DAILY WORKFLOW ARCHIVE

2026-06-02 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-06-02 AI创业新闻

Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded

Password manager Dashlane has disclosed that “fewer than” 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an “external” threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication (2FA) protections and allowing them to register new devices on existing user accounts. Exactly how many users were targeted remains unknown, but Dashlane said the high volume of attempts on those accounts triggered temporary account suspensions and authentication issues due to its built-in security controls. Although access to the accounts has since been restored, the company has now revealed that the attackers were successful in a handful of cases, enabling them to download a copy of the encrypted vaults belonging to less than 20 personal plan users.

“We have directly notified each of these users,” it said . “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account.” It’s worth noting that the vault data cannot be accessed without the Master Password. Unless this password is trivial and highly predictable, it’s unlikely that any attempts to crack open the vault will succeed. Dashlane also pointed out that its own internal systems were not impacted by the incident.

As a precautionary measure, users are advised to review the devices registered to their accounts and remove those they don’t recognize, enable 2FA, and use a strong Master Password that’s “long, unique, and difficult to guess.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma , has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. “This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said . Exactly who is behind the attack activity is presently unknown given that TeamPCP, an infamous cybercrime group, has open-sourced the attack tools linked to the Shai-Hulud worm, opening the door for other threat actors to pull off similar attacks and making definitive attribution harder. The names of some of the affected packages are listed below - @redhat-cloud-services/vulnerabilities-client @redhat-cloud-services/tsc-transform-imports @redhat-cloud-services/topological-inventory-client @redhat-cloud-services/sources-client @redhat-cloud-services/rule-components @redhat-cloud-services/remediations-client @redhat-cloud-services/rbac-client Per analyses from Aikido Security , JFrog , Microsoft , OX Security , SafeDep , StepSecurity , and Wiz , the npm packages contain an obfuscated preinstall hook that’s designed to collect GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, Git credentials, and other sensitive files.

Like observed in prior Mini Shai-Hulud waves, the malware also contains encrypted exfiltration logic that transmits the data to “api.anthropic[.]com:443/v1/api” and uses GitHub as a fallback mechanism. This indicates attempts made by the attacker to both steal credentials and weaponize them to further poison the software supply chain. “It commits the encrypted result envelope through the GitHub API,” Socket said. “The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:." Another noteworthy step carried out by the malware is to avoid execution on Russian-language systems, a pattern also observed in the GlassWorm supply chain campaigns.

“For npm, the payload calls the OIDC token exchange and whoami endpoints, repackages a tarball (updateTarball, package-updated.tgz), and signs the artifact through Sigstore,” SafeDep said. “Stolen credentials exfiltrate to attacker-created public GitHub repositories, each carrying the description Miasma: The Spreading Blight.” The first commit containing the “Miasma: The Spreading Blight” string appeared on May 29, 2026, OX Security noted, indicating that either this variant was active since then, or the threat actor started testing around that time. As for GitHub, the malware enumerates repositories the token can write to, reads action.yml/action.yaml via GraphQL, and commits a workflow through the createCommitOnBranch mutation so that the commit appears as a verified, signed change. Other actions carried out by the malware are listed below - Attempt privilege escalation by launching a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo Check for endpoint protection from CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before commencing the malicious actions Establish persistence by injecting a SessionStart hook to Anthropic Claude Code and a tasks.json with “runOn”: “folderOpen” for Microsoft Visual Studio Code projects so that the malware is automatically launched during every session “One of the main changes in this new variant is the addition of new data collectors focused on cloud identities,” Wiz researchers said.

“Specifically, collectors for GCP and Azure identities were added that collect all identities the infected machine has access to. While previous versions of the malware primarily focused on extracting secrets from these environments, this variant suggests an increased attacker focus on gaining and leveraging access to the cloud itself. Unlike previous versions, the malware has also been found to generate a uniquely encrypted payload for each infection, thereby making detection and version tracking significantly more challenging. Evidence suggests that the compromise of a Red Hat employee’s GitHub account was the patient zero that was used to inject the payload into these packages.

The compromised account is said to have pushed malicious orphan commits to two RedHatInsights repositories, bypassing code review. It’s recommended to isolate hosts that have installed the affected versions, remove the malicious versions, rotate exposed credentials, review for any signs of suspicious GitHub or npm activity, audit the environment for persistence artifacts that involve changes to configuration files (~/.claude/settings.json, .vscode/tasks.json, .github/workflows/codeql.yml, .github/setup.js), and enforce strong access controls. “Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules should not be considered sufficient cleanup,” Socket explained. “For CI/CD systems, suspend affected workflow runs, invalidate build artifacts produced during the exposure window, and review whether any release, container image, npm package, or deployment artifact was created after the malicious package was installed.” Update Dark web monitoring and threat intelligence firm Whiteintel said it “detected a Red Hat GitHub credential and session cookie in infostealer logs on April 13 and May 15, 2026,” raising the possibility that this information may have been used to break into the employee’s account.

The development is the latest in a number of supply chain attacks that have targeted the open-source ecosystems over the past couple of months. These attacks have impacted well-known projects, including Aqua Trivy, Checkmarx KICS, Bitwarden, SAP, TanStack, and GitHub, and Nx Console. Last month, a separate campaign codenamed Megalodon was found to have injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens, impacting both development and deployment pipelines in public GitHub repositories. “These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code (VS Code) extension and the ‘Megalodon’ supply chain intrusion campaign, demonstrate how cyber threat actors are abusing tools and processes that support enterprise, cloud, and DevOps environments - specifically CI/CD pipelines, code extensions and workflows,” the U.S.

Cybersecurity and Infrastructure Security Agency (CISA) said . Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More

Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some “patched-ish” thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought ‘curl sh’ had a personality. The vibe is simple: old bugs, new wrappers, faster abuse. Patch the obvious crap first.

Then read the rest. ⚡ Threat of the Week PAN-OS GlobalProtect Authentication Bypass Under Exploitation

Securing AI Use Within Your Organization Starts Here The risks of ungoverned AI within your organization are compounding at machine speed. Turn your AI security priorities into actionable steps with this step-by-step guide. Download Now ➝ 🔔 Top News Critical Unpatched Flaw in Gogs

“Since Gogs ships with open registration enabled by default and no limit on repository creation, an unauthenticated attacker can simply create an account and repository on any default-configured instance,” the cybersecurity firm says. Any repository owner can enable rebase merging with a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user. Attackers with write access to repositories that have rebase enabled can exploit the flaw directly. “The result is arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users’ private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository’s code,” Rapid7 said.

Gogs servers across Windows, Linux, and macOS that are running default configurations are affected. No patch has been released as of the time of publishing. GlassWorm C2 Taken Down

GlassWorm, since its emergence last year, has conducted a “multi-pronged campaign” using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX. The campaign is also known to have introduced malicious code through compromised npm and Python packages. By taking down all four channels at the same time, the action severed the operators’ access to the infected hosts and their ability to deliver new commands. Evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system’s locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.

In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected endpoints to beacon to the benign IP address 164.92.88[.]210. Organizations are advised to check for connections to this IP address to identify potential infections. Despite these efforts, the broader economics of repository abuse remain an ongoing issue. Open-source ecosystems continue to offer attackers low-cost distribution channels with a massive reach when compared to traditional software.

This also means operators behind such campaigns can resurface under new accounts, domains, or package names. In other words, it’s only a temporary disruption, not eradication. CERT-In Urges Organizations to Patch Exploited Flaws Within 12 Hours

The agency also warned that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation. The framework also recommends one-day remediation for critical externally exposed vulnerabilities, three days for critical internal vulnerabilities affecting high-value systems, and five days for high-severity flaws based on risk prioritization. GREYVIBE Leans on AI for Ukraine Attacks

“While the activities align with Russian state interests, several observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group potentially involving current or former cybercriminal actors,” WithSecure said. The threat actor is believed to have been active since August 2025. What’s notable is the extent to which AI appears to be enmeshed throughout the operation. The group’s use of AI is believed to be “operationally integrated rather than isolated or experimental.” AI Chatbot Recommendations Redirect Users to Cryptojacking Malware

The goals of the campaign are not merely financially motivated. The threat actors have also been found to establish persistent remote access to compromised hosts through ScreenConnect deployments, which could then be leveraged for follow-on activity, such as data theft, lateral movement, or ransomware. 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first - CVE-2026-8732 (WP Maps Pro plugin), CVE-2026-0257 (Palo Alto Networks PAN-OS and Prisma Access), CVE-2026-27771 (Gitea), CVE-2026-45659 (Microsoft SharePoint), from CVE-2026-9090 through CVE-2026-9098 (Casdoor), CVE-2026-48800 , CVE-2026-48778 , CVE-2026-48770 (Notepad++), CVE-2026-40933 ( Flowise ), from CVE-2026-9872 through CVE-2026-9893 (Google Chrome), CVE-2026-32996, CVE-2026-32997 (Veeam Backup & Replication), CVE-2026-44962 (Plesk), CVE-2026-4868, CVE-2026-1402, CVE-2026-6713 (GitLab), CVE-2026-46840, CVE-2026-46775, CVE-2026-46839, CVE-2026-2332 (Oracle), CVE-2026-4480 (Samba), CVE-2025-59199 aka Click Or Trick (Microsoft Windows 11), CVE-2026-9560 (OpenVPN Connect for macOS), CVE-2026-9312 (GitHub Enterprise Server), CVE-2026-3593, CVE-2026-5946, CVE-2026-5947 (BIND 9), CVE-2026-47783 (Memcached), CVE-2026-44930 (Apache CXF), CVE-2026-9089 (ConnectWise Automate), CVE-2026-4115 (PuTTY), CVE-2026-48095 (7-Zip), an argument injection vulnerability in Gogs , a remote code execution vulnerability in Microsoft Visual Studio Code Remote-SSH extension, and multiple vulnerabilities in Roundcube Webmail . 🎥 Cybersecurity Webinars Beyond Zero-Day: How Attackers Actually See Your Network → Zero-days are inevitable. The real battle is what attackers see once they’re inside. Join HD Moore (creator of Metasploit) in this webinar as he reveals how to map your network like an attacker - exposing hidden assets, forgotten bridges, and dangerous IT/IoT/OT connections most teams miss.

Why Automated Pentesting Falls Short - And How to Fix It → Automated pentesting tools promised comprehensive security validation, but in reality, they only scratch the surface. After a few runs, new findings drop sharply, leaving critical blind spots in detection, response, and control effectiveness. Join Autumn Stambaugh and Can Yüceel of Picus Security as they explain why automated pentesting alone isn’t enough - and how to build a complete validation program that actually closes the gaps. 📰 Around the Cyber World New Windows Flaw Under Attack

The vulnerability is a stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network. There are currently no details on how the vulnerability is being exploited. The vulnerability was addressed by Microsoft as part of its May 2026 Patch Tuesday update. Anthropic Confirms Mythos Release

New Linux Flaw CIFSwitch Uncovered

The password management company also noted that it’s taking measures to address the issue, adding that there is no evidence of compromise of Dashlane’s systems. It’s not known who is behind the attack. Global Smishing Operation Impacts 19 Countries

and Ireland, road police portals in Bulgaria and Armenia, tax authorities in Greece, and T-Mobile users in the United States,” the company said . “1,628 malicious URLs confirmed active across 19 countries and multiple sectors.” The campaigns are designed to invoke a false sense of emergency using fabricated fines and trick users into making payments and entering their personal information. Microsoft Teams and Google Drive Abused to Deliver Java RAT

“Nimbus RAT is a self-contained implant that uses Google Drive and Google Sheets for command-and-control (C2), helping its network traffic appear benign,” eSentire said . “From initial Teams contact to RAT execution, the attack took less than 20 minutes.” The activity overlaps with similar Teams-based social engineering attacks carried out by BlackSuit affiliates. Tracking Site Visitors Via FROST

“After tricking the victim into clicking a malicious link, an attacker can monitor the victim’s activity on the host system, such as website visits and application usage, without further user interaction.” The impact of the attack goes beyond website tracking. The study also demonstrated that it’s possible to fingerprint application usage, allowing attackers to potentially infer where specific apps were opened. Instagram Exploit Allegedly Enabled Account Takeover

The end goal of the attack appears to link the target account with a new email address using the Meta AI chatbot, seize control of high-profile Instagram profiles, and sell them on the gray market for thousands of dollars. According to a report from 404 Media, bad actors have been aware of the loophole since March 2026. The exploit has since been patched , though it’s unclear how many accounts were impacted by the exploit. The incident highlights the dangers of granting AI agents overly broad permissions that could be abused to trigger unintended actions without any human confirmation.

EvilTokens Abuses OAuth Flow, RatPressto Kit Surfaces

The kit, hosted on legitimate-but-compromised WordPress sites, is used to serve ScreenConnect for establishing persistent remote access. “RatPressto has been observed targeting financial organizations, looking to silently exfiltrate credentials, secrets, and sensitive data that could be used to aid further compromise,” Fortra said . Solo Russian-Speaking Threat Actor Linked to Patriot Bait Campaign

“Safeguards were bypassed via jailbreaking and non-English prompting, allowing explicit pump-and-dump prompts and instructions to mutate victim passwords to be processed, showing how frontier-AI safety controls can be circumvented through jailbreaks and non-English prompting.” The campaign once again highlights how AI has significantly cut down the resources needed to run influence operations. SonicWall Scanning Spike Recorded

“Although the group initially claimed only a limited number of victims, its operations quickly showed a global footprint, with targets across Egypt, Mexico, and Poland,” Dark Atlas said. 🔧 Cybersecurity Tools EvidenceForge → It is an open-source tool from Cisco Talos that generates realistic, multi-format synthetic security logs - including Windows events, Sysmon, Zeek, and more - with strong consistency and causal relationships. It’s particularly useful for threat hunting training, detection testing, and research where you need high-quality, non-obvious synthetic data. MCPGuard-Dynamic → It is an open-source project from Facebook that provides kernel-level sandboxing for LLM agent tool calls using the Model Context Protocol (MCP).

It combines policy enforcement, argument validation, and eBPF-based system call guards to restrict what potentially untrusted MCP servers can do - helping prevent file access, network exfiltration, and privilege escalation attempts. Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion That’s the week: too much speed, too many defaults, and not enough people treating “minor” exposed crap like it can become tomorrow’s incident report. The pattern is boring until it’s your box - attackers keep finding the cheap paths first, because cheap still works. Patch the loud stuff, audit the weird stuff, and don’t ignore the boring stuff. That’s usually where the fire starts.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

5 Defaults Mythos-Class AI Finds in Every Enterprise Environment

China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan

A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments to trigger an infection chain that uses a Rust loader to drop the final payload for data exfiltration and remote control. “When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background,” security researcher Priya Patel said .

The attack chain uses two different pathways to launch the final-stage malware. One infection sequence begins when the recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file that masquerades as a PDF document. This leads to the execution of a PowerShell script that’s responsible for extracting an executable (“RuntimeBroker_update.exe”) from an intermediate DAT file and running it. In the second attack chain, the victim directly launches a binary from the same archive.

The binary functions as a self-contained Rust-based dropper to launch “RuntimeBroker_update.exe.” Regardless of the path chosen, the executable loads a malicious DLL (“UnityPlayer.dll”) via DLL side-loading , resulting in the deployment of a Rust-based loader called RUSTCLOAK. The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2). The loader is designed to perform anti-analysis checks to proceed only if the malware determines that it’s being run within a sandboxed environment. “The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide,” Seqrite Labs said.

“Instead of using a traditional pull-based C2 model, AZUREVEIL follows a dead drop approach. The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data.” AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions on the host, including file operations, file uploads and downloads, shell command execution, process enumeration and termination, port forwarding, SOCKS proxy control, C2 server management, and in-memory execution of Beacon Object Files (BOFs). These capabilities grant the attacker complete control over the compromised endpoint.

Although the activity has been attributed to a known threat actor or group, it’s assessed to be China-aligned. The disclosure comes as Cato Networks said it detected and blocked an attempted intrusion against the Indian branch of an unnamed global manufacturing customer to deliver TencShell, a previously undocumented Go-based implant derived from the open-source rshell C2 framework. The attack is believed to be the work of China-nexus threat actors based on the historical use of rshell, Tencent-themed API impersonation, and infrastructure patterns. The initial access vector used in the intrusion is currently unknown.

“If successful, TencShell could have given the attacker remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling,” researchers Idan Tarab, Dr. Guy Waizel, Zohar Buber, and Shani Kurtzberg said. In a report published last week, ESET said China-aligned threat actors have remained “highly active” globally from October 2025 through March 2026. This includes an unreported cluster dubbed SteppeDriver that was first discovered in 2024 and has since targeted entities in France, Mongolia, and South America using tools like ShadowPad , COOLCLIENT , CurlyDoor, RudeGull, and MKTDownloader.

Also identified by the Slovakian cybersecurity vendor is a new toolkit linked to UNC5221 dubbed PhiliKit that acts as a passive backdoor for executing shell commands, Python scripts, and Perl scripts. It’s suspected that PhiliKit is deployed as part of the SPAWN malware suite used by the Chinese hacking group in the past. A third China-affiliated threat group is NegativeGlimmer, which is believed to share some level of overlap with TGR-STA-1030 , which Palo Alto Networks Unit 42 documented earlier this year as having breached at least 70 government and critical infrastructure organizations across 37 countries over the past year. In at least one instance observed in December 2025, the threat actor has been found to target a governmental organization in Panama, using a DLL side-loading chain initiated via spear-phishing to deliver a downloader that then deploys AdaptixC2 and simultaneously displays a decoy document to the victim.

Subsequent iterations in January 2026 have swapped out AdaptixC2 in favor of Cobalt Strike, with infections also reported in Cambodia and South Korea. “The latter targeting in South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy,” ESET’s Jean-Ian Boutin said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The Security Growth Platform: Why MSPs Are Moving Beyond vCISO Tools

Three years ago, the practical question for an MSP building a cybersecurity practice was which “vCISO platform” to buy. The term was good shorthand for the work at the time: assessments, advisory, reporting, maybe a compliance module bolted on the side. The work has since outgrown the descriptor. A Security Growth Platform is the more precise name for what MSPs and MSSPs need from the software running their security practice in 2026.

It combines security program management, CISO-grade decision intelligence, multi-tenant portfolio architecture, and revenue intelligence in one system. Traditional GRC platforms track compliance, vCISO tools support single advisory engagements, and enterprise compliance platforms target end customers directly. None were built around the unit of work that defines a modern MSP security practice: the portfolio. Why The Work Outgrew The Term The demand kept outgrowing the category that named it.

SMB cybersecurity spending is projected to reach $109 billion in 2026, with small and medium businesses accounting for roughly 60% of global cybersecurity spend ( Analysys Mason ), and most of that share moves through service providers. The SMBs paying for security don’t have an internal CISO function. The MSP is the security function, and what “the security function” has to do has expanded well past what a vCISO methodology was designed to cover. What expanded was the work itself.

The tools designed for solo vCISO engagements increasingly describe only part of it, and the platforms built for enterprise compliance had never been built for this customer in the first place. The category sitting between those two reference points kept getting bigger while the language available to describe it stayed where it was. The Three Gaps That Created A New Tier The reason a new descriptor is needed comes down to three structural gaps in the categories already on offer. The Security Growth Platform tier exists because three different software categories each fell short of serving the same buyer, and each gap is structural rather than a feature shortfall.

GRC Platforms Weren’t Built For MSP Delivery Enterprise compliance automation platforms grew into the dominant players in their tier by automating compliance for companies with internal security teams. The architecture optimizes for one customer’s compliance posture, controls library, evidence collection, and audit cycle. Recent repositioning across that tier around agentic AI and trust automation reinforces this direction: the answer to expanding the category has been end-customer trust automation, not service-provider delivery infrastructure. That architecture doesn’t carry over to a service provider running security programs across 30 or 100 SMB clients, where there is no internal security team and the MSP itself is the security function.

A platform built around one customer’s security posture isn’t easily turned into a multi-tenant service-delivery system; the premise has to change at the architectural level. Standalone vCISO Tools Lack Compliance And Automation Depth The vCISO services category itself is real and growing. The global market is projected at $1.2 billion in 2026 with a 6.3% CAGR through 2035 ( Business Research Insights ). The tools built for it focused on the consultant doing the work: assessment templates, advisory frameworks, and reporting decks.

That works well for one senior person delivering one engagement. It works less well for a 30-client MSP that needs to run security as an ongoing program across every account. Compliance requirements have also grown more demanding, with 85% of organizations reporting that compliance is more complex than it was three years ago ( PwC Global Compliance Study 2025 ). That’s the depth the original vCISO tools weren’t engineered to carry.

vCISO tools also rarely automate compliance depth. Many partners ran the vCISO tool for advisory work and bolted on a separate GRC platform for audit work, ending up with two systems, two sources of truth, and no unified program. Enterprise-First Compliance Platforms Compete With The Channel Enterprise compliance platforms sell direct; service providers tend to encounter them when an SMB client asks for the name, typically because an investor or enterprise buyer demanded SOC 2. That motion treats the MSP as a referral channel rather than a partner; the economics flow to the platform, not to the practice running the security program.

The white space opened because the enterprise platforms made a structural choice to go direct, and the channel-native tools made a structural choice to stay narrow on compliance. True CISO-grade intelligence at 100% partner-only delivery, with SMB-accessible pricing and portfolio-level revenue analytics, fell into a gap no existing category was claiming. The Four-Tier MSP Cybersecurity Market In 2026 The market sorts into four tiers by who the platform is built for and how it goes to market. Tier Built For Channel Model Enterprise compliance automation End customers with internal security teams Direct-first Security Growth Platform Service providers delivering, scaling, growing security practices 100% partner only MSP-native Cyber GRC and vCISO Compliance tracking and audit readiness via MSPs Channel-friendly MSP advisory and assessment tools QBRs, vCIO presentations, vendor-neutral assessments Channel The enterprise tier dominates the top end, serving mostly mid-market and growth-stage companies pursuing SOC 2 or ISO 27001 to unlock revenue, in a direct motion where the MSP rarely sits at the center.

The MSP-native Cyber GRC tier clusters around compliance management as the entry point, which serves partners well when compliance tracking is the primary need. The advisory and assessment tier sits closer to a vCIO function than a security function: lower pricing, narrower capability scope, designed for business reviews and presentations rather than running a security program. The Security Growth Platform tier is its own category because the center of gravity is different. Compliance is an outcome of the program rather than its starting point.

Cynomi is the named example of the tier; the platform’s design choices, capability set, and 100% partner-only commercial model define what the tier looks like in practice. What Defines A Security Growth Platform Five capabilities define the tier. A platform without all five sits in a different category. CISO Intelligence built in.

The decision-making logic of an experienced security leader, integrated into the platform’s AI infrastructure and guided workflows. This is what allows any trained team member to deliver senior-level advisory outcomes rather than reproducing what one senior consultant can do alone. Cynomi’s named term for this capability is CISO Intelligence; it is a structured methodology rather than the generic “AI-powered” claims that surface across the broader compliance and GRC market. Unified security, risk, and compliance across 40+ frameworks.

One assessment maps controls across NIST CSF 2.0, CIS Controls, ISO 27001, SOC 2, HIPAA, CMMC, GDPR, NIS2, and DORA. Compliance becomes an outcome of the security program rather than a parallel workstream. Cynomi delivers this through its unified framework engine. Complete security lifecycle management.

Context-aware onboarding, risk-based prioritization, automated remediation roadmaps, task-driven execution, policy automation, business impact analysis, business continuity planning, third-party risk management, and executive dashboards in one system. The work runs continuously rather than in audit-cycle bursts. Portfolio-level revenue intelligence. A multi-tenant view across the partner’s entire client base that maps security gaps to the partner’s service catalog and quantifies recurring-revenue expansion opportunities.

Cynomi’s portfolio intelligence is the only platform-level revenue layer in this category; the other tiers do not expose revenue surface area at the portfolio level. Built for MSP and MSSP scale. Multi-tenant architecture, white-label outputs, no channel conflict, designed for portfolios from 15 to more than 500 clients. The phrase Cynomi uses is “100% partner only,” the practical distinction from channel-friendly platforms that still pursue end-customer revenue alongside partner-delivered revenue.

Why MSPs Need More Than A vCISO Platform If you’ve built a vCISO practice around single engagements, “vCISO platform” still describes the work you’re doing: a fractional security leader, a methodology, a deliverable. The category isn’t going anywhere, and the descriptor holds when the work itself is one engagement at a time. What the “vCISO platform” doesn’t describe is what changes when a service provider scales beyond single engagements. A practice running 30, 100, or 500 client security programs needs more than a vCISO methodology.

It needs the system that surrounds the methodology: portfolio visibility, service-catalog mapping, executive-ready reporting, and the commercial infrastructure for packaging, pricing, and growing the practice itself. Channel research from organizations including CompTIA and Service Leadership consistently documents that MSPs invest in cybersecurity tools faster than they package, price, and sell cybersecurity services to clients. The capability is there; the recurring-revenue motion isn’t. That gap is where most security practices stall: partners with the tooling to deliver, and no system for turning delivery into a sellable, repeatable service.

The Security Growth Platform tier closes that gap on purpose. Portfolio intelligence, service-catalog mapping, and commercialization-ready outputs are engineered into the platform, not bolted onto a vCISO methodology. Where “vCISO platform” describes the methodology, “Security Growth Platform” describes the system. The Outcomes That Define The Tier What separates this tier from compliance-only platforms is what your practice does with the assessment afterward, not what the assessment looks like or how many frameworks it covers.

Service providers running the program model through Cynomi report an average 70% reduction in assessment and reporting workload, a 30% margin improvement on security services, 60% security revenue growth, and 90% shorter discovery time, in line with the MSP cybersecurity benchmark data Cynomi publishes annually . Those are practice-level outcomes, not pilot-program metrics. A category becomes real when practitioners can name it, buyers can compare against it, and the market can see where its center of gravity sits. The Security Growth Platform tier has the practitioners: partners running 30, 100, and 500 clients through it today.

The naming is catching up. Buyers who started by asking “which vCISO platform should we use?” are increasingly asking a more specific question: how do we deliver, scale, and grow a security practice across our entire client base? That’s the question the Security Growth Platform is built for. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Gartner: 70% of SOCs Will Pilot AI Agents. Only 15% Will See Results

OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

Cybersecurity researchers have disclosed details of a new malicious supply chain campaign that’s targeting developers using OpenAI Codex through a legitimate-looking remote web UI. The tool, named codexui-android , is advertised on GitHub and npm as a remote web UI for OpenAI Codex, attracting over 29,000 weekly downloads. The package is still available for download from the repository. What makes this activity noteworthy is that it’s not a traditional attack that uses a typosquat or throwaway package to trick developers.

Rather, the malicious code is embedded into a functional npm package that has undergone active development. The associated GitHub repository remains clean. “And for the past month, every single invocation has been quietly exfiltrating your Codex authentication tokens to an attacker-controlled server,” Aikido Security researcher Charlie Eriksen said . The nefarious changes are said to have been introduced about a month after the package was published to the registry, likely in an effort to build user trust and expand its reach.

The npm account associated with the package is “friuns” (aka Igor Levochkin). Present within the package is code that extracts the contents of Codex’s “~/.codex/auth.json” file and exfiltrates them to a remote server (“sentry.anyclaw[.]store”) that masquerades as Sentry, a legitimate application monitoring and error tracking platform. The captured data includes the following details: access_token, refresh_token, id_token, and account ID. “The refresh_token doesn’t expire,” Eriksen said.

“An attacker holding it can silently impersonate you indefinitely. A stolen Codex refresh_token goes beyond access to a chat interface – it’s persistent, silent access to whatever that account can do.” It’s worth mentioning here that every time a user logs in to the Codex app, CLI, or IDE Extension using either ChatGPT or an API key, the login details are cached locally in a plaintext file at ~/.codex/auth.json or in the operating system-specific credential store. “If you use file-based storage, treat ~/.codex/auth.json like a password: it contains access tokens,” OpenAI warns in its support documentation. “Don’t commit it, paste it into tickets, or share it in chat.” Interestingly, the npm package is far from the only delivery vector the threat actor uses to target Codex developers.

Aikido said it observed an Android application named OpenClaw Codex Claude AI Agent (package name: “gptos.intelligence.assistant”) that runs the npm package within its PRoot sandbox and sends the Codex credentials to the same endpoint. “The APK itself is small (26 MB) and looks clean on a Play pre-publish scan,” Eriksen explained. “On first run, it extracts a Termux-derived Linux userland into the app’s private storage and runs Node.js inside it via PRoot.” “The version is not pinned, so the device pulls whatever is currently published on npm. The exfiltration has been in place since codexui-android@0.1.82.

The package runs inside the app’s PRoot sandbox, where the in-app Codex sign-in writes its auth.json. Once the user signs in, the package reads that file out of the sandbox and ships the full OAuth blob to sentry.anyclaw.store/startlog.” Released by an entity named “BrutalStrike,” the Android app has more than 50,000 downloads. The same exfiltration chain has also been flagged in a second Android app linked to BrutalStrike: Codex (package name: “codex.app”), which has been downloaded over 10,000 times. The remaining three apps offered by the developer do not contain the functionality.

Upon reaching out to the package author on GitHub, Aikido said they initially posted a comment stating they had lost access to their npm account, only to edit the response and post a different one in which they claimed they are “currently investigating this issue internally” and that they “have started removing the affected functionality and related data.” The author further claimed no credential data was shared with any third parties, without answering why this code was inserted only into the npm package build or why they needed access to the Codex tokens in the first place. The X profile linked to the author includes the domain “anyclaw[.]store.” WHOIS records indicate that the domain was registered on April 12, 2026, just two days after the very first version of the npm package (version 0.1.72) was uploaded to npmjs[.]com. The development comes as threat actors are increasingly targeting real artificial intelligence (AI) developer tooling and workflows to steal credentials and burrow deeper into the software supply chain. Late last month, the Belgian security company also found that a deleted Google API key remains live for up to 23 minutes, a window that an attacker with access to a leaked key can take advantage of to gain access to user data and other APIs, including those related to Google Gemini.

The median revocation window is around 16 minutes. “An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up,” researcher Joe Leon said . “If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations.” Although Google first opted not to fix the issue, stating it’s a “known property of the system and not a security issue,” the tech giant has since decided to treat it as a P0 bug , making it a severe issue that “needs to be addressed immediately.” The findings, as with a similar 4-second exploitation window previously observed with deleted Amazon Web Services (AWS) access keys, highlight how credential revocation delays are exploitable and can be used to gain unauthorized access to the cloud environments, while defenders assume the credentials have been revoked. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro , a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is used as a store locator tool, making it easier for users to find nearby locations, view listing details, and get directions. The vulnerability in question is CVE-2026-8732 (CVSS score: 9.8), a privilege escalation bug that allows unauthenticated attackers to create a WordPress user with administrative permissions, effectively allowing them to take control of a site.

The shortcoming impacts all versions of the plugin prior to and including 6.1.0. It has been addressed in version 6.1.1. Security researcher David Brown has been credited with discovering and reporting the flaw. At a high level, the problem is rooted in a “temporary access” feature that’s designed to allow support staff to log in to a customer’s site during troubleshooting.

Because this process allows unauthenticated users to invoke the “wpgmp_temp_access_support()” function without adequate checks, it ultimately allows them to create an administrator user. “This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism,” Wordfence said . “This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.” The patch released by the plugin maintainers on May 20, 2026, closes the vulnerability by ensuring that only authenticated administrators can access the endpoint. That said, the security flaw has since come under active exploitation, with Wordfence stating that it has blocked 2,858 attacks targeting the issue over the past 24 hours.

It’s therefore essential that site owners update their instances to the latest version for optimal protection. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices

Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the platform’s backend infrastructure. According to a statement issued by the NCSC, police officials seized a subset of these servers from a hosting provider that provided the infrastructure.

The provider is said to have subsequently taken the botnet offline following its use for criminal purposes. Although the name of the botnet was not explicitly mentioned, local news outlet NL Times reported that the service in question was Asocks, a company that offers residential proxies . In April 2024, HUMAN’s Satori Threat Intelligence team identified a campaign dubbed PROXYLIB that involved infecting Android devices with proxyware from LumiApps and Asocks. Per details shared on Asocks’ website, the platform advertises corporate, residential, and mobile proxies for monthly subscriptions between $5 and $15, with 5-15% discounts for bulk purchases ranging from 10 to 100 proxies.

Residential proxies have legitimate uses and privacy benefits, including to access geographically-restricted web resources. However, the ecosystem is also shadowy, with many providers catering to bad actors who purchase access to compromised devices enrolled in these networks to route malicious traffic and carry out cyber attacks. “Devices can become part of a botnet when they are accessible to malicious actors,” NCSC said. “After gaining access, attackers can install malware that allows the device to be controlled remotely.

This enables the device to become part of a network used for cybercriminal activities.” To counter the threat posed by botnet malware, it’s advised to keep the operating systems up-to-date, maintain visibility of edge devices like routers, use strong passwords, enable two-factor authentication wherever possible, install apps from trusted sources, change default passwords, and secure Wi-Fi networks with WPA2 or WPA3. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. “Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection,” Palo Alto Networks said in an advisory released on May 13, 2026. The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said.

In an update to its advisory on May 29, 2026, Palo Alto Networks said it has “become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied. The development comes after Rapid7 revealed it identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026, followed by a second wave on May 21. Both the exploitation sets are assessed to be the work of the same threat actor. The activity observed in the second wave involved VPN IP assignment following the cookie authentication in two cases, granting the attacker access to the internal network.

No follow-on activity in the customer environments where a VPN session was established, the cybersecurity vendor added. “An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations,” Rapid7 said. “As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis.” As temporary mitigations, it’s recommended to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature. The exploitation of CVE-2026-0257 follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to deliver credential-stealing malware called EKZ Infostealer.

Update The U.S. Cybersecurity and Infrastructure Security Agency (CSIA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities ( KEV ) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to mitigate the flaw by June 1, 2026. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant’s implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. “The chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third-party page the assistant has just summarized. It auto-fetches those images and surfaces those links as live, clickable elements inside the trusted assistant UI,” security researcher Andi Ahmeti said in a report shared with The Hacker News.

In a hypothetical attack scenario, a bad actor can append a small payload to any web page that the victim later prompts ChatGPT to summarize, causing it to leak their IP, User-Agent, and Referer details when attacker-hosted images embedded in the page are automatically fetched when the answer is rendered. In addition, it can result in malicious Markdown links being rendered as live clickable elements inside the assistant’s response, serve far fake system-style security alerts, and serve a QR code from an attacker’s S3 bucket and trick the victim into scanning it via their mobile device, effectively bypassing desktop URL filters and enterprise security controls. The latest finding demonstrates how summarization can emerge as an adversarial surface. Earlier this March, Permiso also revealed how an attacker-controlled email containing specially crafted instructions, when summarized by Microsoft Copilot, could influence its output via a cross-prompt injection (XPIA) or indirect prompt injection.

What makes ChatGPhish a noteworthy attack technique is not the prompt injection itself, but in the manner in which the instructions embedded in a web page are followed and presented to the user as part of the summary. In other words, a regular web page summarized with ChatGPT is enough to render phishing links, spoofed account alerts, remote images, and QR codes directly inside a trusted AI interface. As organizations increasingly use ChatGPT for research and summarization, this vulnerability means any malicious web page an employee asks the AI chatbot to process could contain a payload that transforms ChatGPT into a phishing surface. “The shift from email to the browser significantly expands the potential attack surface.

A user no longer has to open a malicious attachment or interact with a suspicious message,” Permiso said. “Simply summarizing a page during normal browsing activity can introduce attacker-controlled instructions into the model context and ultimately into the rendered response.” The disclosure comes as Adversa AI documented two attack techniques codenamed SymJack and TrustFall targeting AI coding agents and agentic coding CLIs that allow attackers to achieve code execution and full machine compromise. SymJack is “a single attack pattern [that] lets a malicious repository achieve remote code execution through AI coding assistants,” security researcher Rony Utevsky said. “The agent is tricked into a benign-looking file copy that secretly overwrites its own config, and the next restart runs attacker code with full user privileges.” Specifically, a booby-trapped repository tricks the agent into copying a seemingly harmless file, where the destination is a symlink pointing to the agent’s own configuration, causing the attacker’s payload to be written to the config.

On the next restart, a malicious Model Context Protocol (MCP) server spawns and runs arbitrary code with full user privileges. TrustFall, on the other hand, is a one-click remote code execution attack via a malicious repository that can ship a configuration that auto-approves and spawns an MCP server without a user’s explicit approval or requiring a tool call from the agent. To put it differently, all a threat actor needs to carry out the attack is to create a repository that includes a malicious MCP server and configuration settings that auto-approve it to run. When a developer clones or opens the repository in the AI coding tool and presses “Enter” on the folder trust prompt, the AI coding tool ends up launching the attacker-controlled code with the developer’s full system privileges.

“The moment a victim clones the repo, runs Claude, and clicks the generic ‘Yes, I trust this folder’ dialog, the MCP server starts as a native OS process with full user privileges,” Adversa AI noted. “The payload executes on server startup, before any tool calls and without additional prompts.” The findings coincide with the discovery of a number of attack methods against AI models in recent months - The use of a novel jailbreak approach called Involuntary In-Context Learning ( IICL ) that “exploits the tension between in-context learning (ICL) and safety alignment” to bypass GPT-5.4 safety constraints The safety guardrails of LLMs can be circumvented if a user tricks the model into having a multi-turn conversation. “Multi-turn evaluation matters for one reason: it is where attackers actually live,” Cisco said . “Real adversaries iterate.

They reframe refusals, decompose tasks across turns, adopt personas, and escalate gradually. A single-turn benchmark cannot see any of that.” A vulnerability in Anthropic Claude Code that employs a user-level configuration change in “~/.claude.json” to rewrite MCP endpoints via a rogue npm package to put an attacker in between Claude Code and an OAuth-backed MCP server, allowing the bad actor to capture tokens used for downstream SaaS access. The use of a remote update mechanism that allows an OpenClaw skill to appear benign at installation time, but later allows the attacker to influence the agent through workspace files by instructing the user during skill setup to append specific instructions to the HEARTBEAT.md file . The use of hidden text featuring content pulled from a legitimate newsletter or a romance novel in phishing emails to confuse an AI-based email security system into flagging the message as benign.

A vulnerability in Claude’s Chrome browser extension called ClaudeBleed allows any extension, even those without any special permissions, to hijack it and trick the AI assistant to perform active agentic actions on their behalf. “The flaw stems from an instruction in the extension’s code that allows any script running in the origin browser to communicate with Claude’s LLM, but does not verify who is running the script,” LayerX said. “As a result, any extension can invoke a content script (which does not require any special permissions) and issue commands to the Claude extension.” A study from Cisco has found that adversarial text rendered as images, an attack known as typographic prompt injection, can be used to bypass safety filters in vision language models (VLMs). “When a model fails to read the original image (small font, heavy blur, rotation), a bounded perturbation can recover semantic content in the model’s internal representation without restoring visual legibility to a human,” Cisco said .

“This means an attacker can craft images that look like noise or illegible distortion to any OCR-based content filter yet carry fully readable instructions to the target VLM.” A set of vulnerabilities in Microsoft Semantic Kernel ( CVE-2026-25592 and CVE-2026-26030 ) that could turn a prompt injection into host-level remote code execution. The use of the Neural Exec prompt injection attack and the Unicode right-to-left-override function to bypass Apple’s input and output filters and the safety guardrails on Apple Intelligence’s local model and trick the LLM into producing attacker-directed results. The issue has been addressed in iOS 26.4 and macOS 26.4. An indirect prompt injection vulnerability codenamed WebPromptTrap impacts BrowserOS, an open-source agentic browser, that deceives users into approving an authorization step through an AI summary generated from processing a legitimate-looking article with hidden instructions.

The issue has been patched in BrowserOS version 0.32.0. An audit of the agent skills ecosystem spanning ClawHub and skills.sh has uncovered that 13.4% of 3,984 skills (i.e., 534 in total) have at least one critical security issue, including malware distribution, prompt injection attacks, and exposed secrets. About 1,467 skills have at least one security flaw, ranging from hard-coded API keys and insecure credential handling to third-party content exposure. A pair of attacks targeting NemoClaw , NVIDIA’s open-source reference stack to secure OpenClaw AI agents, to exfiltrate OpenClaw data using the sandbox’s default configuration via a malicious GitHub repository or an npm package.

As frontier AI models continue to evolve and mature, threat actors are increasingly experimenting with the technology to write malware with added capabilities to dynamically adapt its behavior in an attempt to evade detection, as well as offload decision-making to the LLM to ascertain if the compromised environment is valuable or safe enough to drop next-stage payloads. “In the short term, the proliferation of frontier AI models capabilities risks empowering adversaries to exploit zero-days and N-days at an unprecedented scale,” Palo Alto Networks Unit 42 said . “It is also likely to enable attackers to move at greater scale, sophistication, and speed than ever before.” Last month, the cybersecurity company also detailed a proof-of-concept (PoC) agent called Zealot that harnesses the power of LLMs to conduct end-to-end cloud attacks with minimal human guidance by exploiting known misconfigurations and vulnerabilities. This, in turn, stems from the fact that cloud environments are “AI-Attack-Ready” by default, given that every action has an API equivalent, have varied discovery mechanisms like metadata and enumeration services, are rife with misconfigurations, and are driven by credential-based access.

“Current LLMs can chain reconnaissance, exploitation, privilege escalation, and data exfiltration with minimal human guidance,” Unit 42 researchers Yahav Festinger and Chen Doytshman noted . “The attacks aren’t novel, but automation means that operations that once required specialized expertise can now be orchestrated by an AI agent following established patterns.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. “The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server,” Sysdig said . “The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes.” CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands.

The issue was addressed in version 0.23.0, released last month. The security defect has since come under active exploitation, with threat actors using it to initiate manual reconnaissance against honeypot systems and attempt to harvest sensitive data. The latest activity documented by Sysdig sticks to the same pattern, the primary difference being that an LLM agent was used to drive the post-exploitation activity. The incident, per the cloud security firm, was recorded on May 10, 2026, with the attacker gathering credentials from the environment and then using the harvested AWS access key to perform API calls against AWS Secrets Manager and retrieve an SSH private key.

Minutes later, the threat actor is said to have carried out the first SSH authentication on the SSH bastion server using the retrieved key, followed by launching eight parallel SSH sessions against the downstream server to siphon an internal PostgreSQL database. The end-to-end attack chain lasted a little over an hour. Sysdig said it uncovered four indicators that an LLM agent was behind the activity. First, the attacker improvised a database dump without any prior knowledge of the schema.

Second, a Chinese-language planning comment, “看还能做什么” translating to “See what else we can do” leaked directly in the command stream when executing a credential search. “The database hostname was opaque, with no application identifier on disk and no schema dump pre-staged, yet the chain still landed on a credential table within minutes,” Sysdig said. “The attacker no longer needs to see your environment to operate inside it.” The third sign is that every command is designed for machine consumption, with each command separated by a “—” delimiter, along with bounded output captures, disabling the “less” command, and discarding the error stream (stderr) to minimize noise. Lastly, the value handoffs are obtained from prior tool output.

In other words, the manner in which certain values, say, database passwords, were extracted implies an AI agent feeding its own previous output – running a cat command of the “~/.pgpass” file – into the next action. In another instance, a cat command to print the contents of a specific file (“cat ~/.ssh/id_ed25519”) is preceded by an ls (“list”) command that passes the same file pattern as input (“ls -la ~/.ssh/id_ed25519*”) to confirm that the SSH Key exists. “When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time,” Sysdig concluded. “However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target.

Here, the bar becomes inference budget, not playbook authorship.” “The defender-relevant property of an agent-in-the-loop is adaptiveness. A scripted attacker hits a missing file, an unexpected schema, or an authentication failure and either aborts or falls through to a hard-coded fallback. An agent reads the surprise, decides what to try next, and keeps going.” To counter this threat, it’s recommended that users update to the latest version of Marimo, audit environments for any publicly-accessible instances, and rotate credentials, API keys, and SSH keys. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war. “The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims,” WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. “Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware.” The victimology footprint spans military, government, civilian, and business-related organizations.

GREYVIBE, its nation-state-affiliated activity notwithstanding, also shares ties to the broader Russian cybercrime ecosystem through some of its members who are believed to be current or former cybercriminal actors. In addition, there is evidence indicating that the adversary is relying on generative artificial intelligence (GenAI) and large language models (LLMs) to supercharge its operations. Taken together, WithSecure paints the picture of a “low-to-moderately sophisticated group” that suffers from operational security blunders and employs AI-assisted tooling to augment its malware development efforts. GREYVIBE has been observed using multiple attack chains against its targets - PhantomMail , which uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive and 4sync that contain JavaScript-based loaders to launch a decoy document, and PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.

PhantomClick , which uses ClickFix -style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS to trick users into running commands that initiate a PhantomRelay infection chain. PrincessClub , which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video. While FallSpy is an Android spyware capable of harvesting sensitive data from the compromised device, LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism.

DroneLink , which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay. Nebo , which uses a FallSpy sample that mimics a Russian-language login screen, likely in an attempt to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal. The variety of delivery vectors and tools used in the attacks likely stems from the use of AI platforms, including Ideogram AI, OpenAI ChatGPT, and Google Gemini, to assist with generating images and developing LegionRelay, as well as obfuscation and loader scripts, backend infrastructure, and post-compromise commands. The cybersecurity company said GREYVIBE’s usage of AI serves multiple advantages, including bridging gaps in technical expertise, accelerating the development lifecycle, and reducing reliance on previously known malware or tools that could aid in attribution efforts.

“If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time,” Nejad said. That said, the use of AI has also had the side effect of introducing design flaws into LegionRelay, exposing the malware’s backend functionality. This is another sign suggesting GREYVIBE may not be a pure nation-state actor, as sophisticated adversaries are unlikely to make such mistakes. The hacking group’s links to the cybercriminal ecosystem are based on multiple factors - Possible access to and use of an ISO builder with suspected ties to the TrickBot gang and UAC-0098 Presence of PhantomRelay variants across seemingly unrelated cybercrime activity clusters, such as a Microsoft Teams voice phishing campaign between July 2025 and February 2026, and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware.

The upload of early development and test samples to VirusTotal Use of internet slang terms like “letsrollboyos,” “totallyunsus,” and “cuteuwu” as naming conventions for development artifacts. The deployment of XMRig miner on a small number of LegionRelay-infected machines “Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members,” WithSecure said. “The exact nature of their relationship to the Russian state remains unclear, whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team.” “The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.