2026-06-18 AI创业新闻
Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point Research. The threat actor also has at their disposal a dedicated WordPress phishing page that acts as the central hub, alongside GitHub and SourceForge projects promoted by fake accounts, a YouTube channel, and a cluster of accounts that engage in coordinated activity on VirusTotal with the intent to misclassify malicious files as safe. “To push a malicious ‘tool,’ a single threat actor borrowed the same playbook legitimate brands use to build buzz: inflated download counts, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms people instinctively trust,” Check Point said in a report shared with The Hacker News. “The result is a fake reputation economy spanning every platform a curious victim might check before they click ‘download.’” The end goal of the campaign is to push a cryptocurrency clipboard hijacker that’s concealed within Solana and Pump.fun sniper bots and crash-game predictors, suggesting that cryptocurrency asset holders and online gamblers on the hunt for shortcuts and quick profits are the targets.
The Rust-based clipper targets both Windows and macOS systems, and continuously monitors the clipboard for content that matches a cryptocurrency wallet address pattern. When a match is found, the malware substitutes the wallet address with an attacker-controlled address pulled from a hard-coded list, effectively routing the digital assets to them. What’s notable about the activity is the use of Ghost Networks to poison reputation-driven systems like VirusTotal, aiming to reduce suspicion and increase victims’ trust in the malicious files through a combination of upvotes and highly positive comments. This behavior also extends to GitHub, where the threat actor operates at least six GitHub accounts to cross-promote and distribute their malware.
These synthetically boosted signals are designed to lull users into a false sense of security and trust. One such repository has 146 stars and 62 forks. “On SourceForge, the download counter reached 44,485, with a suspicious 37,460 supposedly originating from Android devices, despite the developer only offering Windows and macOS versions,” Check Point explained. “A plausible explanation is the use of an Android farm to artificially inflate the download count on SourceForge.” Furthermore, the software solutions are promoted through a dedicated YouTube channel with over 91,000 subscribers.
The channel was created in July 2020, with the operators claiming that it’s “strictly for educational purposes only.” The tutorial-style videos feature AI‑generated narrators and positive comments to reinforce the illusion of popularity and trustworthiness. Perhaps the most unusual aspect of the campaign is the threat actor’s use of a press release distribution service like EIN Presswire to market their tool’s purported capabilities. The press release has since been syndicated across the service’s partner news websites , primarily the USA TODAY Network. “Manipulating sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust,” Check Point said.
“The same playbook of fake reputation and aggressive cross-platform promotion can easily distribute information stealers or ransomware to higher-value targets over time.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development
Microsoft has formally disclosed that it’s working to release a patch to address a Defender zero-day codenamed RoguePlanet . The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw. “Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender, publicly referred to as ‘RoguePlanet,’” the company said. “We are working to provide a high-quality security update that addresses this vulnerability.” The development comes nearly a week after a security researcher named Chaotic Eclipse (aka Nightmare-Eclipse) released RoguePlanet, calling the exploit a case of a race condition that grants attackers a shell with SYSTEM-level privileges.
- “The exploit is a race condition, so it’s a hit or miss,” the researcher noted. “I have managed to get a 100% success rate on some machines while it struggled to work on others.”
- In an update shared Tuesday, the researcher
- added
- “I forgot to add one thing, surprisingly, the PoC for RoguePlanet works regardless if real-time protection is on or not, which is hilarious. I think it even works in the case of passive mode, but not really sure, haven’t tested that.” Microsoft told The Hacker News last week that it’s aware of the reported vulnerability and that it’s “actively investigating the validity and potential applicability of these claims.” RoguePlanet is the fourth Defender vulnerability disclosed by Chaotic Eclipse after BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), all of which have since been patched by Microsoft. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim’s machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next day, his access did not.
Eighteen days later, the C2 came back, his agents reconnected on their own, and he carried on. Cato Networks captured the whole operation command by command, 339 of them over 33 days, after the operator left his SSH keys and a step-by-step playbook in an open storage bucket. The write-up, published Tuesday by Cato CTRL researcher Vitaly Simonovich, is a rare view of an intrusion from the operator’s keyboard rather than the forensic leftovers. Researchers’ lesson is blunt: pulling a C2 server offline is not remediation if the attacker has already built a separate door.
The actor, handle “Poisson,” is not an APT. Researchers describe a junior operator on what looks like a school schedule, active after 3 p.m. CET with a long midday gap, all of it running on free-tier kit: DuckDNS, Backblaze B2, and a cheap IONOS VPS in Berlin. His tradecraft was thin.
He leaked his home directory five times, named his storage buckets after his own handle, and left a test file of his own keystrokes typed over and over inside the keylogger package. He failed at roughly half of what he tried. He compromised four machines anyway. The chain The malware ran almost entirely in memory.
A VBScript stager with a sandbox-evasion delay decrypted a PowerShell loader, which pulled down a .NET loader that ran Havoc’s Demon agent without dropping the implant to disk. For elevation, he used Start-Process -Verb RunAs, which is not a silent UAC bypass. It pops the Windows consent prompt and waits for someone to click Yes. On one victim, it took a dozen tries across two days.
After that came the nailing-down: a scheduled task running at every logon with highest privileges, shellcode injected into Explorer.exe, and a custom-built RustDesk as a backup channel. The credential grabber was a 70-line Python keylogger that wrote keystrokes to a local file, with no beacon and no exfil server. Poisson just logged in, grabbed the file by hand, and ran powercfg to keep the machines from sleeping, so harvesting never paused. The move that matters On April 7, in a five-hour overnight session, he installed OpenSSH Server and Tailscale, joined the victim’s machine to his private Tailscale network, and set up key-based SSH and a reverse tunnel.
Now he could reach the machine over Tailscale’s encrypted mesh with no C2 and no exposed ports. The next day, the Havoc infrastructure went offline. Cato does not say why, and it barely matters: the Tailscale path sat on a separate network, so the access lived. When the C2 returned on April 26, the agents reconnected automatically, no re-compromise required.
Over the final five days, he ran 145 more commands, probed smart-card and certificate stores (a sign he was eyeing certificate-based logins), ran two unexplained executables from a file named Thales.zip for about 32 minutes total, then deleted 17 files and went quiet on May 1. What he wanted was narrow. No Mimikatz, no lateral movement, no ransomware, and no sign he took the documents he browsed, from tax records to insurance. Just what people type: banking logins, email passwords, government portals.
For a small business owner, that is direct financial exposure. None of the tools is new, which is the point. China’s APT31 used Tailscale through 2024 and 2025 to tunnel quietly out of Russian IT firms, Scattered Spider has leaned on legitimate remote-access tools like Ngrok and Fleetdeck, and RustDesk, Poisson’s backup channel, turns up in recent Akira ransomware intrusions. The binaries are signed and legitimate, so detection that stops at bad files, not bad behavior, misses them.
What Poisson adds is command-level proof that the trick outlives a takedown, run by someone clearly still learning. What to watch Cato’s hunting list is concrete: Alert when OpenSSH Server installs on a Windows workstation, which is rarely legitimate. Watch for tailscale.exe on machines that have no reason to run a VPN. Look for ssh -R reverse tunnels heading to outside hosts.
Check for wscript.exe running .vbs files out of user staging folders. Flag scheduled tasks set to the highest privileges that launch script interpreters. Watch for powercfg standby-timeout changes that keep machines awake. Block DuckDNS.
The bigger one: when you find a C2, assume it is not the only way in, and go hunting for the quiet persistence layer behind it. What was in Thales.zip, and what those two programs did in their 32 minutes on the machine, is the question Cato leaves open. The answer that matters more: the C2 was never the intrusion, just one way into it. Kill it and leave OpenSSH, Tailscale, the scheduled task, and the keylogger running, and the attacker still has a way back in.
That is the part remediation keeps missing. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Moses Frost Trains You to Think Like an AI-Armed Attacker - Online in Aug
Adversarial Exposure Validation Turns Security Visibility into Confident Prioritization
For security teams, the findings never stop, but confidence in knowing which ones matter is becoming harder to maintain. The problem is no longer visibility. It’s validation. Security teams must decide which findings warrant action while operating under constant pressure and incomplete information.
Increasingly, the challenge is not discovering potential risks. It is determining which risks deserve attention first. Visibility Got Us Here. Validation Moves Us Forward.
The security industry has spent the better part of a decade improving visibility. Vulnerability scanners, cloud security posture tools, endpoint detection, attack surface platforms, code analysis, and threat intelligence feeds all contribute to a more complete understanding of the attack surface. The investment has been enormous, and it has largely worked. Modern enterprises can see their environments in ways that would have seemed remarkable ten years ago.
Yet improved visibility has not automatically translated into improved outcomes. The 2025 Verizon Data Breach Investigations Report highlights a persistent reality: exploitation of vulnerabilities is a leading initial access vector, while remediation timelines are often measured in days, weeks, or even years. Organizations are discovering more, but they are also being asked to evaluate and prioritize more. Whether findings originate from automated tools, attack surface monitoring, or penetration testing services , security teams still face the same question: Which risks deserve attention first?
That evolution has created a new challenge. Success increasingly depends on how quickly teams can determine which findings represent meaningful risk. From Detection to Decision Every new finding competes with every existing finding for a finite pool of attention, resources, and remediation capacity. In many cases, security teams have more visibility than ever before.
The challenge is understanding which findings represent meaningful, exploitable risk and which ones can be addressed over time. Those are two very different exercises. One is a detection problem. The other is a validation problem.
Organizations that excel at prioritization are not necessarily the ones with the fewest vulnerabilities. They are the ones who can consistently distinguish between theoretical exposure and practical risk. That ability allows them to focus resources where they will have the greatest impact. When every finding is presented as urgent, prioritization becomes more difficult.
Teams often find themselves balancing competing demands while trying to determine where action will make the biggest difference. The result is a lack of context. Context Is What Converts a Vulnerability into a Decision A vulnerability on its own provides only part of the picture. Security teams need to understand whether it is reachable, whether it can realistically be exploited, what systems sit downstream, and what business processes could be affected.
The answers to those questions determine whether a finding represents a routine issue or a priority that demands immediate attention. The organizations making the greatest progress in risk reduction are not necessarily collecting more data, but rather, they are building better ways to interpret it by creating workflows that connect technical findings to operational and business impact. This allows teams to make decisions with greater speed and confidence. Adversarial Exposure Validation Turns Context into Confidence This need for context is one reason Adversarial Exposure Validation (AEV) gained momentum within modern security programs.
As a core component of Continuous Threat Exposure Management (CTEM), AEV moves beyond identifying potential weaknesses and focuses on validating which exposures represent realistic risk. Unlike traditional assessment approaches that primarily surface findings, AEV evaluates how an attacker could interact with an environment. It uses adversary simulation to test security controls, attack paths, and response readiness while selectively incorporating adversary emulation techniques when deeper validation is required. The objective is not to generate more alerts.
It is to determine which exposures are actually reachable, exploitable, and consequential in the context of the organization’s environment. Security teams do not need additional evidence that vulnerabilities exist. They need confidence in understanding which vulnerabilities create meaningful business risk. By validating exposures through realistic attack scenarios, AEV helps transform findings into actionable priorities, enabling organizations to focus remediation efforts where they matter most.
Where AI Fits, and Where It Doesn’t This is also where the conversation about AI belongs. Automation provides tremendous value in discovery, scale, and signal processing across environments that are far too large for manual review alone. It can help organizations identify patterns, surface potential exposures, and accelerate analysis. What it cannot do on its own is solve a judgment problem.
The questions that matter most in security prioritization require an understanding of business context, risk tolerance, operational dependencies, and adversary behavior. Those inputs extend beyond what scanners and algorithms can observe. They require human expertise, organizational knowledge, and informed decision-making from experienced offensive security experts. AI can accelerate security operations, but confidence still comes from human accountability.
The Shift from Visibility to Validation Is Already Happening Many mature security programs have already begun making this shift. Conversations across the CISO community increasingly focus on exploitability, attack paths, and demonstrated exposure rather than raw finding counts. The goal is not simply to discover vulnerabilities. It is to understand which vulnerabilities create meaningful risk and require action.
That shift is as much about culture and process as it is about technology. Organizations leading the way have built workflows that ensure context accompanies findings before decisions are made. They have defined what exploitable means within their own environments. They have connected technical risk to business impact in language that resonates across leadership teams.
None of that requires a specific tool. It requires a different way of thinking about what security programs are designed to achieve. Confidence Is a Security Capability Worth Building The next phase of security maturity will not belong to organizations that discover the most vulnerabilities. For most enterprises, visibility is already well established.
What will distinguish leading security programs is their ability to turn visibility into confident action quickly, consistently, and at a pace that keeps up with an evolving threat landscape. Confidence is not a soft concept. It is an operational capability. It enables teams to prioritize effectively, communicate risk clearly, and invest resources where they can reduce the most exposure.
In an era defined by AI, automation, and an ever-expanding volume of findings, confidence may be one of the most important security capabilities that humans can bring. About BreachLock BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered attack surface management, penetration testing, red teaming, and adversarial exposure validation (AEV) services that help security teams stay ahead of adversaries. With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats
Cybersecurity researchers have flagged a “coordinated malware campaign” on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. “Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests,” Aikido Security researcher Ilyas Makari said . “They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker.” The activity is said to have been ongoing since the end of October 2025, with new plugins released as recently as June 10, 2026.
Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have more than 25,000 downloads each, although it’s not clear if the counts are authentic or if they have been inflated to fake their popularity. The complete list of plugins is below - DeepSeek Junit Test (org.sm.yms.toolkit) DeepSeek Git Commit (com.json.simple.kit) DeepSeek FindBugs (org.bug.find.tools) DeepSeek AI Chat (org.translate.ai.simple) DeepSeek Dev AI (com.yy.test.ai.simple) DeepSeek AI Coding (com.dev.ai.toolkit) AI FindBugs (com.json.view.simple) AI Git Commitor (com.my.git.ai.kit) AI Coder Review (org.check.ai.ds) DeepSeek Coder AI (com.review.tool.code) AI Coder Assistant (org.code.assist.dev.tool) DeepSeek Code Review (com.coder.ai.dpt) CodeGPT AI Assistant (com.my.code.tools) DeepSeek AI Assist (ord.cp.code.ai.kit) Coding Simple Tool (com.dp.git.ai.tool) Aikido Security said all 15 plugins share a similar codebase, requiring users to open the settings panel and enter an API key for an AI like OpenAI, SiliconFlow, or DeepSeek in order to carry out the promised functionality. While the plugins work as they are intended to, they have been found to sneak in the ability to covertly siphon the provided API key to a remote server (“39.107.60[.]51”) under the attacker’s control over an HTTP request in plaintext format. “The plugins also run a paid tier,” the company said.
“After a user pays a small fee through the donation wall built into the plugin, the server sends an API key back down to the client, and the plugin starts using that key for its model calls instead of your own, which is bizarre, since no legitimate operator would simply hand a user a working and unrestricted key to a paid AI provider.” This has raised the possibility that the operators behind the campaign are likely sharing the stolen AI provider API keys with other threat actors as part of an illicit monetization scheme, effectively turning it into a service that grants paying users access to the victim’s AI provider. “The operator collects money on one side and free credentials on the other, while the genuine key owners pay the bill,” Makari added. The campaign is further evidence of how threat actors are increasingly targeting developer environments through the open-source ecosystem, which has become a lucrative target owing to the fact that they host source code, cloud credentials, signing keys, and API keys for paid AI services that can be resold for LLMjacking schemes. “Treat a plugin the same way you would treat any dependency that runs with your privileges, and be cautious about pasting long-lived secrets into tools you have not vetted,” Aikido Security said.
Malicious Chrome Extensions Steal AI Conversations The development coincides with the discovery of two Google Chrome ad blocker extensions that have been caught capturing users’ conversations with AI chatbots like OpenAI ChatGPT, Anthropic Claude, Google Gemini, Microsoft Copilot, Perplexity, DeepSeek, xAI Grok, and Meta AI. The data collection operation has been codenamed PromptSnatcher by researcher Jean-Marie R. The names of the extensions, which are still available on the Chrome Web Store, are as follows - Smart Adblocker (ID: iojpcjjdfhlcbgjnpngcmaojmlokmeii) - 90,000 users (Published in October 2022) Adblock for Browser (ID: jcbjcocinigpbgfpnhlpagidbmlngnnn) - 10,000 users (Published in August 2023) “While presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others),” the researcher said. “The operation uses legitimate public filter lists (EasyList, IDCAC) as functional cover, providing genuine ad-blocking utility while running an undisclosed telemetry channel.” The fact that the two extensions have been around for several years indicates that the AI-related data exfiltration features were introduced in the form of software updates.
These types of attacks fall under a category known as Prompt Poaching . Over the past several months, browser extensions, both legitimate and malicious, have been observed adopting this method to stealthily capture users’ AI chats under the pretext of enhancing Safe Browsing or providing in-depth traffic or engagement metrics. What’s unclear is whether these practices violate Google’s policies for browser extensions. “The extensions intercept full AI conversation history, model usage, and subscription tier from eight platforms, and transmit this data to operator-controlled infrastructure without notification to the user beyond a generic ‘Enhanced Protection’ consent string,” the researcher noted.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The Top 10 Attack Surface Exposures in 2026
Breaches don’t always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk. With time-to-exploit now down to a single day, the question isn’t just how fast you can patch.
It’s why the service was exposed in the first place. The team at Intruder analyzed 3,000 attack surfaces to find out how much of a typical organization’s attack surface consists of services that have no reason to be there. We grouped what we found into four categories — HTTP panels, risky ports and services, databases, and publicly accessible files and information. The full findings, including breakdowns by company size and industry, are in our 2026 Attack Surface Management Index .
How widespread is the problem? 60% of organizations had at least one HTTP panel exposed — admin consoles, management UIs, login pages for internal tools that have no business being publicly reachable. Nearly half (49%) had a risky port or service exposed. 42% had a database reachable directly from the internet.
30% had files or information publicly accessible that shouldn’t be — API documentation, config files, data that was never intended to be discoverable. The ten most common exposures These are the most common attack surface exposures affecting organizations in the past 12 months. MySQL Database Exposed — 26% Postgres Database Exposed — 16% API Documentation Exposed — 15% WordPress Admin Panel Exposed — 15% Remote Desktop Service Exposed — 11% SNMP Service Exposed — 9% phpMyAdmin Admin Panel Exposed — 8% UPnP Service Exposed — 8% NTP Service Exposed — 7% RPC Portmapper Service Exposed — 7% Databases dominate the top two spots Exposed databases take the top two spots, with more than a quarter of organizations exposing MySQL and Postgres, affecting 1 in 6. Internet-facing databases have long been a target for opportunistic attackers.
The PLEASE_READ_ME ransomware campaign in 2020 compromised more than 250,000 MySQL databases by brute-forcing weak credentials. MongoDB and Elasticsearch have faced the same. API documentation is more exposed than RDP API documentation ranked third — ahead of RDP, which surprised us. Some API docs are intentionally public, but organizations frequently overlook documentation tied to private or admin-side APIs that were never meant to be discoverable.
Public API docs can turn otherwise hard-to-find vulnerabilities into documented attack paths. RDP remains a ransomware entry point RDP at number five is a concern given its history as an initial access vector in ransomware attacks. BlueKeep in 2019 left nearly a million systems immediately exploitable. Credential guessing against exposed RDP remains one of the most reliable ways ransomware operators get in.
The rest of the list was never meant to be internet-facing The remainder of the list — SNMP, UPnP, NTP, RPC — are legacy services designed for internal networks that were never meant to be internet-facing. Get the full findings Most teams treat patching as the priority. But for a lot of what’s on this list — databases, admin panels, legacy services — the better question is why they’re reachable at all. That’s where attack surface reduction comes in — and for most organizations, it’s not getting the same attention as vulnerability management.
The full findings, including breakdowns by company size and industry, are in the 2026 Attack Surface Management Index . Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
144 Mastra npm Packages Compromised via Hijacked Contributor Account
As many as 144 npm packages associated with the Mastra namespace (“@mastra/*”), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from Endor Labs , JFrog , SafeDep , Socket , and StepSecurity . “A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17,” Socket said. The infected packages themselves do not include malicious code. Instead, it’s introduced by means of a third-party library named “easy-day-js” that has been added to each package’s dependency list in what has been described as an automated publishing campaign spanning 88 minutes.
In its analysis, SafeDep described “easy-day-js” as a clone of the “dayjs” date library that downloads and runs a cryptocurrency-stealing remote access trojan. The JavaScript library was published by an npm user called “sergey2016” on June 16, 2026, at 7:05 a.m. UTC as a clean, fully functional copy, with the malicious changes introduced on June 17, 2026, at 1:01 a.m. UTC.
“Because Mastra sits at the intersection of AI development and cloud infrastructure, its packages are routinely installed in environments that hold some of the most sensitive credentials in modern software development,” StepSecurity said. “This makes the Mastra ecosystem an exceptionally high-value target for supply chain attackers.” The “easy-day-js” package launches an obfuscated payload that’s fired during a postinstall hook, which acts as a dropper or loader for a second-stage payload retrieved from attacker-controlled infrastructure (“23.254.164[.]92”) after disabling TLS certificate validation. The payload is then executed as a detached background process, following which the loader takes steps to erase itself to minimize the forensic trail. The final stage is a cross-platform information stealer that can harvest browser history, store data from over 160 cryptocurrency wallet browser extensions, install persistence across Windows, macOS, and Linux, and exfiltrate the captured information to a command-and-control (C2) server (“23.254.164[.]123”).
The malware is also capable of polling the C2 server to receive commands, including downloading a module from an attacker-supplied URL and executing it on Windows, Linux, and macOS systems. “The malware combined familiar supply chain techniques with practical stealth: a clean decoy version, an obfuscated postinstall loader, runtime payload download, detached execution, self-deletion, Node-themed persistence, and a remote module system,” JFrog said. “Even if the first-stage package is removed after installation, the second-stage process may continue running and may have already installed persistence. This campaign shows how a small dependency change can become an install-time compromise across a large package ecosystem.” The attackers behind the campaign are said to have hijacked the “ehindero” account, a legitimate former Mastra contributor whose scope access was never revoked.
Npm has since pulled the malicious versions from the highest-profile packages and reverted their latest tag. Image Source: StepSecurity “Mastra ships its real releases from CI through npm’s trusted publisher flow, and each one carries SLSA provenance attestations,” SafeDep said. “The attacker pushed the malicious versions from a personal token and dropped the provenance.” “The same fingerprint repeats across the whole scope. Mastra generated provenance on CI publishes but did not require it, so a standard npm token could still publish without attestations.
A signature-verifying install (npm audit signatures, or a policy that requires attestations) would have rejected every package in this wave.” Any workstation, CI runner, or build environment that installed the affected versions should be treated as potentially compromised. It’s advised to roll back to a safe version, rotate any credentials, and audit the hosts for any artifacts linked to the campaign. “The affected packages include @mastra/core, which receives more than 918K weekly npm downloads, giving this campaign a large potential blast radius,” Socket said. “Because the payload executes during installation, systems may be exposed before developers import or use the package.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution. “Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users,” CISA said .
According to a description of the vulnerability published on CVE.org, the issue resides in the JCE editor extension for Joomla, allowing a bad actor to create new editor profiles for unauthenticated users, effectively paving the way for PHP code upload and execution. The issue impacts JCE versions from 1.0.0 through 2.9.99.4. It has been patched in version 2.9.99.5, released on June 3, 2026. In its release notes, Widget Factory said “insufficient access controls permitted unauthenticated users to upload editor profiles.” “The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe,” Joomla said last week.
“One important point: updating closes the entry point but does not clean a site that was already compromised. If you were hit before updating, the update will not remove what the attacker left behind.” The content management system (CMS) provider has urged users to look for suspicious editor profiles and audit web server access logs for unauthenticated requests to the profile import task, “index.php?option=com_jce&task=profiles.import.” Phil E. Taylor of mySites.guru has revealed that the vulnerability is being weaponized to import a rogue editor profile and use it to drop a web shell, granting the attackers a persistent backdoor on the server. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by June 19, 2026.
Multiple Campaigns Target WordPress Sites The disclosure comes as Sansec detailed a new supply chain attack campaign that targeted over 1 million sites using OptinMonster, TrustPulse, and PushEngage WordPress plugins, with the threat actors injecting malicious JavaScript that “waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin.” In another campaign, unknown attackers have been found to compromise a WordPress site to embed a fake WordPress plugin named “Beloved PBN Entegrasyonu” that stealthily beaconed the site’s URL to an external API upon every page load and injected arbitrary HTML or JavaScript returned by the server into the web page’s footer. Exactly how the attackers breached the website is unclear, but the access is said to have enabled them to stage two PHP web shells as raw executable code with the “wp_posts” database records and granted them the ability to interact with the scripts over HTTP. This, in turn, facilitated unrestricted read/write access to the entire server file system without requiring any authentication. Specifically, the database-resident payloads allow the threat actor to perform file actions, such as read, write, edit, or delete any file on the server, browse directories across the entire server, change file permissions, rename files, create new files and folders, and upload files from their own computer.
“Every visitor to the compromised site received injected PBN outbound links in their page source on every page load, directly damaging the site’s search rankings and risking a manual penalty in Google Search Console,” Sucuri researcher Puja Srivastava said . “The campaign is operated by a Turkish-speaking threat actor and is built around a classic SEO monetization scheme: hidden backlink injection for a Private Blog Network (PBN), most likely tied to the gambling and adult affiliate niche.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting
A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim’s project hijack the victim’s machine learning model upload and run code inside Google’s serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google’s bug bounty program, calls the technique “ Pickle in the Middle “ and said it saw no exploitation in the wild. Google has patched it; if you use the SDK, update to version 1.148.0 or later. The attacker needed only a Google Cloud project of their own and the victim’s project ID, which is often public.
No credentials, no phishing, no foothold in the target. The flaw was in how the SDK chose a temporary Cloud Storage bucket for model uploads. If a user did not set a bucket, the SDK generated a predictable name from the project ID and region, such as project-vertex-staging-region . It checked whether that bucket existed, but not whether the victim owned it.
Because bucket names are globally unique, an attacker could create the expected bucket first in their own project. The victim’s SDK would then upload the model files to the attacker’s bucket. The attacker could then replace the uploaded model with a malicious one. Many Python ML models are saved with pickle or joblib , which can run code when a file is loaded.
When Vertex AI later loaded the swapped model, the attacker’s code executed inside the serving container. The attack depended on speed. Unit 42 measured about 2.5 seconds between the victim’s upload and Vertex AI reading the file. In its proof of concept, the attacker used a Cloud Function that triggered after upload and replaced the model in 1.4 seconds, before Vertex AI read it.
The payload then stole an OAuth token from the serving container’s metadata server and sent it to the attacker. In Unit 42’s test environment, that token was not limited to the compromised deployment. It could access other model artifacts in the same Google-managed tenant project, including a full TensorFlow model with trained weights, as well as BigQuery metadata, access lists, tenant logs, GKE cluster names, and internal container image paths. The attack worked only under specific conditions: the victim’s default staging bucket did not already exist in that region, and the victim left the staging_bucket parameter unset.
The first is common for a new project in Vertex AI in a region. The second depends on the developer relying on the SDK’s default rather than naming their own bucket. Unit 42 reported the flaw through Google’s Vulnerability Reward Program on March 5, 2026. It tested versions 1.139.0 and 1.140.0, the latest available at the time, and found both vulnerable.
Google shipped an initial fix in v1.144.0 on March 31, adding a random uuid4 to the bucket name. It completed the fix in v1.148.0 on April 15, adding bucket ownership verification to block bucket squatting in Model.upload(). As of publication, neither Unit 42 nor Google’s Vertex AI security bulletins list a CVE for the issue. Update to 1.148.0 or later so the ownership check is active.
Also, set an explicit staging_bucket to a Cloud Storage location you control when uploading models. Because the flawed logic lives in the client SDK, check the google-cloud-aiplatform version wherever it runs, including notebooks, CI jobs, and training pipelines, not only production services. It is the second predictable-bucket-name flaw to surface in Vertex AI this year. Google patched CVE-2026-2473 in February, a separate bucket-squatting bug in Vertex AI Experiments that also allowed cross-tenant code execution, model theft, and poisoning.
Unit 42’s earlier work on Vertex AI’s default service-agent permissions traced a related path from a deployed AI agent into customer and tenant data. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures
Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader , Lorem Ipsum Loader , and Potemkin , per independent reports from Morphisec , BlueVoyant , and Huntress , respectively. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. “Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages,” Morphisec researcher Shmuel Uzan said. “This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility.” The starting point of the attacks is a ClickFix social engineering attack that deceives users into running attacker-supplied PowerShell commands to deliver the loader, which is then used to drop information stealers and remote access trojans (RATs) by combining well-known techniques like hidden PowerShell, in-memory shellcode, DLL side-loading, and external payload storage.
The activity has been attributed to BabaDeda , a crypter service that was first documented by Morphisec in November 2021 in connection with a campaign targeting the cryptocurrency and Web3 sectors to distribute information stealers, RATs, and LockBit ransomware. The loader is designed to profile the host, avoid running on Russian or Belarusian systems, and perform security product-related checks before retrieving the main payload and injecting it into a trusted Windows process such as “svchost.exe.” One of the malware families delivered via BabaDeda Loader is a .NET backdoor and information stealer that can harvest sensitive data and establish an encrypted channel to a command-and-control (C2) server. The malware supports a wide range of functions, including - Collecting detailed system information Discovering installed browser profiles Extracting browser artifacts such as cookies, browsing history, saved credentials, preferences, and local-state encryption keys Traversing directories and selecting files based on configurable rules Reading and exfiltrating file contents Capturing screenshots and displaying information Executing shell commands or external processes and collecting output Transferring data back to the C2 server Using native Windows APIs for process interaction, memory operations, DPAPI access, Restart Manager behavior, and advanced file access A second attack chain drops a ZIP archive that employs DLL side-loading to launch DanaBot and SectopRAT (aka ArechClient). What’s notable about these attacks is the use of a staged loader component dubbed Storage Crypter that reads the payload material from external storage-like files such as “List.Control.dat.” “The visible application package appears legitimate, while malicious payloads remain hidden inside externally stored containers and are decoded only moments before execution,” Morphisec said.
“This design minimizes forensic visibility, complicates automated analysis, and reduces opportunities for traditional security tools to identify malicious activity before execution occurs.” The findings represent an evolution of the modern loader frameworks, which have become increasingly modular and separate delivery, storage, execution, and payload deployment into distinct components rather than relying on a single monolithic entity. ClickFix Chain Drops Lorem Ipsum Loader The Click Fix technique has also been observed in an active campaign that uses at least five compromised WordPress sites as a starting point to deliver a nascent loader and backdoor codenamed Lorem Ipsum Loader. The hacked websites span multiple sectors, including architecture, legal services, and construction technology. The attacks mark a departure from prior opportunistic campaigns that employed trojanized Microsoft Teams installers through fake download portals promoted via SEO poisoning and malvertising.
The loader is believed to be active in the wild since February 2026. “The pivot to ClickFix lures hosted on compromised WordPress (WP) sites significantly broadens the potential victim pool and demonstrates the operators’ willingness to rapidly adapt their initial access techniques,” BlueVoyant researchers Thomas Elkins and Joshua Green said. The change in delivery mechanism has been attributed to Microsoft’s recent disruption of Fox Tempest (aka Forging Marauder), a threat actor that advertised a malware-signing-as-a-service (MSaaS) operation to help deliver malware without raising any red flags using fraudulently signed Microsoft Trusted Signing certificates. “The loss of certificate supply rendered the previously signed-installer delivery model unviable, forcing the operators to adopt a delivery mechanism that eliminates code signing entirely,” the researchers added.
The threat activity cluster is the latest instance of how bad actors can easily bounce back and adapt to alternative delivery models despite continued efforts by defenders and law enforcement to dismantle their operations. The Lorem Ipsum ecosystem has been attributed with high confidence to a financially motivated threat actor known as Vanilla Tempest (aka Rapid Brigantine, Vice Society, and Vice Spider) that’s known for deploying ransomware families like Rhysida, BlackCat, Zeppelin, and Quantum Locker. Attack sequences distributing Lorem Ipsum Loader make use of ClickFix-style Edge web browser security update lures to run a malicious command that downloads a ZIP file and an outdated version of Node.js released in 2017 (version 7.10.1) to execute JavaScript-based payloads present within the archive while minimizing chances of detection. The JavaScript payload functions as a dropper for deploying and executing additional malware components on the infected system, including a batch script that sets up persistence by launching a DLL side-loading chain to execute a malicious DLL (“mscoree.dll” or “msvcp140.dll”), which, in turn, decodes the embedded Lorem Ipsum Loader payload.
“The Lorem Ipsum Loader is designed to retrieve the next-stage Lorem Ipsum Backdoor from C2 infrastructure obtained from attacker-controlled profiles hosted on social networking platforms,” BlueVoyant said, adding the backdoor contains functionality to run next-stage payloads received from the C2 server. “The Lorem Ipsum chain culminates in handoff to Rapid Brigantine’s established post-exploitation tooling and ultimately to their documented ransomware deployments, primarily Rhysida.” Potemkin, RMMProject, and EtherRAT Delivered via ClickFix The third campaign to rely on ClickFix is a sophisticated attack chain that installs an MSI package, which then drops a previously undocumented loader codenamed Potemkin via an HTML Application (HTA) payload. The loader serves as a conduit for EtherRAT and RMMProject, a Lua-scriptable DLL with modules to enable remote screen control and browser credential theft by getting around Chromium’s App-Bound Encryption ( ABE ) protections. RMMProject also implements a task dispatcher mechanism to run a file or process, take screenshots, siphon browser autofill data, execute arbitrary Lua scripts, terminate browser processes, and download and run an additional module from a URL at runtime.
Potemkin loader is a “custom x64 loader that uses a domain generation algorithm to find its C2 and reflectively loads follow-on modules in memory,” Huntress researchers Anna Pham and Zach Rogers said. The activity was detected by the security vendor last month. The loader supports various functionally distinct components to handle the overall lifecycle, DGA-driven C2 discovery using a built-in 1,000-word dictionary, victim identification by means of a unique UUID value written to “%LOCALAPPDATA%\hyper-v.ver,” task polling, DLL retrieval and execution, and a custom byte cipher to protect the C2 communication and the DGA dictionary. With the access established, the unknown threat actor is said to have engaged in hands-on keyboard activity to configure Microsoft Defender exclusions, deploy Chisel reverse SOCKS tunnels, conduct additional reconnaissance, set up a Cloudflare tunnel for persistent access, and spread laterally via WMIExec and SMBExec to reach the domain controller and propagate EtherRAT across over 11 hosts.
ClickFix Remains an Enduring Technique The discoveries come as ClickFix continues to be an effective method to target Windows and macOS users with fraudulent bot verification screens to deliver malicious payloads like Phexia Stealer , a macOS infostealer, and HellsUchecker , a backdoor delivered via EtherHiding that’s capable of executing files retrieved from C2 and reporting the results back. ClickFix campaigns have also capitalized on the growing interest surrounding artificial intelligence (AI) tools to distribute fake MSI installers for Claude to run PowerShell payloads. “ClickFix remains effective for a simple reason: it exploits human nature. People naturally follow directions when presented with a clear, authoritative-looking instruction (‘press Win+R, paste this, hit Enter’),” Huntress researchers said.
“The social engineering doesn’t need to be sophisticated; it just needs to look like a legitimate troubleshooting step, and more often than not, that’s enough.” The risk posed by pasting commands into the Terminal app from websites (or chat agents, or messaging or email apps) has prompted Apple to introduce a new security pop-up in macOS Tahoe 26.4 that warns Mac users attempting to do so. “Scammers use these channels to instruct people to paste malicious commands into Terminal to harm your Mac or compromise your privacy,” Apple notes in a support document published this week. “This alert helps make sure that you aren’t tricked into running a command that you didn’t expect.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds
Security researchers at Zimperium’s zLabs have documented a new Android banking trojan, Rokarolla , that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, they give an operator near-total control of an infected phone: it lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play Protect. Rokarolla , named after its command-and-control servers, spreads through malicious websites posing as well-known apps such as TikTok and Chrome. The first thing a victim installs is a dropper that pretends to be Google Play Protect.
It uses that disguise to get the payload installed and grab Accessibility access. Once the malware is running, one of its commands turns Play Protect off. The theft runs through overlays. Rokarolla pulls a target list from its server, and for each app flagged active, it downloads a fake HTML login page and stores it in a local database.
When the victim opens the real banking or wallet app, the malware drops the fake page on top and captures everything typed into it, card details included. The report shows one such fake page mimicking the banking app ‘imagin.’ A separate overlay mimics the Android lock screen to capture the PIN, pattern, or password, which lets the operator control the phone even while it is locked. It reads every SMS on the device and can send messages itself, which is enough to grab the SMS one-time codes banks use to approve logins and transactions. By making itself the phone’s default app for texts and calls, it can also block incoming calls, so a warning call from the bank never gets through.
A keylogger and screen logger record what the user types and sees, and the trojan scrapes contacts and reads notifications. The clipboard gets rewritten silently, swapping in attacker wallet addresses so a copied crypto payment lands in the wrong account. For surveillance, Rokarolla skips the usual MediaProjection screen casting, which throws a visible recording prompt, and instead takes screenshots through Accessibility, compresses them to PNG, and ships them out one frame at a time. That snapshot approach is simpler and quieter than the live hidden VNC seen in families like Klopatra .
- The malware carries multiple fallback C2 domains and can be handed new ones on the fly, so pulling a single server does little. It’s 137 commands outnumber the 107 Zimperium counted in the
- HOOK trojan
- , and the playbook is the same one running through a
- wave of 2026 Android bankers
- fake-app droppers, Accessibility abuse, and HTML overlays. There is no patch to apply here. This is malware, not a product flaw, so the defenses are the standard ones for Android bankers.
Install apps only from Google Play, leave Play Protect on, and treat any unexpected Accessibility request as a red flag, since that one permission drives the whole attack chain. Zimperium says its own products detect the family, and the indicators of compromise are in its GitHub repository . Zimperium did not tie Rokarolla to a named group. What the build shows is intent: a banker put together to beat the exact protections users are told to rely on, from Play Protect down to the lock screen.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive
Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations continue to face a fundamental challenge: sifting through the noise to understand who is behind an IP and what action should follow . Case in point: a recent industry study of more than 200 security practitioners conducted by Spur Intelligence found that anonymizing infrastructure - including VPNs and residential proxy networks - now appears in nearly every security incident.
At the same time, the study showed that many organizations admit they lack the visibility, context, and operational workflows needed to make effective decisions based on that IP data. The findings support a broader industry trend: a reactive approach to managing IP-based risks. The Rise of Anonymized Infrastructure The widespread availability of VPN services, residential proxy networks, and other anonymization tools has fundamentally changed how cybercriminals operate. Residential proxies route traffic through consumer internet connections, making malicious activity blend in with normal user behavior.
VPN services provide additional layers of anonymity while allowing rapid switching between locations and network identities. As a result, traditional approaches based solely on reputation or static blocklists are becoming less effective. Security teams are increasingly encountering attacks where the IP address itself provides little immediate insight into intent. The Spur study showed that nearly half of companies reported significant operational or financial impact from account takeover attempts and credential abuse via VPNs and residential proxies.
In these incidents, an address may appear residential, belong to a legitimate ISP, and exhibit no prior malicious reputation while still being part of an active attack campaign. The Context Deficit One of the most significant obstacles facing security operations today is a lack of contextual information to help determine who is actually behind a connection. The Spur study reinforces this observation, with nearly half of respondents saying a lack of context is the biggest challenge for their security teams analyzing IP activity. Basic IP attributes, such as geolocation and network ownership, remain useful, but they often fail to explain the intent behind activity.
Security teams increasingly need additional layers of context, including infrastructure classification, VPN and proxy attribution , behavioral indicators, historical usage patterns, device and session correlations, and automation and bot signals. Without this context, analysts are forced to make decisions based on incomplete information. With context, they can understand not only where traffic is coming from, but also why it may represent elevated risk. Reactive Security Remains the Norm Although organizations recognize the value of IP intelligence, many still use it primarily during investigations.
IP enrichment is commonly applied after alerts have already been generated, helping analysts review historical events and investigate incidents. While this approach provides value, it limits the strategic impact of IP intelligence. A growing number of security teams are exploring ways to move IP intelligence earlier into the decision-making process. Rather than using IP data solely to investigate incidents, they want it to influence security outcomes in real time.
The Spur study examines this dichotomy, with the majority of respondents indicating that they leverage IP intelligence for basic use cases but want workflows to be more predictive and intelligence-led. Examples include applying IP intelligence for adaptive authentication, risk-based access controls, fraud prevention workflows, automated policy enforcement, and session risk scoring. The goal of proactively applying IP intelligence is to make better decisions before incidents escalate. The Overlooked Internal Risk of Anonymization External threats receive most of the attention in discussions about anonymized infrastructure, but many organizations face a second challenge much closer to home.
Bring-your-own-device policies, consumer applications, and personal VPN usage have expanded the number of pathways through which anonymizing traffic can enter enterprise environments. Nation-state actors posing as legitimate employees in high-concentration remote work environments is another. In many cases, organizations have limited visibility into whether employees are using proxy services, residential networks, or VPN tools while accessing corporate resources. This creates blind spots that traditional perimeter-focused security strategies may not address.
The Spur study validates this concern, with a surprisingly high 61% of respondents reporting being moderately, slightly, or not at all concerned about the potential exposure of their internal network via residential proxies on employee devices or consumer apps. As zero-trust architectures continue to mature, security teams must treat internal proxy activity as a potential risk signal rather than assuming trusted users and trusted devices automatically imply trusted network behavior. Quantifying the Effectiveness of IP Intelligence Many organizations invest in IP intelligence technologies but struggle to quantify their effectiveness. Historically, success has often been measured using indicators such as blocked threats or enrichment coverage.
However, these metrics may not fully capture operational value. The Spur study shows that organizations are less mature in how they measure their IP intelligence efforts, and a full third of companies aren’t measuring it at all. Increasingly, security leaders are focusing on outcomes such as investigation time, false positives, and costs. These metrics align more closely with business impact and help justify investment in security intelligence capabilities.
As budgets remain constrained, demonstrating measurable operational improvements will become increasingly important. The Future of IP Intelligence The next phase of IP intelligence will likely be defined by three trends. First, organizations will demand richer context rather than larger volumes of raw data. Analysts need attribution, behavioral insight, and infrastructure intelligence, not just additional indicators.
Second, automation will become a priority. Security teams increasingly want IP intelligence integrated directly into detection, prevention, and access-control workflows rather than isolated in investigative tools. Third, IP intelligence will become more closely tied to decision-making. Instead of acting solely as an enrichment layer, it will increasingly serve as a foundation for risk-based security controls.
The organizations that succeed will be those that move beyond simply identifying suspicious IPs and focus on gaining an understanding of the infrastructure, behavior, and intent behind them. In an environment where anonymized infrastructure has become a routine component of cybercrime, the ability to make the leap from detection to decision will ultimately determine how effectively security teams can respond to modern threats. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.