DAILY WORKFLOW ARCHIVE

2026-06-05 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-06-05 AI创业新闻

PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network

The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network. “Compromised business servers across the U.S., Europe, and Asia were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes,” Hunt.io said in a statement. “The infrastructure was still running when we found it.” The threat intelligence company said it found source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration after the threat actor behind the operation left two open directories on a command-and-control (C2) server (“213.136.80[.]73”) without any authentication. PCPJack was first discovered by SentinelOne in April 2026 after it identified a credential theft framework that specifically targets cloud services, while taking steps to terminate and remove processes or artifacts associated with TeamPCP , another notorious hacking group that has attracted attention in recent months for its software supply chain attacks.

Staged in one of the open directories Sliver -integrated SMTP proxy deployment toolkit, along with Chisel tunneling and proxy binaries for most Linux CPU architectures, such as AMD64, ARM64, and x86. On the victim side, the binary is dropped as a hidden dot-prefixed file and persisted at “/var/tmp/.xs.” Also found in the directories are deployer scripts designed to load the Sliver C2 client configuration and filter for Linux beacons that have checked in within the last ten minutes. Beacons are implants that periodically phone home to the C2 server at regular intervals to check in and retrieve commands. “Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999,” Hunt.io noted.

“The same beacon always maps to the same port across runs, eliminating the need for a shared port registry.” The script is also capable of running an SMTP quality gate that probes for outbound access to smtp.gmail[.]com:587. Hosts that fail this check are skipped with an exit code of zero. “This gate defines the operation’s purpose: hosts that cannot relay email have no value to this pipeline,” the cybersecurity company added. “Beacons are processed in batches of 50, with a 25-minute wait after uploads and 15 minutes after execution commands, to accommodate slow-interval beacon check-ins.” Subsequent iterations of the deployer scripts have been found to remove the SMTP gate and the batching logic.

Also present is a diagnostic script that selects five active beacons and tasks them each a shell command that checks for the following - Presence of Chisel binaries at known drop paths A Chisel process is running Disk space Reachability of port 9000 on the C2, and Presence of persistence artifacts, such as the cron entry or systemd service In addition, the C2 server runs a Python script named “chisel_verifier.py” as a persistent background daemon, which enumerates active Chisel tunnel ports via ss -tlnp every 60 seconds, tests each new port for SMTP capability, and removes failed or dropped tunnels from the active pool. Verified proxies are enriched with exit IP address, country, and ASN via services like api.ipify[.]org and ip-api[.]com. The proxy lists are then synced every five minutes via the Secure Copy Protocol (SCP) to a separate downstream server at 38.242.204[.]245. The server is currently not accessible.

The end goal of the operation remains unclear at this stage. “The 230-node outcome is the observable result. Whether this progression reflects a single operator iterating or multiple actors sharing the same infrastructure cannot be determined from the recovered files,” Hunt.io said, describing it as an opportunistic campaign. “The verified proxy list is being synced every five minutes to that server, and someone is consuming it.

Whether for spam, phishing, or something else, the infrastructure to deliver at scale was clearly running.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public

Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and, from there, climb to root. It is tracked as CVE-2026-20230 , and proof-of-concept exploit code is already public. Cisco’s PSIRT says it has not seen the flaw used in attacks yet. The PoC shortens that runway.

The flaw is a server-side request forgery. Unified CM and its Session Management Edition fail to validate certain HTTP requests properly, so a crafted request can push the server into writing arbitrary files onto the underlying OS. Those files are the foothold. Cisco says they can be used later to escalate to root, the top privilege on the system.

That two-step is why the score and the rating disagree. The CVSS base is 8.6: it scores the file write (an integrity-only impact, no confidentiality or availability loss) but not the root escalation that follows. Cisco rated the advisory Critical anyway, since the end state is full root. There is one mitigating factor: the flaw only works when the WebDialer service is running, and WebDialer ships off by default.

That does not help any deployment that has switched it on. To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability. Under Tools > Control Center - Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section. Started means you are exposed.

Patching is the only real fix. For the 14 train, that is 14SU6. For 15, the full Service Update (15SU5) is not due until September 2026, so until then, you are on the interim COP patch, or you turn WebDialer off (uncheck it under Tools > Service Activation and save). An independent researcher working with SSD Secure Disclosure reported the bug.

Unified CM has been a steady source of unauthenticated, root-level trouble. Last July, Cisco pulled a hard-coded root SSH account left in from development (CVE-2025-20309, CVSS 10). In January, it patched an unauthenticated RCE across several of its voice products (CVE-2026-20045) that was already being exploited in the wild, enough for CISA to add it to its known-exploited list. This one fits the pattern: a request that should never have reached anything sensitive, reaching it.

With a PoC public and the 15-train fix months out, assume someone turns that file-write into a working attack before the patches are everywhere. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

A security researcher found a flaw in Anthropic’s Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic’s own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days , with further hardening through the spring; the fixes are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty.

Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo’s code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access. The trigger check had a hole.

It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw “a bot” and let the attacker’s content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn’t, which left it open.

From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then refined the prompt until Claude would “recover” by running the commands buried in it. The target is /proc/self/environ, the Linux file that holds a process’s environment variables, secrets included. Claude Code blocks naive reads, but RyotaK bypasses the guard anyway and gets Claude to write the values back into the issue, where the attacker can grab them.

The real prize in those variables is the credential pair GitHub Actions uses to request an OIDC token, a signed token that proves “I’m this workflow running in this repo.” Claude Code trades that token with Anthropic’s backend for a Claude GitHub App installation token with write access. Steal those credentials, replay the exchange, and you hold write access to the target’s code, issues, and workflows. Aim it at the claude-code-action repo itself, and you could poison the action that downstream projects pull. RyotaK also flagged a softer route that skipped the bot trick entirely.

Anthropic’s own example issue-triage workflow shipped with allowed_non_write_users: “*”, which lets anyone trigger it, a setting Anthropic’s docs already flag as risky. Worse, Claude was posting task summaries to the workflow run’s publicly visible summary panel, a ready-made way to leak data out. Plenty of repos copied that example and inherited the hole. There’s also a path for an attacker who can edit issues but can’t trigger Claude on their own: edit a trusted user’s issue after it has fired the workflow, but before Claude reads it, and the payload rides in as “trusted” input.

What to do? Update to claude-code-action v1.0.94 or later. Then audit any workflow that lets users without write access, or bots, trigger Claude: if it is taking untrusted input, don’t feed it any secret beyond the Anthropic API key and GITHUB_TOKEN, and remove tools and permissions that can be used for exfiltration. None of this is theoretical.

The same setup, an AI issue-triager plus broad permissions plus prompt injection, already caused a real supply-chain hit: In February, a prompt-injected issue title against Cline’s claude-code-action triage workflow let attackers steal an npm publish token and push an unauthorized cline@2.3.0 . The rogue version only force-installed a separate, non-malicious AI agent and was pulled about eight hours later, but the same chain could just as easily have shipped real malware to everyone who updated. The autonomous “HackerBot-Claw” bot then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others, though when it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. There’s no public sign of this exact path, the one that poisons Anthropic’s own action, was used against a live target; RyotaK proved it only in his own test repos, and he’s careful to separate that from the variants above that did get exploited.

RyotaK says he has now reported around 50 separate ways to bypass Claude Code’s permission system and run commands, part of a steady run of prompt-injection flaws in AI coding agents . Prompt injection still isn’t solved, and an agent with real tools and real tokens can be pushed as far as its permissions allow. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The AI Security Vendor Test Most Vendors Hope You Skip

Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It

Over the past several weeks, the cybersecurity community has been reminded how quickly frontier and agentic AI in defense networks can challenge our assumptions. When Anthropic’s Claude Mythos model was made available to a limited set of organizations as a technical preview, it was reported that an unauthorized group claimed that it had gained access within hours. The incident, if true, was more than a possible breach. It was a warning.

The potential impact of advanced AI on U.S. defense and intelligence networks is significant. As the U.S. government moves to deploy AI capabilities on classified networks, the opportunity is clear: advanced AI can help accelerate decision superiority for American forces .

But the risks are expanding just as quickly, particularly as agentic AI begins to operate across sensitive networks, data environments, and mission workflows. AI adoption is not simply about deploying powerful models. It requires the right security, governance, and resilient infrastructure around them. AI is only as trustworthy as the data it uses, the networks it touches, and the controls that determine who and what can access it.

In classified environments, that challenge is compounded by the need to move information securely across classification levels, compartments, coalition boundaries, and operational environments. For AI to rapidly deliver the expected decision advantage, three important areas must be considered:

  1. What is entering the model? Training data and commercial models must move quickly but securely into classified environments.

Without proper inspection, even the strongest AI model can become a liability by processing stale information or ingesting ‘poisoned’ content that leads to compromised assessments. 2. Who and what can access the AI? Cleared analysts, coalition partners, edge operators, and AI integration teams will all require governed access that enforces security boundaries without inadvertently ‘collapsing’ networks together.

  1. Where is the AI agent reaching back out? Every model call to a database, mission system, or coalition partner must preserve the integrity of the classification layer. If AI is going to compress operational timelines, the security boundary cannot become the first point of failure.

AI Mission Advantage Starts with Secure Infrastructure All of this depends on the network layers beneath the models. Everfox is enabling defense and intelligence agencies to keep pace with revolutionary changes in AI without compromising mission speed and security. Our technologies provide a secure network fabric built on cross domain capabilities and hardware-enforced protection that is purpose-built for classified environments and the tactical edge, all so AI can be securely and confidently deployed at mission scale. AI introduces risk across every layer: system components, integrations, downstream outputs, and mission workflows.

As defense and intelligence organizations accelerate adoption, AI tools will increasingly operate across domains, compartments, and operational theaters. In these environments, trusted infrastructure, strict access controls, and strong data governance are not optional. They are mission critical. Sensitive data must be able to move securely across classification boundaries, with threats and policy violations identified before they ever reach a model.

If we want to deploy AI responsibly at scale, we have to build security in from the start, not bolt it on after the technology is already embedded in mission operations. Frontier AI will be an important engine of future mission advantage. But without a secure network fabric to carry it, even the best models cannot be trusted to operate where and when they matter most. Note: This article is written and contributed by Dave Wajsgras - Chairman and CEO of Everfox.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

It got stupid again. The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper.

And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems.

Great. Read the whole thing before it ruins your week anyway. Unauthenticated SSRF risk Cisco Patches Unified Communications Manager Flaw Cisco has released fixes to address a high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. “This vulnerability is due to improper input validation for specific HTTP requests,” Cisco said.

“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” The issue has been addressed in Cisco Unified CM and Unified CM SME Release versions 14SU6 and 15SU5. Cisco said it’s aware of the availability of proof-of-concept exploit code for the flaw, but noted there is no evidence of active exploitation. It credited an independent security researcher working with SSD Secure Disclosure for reporting the vulnerability.

Mobile spyware operation Russia Claims Large-Scale Operation Targeting High-Ranking Officials Russia’s Federal Security Service (FSB) has disclosed details of what it described as a “large-scale action” undertaken by foreign intelligence services to stealthily implant spyware on the mobile devices of high-ranking officials in the country. “This software was utilized to exfiltrate existing data, intercept ongoing conversations, and conduct covert audio and video surveillance of the immediate surroundings of the electronic devices, with the ultimate objective of obtaining sensitive information,” the FSB said . Russia did not reveal who was behind the attacks, but noted the “representatives of foreign intelligence services” leveraged the technical capabilities of major international IT corporations to exfiltrate sensitive data from the devices. This specifically included the exploitation of mobile communication channels, the agency added.

An investigation into the activity is ongoing, with the FSB also initiating a criminal case to investigate the matter. Layered keylogger lures VIP Keylogger Campaigns Analyzed Threat actors have been relying on social engineering over the past few months to push VIP Keylogger via loaders written in JavaScript, batch scripts, and Visual Basic Script (VBS). “Attackers are masquerading as legitimate business communications such as bank payment notifications, procurement orders, and logistics updates to lure users into opening malicious files,” Splunk said . Crypto sanctions escalation U.S.

Sanctions Nobitex Crypto Exchange The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran’s largest cryptocurrency exchange, for facilitating payments related to terrorist activities. “Nobitex has provided significant support to the regime, processing more than 50 percent of all Iranian digital asset inflows in 2025 and facilitating payments tied to Iran’s terrorist activities, sanctions evasion efforts, and Islamic Revolutionary Guard Corps (IRGC)-linked transactions, including activity associated with IRGC-affiliated ransomware actors,” the Treasury said . The sanctions also extend to Nobitex’s chairman, co-founder, and former CEO, Amir Hossein Rad, as well as other Nobitex leaders and officials, and three other exchanges: Wallex, Bitpin, and Ramzinex.

According to Chainalysis , Nobitex processed over 50% of all Iranian digital asset inflows last year. The four exchanges accounted for roughly $7.7 billion, 78% of Iran’s USD 9.9 billion in attributed 2025 crypto volume, per TRM Labs . Cybercrime forum fallout XSS Takes Fractures Cybercrime Underground The July 2025 law enforcement takedown of XSS , a prominent Russian-speaking cybercrime forum, didn’t dismantle the ecosystem. Rather, it fractured it into competing, harder-to-track factions, Flashpoint said .

The collapse has triggered an exodus into new, unvetted, and often adversarial communities. Some of the new forums that have rushed to fill up the void left by XSS include DamageLib (launched by legacy moderators of XSS), Rehub (launched by another former XSS moderator), XSS.pro (a resurrection using old backups and suspected to be a law-enforcement honeypot), and XSSF (started by a pro-Russian Telegram hacking group). RMM abuse surge Malicious Use of Tiflux in Attacks Surges A lesser-known remote desktop tool called Tiflux is being used in a growing number of attacks to establish persistence, transmit screenshots, and run commands to collect system profiling information. “Threat actors behind the rogue Tiflux incidents also installed UltraVNC, an open-source remote access tool, sideloaded other commercial RMMs, including Splashtop and ScreenConnect, and installed an outdated driver that can permit the threat actor to elevate their own privileges on an infected system,” Huntress said .

“Threat actors continue to test and weaponize the use of commercial remote access management tools.” Malware delivery network DriveSurge Linked to ClickFix and FakeUpdates Campaigns A threat cluster tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates (aka SocGholish) social engineering techniques on compromised sites. Thousands of websites are estimated to have been compromised, directing users to malicious infrastructure. DriveSurge primarily acts as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors of compromised websites are steered through a traffic distribution system (TDS) known as zTDS, which profiles the system and decides whether the visitor should be served a ClickFix or a FakeUpdates lure.

zTDS, in use since at least 2015, is publicly available at ztds[.]info. “Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push said . The campaign has been active since September 2025. Sensitive data leak Spain Arrests Suspect for Leaking Sensitive Data The Spanish National Police has arrested an unidentified individual for leaking sensitive information related to members of various critical state organizations, including the National Cybersecurity Institute (INCIBE), the State Attorney General’s Office, the National Police, the Civil Guard, and the National Security Council.

JavaScript backdoor malspam Malspam Distributes JavaScript Backdoor Intrinsec haș disclosed that multiple malspam campaigns have been used to distribute a JavaScript-coded backdoor. “The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region,” the company said. “We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC).” The activity was observed in March 2026. On-chain malware delivery ClearFake Campaign Leverages EtherHiding Cybersecurity researchers have flagged an intrusion in which threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet.

“The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that confirmed each victim compromise in real time,” Trend Micro said . Cloud attack tradecraft Exploitation of ROADtools by Nation-State Groups Nation-state hacking groups like APT29 , APT33 , and UTA0355 are exploiting ROADtools , a Python-based open-source framework for red-teaming and research, to blend in with normal traffic and evade detection. “ROADtools operates through legitimate Microsoft APIs and can mimic typical traffic,” Palo Alto Networks Unit 42 said . “Further defense evasion can be achieved by configuring request attributes such as user-agent strings.

These capabilities have made ROADtools a valuable asset for attackers. Nation-state threat actors have used it in recent cloud intrusions for discovery, persistence, and defense evasion. Attackers involved in a targeted phishing campaign in early 2025 used tooling that matches ROADtools’ token management capabilities.” Data-only extortion rises Pure Data Exfiltration Campaigns on the Rise Pure data-exfiltration campaigns without deploying ransomware to pressurize victims are on the rise. In 2025, such attacks have primarily targeted professional services, healthcare, and consumer services firms.

“Interestingly, while manufacturing remains the single most disrupted sector overall, construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot,” Unit 42 said . “These firms are attractive targets due to lucrative financial blueprints and bidding data combined with data egress controls.” AI-assisted evasion testing Threat Actor Uses AI for Testing EDR Evasion An unknown threat actor has been observed using artificial intelligence (AI) technologies to automate Active Directory discovery and refine endpoint detection and response (EDR) evasion tactics in a red team post-exploitation framework. “Analysis revealed that AI for malware development was more limited and was mainly used to coordinate workflows and support experimentation,” Sophos said . “The actual EDR-bypass path was a structured engineering test cycle that included human review and iteration.” To develop tools for bypassing EDR agents, the attacker is said to have used Cursor and Anthropic Claude Opus.

At the core of the framework is a Python tool that generates Go and Rust payloads for testing with an aim to resist sandboxing, antivirus, and EDR detection. This approach was used to build nearly 80 modules covering more than 70 techniques. Also attributed to the threat actor are Python-based malware development scripts for injecting shellcode into legitimate Windows executables and a Telegram bot API-based external command and control (C2) mechanism. “The use of AI agents to accelerate tool development and test evasion techniques lowers the barrier to entry for sophisticated red team-style attacks,” Sophos said.

“However, this shift does not change how defenders should protect themselves.” The framework is said to be built for stealthy post-exploitation activity in target environments, linking it to “known ransomware deployment and data theft operations.” Steam-hosted malware payloads Steam Community Profiles as Dead Drop Resolvers A newly identified malware is using Steam Community profile comments to host malicious payloads for WordPress, hiding malicious infrastructure behind Valve’s legitimate platform. “The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods,” GoDaddy said . “A cookie-authenticated backdoor enables remote code execution, allowing attackers to modify plugin and theme files by sending base64-encoded PHP code via POST requests.” The malware performs two primary functions, including client-side JavaScript injection, which fetches encoded URLs from Steam profile comments, decodes them, and injects external JavaScript into WordPress pages, and a server-side backdoor that provides cookie-authenticated remote access for modifying PHP files across plugins and themes. The campaign was first detected in July 2025.

The malware has been detected on approximately 1,980 WordPress sites. It is unclear how the websites are breached, but it’s assessed that the initial infection vector could be stolen admin logins, compromised FTP/SFTP credentials, the exploitation of a vulnerable WordPress theme or plugin, or a supply chain compromise. Trusted tools abused FalkonC2 Becomes Stealthy Flare.io has disclosed details of FalkonC2, a commercial hacking tool that appears designed to hide inside enterprise environments by abusing trusted remote access software. “FalkonC2 has an enterprise version called Rotemelli2 that runs in memory, rotates its command-and-control domains every 72 hours, and uses tools such as ScreenConnect, Datto, and SimpleHelp to quietly launch attacks,” the company said in a statement.

An analysis of dashboard telemetry suggests active enterprise infections across the U.S., Australia, the Netherlands, and Poland. The framework also checks infected machines for QuickBooks and Sage50 data, suggesting attackers are looking for accounting systems they can quickly exfiltrate. AI vulnerability surge Anthropic Expands Project Glasswing Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries for access to its Claude Mythos Preview. “The bottleneck in cybersecurity is now verifying, disclosing, and patching the large numbers of vulnerabilities that Mythos-class models can surface,” the company said .

The growing number of flaws identified with the help of AI models has shifted the scales from discovery to patching. A recent report from the Cloud Security Alliance (CSA), the SANS Institute, and the Open Worldwide Application Security Project (OWASP) concluded that in the near term, organizations are “likely to be overwhelmed” by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them. “The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible,” the report said . Linux flaw under attack CISA Adds Linux Kernel Flaw to KEV Catalog The U.S.

Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel flaw ( CVE-2022-0492 , CVSS score: 7.8) to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 5, 2026. “Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature,” CISA said. The development comes after Kaspersky said it observed the flaw, along with CVE-2019-5736 and CVE-2024-21626, being exploited in attacks aimed at container environments. Fake image tools deliver malware ClickFix Becomes BackgroundFix A new ClickFix-style lure is being dressed up as free image-editing tools to deliver CastleLoader , which then drops both NetSupport RAT and a custom .NET stealer called CastleStealer.

“The sites look like every other ‘remove your photo background’ service with uploads, progress bars, and download buttons, but the entire UI is fake,” Huntress said . The activity has been codenamed BackgroundFix. CastleLoader is attributed to a threat cluster known as GrayBravo. Session theft defense Google Makes DBSC Generally Available to Workspace Users Google has revealed that Device Bound Session Credentials (DBSC) in the Chrome browser is now generally available and enabled by default for Google Workspace users.

“DBSC strengthens account security after users are logged in and helps bind a session cookie - small files used by websites to remember user information - to the device a user authenticated from,” Google said . “Even if malware was present on the user’s device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies.” The feature was formally released in April 2026. Adobe abused in phishing Fake LinkedIn Emails Abuse Adobe to Track Victims Cybercriminals are weaponizing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. Opening an HTML attachment in the email message serves a login form urging the recipient to enter their credentials.

The captured information is delivered to the domain “lnkd.tt.omtrdc[.]net/rest/v1/delivery,” after which they are redirected to the LinkedIn site. “This domain belongs to Adobe and is associated with the Adobe Target A/B testing platform,” Malwarebytes said . “But the campaign isn’t using Adobe Target to receive the phished credentials. Instead, attackers are abusing Adobe Target as a redirect/abuse point in the phishing flow.” Supply chain delay defense RubyGems Debuts “cooldown” Time-Based Filter to Tackle Supply Chain Attacks RubyGems has included a cooldown, a time-based filter, in Bundler version 4.0.13 that refuses to resolve to a version until it has been public for at least “N” days.

“Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window,” Hiroshi Shibata, RubyGems maintainer, said . “It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.” Users can declare a “small cooldown” on the source in the Gemfile. The efforts go along with other initiatives like AI-assisted vulnerability scanning against the most critical gems in the registry. Iran-linked Israel attacks Three Iranian Threat Clusters Highlighted ESET said it recorded an unusual spike in Iran-aligned activity against Israeli targets between October 2025 and March 2026 that could not be linked to previously known groups.

“Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential - including deployment of a bootkit-style wiper and retaining destructive tooling for later use - whereas a third, MOØN Badr, appears to have been limited to targeted espionage,” the Slovakian company said . MoKhargosh, first observed in January 2026, used Go-compiled binaries in attacks targeting Israel. This includes a backdoor called GoKhargosh, along with wipers, filecoders that overwrite files with junk data, and a wiper that targets the master boot record to render the system unbootable. MOØN Badr, on the other hand, singled out three unidentified victims in Israel in early January 2026 to deliver the MOØN AGENT backdoor via phishing emails to facilitate command execution and file uploads and downloads.

Fuel tank systems exposed CISA Warns of Attacks Targeting Automatic Tank Gauge Systems The U.S. government has issued an advisory urging organizations to take steps to defend against attacks targeting U.S.-based automatic tank gauge (ATG) systems by securing them with strong passwords and by removing them from the internet to reduce public exposure. The activity, which remains unattributed, involves the attackers compromising internet-exposed ATG systems via hard-coded credentials, command execution, and SQL injection vectors, followed by escalating privileges to obtain full administrator rights and modifying the system functions. “Should a cyber threat actor exploit these vulnerabilities and compromise an ATG system, they could disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console,” government agencies said .

Verified call defense Google Adds New Scam Detection Feature to Android Google has announced a fake call detection feature, built on Rich Communication Services (RCS), to Android devices running versions Android 12 and later that verifies whether a call is coming from the caller’s actual Android smartphone. Enabled by default, the alert is designed to avoid falling victim to deepfake impersonation and call spoofing in real time. “When a contact calls you and you’re both using Phone by Google, their device sends a silent confirmation signal in real time to your device to verify the call is legitimate and truly coming from the contact’s device,” Google said . “If a scammer tries to impersonate your contact, that initial confirmation signal will be missing.

Your device will instantly notice this and ping your contact’s actual device to double-check. If their real device says, ‘I’m not making a call right now,’ you’ll get a warning on your screen advising you to hang up immediately.” Because the digital handshake uses end-to-end encrypted RCS technology, Google said the process is completely private. That said, the feature requires users to have three Google apps installed: Phone by Google, Contacts, and Google Messages. It will roll out globally this month, starting with Pixel devices.

Agentic AI failures AI-security and Operational Incidents Analyzed An analysis of 7,200 publicly reported AI-security and operational incidents has identified “344 verified enterprise-relevant agent-inflicted damage cases between September 2023 and May 2026, including 188 incidents where autonomous AI systems caused direct organizational harm without any external attacker involvement,” Cyera researchers Ehud Halamish, Assaf Morag, and Vladimir Tokarev said . “The majority of confirmed incidents involved real production impact rather than theoretical AI risk scenarios. Observed outcomes included deleted databases, destructive cloud actions, unauthorized financial operations, runaway API spending, service outages, exposed secrets, and silent integrity corruption inside enterprise environments. As agents gain broader permissions and deeper integration into SaaS, cloud, development, and business environments, the AI interaction layer itself increasingly becomes part of the enterprise attack surface and critical data perimeter.” The lesson is boring because the lesson is always boring.

Patch faster, kill exposed admin panels, stop trusting “safe” tools by name, and watch the weird edges where attackers like to hide. The cheap stuff still works because too many teams leave it cheap. Security is not magic. It is inventory, logs, least privilege, backups, tested restores, and people who notice when something normal starts acting wrong.

Do that well, and half this mess gets a lot less exciting. That is the point. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Gartner: 70% of SOCs Will Pilot AI Agents. Only 15% Will See Results

China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa

A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a “rapid operational tempo” and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader , according to Proofpoint. The enterprise security company is keeping tabs on the activity under the moniker TA4922, describing it as a Chinese-speaking threat actor largely targeting East Asia. TA4922 is assessed to share some level of overlap with Silver Fox , with the threat actor’s tradecraft more focused on cybercriminal objectives than espionage.

“The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access,” the company said , characterizing it as an adversary conducting “more unique campaigns” than any other threat actor it tracks. In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader. Another notable shift involves attempts to move conversations from emails to out-of-band communication channels like LINE, WhatsApp, and Microsoft Teams, allowing the attackers to bypass enterprise security controls and steal data or deliver malware. Details of some of the recently observed TA4922 phishing campaigns are below - March 6, 2026: Using human resources-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading March 23, 2026: Using corporate- and human resources-themed lures in attacks targeting Japanese organizations to deliver a C-based loader called RomulusLoader via DLL side-loading March 30, 2026: Using tax authority-related lures in attacks targeting organizations in the U.K.

to deliver a vibe-coded Python-based loader and stealer called SilentRunLoader, which then drops an executable to harvest sensitive data from Google Chrome including stored credentials, cookies, and browsing information April 2, 2026: Using human resources communication lures in attacks targeting organizations in the U.K. and Germany to deliver Atlas RAT via DLL side-loading April 7, 2026: Using invoice-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading April 10, 2026: Using benefits- and compliance-themed lures in attacks targeting organizations across Southeast Asia and the U.K. to deliver SilentRunLoader via DLL side-loading and exfiltrate Chrome data Mid-April 2026: Using business- and tax-related themes in attacks targeting organizations in Japan and Germany to deliver RomulusLoader, which is then used to deploy AnyDesk and SyncFuture via DLL side-loading “While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups,” Proofpoint said. “The global nature of this actor shows how organizations should be aware of emerging and complex threats, regardless of geographic targeting.

These types of actors can quickly expand and scale their tactics to include more targets at any time.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads

Cybersecurity researchers have shed light on a macOS malvertising campaign codenamed Operation FlutterBridge that spreads a new backdoor called FlutterShell . According to Palo Alto Networks Unit 42, the campaign is said to be the next stage of a previously reported activity cluster dubbed JSCoreRunner (aka FileRipple ) in late August 2025. The cybercrime group behind the two attack chains is being tracked under the moniker CL-CRI-1089. The attackers are assessed to be active since at least 2023.

“Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications,” Unit 42 said . “In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation.” Operations attributed to CL-CRI-1089 also include Recipe Lister and Calendaromatic , both of which fall under a broader designation known as TamperedChef (aka EvilAI ), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware. These campaigns distribute malicious Google and YouTube advertisements using a network of Google-verified shell companies, with the ads acting as a lure to trick targets into deploying malware that masquerades as legitimate desktop applications. Some of the front companies are AdsParkPro LTD , Advantage Web Marketing LLC , and SOFT WE ART LIMITED (now PACIFIC TRADE SOLUTIONS LTD).

Target audiences for these ads are macOS users in the U.S., Canada, Australia, France, and Germany. Although none of the Google Ads accounts are currently accessible via the Google Ads Transparency Center, records from YouControl and the U.K. government’s Companies House register indicate that the firms all have links to Ukrainian individuals. The latest iteration entails the deployment of FlutterShell, which supports arbitrary command execution, file system interaction, and environment variables exfiltration.

These efforts have been detected as recently as March 2026. “Upon execution, the malware modifies Google Chrome configuration files to hijack the browser, forcing all traffic through an attacker-controlled, ad-filled intermediary site,” researchers Ido Asher, Noa Dekel, and Tom Fakterman said. “All observed samples were signed with valid Apple Developer IDs and successfully passed notarization, meaning Apple’s automated security checks did not flag them as malicious at the time of submission.” What makes FlutterShell noteworthy is that it implements a WebView-based architecture that utilizes a JavaScript-to-native bridge, thereby allowing the adversary to host malicious logic on an external website, rather than embedding it into the binary. This, in turn, makes it possible to dynamically alter the malware’s behavior in real time without having to recompile or push out an updated version to compromised hosts.

“In WebView-based architecture, a native application uses an embedded web browser component to display content,” Unit 42 explained. “The JavaScript-to-native bridge acts as a communication channel between this web content and the host native application, allowing them to exchange data and cross-invoke functionality.” Three different variants of FlutterShell, viz., PodcastsLounge, PDF-Brain, and PDF-Ninja, have been identified. This, coupled with the presence of unfinished functions in the JavaScript logic hosted on the attackers’ infrastructure, suggests the malware is likely under active development. Some of the variants, PDF-Brain and PDF-Ninja, feature an artificial intelligence (AI)-powered summarization capability by relaying documents through an attacker-controlled server before processing them.

In addition, the malware enables system fingerprinting and the theft of browser session data. FlutterShell has also been found to share technical similarities with Calendaromatic and Recipe Lister, the most obvious being the WebView-based code architecture to facilitate dynamic payload changes. What’s more, Advantage Web Marketing LLC has been observed not only spreading malicious ads but also acting as the signatory for Windows adware variants associated with the cluster. “The evolution from JSCoreRunner to FlutterShell represents a significant increase in technical depth for the attackers behind CL-CRI-1089,” Unit 42 said.

“Furthermore, the scale of the distribution network, coupled with the verified shell entities used to bypass ad-network vetting, highlights the persistent danger of malvertising. The coordination of multiple shell entities, and the rapid development and delivery of new FlutterShell variants, indicates that this campaign is far from over.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework. “The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources,” Check Point security researcher Alexey Bukhteyev said in a breakdown of the campaign. “The deception is not in the page content alone, it’s in what happens when a user interacts.” “These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a ‘download’ button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.” It’s suspected that the operation is designed for traffic acquisition and monetization, while leading select users to malware delivery infrastructure.

Some of the identified sites mimic trusted reverse-engineering and security tooling such as Ghidra, dnSpy, and SpiderFoot. Attack chains specifically target users looking for such tools on search engines like Google, causing the bogus sites to be surfaced on top of the search results. An early iteration of the campaign was documented by Fullstory in November 2025. Evidence indicates that the activity has been ongoing since September 2025.

“These domains are focused on gaining favorable search engine rankings by leveraging the name, brand, and popularity of the original web sites and projects,” the Atlanta-based company noted at the time. “Many sites are in the top rankings on Google for the relevant search term, often eclipsing the real project’s web site. This makes their visibility an asset and can maximize links and content.” Although there was no indication that any of these domains were put to use for malicious activity, other than to generate content to drive traffic and enable third-parties to advertise their own sites, the latest findings from Check Point show that the TDS scripts were embedded not long after, and the infrastructure was repurposed for malware distribution starting January 2026. Clicking the “Download” button initiates a TDS redirection chain that results in the deployment of malware.

One of the most striking aspects is that hovering over the button reveals the legitimate URL from where the tool can be downloaded, thereby lending the site a veneer of legitimacy. The redirect chains are also engineered such that repeated attempts to enter it from the same IP address result in the download of benign software, like the Opera browser or unnecessary browser extensions. Some of the payloads distributed via this TDS are listed below - SessionGate , a previously unknown multi-stage, obfuscated loader that’s used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience. Remus Stealer , a new information stealer offered under a malware-as-a-service (MaaS) model, can steal data from more than 20 browsers, including hundreds of browser extensions and applications, such as cryptocurrency wallets, two-factor authentication tools, and password managers.

Remus is believed to be a variant of the Lumma Stealer. AnimateClipper , a cryptocurrency clipper that can substitute wallet addresses copied to the clipboard and hijack transactions across more than 20 blockchain ecosystems. It’s delivered by means of a ClickFix lure. An analysis of VirusTotal telemetry has revealed approximately 2,000 to 3,500 submissions of samples associated with the SessionGate family to date.

The vast majority of the submissions have originated from Turkey, Poland, Brazil, Germany, France, Russia, and the U.K. The end goal of the SessionGate infection sequence is to drop a payload that’s unique per client and delivered only after traversing the redirect path end-to-end. The multi-stage delivery chain, combined with an extensive validation logic and TDS-side gating, is designed to resist analysis and make payload retrieval a challenging task for analysts. The final DLL payload is responsible for communicating with an external server, retrieving an encrypted configuration from the server, extracting the download URL from the configuration, and downloading and silently executing the next-stage malware via “cmd.exe.” “The entry sites mimic legitimate open-source project portals, preserve real GitHub links to pass quick visual checks, and then use click interception to route the first download click into a gated TDS stack,” Bukhteyev said.

“The more plausible primary objective is traffic acquisition and monetization. However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors. The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity. Symantec and Carbon Black’s Threat Hunter Team reported the campaign this week. This points to espionage, not a money grab: Symantec said the commands indicate intelligence collection, not theft for profit. Neither the executive nor the exchange was named.

The value is plain enough: an exchange executive’s inbox can hold non-public listing details, enforcement matters, deal terms, market-moving plans, plus the executive’s calendar and contacts. Five months of quiet access handed the attacker a detailed read on the executive’s dealings and where the organization was heading, without needing broad access to other business systems. The first malicious activity showed up on October 10, 2025. By then, the attacker was already running two binaries as SYSTEM, the highest Windows privilege level, one faking Adobe’s updater and the other faking OneDrive.

By the time defenders noticed anything, the intruder had full control of the machine, and how they first got in is still unknown. However, Symantec confirmed that the first signs likely came from lateral movement off a previously compromised device. The operation kicked into gear on November 12. The attacker pulled a Dropbox API token, started uploading data with curl, and deployed the main tool: a mailbox stealer built on Aspose, a legitimate .NET library that reads Outlook OST and PST files.

Wrapped in an executable, it converted the mailbox to PST and wrote it to disk, run each time with a password and a date-range flag. The first run grabbed everything from August 2025 on. After that the attacker came back every two to four weeks, each run taking only the days since the last one, eight more pulls through February 17, 2026. The result is a near-continuous copy of the mailbox, sliced thin enough not to draw attention from security software.

The stealth came from making the work look ordinary. Scheduled tasks posed as Adobe, Lenovo and OneDrive system services. For exfiltration the attacker used Dropbox and OneDrive Personal, and for OneDrive they connected to hard-coded Microsoft IP addresses instead of the onedrive.live.com hostname, so there were no DNS lookups for a perimeter tool to catch or block. The attacker also tested the public file host temp.sh once in November, then dropped it.

The last observed activity, on March 19, 2026, was a new backdoor that was staged but never run, which Elias said may mean the attacker lost access soon after. Symantec’s published indicators point to a wider intrusion kit, not just a mailbox grabber: FRPC for tunneling traffic out, Secretsdump for pulling Windows credentials, SharpDecryptPwd for recovering saved app passwords, and a tool to bypass Windows User Account Control. The report does not say how each was used here, and none of them point to a specific group. There is no CVE in this story.

It was an intrusion against a person’s mailbox, not the exploitation of a freshly disclosed flaw, which is part of why it is worth reading: no patch closes this, and the burden shifts to monitoring and response. Attribution is unresolved too. The mix of public tooling and consumer cloud services left little to tie the activity to a known actor, and that stays open until a stronger source says otherwise. Routing exfiltration through Dropbox and OneDrive to blend in is a well-worn play, and one Microsoft has flagged as a deliberate way to slip past perimeter defenses and muddy attribution.

If you defend an exchange, a regulator, or any firm sitting on market-moving information, feed the hashes in now and watch for the behavior behind them: unusual mailbox export activity, odd Outlook access, uploads to personal Dropbox or OneDrive accounts, unexpected tunneling, and credential-dumping on systems tied to privileged users. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets

The U.S. Department of Justice (DoJ) on Wednesday announced the results of a sweeping action undertaken by government authorities and private sector companies to combat cyber-enabled and cryptocurrency fraud targeting Americans. The “Disruption Week” operation began May 18, 2026, leading to the takedown of millions of social media, email, and internet access accounts used by transnational cybercrime groups in Southeast Asia to defraud victims. Private sector entities voluntarily froze over $3.8 million in cryptocurrency involved in the laundering of funds stolen from Americans.

“Cyber-enabled and crypto investment fraud is devastating Main Street Americans, wiping out life savings and preying on some of our most vulnerable citizens,” said U.S. Attorney Jeanine Ferris Pirro for the District of Columbia. The efforts are part of an ongoing U.S. government initiative called Scam Center Strike Force, which aims to dismantle transnational criminal organizations running cyber-enabled fraud and “ pig butchering “ (aka romance baiting) scams from compounds in Southeast Asia, along with the human trafficking and money laundering operations that fuel the illicit enterprise.

These schemes typically involve cultivating relationships with prospective victims over time before they are coaxed into depositing funds into fraudulent investment platforms under the promise of high returns. Once the assets are deposited, they are routed to accounts under the scammers’ control. Once the victim runs out of money or discovers the fraud, the criminals cease contact with them. Participating in the operation were Apple, Coinbase, Google, Meta, Microsoft, Silent Push, SpaceX/Starlink, TRM Labs, and Zenlayer, alongside the Australian Federal Police, Canadian Anti-Fraud Centre, New Zealand Police, the Royal Thai Police, and U.K.

National Crime Agency. The “first-of-its-kind event” has resulted in a series of actions - Disruptions of criminal activity across more than 1.4 million accounts, pages and groups across Facebook and Instagram, 20,000 Microsoft accounts, and thousands of Starlink kits; Interruptions of malicious IP address traffic and of network connections hosted by scammers; Decommissioning of servers, colocation environments, and hosting infrastructure linked to scam networks operating across Southeast Asia; Identification of multiple scammers and scam platforms, and referrals of the same to U.S. authorities for investigation and possible prosecution; and Arrests of seven scammers in Thailand and the opening of new cases by the Royal Thai Police Anti-Cyber Scam Center. According to the DoJ, cryptocurrency investment scams have emerged as one of the “fastest growing and most financially devastating forms of fraud” targeting Americans, with reported losses from these scams rising from $3.96 billion in 2023 to $5.8 billion in 2024 and to more than $7.2 billion in 2025, registering a 24% increase year-over-year.

“Many of these schemes are run out of industrial-scale compounds in Cambodia, Laos, and in Burma along the border with Thailand,” the DoJ said. “Criminal syndicates often lure workers to Thailand with promises of high-paying technical jobs, then seize their identification documents and traffic them to work in scam compounds.” “Within the compounds, trafficked workers are frequently forced to conduct fraud operations against victims in the United States and elsewhere under threat of violence.” Last month, a joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans. In a coordinated statement, Meta said law enforcement has arrested 63 potential criminals connected to scam centers thus far, with Coinbase freezing over $3 million in cryptocurrency assets tied to criminal networks.

“Transnational online fraud cannot be solved by any single agency or country acting alone, which is why strong collaboration and timely information sharing remain essential to dismantling these networks and protecting the public,” Police Lieutenant General Jirabhop Bhuridej, Royal Thai Police, said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini’s voice assistant on Android and made it open a victim’s connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. No malicious app on the phone is required. The assistant just had to treat a hostile notification as useful context. The research, published by SafeBreach’s Or Yair, follows the team’s earlier “ Invitation Is All You Need “ work, which pulled off similar tricks through malicious Google Calendar invites.

After that, Google hardened Gemini against indirect prompt injection. Yair found a way around the new defenses. Google has since patched it, SafeBreach lists no CVE for the issue, and there is no evidence that the technique was ever used in the wild. On Android, Gemini’s Utilities feature can read and reply to your notifications, including ones from apps like WhatsApp.

It isn’t available on iOS or the web, which keeps this vector Android-only. Yair found the agent that reads those notifications treats their text as instructions it can act on. So anything that can push a notification to a phone can deliver a payload, an attack surface Yair called “ effectively infinite .” At minimum, that lets an attacker rewrite what Gemini says, including faking a message from a named contact. Spoken aloud while you drive and don’t look at the screen, “your manager asked you to upload the docs to this Drive folder” is hard to second-guess.

The blind version is worse: the payload fires after Gemini has loaded real notifications, so it can grab the first real sender name in the queue and pin the fake message on them. Faking output is one thing. Firing real tools, like opening a window or launching an app, is what Google’s post-“Invitation” mitigations were built to stop. Yair’s read, from black-box testing: when a “Yes” authorizes a sensitive action, a check weighs both the user’s reply and Gemini’s last output to decide whether that “Yes” makes sense.

Inject a delayed instruction out of nowhere, and Gemini refused, every time. So the bypass, which Yair named Fake Context Alignment , runs two illusions at once: a legitimate-looking authorization for the security check, a harmless exchange for the human. Obfuscated. Gemini asks the real authorization question in a language the victim doesn’t speak, say Chinese (“Do you want to open the window?”), then follows in English with something innocuous like “Is that all you needed?” The user shrugs off the foreign phrase as a glitch, says “Yes,” and the backend ties that “Yes” to the Chinese question.

Muted. Gemini’s text-to-speech skips hyperlinks hidden behind clickable text. So the malicious question gets buried in a link the assistant never reads aloud. Gemini says, “I’m sorry, I had an error, are you there?” while the screen silently shows “Do you want to open the window?” The driver says “Yes,” the check sees the on-screen text, and the windows open.

Combine the two, a Chinese authorization prompt hidden inside a muted link, and you get a payload that sounds like a normal English exchange while clearing Google’s newest checks. Past the authorization gate, the impacts matched the earlier research and then went further: Smart home control through Google Home: connected windows, boilers, and lights. Tracking and downloads. Opening URLs to geolocate a victim by IP or push file downloads.

Crossing into other apps. In the demo, Yair set a safe-looking domain to redirect to a Zoom app link, and Gemini followed it without prompting, forcing the phone to join a meeting and stream video. By his account, it worked because Gemini trusted the domain after it had served clean content, then followed the later redirect. SafeBreach stresses its own domain never redirected to Zoom; the redirect ran on a local server on the test device.

Memory poisoning, which the earlier calendar technique never managed. Fake Context Alignment simulates consent, so Gemini persistently saved an attacker-chosen fact. In the demo, it stored the victim’s name as “Danny.” Because that memory is account-level, the poisoned fact isn’t stuck on the phone; it follows the victim wherever they use Gemini on that account. Persistence via scheduled actions, such as a recurring task to read the victim’s recent messages every day at 8 PM.

SafeBreach reported the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google treated it as a high priority and confirmed on November 14, 2025, that content-classifier improvements mitigated the notification injections and the Delayed Tool Invocation bypass. Because the fix is server-side, there is no app update to chase. The only control users have is whether Gemini reads notifications at all: disconnect the Utilities app in Gemini’s Connected Apps settings, or turn off the Google app’s “Notification read, reply & control” permission on Android.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user’s GitHub token. “Just by clicking a link, it’s possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones,” security researcher Ammar Askar said . GitHub supports a feature called GitHub.dev that runs as a lightweight web-based source code editor in the web browser’s sandbox by launching a VS Code environment. It allows users to send pull requests and make commits.

“This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf,” Askar said. “The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to.” In a nutshell, the vulnerability allows attackers to install malicious VS Code extensions that steal GitHub OAuth tokens when they are passed to GitHub.dev by exploiting a message-passing mechanism between the main VS Code window and webviews . Webviews are used to render Markdown previews or edit Jupyter notebooks. Specifically, the exploit runs malicious JavaScript inside an untrusted webview to simulate keypresses (aka keydown events) in the main editor window, open the Command Palette by triggering “Ctrl+Shift+P,” and install an attacker-controlled extension that extracts the GitHub OAuth token sent to GitHub.dev and queries the GitHub API to enumerate all private repositories the victim can access.

It’s worth noting the approach also leverages a VS Code feature called local workspace extensions that allows an extension to be directly installed without presenting any additional trust dialog prompt as long as it’s placed in the “.vscode/extensions” folder within that workspace, effectively bypassing the publisher trust check. “This is just a small hiccup though, one of the things that extensions can do as part of their package.json is to contribute extra keybindings to VS Code,” the researcher explained. “Since we can reliably trigger keybindings, we can just add a keybind for whatever VS Code command we want, such as installing an extension while skipping the trusted publisher check.” The researcher also noted GitHub was notified of the vulnerability on June 2, 2026, an hour after which details of the issue were made public knowledge, citing Microsoft’s handling of VS Code-related bugs in the past. As of writing, Microsoft has acknowledged the vulnerability and noted that it’s working on a fix.

“To clarify, this issue does not affect VS Code Desktop,” Alexandru Dima, a partner software engineering manager at Microsoft, said. Update Following the publication of the story, Microsoft told The Hacker News that the vulnerability has been addressed. “This issue has been mitigated for our services and no customer action is required,” a Microsoft spokesperson said. (The story was updated after publication to include a response from Microsoft.) Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.