DAILY WORKFLOW ARCHIVE

2026-06-14 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-06-14 AI创业新闻

Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253 , is rated 9.8 on the CVSS scoring system. “In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint,” Splunk said in an alert this week. “The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.” The issue has been addressed in the following versions - Splunk Enterprise 10.0.0 to 10.0.6 - Fixed in 10.0.7 Splunk Enterprise 10.2.0 to 10.2.3 - Fixed in 10.2.4 Splunk Enterprise 10.4 - Not affected Splunk, which is part of Cisco, said Splunk Cloud is not impacted by the vulnerability as Postgres sidecars are not used in the product.

What the Flaw is All About On Friday, watchTowr Labs released additional technical details of CVE-2026-20253, stating it could be exploited to achieve pre-authenticated remote code execution on susceptible systems through the “/v1/postgres/recovery/backup” and “/v1/postgres/recovery/restore” endpoints. The attack chain works as follows - Connect to an attacker-controlled database and dump its contents into an arbitrary file using the /backup endpoint Load the dump of the attacker-controlled database into the local PostgreSQL instance using the /restore endpoint by including a “passfile” argument that specifies the path to a “ .pgpass “ file (“/opt/splunk/var/packages/data/postgres/.pgpass”) containing the password for the “postgres_admin” user SQL queries defined in the database dump will get executed by Splunk’s PostgreSQL instance An attacker could weaponize this weakness to define a new function that uses lo_export

The entire sequence of actions is below - Create a database and configure it such that a user can authenticate without a password and grant it sufficient permissions to invoke functions like lo_export Use the /backup endpoint to drop a dump of the remote database onto the Splunk file system Use the /restore endpoint to load the malicious database dump, trigger execution of the malicious function during the restore process, and write an attacker-controlled Python script to the Splunk file system Although there is no evidence of the flaw being exploited in the wild, the availability of the exploit specifics can be enough to drive threat actors to trigger opportunistic attempts. It’s essential that users move quickly to apply the fixes to stay protected. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals

Anthropic said on Friday it will “abruptly disable” its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5 , for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., citing national security concerns. The AI company said it received an order at 5:21 p.m. ET, instructing it to suspend all access to the models by foreign nationals.

It said that it believed there was a “misunderstanding” and that it is working to restore access to the models as soon as possible. Access to other models will not be affected by the export control directive. “Our understanding is that the government believes it has become aware of a method of bypassing, or ‘jailbreaking’ Fable 5,” the company said. “We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities.

These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.” The unexpected move comes days after the launch of Claude Fable 5 and its counterpart Mythos 5, which uses the same underlying model but with the safeguards lifted in some areas, like cybersecurity. The latter, described as having the “strongest cybersecurity capabilities of any model in the world,” remains accessible to a vetted group of cyber defenders and critical infrastructure operators. Anthropic emphasized that it has implemented “strong” guardrails to prevent the misuse of its models for cybersecurity-related tasks . Specifically, this is undergirded by a set of safety classifiers that are used to detect potential misuse, including jailbreak attempts, and prohibit the main model from responding.

The cybersecurity classifier is designed to block harmful single-turn requests relating to planning a cyber attack, exploit development, or defense evasion, with the company noting that Mythos-class models are skilled at finding and exploiting software vulnerabilities, thereby giving attackers a strategic advantage. Last week, Anthropic revealed its Mythos-class model can turn newly disclosed software vulnerabilities into working exploits in hours, or even minutes in some cases, instead of weeks, converting N-days into N-hours. The findings suggest that frontier models may be just as good at rapidly weaponizing flaws that have been publicly disclosed. “A lone operator can now turn a month’s worth of patches into working exploits in a single afternoon - for a few thousand dollars and with no specialized expertise,” Anthropic’s Red Team said .

“This means that the typical patching playbook that software developers use today - with monthly release cadences, multi-week staged rollouts, and a lag between pre-release and stable channels - no longer holds.” Fable 5’s protections mean that queries on cybersecurity topics will instead receive a response from Claude Opus 4.8, the company’s next capable model. In its latest statement, the company argued that no universal jailbreak methods have been developed against the latest models to date, adding that third-party and internal red-teaming exercises have found its safeguards to be “substantially more effective than those of any previously deployed model.” Furthermore, Anthropic claimed that “the perfect jailbreak resistance” is not possible for any model provider, as every safeguard used by the industry is susceptible to non-universal jailbreaks that are “effective in very limited contexts or require additional effort to be adapted to each new situation.” “To date, the government has only given us verbal evidence of a potential narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws,” it said. “Our understanding is that one potential jailbreak was shared with the government. We have reviewed a report that we believe is the basis of the government’s directive and validated that the level of capability displayed there is widely available from other models (including OpenAI’s GPT-5.5), and is used every day by the defenders who keep systems safe.” Anthropic also pointed out that while it’s all for the government to block unsafe AI deployments, it said the discovery of a “narrow potential jailbreak” shouldn’t be the reason for recalling a commercial model that’s deployed widely.

The statutory process should be “transparent, fair, clear, and grounded in technical facts,” it added. Earlier this year, the U.S. Department of Defense labeled Anthropic a “supply chain risk” after the Claude-maker sought to draw red lines over the military use of its technology. The company has filed two lawsuits to block the designation.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux’s community package collection, and it is separate from the official Arch repositories, which were not affected.

If you installed or updated an AUR package on or after June 11, check it against the current affected-package lists before trusting the host. The list of names is large, still growing, and not yet complete. This attack goes after the trust model, not a software flaw. The compromised packages kept their names, their histories, and the trust that came with them.

Only the build instructions changed. The trap sat in the recipe, leaving the package itself looking exactly like the software users meant to install. No exploit, no zero-day, and no sign Arch’s own systems were breached. The attackers adopted abandoned packages, edited the build files, and let users run the payload for them.

Sonatype, which named the campaign Atomic Arch , found them going after orphaned projects: packages whose maintainers had walked away, leaving them open for anyone to adopt. They also spoofed git commit metadata so the changes looked like they came from a long-standing maintainer, an account an Arch Linux Trusted User later confirmed was never compromised. Once a package was adopted, its PKGBUILD or .install script was edited to run npm install atomic-lockfile during the build, pulling the malicious npm package alongside a couple of legitimate ones for cover. That package, atomic-lockfile@1.4.2, carries a preinstall hook that runs a bundled Linux ELF named deps.

Build the package, and the binary runs. Confirmed examples reported to the Arch mailing list include the alvr and premake-git packages. What the malware does Independent researcher Whanos reverse-engineered the deps payload and describes a Rust credential stealer aimed at developer workstations and build systems. It collects: Cookies, tokens, and local storage from Chromium-based browsers (Chrome, Edge, Brave, and many more) Session data from Electron apps, including Slack, Discord, and Microsoft Teams GitHub, npm, and HashiCorp Vault tokens, plus OpenAI/ChatGPT bearer material and account metadata SSH keys, known_hosts, and shell histories Docker and Podman credentials and VPN profiles Stolen files go out over HTTP to temp.sh.

Command and control runs through a Tor onion service via a local loopback proxy. For persistence, it installs a systemd service with Restart=always. With root it copies itself under /var/lib/ and writes a unit under /etc/systemd/system/; as a normal user it uses the home directory and a per-user unit under ~/.config/systemd/user/. Either way, it wants to come back.

Early write-ups oversold the eBPF rootkit. It is optional, and it only loads when the binary already has root and the right capability. It is not used to gain privileges. When it does activate, it hides the malware’s own processes, process names, and socket inodes from standard tools, using pinned BPF maps named hidden_pids, hidden_names, and hidden_inodes, and it kills attempts to attach a debugger.

That changes the cleanup advice. Removing the AUR package is not enough once the payload has run. A package manager can remove the files it knows about. It cannot prove the machine is clean after a rootkit-capable payload has had a chance to execute.

The binary also stages a second file tied to monero-wallet-gui that the analysis flags as a possible, unanalyzed cryptominer. An eBPF rootkit bolted onto a smash-and-grab stealer is unusual, and it is why this one is worth more than a shrug. Scope, and a second wave Sonatype’s first write-up counted more than 20 hijacked packages. Within a day, community trackers and the Arch aur-general thread had cataloged over 400, with one master list compiled by grepping the AUR git mirror, putting it around 408, and consolidated lists climbing higher.

The atomic-lockfile npm package itself showed only 134 weekly downloads on Socket before it was pulled from the registry, so the real exposure is the AUR build path rather than npm installs. A second wave used bun install js-digest, pushed from a separate set of accounts that community trackers link to the same npm publisher as atomic-lockfile. Its payload is a different binary, a separate ELF by its hash, that the community also flagged as malicious. How far this wave has spread is still being counted.

Early breakdowns listed a few dozen packages, while later grep-based searches of the AUR mirror returned much higher numbers that may include churn as commits are removed. Either way, it is not a footnote to the first wave, so check for both atomic-lockfile and js-digest. What to do now Arch maintainers are resetting the malicious commits, banning the accounts, and asking users to keep reporting suspect packages in the mailing-list thread. Treat the published affected-package list as incomplete.

On your end: Check any AUR package installed or updated on or after June 11 against the community package lists and detection scripts, which compare your foreign packages against the known-bad set. Grep recent build history and caches for npm install atomic-lockfile, bun install js-digest, and the payload path src/hooks/deps. If a flagged package ran, treat the host as credential-compromised. Rotate everything the stealer touches: browser sessions, SSH keys, GitHub and npm tokens, Slack, Teams and Discord sessions, Vault tokens, Docker and Podman credentials, and any cloud keys.

Hunt for persistence. Check for unknown systemd services (both system units and ~/.config/systemd/user/) and unexpected files under /var/lib/. Inspect /sys/fs/bpf/ for the maps hidden_pids, hidden_names, and hidden_inodes. Review outbound connections to Tor and to upload services.

If the package ran as root, assume the rootkit is present and reinstall from trusted media. There is no way to trust the system otherwise. Going forward, read the PKGBUILD and any .install hooks before you build, especially for packages recently adopted or suddenly active after long dormancy. If you do not understand the build instructions, do not install the package.

For detection, the main payload’s SHA-256 is 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b; the full indicator set, including the onion C2 host, is in the ioctl.fail analysis. The same adoption tactic hit an abandoned PDF-viewer package back in 2018 ; the 2026 version just scaled it up, part of a broader run of supply-chain attacks that hijack orphaned projects to inherit trust rather than typosquatting to trick users. The affected list is still incomplete, and no CVE has been assigned; Sonatype tracks the campaign as Sonatype-2026-003775 (CVSS 8.7). The attack worked because the AUR still trusts a package’s name and history over who is maintaining it now.

A recently adopted package, or one that suddenly sprouts new install hooks, now deserves the same suspicion as a package from a stranger. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing

Google on Friday said it’s pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phishing-as-a-service (PhaaS) software kit called Outsider, per the tech giant. “The operation weaponized Gemini to help generate fraudulent phishing pages and deploy massive SMS phishing (‘smishing’) attacks, often through text messages impersonating legitimate brands, alerting recipients of ‘brokerage account issues’ or insisting they are eligible for ‘rewards through their mobile phone carrier,’” Google said . “The texts prompt users to click a link leading to a fraudulent website that mimics trusted institutions to steal personal and financial information.” Google said it’s filing the lawsuit to dismantle the network’s infrastructure, and that it’s partnering with AT&T, T-Mobile, and Verizon to block such messages from reaching customers.

Outsider’s operations, according to the company, are coordinated through Telegram, with the network distributing phishing kits that make it possible for threat actors to push fake text messages that claim to be from trusted brands. These schemes are estimated to have victimized more than 100,000 people, leading to millions of dollars in losses. In addition, 9,000 fake websites and more than 1.59 million fraudulent URLs tied to the phishing service have been identified between November 14, 2025, and April 14, 2026. In a two-week period from May 18 to June 1, 2026, Outside was responsible for 55,000 spam texts flagged by Android users.

During the same timeframe, 2.5 million messages were sent by the network to Android users containing links to Outsider-generated websites. For as little as $88 a week (or $200 a month), the kit allowed criminals to create fraudulent websites, launch phishing campaigns, and steal victims’ credit card numbers, bank account credentials, and personal data. A license can be purchased via a “self-service ordering bot” on Telegram ( @OutsiderCodeBot ). The service also offers more than 290 pre-built templates that impersonate legitimate websites of trusted institutions, real-time keystroke logging, and a performance dashboard to track the effectiveness of a campaign.

“As if Outsider’s plug-and-play simplicity were not alarming enough, the Enterprise has made the tool even more powerful by providing step-by-step instructions on how Outsider can weaponize AI-generated code,” Google said in its complaint filed in Manhattan federal court. “Following those instructions, Enterprise members can use AI tools to generate programming code for a shell website, and copy and paste that code into Outsider to transform that shell into a fraudulent site that can be used to steal personal or financial information from their victims.” Google said the prompts for Gemini and other AI platforms are framed as harmless requests for programming assistance, asking the model to generate HTML code to design a “gift redemption page” with the desired functionality and features, and instructing it to avoid using JavaScript and employ inline CSS to implement it. Once the counterfeit website is online, its URL is sent to potential victims via text messages. The Outsider Enterprise is said to include a number of interconnected groups that play different roles, but collaborate to execute phishing attacks using the phishing kit.

These include - The Developer Group, which supplies the phishing software and templates The Data Broker Group, which provides curated lists of people to target The Spammer Group, which provides the tools to send fraudulent text messages in bulk The Theft Group, which helps monetize stolen information (e.g., credit cards and credentials) and launder funds from stolen credit cards The Telegram Group, which facilitates collaboration among members and recruits new members The advantage with such services, as in the case of recently disrupted Sniper Dz , is that they dramatically lower the barrier to entry for novice fraudsters lacking programming knowledge, who can leverage them to mount convincing phishing attacks with minimal effort and at scale. “The criminals behind the Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims,” said Brett Leatherman, assistant director of the U.S. Federal Bureau of Investigation’s (FBI) Cyber Division. “Criminals increasingly use AI to make fraud like this more convincing and harder to detect.” The FBI said the PhaaS platform accounted for at least an estimated 3,870,000 stolen credit cards and a corresponding estimated $1.9 billion in losses between July 2023 and the present.

As part of a joint takedown called Operation Ghost Hook, a number of domains, including a Shopify e-commerce storefront and an account used to test the phishing service, have been seized. In tandem, approximately $100,000 USDT from Outsider payment wallets have been confiscated, along with disrupting thousands of phishing domains from U.S. providers, rerouting them to an FBI splash page. The law enforcement agency also said it leveraged an Outsider Telegram bot to obtain information on the cybercrime network’s customers.

Operation Ghost Hook is part of Operation Riptide, which the FBI described as an ongoing campaign targeting the “criminal actors, infrastructure, and financial networks behind cybercrime, cyber-enabled crime, and fraud against the American people.” The development comes exactly seven months after Google filed another lawsuit in the U.S. against China-based hackers behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that ensnared over 1 million users across 120 countries. Update The Telegram bot (@OutsiderCodeBot) used to purchase Outsider licenses is no longer accessible. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant , says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The network it targeted had no direct internet access, so the group first staged through internet-facing systems to get there. The earliest traces go back to 2016.

Instead of dropping new malware that a scanner might catch, the attacker changed the trusted login programs themselves. Nothing obvious appeared, and no exploit was needed, so the activity looked like normal administration. On many machines, the attacker replaced the main PAM login module with backdoored copies. Some let them in with a secret password; others quietly recorded real usernames and passwords as people logged in.

Researchers found nine separate versions. The OpenSSH programs were altered the same way, logging credentials and every command typed, with a hidden switch to turn that logging off when needed. Reaching the isolated network at all took extra work. The attacker used other disguised tools and an internet-facing web server as a bridge, passing commands through it to open remote sessions deep inside the segment that had no direct internet access.

Because the login system itself was compromised, normal containment did little. Password resets and killed sessions do not help when the thing that checks those credentials is working for the attacker. This is not new for the group. Each time defenders find one foothold, Velvet Ant moves to gear they watch less and sets up there.

In a 2024 case , Sygnia found the same actor turning internet-exposed F5 BIG-IP appliances into internal command servers. Later that year, it reported the group exploiting a Cisco NX-OS flaw, CVE-2024-20399 , to plant a backdoor on the switches . That bug needs admin access first, so it is a persistence tool, not a remote break-in. Cisco patched it in July 2024, and CISA flagged it as exploited the next day.

Operation Highland is the same idea, one level deeper. Load balancers, switches, and the login software itself are trusted by default and rarely checked, which is exactly why a patient attacker hides inside them. Operation Highland is not a one-CVE problem. The attacker changed trusted programs after getting in, so the fix is verification, not patching, and cleanup is delicate: a wrong replacement can lock admins out of a live system.

Watch the login files . Monitor the PAM and OpenSSH programs and their key files for any change, and alert when they change. Hunt by checking what changed , not by waiting for an alert. Compare these programs against known-good copies, because nothing will flag them for you.

Remove the backdoor before resetting passwords , or the new ones get stolen the same way. Test any replacement in a lab first. The earlier F5 and Cisco cases have their own checks: patch CVE-2024-20399 on Cisco Nexus gear, and watch F5 boxes for unexpected outbound connections. The wider lesson is plain: infrastructure that sits outside normal monitoring still needs integrity checks, and that now includes the login layer.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted using Sentry, an open-source error-tracking and performance-monitoring platform. “The attack exploits a critical architectural flaw at the intersection of Sentry’s event ingestion (which accepts arbitrary payloads from anyone with the DSN) and the Sentry MCP server (which returns this data to AI agents as trusted system output),” security researchers Ron Bobrov, Barak Sternberg, and Nevo Poran said . The idea is to inject crafted input into Sentry error events, which are then interpreted by coding agents like Claude Code and Cursor as legitimate diagnostic resolution steps and run attacker-controlled code.

A successful attack of this kind can expose sensitive data, including environment variables, Git credentials, private repository URLs, and developer identities, without having to rely on methods like phishing or prior server compromise. The problem is rooted in the implicit trust associated with connecting to external services using Model Context Protocol (MCP). Because an AI agent is unable to distinguish between an error event generated by a real application crash or injected by an attacker, it creates a pathway to arbitrary code execution when the agent processes the response. The attack chain devised by Tenet is as follows - An attacker finds a target’s Sentry Data Source Name ( DSN ), a public, write-only credential that’s embedded in websites.

The attacker sends a malicious error event to Sentry’s ingest endpoint via a POST request using the DSN. The injected event contains “carefully formatted markdown” in the message field and context key names. When the Sentry MCP server returns this event to an AI agent, it is rendered as structured content visually identical to the Sentry’s system template. When a developer asks their AI coding agent to “fix unresolved Sentry issues” (or a similar prompt), the agent queries Sentry via MCP and receives the malicious event.

The agent executes malicious code, which runs with the developer’s full privileges. “The attacker never touches the victim’s infrastructure,” the researchers explained. “The malicious instruction arrives disguised as a legitimate ‘Resolution’ inside an ordinary error. When a developer asks their AI agent to fix the Sentry issue, the agent reads the attacker’s command as trusted guidance and runs it - with the developer’s own privileges, on the developer’s own machine.” Agentjacking stands out because it targets the AI agent a developer trusts and uses a Sentry DSN as a starting point.

In addition, the markdown injection is rendered such that the agent cannot distinguish it from legitimate Sentry guidance. The AI cybersecurity company said it found at least 2,388 organizations exposed with valid injectable DSNs, and that it tested the attack in a controlled manner against over 100 organizations, achieving an 85% exploitation success rate against injected errors across some of the most widely used AI coding assistants. Sentry, for its part, has acknowledged the issue, but opted not to fix it, stating it’s “technically not defensible.” However, the company is said to have activated a global content filter that blocks a “specific payload string.” “As enterprises race to deploy AI coding agents, this research proves the agents themselves are now the attack surface - turned against the developers who trust them, using nothing but data those organizations publish about themselves,” Tenet said. “The attack bypasses EDR, WAF, IAM, VPN, Cloudflare, and firewalls - because there is nothing malicious to detect.

Every action in the chain is authorized.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Rethinking MDR as Attackers and Defenders Embrace AI

For most of the past decade, managed detection and response was the answer to a real problem. Security teams couldn’t staff around the clock, couldn’t hire enough analysts, and needed someone else to handle the alert queue. MDR stepped in. It worked well enough.

Until now. The threat landscape has changed faster than the MDR model can adapt. Attackers are using AI to move faster, generate more convincing phishing at scale, automate reconnaissance, and create malware variants that evade signature-based detection. The attack surface has expanded from endpoint to cloud, identity, and network simultaneously.

And yet MDR is still doing what it always did. Routing alerts to human analysts who triage what they can, in the order they can get to it. That is no longer enough. The data we share below proves it and security leaders might consider exploring whether they have outgrown their MDR .

MDR’s 24/7 promise doesn’t cover 60% of your alerts MDR promised 24/7 human coverage. What it delivered was a 24/7 human capacity to triage high-severity alerts. Those are not the same thing. Across the industry, approximately 60% of alerts go unreviewed.

That’s not a performance failure. Human teams, whether in-house or outsourced to an MDR, cannot process the volume of alerts that modern environments generate. So they do what any rational person does. They prioritize.

P1s and P2s get worked. P3s and P4s pile up. But this is exactly where attackers hide. Analysis of 25 million alerts across global enterprises in 2025 found that nearly 1% of real threats originate in low-severity and informational alerts.

In an enterprise generating 450,000 alerts annually, that translates to roughly 54 real incidents per year, about one per week, sitting in the deprioritized queue where no one is looking. The breaches hiding in that backlog are not theoretical. They are happening right now, in organizations that believe they have coverage. Note: The math behind the above statement assumes 450K annual alerts, of which 60% are not investigated and of those, 2% are real incidents.

Of those real incidents, 1% originate in low-severity alerts. Investigation quality varies by who is on shift Even for alerts that do get reviewed, MDR investigation quality is not consistent. It is bounded by the experience of the analyst on duty, the queue depth at that moment, the time of day, and whether the team is fully staffed. A P1 at 3 am gets a different investigation than the same alert at 10 am.

This is not a criticism of MDR analysts. It is a description of what happens when any human-executed process runs at high volume, under pressure, around the clock. Variance is unavoidable. The consequences are real.

When an investigation is shallow, threats get classified as noise. When follow-through is inconsistent, early-stage lateral movement looks like routine behavior. The attacker who got in on a low-severity alert keeps moving undetected because no one had the time or context to connect the signals. Detection engineering is not a closed loop In most MDR deployments, detection engineering is a periodic exercise.

Rules get tuned when customers complain about alert volume. New coverage gets added when a major CVE makes news. Otherwise, the detection posture drifts. The core problem is architectural.

MDR investigation and detection engineering operate in separate silos. When an analyst investigates an alert and closes it as a false positive, that insight rarely feeds back into the detection system. Broken rules stay broken. Noisy rules keep generating noise.

New attacker techniques arrive without matching detections. The result is a detection posture that degrades faster than it improves. Real coverage, measured against the MITRE ATT&CK framework, can be far lower than teams assume. You can’t audit what you can’t see Most MDR services are a black box.

Customers receive escalations and summaries. They do not get to see the investigation logic, inspect the evidence trail, verify the verdict, or audit what the analyst actually reviewed before closing a case. In an era where accountability and transparency are security requirements, this is a genuine liability. When an incident is missed, you cannot diagnose why.

When a verdict is wrong, you cannot trace the reasoning. When regulators ask what was investigated and how, there is no answer. The AI savings are going to the vendor, not to you AI is reducing the operational cost of MDR. Providers are using it to automate portions of triage, reduce analyst hours, and increase margins.

Those efficiency gains do not flow through to customers as lower prices or expanded coverage. The buyer still pays the same rate, or more. The provider keeps the savings. But the coverage gap stays the same.

The human scaling constraint stays the same. Only the provider’s cost structure has improved. You don’t own what was built in your name Detection rules, triage logic, case history, and investigation learnings accumulate inside the MDR vendor’s platform over the life of the contract. When the contract ends, that knowledge does not move with you.

The years of tuning, the accumulated context about your environment, and the detection improvements built from your data all stay with the vendor. This creates two problems. First, organizations that switch providers start from scratch, rebuilding institutional knowledge that took years to develop. Second, organizations that want to bring security operations in-house, a trend that is accelerating as AI SOC tools mature, find themselves starting with no foundation.

MDR providers, for obvious reasons, are not incentivized to help customers build internal capability. Their model depends on retaining the work. Your MDR contract may block you from using Claude for your SOC The above-mentioned knowledge lock-in is no longer just a switching-cost problem. It’s also an AI readiness problem.

When you try to deploy an AI agent for SOC work, it needs a knowledge foundation to reason over. Detection rules, case history, behavioral baselines, and forensic verdicts. If those live in your MDR vendor’s platform, your agent is starting from near zero. Additional MDR gaps worth noting Aside from the above, MDR has a set of smaller gaps that compound over time.

Every customer gets the same generic playbook regardless of their specific risk profile, compliance obligations, or data sensitivity. Integration tools like SOAR, which were supposed to streamline MDR findings into internal workflows, largely failed to deliver on that promise because human-driven investigation doesn’t produce the structured, consistent outputs that automation requires. And when a real incident surfaces and a customer needs to talk to someone who understands their environment, they often reach an AI chatbot or a ticketing queue instead of a person. What the AI-powered attacker era actually requires The attackers of 2026 are not waiting for alert queues to clear.

AI-generated phishing campaigns hit inboxes at a volume and quality that bypass conventional gateways. Credential stealers like Agent Tesla and LummaC2 move fast. EDR tools are being actively evaded, with research showing that more than half of confirmed compromised endpoints had already been marked as “mitigated” by the EDR vendor . The attacker has already won a round that the defender didn’t know was being played.

Meeting this moment requires a different operating model. One where investigation speed is measured in seconds, not hours. Where every alert gets examined, regardless of severity or time of day. Where the output is an evidence-backed verdict, not an analyst’s judgment call under pressure.

This is what an AI SOC is designed to deliver. An operating model shift where AI executes and humans supervise The core idea behind an AI SOC is simple. Move investigative execution out of the human queue and into AI, so that humans can focus on decisions rather than discovery. In practice, this means 100% of alerts, including endpoint, identity, cloud, network, phishing, and SIEM, are triaged and investigated automatically.

Not sampled. Not filtered by severity. All of them. The AI applies the same forensic depth to a P4 alert at 3 am that a senior analyst would apply to a P1 in the afternoon.

Intezer’s platform data across 25 million alerts shows this is achievable. Less than 2% of alerts required human escalation. The over 98% that resolved autonomously did so with sub-minute median triage time and 98% verdict accuracy. For a large enterprise with 450K annual alerts, that means roughly 441K alerts per year are fully investigated and resolved without human intervention and 54 genuine threats that would have been missed under traditional MDR coverage are now caught with actional remediation recommendations.

Forensic depth is what makes AI autonomy trustworthy AI can summarize an alert. That’s useful. AI can enrich with threat intelligence. Also useful.

But neither of those activities is investigation. They are pre-processing. Genuine AI-driven investigation requires forensic-level interrogation. When an alert fires, the question is not “does this look suspicious?” It is, what actually executed, where did it originate, what did it do, and is there evidence of compromise in memory that the alert itself didn’t surface?

This matters because the most dangerous threats are specifically designed to evade surface-level detection. Fileless malware lives entirely in memory and writes nothing to disk. Code injection hides inside legitimate processes. Early-stage credential theft looks like normal authentication.

Without memory forensics, binary analysis, and code reuse detection, an AI investigation is only as deep as the alert data it was handed. Forensic depth is also what creates the trust threshold, the point at which AI verdicts are accurate and evidence-backed enough to act on without human validation. Below that threshold, AI assists analysts. Above it, AI can safely take on the full investigative workload and escalate only when evidence warrants it.

Closed-loop detection engineering changes everything One of the most significant structural advantages of a true AI SOC is the closed loop between investigation and detection. Every alert investigation surfaces information about detection quality. Which rules are firing accurately, which are generating noise, and which attacker techniques have no coverage at all? When this feedback flows continuously into detection engineering, the posture improves without waiting for an annual audit or a customer complaint.

Noisy rules get tuned. Broken telemetry gets flagged. New coverage for emerging techniques gets deployed in days, not months. The detection system gets smarter alongside the investigation system.

This is how MITRE ATT&CK coverage moves from a static baseline to a dynamic, improving map of what an organization can actually detect. It is the difference between coverage that reflects what was set up two years ago and coverage that reflects what attackers are doing today. Pricing that aligns with full coverage The economics of an AI SOC should match the coverage it provides. Per-alert pricing, still common among AI copilot tools that rely heavily on LLMs, forces customers to be selective about which alerts to send.

The result is the same cherry-picking problem that MDR created. High-severity alerts get the attention, low-severity alerts accumulate in a deprioritized queue. Per-endpoint pricing changes this entirely. The cost is fixed to the number of monitored endpoints, not to alert volume.

There is no economic penalty for investigating every alert. Full coverage becomes the default, not a premium option. This also matters for budget predictability. Alert volumes spike unpredictably during active incidents or when new detections deploy.

Endpoint counts are stable. For finance teams trying to plan security spend, the difference is significant. What ownership looks like under an AI SOC Detection rules, investigation history, and organizational context should belong to the organization, not to the vendor. This means every detection deployed to a customer’s SIEM is the customer’s rule.

Investigation evidence is available for audit at any time. If the organization decides to expand internal capability, build its own AI agents, or switch tools, they take everything with it. This is not just a contract term. It is a prerequisite for security maturity and for broader adoption of AI tools like Claude for your security team.

Organizations that want to eventually supervise AI systems rather than outsource to vendors need a knowledge foundation to build on. That foundation cannot exist if it lives inside a vendor’s platform. The transition from MDR to AI SOC Moving from MDR to an AI SOC is not necessarily a rip-and-replace decision for most organizations. The practical path might be augmentation first.

Bring in an AI investigation alongside the existing MDR contract, observe what the AI surfaces that the MDR was missing, and let the comparison build the case for a clean transition at renewal. By the time the MDR contract is up for renewal, the organization typically has months of evidence showing what full alert coverage looks like, what the escalation rate was under AI triage, and what it would cost to maintain the old model versus the new one. The decision is no longer theoretical. The question security leaders need to answer The MDR model was designed for a world where attackers operated at human speed, and the primary challenge was staffing coverage.

That world is gone. Attackers are running AI-assisted campaigns, moving through environments faster than human triage queues can respond, and specifically targeting the low-severity signal space where MDR leaves blind spots. The question for every CISO and security leader evaluating their current operations is straightforward. Of the 60% of alerts your team isn’t reviewing, how confident are you that none of them contain a real threat?

The answer, informed by Intezer’s analysis of 25 million real alerts, is that roughly 54 of them do. Every year. One per week. In the pile that no one is looking at.

The AI SOC doesn’t promise to eliminate all threats. No platform does. But it closes the coverage gap that the MDR model structurally cannot. Every alert, every severity, every hour of the day, is investigated with forensic depth, in under a minute.

That is what security operations in the AI era look like. Found this article interesting? See the 2026 MDR renewal checklist by Intezer . Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution

Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph , including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications. “An SQL injection in LangGraph’s function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data,” Check Point said . The list of identified vulnerabilities is as follows - CVE-2025-67644 (CVSS score: 7.3) - A SQL injection vulnerability exists in LangGraph’s SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys.

(Affects langgraph-checkpoint-sqlite versions before 3.0.1) CVE-2026-28277 (CVSS score: 6.8) - An unsafe msgpack deserialization vulnerability in LangGraph that could be used to trigger object reconstruction when a checkpoint is loaded by an attacker who can modify checkpoint data. (Affects langgraph versions before 1.0.10) CVE-2026-27022 (CVSS score: 6.5) - A RediSearch Query Injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. (Affects @langchain/langgraph-checkpoint-redis versions before 1.0.1) “The vulnerability chain is exploitable in self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input,” Check Point said. “LangChain’s managed platform (LangSmith Deployment), is not affected.” Security researcher Yarden Porat, who is credited with discovering and reporting all three flaws, said CVE-2025-67644 and CVE-2026-28277 could be chained to achieve remote code execution.

Specifically, the attack chain hinges on the application exposing the get_state_history() endpoint, which then allows an attacker to retrieve historical checkpoints based on their metadata. It requires the following steps - The attacker prepares a msgpack payload containing instructions to execute arbitrary code. The attacker sends a malicious filter parameter that exploits the SQL injection vulnerability to return a fake checkpoint row to the database query results, where the checkpoint column contains attacker-controlled serialized data. When the application processes the query results, it deserializes the malicious checkpoint’s BLOB.

The attacker exploits the unsafe deserialization vulnerability to execute the attacker’s payload, giving them remote code execution on the server. LangGraph has described CVE-2026-28277 as a post-exploitation issue, where successful exploitation requires the ability to write attacker-controlled checkpoint data and turn that into code execution in the application runtime, and it does not pose any risks to existing LangSmith-hosted deployments. In such a scenario, this escalation from write access to checkpoint store” to code execution may “expose runtime secrets or provide access to other systems the runtime can reach,” LangGraph maintainers said. “The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.” Check Point said the findings illustrate how classic vulnerability classes like SQL injection can become more potent when they manifest inside AI agent frameworks that carry elevated access and trust, thereby opening the door to sensitive data exposure.

Users are advised to apply the latest fixes, implement authentication for self-hosted LangGraph servers, avoid long-lived static secrets, enforce network segmentation, treat AI agents as privileged identities, and apply the principle of least privilege (PoLP) to limit the agent’s access footprint. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator

An INTERPOL-led operation last month resulted in the disruption of Sniper Dz , a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz , took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary developer and administrator of Sniper Dz, a PhaaS service that’s said to have collected more than 45,000 victim records. The arrest was made by the Algerian National Police.

Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz. As part of Operation Ramz, the website used to offer PhaaS capabilities to other cybercriminals was taken down. Authorities also seized hardware containing phishing software and scripts. “Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals,” the Singapore-headquartered cybersecurity company said .

In the years since then, more than 20,000 unique domains associated with the PhaaS service have been identified. The toolkit primarily targeted 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam, using 80 phishing templates deployed in five languages, including Arabic, English, French, Spanish, and Hebrew. Phishing campaigns using Sniper Dz singled out users of technology, social media, and streaming platforms across several geographies by impersonating popular brands and government entities using convincing imitation websites with the goal of harvesting credentials, personal information, and other sensitive data. “Beyond traditional credential theft, the platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across the Middle East and North Africa,” Group-IB explained.

“Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access.” Sniper Dz was the subject of a comprehensive analysis by Palo Alto Networks Unit 42 in October 2024, which detailed the threat actor’s use of a Telegram channel with more than 7,300 subscribers to share tutorial videos and the options it provides to host the phishing pages on its own infrastructure behind a proxy server. What made Sniper Dz stand out from the crowded PhaaS market is that it offered its entire infrastructure for free, making it easier for aspiring cybercriminals to pull off phishing campaigns at scale. The monetization avenues instead relied on credential theft and victim traffic. “Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns,” Group-IB said .

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs

Authorities in Europe have disrupted AudiA6 , a cryptocurrency laundering service used by ransomware gangs and cybercriminal networks. Europol, in a statement issued Thursday, said the dismantling of AudiA6 cut off a “key financial pipeline used to wash hundreds of millions in illicit profits.” The service is estimated to have been used to launder more than €336 million (~$389 million) since the service was launched in 2021. “The platform became a central hub for ransomware actors and cybercriminals seeking to cash out stolen digital assets while hiding the money trail from authorities,” the agency added . The operators of AudiA6 are suspected to have also administered a dark web cybercrime forum known as Dark2Web, where cybercriminals advertised illicit services and connected with other threat actors across the world.

As part of the operation that took place on June 10, 2026, a number of coordinated actions were carried out, including - The arrest of two alleged administrators of Ukrainian and Russian nationality in Georgia Three property searches Takedown of 25 domains and seizure of more than 30 servers Seizure of more than 80 vehicles and multiple properties in Georgia Freezing cryptocurrency assets worth €692,000 ($798,000) and seizure of €86,000 ($99,400) in cryptocurrency Blocking Telegram accounts used by the network Replacing the clear web and dark web websites of AudiA6 and Dark2Web with a law enforcement seizure banner In tandem, the U.S. Department of Justice (DoJ) announced charges against the two arrested individuals - Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25 - accusing them of one count of conspiracy to launder monetary instruments and one count of sting money laundering. If convicted, both of them face a maximum possible sentence of 20 years in prison. “Out of the approximately 10,333 bitcoin deposited, approximately 393.39 BTC (valued at around $19,234,331 at the time of the transactions) were received directly from known darknet markets, ransomware organizations, cybercrime services, and other illicit sources, while additional funds were deposited indirectly from illicit sources into AudiA6 wallets,” the DoJ said .

Europol said the crackdown was the result of an earlier enforcement action carried out by the Polish Police that led to the arrest of an Ukrainian national in September 2025 for their alleged involvement in money laundering activities connected to the AudiA6 group. This made it possible for authorities to initiate a forensic examination of the seized electronic devices belonging to the suspect and identify additional individuals linked to the operation. AudiA6 has been described as an industrial-scale cryptocurrency laundering operation that relied on thousands of fraudulent exchange accounts opened using stolen or purchased identities. The criminal service has been linked to more than 15 investigations worldwide related to ransomware attacks and large-scale cryptocurrency theft.

Prior to its disruption, AudiA6 was marketed as a cryptocurrency mixing service guaranteeing anonymity and speed. It allowed customers to transfer their ill-gotten proceeds to wallets controlled by the group and received “cleaned” funds in return within an hour through a “complex chain of transactions” designed to conceal the origin of the funds. These transactions took place over private messaging platforms, with the operators charging commissions ranging from commissions of between 3 percent and 10 percent. “More than 6,000 Know Your Customer (KYC) records linked to money mule accounts were identified during the investigation,” Europol said.

“Many of the mule accounts were connected to Russian-speaking intermediaries recruited specifically to help move criminal proceeds through cryptocurrency exchanges.” AudiA6 is also said to have relied on both commercial email providers and email addresses linked to domains under their control to register money mule accounts with various cryptocurrency exchanges. The names of the domains are listed below - designli.pictures pheontx.eu smplfy.in sumato-soft.org technobrains.dev lett.email trayo.app deliverly.top inboxly.top postfast.eu postino.click inboxally.agency mailora.eu postify.email quix.express flowcomm.click qube.black deliverlett.com lettermail.eu In a report published in November 2021, Intel 471 disclosed that AudiA6 required a minimum balance of 27 bitcoins and that it charged a flat service fee between 3 percent and 5.5 percent. As recently as December 2025, a TRM Labs analysis found that funds stolen from the 2022 LastPass hack were routed through Cryptex and AudiA6. The investigation was carried out by the United States Secret Service and the IRS Criminal Investigation, along with the Polish Police and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the U.K.

The findings illustrate the rise of industrial-scale cryptocurrency laundering services that enable the cybercrime economy, as well as the use of fraudulent exchange accounts, mule wallets and privacy-focused tools designed to cover up the money trail and bypass anti-money laundering controls. “Ransomware groups and cybercriminal networks are increasingly relying on chain-hopping, decentralised exchanges and ‘mixer-as-a-service’ platforms to move illicit cryptocurrency across multiple blockchains within minutes, helping criminal profits disappear into the digital underground,” Europol said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities

The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.

The flaw, CVE-2026-35273 , is a remote code execution bug in PeopleSoft Enterprise PeopleTools rated 9.8 out of 10. It needs no login and no user interaction, just network access over HTTP, to take over the server. If you run PeopleSoft with the Environment Management Hub reachable from outside, that is your exposure, and the immediate move is to lock those endpoints down. The vulnerability sits in the Updates Environment Management component, the piece behind the Environment Management Hub (PSEMHUB).

Oracle lists PeopleTools 8.61 and 8.62 as affected and says earlier, unsupported versions are probably vulnerable too. It credits researchers from TrendAI Zero Day Initiative and TrendAI Research for the report. Mandiant CTO Charles Carmakal confirmed the bug is being exploited in the wild; Oracle has not said whether it has seen exploitation. Its advisory points to a patch availability document behind a support login, and whether a full fix is broadly available is unclear.

For now, the guidance centers on mitigation. The operational detail became public because the attackers left their own gear exposed. Researcher @nahamike01 publicly flagged the open directories. Mandiant then triaged five sequential IP addresses running Python’s SimpleHTTP server on port 8888.

Those servers exposed the staging files: a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. The agents called home to a command-and-control server at azurenetfiles.net, a domain picked to look like Azure NetApp Files. The script, named [victim]_fanout.sh, spreads over SSH by spraying a hardcoded list of usernames and passwords against internal hosts pulled from /etc/hosts, then drops a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. The command history shows the data compressed with zstd and an outbound SSH connection to the server hosting the public mirror of the ShinyHunters leak site.

Mandiant notified more than 100 organizations whose IP addresses matched vulnerable endpoints. Sixty-eight percent were in higher education, most of them in the United States. Some blocked the activity; others were compromised and had data posted to the leak site. The University of Nottingham is one of the first confirmed victims.

Have I Been Pwned has counted about 455,000 unique email addresses in the leaked set, covering current students and alumni, with names, addresses, phone numbers, passport numbers, and details on ethnicity and disabilities. The university has confirmed the breach. Oracle’s guidance is to disable the Environment Management Hub service on multi-server setups, or remove the PSEMHUB application outright on single-server setups. If you cannot do either, block external access to /PSEMHUB/* (especially /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter.

Mandiant warns that WAF body-inspection rules alone are not enough, since they can be bypassed. Restricting these endpoints does not break normal user sessions. Then hunt for signs of an existing compromise: WebLogic access logs showing external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector. Unexpected .jsp files under the PSEMHUB.war web application directory, or odd folders named logs, persistantstorage, or scratchpad under the PSEMHUB paths.

Recently changed .xml files under the web doc root’s envmetadata/data/environment, which can be abused for XMLDecoder persistence that fires on the next restart. Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations, which the exploit chain may use to capture machine-account NetNTLM hashes. Apply Oracle’s update for your PeopleTools version once you confirm it is available in My Oracle Support. ShinyHunters says victim outreach has only just started, and it has not posted most of the organizations it claims, so more names are likely.

The method is the bigger tell. ShinyHunters has lately leaned on vishing, stolen tokens, and weak access controls to steal data from SaaS and education platforms, from Salesforce customers to Canvas . A server-side zero-day in on-premises ERP software is a step up from that, aimed at the same data-rich targets. The open question is whether this was a one-off borrowed zero-day or the start of ShinyHunters moving into ERP exploitation.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets

Two security teams have shown, in separate research published this week, that OpenClaw , the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and location pins that the agent executed without the victim ever seeing them. Varonis built a test agent on the platform, gave it a mailbox full of synthetic business data, and watched a single plain email talk it into forwarding mock AWS keys and a fake customer export to an outside address. The flaw Imperva found is patched in OpenClaw 2026.4.23, so update if you run it.

The phishing weakness Varonis found is not something a patch fixes; it comes down to limiting what the agent can do on its own. Different doors into the same room: the agent trusts what reaches it, and its access becomes the attacker’s. Hidden commands in a shared contact Imperva researcher Yohann Sillam looked at how OpenClaw hands messaging data to the model behind it. The problem is in the plumbing.

When the agent passes a shared contact, vCard, or location to the LLM, it flattens the object into the prompt text inline, with no boundary marking it as untrusted. The content the agent fetches from the web gets wrapped in an untrusted-content marker. Message objects do not. Only some fields travel to the model, and that is what the attack abuses.

A shared contact sends just the name field, serialized as <contact: name, number>. The angle brackets are legal in a name, so the model cannot tell where the real name ends and an injected instruction begins. The contact name is truncated where it shows on screen, both on WhatsApp and in the receiving app, so the victim does not see the payload either. The same trick works through a vCard’s full-name field, which WhatsApp supports natively, and through the label on a shared location pin.

In Imperva’s tests against Gemini 3.1 Pro (preview build), the hidden text told the agent to download and run a script from a server the researchers controlled. It did. A plain image with instructions buried in it failed, likely because that attack has been reported so often that models are now trained to resist it; the message-object route worked because models have seen far fewer examples of it. With OpenClaw’s memory on by default, Imperva warns, a single piece of widely shared content carrying a hidden instruction could quietly compromise the agents that ingest it, if they are not sandboxed.

Imperva disclosed the issue, and OpenClaw shipped a fix in version 2026.4.23 that moves contact names, vCard fields, and location labels out of the prompt body and into a separate untrusted-metadata channel. Imperva found the same flattening pattern in other personal AI assistants, so the underlying problem is not OpenClaw’s alone. A normal email is enough Varonis Threat Labs came at OpenClaw from the social angle. In research led by Itay Yashar, the team built an agent called Pinchy on the platform, wired it to a Gmail inbox stocked with realistic but synthetic business clutter and mock secrets, and ran it through four phishing simulations on Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4.

They draw a line between prompt injection, which hides instructions in data, and what they call agent phishing: a believable request that arrives through a normal channel and works because the agent acts before checking who sent it. The agent failed both exfiltration tests. In the first, a message posing as a team lead named Dan, sent from an outside Gmail address, asked for staging access during a fake production incident. Pinchy found the credentials and forwarded mock AWS IAM access keys, database connection strings, and SSH credentials in plaintext.

The second pretext was softer: a routine-sounding request for the weekly customer export, supposedly for a QBR deck. The agent shipped out a synthetic dataset of 247 enterprise customers, contacts, and contract values included. Both failures happened under a strict profile that told the agent to verify senders first. The rule existed.

Urgency beat it once, routine beat it the second time. The agent did better when the threat was technical rather than social. It interacted with a gift-card phishing page but withheld real credentials and eventually flagged it; the strict profile blocked the page outright. On a malicious OAuth consent screen dressed up as a timesheet app, it inspected the redirect target, judged it suspicious, and stopped before granting access.

That is the split Varonis draws out: the agent is better than many people at spotting bad URLs and fake login portals, and worse at the social judgment that makes a human pause when a colleague suddenly asks for credentials at an odd hour. The drive to be helpful is the attack surface. Varonis says OpenAI Codex GPT-5.4 was more cautious than Gemini 3.1 Pro about entering or sending data to outside sites without confirmation, but both fell for the social pretexts. The weak spot behind both attacks
Varonis maps both attacks onto what Simon Willison calls the
lethal trifecta
an agent that can read private data, take in untrusted content, and send data back out.

OpenClaw has all three, which is why a poisoned contact and a friendly email end in the same place. That trust boundary is not only a prompt problem; it shows up in OpenClaw’s code as well. A separate InfoSec Write-ups analysis turned OpenClaw’s past advisories into static-analysis rules, then used them to find five more flaws across the Slack, Discord, Matrix, Zalo, and Microsoft Teams channel extensions. All five were the same bug: the startup code resolved each channel’s allowlist by mutable display name instead of a stable ID, so an attacker who renamed themselves to match an allowed user could slip onto the list and steer the agent.

OpenClaw has patched them. OpenClaw ships with broad access to files, shells, and more than twenty messaging platforms, and it has drawn a steady run of earlier prompt-injection and data-exfiltration warnings since it launched late last year. The Dutch data protection authority took the strongest line: the Autoriteit Persoonsgegevens told users and organisations not to run OpenClaw on systems that hold sensitive data, citing data-breach and account-takeover risks. What to do about it Anyone running OpenClaw should update to 2026.4.23 or later for the message-object fix.

The rest is architecture, not prompt wording, and Varonis lays out four controls. Treat the agent’s instruction file as an enforced, version-controlled policy, not a suggestion. Outbound mail needs a gate: no first-time sends to unfamiliar addresses without approval, so a hijacked agent cannot relay phishing from a trusted account. Connector access should track the trust level of whatever triggered the task, so an inbox handling outside email cannot also read the whole CRM.

And the riskiest actions, forwarding credentials or moving money, should wait for a human. Both teams land on the same mental model. Varonis frames it as treating the agent like a junior employee with system access and no instinct for what looks off, not as a security tool. Imperva gets there from the other direction, calling it an authenticated executor that trusts its inputs.

The fixes on offer today are specific patches and guardrails. The harder problem is still open. An agent useful enough to act on your email and run your commands is, by design, one that trusts input and wants to help, and nobody has a general fix for that yet. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.