DAILY WORKFLOW ARCHIVE

2026-06-24 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-06-24 AI创业新闻

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign , active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. “Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices,” SOCRadar said [PDF] in a fresh report. “The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.” Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances.

The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials. It’s suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some “parts of the workflow.” Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with another automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year. “The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees,” the SOCRadar explained. “The actor targets multiple sectors and regions, with notable emphasis on the United States and India.

The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer environments.” Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that’s orchestrated to not only target Fortinet devices, but also breach Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026. In all, the attackers are estimated to have launched no less than 659 credential-harvesting pipelines on May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included - 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials 924,000 NTLM hashes 130,000 Kerberos hashes 89 million MySQL authentication tokens The FortiBleed campaign takes place over five stages - Perform widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls, followed by using a custom utility dubbed FortiProbe-fast and GeoSplit to filter FortiGate systems and group them by country, respectively.

Compromise the devices with a credential checker named “forticheck” that specifically targets FortiGate’s administrative panel and SSL-VPN portal, along with using tools to obtain administrative SSH access via credential stuffing and dictionary attacks. Upon establishing access via SSH, FortigateSniffer is deployed to passively intercept authentication traffic across 24 protocols (e.g., TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS) using native FortiOS diagnostic commands, making it possible to harvest cleartext credentials and password hashes. The password hashes are cracked using Hashmat and Hashtopolis, and orchestrated by a Telegram bot named HASHBOT, after which they are used for lateral movement and Active Directory enumeration. Sensitive data from network shares is exfiltrated while stolen session cookies are used to maintain persistent, authenticated access.

“The group does not treat all targets equally,” SOCRadar said. “Instead, targets are ranked according to economic value before exploitation resources are allocated.” What’s more, the sniffing mechanism includes a geofencing filter that restricts operations to specific IP ranges, not to mention limiting the activity to between 7 a.m. and 6 p.m. Moscow Time.

According to data captured by SpyCloud, the FortiGate-related capture cycle is said to have commenced on May 19, 2026, with the hash cracking infrastructure set up towards the end of the month. “The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute,” Zenox said. “In each cycle it loads a regional target list […] and validates with 1,000 simultaneous threads, displaying counters of success, failure, timeout, and warning. In the first cycles, the successful validation rate hovered near 90%.” The Brazilian cybersecurity company also said it found certain username and password pairs to be repeated across thousands of distinct IP addresses, raising the possibility that the accounts have been planted by the attacker as a clandestine backdoor entry point.

The development comes as a Russian-speaking account named “ SantaAd “ has advertised access to thousands of Fortinet devices for a starting price of $30,000, before increasing it to $60,000 hours later. However, it’s unclear if this has any connection to the FortiBleed exposure. “The threat actor group behind ‘FortiBleed’ was not just targeting FortiGate VPNs,” SpyCloud said. “They were actually targeting a range of different internet-facing appliances with a standard spray-and-pray attack chain that relies mostly on mass scanning and brute-forcing logins.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user’s email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation.

A skill is a bundle of instructions an agent loads into its own context and follows with roughly the authority of a user prompt. That trust is the whole problem, and it is the reason skill-scanning tools exist in the first place. The skill, named brand-landingpage , claimed to build a landing page using Google’s Stitch design tool, aimed squarely at non-technical users. To make it look credible, AIR went after two trust signals: GitHub stars and a clean scanner verdict.

For the stars, it opened a pull request to a skill marketplace repository with around 36,000 stars and 156 skills. The pull request was merged after a few days, so the skill inherited the repo’s count. Then it ran an Instagram ad aimed at marketers, salespeople, and designers, who installed it and put it to work. Why the scanners missed it The scanners AIR tested analyze the package you hand them: the SKILL.md and the files shipped with it.

That’s Cisco’s , NVIDIA’s , and the ones wired into skills.sh. AIR’s skill carried no setup instructions of its own. It told the agent to install the “Stitch SDK” by following the documentation at an external link, stitch-design.ai, a domain AIR controls, not Google (the real Stitch lives at stitch.withgoogle.com). At first, the link led to the genuine Stitch docs, so the scanners, seeing a clean package that pointed at a plausible setup page, cleared it.

The page the agent would actually fetch and follow sat outside the scan. Once the skill was installed widely, AIR swapped the page behind that link. The new version told the agent to download and run a script. In the demo, it only mailed the user’s address back to AIR, which is how the firm counted the agents it reached.

A real operator could have used that foothold to read files, move data, or hit internal systems, bounded only by what the agent could reach. AIR is not the first to show this. Three weeks earlier, Trail of Bits bypassed ClawHub’s malicious-skill detector, Cisco’s scanner, and all three scanners wired into skills.sh. Its conclusion was blunt: a scanner checks a fixed package, while an attacker can keep tweaking the payload until it passes.

Real campaigns have used the same trick for months, keeping the submitted skill clean and hosting the payload on a site the agent only fetches at install. The problem is structural: the scan happens once, but the page a skill points the agent to can be rewritten at any time after. Anthropic’s own docs already warn that skills fetching external URLs are risky for exactly this reason, since the content can change after the skill is vetted. Separate research this year found scanners often disagree, because each one judges a skill in isolation, blind to its external links and to what changes after review.

What to do The read for defenders is the same one researchers keep landing on, now with a sharper example behind it. Treat skills as software, not text. Vet what a skill points to, not just what ships inside it. Most of these add-ons got installed with no review, so the first job is finding what is already running.

Route new skills through a single source you control, and re-check them when anything changes, because a clean result at install does not stay clean if the skill phones out to a link someone else can edit. Pin versions. Hold agents to the least privilege. Assume any external instruction an agent fetches runs with the agent’s access.

The scale figures come from AIR alone, and they deserve a skeptical read. The firm is launching a managed skill marketplace and closes the write-up, pitching it, so the 26,000 number, the corporate-account detail, and the claim that it could have seized full control of every agent are the company’s own and are not independently confirmed. What holds up is the method. The named scanners really do judge only the submitted package, the external-link blind spot is real and has been independently demonstrated, and the trust signals AIR borrowed, stars, and a clean scan are exactly the ones the ecosystem still treats as proof.

The experiment does not expose a new bug so much as it lines up every weak trust signal around agent skills into one run: stars that can be borrowed, a scan that reads a snapshot, and a link that can be rewritten after the check clears. Whether the real figure is 26,000 or a fraction of it, the gap it walks through is one that defenders still have not closed. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Trump Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration

President Trump signed an executive order on June 22 setting hard deadlines for federal agencies to move high-value assets and high-impact systems to post-quantum cryptography. Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track. The deadlines matter because of a threat that does not need a working quantum computer today.

Adversaries can collect encrypted U.S. data now and decrypt it later, once a large-scale quantum machine exists, the risk is known as “harvest now, decrypt later” . The order describes that risk directly and pulls the government’s PQC timeline forward by four to five years. The prior government-wide target, set by the 2022 National Security Memorandum 10, ran to 2035.

The two deadlines line up with the standards NIST finalized in August 2024 . Key establishment uses FIPS 203, the ML-KEM algorithm formerly called CRYSTALS-Kyber. Digital signatures use FIPS 204 and 205, ML-DSA, and SLH-DSA. The standards have been ready for almost two years.

The order is what turns them into a schedule with consequences. What agencies have to do, and when The near-term clock starts fast. Within 30 days, each agency head names a PQC migration lead who reports to the agency CIO and owns the cryptographic inventory and migration plan. Within 90 days, OMB issues guidance requiring agencies to review their inventories of high-value assets and high-impact systems, plan the migration, and submit that plan.

NIST runs a pilot migration on a subset of its own systems, to be finished by December 31, 2027. The order reaches past federal networks. The Federal Acquisition Regulatory Council has 180 days to propose a rule giving “covered contractors” until December 31, 2030, to meet NIST’s FIPS, including the PQC algorithms. A second proposed rule, due in 270 days, would fold cryptographic flaws into contractor vulnerability disclosure programs, including tests for missing encryption and for non-FIPS algorithms.

Sector Risk Management Agencies and CISA are told to help critical infrastructure operators build their own migration plans, though that part is assistance, not a mandate. Then there is the inventory angle. Within 270 days, CISA and NIST are to publish the minimum elements for a cryptographic bill of materials, a machine-readable list of the cryptographic assets in a piece of hardware or software. That is the groundwork for crypto-agility: you cannot swap out weak algorithms on a deadline if you do not know where they are.

The practical read For federal teams and the vendors who sell to them, the work is the inventory, and it starts now. Find every place key exchange and signatures happen, flag what is not NIST PQC, and sequence the swap against the 2030 and 2031 dates. Contractors should expect the FAR clause and a 2030 compliance line once the rule lands. The standards exist.

The deadlines now exist. The gating task for almost everyone is knowing what cryptography is running, and where. A companion order signed the same day, “Ushering in the Next Frontier of Quantum Innovation,” pushes the other side of the equation: building the quantum computers that make the migration urgent in the first place. The teeth are still being written.

OMB’s 90-day guidance and the FAR rules will decide whether 2030 and 2031 become real procurement pressure or just another federal migration target that slips once the hard work starts. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns

GitHub is moving to strengthen software supply chain security by updating “ actions/checkout “ to block pwn request attacks that exploit the risky use of the “pull_request_target workflow” trigger to run malicious code with the workflow’s full privileges. Effective June 18, 2026, the latest version of “actions/checkout,” the official GitHub action for checking out a repository into the workflow’s runner, refuses common pwn request patterns by default. The change is expected to be backported to all currently supported major versions on July 16, 2026. “Actions/checkout v7 refuses to fetch fork pull request code in pull_request_target and workflow_run workflows (the latter only when workflow_run.event is a pull_request* event),” it added .

The refusal occurs when the pull request is from a fork, and any of the following criteria is met, unless workflow authors explicitly opt out of it by setting the “ allow-unsafe-pr-checkout “ flag to “true” in “actions/checkout” - repository: resolves to the fork pull request’ repository ref: matches refs/pull/number/head or refs/pull/number/merge ref: resolves to a fork pull request’s head or merge commit SHA The change is aimed at preventing the most common form of pwn requests in the Actions ecosystem. As a result, “actions/checkout” will fail for “pull_request_target events” from forks with insecure inputs. “Pull_request_target” is a workflow trigger that’s automatically run without requiring manual approval when a pull request is opened or reopened, or when the head branch of the pull request is updated. It’s important to note that the event runs in the context of the default branch of the base repository, potentially exposing secrets and a privileged GITHUB_TOKEN with both read and write permissions.

“Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities,” GitHub notes in its documentation. “These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets.” The danger arises when a “pull_request_target” is combined with “actions/checkout” to download and execute code submitted by an untrusted fork. Should a bad actor submit a pull request containing malicious scripts and the workflow checks out and runs the code, it can allow the attacker to steal the GITHUB_TOKEN and other secrets, leading to what’s called a pwn request attack . “Workflows triggered by pull_request_target run with the base repository’s GITHUB_TOKEN, secrets, and default-branch cache access,” GitHub said.

“Checking out the head of an unreviewed pull request from a fork inside one of these workflows typically lets attacker-controlled code execute with the workflow’s full privileges.” In recent months, a number of software chain attacks have weaponized this behavior. The most severe of them was the compromise of multiple packages associated with the Nx build system as part of a campaign codenamed s1ngularity, as well as the breach of PostHog , TanStack , and the popular Emacs package, “ kubernetes-el/kubernetes-el .” “Pull_request_target was designed for trusted automation around pull requests, such as labeling, commenting, or applying project metadata,” Socket said. “But the checkout step controls which code actually lands in the runner workspace. If it pulls code from a forked pull request, the workflow can end up running attacker-controlled code with the base repository’s privileges.” That said, the Microsoft-owned subsidiary emphasized that pwn requests triggered via other event types besides pull_request_target (e.g., issue_comment) or through other means, such as git or the GitHub CLI, are out of scope of this change.

“This change only blocks checkouts of the fork pull request head and merge commits,” it added. “It does not block checkouts of other untrusted repositories. For example, setting repository: to an unrelated third-party repository is not blocked. Checking out and executing any untrusted code in a privileged event remains a pwn request risk that should be reviewed.” To counter the risk posed by “pull_request_target,” developers are advised to assess and use it only when necessary, switch to “ pull_request “ if the workflow does not require elevated permissions or access to secrets, restrict permissions granted to the workflows, and ensure user-controlled input does not result in execution of untrusted code.

“The protection in this update only covers checkouts performed through actions/checkout,” Socket said. “That makes this a guardrail, not a complete solution for Actions security. Workflows that run with secrets, write permissions, deployment permissions, or OIDC publishing access still need careful review.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Agentic AI: The Weapon That No Longer Needs a Warrior

Every weapon begins as an extension of the hand that holds it. The spear lengthened the reach of the arm. The bow sent the point flying without the throw. The rifle placed a man’s death a quarter mile beyond his sight, and the aircraft carried that death across oceans.

At each turn, the distance between the warrior and the wound grew wider, and yet one thing never moved: a human chose the target, and a human struck the blow. For the entire history of conflict, the cyber realm included, the hand has remained on the weapon. Offensive AI is the moment the weapon learns to aim itself. For three years, artificial intelligence (AI) has been an extension of the pen.

It drafted the phishing email, proposed the exploit, sketched the malicious function, and then, like every tool that came before it, handed the work back to a human to carry out. In 2023, I published a whitepaper at the SANS Technology Institute showing how a person of almost no skill could coax a chatbot into producing malware that strolled past the controls built to stop it. That was the age of the assistant: dangerous, certainly, but still leashed to the operator who held it. Agentic AI severs the leash.

It takes the objective and walks the steps itself. This single change, from a tool that drafts to a tool that acts, is reshaping offensive operations faster than the defenses built to catch them, and it cuts in two directions at once. It grants real capability to attackers who never possessed any, and it lends ferocious speed to those who were already deadly. If your trade is offensive work, this is the ground you now stand upon.

The tooling an adversary turns against a target is the tooling you must be capable of turning yourself, and it has marched far beyond chatbots composing prettier phishing. It is worth studying, with clear and unsentimental eyes, what these agents can do today, how they let you operate at a pace that lately seemed impossible, and where they will quietly walk you off a cliff should you follow them with too much faith. The Gate Has Fallen Consider the entry-level threat actor, historically limited by a lack of technical expertise. Such individuals can now leverage agents to develop exploits and conduct campaigns autonomously.

Technical mastery is no longer a prerequisite; intent and access to capable tools suffice. I refer to this phenomenon as ‘script kiddie as a service,’ signifying the emergence of sophisticated attacks from previously unskilled actors. A further implication is that the limitations of unskilled attackers are now defined by the capabilities of their chosen AI models rather than their own expertise. As numerous untrained actors employ similar models in comparable ways, their attack methodologies begin to converge, resulting in a behavioral monoculture.

While this increases the volume of competent attacks, it also creates recognizable patterns, such as standardized phishing and exploit chains. Skilled adversaries will adapt beyond these defaults, but the majority will not. Consequently, defenders who understand these default behaviors can better anticipate and mitigate widespread threats. For experienced practitioners, artificial intelligence does not necessarily enhance skill, but it significantly increases operational speed.

Training an agent on established tradecraft enables parallel execution of campaigns, reducing tasks that previously required weeks to mere hours. This dual effect, more attackers at the entry level and accelerated attacks from experts, broadens the overall threat landscape. For those conducting authorized offensive operations, this is now the prevailing standard. Adversaries already utilize these tools, and any engagement that neglects them fails to reflect current threats.

The Hunt Runs Itself One of the most common examples I often give to people is autonomous social engineering. In this scenario, an attacker deploys an agent to gather publicly available information about a target, such as LinkedIn profiles, press releases, or conference recordings, to construct a detailed profile. This intelligence is then utilized by a second agent, which generates and sends personalized messages, manages responses, and conducts an ongoing conversation, incrementally advancing toward its objective. No human intervention is required in the communication process.

The danger here is not speed; it is the quiet death of the signals we trusted. For years, our phishing defenses leaned on the tells of mass production: the clumsy grammar, the recycled template, the identical mail sent ten thousand times. Those are precisely the tells this arrangement erases. Each message arrives fluent, singular, and grounded in something genuinely true about its mark.

Sure, the infrastructure signals endure; things like sender reputation, authentication, and the like still stand watch, but now as defenders, we have to lean on them harder than ever, and how long is it going to be before those defenses break under that pressure? The linguistic and template-level information tells us that so much of our detection, quietly depended upon, is gone. And it’s not just social engineering. The same automation is overtaking exploitation.

As frontier models grow practiced at chaining tool calls and correcting themselves against a living environment, the bar for producing a working exploit is sinking lower with each release. So much so that the federal government is now getting involved and forcing models like Anthropic’s Fable 5 to be taken off the market over fears of its capabilities. But this is only the tip of the iceberg. Tying even moderately capable models into a retrieval database of known vulnerabilities, and it will perform its own reconnaissance, judge what a target is likely exposed to, draw the matching exploit from the shelf, and report back like a hound that has caught a scent: I believe this will work, based on these indicators.

Shall I run it? Malware is traveling the same road, growing agentic in its own right, and we are already watching agents rewrite existing malware into quieter strains bred to slip past the controls that knew the older form. This started years ago with the introduction of the “Guided Network Access Weapon (GNAW)” which I debuted at the Hackers Teaching Hackers conference. The Confidence of a False Oracle All of this makes the agents a very seductive thing to lean upon.

They are swift, they run themselves, and they speak with unbroken authority from beginning to end. That last quality is the trap, and to call it lying is to flatter it with intent. The agent is not seeking the truth. It is seeking a finished task and an answer that wears the appearance of being right.

It holds no privileged sight into whether a host is truly vulnerable; it matches indicators to a conclusion and delivers that conclusion in the same steady voice, whether the conclusion is sound or hollow. Marry it to a retrieval store of vulnerabilities, and the flaw compounds, for retrieval surfaces what is plausibly related, not what genuinely applies. It does not check the version, nor the configuration, nor whether the service can even be reached. Where the Proof Is Made That problem of judgment is precisely why the place this work occupies matters.

The SANS Secure AI Blueprint , authored by SANS Chief AI Officer Rob T. Lee , divides the wider challenge into three tracks: Protect AI, Utilize AI, and Govern AI. Govern produces the policy and the oversight that keep these systems accountable. Protecting hardens the systems an organization actually runs.

Utilize is where AI is put to work for offense and defense alike, and offensive operations are its keenest edge. Leadership hears the words “AI security” and pictures policy binders and a governance committee in a quiet room. Yet Utilize is the only one of the three that yields proof: the actual attacks run against the actual systems, which reveal whether the policy and the hardening hold when they are struck. An organization may write every guideline it pleases and stand up every defense it can purchase, but until someone turns this tooling against its own walls, it does not yet know which of them will hold.

A defense is a theory until it makes contact, and the operator is the one who brings it there. That is why the operators are, more and more, the ones who hold the whole program to account. What the Warrior Is For Return, then, to where we began. For the whole of human history, the hand stayed on the weapon because the weapon could not be trusted to choose, and that much has not changed.

The machine can aim itself now, but it cannot tell you whether the shot should be taken. It will name a target that was never there and ask, in the same untroubled voice it uses when it is right, for permission to fire. Every mechanical part of this craft is passed to the machine. The one part that is not, the judgment to know a true thing from a confident lie and to hold your hand until you are certain, is becoming the whole of the work.

The warrior has never stood farther from the wound, and the choice that joins them has never weighed more. The weapon no longer needs a warrior to swing it, but it has never needed a person to decide whether it should be swung at all more than now. Learn Offensive AI at SANS San Antonio 2026 This August, I will take up these questions in depth during my SEC535: Offensive AI – Attack Tools and Techniques course run at SANS San Antonio 2026 . Across three days of hands-on labs, we work the techniques described here from the operator’s side of the line: AI-assisted reconnaissance and social engineering, deepfake and voice-cloning attacks, AI-supported vulnerability discovery, and the use of AI in the development and evasion of malware.

You will drive the tooling with your own hands and come away with a true sense of its reach, its limits, and the precise points at which it must not be trusted. That is the distance between knowing these attacks exist and being able to carry them out. The machine will do the aiming. Be the judgment behind the shot.

Register for SANS San Antonio 2026 here . Note: This article has been expertly written and contributed by Foster Nethercott, SANS SEC535 Course Author. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT). The list of identified packages, is below - aes-decode-runner-pro (145 downloads) postcss-minify-selector (256 downloads) postcss-minify-selector-parser (615 downloads) All the packages were published over the past month by an npm user named “ abdrizak “ and continue to be available for download from npm as of writing. “Aes-decode-runner-pro and postcss-minify-selector-parser both present themselves as layered AES/custom-codec packages and depend on the legitimate postcss-selector-parser,” JFrog said in an analysis. “Postcss-minify-selector presents itself as a PostCSS selector minifier and depends on postcss-minify-selector-parser.” As for “postcss-minify-selector-parser,” the name is a reference to “ postcss-selector-parser ,” a widely used npm library with more than 127 million weekly downloads.

Regardless of the package downloaded, the attack chain leads to the deployment of the same Windows malware. The packages come embedded with a JavaScript dropper that writes a PowerShell script (“settings.ps1”) to disk and executes it. The PowerShell script then acts as a downloader for a next-stage payload retrieved from an external server (“nvidiadriver[.]net”) using the “curl.exe.” The retrieved payload is a ZIP archive, from which a Visual Basic Script (“update.vbs”) file is extracted and run using “wscript.exe.” Also bundled in the downloaded ZIP file is a Python runtime, a Python loader (“loader.py”), and a number of Python extension modules (*.pyd) compiled using Nuitka . Visual Basic is responsible for setting up the Python environment on the compromised host and launching the “loader.py” script, which then triggers the core logic of the malware.

The RAT is equipped to gather host information, siphon credentials from Google Chrome, collect data from Chrome extensions, run shell commands, and download/upload files to and from a command-and-control (C2) server (“95.216.92[.]207:8080”). These features are realized through a set of Python native extension modules - config.pyd, which contains constants, command IDs, C2 URL, registry key names api.pyd, which handles HTTP C2 packet exchange audiodriver.pyd, which handles the main RAT orchestration loop command.pyd, which profiles the host, runs virtual machine (VM) checks, file transfer, and shell execution auto.pyd, which performs Chrome credential and extension theft, bypassing app-bound encryption ( ABE ) protections util.pyd, which acts as tar/gzip archive helpers “This case shows how a small parser-like package can hide a multi-stage Windows payload while appearing related to legitimate build tooling with massive weekly usage,” JFrog said. “For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms, not just harmless naming noise.” The discovery coincides with three other campaigns targeting the npm and TypeScript ecosystem - A malicious package named “ apintergrationpost “ that delivers a full-featured Linux RAT dubbed MYRA, while claiming to be a Node.js integration client for authorized red team exercises. “It compiles a native C rootkit during install, establishes three independent persistence mechanisms, masquerades as a systemd service, supports fileless execution, and provides interactive shell access with live screen streaming,” SafeDep said.

A malicious package named “ @withgoogle/stitch-sdk “ that impersonates Google’s Stitch AI design tool but comes with capabilities to steal developer credentials from eight sources (Claude Code, git config, ~/.git-credentials, SSH public keys, GitHub CLI, npm config, ~/.npmrc, and ~/.docker/config.json) and exfiltrates them to an attacker-controlled domain (“stitch-production[.]org/api/v1”). A cluster of five packages (“procwire,” “routecraft,” “endpointmap,” “bytecraft,” and “staticlayer”) that delivers a dropper binary on Windows hosts from an external server and executes it during npm install. The “routecraft” package lists “procwire” as a dependency, while the latter lists “endpointmap” and “bytecraft” as dependencies. The last package, “staticlayer,” is designed to run on the server side and deliver files to a client that presents the dropper’s exact User-Agent.

Users who have installed any of the above packages are advised to remove them with immediate effect, remove any artifacts created by them, and rotate credentials from impacted developer machines. The findings also coincide with a supply chain attack targeting the “ gonex-AI/Understand-Anything “ knowledge graph tool to push a malicious payload that “beacons one of three hardcoded C2 servers, exfiltrates a campaign marker, XOR-decrypts and evaluates a downloaded bot client, then independently resolves a second-stage command from a Tron blockchain address whose latest transaction encodes a BSC transaction hash carrying the active payload.” The activity overlaps with a North Korean supply chain operation dubbed PolinRider , which has been observed injecting obfuscated JavaScript into legitimate developers’ configuration files across nearly 2,000 compromised GitHub repositories to deliver a known malware downloader and stealer referred to as BeaverTail , which then paves the way for the InvisibleFerret backdoor. “This attack combines three things that individually are familiar but together open a detection gap: an elaborate fake PR description with fabricated test evidence, a diff that hides its payload in horizontal whitespace, and a two-stage C2 where the second stage uses public blockchain infrastructure as a write-once, read-anywhere relay,” SafeDep said. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software. Per findings from Kaspersky, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. The highest concentration of victims has been reported in Malaysia. “The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment,” security researcher Fareed Radzi said .

“Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim’s system.” It’s suspected that the threat actor behind the operation managed to obtain surreptitious access to several WhatsApp accounts and then used them as a distribution vector for the VBScript files across their contacts. That said, exactly how these accounts are compromised is unclear. The heavily obfuscated VBScript files are dressed up as seemingly harmless business and financial documents, using names like “Financial Reports.vbs” or “Account Statement.vbs.” Some of the files are also named in other languages, such as Portuguese, French, German, and Malay, reflective of the global nature of the campaign. “In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components,” Kaspersky explained.

“Many of these comments are written in Chinese and include references to Windows Update modules, certificate validation, system integrity checks, and deployment-related functionality.” The VBScript file is launched using “WScript.exe,” which then fetches and runs additional VBScript components required for the next stages of the attack. It’s worth noting that the infection chain behaves a little differently based on whether a victim is using WhatsApp Web or the WhatsApp Desktop application. In the case of the former, the attack relies on the user downloading the file to their system and then opening it from the downloaded folder or via the browser’s download history, assuming it to be a legitimate document. In WhatsApp Desktop, the malware is executed directly within the application, with the process tree revealing that “WhatsApp.Root.exe,” the background process associated with the client application, is responsible for spawning “WScript.exe.” The primary objective of the VBScript is to download two secondary VBScript payloads from a remote server, one of which attempts to tamper with Windows User Account Control (UAC) behavior, while the other downloads and executes a ZIP file containing the installation package for ManageEngine RMM Central.

The activity remains unattributed, however, the Russian cybersecurity company said it found infrastructure overlaps (“202.61.160[.]201”) with prior activity linked to Gh0st RAT and ValleyRAT . “Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts,” Kaspersky said. “Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws

OpenAI on Monday said it’s releasing an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative the artificial intelligence (AI) company announced last month. Calling GPT‑5.5‑Cyber its “strongest model yet for finding and helping patch software vulnerabilities,” OpenAI said the model can “sustain deeper analysis across large codebases” to identify security issues, validate them in a controlled environment, and develop and test patches. In tandem, the tech upstart is releasing an update to the Codex Security plugin⁠ to speed up the process of discovering and patching vulnerabilities in existing systems, alongside preventing new vulnerabilities from entering production codebases. “Developers can run deep scans or review recent changes, generate reports with severity, affected code locations, validation evidence, and remediation guidance, trace attack paths, build threat models, validate findings, and generate codebase-specific patches for review,” OpenAI said.

On top of that, the plugin⁠ can triage and validate existing findings from scanners, advisories, bug-bounty reports, or ticketing systems, and then facilitate patch generation at scale to quickly close a backlog of vulnerabilities. OpenAI is also launching a new initiative called Patch the Planet in partnership with Trail of Bits to help secure open-source projects. Initial participants include cURL, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python, and python.org. These moves come as frontier models from Anthropic and OpenAI are accelerating vulnerability discovery, leaving software maintainers overwhelmed with an ever-increasing volume of bugs that need to be verified, triaged, and patched.

While previously the challenge lay in finding vulnerabilities, the bottleneck has now shifted to patching them. AI models come with capabilities to navigate large codebases, reason through attack paths, and flag security issues that might have otherwise stayed hidden. Case in point is a 29-year-old flaw in the Squid web proxy ( CVE-2026-47729 , aka Squidbleed) that can leak cleartext HTTP requests belonging to other users under certain conditions. Cyber experts have also raised concerns that more advanced AI models are turbocharging bad actors’ abilities to take advantage of security vulnerabilities, forcing the industry to plug the holes almost as soon as they are discovered.

“Threat actors with limited technical expertise can use publicly available AI models for malicious purposes,” the Canadian Centre for Cyber Security said in guidance released in May 2026. “Organizations should assume that AI-driven exploitation may bypass preventative controls, significantly outpace vendors’ capacity to publish corrective measures and challenge the organization’s ability to deploy.” Patch the Planet aims to reduce this undue burden placed on maintainers by letting security engineers review and validate findings, work with projects to develop patches and tests, and help build reusable vulnerability discovery workflows with the goal of improving security even after the initial fixes are released. “With Patch the Planet, we are working with researchers, maintainers, enterprises, and partners to make powerful cyber capability available to defenders with appropriate access, governance, and human oversight,” OpenAI said. The AI company also said the Daybreak initiative has already helped surface a number of vulnerabilities across various operating systems and web browsers - 8 kernel pointer information leak proofs-of-concept (PoCs) and 24 local privilege escalation exploits in the Linux Kernel A 23-year-old use-after-free⁠ in OpenBSD’s kernel implementation of System V semaphores 34 vulnerabilities and 7 local privilege escalation PoCs in FreeBSD 6 vulnerabilities in dnsmasq (CVE-2026-4890⁠, CVE-2026-4891⁠, CVE-2026-4892⁠, and CVE-2026-5172⁠) A denial-of-service (DoS) technique called HTTP/2 Bomb impacting major HTTP/2 implementations, including NGINX, Apache, IIS, and Pingora 5 exploitable vulnerabilities in Google Chrome’s V8 JavaScript engine 10 exploitable Apple Safari vulnerabilities A WebAssembly vulnerability (CVE-2026-8390⁠) in Mozilla Firefox “Patch the Planet is designed to put that full defensive loop in service of maintainers: discovery, validation, severity review, disclosure, patch development, testing, and deployment,” OpenAI said.

“Frontier models can make parts of that loop faster, but the aim is to give the people responsible for shared infrastructure better tools and more capacity, while preserving their agency over how changes land.” The developments go hand in hand with bad actors misusing AI to compress the time between finding and exploiting a weakness, shrinking the window defenders have to respond. The use of vibe-coded exploits also heralds a new chapter where the technology is not only lowering the barrier to exploit development, but also enabling attackers to cast a wide net across newly disclosed vulnerabilities with lesser effort. Intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. have warned that advanced AI models can expedite the speed, scale, and sophistication of cyber threats, while lowering the barrier for malicious actors and shrinking the window between vulnerability discovery and exploitation ever more quickly.

“Frontier Al models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months, the agencies noted . “In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value.” “Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. “Attackers compromised the vendor’s build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels,” Wordfence said in an analysis published last week. The incident affects the following plugins - Product Slider Pro for WooCommerce (versions before 3.5.4) Real Testimonials Pro (version 3.2.5) Smart Post Show Pro (versions before 4.0.2) As mentioned above, it’s worth emphasizing that the compromise only affects Pro plugin builds distributed through the vendor’s Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. The free versions of the plugins on WordPress.org are not impacted.

The supply chain compromise associated with Product Slider Pro for WooCommerce has been assigned the CVE identifier CVE-2026-49777 , along with a CVSS score of 10.0, indicating maximum severity. CVE-2026-10735 (CVSS score: 9.8) is the CVE identifier for the entire incident. The WordPress security company said the compromised versions of the plugins incorporate a loader that’s triggered on every admin page, causing it to fetch a payload from a remote server (“194.76.217[.]28:2871”), install it, and activate it as a fake plugin. Once it’s activated, the malware reports the victim domain back to the server and erases itself to cover up the tracks and complicate incident response efforts.

The counterfeit plugin, for its part, hides itself from the WordPress admin plugin list and is capable of capturing credentials in plaintext and two-factor authentication (2FA) codes. It also establishes multiple persistence methods that enable arbitrary file writes via a custom REST endpoint when provided a specific authentication token, as well as drop a web shell with command execution features. Lastly, it makes use of a PHP file named “install-persistent.php,” which is bundled as part of the plugin, to extract the below data - Full contents of wp-config.php, including database credentials, authentication keys, and debug settings All administrator accounts with registration dates Mail plugin credentials from WP Mail SMTP, Post SMTP, and Easy WP SMTP WooCommerce order data from the last 3 months with payment method breakdown Once this information is displayed, the file is deleted. Evidence indicates that the attack could be a compromise of the build pipeline, as opposed to a direct poisoning of the packages.

What’s particularly dangerous about this attack is that it exposes site owners who purchased legitimate licenses and installed updates directly from the vendor’s official update system to malware. Upon being notified of the issue, ShapedPlugin has confirmed the incident, adding that it’s reviewing the distribution and release processes to ensure the integrity of its products going forward. New versions of the impacted plugins are expected to be released pending comprehensive security reviews and validation tests. Site owners who have installed the malicious versions are recommended to reset all passwords, revoke and regenerate 2FA secrets for all users, review administrator accounts for unauthorized additions, and check mail plugin configurations for modified SMTP credentials.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

29-Year-Old Squid Proxy Bug ‘Squidbleed’ Can Leak Cleartext HTTP Requests

A heap over-read in the Squid web proxy can leak another user’s cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. The bug traces to a
1997 FTP-parsing change
and is still live in Squid’s default configuration. Researchers at Calif.io
disclosed it in June
and named it
Squidbleed
(
CVE-2026-47729
), after Heartbleed, which leaked memory the same way. Squid describes this as an attack by a
trusted client
someone already permitted to use the proxy, not any random host on the internet.

That matches Squid’s usual home, shared networks like schools, offices, and public Wi-Fi. In those setups, the attacker is just another user of the same proxy. The leak also only reaches traffic that Squid can read. Normal HTTPS rides an opaque CONNECT tunnel, so Squid never sees inside it; the exposed traffic is cleartext HTTP, plus TLS-terminating setups where Squid decrypts and inspects.

The attacker also needs the proxy to reach an FTP server they control on port 21. Both FTP and that port are on by default. How the leak works The bug sits in Squid’s FTP directory-listing parser. To handle old NetWare servers that padded listings with extra spaces, the code skips whitespace with a loop: while (strchr(w_space, *copyFrom)) ++copyFrom;.

If the attacker’s FTP server sends a listing line that ends right after the timestamp, with no filename, copyFrom lands on the string’s null terminator. strchr treats that terminating NUL as part of the string it searches, so it returns a pointer instead of NULL, and the loop never stops. It walks off the end of the buffer, and xstrdup copies whatever follows back to the attacker as a filename. The leaked bytes are the useful part.

Squid reuses freed memory buffers without zeroing them, so a 4KB buffer that recently held a victim’s HTTP request still holds most of it. A short FTP line overwrites only the first few bytes; the over-read returns the rest. Calif’s demo pulls an Authorization header from a victim sharing the same proxy, enough to act as that user. Proof-of-concept code is public , and no in-the-wild exploitation has been reported as of writing.

What to do If you patch, verify the fix, not just the version. Confirm the guard is in FtpGateway.cc, or check your distribution’s backport, since distros ship their own builds (Debian packages Squid 5.7). The public thread is still inconsistent: maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected that to 7.7 , and on June 22 Debian’s Salvatore Bonaccorso noted the referenced commit looks like it is already in 7.6. The fix is small, a null-terminator check before the vulnerable strchr calls , merged to the development branch in April and v7 in May.

Squid 7.6 does separately patch CVE-2026-50012, an unrelated cache_digest heap overflow. The cleaner move is the one the researchers recommend anyway: turn FTP off. Chromium dropped FTP years ago, and most networks carry almost none of it, so disabling it removes this attack surface for free, whatever build you run. The risk is real but bounded.

SUSE rates it moderate, CVSS 6.5 , and the vector explains the score: the attacker needs proxy access (low privileges), and the only impact is confidentiality, nothing on integrity or availability. Calif credits Anthropic’s Claude Mythos Preview, the model behind Project Glasswing , with catching the strchr quirk almost at once, the same kind of buried parser bug AI agents have been surfacing elsewhere , including in FFmpeg. Calif hints Squid’s FTP code may not be the last place it forgot to stop reading. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants

Cybersecurity researchers have disclosed details of four vulnerabilities in Dify , an open-source agentic workflow platform with more than 146,000 GitHub stars , that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers’ applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security. “Two were critical severity, two required no authentication, and three carried cross-tenant impact on Dify’s multi-tenant cloud service, allowing one customer’s data to be exposed to another,” researchers Ido Shani and Gal Zaban said . The security defects could have allowed attackers to read private AI chats from other customers’ applications, creating a covert exfiltration channel for every message and model response.

They also made it possible to traverse Dify’s internal Plugin Daemon API from unauthenticated requests and trigger cross-tenant internal API calls, as well as preview documents uploaded by other tenants and leak files across users within a tenant by attaching another user’s file unique identifier. Separately, Zafran said it also discovered that Dify’s file parsing stack relied on a version of PDFium, an open-source C++ library for PDF rendering, that was vulnerable to CVE-2024-5846 (CVSS score: 8.8), a two-year-old use-after-free bug that could allow a remote attacker to potentially exploit heap corruption via a crafted PDF file. The remaining vulnerabilities are listed below - CVE-2026-41947 (CVSS score: 9.1) - An authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. CVE-2026-41948 (CVSS score: 9.4) - A path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon’s internal REST API by exploiting insufficient URL path sanitization and access internal, private endpoints.

CVE-2026-41949 (CVSS score: 7.5/5.9) - An authorization bypass vulnerability in the file preview endpoint (“/console/api/files/{file_id}/preview”) that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file’s UUID. CVE-2026-41950 (CVSS score: 6.5) - An authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. The missing tenant ownership checks can be exploited to redirect all messages and responses from victim applications to an attacker-controlled LLM trace provider. It’s worth noting that anyone can freely register for a Dify account.

“Consequently, an attacker can configure their own tracing for any application they can access as a client, which includes all publicly accessible applications,” the researchers explained. “This allows an attacker to create a persistent exfiltration channel for all messages and responses sent in the application.” Following responsible disclosure, all vulnerabilities barring CVE-2026-41948 have been addressed in version 1.14.2 , which was shipped last month. A fix for the pending flaw is expected to be made available in the next release of Dify. “DifyTap demonstrates where the challenge lies in vulnerability visibility, particularly in container images, where differences between deployments can create visibility gaps that traditional scanners cannot detect,” the company said .

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER . According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions to prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372.

“The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode,” researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown. The attack begins when unsuspecting users enter queries such as “lts version of node.js” on search engines like Google, redirecting them to a fake website (“node-js[.]prentiva99[.]info”) surfaced via bogus ads published under the verified name “ВОЛОДИМИР ТЕРЕЩЕНКО” that’s purportedly based in Ukraine. It’s currently unknown if the advertiser account is linked to the actual threat actor, or if it’s a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026.

Users who end up interacting with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters. Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER, through a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt. The attack then employs DLL side-loading to launch a rogue DLL, which then proceeds to decrypt and execute the CastleStealer payload.

OXLOADER also makes use of techniques like control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) to evade static detection, while simultaneously taking steps to ensure it’s not run on sandboxed environments. CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool as part of a campaign codenamed BackgroundFix . CastleLoader is attributed to a threat activity cluster known as GrayBravo. “OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching,” Elastic said.

“The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis.” “That investment is paying off, resulting in low detection rates across static engines and detonation runs, giving OXLOADER a window to operate before it gets hunted down.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.