an LLM agent was used to drive the post-exploitation activity. The incident, per the cloud security firm, was recorded on May 10, 2026, with the attacker gathering credentials from the environment and then using the harvested AWS access key to perform API calls against AWS Secrets Manager and retrieve an SSH private key.
Minutes later, the threat actor is said to have carried out the first SSH authentication on the SSH bastion server using the retrieved key, followed by launching eight parallel SSH sessions against the downstream server to siphon an internal PostgreSQL database. The end-to-end attack chain lasted a little over an hour. Sysdig said it uncovered four indicators that an LLM agent was behind the activity. First, the attacker improvised a database dump without any prior knowledge of the schema.
Second, a Chinese-language planning comment, “看还能做什么” translating to “See what else we can do” leaked directly in the command stream when executing a credential search. “The database hostname was opaque, with no application identifier on disk and no schema dump pre-staged, yet the chain still landed on a credential table within minutes,” Sysdig said. “The attacker no longer needs to see your environment to operate inside it.” The third sign is that every command is designed for machine consumption, with each command separated by a “—” delimiter, along with bounded output captures, disabling the “less” command, and discarding the error stream (stderr) to minimize noise. Lastly, the value handoffs are obtained from prior tool output.
In other words, the manner in which certain values, say, database passwords, were extracted implies an AI agent feeding its own previous output – running a cat command of the “~/.pgpass” file – into the next action. In another instance, a cat command to print the contents of a specific file (“cat ~/.ssh/id_ed25519”) is preceded by an ls (“list”) command that passes the same file pattern as input (“ls -la ~/.ssh/id_ed25519*”) to confirm that the SSH Key exists. “When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time,” Sysdig concluded. “However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target.
Here, the bar becomes inference budget, not playbook authorship.” “The defender-relevant property of an agent-in-the-loop is adaptiveness. A scripted attacker hits a missing file, an unexpected schema, or an authentication failure and either aborts or falls through to a hard-coded fallback. An agent reads the surprise, decides what to try next, and keeps going.” To counter this threat, it’s recommended that users update to the latest version of Marimo, audit environments for any publicly-accessible instances, and rotate credentials, API keys, and SSH keys. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Securing AI Use Within Your Organization Starts Here
New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war. “The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims,” WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. “Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware.” The victimology footprint spans military, government, civilian, and business-related organizations.
GREYVIBE, its nation-state-affiliated activity notwithstanding, also shares ties to the broader Russian cybercrime ecosystem through some of its members who are believed to be current or former cybercriminal actors. In addition, there is evidence indicating that the adversary is relying on generative artificial intelligence (GenAI) and large language models (LLMs) to supercharge its operations. Taken together, WithSecure paints the picture of a “low-to-moderately sophisticated group” that suffers from operational security blunders and employs AI-assisted tooling to augment its malware development efforts. GREYVIBE has been observed using multiple attack chains against its targets - PhantomMail , which uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive and 4sync that contain JavaScript-based loaders to launch a decoy document, and PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.
PhantomClick , which uses ClickFix -style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS to trick users into running commands that initiate a PhantomRelay infection chain. PrincessClub , which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video. While FallSpy is an Android spyware capable of harvesting sensitive data from the compromised device, LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism.
DroneLink , which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay. Nebo , which uses a FallSpy sample that mimics a Russian-language login screen, likely in an attempt to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal. The variety of delivery vectors and tools used in the attacks likely stems from the use of AI platforms, including Ideogram AI, OpenAI ChatGPT, and Google Gemini, to assist with generating images and developing LegionRelay, as well as obfuscation and loader scripts, backend infrastructure, and post-compromise commands. The cybersecurity company said GREYVIBE’s usage of AI serves multiple advantages, including bridging gaps in technical expertise, accelerating the development lifecycle, and reducing reliance on previously known malware or tools that could aid in attribution efforts.
“If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time,” Nejad said. That said, the use of AI has also had the side effect of introducing design flaws into LegionRelay, exposing the malware’s backend functionality. This is another sign suggesting GREYVIBE may not be a pure nation-state actor, as sophisticated adversaries are unlikely to make such mistakes. The hacking group’s links to the cybercriminal ecosystem are based on multiple factors - Possible access to and use of an ISO builder with suspected ties to the TrickBot gang and UAC-0098 Presence of PhantomRelay variants across seemingly unrelated cybercrime activity clusters, such as a Microsoft Teams voice phishing campaign between July 2025 and February 2026, and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware.
The upload of early development and test samples to VirusTotal Use of internet slang terms like “letsrollboyos,” “totallyunsus,” and “cuteuwu” as naming conventions for development artifacts. The deployment of XMRig miner on a small number of LegionRelay-infected machines “Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members,” WithSecure said. “The exact nature of their relationship to the Russian state remains unclear, whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team.” “The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks
Shadow AI used to mean employees pasting things they shouldn’t into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product.
The risk surface moved with it. In The Shadow Builders report ( get it here ), a new category-level investigation covered in May by Axios, WIRED, and VentureBeat, Red Access identified more than 380,000 publicly accessible web assets across the leading vibe-coding platforms. Roughly 5,000 looked corporate. More than 2,000 of those held sensitive corporate, operational, or personal data - sitting on the open web, deployed without basic access controls, often granting admin access by default to anyone who reached the URL.
Six continents. Every industry is examined. No exploitation required. Inside organizations, passing their audits while these exposures were live.
The new Shadow AI isn’t about prompts. It’s about products. Vibe coding - the broader space of AI-driven development platforms where anyone can build a working application by describing what they want - has compressed what used to take engineering teams months into something a non-developer can ship before lunch. A marketing manager builds a campaign tracker and connects it to the BI tool where the real numbers live.
An operations manager builds a vendor-intake form and connects it to the ticketing system. A finance team builds a board-prep dashboard and pulls invoice data into it before Friday. Those applications get connected to sanctioned production systems - CRMs, ERPs, ticketing tools, BI platforms - and frequently published to the open internet, with whatever access controls the builder happened to configure. Often, none.
The people doing this aren’t malicious. They are competent employees solving real problems faster than their organization could, doing exactly what the platforms invited them to do. The platforms aren’t villains either - they’re delivering what their original audience asked for. What hasn’t kept pace is the guardrails, technical and behavioral, governing what happens after the build.
This isn’t Shadow IT in the old sense. Shadow IT was bounded: when a team bought a Trello account on a corporate card without telling anyone, the data sat inside an unsanctioned SaaS vendor, but identity, audit logs, and a governance surface at least existed. Shadow Builders invert that. The application is custom-built, the data is custom-loaded, the integrations are direct connections to production systems of record, and the artifact is often published on the open internet.
The platform underneath may be audited; the application built on it isn’t. There is the builder, the platform, and the URL. IT? Mostly not in the room.
Why a mature security stack still misses this The reflex of a CISO reading the numbers above is to check the stack. EDR is running. DLP is configured. CASB is licensed.
Firewall and SSE are in place. Some organizations have added an enterprise browser. Each of those tools is doing what it was designed to do. The category sits in the gaps between them.
EDR sees the browser process, not the build inside it. To an endpoint agent, a Shadow Builder using a vibe-coding platform looks like ordinary, non-malicious browser activity - the same shape of telemetry as someone reading the news. Where modern EDR or an enterprise browser does see deeper, it only does so on devices the organization owns and inside browsers it manages. Personal laptops, contractor machines, BYOD devices, and personal-browser tabs are invisible by definition.
DLP watches enumerated channels. It can flag a user pasting regulated data into a known AI chat. It can’t see a vibe-coded application connecting programmatically to a sanctioned BI tool via API, moving data cloud-to-cloud, physically bypassing the endpoint entirely. CASB was built for Shadow IT - for SaaS vendors with discoverable identities.
It can’t readily distinguish an unbounded population of custom applications hosted on a vibe-coding platform’s subdomains from the platform itself. The whole population tends to register as one approved SaaS vendor. Firewall and SSE see traffic to the platform’s domain but lack the application-as-business-object context. And most SASE/SSE deployments are partial - even the mature ones leave the unmanaged-device problem unsolved.
None of these tools is failing. The category just sits across the gaps the existing architecture leaves between layers, generating fragments of signal that never assemble into a single, governable picture. Where visibility actually has to live End-to-end, vibe coding is a web-session event. The build is a browser event.
The OAuth grant that ties the new application to a sanctioned enterprise system is a browser event. The data the application is built around moves through the session. The deployment is a browser event - the publish action that turns the build into a live application at a public URL is a click inside the same tab where everything else happened. Every step happens at the session layer.
Not adjacent to it. Inside it. A control positioned at the session layer, therefore, sees the whole build path - not a fragment of it. The platform used.
The corporate systems connected to it, and through what mechanism. The data is moving in and out. The publish event that puts the application on the open internet. Attributable to a specific person and a specific application instance, regardless of which browser was used or which network path the traffic took.
And, critically, regardless of whether the device is a corporate-issued laptop or a contractor’s personal machine. What to do this week Four moves. None of them is a technology purchase. Start with discovery.
Ask employees directly what they’ve built. Most Shadow Builders are doing useful work and aren’t hiding anything; the framing matters. A workforce-wide prompt - if you’ve built a tool using an AI development platform, please tell us about it. We’re not auditing.
We’re inventorying
- gets further on the first pass than a policy memo or a tooling deployment. Then map. For each application surfaced, capture which corporate systems it’s connected to, how (OAuth, API key, manual upload - different audit trails), and whether it’s publicly reachable. Public reachability is the most actionable signal in the short term.
Establish a sanctioned path. Give Shadow Builders somewhere to tell you. Name the approved platforms, define acceptable data categories, and set a minimum authentication standard. Lower-friction than the alternative, which is them not telling you at all.
And then accept that the work isn’t a one-time inventory. Vibe-coded applications keep getting created; the picture you build this month will be incomplete next month. The mature posture is continuous discovery at the layer where the activity actually happens. The category will keep maturing.
Platforms will keep recalibrating defaults. None of those adaptations is finished. The exposure exists in most enterprises right now. Red Access is the agentless, session-layer security platform built for exactly this - SSE-grade visibility and governance at the session itself, across any browser, any device, including unmanaged ones.
Deployable in hours. Request your free audit. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets
Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil’s largest cooperative financial systems, to siphon client IDs and PFX certificates. According to Socket , versions 2.0.0 through 2.0.4 of “ Sicoob.Sdk “ contain functionality to exfiltrate sensitive information, including PFX certificates that are used to authenticate businesses with the Sicoob banking network in order to automate banking operations, such as processing instant payments and generating dynamic Pix QR codes. The package is estimated to have been downloaded nearly 500 times. “When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the package reads the PFX file from disk, Base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party Sentry endpoint,” security researcher Kirill Boychenko said.
In addition, the package is designed to capture raw Boleto API responses via a separate Sentry path. Boleto is a popular cash payment method in Brazil for making online and offline purchases. This can potentially expose sensitive transaction details, payment status, amounts, due dates, identifiers, and payer or payee data. As a result, the stolen data could open the door to severe risks, as it can be abused by the threat actor to impersonate the victim’s Sicoob banking API integration, Socket added.
Following responsible disclosure, the package has been blocked by NuGet. The profile behind the package, named “sicoob,” has also listed 11 other NuGet packages that have collectively racked up about 6,000 downloads. The application security company also said the package was surfaced by Google Search AI Mode as a legitimate C# library for interacting with Sicoob banking APIs, thereby amplifying the malicious package to unsuspecting developers who may be searching for it. Another important aspect of the attack is the source-to-package mismatch between the linked GitHub repository and the artifact distributed via NuGet.
It’s suspected that the GitHub repository is designed to lend a veneer of legitimacy to the operation by keeping it clean, while the malicious data-stealing functionality is introduced only in the package uploaded to the registry. What’s more, the compromise of Sicoob API authentication material can also pose indirect risks to end users, as it could leak downstream financial data or enable payment abuse. Organizations that have installed “Sicoob.Sdk” are recommended to immediately remove the package, treat PFX material as compromised, replace exposed PFX certificates, rotate PFX passwords, and change or disable affected client IDs where applicable. It’s also advised to audit Sicoob authentication and API logs for signs of unusual activity.
The development coincides with the discovery of 14 malicious npm packages that typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries to harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from the host environment using a purpose-built credential harvester that’s launched through a preinstall hook. Per the Microsoft Defender Security Research Team, the packages were published by a single threat actor named “vpmdhaj” (“a39155771@gmail.com”) on May 28, 2026. The names of the packages are below - @vpmdhaj/devops-tools @vpmdhaj/elastic-helper @vpmdhaj/opensearch-setup @vpmdhaj/search-setup app-config-utility elastic-opensearch-helper env-config-manager opensearch-config-utility opensearch-security-scanner opensearch-setup opensearch-setup-tool search-cluster-setup search-engine-setup vpmdhaj-opensearch-setup The findings are the latest in a staggering spate of supply chain attack campaigns that have targeted the npm ecosystem over the past few days - 164 malicious npm packages across five scoped namespaces containing a postinstall payload that downloads second-stage JavaScript, spawns it as a detached process, and sends the victim’s environment variables (“process.env”) to “oob.moika[.]tech/report.” 141 malicious npm packages published between May 7 and 27, 2026, that abuse npm as free static hosting for an ad-monetized web proxy targeting students, serving popunder ads to those who land these pages through search results or shared links. A malicious npm package called “ forge-jsxy “ that’s capable of keylogging, clipboard monitoring, .env scanning, shell history exfiltration, host inventory, remote filesystem access, screenshot capture, and cryptocurrency wallet scanning.
“Forge-jsxy” is assessed to be a continuation of the “ forge-jsx “ campaign that came to light late last month. 176 malicious npm packages that employ dependency confusion by using a high version number (“99.99.99”) to distribute a postinstall script with capabilities to fingerprint the host and download a platform-specific JavaScript payload, which then conducts additional reconnaissance, exfiltrates credentials and other valuable developer secrets, and downloads and runs a second-stage binary. In a newly published report, Sonatype said threat actors have outgrown classic typosquatting techniques, moving beyond obvious misspellings to using names that appear convincing in legitimate developer workflows so as to steal data and drop malicious payloads. This, in turn, transforms a routine install step into a risk-prone pathway for reconnaissance, credential theft, and follow-on compromise.
Popular brandjacking techniques include prefix or suffix addition, dependency confusion, version mimicry, embedded target terms, altered scopes or namespaces, and names that resemble the function of a legitimate package. “‘Typosquatting’ is now too narrow a label for what this analysis captures,” the supply chain security company said . “The broader pattern is manufactured legitimacy: attackers designing package names to look plausible, useful, and operationally routine inside modern software ecosystems.” These incidents have also unfolded against a series of software supply chain compromises that have been linked to TeamPCP (aka Replicating Marauder and UNC6780), which has become a force to be reckoned with by poisoning popular developer tooling across npm, PyPI, Docker Hub, and Packagist in a worm-like fashion. “Replicating Marauder was not just inserting malicious code into packages, but also exploiting automation, inherited trust, and ordinary CI/CD workflows to push compromise further downstream,” BlueVoyant researcher Michael Warren said .
“This was the point where the campaign most clearly demonstrated that one poisoned dependency or container image could trigger compromise in an unrelated organization’s release pipeline. The tactical shift turned isolated software poisoning into a reproducible method for victim-to-victim expansion.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. “Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule,” ENKI said in an analysis published this week. The attacks have been found to deliver a variant of a known malware family dubbed HTTPSpy by disguising it as installers from South Korean security software, a tactic the threat actor has consistently adopted since 2023. In the latest campaign observed in March 2026, the adversary has been found to propagate malicious payloads through a bogus web page impersonating the security software installation page of a South Korean B2B messaging service.
Given the nature of the lure, it’s suspected that the activity may have been specifically designed to single out messaging administrators within corporate environments. The page claims to offer two security tools: a firewall and a keyboard security program. Once unsuspecting users initiate the download, it results in the download of either of the two executables - “nos-setup.exe” and “astx-setup.exe” - that masquerade as nProtect Online Security and AhnLab Safe Transaction (ASTx). Despite the differences in the name, the malicious behavior embedded in them is identical.
The primary responsibility of the binaries is to launch a second-stage DLL payload (“MemLoader.dll”) via “regsvr32.exe,” after which a batch script is run to delete themselves from disk. The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload. “The attacker likely monitored the recurring GET requests from the malware and selectively delivered payloads to specific victims,” ENKI said. In another campaign observed in April 2026, a counterfeit web page mimicking Cisco Webex is said to have been used to display a pop-up message urging the victim to download and run a script to address issues with accessing the camera.
Doing so results in the retrieval of a ZIP archive containing an encrypted JavaScript (JSE) file (“fix-camera.jse”). The execution of the JSE file results in the deployment of an intermediate downloader (“mTSTCv8.mdxm”) using PowerShell, which then runs anti-analysis checks and contacts a C2 server to fetch the next-stage malware (“engine.dat” or “spyInster.dll”). In the final stage, the DLL drops a loader component (“cacheMon.dat”) that, in turn, executes HTTPSpy on the compromised system. HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.
This is not the first time Kimsuky has deployed HTTPSpy. In its 2025 European Threat Landscape Report, CrowdStrike said the hacking group likely targeted a German defense manufacturer’s employees via a credential phishing campaign deploying the malware between May 2024 and at least September 2024. The first use of HTTPSpy dates back to 2022. Simultaneously, the malware also drops and opens an HTML file named “meeting.html,” which immediately redirects the victim to a Webex meeting room.
Accessing the URL opens a legitimate Webex meeting room associated with an actual scheduled event that took place around the same time. “This indicates that the attacker likely compromised a service member’s device or account to obtain the meeting schedule, then crafted a fake meeting page to distribute malware to the other attendees,” the cybersecurity company said. ENKI said it also discovered additional fake web pages that query a local server set up by the malware on the victim’s machine via JSONP (JSON with Padding) to verify malware execution status and display an installation prompt if it’s not running. The technique has been codenamed JSONPing.
However, the exact nature of the downloaded malware remains unknown as the URL is currently inactive. “Kimsuky went beyond simple malware distribution, introducing sophisticated mechanisms to maximize delivery success, including real-time infection verification via JSONPing and crafting a fake page using a stolen meeting schedule,” ENKI said. Kimsuky Evolves with HelloDoor and HttpMalice The disclosure comes as Kaspersky detailed the threat actor’s use of Microsoft Visual Studio Code (VS Code) tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language in its latest campaigns, highlighting its continued adaptation and evolution. “Specifically, Kimsuky leveraged legitimate VS Code tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities,” the Russian cybersecurity company said .
“These activities affected various sectors in South Korea, impacting both public and private entities.” Attack chains have been found to rely on a variety of droppers written in JSE, PIF, SCR, and EXE to deliver two broad malware families: PebbleDash and AppleSeed . While PebbleDash attacks have also been recorded against defense organizations in Brazil and Germany, the AppleSeed cluster has mainly targeted government organizations. Some of the key malware families delivered by the droppers are as follows - HelloDoor , a Rust-based PebbleDash variant first identified in August 2025 and likely developed using an LLM. It supports basic functionality to set the current directory, sleep for a specific time interval, and run commands.
HttpMalice , the latest backdoor variant of PebbleDash, emerged no later than December 2025. It comes with capabilities to gather information about the compromised system, set up persistence, perform reconnaissance using native Windows commands, capture screenshots, load downloaded payloads into memory, run commands, and exfiltrate the execution output. HttpTroy , a backdoor delivered via a loader named MemLoad that allows file upload/download, screenshot capture, command execution, in-memory loading of executables, reverse shell, process termination, and trace removal. AppleSeed , which comes in two variants: Dropper and Spy.
The Dropper is responsible for downloading additional malware and executing commands received from its C2 server. The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives. This also includes harvesting data from the C:\GPKI directory, mirroring a similar feature implemented in Troll Stealer . HappyDoor , an advanced version of AppleSeed that first surfaced in 2021 .
Another notable tactical shift involves the abuse of the legitimate VS Code Remote Tunneling feature to establish covert remote access to the victim’s device, thereby eliminating the need for traditional malware-based C2 channels. This approach has also been highlighted by Darktrace and Logpresso . “Our analysis shows that the actor retains access to the original source code of the malware clusters and the ability to modify it,” Kaspersky researcher Sojun Ryu said. “Two clusters have overlapping target sectors that span the defense, military, government, medical, machinery, and energy industries.” “The AppleSeed cluster is shifting its focus to data exfiltration, and GPKI certificate extraction has become a signature capability.
Meanwhile, the PebbleDash cluster demonstrates advanced remote control capabilities and an expanding set of targets.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. “The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the –exec flag into git rebase during the ‘Rebase before merging’ merge operation,” security researcher Jonah Burgess said .
Rebasing is a Git action that’s used to take a sequence of commits from one feature branch and replay them on top of another base branch to create a linear project history. While “git rebase” solves the same problem as “git merge” – i.e., integrating changes from one branch into another – the former rewrites the project history by creating new commits for each commit in the original branch. The “git rebase” action also accepts as an argument a shell command via an –exec flag that’s executed after each commit is replayed. A notable aspect of the vulnerability is that it does not require admin privileges or interaction with other users.
To pull off the attack, all an unauthenticated threat actor has to do is create an account and repository on any default-configured instance. “Any registered user who creates a repo is automatically its owner,” Burgess said. “From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user.” In an alternative scenario, a user with write access to a repository where rebase is already enabled can exploit the flaw directly to obtain code execution. On Gogs instances where repository creation is restricted, an attacker is required to have write access to any repository that has rebase merging enabled.
As of writing, the vulnerability remains unpatched despite it being reported to the maintainer on March 17, 2026. Successful exploitation of the bug could grant an attacker the ability to breach the server, access every repository on the instance, dump credentials, move to other network-accessible systems, and tamper with any hosted repository’s code. What’s more, it can result in a cross-tenant data breach, allowing the attacker to read other users’ private repositories hosted on the same shared server. According to Rapid7, the flaw impacts all supported platforms, such as Windows, Linux, and macOS.
There are an estimated 1,141 internet-facing Gogs instances. However, the actual figure is expected to be higher, given that most deployments are placed behind VPNs or internal networks. In the absence of a patch, the following recommendations are outlined - Restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts Restrict repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repositories Audit rebase merge settings Rapid7 has also made a Metasploit module that automates the full exploit chain against both Linux and Windows targets. The module supports two modes: a default mode where a temporary repository is created under the attacker’s account, the exploit is run, and the repository is deleted.
The second approach targets a repository that the attacker already has write and merge access to. “When the attacker creates and deletes their own repository, the only trace is an HTTP 500 in the server logs,” the cybersecurity expert said. “When exploiting an existing repository, additional artifacts remain.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. “The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints,” Arctic Wolf said . “Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell.” The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later.
A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and endpoint policy to insert a malicious script for execution on endpoint devices. “The observed execution pattern suggests that threat actors used FortiClient’s own management pathway to push malicious PowerShell commands to managed endpoints in a way that resembled legitimate management operations,” Arctic Wolf said. “Once the threat actors had a route to modify EMS-managed configuration, every managed endpoint became a potential execution target without requiring a separate intrusion path to each device.” In addition, the attack has been found to leverage “fortitray.exe,” a legitimate executable associated with FortiClient to launch a .cmd script file using “cmd.exe.” The .cmd script is designed to invoke a Base64-encoded PowerShell script that, in turn, is responsible for downloading a malicious payload, running it, and exfiltrating the results to “83.138.53[.]110” via an HTTP POST request. The executable, named “FortiEndpoint_Patch.exe,” masquerades as an update, but, in reality, is a previously unreported Windows information stealer capable of harvesting sensitive data, such as passwords, cookies, and autofill details such as credit card information, addresses, and phone numbers, from Chromium- and Gecko-based browsers.
The data is written to a log file and saved to the ProgramData directory. It’s worth noting that the stealer lacks network-based exfiltration capabilities. It’s the PowerShell script that transmits the captured data to the attacker-controlled infrastructure. “By bypassing API authentication and interacting with EMS functionality in a privileged context, threat actors were able to modify management configuration and push malicious scripts for execution on managed endpoints,” Arctic Wolf said.
“Session cookies and saved browser credentials may provide threat actors with follow-on access to cloud services, internal applications, and other authenticated resources, including cases where session reuse may circumvent MFA prompts.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Microsoft has come out strongly in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings and give affected vendors an opportunity to better understand the impact and address them before they are publicly disclosed. The development comes after a researcher named Chaotic Eclipse (aka Nightmare-Eclipse) disclosed details of multiple zero-day vulnerabilities affecting various Windows components, including Defender and BitLocker, over the past month, citing a breakdown in Microsoft’s handling of the vulnerability disclosure process. “In recent weeks, several zero-day vulnerabilities have been publicly disclosed,” the tech giant said . “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.” “In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.” The vulnerabilities include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma , and MiniPlasma .
Following disclosure, BlueHammer, RedSun, and UnDefend have all come under active exploitation in the wild. Microsoft said it “firmly” opposes such uncoordinated disclosures and that putting proof-of-concept code for unpatched vulnerabilities can have “real-world consequences” when they end up in the hands of bad actors. “We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue,” the tech giant added.
“These conversations happen at researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities.” The fallout from these disclosures is said to have led GitHub to take down the researcher’s account last week. Although the exploit code for the six vulnerabilities was subsequently uploaded to GitLab, the newly created account has since been blocked. “So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me, and made sure to insult me in front of people,” the researcher said in a post published over the weekend. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.
Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that? You are proving to everyone that you [sic] actively escalating this conflict but I’m done begging you.” The researcher also said they intend to release something on July 14, 2026, that “will make sure your bones are shattered that day.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a “minor” foothold into total account compromise because apparently six digits and blind trust were all that stood between your vault and getting absolutely pwned. Cool. Great. Love that for us.
Then there’s the supply chain mess… signed binaries, poisoned updates, legit tooling getting hijacked like it’s still 2017, plus a few reports this week that feel less like advanced tradecraft and more like watching skiddies discover low-hanging fruit with enterprise branding slapped on top. The weird part isn’t that it works. The weird part is how damn easy it still is.
Anyway. Grab caffeine. Let’s get into it. Massive regional C2 footprint More than 1.3K C2 Servers Discovered in the Middle East Hunt.io said it identified more than 1,350 command-and-control (C2) servers across 98 Middle East infrastructure providers over the past three months, between February 1 and May 1, 2026.
“C2 infrastructure dominates malicious activity (~96.8%), far exceeding phishing infrastructure (~0.5%) and publicly reported IOCs (~0.5%), while malicious open directories account for the remaining ~2.2% of observed artifacts,” it said . “Saudi Arabia’s STC (Saudi Telecom Company) hosts 981 C2 servers, representing 72.4% of all detected C2 infrastructure in the region. IoT-focused botnets (Hajime, Mozi, and Mirai) combined with offensive frameworks (Tactical RMM, Cobalt Strike, Sliver) represent the dominant malware families operating across Middle Eastern infrastructure.” AKS privilege escalation flaw Microsoft Patches Azure Backup for AKS Privilege Escalation Bug Microsoft is said to have silently fixed a privilege escalation flaw in Azure Backup for AKS that allowed a user with only the “Backup Contributor” Azure role (zero Kubernetes permissions) to gain cluster-admin on any AKS cluster, per security researcher Justin O’Leary . The vulnerability, which does not have a CVE, carries a CVSS score of 9.9.
While Microsoft rejected the vulnerability report as “AI-generated content,” it appears to have been patched since, and additional validation checks were enforced that did not exist in March 2026. Cybercrime operator jailed Romanian National Sentenced to Prison for U.S. Cyber Attacks A 46-year-old Romanian national found guilty of breaking into an Oregon state government office in 2021 and other cyber attacks across the U.S. has been sentenced to 56 months in prison.
Catalin Dragomir pleaded guilty to one count of aggravated identity theft and one count of obtaining information from a protected computer in February. Dragomir was arrested in Romania in November 2024 and extradited to the U.S. in January 2025 to face charges. Dragomir “sold access to a computer on the network of an Oregon state government office after obtaining unauthorized access to it in June of 2021,” the Justice Department said .
“During the sale, Dragomir provided the prospective buyer with samples of personal identifying information from the computer. He also sold access to the computer networks of numerous other victims in the United States, causing losses of at least $250,000.” DAEMON Tools added to KEV CISA Adds DAEMON Tools Supply Chain Incident to KEV Catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the supply chain attack targeting DAEMON Tools software to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary fixes by May 30, 2026. The incident is now being tracked under the identifier CVE-2026-8398 (CVSS v4 score: 9.3).
“Attackers gained unauthorized access to the vendor’s (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe,” according to the description of the CVE. “These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.” Apple unveils PQC code Apple Open-Sources PQC Implementation Apple has published its post-quantum cryptography (PQC) implementations in corecrypto , including quantum-secure ML-KEM and ML-DSA algorithms, along with mathematical verification tools that it built to assure compliance with FIPS 203 and FIPS 204 specifications for independent evaluation by experts. “Corecrypto is used continuously in our products, providing encryption and decryption, hashing, random number generation, and digital signatures on over 2.5 billion active devices,” Apple said . “A critical bug in corecrypto has the potential to compromise the security and reliability of every app and feature that depends on it, so we are conservative when adding new code to the library and make exceptional efforts to be comprehensive in our testing.” Law firms targeted by SRG Silent Ransom Group Impersonates IT Personnel in Social Engineering Attacks The U.S.
Federal Bureau of Investigation (FBI) has warned that the threat actor known as the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, has been targeting law firms using social engineering techniques as part of fresh attacks since spring 2026. Law firms are a rich target due to the highly sensitive nature of the data they possess. “Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company’s location to gain physical access to computers,” the FBI said . “While SRG has victimized companies in many sectors, including those in the insurance, finance, and healthcare industries, the group has consistently targeted U.S.-based law firms since Spring 2023.” As part of the scheme involving in-person visits, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email.
Upon gaining a foothold, the attackers move swiftly to escalate privileges and pivot to data exfiltration without encryption. “By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI added. Fake installers spread Deno RAT Fake Software on GitHub and SourceForge Distributes Deno RAT Attackers are hosting counterfeit installers and plugins masquerading as popular software, including ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, and Kontakt, on GitHub and SourceForge to distribute a Deno backdoor known as DinDoor (aka Tsundere). “Attackers are using compromised YouTube channels to distribute links to these platforms,” Malwarebytes said .
“DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime.” PureLogs phishing wave Phishing Campaign Delivers PureLogs Stealer Variant A phishing campaign is using deceptive emails disguised as purchase orders to trick recipients into opening malicious JavaScript files contained within RAR archives that lead to the deployment of a PureLogs variant to steal sensitive data from the victim’s device. “Upon analyzing the PureLogs module, the malware’s primary capability is to collect sensitive data from the victim’s system, including basic hardware and system information, saved credentials, cryptocurrency-related data, and more,” Fortinet said . “The malware then compresses and encrypts the collected data before transmitting it to the C2 server.” U.K. targets crypto sanctions evasion U.K.
Government Unveils New Sanctions Against Crypto Networks The U.K. has announced sanctions against cryptocurrency exchanges and the A7 network used by Russia to evade existing restrictions. Among those hit by sanctions is HTX (aka Huobi Global), which is one of the largest cryptoasset exchanges in the world, with $3.3 trillion in trading volume in 2025. “It is suspected of providing services to A7, the sanctioned Russian payments network, and Garantex, the sanctioned cryptocurrency exchange,” Elliptic said .
It’s worth noting that the A7 corporate-and-token infrastructure emerged in the wake of the March 2025 Garantex takedown. Per data from TRM Labs , Huobi has sent more than $4.9 billion in direct on-chain transactions to U.K.-sanctioned and A7-network entities since 2021. Other entities hit by sanctions include Bitpapa and Rapira Group , the latter of which has transacted $375.6 million with Garantex’s named successor Grinex.io. Claude gains built-in code review Anthropic Announces Security-Guidance Plugin Anthropic has announced two new security features for its Claude AI: a self-hosted sandbox for Claude Managed Agents and a new security-guidance plugin.
“The security guidance plugin makes Claude review its own code changes for common vulnerabilities while it works and fixes what it finds in the same session,” Anthropic said . “The plugin catches issues such as injection, unsafe deserialization, and unsafe DOM APIs before the code reaches a pull request, reducing how much security review falls to human reviewers downstream. Once installed, the plugin runs automatically. There is nothing to invoke and no separate command to remember.” As described by Red Hat, a self-hosted sandbox “outsources the ‘thinking’ while keeping the ‘doing’ on your own infrastructure.” DACH cyberattacks jump 124% DACH Sees Rise in Hacktivism, Ransomware Data from Check Point has revealed that hacktivism and ransomware targeting organizations across Germany, Austria, and Switzerland increased 124% in 2025.
More than 60% of the hacktivist incidents have involved defacing websites to amplify political messaging. These efforts originated from NoName057(16), Mr Hamza, chinafans, Dark Storm Team, and Hezi Rash. Ransomware attacks, on the other hand, were mainly led by Akira, Qilin, and Safepay. “Germany accounted for more than 80% of regional incidents, with Switzerland at 12% and Austria at 8%,” Check Point said.
“Across Europe, the DACH region represented 18% of all recorded attacks, placing Germany above France, Spain, and Italy by individual country share.” World Cup scams explode online Scam and Fraud Campaigns Surge Ahead of FIFA World Cup Threat actors are increasingly capitalizing on the public excitement around the FIFA World Cup 2026 for scam campaigns. Bitdefender said it has identified more than 55 football-related malvertising campaigns targeting users through fake online stores, social media ads, IPTV piracy operations, fraudulent football apps, and FIFA-themed giveaway and lottery scams distributed through email. “The most-targeted users were in the United Kingdom, Portugal, Spain, Algeria, the United States, Canada, Mexico, Belgium, Germany, Brazil, and Australia,” the Romanian company said . Check Point said bad actors are “flooding the internet” with fake merchandise stores, fraudulent betting platforms, and phishing domains designed to steal personal data and money.
Host nations of the sporting event, Canada, Mexico, and the U.S., have also recorded an increase in the weekly average number of cyber-attacks per organization in April 2026, with Mexico registering a weekly average of 3,548 cyber attacks per organization. Group-IB said it uncovered six distinct fraud schemes and over 4,300 fraudulent domains impersonating FIFA’s official web presence. This includes a sophisticated phishing campaign conducted by a Chinese-speaking, financially motivated operator called GHOST STADIUM that involves using more than 300 domains using a shared phishing kit that exploits FIFA’s PingIdentity SSO login flow to harvest credentials and conduct fake ticket sales and payment fraud at scale. “GHOST STADIUM has built a pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow, and multi-language support in 11 languages,” Group-IB said .
” Facebook Ads serves as the primary paid traffic acquisition channel for the GHOST STADIUM campaign.” Chrome extensions harvest WhatsApp data WaSteal, a 126-Extension WhatsApp Data Collection Network Cybersecurity researchers have uncovered a 126-extension Chrome Web Store extension network dubbed WaSteal that masquerades as independent WhatsApp CRM tools while exfiltrating user personal data, advertising cookies, and voice messages to operator-controlled servers, affecting nearly 148,000 users. According to researcher Jean-Marie R., the network is operated by wascript.com.br, which operates a white-label platform. “The largest variant (WaSeller, 100k installs) embeds a live GTM container giving its operator silent, permanent remote code execution with no extension update or Chrome review required,” the researcher said. “The operator’s own privacy policy directly contradicts every behavior documented.” GhostTree breaks endpoint scanning Bypassing Windows Security Using GhostTree A new technique named GhostTree abuses NTFS junctions to generate infinite file paths, causing endpoint security products to hang and leave files unscanned.
“We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths,” Varonis said . “With just two lines of code, a user can generate endless valid paths, making it impossible to finish scanning parent directories with the dir command recursively. The same applies to EDR products that scan folders for malicious files. An attacker places malware in the parent directory, sets up the GhostTree structure, and the containing folder becomes effectively unscannable.
The scan hangs. The malicious files go unexamined.” Kali365 targets Microsoft 365 Microsoft 365 Users Targeted by Kali365 Phishing Kit An emerging Phishing-as-a-Service (PhaaS) platform called Kali365, first observed in April 2026, has been targeting Microsoft 365 environments. “Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials,” the FBI said . “Through the Kali365 platform subscription, cyber threat actors can capture ‘OAuth’ tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments.” Like other PhaaS platforms, Kali365 risks lowering the barrier of entry to cybercrime, offering less-technical attackers access to artificial intelligence (AI)-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.
Kali365 is available to affiliates on a subscription basis, ranging from $250 for 30 days to $2,000 for a year. In a report published last month, Arctic Wolf said it observed a device code phishing campaign using Kali365 to obtain initial access and conduct follow-on activity. “The campaign relied on high-fidelity lures directing victims to Microsoft’s legitimate device login flow, where users unknowingly authorized threat actor-initiated sessions,” the company said . “Captured OAuth access and refresh tokens enabled immediate mailbox access and post-compromise activity.
In select cases, threat actors established malicious inbox rules to suppress security notifications, extending dwell time and reducing user awareness.” Barracuda Networks and Proofpoint have also warned of a spike in device code phishing campaigns in recent months. Barracuda said it detected more than 7 million device code attacks between March and April 2026. “The surge of device code phishing is the natural progression of credential phishing, as more people become aware of multi-factor authentication bypass techniques, criminals must get creative,” Proofpoint noted. Vaultjacking targets Google passwords Decrypting Google Password Manager Vault Using Vaultjacking PhishU has detailed a new technique called Vaultjacking , which demonstrates how a victim’s 6-digit Google Password Manager (GPM) PIN captured via an adversary-in-the-middle (AitM) phishing page can be used to decrypt the entire synced GPM vault.
“That single PIN releases Google’s Security Domain Secret, which decrypts every synced password and passkey on the account – not just the credential being registered, the entire vault,” Curtis Brazzell, PhishU Flounder and CEO, said in a statement. Once the AitM page harvests the user’s session cookies and GPM PIN, a threat actor can add a passkey to the victim’s Google account for persistence and then unlock the victim’s entire synced credential vault from their own infrastructure. Signed RVTools trojan spreads RAT Fake RVTools Installer Drops Python RAT A trojanized MSI installer for RVTools is being used to deploy a modular Python-based remote access trojan (RAT) using a VBScript loader. The malware includes a reconnaissance module that fingerprints the host and maps out Active Directory and a persistent command-and-control (C2) agent that encrypts stolen data and waits for operator commands.
“What made this campaign particularly effective was the use of a legitimately issued Sectigo code-signing certificate, registered under what appears to be a shell entity - Xiamen Lunwei Huage Network Co.(Sectigo), Ltd,” K7 Labs said . “At the time of delivery, the certificate was fully valid, meaning Windows SmartScreen and most endpoint controls raised no flags. It has since been revoked, though it offers limited protection to environments not enforcing real-time OCSP or CRL checks at execution time.” None of this was especially sophisticated. That’s the lesson nobody wants to hear.
Most breaches still start with trust abuse, stale configs, lazy access controls, or users getting socially engineered by someone sounding vaguely competent over the phone. Patch faster. Audit harder. Stop assuming signed software, MFA prompts, or “internal-only” tooling means safe.
The attackers already figured out the shortcuts. Might be time defenders stop pretending those shortcuts don’t exist. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New AI Usage Report: Enterprise AI Risk Is Heavily Concentrated Among a Small Group of AI “Power users”
State of AI Usage Report 2026 ( full report here ) by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don’t understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a handful of dominant AI platforms that drive the majority of enterprise AI activity and sensitive data exposure. At the same time, AI usage is rapidly fragmenting across personal accounts, AI browser extensions, embedded copilots, AI connectors, and secondary AI tools operating outside traditional visibility and governance controls.
The result is a fragmented AI ecosystem that most organizations still cannot fully see or govern. While AI Is Everywhere in the Enterprise, Most Employees Are Casual The common perception is that “everyone uses AI now”. The report paints a much more nuanced picture. While nearly half of enterprise users interacted with AI tools over the past year, only 18% use AI on a weekly basis.
This suggests that most employees remain casual users. At first glance, that sounds like good news for security teams. Fewer users should mean lower risk. But the report found the opposite.
Enterprise AI activity is heavily concentrated among a very small group of employees. While half of the users had 12 AI conversations or fewer, the top 5% generated at least 144 conversations. These same users also engaged in much deeper interactions, averaging 18 prompts per conversation compared to the average of 2. This creates a new class of “AI power users” that conduct far more conversations, interact across multiple AI platforms, and engage in significantly deeper prompt chains than average employees.
The result: AI risk is not distributed evenly across the organization. A relatively small group of users drives a disproportionate amount of enterprise AI exposure. ChatGPT Is Still Dominating Enterprise AI Usage, But Copilot is Coming Closer Despite the rapid growth of enterprise copilots, ChatGPT remains the dominant AI platform inside enterprises by a significant margin. It accounts for 36% of enterprise AI users and more than 55% of all AI conversations.
That gap matters because it shows ChatGPT users are far more active than users of competing platforms. Copilot M365 is growing quickly, reaching 29% adoption and nearly a quarter of enterprise AI conversations. The growth of Copilot also signals something important: enterprise AI usage is starting to split between governed enterprise-native AI and consumer-driven AI adoption. But beyond those two leaders, most AI platforms remain far behind despite the attention they receive.
While Copilot M365 usage is largely tied to corporate-managed Microsoft environments, where organizations typically maintain stronger visibility and governance controls, Gemini presents a very different risk profile. Most enterprise Gemini usage still happens through the regular consumer version, not Gemini Enterprise. In many cases, employees access it through personal accounts and unmanaged environments. That means organizations often have little visibility into how data is retained, whether prompts are used for model training, or how enterprise information is ultimately handled.
The implication is significant: not all enterprise AI adoption carries the same level of risk. The real governance challenge increasingly comes from consumer AI usage operating inside enterprise workflows under the appearance of legitimate productivity tools. Shadow AI Is No Longer A Few Applications; It’s a Long Tail of Under-the-Radar AI Apps Most organizations still think about Shadow AI as employees using an unapproved chatbot. That definition is already outdated.
The LayerX research shows that enterprise AI usage is rapidly fragmenting across a growing ecosystem of AI tools, embedded assistants, AI browser extensions, AI search engines, coding copilots, and AI-powered SaaS features that often operate outside traditional visibility and governance controls. Nearly 30% of enterprise users already use multiple AI platforms, while the top 5% interact with six or more AI applications. Employees are no longer relying on a single assistant for isolated tasks. They are combining multiple AI systems inside the same workflows, often switching between tools depending on the task, data type, or convenience.
This is what modern Shadow AI actually looks like. It’s the growing long tail of AI tools that organizations struggle to see, track, or govern. In many cases, organizations may not even realize AI is being used at all, creating a far larger governance challenge than most organizations anticipate. Enterprise AI Usage Is Far More Personal Than Organizations Realize Most organizations assume that if employees use AI for work, they will naturally use corporate-managed AI environments.
But that’s not true. Nearly half of all enterprise AI conversations happen through personal identities rather than corporate-managed accounts. What’s even more concerning is that over 14% of conversations conducted with corporate identities are tied to personal AI licenses. This creates a major governance blind spot, as when employees use personal AI accounts, organizations lose visibility into retention policies, auditability, model training exposure, and how enterprise data is ultimately handled.
Sensitive company information can move into external AI ecosystems without centralized oversight or policy enforcement. What makes this particularly surprising is that the divide is not just about identities. It is increasingly shaping platform selection itself. Enterprise-focused platforms such as Copilot M365 and Gemini Enterprise are used primarily through corporate-managed accounts.
Meanwhile, platforms like ChatGPT, Claude, and DeepSeek remain dominated by personal usage. This means the enterprise AI problem is no longer just about AI applications. It is increasingly becoming a “personal AI” and governance problem. Sensitive Data Flows Into All AI Platforms, With DeepSeek and ChatGPT The Worst Culprits The report found that more than 6% of enterprise AI conversations already contain sensitive data.
We categorized the sensitive data to find that personal data was the most common category by far, appearing in 5.81% of conversations, while financial and IT-related data appeared less frequently but still represented meaningful exposure. DeepSeek showed the highest sensitive data exposure rate at 12.63% of conversations. ChatGPT followed at 8.38%. Copilot M365 showed a significantly lower exposure rate at 3.65%.
This suggests enterprise-integrated AI platforms may operate within more controlled governance environments, while consumer-oriented AI tools continue to see much riskier usage patterns. The question is no longer whether employees will share sensitive data with AI systems. They already are. The real challenge is understanding where it happens, how often, and through which identities and platforms.
AI Extensions and Connectors Are Quietly Expanding the AI Risk Surface The report also highlights two fast-growing AI channels that many organizations are barely tracking today: AI browser extensions and AI connectors. About 15% of enterprise users already run at least one AI browser extension. Nearly 75% of these extensions request high or critical browser permissions. More than 16% already have known vulnerabilities.
At the same time, AI connectors are increasingly linking AI systems directly to enterprise applications like SharePoint, GitHub, Slack, Atlassian, and Google Workspace. This means that AI systems are no longer limited to employees manually pasting information into chatbot windows. They are increasingly being granted persistent, programmatic access to enterprise systems, documents, collaboration platforms, and internal knowledge repositories. This fundamentally changes the nature of enterprise AI risk.
Turning Insight Into Action: The Path Forward for CISOs The report makes one thing clear: traditional AI governance approaches are falling behind how employees actually use AI. It outlines a clear direction for security leaders: Identify and Monitor High-Risk AI Power Users: AI risk is highly concentrated among a small group of employees who rely heavily on AI across multiple platforms and expose significantly more sensitive data than average users. Treating all AI usage equally wastes resources and misses the highest-risk behavior. Stop Focusing Only on “Approved AI”: The biggest visibility gap is the growing long tail of AI tools, embedded assistants, browser extensions, AI search engines, and connectors quietly spreading across the enterprise.
Block Personal Account Usage as Active Shadow AI: Unmanaged personal AI accounts and personal AI licenses expose sensitive enterprise workflows to uncontrolled AI environments. Enforcing corporate AI identities and blocking personal account usage helps ensure that AI interactions, prompts, and data flows remain visible, governed, and protected under enterprise security controls. Shift From “Block or Allow” to Inline AI Guardrails: Blocking AI outright is no longer realistic, and an “allow-all” approach is equally risky. Organizations need inline guardrails that monitor prompts, uploads, responses, and AI-driven actions in real-time to prevent sensitive data exposure without disrupting productivity.
Download the full State of AI Usage report from here Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.