DAILY WORKFLOW ARCHIVE

2026-07-02 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-07-02 AI创业新闻

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-45659 (CVSS score: 8.8), is a case of remote code execution arising from the deserialization of untrusted data. The issue was addressed by Microsoft in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

Microsoft noted that any authenticated attacker could trigger the vulnerability, and that it does not require admin or other elevated privileges. In a network-based attack, an authenticated attacker with a minimum of Site Member permissions (PR:L) could leverage it to execute code remotely on the SharePoint Server. “Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network,” CISA said . According to the Windows maker’s advisory, the flaw has been tagged with an “Exploitation Less Likely” assessment.

It’s currently not known how the vulnerability is being exploited, who is behind the activity, and what the end goals of these efforts are. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 4, 2026. Microsoft Uncovers Parallel Threat Activity from 2 Clusters Late last month, Microsoft revealed that a routine ransomware investigation uncovered two unrelated attackers operating simultaneously within the same network, while adopting deliberate techniques to establish persistent access and complicate incident response efforts. One set of attacks has been attributed to Storm-2603 , a threat actor known for deploying Warlock ransomware often by exploiting known vulnerabilities in on-premises SharePoint servers since mid-2025 .

“In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion,” Microsoft said. Evidence points to it being CVE-2025-11371 (CVSS score: 9.1), a critical flaw impacting Gladinet Triofox. Upon gaining initial access, the threat actor is said to have deployed tools like Velociraptor to blend malicious activity with trusted administrative behavior, as well as established multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. The attack also escalated privileges by creating new local and domain administrator accounts, while a vulnerable driver (“NSecKrnl.sys”) acted as a conduit for tampering with endpoint security protections to help reduce their visibility.

In tandem, Microsoft said it uncovered signs of a second, unrelated threat actor co-existing in the same environment using DLL side-loading and custom backdoors, thereby making attribution more challenging. Further investigation uncovered that the attackers had moved laterally beyond the first network and into a second organization, which confirmed they had been compromised by the same ransomware activity attributed to Storm-2603. “Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion,” the Microsoft Incident Response team said. “The blend of known ransomware tactics and hidden techniques allowed the threat actors to establish deep and lasting access.” “What may appear to be a single ransomware incident can quickly expand into something more complex-spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel.

For security teams, the implication is clear: isolated signals rarely tell the full story.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters

Argo CD , a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component’s internal network port. Synacktiv , which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD’s maintainers in January 2025; roughly eighteen months later, it remains unpatched, so it published the details to warn users.

The bug sits in repo-server, the Argo CD component that reads Git repositories and builds Kubernetes manifests, the files that define what the cluster deploys. Its internal gRPC service has no authentication; anyone who can reach it can send a crafted request to run a command. Synacktiv demonstrated the attack against Argo CD v2.13.3 and reports no patched release; it did not publish a full list of affected versions. The technique abuses kustomize , a standard tool Argo CD runs to turn repository files into manifests.

Kustomize has a –helm-command option that points to the helm binary it should call. Synacktiv found that an unauthenticated request to the repo-server’s GenerateManifest service can set that option to a script instead, pulled from an attacker-controlled Git repository. When kustomize runs, it executes the script rather than helm. But “internal” does not mean isolated by default.

Argo CD ships Kubernetes network policies that wall the repo-server off from everything except its own components. Synacktiv found the Helm chart, a common way to install Argo CD, leaves those policies off by default , with networkPolicy.create set to false. In that setup, an attacker who compromises a single pod in the cluster can reach the repo-server and trigger the bug. Running code on the repo-server is not the end of it.

Synacktiv used that access to read the cluster’s Redis password from an environment variable, connect to Argo CD’s Redis cache, and poison the stored deployment data. On the next automatic sync, Argo CD deployed an attacker-supplied workload. That step revives CVE-2024-31989 , a 2024 flaw Cycode found where Argo CD’s Redis had no password, letting any pod in the cluster poison the deployment cache. Argo CD fixed that by adding a Redis password, but the cache itself is still not signed, so stealing the password back reopens the same attack.

What to do There is no patched version, so the defense is network isolation. Turn on Kubernetes network policies so only Argo CD’s own components can reach the repo-server and Redis ports. Argo CD provides the policy files; Helm users have to enable them because the chart leaves them off. Check what is active with: kubectl get networkpolicy -A.

A healthy install shows one network policy per component, including the repo-server and Redis. If those policies are missing, the repo-server and Redis ports are reachable from the rest of the cluster. Synacktiv built a tool, argo-cdown, that automates the full attack. It is holding the tool back for now to give defenders time to lock down their network policies, and says it will publish it on GitHub later so administrators can test their own deployments.

This is not Argo CD’s first exposure of its own internals. In September 2025, it patched CVE-2025-55190 , where an API token with only basic read access could pull back a project’s Git repository credentials, a flaw that The Hacker News flagged at the time . In May 2026, another bug, CVE-2026-42880 , allowed read-only users to read plaintext Kubernetes secrets. The pattern is hard to miss: Argo CD concentrates cluster access and repository secrets, and its internal surfaces keep handing them out, to an unauthenticated request in one bug and a low-privilege token in the next.

Until a patch ships, treating the cluster network as hostile is the only real defense. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges

A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes , 19, a dual U.S.

and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police arrested him in April on an Interpol Red Notice, an international arrest request, before his extradition in late June. His case is the latest in a run of arrests targeting a crew tied to breaches at casinos, retailers, and airlines. Court records identify Stokes by the online handle “Bouquet” and describe at least four intrusions, the first when he was 16.

In one case, in May 2025, prosecutors say he and others broke into a luxury jewelry retailer, copied its data, and demanded about $8 million in cryptocurrency. The retailer refused to pay, evicted the intruders, and spent at least $2 million cleaning up. According to those records, Finnish officers seized two 2-terabyte hard drives when they stopped Stokes at Helsinki airport as he tried to board a flight to Japan. Who is Scattered Spider Scattered Spider is not a traditional gang.

It is a loose, mostly English-speaking group of young people, many of them teenagers, spread across the U.S., U.K., and Europe. Security companies also track it under the names Octo Tempest, UNC3944, and 0ktapus. Its main trick is simple and hard to stop. Instead of breaking software, it fools people.

Members phone a company’s IT help desk , pretend to be a worker who is locked out, and talk the staff into resetting a password or approving a login. Once inside, they steal files and threaten to leak them unless they are paid. The group is best known for the 2023 attacks on MGM Resorts and Caesars Entertainment, which shut down MGM’s casino and hotel systems. Through 2025, it was linked to attacks on U.K.

retailers including Marks & Spencer, Harrods, and Co-op, then U.S. insurers and, later, airlines, a pattern security researchers describe as moving through one sector at a time. Assistant Attorney General A. Tysen Duva said the group has been involved in “over 100 network intrusions, resulting in more than $100 million in ransom payments.” Part of a wider crackdown Stokes is part of a broader shift in the Scattered Spider story: police are putting names, countries, and court dates to a crew that long operated as handles in chat rooms.

Recent cases include: Tyler Buchanan, a 24-year-old from Scotland, who was once described as a ringleader, pleaded guilty in a U.S. court in April 2026 to fraud and identity theft. He admitted stealing at least $8 million in cryptocurrency through phishing campaigns that hit companies including Twilio and LastPass, and faces a statutory maximum of 22 years in prison. Noah Urban, a member from Florida, was sentenced in August 2025 to 10 years and ordered to repay about $13 million.

Thalha Jubair and Owen Flowers, two young men in the U.K., pleaded guilty in June 2026 to a 2024 attack on Transport for London , the capital’s transit agency. Flowers also admitted conspiring to hack two U.S. health systems, SSM Health and Sutter Health. How companies can defend The playbook has outlived the arrests.

Mandiant reported a lull in attacks tied to the group after the 2025 arrests, then warned that other crews are already copying it. The weak point is the help desk, not the firewall, so the fixes that hold are stricter identity checks before a reset and sign-in keys that phishing cannot steal. A joint U.S. and international advisory adds that once inside, the intruders often lurk in a company’s chat tools and join the calls it holds to respond to the breach, watching who is hunting them.

For investigators, the drives seized in Helsinki may matter as much as the charges: devices taken from one member often lead to others. Stokes is presumed innocent, and his case must still go to trial, but the past year has made one thing plain: being young, scattered across borders, and good at talking past a help desk is no longer keeping this crew out of court. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT . Kaspersky said the activity is part of a “massive, multi-domain, multi-language” campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others. The Russian cybersecurity company said it identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic.

Some of these domains were set up between August 2025 and March 2026. “The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library,” security researcher Denis Kulik said . “It is loaded onto the device via DLL side-loading and deploys the ScreenConnect service, which awaits further instructions from the threat actors.” “This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations.” Once ScreenConnect is up and running, the service creates and executes a PowerShell script (“Fj5NmEsp9EuKrun.ps1”), which configures Microsoft Defender exclusions, disables User Account Control (UAC) prompts, and then creates a Visual Basic Script (VBScript) file called “installer_method3_stream.vbs.” The script, for its part, creates a set of five files in the “C:\Users\Public directory” - msgbox.txt secret_bytes.txt 1.vb cap.ps1 script.vbs In the next stage, it triggers the execution of “script.vbs,” a script that’s responsible for terminating all active PowerShell processes and running “cap.ps1” in a hidden window. The primary goal of the PowerShell script is to read the contents of the “secret_bytes.txt” file, extract from it the AsyncRAT module, and run it using process hollowing .

The malware then establishes a connection to a remote server (“mora1987.work[.]gd”), allowing the threat actor to covertly control infected Windows systems, steal sensitive data, and monitor user activity by recording screen content. Persistence is established by means of a scheduled task (“MasterPackager.Updater”) that’s activated every two minutes to execute “script.vbs,” ensuring that the entire attack is run after a system reboot. “The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages,” Kaspersky said. “The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like Google and Bing.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs . The activity has been codenamed VEIL#DROP by Securonix. It’s suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise , which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker’s control. “The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (“htlwub00klocate.blogspot[.]com”), allowing the attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure as a stager and to blend in with legitimate web activity. The downloaded PowerShell payload acts as a conduit for loading a benign web page like Google, creating the impression that a PDF document is opened, while the infection sequence proceeds silently in the background, ultimately leading to the deployment of PureLogs Stealer , a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts. The PowerShell loader also attempts to ensure unrestricted execution of follow-up PowerShell commands, terminate selected processes such as “wscript.exe” to minimize forensic trail, delete “transcript.pdf.js” to eliminate evidence of execution, and decrypt an embedded payload. “Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,” Securonix explained.

“Rather than using static indicators such as hard-coded URLs or predictable execution patterns, the malware constructs the next-stage payload location dynamically during execution.” This involves building a unique blogspot[.]com URL for each execution by inserting a random number of forward slashes (“/”) to the URL string so as to bypass static URL signatures, indicator-based blocking, and URL-based filtering mechanisms. In addition, the decoded script introduces runtime mutation and polymorphism by replacing placeholder values within the script with randomly generated strings and values during execution. This variability is designed to defeat script signatures and file hashes, thereby preventing reliable detection. The reconstructed script is finally executed entirely in memory without leaving any artifacts on disk.

This component functions as a loader responsible for decoding and running the core malware component, which is nothing but a .NET assembly that’s launched using a technique known as reflective code loading . In the event security controls and other environmental restrictions prevent it from executing the recovered .NET assemblies directly from memory, the loader incorporates a fallback execution method that relies on Microsoft-signed binaries, such as “regsvcs.exe,” “installutil.exe,” “msbuild.exe,” and “aspnet_compiler.exe,” to accomplish the same goals without attracting any attention. Because these binaries are trusted, signed by Microsoft, and are already present on the system, the living-off-the-land (LotL) approach enables the attackers to make their activity appear legitimate and fly under the radar. “One of the most notable aspects of the loader is that it does not depend on any single LOLBin ,” the researchers pointed out.

“Instead, execution follows a cascading model, attempting each method until one succeeds.” The impact of a stealer infection typically goes beyond the initially compromised endpoint, as the harvested data can act as a stepping stone to burrow deeper into the target environment, establish persistence, perform lateral movement, and even breach its cloud infrastructure. “The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures

A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet’s FortiGuard Labs identified the campaign in May 2026. It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image. The goal is the usual one: steal banking logins and take over accounts.

Ousaban sits quietly on a Windows PC and waits for the user to open a banking site. When a target bank loads, it can capture screenshots and keystrokes, tamper with the clipboard, show fake messages, and give the attacker remote control. Together, those are the tools for hijacking a live banking session and taking over an account. Ousaban watches for more than two dozen banks across the two countries, among them Banco Santander, BBVA, CaixaBank, Bankinter, and Caixa Geral de Depósitos.

How the attack works It starts with a phishing PDF disguised as a corrupted file. The PDF shows a prompt telling the victim to press an “Atualizar” (Update) button, which opens a malicious webpage. Hidden JavaScript in the PDF can open the same page on its own. The page poses as a tax-document and installer portal while screening visitors.

Fortinet says an earlier version ran these checks in the browser: it looked at the visitor’s IP address, language, and time zone, blocked anyone coming through a VPN, and filtered out automated security tools by checking details like screen size and installed fonts. The current version moves that screening to the operator’s server, so the exact rules are hidden. Either way, visitors outside Spain or Portugal get a Spanish “access denied” notice instead of malware. Clear the check, and the download starts.

A script downloads an image that looks like a PDF icon but hides a ZIP file inside, a trick called steganography. The script unpacks Ousaban from that ZIP, runs it, then deletes the image, the ZIP, and itself to leave less behind. Once running, Ousaban adds a registry entry named Financeiro (Portuguese for “finance”) so it starts up with Windows. Ousaban’s command server, the machine that controls it, is deliberately hard to find.

It carries a Pastebin link that points to one server address, but Fortinet says that address is a decoy. Hiding these details in web services is an old Ousaban habit: earlier campaigns stashed the configuration in Google Docs . This time, the real server moves every day. The malware reads the current date off a Google page, builds a web address from that date plus a fixed secret, and looks it up.

Blocking yesterday’s address does little good. A familiar Brazilian playbook None of this is new. Ousaban, also tracked as Javali, is one of a group of Brazilian banking trojans that Kaspersky labeled years ago as the “Tetrade,” alongside Grandoreiro, Guildma, and Melcoz. These families started in Brazil and pushed into Spain and Portugal, borrowing code from each other as they went; Ousaban’s string encryption is the same custom scheme used by another family, Casbaneiro.

Grandoreiro, the best known of the group, shows how durable the playbook is. It survived an Interpol-coordinated takedown in January 2024 and was back within months , and its loaders leaned on the same habit of hiding downloads behind PDF-looking lures and country checks. It is still active against Iberian targets , with a campaign reported this year that kept hitting Portuguese banks. Fortinet links the same infrastructure to Ousaban activity in late 2025 that used other entry points, including “ClickFix,” a scam that gets the victim to paste a malicious command themselves while thinking they are fixing an error.

What to do The first place to catch it is the lure. Treat any PDF or email that claims a file is corrupted and tells you to press “Update” as hostile. The same goes for prompts that tell users to paste a command to fix an “error.” The PDF can even open the malicious page on its own. Treat unexpected invoice, factura, or tax-document attachments as suspect, especially in Spain and Portugal.

Server-side screening means that an automated sandbox that just fetches the link may get only the Spanish error page instead of the malware. Gateway detonation alone can miss it. The campaign only affects Windows. Fortinet’s report lists domains, IP addresses, and file hashes to block.

Defenders should watch for the Financeiro registry Run key and files dropped to C:\SysMain_5874288. Fortinet says its FortiGuard antivirus flags the samples, and its FortiMail product flags the phishing email. The Trojan itself is old, and Fortinet says its custom encryption has stayed effective against detection for years. The newer part is the wrapper: geofencing, a hidden payload, and a throwaway daily address, all built to show the malware to real victims in two countries and nobody else.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic. The ColdFusion updates “resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass,” Adobe said in an alert released Tuesday. The vulnerabilities are listed below - CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) - Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) - Improper input validation vulnerabilities that could lead to arbitrary code execution CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability that could lead to arbitrary code execution CVE-2026-48313 (CVSS score: 9.3) - A path traversal vulnerability that could lead to arbitrary file system read CVE-2026-48315 (CVSs score: 9.3) - An improper input validation vulnerability that could lead to privilege escalation The issues have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.

Separately, Adobe has also shipped fixes to close out a critical flaw in Adobe Campaign Classic impacting versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-48286 (CVSS score: 10.0), is a case of incorrect authorization that could enable an attacker to execute arbitrary code on affected systems. It has been patched in version ACC v7: 7.4.3 build 9397. Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments.

Adobe-hosted instances have already been updated and require no action. The company also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates. The disclosure comes as Adobe said it’s moving from monthly to twice-monthly publication of security bulletins and advisories on the second and fourth Tuesday of each month starting July 14, 2026, as a direct result of accelerated vulnerability discovery using artificial intelligence (AI) models. “The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours,” Adobe’s Chief Security Officer Aanchal Gupta said .

“We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands

Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor’s safety sandbox and run any command on a developer’s computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide . They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 (or 9.3 under the newer CVSS 4.0 scale).

The fix is already out. Both bugs are patched in Cursor 3.0, released April 2, and every version before 3.0 is affected. Cursor’s maker says more than half the Fortune 500 use the tool, so if you run it, update now. What the sandbox was for, and how it broke Starting in the 2.x line, Cursor runs the terminal commands its AI agent issues inside a sandbox by default: a locked box that limits what those commands can touch, so a stray instruction cannot wreck the machine.

DuneSlide is about getting out of that box. The way in is prompt injection . The attacker never types into your Cursor. They plant instructions inside something your agent reads on your behalf, such as a connected service through the Model Context Protocol (MCP) or a page returned by a web search.

You ask a normal question, the hidden instructions come along for the ride, and because it needs no click or approval from you, the attack is “zero-click.” Both flaws use the same trick: get the agent to write one file it should not be allowed to write, then use that write to turn the sandbox off. CVE-2026-50548 abuses a setting. The sandbox permits writes into a command’s working folder, and that folder is an optional parameter, working_directory, on Cursor’s run_terminal_cmd tool. When the agent sets it to a non-default path, Cursor adds that path to the allowed-write list without question.

Injected instructions point it at a system file instead of the project. Overwrite the sandbox helper itself (on macOS, /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox), and later commands run with no sandbox at all. Startup files like ~/.zshrc work as targets too. CVE-2026-50549 abuses a safety check.

Before writing, Cursor resolves shortcuts (symlinks) to confirm the real destination sits inside your project. The bug is the fallback: when that check fails, because the target does not exist or the attacker removes read access from a folder in the path, Cursor gives up and trusts the shortcut’s in-project path instead. An attacker creates a shortcut that points outside the project, forces the check to fail, and Cursor writes straight through it to the same sandbox helper. Same escape, different door.

Once the sandbox is neutralized, the next command runs as you. That means control of the developer’s machine, plus any cloud or SaaS workspaces the editor is signed into. It all follows from one harmless-looking prompt. There is no sign this has been used in real attacks.

Cato presents it as research, not an active campaign, and the public vulnerability record shows no known exploitation as of publication. Cato reported both issues on February 19. By Cato’s account, Cursor rejected them four days later, saying its threat model did not cover misuse of MCP servers, even standard ones like the official Linear workspace. Cato escalated on February 26; Cursor reopened the reports, triaged them, and shipped both fixes in 3.0.

The CVE IDs were assigned on June 5. Cursor published its own advisory for the symlink bug, and its NVD record is live. Not the first, and probably not the last DuneSlide is the latest in a run of Cursor bugs that start with a poisoned prompt and end in code execution, each one defeating a different guardrail. The Hacker News covered the earlier rounds : CurXecute (CVE-2025-54135, August 2025) came from the same team, then operating as Aim Security.

A planted Slack message rewrote Cursor’s ~/.cursor/mcp.json config and ran commands even after the user rejected the edit. Fixed in 1.3. MCPoison (CVE-2025-54136), from Check Point Research, lets an attacker get an MCP config approved once, then quietly swap in malicious commands with no second prompt. CVE-2026-26268 (February 2026) hid a booby-trapped Git hook in a repository that fired the moment the agent ran a Git command.

Patched in 2.5. The sandbox in the 2.x line was Cursor’s answer to that earlier wave. DuneSlide is about escaping the answer. Cato says it is disclosing similar flaws in other coding agents and argues the problem is structural rather than a string of one-offs.

That leaves an open question for anyone shipping an agent that reads the open web: whether treating every input as hostile becomes the default, or stays a patch-by-patch scramble. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts

A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire’s Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve arbitrary code execution on susceptible devices. The exploitation activity commenced on June 29, 2026. “OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an unauthenticated attacker with permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input,” Progress said in an advisory for the vulnerability released early last month.

In an analysis published this week, watchTowr Labs described the flaw as rooted in a function named “escape_quotes()” within the load balancer application and that it stems from improper handling of user-supplied input. The problem was that the function failed to properly null-terminate sanitized strings, thereby leading to an out-of-bounds read into adjacent heap memory. An attacker could weaponize this loophole to issue specially crafted requests to the “/accessv2” endpoint that manipulate the heap memory to enable command injection. The impact of successful exploitation is severe, as it allows an unauthenticated attacker to run arbitrary commands on the affected appliance without having to possess valid credentials.

eSentire noted that exploitation efforts it observed ended in failure, as a result of which no post-compromise activity occurred. However, the availability of a proof-of-concept (PoC) exploit and detailed technical specifics is expected to drive malicious activity against CVE-2026-8037 in the immediate future. The attack attempts originate from the following IP addresses - 192.42.116[.]58 192.42.116[.]105 146.70.139[.]154 CVE-2026-8037 is the second Progress Progress Kemp LoadMaster flaw to witness active exploitation efforts after CVE-2024-1212 (CVSS score: 10.0), another critical OS command injection vulnerability that could be abused for arbitrary system command execution. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android

Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining “unrealistic browser-malware concepts with a real browser capability” to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices. “This is the first documented case where a frontier AI model independently bridged the gap between a theoretical browser-only ransomware risk and a practical, working attack chain – surfacing a novel attack path that defenders had previously dismissed as unfeasible due to browser sandboxing limits,” Check Point said in a statement shared with The Hacker News. “The expertise needed to discover a new attack path is no longer the bottleneck, and defenders need to account for that shift now — before threat actors operationalize it at scale.” The identified sample is a Python Flask application named “ deepseek_python_20260125_da0631.py “ that was uploaded to VirusTotal on January 25, 2026, with the Google-owned malware scanning service describing it as a “fully functional information stealer and ransomware toolkit.” It has been named InfernoGrabber v9.0 by the malware author. The application is designed to operate as a malicious web server that lures victims with a fake Discord avatar AI upscaler, while stealthily running a wide array of harmful actions, including stealing Discord tokens, harvesting credit card numbers and cryptocurrency seed phrases, logging keystrokes, and capturing unauthorized webcam and microphone feeds.

“The code includes specific routines for browser exploitation (targeting CVEs like CVE-2023-4863), data exfiltration via a hard-coded Discord webhook, a ransomware ‘WinLocker’ screen demanding Bitcoin, and an administrative dashboard for the attacker to manage stolen data,” according to VirusTotal. The findings come as artificial intelligence and large language models (LLMs) are redefining the cyber threat landscape, enabling threat actors to abuse the technology to develop malware and exploits. The use of DeepSeek is noteworthy as it signals that the Chinese company’s models have lower refusal rates for malicious cyber requests when compared to its Western counterparts from Anthropic, Google, or OpenAI. Other factors that may have facilitated the use of DeepSeek is its free access via the web interface, availability in regions where other frontier models do not operate, and its ability to generate a working malicious application from a “single broad prompt” as opposed to models from Anthropic or OpenAI.

“DeepSeek models can turn high‑level malicious ideas into concrete, complete attacks with less expertise than competing platforms,” Check Point Research said. The Israeli cybersecurity company said it unearthed the Python artifact as part of its analysis of about 3,000 files attributed to DeepSeek over the past year. Of these, 1,383 samples have been classified as malicious or dangerous. The Python malware is an instance of what’s called In-Browser Ransomware that implements a browser-native technique not encountered in real-world campaigns in the past.

The exact prompt that was used to produce the sample is unknown. The attack technique entails using a phishing decoy to trick a user into granting file system access to a web page, which then enumerates local files in the selected folder, reads and exfiltrates their contents, encrypts and overwrites them, and finally displays an extortion note to the victim. What makes this more unusual is that all of this can be accomplished without installing a native payload, exploiting a browser vulnerability, or requiring root access. It’s worth mentioning here that the approach is limited to web browsers that expose the picker-based File System Access API .

This includes Google Chrome and other Chromium-based browsers across Windows, macOS, ChromeOS, Linux, and Android. There is no evidence that the browser-native ransomware pattern has been abused in the wild. “Our testing confirmed the attack works across Windows, macOS, Linux, Android, and Microsoft Edge on Windows,” Pedro Drimel Neto, malware analysis team leader at Check Point Research, told The Hacker News. “The only significant exception is that on iOS, we could not reproduce the attack there.

Since the File System Access API is implemented in Chromium-based browsers across these platforms, the attack surface is wider than initially thought, affecting the vast majority of desktop and Android users.” Another troubling aspect of AI-assisted development is that it not only lowers the barrier for bad actors to generate offensive code, but also the fact that they do not even need to know such a file system access API exists in the first place, or have the technical expertise to abuse it. Put differently, entering an overly broad prompt is enough for an LLM – subject to guardrails, or lack thereof – to formulate a working attack blueprint from an abstract malicious request. When a user with limited technical understanding outlines unrealistic requirements, the model, in its quest to satisfy them, can generate hallucinated outcomes, surfacing unusual techniques in the process. Drimel Neto said the research demonstrates that even broad prompts can produce hallucinated but functional malware, and that LLMs with lower resistance to harmful requests are “significantly” easier to abuse.

“Threat actors are actively selecting LLMs based on which ones will cooperate with harmful requests,” he added. “What we are witnessing is a fundamental shift in how novel cyber attacks are born. For the first time, we have evidence that an AI model can independently reason across legitimate platform features and surface a working attack technique that humans had only theorised about – without the attacker ever knowing the underlying API existed,” Eli Smadja, head of research at Check Point Research, said in a statement. “The barrier to operationalizing complex attacks is collapsing, and that has profound implications for every organisation embedding AI into its workflows, and for every mobile user who now carries their entire personal and professional life inside a photo library.

The future of AI security cannot rest on hoping models refuse the obvious malicious request; it must assume that the next attack technique will be discovered not by a human researcher, but by an AI hallucination that accidentally got one thing right.” Smadja is also urging organizations to prepare by hardening the delivery layer, rethinking permission-based trust, and treating every browser prompt as a security decision. (The story was updated after publication to include additional insights from Check Point Research.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

2026 Cybersecurity Assessment: The Gap Between Awareness and Resilience

Organizations have never had greater awareness of cyber risk. Yet turning that awareness into operational resilience has never been more challenging. The 2026 Bitdefender Cybersecurity Assessment confirms this is the case, as this year’s findings reveal a series of surprising contradictions. Here are a few examples, based on the independent survey of 1,200 IT and cybersecurity professionals across six countries.

IT & security leaders believe they have sufficient visibility into employee AI usage, while many frontline practitioners disagree . Security teams understand the importance of reducing the attack surface, yet they often lack the skills, resources, or strategy to do so. AI dominates cybersecurity conversations, but in some cases, it is drawing attention away from more prevalent attack techniques already causing significant damage. Although organizations say they recognize the importance of transparency after a breach, many professionals still report pressure to remain silent, even if a breach is reportable.

Together, these findings point to an industry wrestling with a new reality: the gap between awareness and resilience. AI Has Become Both the Biggest Priority and the Biggest Blind Spot Artificial intelligence has rapidly become part of everyday business operations, whether security teams planned for it or not. Yet visibility into that usage remains surprisingly inconsistent. While 51.8% of respondents believe they have full visibility into sanctioned and unsanctioned AI use, 47.4% admit they have only partial or no visibility into Shadow AI tools or personal AI accounts being used for work.

The disconnect becomes even more striking when comparing leadership with practitioners. Nearly 58% of managers believe they have complete visibility, while only 45.9% of practitioners agree. The implication: many organizations may be making strategic decisions based on an incomplete picture of their AI exposure. Majority Agree Attack Surface Reduction Matters—Few Can Achieve It Reducing unnecessary exposure has become one of cybersecurity’s most widely accepted priorities.

Actually doing it is another matter. Respondents identified maintaining hardening policies and exceptions (38%), fear of disrupting business operations (35.4%), and limited resources (34.6%) as the biggest obstacles to reducing the attack surface. Another 33.8% cited uncertainty about which legitimate tools individual users actually require, with that figure climbing to 48.8% among U.S. organizations.

The challenge isn’t convincing anyone of the value of shrinking the attack surface; instead, it’s about finding a way to do it dynamically, without disrupting productivity or creating additional operational burden. AI Is Dominating Attention, Prevalent Threats Ignored In this year’s assessment, security professionals rank AI-related threats as their top three cybersecurity concerns. This includes: Self-mutating malware (55.9%), public LLM data leakage (53.5%), and AI-driven evasion techniques (52.5%), which were all ranked as high or extreme risks by respondents. Yet today’s threat intelligence paints a more nuanced picture.

Rather than inventing entirely new attack techniques, adversaries are largely using AI to improve existing techniques, like making phishing campaigns more convincing, automating reconnaissance, and accelerating attack execution. Meanwhile, one of today’s most prevalent attack methods continues to receive comparatively little attention. Bitdefender Labs recently found that 84% of high-severity attacks leveraged Living off the Land (LOTL) techniques by abusing legitimate tools already present inside the environment. Yet only one in five survey respondents ranked LOTL attacks among their top three concerns.

This suggests that while AI deserves attention, organizations cannot afford to lose sight of the threats already succeeding today. Transparency Remains One of Cybersecurity’s Hardest Challenges Perhaps this year’s most surprising finding isn’t about attackers at all. It’s about organizational culture. More than half (55.2%) of respondents who experienced a breach during the previous twelve months say they were instructed to keep the incident confidential despite believing authorities should have been notified.

The figure rises to 68.6% in the United States. These findings raise important questions about governance, compliance, and trust. Responding effectively to a cyber incident is no longer measured solely by technical recovery. Increasingly, resilience includes transparency, accountability, and confidence in decision-making when incidents occur.

Awareness Is No Longer Enough Taken individually, each finding is interesting. Taken together, they reveal something much larger. Organizations understand today’s cyber risks better than ever before. They know AI introduces new exposure.

They recognize the importance of attack surface reduction. They appreciate the need for transparency and resilience. What remains difficult is operationalizing that understanding while balancing productivity, complexity, compliance, and limited resources. That is the real challenge of defining cybersecurity in 2026.

See How Your Organization Compares To explore the complete results, compare regional trends, and benchmark your organization against 1,200 cybersecurity professionals worldwide: Download the complete 2026 Bitdefender Cybersecurity Assessment Register for the deep dive webinar: 2026 Cybersecurity Assessment: Blindspots, Benchmarks, and What’s Next Because the organizations best prepared for tomorrow’s threats won’t simply understand the risks—they’ll be the ones that know how to turn that understanding into resilience. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Microsoft Accelerates Post-Quantum Cryptography Shift to 2029

Microsoft on Tuesday said it’s accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected. “Advances in quantum research and development have shifted the risk horizon,” Mark Russinovich, chief technology officer of Microsoft Azure, said . “We believe cryptographically relevant quantum computers could arrive sooner than previously expected – and the work required to prepare is significant, so organizations need to start now.” To that end, the Windows maker is speeding up the Microsoft Quantum Safe Program ( QSP ) timeline with the goal of transitioning critical products and services to post-quantum cryptography (PQC) by 2029. The company is also planning to incorporate PQC requirements into its Secure Future Initiative ( SFI ).

Some key focus areas include upgrading network cryptography by adopting TLS 1.3, building crypto-agility for stored data to facilitate the ability to change cryptography without having to redesign the underlying systems, and transitioning to PQC algorithms to secure trust chains, such as code signing, certificate issuance, key protection, and update pipelines. “This brings quantum-safe readiness into the same disciplined engineering framework we use for other critical security outcomes: clear ownership, measurable milestones, and transparent progress,” Russinovich said. “Embedding these capabilities into our platforms empowers customers to move sooner and more confidently.” Microsoft also noted that crypto-agility is essential for post-quantum migration, calling for the need to remove hard-coded algorithm assumptions, persist adequate information to reconstruct the cryptographic context, and build systems such that algorithm upgrades become routine engineering tasks rather than emergency rewrites. “Crypto-agility requires either self-describing cryptographic metadata or versioned ciphertext formats so implementations can read legacy data while writing with the newest approved algorithms,” it explained .

“A well-designed crypto-agile system should aim to read older ciphertext formats long enough to support migration, while writing new data with the newest approved configuration.” The development comes days after U.S. President Donald Trump signed an executive order setting hard deadlines for federal agencies to move high-value assets and high-impact systems to PQC. Earlier this March, Google announced a new program in its Chrome browser to ensure that HTTPS certificates are secure against the future risk posed by quantum computers. That same month, the tech giant publicly committed to migrating its own infrastructure to be quantum secure by 2029.

Web infrastructure company Cloudflare has also followed suit with similar plans to move towards PQC by the same year. The threat is compounded by what’s called “harvest now, decrypt later,” where adversaries can collect encrypted data now in hopes of decoding it later once a large-scale quantum machine becomes operational. What’s more, a team of researchers from Google disclosed it had drastically improved upon the quantum algorithm to break elliptic curve cryptography, specifically the 256-bit elliptic curve discrete logarithm (ECDLP-256), using fewer qubits and gates than previously realized. Separately, a group of academics from Caltech and Oratomic demonstrated a new error-correction approach that could make Shor’s algorithm practical with as few as 10,000 reconfigurable qubits and potentially break RSA-2048 and P-256 .

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware

Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way. Palo Alto Networks’ Unit 42 calls the trick phantom squatting , and its new research shows it is already happening in the wild. The reason it matters is trust.

Developers and AI assistants increasingly treat the links a model hands back as real. When a model invents a domain that does not exist yet, whoever registers it first inherits all of that misplaced trust, with no phishing email and no malicious ad required. To measure the problem, Unit 42 asked two AI models 685,339 questions about 913 well-known brands across technology, finance, healthcare, government, gambling, and other sectors. The models produced 2.1 million links.

Threat intelligence already flagged 13,229 of them as outright malicious, meaning the AI was handing out known-bad addresses. Roughly 250,000 of the invented domains had no owner yet, each a ready target for whoever registers it first. How phantom squatting works The attack works because a brand-new domain has no reputation. Blocklists, threat feeds, and reputation scores all need a site to misbehave for a while before they flag it.

A freshly registered phantom domain has no such record, so those filters have nothing to flag. By the time they catch up, the victim has already been sent to the site by a tool they trust. Two details make it worse. The fake domains were not sitting in the training data: both models shipped before the real malicious sites existed, so the addresses come from the models’ own language patterns, not memory.

And those patterns are consistent. Different models often invent the same fake domain for the same question, which makes an attacker’s next target easy to guess. Turning up a model’s “creativity” setting only produced more invented domains. As Unit 42’s researchers put it, the vector “exploits a structural property of LLM architectures that remains inherently unpatchable.” Two observed cases Two cases show the full loop.

On March 8, 2026, Unit 42’s system predicted that AI models would invent a domain resembling a national postal service’s online marketplace. Both models generated it at every temperature setting, a strong sign that they treated the fake site as fact. Twenty-three days later, on March 31, an attacker registered that exact domain and stood up a phishing kit named Montana Empire. The kit copied the real storefront in real time.

It stole card numbers, bank-transfer details, and national ID data. A Telegram bot lets the operator approve victims’ one-time passcodes by hand. The giveaway: leftover project files and session logs showed the criminal had built the kit with an AI coding assistant. Attacker and defender reached the same fake domain the same way, by asking an AI.

In the second case, Unit 42 flagged a hallucinated postal-service domain a full 51 days before an attacker registered it. The attacker then wrapped it in a pixel-perfect brand clone, added a fake 4.8-star rating and a claim of over two million users, and used it to push a malicious Android app. Other detected domains impersonated a major UAE bank that an attacker had already been abusing for nearly a year, a European bank, and sports-betting sites aimed at users in Bangladesh. An old trick with a new target Phantom squatting is the domain version of slopsquatting , where attackers register the fake software package names that AI coding tools invent.

That is not a hypothetical. A large USENIX study found code-generating models routinely suggest package names that do not exist, and the PhantomRaven campaign turned exactly that behavior into malware hidden in 126 npm packages with more than 86,000 installs. It points to a larger shift: model output is becoming input. Developers, agents, and security teams act on AI-generated links and names before anyone verifies them, and AI keeps shrinking the time defenders have to react .

It also lands in a world where brand-impersonation phishing is now a paid service , with kits like Lucid and Lighthouse standing up 17,500 fake domains against 316 brands in 74 countries. What to do Because models hallucinate consistently, security teams can map which fake domains a model is likely to produce and watch for anyone registering them, often with weeks of warning. For everyone else, the practical steps are simple: Do not trust a link just because an AI gave it. Confirm the domain is the real, official one before you type a password or paste it into code.

Keep AI agents from automatically opening or downloading from model-generated links without a check. An agent has no instinct to hesitate the way a person might. Treat anything a model writes as an unverified draft, not an authority. That window is open, and it rewards whoever moves first.

The real question, as Unit 42 frames it, is simply whether defenders or attackers reach these domains sooner. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.