2026-07-01 AI创业新闻
Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
Cybersecurity researchers have warned of a “massive, ongoing, automated password spray attack” aimed at Microsoft’s Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress , originates from an IPv6 address range ( 2a0a:d683::/32 ) controlled by internet infrastructure provider LSHIY LLC (AS32167). “Between June 12 and June 26, the threat actor behind it made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations,” the company said in a statement. “The targeting of these attacks seems to be based entirely on password prevalence on compromised password combo lists, and is not specific to business type or industry.” What makes the password spray attack noteworthy is not only the scale, but also the fact that many of the compromised organizations had Conditional Access policies enabled.
Specifically, the campaign has been found to leverage a deprecated OAuth flow called Resource Owner Password Credentials (ROPC) to bypass Conditional Access Policy (CAP) protections. ROPC is a legacy OAuth 2.0 grant type where a user directly provides their username and password to a client application, which then sends these credentials to an authorization server to exchange them for an access token. It was deprecated in OAuth 2.1. In its documentation, Microsoft recommends customers against using the ROPC, arguing it’s incompatible with multi-factor authentication (MFA).
“In most scenarios, more secure alternatives are available and recommended,” the tech giant says . “This flow requires a very high degree of trust in the application, and carries risks that aren’t present in other flows. You should only use this flow when more secure flows aren’t viable.” The credential and token spray attacks are said to have resulted in a handful of successful logins per day between June 12 and 21, 2026, averaging two to four accounts being compromised daily, with the exception of June 19, when 12 user accounts (aka identities) were compromised. The steady cadence changed on June 22, with 30 identities across 23 businesses impacted.
In all, 78 user accounts were compromised across 64 organizations as part of the campaign. The vast majority of the password spraying activity emanated from LSHIY LLC. Some of the IP addresses resolve to the U.S., while a few others resolve to China. “These attacks are part of a large wave of credential spray attacks across a few different ASNs,” Huntress said, adding it has witnessed the volume of credential spray attacks surge by over 155 times across its customer base.
“Attacks surged in particular in late May through early June, with a current mean value of about 1,964 failed attacks per month per Huntress-protected tenant.” The activity appears to specifically weaponize old username/password combinations that were previously breached but had never been rotated. The use of the ROPC vector meant that the attackers were able to target enterprises that had implemented MFA, but it wasn’t enforced or configured to account for Azure CLI ROPC logins. This included scenarios where MFA wasn’t triggered - Enforcing MFA only for specific apps, as opposed to “All Cloud Apps,” thereby failing to cover Azure CLI logins used by the threat actors Enforcing MFA only for specific user groups, such as Admins Enforcing MFA only when requests originate from non-trusted locations “It’s worth noting that eight businesses impacted by the campaign had no MFA policy at all,” Huntress said. “While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn’t work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents.” To counter this line of attack, organizations are advised to require MFA for All Users, All Cloud Apps, and All Client App types when enabling CAP, restrict the Azure CLI application for non-admin users, and prioritize response by credential validity.
“This attack reveals cracks in CAPs that haven’t been appropriately configured,” Huntress researchers concluded. “There are still potential weaknesses in how CAPs are deployed that can allow threat actors to slip through. One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely since they don’t go through the authorization endpoint where policies are enforced.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery
ClickFix , the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake “prove you’re human” pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows’ script scanning. Security researcher Bert-Jan Pals took apart several ClickFix platforms and analyzed roughly 3,000 payloads from live campaigns.
He presented the findings at OrangeCon in early June and published the details on June 30. ClickFix is simple by design. A booby-trapped page shows a fake CAPTCHA or error, hidden JavaScript drops a command into your clipboard, and the page tells you to press a key combo, paste, and hit Enter. You run the malware yourself.
There’s usually no exploit at the first step and often no file for traditional antivirus to flag, so conventional email and endpoint controls have less to catch. It works well enough that ESET measured a 517% jump from late 2024 into the first half of 2025, and Microsoft’s 2025 Digital Defense Report put it at 47% of the initial-access cases seen by its Defender Experts team. The technique now has its own entry in MITRE ATT&CK, T1204.004 . Payloads made to order The new part is how the payloads are produced.
Pals found the pages pulling their commands from backend servers that work like an on-demand service: they take requests, check an access token, log the caller, and return a freshly scrambled command each time. He asked one server for 100 payloads and got 100 different ones, wrapped in a rotating mix of Base64, AES, TripleDES, Rijndael, and Deflate. Strip the wrapping and, at least for now, they all unpack to the same script, which runs in memory through a PowerShell runspace. The disguise is disposable; the malware under it is not, though Pals warns the core payload will likely start changing per victim before long.
The same platform serves lures in 25 languages and matches the command to the visitor’s operating system, with macOS versions running alongside Windows. The “as-a-service” label is not just branding. ESET has tracked criminals selling ready-made ClickFix builders to other attackers. Pals found a parallel commercialization one layer deeper, in how each payload is churned out on request.
A quieter way in: the Downloads-folder method The second finding is a direct answer to defenders who watch the clipboard. Instead of copying a malicious command, the newer pages copy a harmless-looking one. The page quietly downloads a file to the Downloads folder, and the clipboard gets a short “orchestrator” line that moves that file, unpacks it, and runs the script inside. Because the pasted line is only that orchestrator and not the payload itself, it is built to slide past AMSI, the Windows feature that lets antivirus scan scripts before they run.
The bad code sits in the downloaded file, off to the side. The observed clipboard line looked like this: powershell -C “$t=$env:TMP;Move-Item "$HOME\Downloads\tmp.zip" "$t\7947.zip";tar -xf "$t\7947.zip" -C "$t";conhost –headless powershell -ExecutionPolicy Bypass -File "$t\tmp.ps1" # "* I am not a robot reCAPTCHA Verification ID:7947 *"” Execution has drifted toward stealth as well. The original 2024 lure told people to press Windows+R and paste into the Run box. A newer version, common through 2025 and into 2026, points them to Windows+X and the Windows Terminal instead.
Terminal use looks more ordinary, and unlike the Run box, it leaves no trace in the RunMRU registry key that investigators normally check. ClickFix stopped being a criminals-only tool a while ago. Proofpoint tied state-backed groups from Russia, Iran, and North Korea, including APT28, MuddyWater, and Kimsuky, to campaigns that dropped ClickFix into their existing infection chains, and North Korean crews built a fake-job “ClickFake Interview” version to hit cryptocurrency workers. The trick has spawned named relatives such as FileFix and DownloadFix that lean on other trusted Windows tools.
The scale is not theoretical either: security firm Expel found one ClearFake wave that likely infected as many as 147,521 systems since late August 2025. What defenders should watch The defensive lesson has not changed. The details have. The dependable signals are process chains, not clipboard text: explorer.exe or WindowsTerminal.exe launching powershell.exe , cmd.exe , or msiexec.exe and reaching out to the network right after.
Those were the most common launchers in Pals’ data, with PowerShell and cmd tied at about 39% each and msiexec close behind at 34%. Behavioral EDR, application-control rules that limit which programs can call script interpreters, and plain user guidance (“never paste a command you were told to run into the Run box or a terminal”) all still hold. The Downloads-folder method adds one more thing to hunt: an innocent-looking one-liner that touches the Downloads folder and then spawns a hidden PowerShell. Pals also listed three payload servers seen during the research: comicstar[.]lat babybon[.]cfd merkantalolol[.]asia A connection to one of these does not prove infection.
It means a command was most likely placed in someone’s clipboard. Pals’ verdict on the technique is blunt: “ClickFix is here to stay.” The pattern across his research is that ClickFix shifts the moment defenders catch up, and the move from one-off scripts to on-demand payload servers is what keeps that adaptation cheap to repeat. The next thing worth watching is whether the malware itself, not just its wrapper, starts changing from one victim to the next. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP CVE-2026-8452 (CVSS score: 8.8) - A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server CVE-2026-8655 (CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment CVE-2026-10816 (CVSS score: 7.7) - An external control of the file name of the path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled CVE-2026-10817 (CVSS score: 6.9) - An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler CVE-2026-13474 (CVSS score: 8.7) - A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler Patches for the security defects have been released in the following versions - NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1 NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams - For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds. The fix is effective immediately after the upgrade. For appliances NOT using HTTP Strict Profiles, the default value is 0.
In this case, merely upgrading to the builds containing the fix will not address the vulnerability completely. Customers must manually set Http2SmallWndTimeout to 30 seconds. The command to set this parameter is below -
set ns httpProfile
watchTowr Labs, in a technical write-up released alongside Citrix’s bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce CVE-2026-3055 (CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year. The cybersecurity company said the vulnerability stems from how NetScaler parses SAML authentication requests and shares the same root cause as the March 2026 flaw, resulting in out-of-bounds memory reads when sending malformed SAML requests. “One thing we’re keen to note: in contrast to the original CVE-2026-3055, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >),” security researcher Hammond said . “In practice, we found that by varying the request length, we could consistently squeeze a few bytes out of the server.” “However, what should be of concern is the bigger picture - the trend, which is very clearly suggesting that memory management continues to appear fragile within Citrix NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory.” In recent years, Citrix appliances have been a lucrative attack target, with multiple flaws in its software exploited by threat actors for ransomware deployment in the past, making it crucial that users apply the patches for optimal protection.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data
New Microsoft research shows how attackers can hijack AI agents that act on a user’s behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire. The work comes from Microsoft Incident Response and its Defender security research team, and it lands as companies start letting AI do more than read and summarize.
What changes when an agent can act Until recently, the workplace AI risk was mostly framed around what a model read and wrote. A poisoned document could skew an answer, and that was mostly where it ended. Agents are different. Microsoft 365 Copilot can send email, create files, and change calendars.
Custom agents built in Copilot Studio or Azure AI Foundry can reach into business systems and run multi-step jobs on their own. The same injection trick that biases a summary now triggers an action. Against a reader, an attack changes the output. Against an agent, it changes what the software actually does.
These agents reach business systems through MCP, the Model Context Protocol , an open protocol that lets an AI call outside tools the way an app calls an API. Microsoft calls it the fastest-growing part of the agentic AI supply chain, which makes it an expanding attack surface. How the attack works Every MCP tool ships with a description: a few lines of plain text that tell the agent what the tool does and when to use it. The agent reads that text to decide how to act.
That is the whole weakness. The description is just words, and words can carry instructions. Microsoft walks through it with an invoice example, built to show the pattern rather than report a named victim. A finance team stands up an agent to handle vendor invoices.
It connects to three tools, including a third-party “invoice enrichment” service that was approved for use but never given a real security review. Then the attacker updates that third-party tool. The name and the visible summary stay the same. Buried in the description, dressed up as formatting notes, is a hidden order: grab the last thirty unpaid invoices and attach them to the next call.
MCP picks up description changes on the fly. In setups without a re-approval trigger, the poisoned version goes live with no extra review. After that, an analyst asks a routine question about a supplier. The agent follows the hidden order, collects the invoices and sends them along as part of a normal-looking request.
The tool returns a clean answer and quietly copies the stolen data to a server the attacker controls. The analyst sees nothing wrong. Each move the agent makes is legitimate on its own. The tool was approved.
The data query ran with the analyst’s own permissions. The outbound call went to a server that was allowed when it was added. The weakness is not in any one system. It lives in what Microsoft calls “the trust boundary between them.” The deeper problem is that MCP mixes instructions and data in the same place.
A tool’s description lives in the agent’s working memory right next to its real orders, so editing that description can steer the agent as effectively as rewriting its system prompt. The agent has no reliable way to tell an honest instruction from a malicious one slipped in by whoever maintains the tool. Microsoft notes this is not a bug in Copilot itself. It is a trust gap opened up by plugging in outside tools.
What defenders should do Microsoft’s advice, stripped to plain terms: Treat every connected tool as part of your supply chain. Keep a list of approved tool publishers, turn off “allow all,” and let an agent use only the specific tools it needs. Treat a tool’s description like a system prompt. Review changes to it the way you would review a code change, and scan the text for commands that have no business sitting in a help field.
Put a human in front of risky actions. Anything that moves money, shares data outside the company, or changes accounts should need a person to approve it. Give each agent its own identity and watch what it does. Log its actions, set a baseline for normal, and flag new endpoints, larger data pulls, or odd queries.
Apply least agency, not just least privilege. Even a low-permission agent can do real harm if it is allowed to act without checks. Microsoft maps its own products to each step, including Prompt Shields, Purview DLP, Entra Agent ID, Defender for Cloud, and Sentinel, but the principles hold whatever stack you run. Not a theory: how we got here This class of attack has a paper trail.
Invariant Labs named “tool poisoning” in April 2025, with a proof of concept that hid instructions in a calculator tool’s description and got the Cursor editor to read a user’s private SSH key and send it off. Developer Simon Willison dug into it days later. The same group later showed a related trick: a malicious GitHub issue could hijack an agent connected to the GitHub MCP server and walk data out of private repositories. The tools there were trusted and untouched; the bad instructions rode in on the data the agent read.
OWASP now cites that case as an Agentic Supply Chain Vulnerabilities example in its December 2025 Top 10 for Agentic Applications. A related supply-chain failure has already happened in the wild. In September 2025, researchers at Koi Security found an npm package called postmark-mcp. It had mirrored a legitimate email tool for fifteen clean releases before version 1.0.16 slipped in one line that secretly BCC’d every email an agent sent to an attacker.
Koi called it the first real-world malicious MCP server . Academics have started measuring the problem too. The MCPTox benchmark , released in August 2025, ran poisoned tool descriptions against 45 real MCP servers and 20 leading AI models. It found the attack widely effective, with a success rate as high as 72.8 percent, and the models almost never refused.
The throughline is the one Microsoft is pressing now. AI that can act is only as trustworthy as the tools you let it touch, and right now those tools are easy to poison and hard to watch. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin’s XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles. RustDuck is one more entrant in a crowded field, but it stands out for two reasons.
It is being rewritten from the C programming language into Rust, and its newer versions go to unusual lengths to avoid being studied or shut down. How it spreads RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH).
Guess the password, walk in. The second is unpatched device bugs. XLab says RustDuck goes after exposed Android debugging interfaces and flaws in gear from TVT (DVRs and cameras), Ruijie, TP-Link, and ZTE, plus a handful of named, years-old vulnerabilities that still litter the internet: CVE-2017-17215, a remote code execution bug in Huawei HG532 routers that the original Mirai-style botnets abused back in 2017. CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers that Akamai watched Mirai variants exploit in March 2026.
CISA added it to its Known Exploited Vulnerabilities list the next month. CVE-2024-1781, a command-injection bug in Totolink X6000R routers, whose maker never responded to the disclosure. CVE-2018-8007, a remote code execution path in Apache CouchDB that an authenticated admin can abuse. The third path is web software.
RustDuck also targets known holes in ThinkPHP, Jenkins, and Hadoop YARN, which stretches its reach from cheap home hardware to exposed server software. XLab counted more than 20 internet addresses spreading the malware, with the busiest at 176.65.139[.]204. What makes it tricky RustDuck installs in two stages: a small loader that decrypts and unpacks a heavier core module. That core is where the interesting engineering lives, and it is the part being rewritten in Rust.
Rust binaries are generally tougher for analysts to take apart than the C that has powered device malware for years, and XLab says RustDuck’s Rust core shows real depth in how it derives its keys, hides from analysis, and talks to its servers. The switch points to active development, not a quick re-skin of leaked code. The bigger tell is how hard the newer samples work to stay hidden. Before doing anything, RustDuck runs a checklist to decide whether it has landed in a security researcher’s lab instead of on a real victim’s device.
It looks for analysis tools like Wireshark and gdb, for debuggers attached to its own process, for the fingerprints of a honeypot trap, even for virtual-machine hardware. Each hit adds points to a risk score. Cross a threshold, and the malware erases its traces and quits before anyone can watch it run. Two of those checks stand out.
One quietly tries to reach an internet address that is reserved for testing and should never answer; if something replies, RustDuck knows it is inside a fake network built to fool malware, and bails. Another compares two clocks to catch sandboxes that speed up time to rush malware into showing its hand. Its communications are locked down to match. RustDuck encrypts its traffic with modern ciphers: ChaCha20-Poly1305 for the handshake, AES-GCM once it is taking commands.
It derives its keys with HKDF-SHA256 and a Curve25519 exchange, rotates them every ten minutes, and dresses the connection up to look like ordinary encrypted web traffic so it blends in. Once a device checks in, the operators can send a short list of orders: start an attack, stop it, report status, switch to new control servers, or quietly upgrade the malware to a newer build. The control addresses lean on free dynamic-DNS services like duckdns.org, which is where the “Duck” in the name comes from. This fits a bigger pattern RustDuck is not the first botnet to reach for Rust.
In April 2025, Fortinet documented RustoBot , a Rust-based botnet that spread through Totolink and other routers to run DDoS attacks, using the same recipe: cheap routers, a modern language, and flood traffic on demand. It also arrives in a brutal year for DDoS. The same kind of botnet, scaled up, has produced the biggest floods on record. AISURU and a cluster of related botnets, more than three million hijacked devices between them, drove attacks near 30 Tbps before a US-led operation tore down their infrastructure this spring.
Next to that, RustDuck is tiny. The worry is the direction it is heading. One detail worth a second look: RustDuck’s busiest delivery address, 176.65.139[.]204, sits in the same small block of addresses as the server behind a separate ADB-targeting DDoS botnet reported in spring 2026. That could be a coincidence or shared bulletproof hosting, and XLab does not link the two, but the overlap is the kind of thing worth checking.
What to do There is no patch for RustDuck itself, because it is malware, not a single bug. Defense means closing the doors it walks through: Get remote-management interfaces off the public internet. Turn off Android Debug Bridge, Telnet, and SSH where they are not needed, and never leave them reachable with default passwords. Patch what you can, replace what you can’t.
CouchDB has fixed releases to upgrade to, but some of these routers are past end-of-life. For the D-Link DIR-823X, CISA’s advice is to pull it from service rather than wait for a patch that isn’t coming, and the Totolink maker never answered the disclosure. Unsupported gear has to be replaced, not fixed. Block the known indicators.
XLab’s report lists the malware’s file hashes, control domains, and source addresses; feed them into your monitoring. RustDuck is a small botnet wearing the engineering of a serious one. Whether it grows into a real threat or fizzles out, the techniques it is testing, a Rust rewrite and a paranoid hide-from-researchers routine, are the parts other crews are most likely to borrow. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026. “In this campaign, a single line of Python code evaluated inside an unauthenticated Langflow API endpoint pulls down a shell script, fetches a miner binary, and launches it detached,” Trend Micro researchers Simon Dulude and John Zhang said in a technical report published last week.
At a high level, the malware is designed to terminate competing cryptocurrency miner processes associated with Kinsing , WatchDog , Rocke , and Outlaw , delete rival wallet and key material, disable host-level security controls, establish cron-based persistence, beacon to an external server (“83.142.209[.]214:80), and deploy a custom miner. It can also propagate to other systems through reused SSH keys, effectively turning an exposed Langflow instance into a pathway for broader compromise. This involves exploiting the Langflow flaw to run an attacker-supplied Python script, which, in turn, is configured to launch a remotely hosted shell script that acts as a dropper whose primary responsibility is to check if a binary called “lambsys” is already running on the host. Subsequently, it downloads the binary on the machine using curl or wget, launches it as a detached process, and spreads itself to every SSH-reachable host the victim can authenticate to.
The binary, an ELF executable written in Go, is also engineered to disable AppArmor, Ubuntu’s Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud’s Aliyun agent. In addition, the malware removes system logs to cover up the tracks, and removes the immutable attribute from files like “~/.ssh/,” “~/.ssh/authorized_keys,” “/etc/crontab,” and “/etc/ld.so.preload,” “/tmp/,” “/var/tmp/,” and “/var/spool/cron” in order to make its modifications, and then reapplies the immutable attribute to “/tmp/” and “/var/tmp/.” Illicit cryptocurrency mining operations are known to set the “chattr +i” attribute on these files to ensure that they cannot be modified, renamed, or deleted by any user, including the superuser. The binary’s behavior reflects that the threat actor behind the operation is aware of persistence methods adopted by rival cryptojacking groups. In the final stage, the binary contacts the same server to fetch a TAR archive and extracts from it a bespoke XMRig miner.
Once the miner begins execution, the archive file is wiped from the file system. It further sends a request to ipinfo[.]io to obtain the host’s public IP address and location, allowing the threat actors to make operational decisions on the fly. The first is pool selection. Given that mining pools tend to be geographically distributed, connecting the miner to a pool near the victim can minimize latency and maximize hash rate.
The second reason behind obtaining this information is geo-fencing, as it gives the threat actors a way to exclude victims in certain regions. “Lambsys does not run its attack logic as Go functions,” the researchers explained. “Instead, it forks a cascade of short-lived sh -c subprocesses, each executing one shell command (one pkill, one chattr, one sysctl). The design trades stealth for reliability.
If one of 51 pkill commands fails, the failure is contained to that subprocess, and the other 50 carry on.” Trend Micro said an artifact belonging to the previous iteration of the same binary was compiled in May 2024, indicating that the threat actors behind the campaign have likely been iterating on the family for over two years, while taking steps to evade detection by antivirus tools. Over the past year, a number of security flaws in Langflow have come under active exploitation. In June 2025, another critical vulnerability (CVE-2025-3248, CVSS score: 9.8) was abused to distribute the Flodrix botnet malware. “This cryptocurrency-mining campaign shows how exposed AI application endpoints are becoming another route into enterprise environments,” Trend Micro said.
“The payload might be familiar, but the delivery vector is not. A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses
Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs. “The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign ‘Google Notes’ utility,” the cybersecurity company said in a technical report shared with The Hacker News. The unsigned .NET installer, named BaseZipInstaller, is designed to retrieve a ZIP archive, which serves as a foundation for the malicious browser extension by scanning the system for Chromium-based browsers.
For each detected profile in those browsers, it forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files. The end goal of the extension is to act as a clipper that’s capable of intercepting and manipulating wallet addresses copied into the system clipboard with the goal of rerouting the funds to an attacker-controlled wallet. To realize its goals, the bogus Google Notes extension requests users to grant it permissions to access the clipboard, all URLs, and the browsing history. Because most transactions on the blockchain are irreversible, an address swap can result in permanent financial loss.
McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters. What makes Silent Swap stand apart is the use of a technique called EtherHiding that uses the blockchain as a dead drop resolver to retrieve the active command-and-control (C2) server details. This allows the attacker to trivially update a smart contract value to point to the new domain instead of having to redeploy the malware itself. The second aspect revolves around the covert installation of the browser extension on Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Vivaldi by modifying protected browser settings files.
The attack, however, hinges on enabling the developer mode for newer versions of the browsers, something that a threat actor can accomplish through social engineering tactics. “Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes,” McAfee said. “The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately.” “This allows the extension to bypass the normal extension web store installation process and load silently without user approval.” The campaign’s persistence and evasion posture has been characterized as deliberate and layered, with the primary focus being on maintaining low visibility to the end user and high resilience against takedown and static analysis. Persistence is established by registering the extension by altering the browser’s Secure Preferences file so that it’s loaded on subsequent browser launches without the need for a separate mechanism.
In addition, the malware attempts to enable developer mode programmatically in Brave and Opera, and the installer is self-deleted after execution, effectively removing an indicator of initial compromise. Another evasion technique is the use of dynamic wallet substitution, which is responsible for fetching a replacement address corresponding to a victim’s original address. “It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address,” McAfee said. “If the backend request fails, the function falls back to a predefined hard-coded wallet address, ensuring uninterrupted malicious activity.” For every wallet address matching patterns associated with Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash, it’s mapped to a unique attacker-controlled address on the server-side.
In contrast, all submitted Solana addresses resolve to a single attacker address. As of writing, the Solana address has been found to have a balance of $1,902.45. “Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side.
Telemetry data suggests that infections are globally distributed, with a higher concentration of victims reported in India. Other countries impacted by the campaign include the U.S., Brazil, Indonesia, and Spain. “This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading,” McAfee said. “Static attacker addresses have been replaced with a server-side, per-victim mapping.
Fragile, hard-coded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction.” Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers The disclosure comes as Socket reported on a pair of malicious Chrome and Mozilla Firefox browser extensions, both carrying the name “VPN Go: Free VPN” on the Chrome Web Store and Firefox Add-ons marketplace. “Both extensions present themselves as free VPN tools and include visible proxy functionality,” Socket researchers Kirill Boychenko and Kush Pandya said . “Under the hood, both also contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it to threat actor-controlled infrastructure.” The behavior extends beyond wallet addresses, as it allows the operators to siphon all kinds of sensitive data, including passwords, authentication codes, API keys, OAuth tokens, and seed phrases. Further examination of the extensions has revealed a staged malicious update pattern, where the extension developer initially published a benign version to the extension storefront before introducing the clipboard-stealing capability through a subsequent update.
While versions 1.1 and 1.2 of the Chrome extension have been found to exfiltrate clipboard data to “178.236.252[.]133,” version 1.3 switches the exfiltration channel to a different IP address (“77.91.123[.]187”). In the case of its Firefox equivalent, 1.3.3 is the first version to include the clipboard stealer and send the information to “178.236.252[.]133.” The 1.3.4 update moves the infrastructure to “77.91.123[.]187.” Users who have installed either of the extensions are advised to remove them immediately and treat any secrets while the extension was active as compromised. “The static code is enough to show that the extensions were designed to function as proxy tools, not merely display a fake VPN interface,” Socket said. “The proxy capability still increases risk because it can route browser traffic through threat actor-supplied infrastructure, expose plaintext HTTP traffic and connection metadata, and make the extension appear useful while the clipboard monitor runs in parallel.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks
The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from Adversa AI , which is named the bypass GuardFall , found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, “Continue,” was built to defend against it. Why does it matter?
These agents run shell commands with your full account access. Point one at a booby-trapped repository or software package, and a hidden instruction can quietly run a command that wipes files or steals the secrets your account can reach, from SSH keys and cloud credentials to anything sitting in your home folder. How does it get past the guard? Most of these agents try to stay safe by checking each command against a blocklist of dangerous patterns before running it.
The flaw is that they check the command as plain text, while bash rewrites that text before it actually runs. The shell strips quotes and expands shortcuts, so the filter and the shell end up looking at two different things. The simplest example: a filter watching for rm sees nothing wrong with r’‘m, because to a text matcher those are different strings. Bash removes the empty quotes and runs rm anyway.
The same idea works in other forms: a command hidden in base64 and piped into a shell, or ordinary tools like find and dd turned destructive with the right flag. The researchers call this not a bug but “a dangerous convention and a class of problems,” which is why adding more blocklist patterns fixes none of it. There is no single CVE to track or patch. Two things have to line up for an attack to land, and neither is exotic.
First, the AI has to produce the malicious command. A blunt “run rm -rf” is usually refused, but the same command tucked inside normal-looking work, such as a build file or a tool’s “documentation” reply, gets emitted as a routine step. Second, the agent has to be running on its own, with an auto-execute flag turned on or its container sandbox switched off, both of which are routine in automated pipelines. The live tests used Claude Sonnet 4.6.
The other ten tools all left the gap open: opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and the Hermes project, where the bug first surfaced and is documented in Hermes’s own issue tracker . The tools in Adversa’s survey together carried roughly 548,000 GitHub stars as of May 2026. Adversa demonstrated the full attack end-to-end against the production Plandex binary, and the same shape worked against eight others. It describes the work as lab research; no public exploitation has been reported.
Continue, the one agent that held up, defends by reading the command the way bash will before deciding: it breaks the command into the same pieces the shell would, checks what actually runs, and keeps a hard list of destructive commands that are blocked outright. That protection held against every payload in Continue’s default editor mode. Its command-line auto-run mode is weaker: a few payloads slipped through, though the most destructive ones still hit the hard block. Adversa calls the design portable and says re-implementing it is roughly a two-day job for an experienced engineer.
What to do now None of the quick fixes is a complete answer, but they cut your exposure until a proper guard is in place: Run agents with $HOME pointed at a throwaway folder, so secrets like ~/.ssh and ~/.aws are out of reach. Turn off auto-execute flags such as –auto-exec, –auto-run, –auto-test, and dangerously-skip-permissions unless the job genuinely cannot pause for a human. Do not let agents run on pull requests from forks, the easy path from an attacker’s file to your secrets. Treat config files shipped inside a repository, like .aider.conf.yml, as untrusted code; a malicious one can trigger the attack on the first accepted edit.
GuardFall lands in the middle of a run of similar findings this year. Adversa’s own TrustFall hit Claude Code, Cursor, Gemini CLI, and Copilot CLI, and a separate deny-rule bypass hit Claude Code. Attacks like AutoJack and Agentjacking turned poisoned content into commands that an agent runs with its owner’s privileges. The common thread is simple: untrusted text keeps reaching a real shell before the guard understands what bash will actually run.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer’s account, and the developer pays the bill. Three months after the researchers warned the developers, only 28% had fixed it.
The work, from researchers at Wake Forest University, is the first in-depth study of the problem on iOS . It is striking partly because of how little effort the snooping took. The team used a tool they built, LLMKeyLens , that watches an app’s traffic and pulls out the credentials as they go by. No jailbreaking, no cracking the app open.
The key is the secret that lets the app call a service like OpenAI or Google Gemini. Embed it in the app, and it is exposed with every request the app makes. All 282 fell into one of three groups: Plaintext keys (54 apps): the key is sent in the open, readable from a single captured request. No key needed (92 apps): the app routes requests through a server that answers anyone, with no check on who is asking.
An open relay to a paid AI account. Replayable tokens (136 apps, the most common): the app hands out temporary access tokens instead of the raw key, the approach that is supposed to be safer, but the tokens leak in the same traffic and were usually still valid when captured. Some were not temporary at all, as the cases below show. For 28 of the 54 plaintext-key apps, the same request also exposed the app’s hidden system prompt, the behind-the-scenes instructions that define what the assistant does and how the product works.
One capture, two prizes. The leaks span at least ten AI providers, with OpenAI the most common, and reach across 13 app categories. Productivity apps were the biggest group; health and fitness apps had the highest leak rate. Finance and medical apps, notably, leaked nothing.
Most affected apps were small, but not all of them: one had more than two million user ratings. This is not theoretical money. Stolen AI keys feed a practice the industry calls LLMjacking , where attackers run other people’s keys to get free model access. Sysdig calculated a worst-case scenario in which stolen credentials could run up more than $46,000 a day in AI charges.
The researchers notified all 282 developers and waited three months. Only 28% had clearly fixed it. Another 23% were still wide open; the leaked access was working. The rest had gone offline, become unreachable, or returned errors.
The token apps were often the worst: one popular app, with over 100,000 ratings, set its access token to expire in the year 2125, a hundred-year pass. Another app’s one-hour token still worked 128 days after it had expired. The fix is old advice that few followed: Do not put the key in the app. Route AI calls through your own server, make that server check who is calling, and revoke any key that has already leaked.
The researchers also want AI providers to label client-side keys as unsafe in their documentation and to flag keys that suddenly get used by thousands of devices, and they want Apple to screen for this during App Store review. The pattern is familiar. A 2025 study, LM-Scout , found the same insecure AI wiring across Android apps and automatically broke into 120 of them. A larger audit, Leaky Apps , pulled secrets from thousands of Android and iOS apps and found developers routinely fail to revoke keys even after removing them, leaving the old ones live.
Others have probed the broader LLM app ecosystem for similar holes. The AI rush has not changed the habit. It has raised the bill, because a leaked key is now charged with the token. One caveat: the two-thirds figure is a floor.
Many apps blocked the interception entirely, and the study covers only the US App Store in late 2025, so the true rate is likely higher. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
What the Numbers Say About FIFA 2026 Cyber Risk
The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering financial services, transportation, hospitality, and gambling.
Here are three findings worth reading carefully. 1 in 3 FIFA Partners Can’t Block Email Impersonation Pre-tournament research by Proofpoint found that more than one-third of official FIFA World Cup 2026 partners lack sufficient DMARC enforcement to prevent domain spoofing. That means attackers can send an email that appears to come from a sponsor, a vendor, or a logistics partner, with no technical barrier stopping it. The World Cup supply chain is enormous.
Airlines, hotels, broadcast partners, merchandise contractors, and catering companies. Every procurement email traveling that chain is a potential interception point. High transaction volumes, tight deadlines, and the operational chaos of a global event create exactly the conditions that suppress payment verification rigor. Check Point’s attack surface management and digital brand protection capabilities are built for this kind of external exposure, continuously monitoring partner ecosystems for authentication gaps and impersonation infrastructure before attackers can use them.
Fake Sportsbook Apps Surged 60x Above Baseline A controlled comparison across eight major sportsbook brands, covering 60-day windows in 2025 and 2026 using identical methodology, found zero impersonator app detections in the non-tournament baseline. The pre-tournament window found 64. That is roughly 60 times the baseline rate, concentrated in April and May 2026, and concentrated on Google Play. At least five distinct developer accounts published apps spoofing two or more different sportsbook brands within hours or days of each other.
This is a coordinated multi-brand operation, timed to tournament activation. The attack surface here extends well beyond the app stores. Check Point Exposure Management also identified active Russian-language Telegram channels operating as fake tipster services, routing followers through referral links to generate affiliate commissions on fraudulent deposits. The channels split their picks across the audience, so roughly half the subscribers always “win” enough to keep depositing.
The sportsbook pays the affiliate commission on every conversion. Check Point’s dark web monitoring covers Telegram channels at this depth, giving security and fraud teams visibility into the operations before the tournament window-branded content fully activates. The Fake Hotel and Travel Sites Were Built Two Months Before Kickoff Check Point Exposure Management tracked monthly registrations of FIFA-themed lookalike domains targeting travel and hospitality services from November 2025 through May 2026. April 2026 alone accounted for 21.9% of the entire 12-month sample, eight weeks before kickoff.
March and April together represent 34%. Hotel and lodging brands account for 56% of the total Travel and tour brands account for another 27%. The sites were built to intercept fans at the point of purchase, when urgency was highest, and verification habits were the weakest. A small number of registrars carry most of the infrastructure.
GoDaddy, Hostinger, Namecheap, Porkbun, and IONOS together host 56% of the fraudulent domains. One interesting finding worth flagging is .top TLD accounts for 28% of registrations. .top is a phishing-favored generic TLD with low abuse-response thresholds and cheap registration costs. Actors who want infrastructure that stays up choose it deliberately.
A subset of the domains also has MX records configured. That means they can receive email, run reply-path impersonation, and intercept password-reset flows from victim accounts. These are active phishing infrastructures, registered and staged before the tournament started. Check Point’s phishing and brand protection capabilities continuously monitor for this kind of pre-positioned infrastructure, with a 99% takedown success rate and an average mean time to remediation of 12 hours.
For organizations whose brands are being cloned at scale ahead of a global event, detection speed and remediation speed are the only variables that matter. What This Means Security teams supporting any organization in the financial, travel, hospitality, or gambling sectors should treat the current period as elevated, not because the threat landscape changed with the opening match, but because threat actors were already positioned before it started. Read the full FIFA World Cup 2026 Cyber Threat Report or contact Check Point Exposure Management if you’re seeing escalation. Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer . The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated attacker could exploit to obtain a fully authenticated “Technician session by submitting a forged token containing arbitrary identity claims. “TaskWeaver is a heavily obfuscated Node.js loader, delivered as jquery.js and executed through node.exe, that implements an encrypted, reusable payload delivery channel rather than a fixed set of post exploitation commands,” Blackpoint Cyber said in an analysis. “The observed second stage payload, Djinn Stealer, targets Windows, macOS, and Linux systems.” Djinn Stealer is designed to harvest credentials associated with cloud platforms, source control, package registries, infrastructure tooling, AI development assistants, browsers, SSH, and cryptocurrency wallets.
Details of CVE-2026-48558 emerged earlier this month when Horizon3.ai, which discovered the flaw, said it affects servers configured to use either generic OIDC or Azure AD OIDC and that it stems from the manner in which SimpleHelp validates the IdP assertions. “In many SimpleHelp deployments that have OIDC-type authentication enabled, an unauthenticated attacker can create and authenticate as a new ‘Technician’ user,” Horizon3.ai security researcher Zach Hanley said . “This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more.” “Even when the SimpleHelp server is configured to enforce MFA for technicians, this issue allows the attacker to bypass this mechanism because on first login, technicians can self-register their own MFA method.” In the attack chain documented by Blackpoint Cyber, successful exploitation of the flaw in the Remote Monitoring and Management (RMM) software is said to have enabled the threat actor to obtain an authenticated “Technician” session on a publicly-accessible server, which was then abused to deploy TaskWeaver and Djinn Stealer. “The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server,” researchers Nevan Beal and Sam Decker said.
TaskWeaver is a modular Node.js loader capable of fingerprinting the system, establishing encrypted communications with a remote server (“a.dev-tunnels[.]com”), and retrieving and executing additional JavaScript payloads with elevated access to the Node.js runtime. The final stage is an information stealer engineered to siphon valuable data from compromised Windows, macOS, or Linux hosts. The breadth of the information targeted by the stealer is as follows -
Credentials, history, and bookmarks stored in web browsers
Configuration and authentication data associated with AWS, Azure, Google Cloud, Oracle Cloud Infrastructure, Okta, Cloudflare, DigitalOcean, Linode, Heroku, Vercel, Railway, Supabase, Pulumi, Terraform, HashiCorp Vault, and Consul
GitHub CLI data
Git configuration
SSH keys
Docker authentication
Helm registry information
S3 and MinIO client configurations
Subversion credentials
Credentials for npm, pnpm, Yarn, NuGet, Cargo, Composer, Maven, Gradle, pip, PyPI, Conda, Bun, Ivy, and Scala Build Tool
Configuration, authentication, session, and project data associated with Anthropic Claude, Google Gemini, OpenAI Codex, Cline, OpenCode, and Kilo
Cryptocurrency wallets and keystores associated with Bitcoin, Litecoin, Dogecoin, Dash, Ethereum, Monero, Zcash, Exodus, Atomic Wallet, and Electrum
On Linux systems, the malware also attempts to read the “/proc/
The campaign illustrates how threat actors are increasingly going after artificial intelligence (AI)-powered platforms as the technology gets embedded across enterprise workflows, enabling them to abuse the AI assistants’ privileges to access sensitive data. “A single authentication bypass became a pathway into everything the managed systems could reach, from cloud platforms and code repositories to AI tools, cryptocurrency wallets, and customer infrastructure,” the researchers said. “Credentials accessible from a developer or administrator workstation may provide entry into production infrastructure, build pipelines, source code repositories, deployment platforms, cloud tenants, and customer environments long after the original endpoint has been contained.” The active exploitation of CVE-2026-48558 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 2, 2026.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks
Two researchers have found six security flaws in AirDrop and Quick Share , the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that bypass Samsung’s session checks and trigger a potentially exploitable crash in Google’s Windows app. The two features run inside an ecosystem of more than five billion active Apple and Android devices, though the tested bugs hit specific implementations and versions.
The work, laid out in a new research paper by Arash Ale Ebrahim and Nils Ole Tippenhauer of the CISPA Helmholtz Center for Information Security, is the first to pull both stacks apart side by side, above the radio layer, where discovery becomes session handling, parsing, and trust decisions. The fixes have already started. Apple has patched one of the three AirDrop bugs and assigned it a CVE, though the advisory is not yet public; the other two are still in coordinated disclosure. Google paid a bounty for the Windows flaw and has landed a code fix, with its CVE still pending.
Samsung’s two bugs were handed to Google and remain under investigation. No public reports of these flaws being exploited have surfaced as of this writing. Three ways to knock out Apple’s sharing All three AirDrop flaws end in the same crash: they take down sharingd, the background service on macOS and iOS that handles AirDrop. The catch is that this service also runs AirPlay, Handoff, Universal Clipboard, Continuity Camera, and NameDrop, so one crash takes the whole set down together.
The simplest of the three needs only a single malformed request sent to a device with AirDrop set to receive from “Everyone.” Send those crash messages on a loop, about one every two seconds, and the features stay down for as long as the attacker keeps going. In the researchers’ test, no legitimate AirDrop transfer got through while the attack ran. Two of the three are more than AirDrop bugs, because they live in shared Apple frameworks. The broadest is a stack overflow in Foundation’s XML property list parser, triggered by a small file with around 200 nested layers.
Any Apple app that opens an untrusted file of that type could hit the same parser path, across macOS, iOS, watchOS, tvOS, and visionOS. The researchers reproduced the AirDrop crashes on macOS 15.7.4, macOS 26.3, iOS 18.x, and iOS 26.3; an older iOS 16 build was not affected. The Quick Share bugs, and a fix that broke On Android, two flaws in Samsung’s Quick Share let an attacker skip past the handshake that is supposed to lock down a session. One lets an unverified device start driving the connection before any encryption is set up.
The other lets some control messages pass unencrypted even after a secure session exists. An attacker on the same Wi-Fi network could use that gap to force a connection into an “accepted” state, keep it alive, or make the server return attacker-supplied IP and port values. Neither was shown to steal files, but both defeat the protections the system promises. The researchers tested these on a Galaxy S23 Ultra and noted that other Android makers’ versions of Quick Share need separate checking.
The most serious flaw is in Google’s Quick Share for Windows. It is a memory bug that surfaces when two connections collide at the right instant, leaving the program using a chunk of memory it has already thrown away. That is the kind of bug that can sometimes be turned into running attacker code, and the researchers say the path is plausible here because a Windows defense called Control Flow Guard is switched off in the app. They confirmed a crash but did not build a working exploit.
Google acknowledged it, paid a bounty, and has now landed a fix; the CVE is still pending. It is not the first time Quick Share for Windows has been here. SafeBreach reported a 10-bug code-execution chain in 2024 (CVE-2024-38271 and CVE-2024-38272), then returned in 2025 to bypass Google’s fixes (CVE-2024-10668). The new use-after-free adds another entry to a pattern of the same component being patched and probed again.
The detail that stings: the program’s own source code carried a comment admitting a prior bug in that exact spot, reading ”We had a bug here, caused by a race with EncryptionRunner.” The fix written to handle it reintroduced the same kind of flaw. The risk is local, not remote The key limit is range. These are local attacks, not internet-wide ones: the attacker has to be within about 10 to 30 meters or on the same local network. While less sweeping than a remote bug, a single attacker in a crowded place like an airport, train, or conference can still reach many devices at once.
The researchers tested only their own hardware and have released their tools openly so other security teams can reproduce the findings. On a Mac or iPhone, install Apple’s latest update (iOS and macOS 26.5.2 shipped June 29) and keep AirDrop on “Contacts Only” or off rather than “Everyone,” which is the setting these flaws need. On Quick Share, leave it out of “Everyone” visibility when you are not actively receiving a file, and update the Windows app now that Google’s fix has landed. Two independently built systems failed the same way: crashes in code that faces the network, and security checks bolted onto individual message handlers instead of being enforced up front.
It also lands at an awkward moment. Google’s AirDrop interoperability for Quick Share is already rolling out across flagship Android phones, and it only works when the iPhone is set to receive from “Everyone,” the exact setting that exposes the AirDrop crash bugs. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials
Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking , a technique from security firm LayerX that tricked six AI browsers and assistants into copying a user’s credentials and sending them to an attacker. The targets included OpenAI’s ChatGPT Atlas, Perplexity’s Comet, and Anthropic’s Claude browser extension. An AI browser is one that can act for you, not just read pages.
Switch it to agent mode, and it can click, type, and reach into the sites you are already signed into. That access is the whole point, and it is also the problem. The trick works because of how these agents read. The web page and your own instructions arrive as a single stream of text.
That lets a malicious page slip in commands dressed up as ordinary content or game rules, and the agent cannot reliably tell the difference. Researchers call this indirect prompt injection . How the trick works The attack starts with a web page built as a puzzle. To fit its dystopian theme, the puzzle rewards wrong answers, like insisting that 2 + 2 = 5.
Once the agent accepts that “wrong” is the winning move, it follows game logic instead of safety logic. The final step of the puzzle asks it to grab the user’s credentials, and not one of the six agents flagged that as something it should refuse. The dangerous part is where the agent looks. In the test, a link was sent to the victim’s work GitHub repository, where it pulled SSH login credentials and passed them to the attacker.
LayerX used a harmless plaintext file, but the same trick could point the agent at other resources it can reach in that session: open tabs, signed-in accounts, and internal tools. The agent did not hesitate. Afterward, it cheerfully reported the theft as a win. The name nods to BioShock, where a brainwashed character obeys the trigger phrase “Would you kindly?” The agent is no different.
It trusts the context it is handed. Change the context, and you change what it will do. LayerX has shown this pattern before, demonstrating that a single click could hijack Perplexity’s Comet and quietly steal data. What the vendors did, and what to do By LayerX’s account, the responses were uneven.
It reported the issue to vendors between October 2025 and January 2026. OpenAI fixed it in ChatGPT Atlas. Perplexity closed the report without acting on it. Fellou, Genspark, and Sigma did not respond.
Anthropic tried to patch its Claude extension, but LayerX says the fix did not hold. To shut the attack down, LayerX wants AI browsers to ask before reading from logged-in accounts. One prompt, “I’m about to copy data from your GitHub repository. Continue?”, would break the chain.
It also wants agents to notice when a page tells them the normal rules no longer apply, and to let users set hard limits on what an agent can touch. Winning a game is no reason to open a private repository. For users, the advice is shorter. Treat agent mode with care: whatever you are signed in to is fair game, so decide what the browser should see and cut that access when you are done.
For security teams, the same logic scales up. An AI browser in agent mode is effectively another account with reach into company systems, and it should get the narrowest access a task needs rather than a standing pass to everything the user can touch. The common thread across these findings is that handing an AI agent the keys to your signed-in accounts turns a jailbreak from a party trick into real access. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.