2026-06-29 AI创业新闻
Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer
Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts. “This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain ‘compatible’ with npm v12’s security hardenings ,” JFrog said in a technical analysis. “The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer.
The names of the identified npm packages are listed below - html-to-gutenberg fetch-page-assets (which lists html-to-gutenberg as a dependency) The two packages were uploaded to npm on May 25, 2026, and are no longer available for download from the registry. The starting point of the attack is a hidden Microsoft Visual Studio Code (VS Code) task named “eslint-check” that’s configured with the “runOn: ‘folderOpen’” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor. “They do not recursively execute every nested .vscode/tasks.json; in this case, the trigger fires when the malicious package directory itself is opened as the workspace and marked as trusted, or that the developer explicitly allowed automatic tasks,” JFrog said. “The command also disguises the payload as a font file - public/fonts/fa-solid-400.woff2, even though the file just contains JavaScript code.” It’s worth noting that the abuse of a VS Code auto-run task , coupled with the disguise of JavaScript malware as font files, has been attributed to North Korea.
The OpenSourceMalware team, which is tracking the activity under the moniker Fake Font, has described it as a variant of Contagious Interview , a long-running campaign targeting software developers and technical personnel through fraudulent job interview processes. “This ‘Fake Font’ campaign delivers a multi-stage loader that ultimately deploys the InvisibleFerret Python backdoor, designed to steal cryptocurrency wallets, browser credentials, and establish persistent access,” security researcher Paul McCarty noted back in January. “This is the third sub-campaign of the Contagious Interview’ campaign that has been ongoing since 2023.” The bogus font file uses blockchain infrastructure as a dead drop resolver, relying on TronGrid and Aptos as a fallback mechanism to fetch a next-stage JavaScript payload in a manner that’s resilient to takedown efforts. The JavaScript stage repeats the same dead drop retrieval pattern to configure a command-and-control (C2) server that enables file uploads and Python malware delivery.
This includes setting up a Socket.io backdoor that grants the operator remote control over the infected host through features like shell execution, clipboard harvesting, file system operations, file upload, process management, and arbitrary JavaScript execution. In parallel, the infection chain launches a Python loader component that’s responsible for retrieving the Python infostealer from the C2 server and installing the necessary dependencies. The artifact is a wide-ranging credential, browser, wallet, and developer artifact stealer that can siphon data stored in Chromium-based and Mozilla Firefox browsers, password managers, authenticators, and cryptocurrency wallets. It’s also equipped to harvest developer-oriented information like Git credentials, GitHub CLI hosts.yml, GitHub Desktop logs, VS Code, and global storage, as well as data from Windows Credential Manager, Linux Secret Service, KDE Wallet, macOS Keychain, and cloud storage metadata for Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Mega, and pCloud.
In the final stage, the collected data is packaged into compressed ZIP archives and uploaded to the C2 server, and to a Telegram bot if a bot token is provided by the attacker during runtime. The campaign has also targeted the Go ecosystem, with Nextron Systems discovering a set of 16 Go packages containing the same malware. The list is as follows - github.com/lambda-platform/lambda github.com/reauheau/goaubio github.com/glacialspring/go-winsparkle github.com/bm-197/chill github.com/naol7/dist-task-scheduler github.com/anatoli-derese/a2sv-excercise github.com/amantsehay/a2sv-go-course github.com/dexbotsdev/uniswap-v2-v3-arbitrage github.com/lambda-platform/ebarimt-rest-api github.com/lambda-platform/dan github.com/zainirfan13/graphql-client github.com/hngi/team-fierce-backend-golang github.com/glacialspring/static github.com/rickt/slack-weather-bot github.com/Barsu5489/commerce github.com/Setsu548/Logistic “Most appear to be legitimate packages whose latest released version included the malware alongside the original package contents, using the same structure and fake font file,” JFrog added. Users who have installed the packages are advised to remove them with immediate effect, search developer machines for hidden VS Code folder-open tasks, and rotate credentials, tokens, cloud credentials, API keys, browser-stored credentials, and wallet credentials.
“The payloads show that the attacker was interested in both immediate theft and interactive access,” the cybersecurity company concluded. “The socket.io-based backdoor provides command execution and file collection, while the Python stage performs wide credential and wallet harvesting across browsers, OS credential stores, developer tooling, and cryptocurrency applications.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the U.S. The systematic cyber attacks aimed at stealing sensitive information from the victims, the agency added. “The goal of these ‘hacks’ is to gain access to sensitive military, political, and economic information exchanged by users, as well as to steal their personal data,” the agency warned in a post shared on Telegram.
To pull off the operation, the attackers send SMS messages that masquerade as the messaging platform’s support bot and urge users to disclose their account credentials. The SSU noted that these attacks include not only organizations, officials or public figures, but also personal accounts belonging to Ukrainian nationals. It did not attribute the campaign to a specific hacking group. However, similar attack waves directly aimed at Signal and WhatsApp messaging app users have been attributed to Russian threat activity clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
To counter the risk posed by such threats, it’s advised to periodically review active messaging app sessions and log out of unknown connections, enable two-factor authentication, refrain from scanning QR codes received from unknown users, not disclose confirmation codes, PIN codes, passwords, and account recovery keys, and click on suspicious links or open files from unknown or dubious chats. The development comes as the FBI attributed Russian Intelligence Services (RIS) cyber threat actors to an ongoing commercial messaging application (CMA) phishing campaign aimed at high-value targets to deceive them into handing over their backup recovery keys. Late last month, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed to the Belarus-aligned threat actor known as UNC1151 (aka Ghostwriter and UAC-0057) a spear-phishing campaign that targeted government organizations using compromised accounts to deliver an information stealer called OYSTERBLUES. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards
OpenAI on Friday released three versions of GPT-5.6 , called Sol, Terra, and Luna , as a limited preview to a small number of companies as part of an ongoing engagement with the U.S. government. While Sol is the latest flagship model and the most powerful, Terra strikes a balance between efficiency and power, and Luna is fine-tuned for speed and affordability. “GPT‑5.6 Sol launches with our most robust safety stack to date.
We strengthened protections for higher-risk activity, sensitive cyber requests, and repeated misuse, and spent multiple weeks finding weaknesses, pressure-testing our system, and hardening it against real-world attacks,” OpenAI said . The model has also been touted as the “most capable model yet” for cybersecurity, making it much more suitable for vulnerability research and exploitation. On ExploitBench , GPT‑5.6 Sol is competitive with Anthropic Mythos Preview using only about one-third of the output tokens, OpenAI noted. The goal, it added, is to enable access to legitimate work such as code review, vulnerability research, patch development, debugging, security education, and defensive testing, while enforcing strong guardrails that block offensive activity and swiftly remediating newly discovered jailbreaks.
This includes adversarial attempts to jailbreak the model and refuse what it describes as “prohibited cyber assistance.” “As these capabilities continue to advance, our priority is to make sure they reach and benefit defenders, who can use these tools to find weaknesses, develop patches, and strengthen systems more broadly,” the artificial intelligence (AI) company explained. That said, OpenAI is also warning that there may be scenarios during the preview phase where users may encounter safeguards that block or refuse legitimate requests, or have their requests paused for additional review, owing to the “ dual-use “ nature of the technology. According to OpenAI’s GPT-5.6 Preview System Card, although the model is more adept at finding vulnerabilities in code and developing exploits, the capabilities do not extend to carrying out autonomous, end-to-end attacks against hardened targets or weaponizing those cyber vulnerabilities in real attacks. “Separate evaluations examined misaligned behavior in agentic coding tasks and found GPT-5.6 shows a greater tendency than GPT-5.5 to go beyond the user’s intent, including by taking or attempting actions that the user had not asked for, though absolute rates remain low,” it pointed out .
An evaluation of GPT-5.6 Sol against widely deployed hardened software projects using VulnLMP, which is OpenAI’s internal framework designed to test end-to-end exploit chain development against real-world targets, has found the model to produce credible memory safety leads, some of which could lead to disclosure, mutation, or control flow corruption. “This suggests that substantial parts of real world vulnerability research are becoming increasingly automatable when models are paired with tool use, build systems, and verification infrastructure,” the tech upstart said. OpenAI intends to make GPT‑5.6 Sol, Terra, and Luna generally available in the coming weeks, and it previewed the model capabilities to the U.S. government.
It’s also launching a limited preview for a small group of trusted partners whose participation has been approved by the government before a broader launch. Earlier this month, U.S. President Donald Trump signed an executive order on AI and cybersecurity, calling for the creation of a framework that grants the federal government the ability to evaluate AI models’ capabilities and determine which qualify as “covered frontier models,” a designation for AI systems with advanced cyber capabilities. The staggered release comes days after the company released an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative and launched a new project called Patch the Planet in collaboration with Trail of Bits to help secure open-source projects.
It also follows the U.S. government’s decision to permit Anthropic to release its Mythos AI model to a group of about 100 trusted companies and federal government agencies that “operate and defend critical infrastructure,” more than two weeks after the powerful cybersecurity-focused models were pulled from the market . “We’re restoring access for these organizations quickly, and we’re continuing to work with the government to expand access to Mythos 5 and make Fable 5 available for general use again,” Anthropic said in a statement posted on X. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys
The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the account’s backup, read the private and group message history, and take over the account. Worse, the key keeps working. Make a new account on the same phone number, and the old key can still be used against it, the advisory warns.
The fix is blunt: generate a new key in Settings, which kills the old one for future backup downloads, and accept that anything the attacker already pulled is gone. The updated advisory, PSA I-062626-PSA , adds two public tracking names the March notice lacked: UNC5792 and UNC4221. The FBI ties the activity to multiple Russian Intelligence Services (RIS) groups, including FSB officers embedded with the FSB Border Guards and others working for the Russian military services. The campaign hits Signal and WhatsApp accounts; the new recovery-key tactic the advisory describes is specific to Signal.
The targets are individuals of high intelligence value: current and former U.S. and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March notice said the broader campaign had already compromised thousands of accounts worldwide. The phishing message poses as Signal support.
Earlier waves asked for SMS verification codes and account PINs, or used doctored “group invite” links that silently linked an attacker’s device to the account. The updated version walks the target through turning on Signal backups, opening the Recovery Key, and pasting it into the chat. The advisory prints two sample messages: one dressed up as a mandatory two-factor rollout, the other as an urgent “data recovery” fix for messages supposedly at risk of loss. As in March, the agencies are clear that none of these breaks Signal’s encryption or the app itself.
The actors compromise individual accounts through social engineering, then walk in through a legitimate feature. Alongside the update, the State Department’s Rewards for Justice program is offering up to $10 million for information on UNC5792. The activity overlaps with warnings from Dutch intelligence (AIVD and MIVD), Germany’s BfV and BSI , and France’s ANSSI earlier this year. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked-device feature in early 2025, and saw the same tradecraft turn up against WhatsApp and Telegram.
What to do now Treat any in-app message from “Signal support” as hostile. Real support does not message you inside the app to ask for codes, PINs, or your Recovery Key. Never paste your Backup Recovery Key, verification code, or PIN into a chat. Nothing legitimate asks for them that way.
Open Settings, check Linked Devices, and remove anything you do not recognize. If you think you handed over your Recovery Key, generate a new one in Settings now, and assume any backup made before that is already in someone else’s hands. The March notice warned the tactics would shift. They have, from chasing one-time codes to taking the key that opens the entire archive.
The encryption holds. The account is the weak point, and the person holding it is the target. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. Kaspersky, which is tracking the activity under the moniker StrikeShark , said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, and Serbia. “The observed victimology suggests a campaign with broad geographic reach and a diverse target set rather than a narrow focus on a specific industry or region,” the Russian cybersecurity vendor said . The campaign does not exhibit direct links to any known threat actor or group, although the operators have utilized several open-source post-compromise tools like FScan and Pillager , which are commonly put to use by Chinese-speaking developers.
It’s believed that the campaign is the handiwork of a Chinese-speaking threat actor. Attack chains involve the two initial access pathways: the exploitation of known Exchange Server flaws, such as CVE-2021-26855 (aka ProxyLogon), to strike the Indonesian diplomatic entity, or through a path traversal vulnerability impacting Openfire ( CVE-2023-32315 ) in the case of Taiwanese software development organizations, or a critical remote code execution bug in GeoServer ( CVE-2024-36401 ) to target a Colombian organization. Other remote code execution and authentication bypass vulnerabilities weaponized by the threat actor are listed below - Apache Shiro: CVE-2016-4437 Hikvision Products: CVE-2021-36260 Microsoft SharePoint: CVE-2021-27076 Zimbra Collaboration Suite: CVE-2022-27925 Microsoft Exchange Server: CVE-2022-41082 (aka ProxyNotShell ) F5 BIG-IP: CVE-2023-46747 Fortinet FortiOS: CVE-2024-21762 React Server Components: CVE-2025-55182 Fortinet FortiOS: CVE-2022-40684 Cisco IOS XE Web UI: CVE-2023-20198 It’s assessed that the threat actors are likely employing publicly available proof-of-concept (PoC) exploits hosted on GitHub or other open-source platforms to gain initial access in an opportunistic manner. Upon gaining a foothold, the threat actors establish persistence by deploying web shells to trigger a DLL side-loading chain involving “ SystemSettings.exe “ ( CVE-2021-27076 ) to deliver SharkLoader (“SystemSettings.dll”).
A second method used by StrikeShark to distribute the loader is via custom dropper executables masquerading as legitimate software installers or applications like Google Update and Cisco AnyConnect, and executing the malware loader once the installation process completes. The method by which these droppers are delivered is currently unknown. “In addition to installer-themed lures, several SharkLoader droppers use decoy PDF documents to persuade victims to open the malicious file,” Kaspersky explained. “However, not all samples employ this technique, as some droppers function solely as a delivery mechanism for SharkLoader without presenting any lure content.” Once the DLL is loaded, SharkLoader implements what’s called Perfect DLL Hijacking , a technique detailed by security researcher Elliot Killick in October 2023, to execute malicious code while bypassing Windows Loader Lock , a system-wide lock held by the operating system when loading and unloading DLLs.
Specifically, it’s engineered to decrypt and load “DscCoreR.mui,” which is then used to decompress and load Cobalt Strike in a new thread created in a suspended state, along with two other components - SyncRes.dat, which installs multiple Windows API hooks by using the Microsoft Detours library to monitor exceptions generated during runtime. MinHook DLL, which installs API hooks for the VirtualAlloc and Sleep functions to copy the decompressed Cobalt Strike Beacon into the allocated memory region using VirtualAlloc. The Sleep-related hook is triggered when the Beacon calls Sleep, likely in an attempt to evade memory scanning techniques that identify executable (RWX) code regions in memory. “Finally, after the API hooks are installed and the Cobalt Strike Beacon shellcode has been written to the thread buffer, the malware calls the ResumeThread API to resume the suspended thread and begin execution of the beacon,” Kaspersky explained.
While SharkLoader does not come with persistence mechanisms built into it, the threat actor has been found to leverage Registry Run keys and scheduled tasks as a way to activate the launch of “SystemSettings.exe” either when a user logs in, or even if no user is logged in. The attacks also involve an extensive reconnaissance phase following initial compromise and persistence, with the threat actor engaging in Active Directory enumeration, credential theft by targeting the LSASS process and the NTDS database file, and deploying open-source scanners and information gathering tools like FScan, Searchall, and Pillager. Given the absence of active data exfiltration, it’s unclear what the end goals of StrikeShark are. However, the targeting of government and software development organizations suggests a cyber espionage bent with a potential interest in hoovering political intelligence or intellectual property.
“At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may also be opportunistically targeting vulnerable systems,” Kaspersky said. “The absence of clear evidence of data exfiltration thus far does not exclude this possibility, as Cobalt Strike’s file operation and data exfiltration modules could be employed at a later stage.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign
A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062 , which Palo Alto Networks Unit 42 said shares overlaps with UAT-7237 , a hacking group that was first flagged by Cisco Talos in August 2025 in relation to a campaign directed against web infrastructure entities in Taiwan. Unit 42 said it also observed CL-STA-1062 campaigns in prior operations targeting strategic sectors in East Asia since March 2022, suggesting a broader but sustained focus in the region. “From a technical standpoint, the attackers behind CL-STA-1062 rely on a hybrid toolkit,” Unit 42 said in a technical report.
“While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor.” TinyRCT is equipped to run arbitrary commands, enumerate files and exfiltrate them, capture the device’s screen, and delete itself from the compromised host. In one campaign detected in September 2025, the threat actor is said to have infiltrated a Southeast Asian government entity and deployed a web shell to exfiltrate data from an MS SQL server. During the same attack, the threat actors have been found to conduct network reconnaissance on a separate government entity in the same country. “This suggests an effort to identify lateral movement opportunities and broaden their access.
In one case, we observed the attacker staging and exfiltrating an entire directory of web server source code from the government entity,” Unit 42 said, adding it detected the breach of at least 10 different organizations in Southeast Asia between October and December 2025. Since at least mid-2025, CL-STA-1062 has trained its sights on the critical infrastructure, with the adversary scanning multiple entities in the region for vulnerabilities and then establishing a foothold via ASPX web shells that facilitate initial reconnaissance and outbound requests from the infected networks to attacker-controlled infrastructure, leading to the deployment of additional payloads. This includes SoftEther VPN components and RAR archives containing the group’s toolset, including open-source utilities such as Yuze (a SOCKS5 proxy) and VNT (a VPN), often disguising them as VMware executables or an XDR agent (e.g., “XDRAgent.exe,” “vmtools.exe,” and “vmwared.exe”). Further analysis of the campaign’s infrastructure has led to the discovery of a previously undocumented .NET backdoor dubbed TinyRCT (“PerfWatson2.exe”), a lightweight remote access trojan that enables system reconnaissance, command execution, file uploads, screenshot capture, remote control, and wipe traces of itself, while taking steps to avoid running in sandboxed environments.
It establishes a persistent communication channel with a remote server (“45.32.113[.]172”) over HTTP, but encrypts the exchanged data using AES-128 encryption in CBC mode. “The malware operates on a beaconing model, with a default 10-second sleep interval between requests,” Unit 42 explained. “It polls the C2 server for instructions using GET requests, while it sends exfiltrated data via POST requests.” As for how TinyRCT is delivered, it takes the form of a malicious archive named “chrome_setup.zip” containing a legitimate executable (“chrome_setup.exe”), a configuration file (“chrome_setup.exe.config”), and a rogue DLL (“MyAppDomainManager.dll”) that’s used to trigger an AppDomainManager injection attack to load the malicious DLL, which functions as a downloader by contacting “139.180.134[.]221” to retrieve “PerfWatson2.exe.” “The combination of tools observed in this activity cluster reflects a pragmatic approach to tool selection and attack capabilities,” Unit 42 concluded. “The attackers behind this cluster continue to leverage common open-source tools such as SoftEther VPN and VNT to facilitate lateral movement.” “Our discovery of the TinyRCT backdoor in the attackers’ infrastructure underscores their ability to customize tools to gain specific capabilities.
The combination of targeting critical infrastructure and the development of custom malware suggests that CL-STA-1062 activity will continue to pose a threat to the region.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries
A flaw in the Linux kernel’s traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331 , nicknamed “ pedit COW ,” is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as important .
The exploit never touches the file on disk. It poisons the cached copy of a setuid root binary (/bin/su) in memory, injects a small payload, and runs that altered image as root. File-integrity checks come back clean while a root shell is already open. The exploit needs two things: act_pedit being loadable and unprivileged user namespaces being open, giving the attacker a namespace-local networking capability (CAP_NET_ADMIN) needed to trigger the bug.
On the tested RHEL and Debian targets, both conditions were present. How the Bug Works Linux’s tc traffic-control tool can rewrite packet headers in flight using an action called pedit. The kernel function that does this, tcf_pedit_act(), is supposed to make a private copy of the data before editing it, the standard copy-on-write pattern. It checked the writable range once, before the final offsets were known.
Some edit keys only resolve their offset at runtime. When that happens, the write lands outside the privately copied region, so the kernel modifies a shared page-cache page instead of a private copy. If that page belongs to a cached file, the file’s in-memory image is corrupted. The pattern is familiar.
Dirty Pipe , Copy Fail , DirtyClone , and Dirty Frag all share the same shape: a kernel fast path writes into a page it does not exclusively own, and the page cache takes the hit. What is new here is the entry point. An unprivileged user can configure tc actions from inside a user namespace, which gives them the CAP_NET_ADMIN that the exploit needs. Affected Systems The PoC author reported unprivileged-to-root exploitation on RHEL 10 and Debian 13 (trixie), where unprivileged user namespaces are open by default.
Ubuntu 24.04 required routing execution through AppArmor profiles that still permit user namespaces. Ubuntu 26.04 blocks that path by default because its AppArmor profiles restrict unprivileged user namespaces, though the underlying kernel remains vulnerable. Fixes are split by vendor. Debian has fixed trixie through its security channel.
Debian 11 and 12 are still listed as vulnerable. Ubuntu lists supported releases from 18.04 through 26.04 as vulnerable as of June 25. Red Hat lists RHEL 8, 9, and 10 as affected; RHEL 7 is not listed in the bulletin. What to Do Install the patched kernel and reboot.
Prioritize systems where “local user” does not mean trusted user: multi-tenant hosts, CI/CD runners, Kubernetes nodes, build workers, and shared research or lab machines. If you cannot patch yet, two mitigations kill the exploit chain. On systems that do not need tc pedit rules, check whether the module is in use (lsmod | grep act_pedit), then block it from loading: echo ‘install act_pedit /bin/true’ | sudo tee /etc/modprobe.d/disable-act_pedit.conf Alternatively, disable unprivileged user namespaces (user.max_user_namespaces=0 on RHEL, kernel.unprivileged_userns_clone=0 on Debian/Ubuntu). That removes the namespace-local capability the exploit needs, but it breaks rootless containers, some CI sandboxes, and sandboxed browsers.
Test first. Because the overwrite targets cached memory, file-integrity checks may not catch it. Dropping the page cache (echo 3 > /proc/sys/vm/drop_caches) clears the poisoned in-memory copy, but does nothing about the root shell the attacker already opened. Treat the host as compromised.
The fix landed on the netdev mailing list in late May, framed as a routine data-corruption patch. The exploitable detail sat on a public mailing list for weeks. No CVE, no security warning. The CVE was assigned when the fix was merged on June 16.
The weaponized proof-of-concept followed within a day. For kernel page-cache corruption bugs, waiting for a scanner rule is too slow. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer’s cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon’s AI coding assistant handled Model Context Protocol (MCP) servers.
Wiz Research, which found and reported it, showed that a single config file dropped in a repo was enough to go from git clone to cloud compromise. How the attack worked Amazon Q read an MCP configuration file, .amazonq/mcp.json, from the open workspace and launched the servers it defined. MCP servers are local processes that an AI assistant can spawn to reach databases, APIs, or build tools, so starting one means running commands on the machine. Those processes inherited the developer’s full environment.
That usually means AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets. Put the two together, and a file sitting in a cloned repo could run arbitrary code with the developer’s live cloud session attached. No password, no second sign-in. In its proof of concept , Wiz had the file run aws sts get-caller-identity and ship the output to an attacker server, capturing the active AWS session.
What comes next depends on that developer’s cloud permissions: backdoor an IAM user for persistence, reach internal services, or pivot toward production. AWS and Wiz frame the consent step differently. Amazon’s advisory says the user has to trust the workspace when prompted, and CVSS rates the user interaction as passive. Wiz reported there was no separate consent step for the MCP servers themselves before the fix.
The patch closes that gap: Amazon Q now flags an untrusted MCP server and lets the developer reject the command before it runs. The flaw lives in Language Servers for AWS , the runtime that powers Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio. All four plugins bundle it, so all four were exposed by versions that shipped an older copy. What to do Update.
CVE-2026-12957 is fixed in Language Servers for AWS 1.65.0, but AWS’s bulletin tells customers to move to 1.69.0. That build also closes a second issue, CVE-2026-12958 , a missing symlink check that could allow arbitrary file writes outside the workspace trust boundary. The patched plugin minimums: VS Code: 2.20 or later JetBrains: 4.3 or later Eclipse: 2.7.4 or later Visual Studio toolkit: 1.94.0.0 or later The language server auto-updates unless the network blocks it, and reloading the IDE pulls the latest build. There is no known public exploitation; CISA’s ADP entry for CVE-2026-12957 lists it as none.
Wiz found the flaw through research and disclosed it in coordination with Amazon, reporting it on April 20 and seeing a fix on May 12, ahead of the June 26 public write-up. A pattern, not a one-off Amazon Q is not the first coding assistant to trip over MCP trust. The bugs are not identical, but they rhyme: project configuration turns into executable behavior, and the trust checks around that handoff keep failing. Claude Code (CVE-2025-59536) and Cursor (CVE-2025-54136) both had project-level MCP config that led to command execution.
Windsurf (CVE-2026-30615) reached the same end by a different path, with attacker-controlled content rewriting the local MCP config to register a malicious server. The convenience of letting a project folder configure an AI agent is also the attack surface. Repo-carried config is untrusted input. Turning it into a running process should take an explicit yes.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network. “The vulnerability is a remote code execution (RCE) issue that may be exploited through deserialization of untrusted data,” according to an advisory released by PTC.
Although patches for the flaw were released last week, PTC has since confirmed, as of June 25, that “we’ve received continued reports of heightened threat activity,” with the company disclosing that unknown attackers are exploiting the vulnerability to deploy JSP web shells against susceptible systems. PTC has also released the following indicators of compromise (IoCs) associated with the activity - 172.111.38.31 216.152.148.54 104.243.35.131 74.50.76.146 5.180.41.35 216.152.148.54 5.180.41.35 (Attacker command-and-control address) Web shell files following the naming pattern /Windchill/login/[0-9a-f]{16}.jsp As mitigations, users are advised to perform the following actions - Block 5.180.41.35 at the perimeter firewall immediately Search HTTP access logs for any POST requests to /Windchill/login/*.jsp Scan the filesystem for JSP files matching the 16-hex-char pattern /Windchill/login/[0-9a-f]{16}.jsp Hash-check any suspicious JSP files against 55a1eb4c2d3da04376df39d7ba832569c6af1a37a0cf2b95f754ac898023a30c Check for flst.txt in /tmp or the Windchill working directory, the presence of which confirms attacker file-listing activity Add WAF / IDS rule blocking any request containing the header X-windchill-req: Restrict internet exposure of the Windchill login endpoint where operationally possible The development makes it the first-ever PTC product vulnerability added to CISA’s KEV catalog, not to mention highlighting how threat actors are rapidly weaponizing newly disclosed vulnerabilities to their advantage. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant. Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in mainline on May 21; if your kernel does not have it, update now.
When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet’s memory as shared with a file on disk. That missing flag is the entire vulnerability. The attacker loads a privileged binary like /usr/bin/su into memory, wires those memory pages into a network packet, and forces the kernel to clone it. The cloned packet passes through an IPsec tunnel that the attacker controls, and the decryption step overwrites the binary’s login checks with attacker-chosen bytes.
The next time anyone runs su, it hands over root. The file on disk never changes. The modification lives only in the kernel’s in-memory copy, so file-integrity tools miss it, the attack leaves no audit trail, and a reboot restores the original binary. The attacker already has root by the time anyone might think to check.
Exploitation requires CAP_NET_ADMIN to configure the loopback IPsec tunnel. On Debian and Fedora, unprivileged user namespaces are enabled by default, so a local user can obtain that capability inside a new namespace. Ubuntu 24.04 and later restrict namespace creation via AppArmor, blocking the default exploit path. Page cache is shared at the host level, so modifications made inside a namespace affect every process on the machine.
The exposed systems are multi-tenant servers, CI runners, container hosts, and Kubernetes clusters where untrusted users can create namespaces. JFrog confirmed the exploit on Debian, Ubuntu, and Fedora systems with default namespace configurations. Fourth in a Series This is the fourth recent privilege escalation with the same failure mode: file-backed memory gets treated as packet data, then an in-place network operation writes where it should have copied. Copy Fail (CVE-2026-31431) came first in late April, exploiting the algif_aead module for a four-byte page-cache write.
DirtyFrag (CVE-2026-43284 and CVE-2026-43500) followed on May 7, chaining IPsec ESP and RxRPC paths for a full write primitive. Fragnesia (CVE-2026-46300) appeared on May 13, bypassing the DirtyFrag patch through a flag-dropping bug in skb_try_coalesce(). Each fix closed one code path and left others open. DirtyClone’s demonstrated exploit centers on __pskb_copy_fclone(), with skb_shift() also affected; the broader CVE fix covers additional frag-transfer helpers where the same flag could be lost.
The underlying problem is not one bad helper function. It is a contract problem: every code path that moves skb fragments has to preserve the shared-frag bit, every time. The kernel’s zero-copy networking lets file-backed memory serve as packet data, and a single dropped flag anywhere in the chain turns a performance optimization into a write primitive. Each variant found a path where the contract was not honored.
The original DirtyFrag researcher, Hyunwoo Kim, had submitted a broader multi-site patch covering several remaining frag-transfer helpers on May 16. The combined fix was merged on May 21 (commit 48f6a5356a33), assigned CVE-2026-43503 on May 23, and shipped in Linux v7.1-rc5 on May 24. What to Do Install your distribution’s kernel update. The fix landed upstream in v7.1-rc5 and has been backported to stable and LTS branches.
Ubuntu , Debian , and SUSE have published advisories; Red Hat has a Bugzilla tracking entry . If you cannot patch today, two workarounds reduce the attack surface. Restrict unprivileged user namespaces: on Debian and Ubuntu, set kernel.unprivileged_userns_clone=0 (other distributions use different mechanisms). Alternatively, blacklist the esp4, esp6, and rxrpc kernel modules, though that breaks IPsec and AFS and only works when those features are loadable modules rather than compiled into the kernel.
Both are temporary controls, not fixes. The DirtyFrag class is probably not done. Any function that moves fragment descriptors without propagating the shared-frag flag is a potential new CVE, and auditing should cover every path that touches skb_shinfo()->flags during fragment transfer. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Guardian Agents: The Next Layer of Identity Governance
AI agents are moving through enterprise environments, inheriting permissions, traversing systems, and executing decisions at machine speed with minimal oversight. The identity infrastructure built to govern human access wasn’t designed for autonomous actors, and the gap between what enterprises are deploying and what their governance programs actually cover is widening fast. This guide breaks down how the guardian agents emerged, why it matters, and what operationalizing it looks like in practice. The Governance Gap Agentic AI Created Identity governance has always lagged behind infrastructure change, but the arrival of production-grade agentic AI didn’t just widen the gap.
It changed its shape entirely. The assumptions baked into every IAM architecture built over the past two decades are no longer sufficient for the environment most enterprises are actually running today. Agents Aren’t Service Accounts Security teams have spent years getting reasonably good at governing non-human identities. Service accounts get provisioned, rotated, and scoped.
API keys get vaulted. Machine identities get enrolled in PAM workflows. The controls aren’t perfect, but the mental model is coherent: a non-human identity performs a defined function against a known set of resources, and you govern it by constraining what it can reach. AI agents break every part of that model.
An agent doesn’t execute a fixed function. It receives an instruction, reasons about how to accomplish it, dynamically selects tools, chains calls across multiple systems, and delegates sub-tasks to other agents, all within a single session. The permission footprint of a single agent invocation can span a CRM, a code repository, a document store, and an internal API, touching resources that no human explicitly authorized the agent to access. The Permission Inheritance Problem The deepest architectural problem isn’t that agents carry too much access.
It’s that they inherit access from the human or service identity they operate on behalf of, and that inherited access was scoped for an entirely different context. When an agent executes on behalf of a sales director, it carries that person’s OAuth tokens, their delegated permissions, and any overprivileged access accumulated over years of role changes. The agent doesn’t distinguish between what the human would have done and what it’s been instructed to do. It executes with full inherited authority across every application that identity can reach.
Traditional IAM governance was built around authentication events. A human presents credentials, the system validates them, and access is granted or denied at login. Agents don’t follow that sequence. They authenticate once, often via a long-lived token or API credential, and then operate continuously across sessions, systems, and contexts without an intervening governance checkpoint.
An Architectural Problem, Not a Configuration One IAM tools weren’t designed to observe what happens after authentication. They record the login event and stop. The entire sequence of tool calls, permission uses, data accesses, and cross-system traversals an agent performs inside a session remains invisible to the governance layer. Agents find existing identity dark matter and move through it at machine speed.
Stale delegations and over-scoped credentials that IAM teams have long deprioritized become an active attack surface the moment an agent touches them. Governing that requires a layer purpose-built to operate where identity actually executes, not just where it authenticates. Why Adoption Is Accelerating Now The speed of agentic AI deployment inside enterprise environments has less to do with hype and more to do with three converging forces: models that now reliably complete multi-step reasoning tasks, infrastructure that makes orchestrating those models straightforward, and business pressure to automate knowledge work at a scale that headcount alone can’t support. The Infrastructure Maturity Inflection Point Twelve months ago, deploying a reliable multi-agent workflow required significant custom engineering.
Today, frameworks like LangGraph, AutoGen, and Anthropic’s Model Context Protocol provide development teams with standardized primitives for agent orchestration, tool calling, memory management, and inter-agent communication. The cost of inference has dropped sharply across all major model providers, making it economically viable to run agents continuously rather than on demand. Together, these shifts moved agentic AI from proof of concept to production pipelines on timelines most security organizations didn’t anticipate. Enterprise adoption reflects that shift.
Agents now handle procurement workflows, customer support escalations, code reviews, financial reconciliations, and internal knowledge retrieval across organizations of all sizes. Line-of-business teams deploy them via low-code platforms and vendor-supplied integrations, often without any security review during provisioning. Security Teams Are the Last to Know The deployment pattern for agentic AI consistently repeats itself: engineering or operations teams identify a workflow to automate, a vendor provides an agent-enabled feature or API, and the agent goes live. Security teams discover it later, sometimes during an incident review, sometimes during an audit, sometimes not at all.
The 2026 market guide on guardian agents documents exactly this pattern across enterprise deployments. Governance readiness consistently lags deployment timelines, not because security teams are inattentive but because the provisioning motion for agents bypasses the identity lifecycle entirely. Agents don’t go through access request workflows. They don’t get onboarded into IGA systems.
They inherit credentials from existing identities and start executing. The result is an expanding population of autonomous identities operating across enterprise systems with no formal governance record, no ownership mapping, and no behavioral baseline. The agents are running. The question is whether anyone knows what they’re doing.
What Guardian Agents Are A guardian agent is a purpose-built autonomous control layer that governs the identity and behavior of AI agents operating inside enterprise environments. Where traditional IAM tools govern human access and static machine identities, a guardian agent for AI operates at the execution layer, observing, analyzing, and enforcing policy against autonomous systems that act, reason, and move across applications in real time. The term has moved from conceptual to operational. Enterprises running production agentic workloads now require a dedicated governance mechanism that keeps pace with agent activity, not one that audits it quarterly.
Continuous Identity Inventory The first function of a digital guardian agent is discovery. Every AI agent operating in an environment carries an identity, inherits permissions, and leaves an access trail, but most enterprises lack a systematic way to enumerate which agents are running, which identities they’re acting on behalf of, or which applications they’ve touched. A guardian agent for AI maintains a continuous, live inventory of every autonomous entity in the environment. It maps each agent to its originating identity, its owner, its permission scope, and the applications it interacts with.
When a new agent spins up, provisioned through a vendor integration or deployed by a development team, the guardian agent registers it immediately rather than waiting for a manual review cycle that may never happen. Behavioral Baselining and Anomaly Detection Inventory alone doesn’t constitute governance. A guardian AI agent builds a behavioral baseline for each autonomous identity it monitors, tracking the pattern of tool calls, data accesses, API interactions, and cross-system movements an agent makes during normal operation. Deviation from that baseline is where risk surfaces.
An agent that begins accessing file stores outside its typical scope, calling APIs it has never used before, or escalating through a chain of delegated permissions signals a potential compromise, a prompt injection attack, or a misconfigured policy that has expanded its reach beyond its intended scope. The guardian AI agent surfaces these deviations in real time, with enough context to distinguish a legitimate workflow change from a genuine anomaly. Runtime Policy Enforcement and Permission Scoping Detection without enforcement is monitoring. A digital guardian agent applies a least-privilege policy at runtime, constraining what it can access during a given session based on the context of its current task, rather than the full scope of permissions its inherited identity technically allows.
Runtime scoping is the technical capability that separates guardian agents from conventional identity tooling. Rather than relying on pre-provisioned roles defined before anyone knew an agent would use them, a guardian agent for AI evaluates the current execution context and enforces permissions accordingly, dynamically tightening access as the agent moves through its workflow. A Distinct Category from AI Security Posture Tools A guardian AI agent is not an AI-SPM tool. AI security posture management focuses on the configuration and risk posture of AI infrastructure: model access controls, training data exposure, and API security.
A guardian agent operates one layer down, governing the identity execution behavior of agents themselves, tracking what they do with the access they have, and enforcing boundaries at the moment of action rather than at the point of configuration. How Guardian Agents Differ from Traditional IAM Tools The instinct to govern AI agents using existing IAM tooling is understandable, and it’s wrong. Not because those tools are poorly built, but because they were engineered against a fundamentally different model of what an identity is and how it behaves. Mapping that tooling onto agentic workloads creates dangerous blind spots rather than adequate coverage.
What IGA Was Built to Do Identity governance and administration platforms were designed to manage the lifecycle of human identities: joiner, mover, and leaver workflows, access certifications, role mining, and separation-of-duties enforcement. They work well when identities are enumerable, when access requests follow defined workflows, and when the relationship between a user and their permissions changes on a human timescale. AI agents violate every one of those assumptions. An agent’s identity isn’t provisioned through a request workflow.
Its permission scope shifts dynamically within a session. Its lifecycle doesn’t map to employment status. IGA platforms have no native concept of an agent that inherits a human identity, operates autonomously for the duration of a task, and then becomes dormant, only to reactivate under a different context with different inherited permissions the next time it runs. Access certification campaigns can’t capture what a guardian agent for AI continuously tracks: the actual runtime behavior of an autonomous identity as it moves across systems.
Where PAM Falls Short Privileged access management tools address a different problem. PAM assumes that high-risk access is bounded, that a human operator checks out credentials for a session, performs a defined task, and returns the credentials. The session is recorded, the access is time-limited, and the human is accountable. Agents don’t check out credentials.
They operate through inherited OAuth delegations, service account bindings, or API keys embedded in orchestration configurations. A PAM tool sees none of that. It governs the vault, not the execution path the agent takes once it’s operating with credentials obtained entirely outside the PAM workflow. When an agent traverses four systems in a single session using a delegated OAuth token, PAM has no visibility into any part of that traversal.
A digital guardian agent does. The CIEM Boundary Problem Cloud infrastructure entitlement management tools brought meaningful progress on the non-human identity problem, particularly for cloud service principals, IAM roles, and workload identities operating within a single cloud environment. The limitation is the boundary itself. Agentic workloads routinely span multiple clouds, SaaS applications, self-hosted systems, and third-party API integrations within a single workflow.
CIEM tools govern entitlements within their supported platforms. They don’t follow an agent as it moves from an AWS service role to a SaaS CRM to an internal document management system, accumulating effective permissions across each hop. A guardian AI agent operates across that entire surface, maintaining a unified view of what each autonomous identity can access and what it actually did, regardless of which platform boundary it crossed. The Core Architectural Difference Traditional IAM tools answer identity questions at provisioning time or at the authentication boundary.
A guardian agent for AI answers them at execution time, inside the session, at the application layer, where permissions are actually exercised. The difference isn’t incremental. Governing an autonomous identity that reasons, delegates, and acts requires a control plane that reasons alongside it, observing behavior in motion rather than auditing access after the fact. Common Risks: How Unmanaged Agents Become Identity Dark Matter Unmanaged AI agents don’t announce themselves as a security problem.
They accumulate as one. Each agent that deploys without a governance record, inherits permissions without review, and operates without behavioral oversight adds to a growing population of autonomous identities that security teams can’t see, audit, or control. Orchid Security calls this identity dark matter: the mass of identity activity that exists and exerts real risk inside an environment while remaining invisible to the tools responsible for governing it. Over-Privileged Agent Identities The most pervasive risk pattern starts at provisioning.
When an agent deploys by binding to an existing service account or human identity, it inherits the full permission scope of that identity, regardless of what the agent actually needs. A code review agent bound to a senior engineer’s identity might inherit access to production infrastructure, financial systems, and HR data accumulated over years of role changes. The agent needs none of it, but carries all of it into every session it runs. Over-privileged agent identities are the rule in unmanaged deployments.
Because agents bypass access-request workflows, no one applies least-privilege scoping at provisioning time. The permissions are already there, and binding an agent to an existing identity is the path of least resistance. Orphaned Sessions and Stale Credentials Agent sessions don’t always terminate cleanly. Long-running agents and scheduled automation tasks can maintain active credentials well beyond the duration of the task they were created for.
When an agent is decommissioned or simply forgotten, the credentials it used often remain valid. Stale agent credentials are particularly dangerous in SaaS environments where token revocation requires deliberate action against each connected application. An orphaned agent operating through a long-lived OAuth token can retain access to sensitive systems for months after anyone last intentionally invoked it. Prompt Injection as a Privilege Escalation Vector Prompt injection attacks target agents directly.
An attacker embeds malicious instructions in content the agent processes: a document it summarizes, a web page it retrieves, a ticket it reads. The agent incorporates those instructions into its reasoning and takes actions that the legitimate user never authorized. In environments where agents operate with overprivileged inherited identities, prompt injection becomes a reliable path to privilege escalation without touching credentials at all. Lateral Movement Through Chained Agent Calls Multi-agent architectures introduce compounding risk.
When an orchestrator agent delegates sub-tasks to specialized child agents, each delegation transfers a portion of the orchestrator’s authority. A compromise at any point in that chain propagates downstream, giving an attacker effective access to every system the trust chain touches. The audit trail problem makes all of this harder to contain. Agents operating across unmanaged SaaS applications leave no coherent forensic record in existing security tooling.
When an incident occurs, security teams reconstruct what happened from fragmented logs across disconnected systems, often without enough fidelity to determine which agent took which action on whose behalf. Putting this into your identity governance program requires treating agent identities with the same rigor applied to privileged human accounts: continuous inventory, ownership mapping, behavioral monitoring, and a full audit record across every application each autonomous identity touches. How to Bring AI Agents into the Light Getting AI agents under governance control is an operational capability that security and identity teams need to continually build as agent deployments continue to grow. The following sequence reflects how mature organizations are approaching it, moving from visibility to classification to enforcement to integration.
- Start with Discovery: Know What’s Running Governance starts with an accurate inventory, and most enterprises don’t have one. The first operational step is deploying discovery mechanisms that identify every AI agent active in the environment, regardless of how it was provisioned or which team deployed it. Effective discovery operates at the application layer.
Network-level monitoring captures traffic patterns but can’t attribute them to specific agent identities or map them to the human identities those agents act on behalf of. Application-layer discovery surfaces the agent, its credential bindings, its permission inheritance, and its operational context, all the information needed to make a governance decision. 2. Classify by Trust Level and Permission Scope Not every agent carries the same risk.
Once an inventory exists, classify each agent by the sensitivity of the permissions it holds, the systems it can reach, and the trust level of its originating identity. An agent operating with read-only access to a single internal knowledge base carries a fundamentally different risk profile than one holding delegated OAuth tokens to a financial system and a customer data platform simultaneously. Classification drives prioritization. Agents with broad permission inheritance and connections to sensitive systems warrant immediate least-privilege remediation.
Agents with narrow, well-scoped access warrant monitoring and periodic review. Without classification, every agent looks the same, and remediation effort is distributed without regard to the actual concentration of risk. 3. Enforce Least-Privilege at Runtime, Not at Provisioning Static scoping at provisioning time degrades quickly.
As agents are reused for new tasks, their permissions drift, and the inherited credentials they carry rarely get updated to reflect actual requirements. Runtime enforcement through a guardian agent for AI dynamically applies least privilege, constraining what each agent can access based on the context of its current task rather than on the broadest permissions its identity technically allows. Runtime enforcement also contains the blast radius of a compromise. A prompt injection attack against an agent operating under tight runtime scoping reaches far less than the same attack against an agent running with its full inherited permissions active.
- Integrate with Existing IAM and IGA Stacks A guardian AI agent doesn’t replace the IAM infrastructure already in place. It extends it. Agent identity data feeds into IGA platforms to enable access certification, into PAM tools to flag credential exposure, and into SIEM systems to enrich alert context with agent behavioral history.
The integration layer transforms agent governance from a standalone capability into a live input to the broader identity security platform , giving every downstream tool more accurate information about what’s actually executing in the environment. How Orchid Security Helps The governance gap described throughout this guide is what Orchid Security is built to close. The platform operates as a continuous identity control plane across human, machine, and agentic identities, providing security and identity teams with the visibility and enforcement capabilities that existing IAM tooling doesn’t provide. Continuous Discovery Across Every Identity Type Orchid’s discovery engine automatically inventories every application, account, and authentication flow in an environment, managed or otherwise.
When AI agents spin up, whether through vendor integrations, internal deployments, or low-code automation platforms, Orchid surfaces them, maps them to their originating identities, and enriches them with ownership, permission scope, and business context. Security teams get an accurate, continuously updated picture of what’s running rather than a static snapshot that degrades the moment it’s produced. From Visibility to Enforcement The guardrails for the autonomous identity use case apply Orchid’s identity control plane directly to agentic workloads. Every agent gets mapped to an accountable human owner.
Runtime guardrails enforce least-privilege at the execution layer. Behavioral observability tracks what agents actually do across tool calls, data accesses, and cross-system movements, surfacing anomalies before they become incidents. Orchid also integrates with existing IAM programs and GRC workflows, feeding continuous agent identity telemetry into the tools already governing the rest of the environment. For teams building out their identity governance program, that telemetry becomes the connective tissue between agent activity and enterprise-wide identity policy.
The result is an identity infrastructure that governs the autonomous workforce with the same rigor it applies to human identities, at the speed agents actually operate. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. “The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project,” Socket said . The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows. The list of affected packages is below - hexo-deployer-wrangler@1.0.4 hexo-shoka-swiper@0.1.10 leo-auth@4.0.6 leo-aws@2.0.4 leo-cache@1.0.2 leo-cdk-lib@0.0.2 leo-cli@3.0.3 leo-config@1.1.1 leo-connector-elasticsearch@2.0.6 leo-connector-mongo@3.0.8 leo-connector-mysql@3.0.3 leo-connector-oracle@2.0.1 leo-connector-redshift@3.0.6 leo-cron@2.0.2 leo-logger@1.0.8 leo-sdk@6.0.19 leo-streams@2.0.1 prism-silq@1.0.1 rstreams-metrics@2.0.2 rstreams-shard-util@1.0.1 serverless-convention@2.0.4 serverless-leo@3.0.14 solo-nav@1.0.1 github.com/verana-labs/verana-blockchain@v0.10.1-dev.20 (Go) It’s suspected that an npm developer account associated with the LeoPlatform (“ czirker “) was breached, likely via leaked credentials, to enable the attack, allowing the threat actors to leverage an npm token belonging to the maintainer to push trojanized versions within a six-second window.
The new wave leverages many of the tactics observed in prior campaigns, including npm registry poisoning, binding.gyp install-time execution, Bun-staged JavaScript malware, GitHub dead-drop infrastructure, GitHub Actions secret theft, IDE and AI coding assistant persistence, and encrypted credential exfiltration. The malicious npm packages, while lacking a lifecycle hook typically added to the package.json file, incorporates a binding.gyp file to execute arbitrary code during installation, resulting in the launch of a JavaScript loader that downloads and installs the Bun runtime if not present, and then initiate the stealer payload responsible for harvesting secrets, credentials, and tokens. The malware , besides featuring a Russian locale killswitch and checking for the presence of endpoint security software, drops a workflow named “Run Copilot” to capture CI/CD environment secrets from the runner memory. The information is then uploaded to a public GitHub repository with description “Alright Lets See If This Works.” As of writing, there are 559 repositories matching the description.
The token relay marker has also witnessed a change in the latest iteration. While earlier waves used strings like “IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner,” the current artifact uses “RevokeAndItGoesKaboom,” a string that has been used as GitHub dead drop resolver in connection with the recent compromise of the “codfish/semantic-release-action” GitHub Action. “On June 24, 2026 at 15:39:06 UTC, an attacker force-pushed a malicious commit to codfish/semantic-release-action and redirected several version tags to point at the malicious commit,” StepSecurity said . “Any workflow that ran against one of these tags after that timestamp executed the attacker’s payload directly inside the GitHub Actions runner.
The payload steals GitHub OIDC tokens, harvests Personal Access Tokens matching known GitHub token patterns, encrypts the collected material with AES-128-GCM, and attempts to propagate a backdoor into other repositories accessible with the stolen credentials.” This indicates that all these events are linked to the same operational cluster or tooling lineage. According to Endor Labs and OX Security , the malware also polls GitHub every hour for commits matching the string “ firedalazer “ to retrieve and execute the Hades variant of the malware. “The Leo/RStreams package set is tied to cloud-native and serverless workloads,” JFrog said. “A compromise here can expose developer workstations, CI/CD systems, AWS-backed applications, GitHub repositories, package publishing credentials, and downstream package consumers.” “The notable story is not that the payload is radically new.
It is that Shai-Hulud continues to move across legitimate package ecosystems while changing just enough indicators to make stale detections less effective.” What’s more, the poisoning of the Verana GitHub expands the scope of the campaign beyond npm. That having said, the attack employs the same Miasma execution pattern observed in malicious npm packages without relying on native Go module resolution or build logic. “Unlike the npm packages, this sample does not rely on binding.gyp,” Socket explained. “The risk is source-repository execution: a developer who clones or opens the repository in a trusted IDE or AI coding assistant environment may trigger the payload through project configuration.” “This reinforces the larger campaign theme: Miasma is moving across package ecosystems by targeting developer workflows, not just package-manager install hooks.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.