DAILY WORKFLOW ARCHIVE

2026-07-07 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-07-07 AI创业新闻

BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA

BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices. The vulnerabilities are listed below - CVE-2026-40138 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access stemming from improper validation of authentication data that could allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. CVE-2026-40139 (CVSS score: 9.2) - A pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support stemming from improper processing of authentication requests that could allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. CVE-2026-40140 (CVSS score: 8.7) - A pre-authentication vulnerability in the network communication subsystem stemming from insufficient validation of client-supplied input that could allow an unauthenticated remote attacker to trigger a denial-of-service condition, affecting appliance availability.

CVE-2026-40141 (CVSS score: 8.5) - A vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access stemming from insufficient validation of user-supplied input that could allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope. It’s worth noting that the successful exploitation of CVE-2026-40138 and CVE-2026-40139 hinges on a specific authentication configuration being enabled. In the case of CVE-2026-40141, exploitation, should it occur, is restricted to accounts with specific permissions. BeyondTrust said all the identified internally as part of ongoing security assessments, with assistance using publicly available artificial intelligence (AI) models like Anthropic Claude Opus 4.8 and its own proprietary research tooling.

“The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations,” it said. “Additional vulnerabilities may allow service disruption, unintended data access, and, under distinct configurations, elevated access by an authenticated user that may impact system integrity.” The issues have been addressed in the following versions - Remote Support RS 25.3.2 or lower (Fixed in RS 25.3.3 and above) Privileged Remote Access PRA 25.3.2 or lower (Fixed in PRA 25.3.3 and above) BeyondTrust makes no mention of the vulnerabilities being exploited in the wild. However, security flaws in RS and PRA products ( CVE-2024-12356 and CVE-2026-1731 ) have come under repeated exploitation in the past to deploy web shells and backdoors, making it essential that users move quickly to apply the fixes. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations

An Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka Cav3rn) targeting Israeli organizations. The activity, which has primarily singled out IT providers and government sectors, has been attributed to a threat cluster tracked by Check Point Research under the moniker Cavern Manticore , which it said shares some level of tactical overlaps with MuddyWater and Lyceum , the latter of which is assessed to be a subgroup within OilRig . “The framework reflects a mature and adaptable toolset built around a shared .NET foundation, while using multiple compilation formats across different components, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT ,” the cybersecurity company said . “The compilation format itself becomes the anti-analysis layer that forces reverse engineers into multiple toolsets and metadata-reconstruction workflows.” The components of the C2 framework are used as Cavern Agent and Cavern modules, demonstrating a clear division of responsibilities between core communication capabilities and mission-specific post-exploitation functionality.

This architecture has inherent advantages as it allows the operators to tailor deployments based on the victim profile, reduce forensic visibility, and ensure persistent access through bespoke modules for reconnaissance, data theft, tunneling, and lateral movement. The attack chain documented by Check Point Research commences with SysAid’s software update feature, which is leveraged by the adversary to initiate a DLL side-loading chain that leads to the execution of a trojanized DLL (“uxtheme.dll”) containing the Cavern Agent. The agent, for its part, loads a standalone communication DLL module (“n-HTCommp.dll”) to contact the C2 server (“hospitalinstallation[.]com”) and fetch additional post-exploitation modules on the fly over HTTPS or WebSocket. As many as five DLL modules have been uncovered - mhm.dll , for file operations, enumeration, recursive file search, archive handling, and bidirectional file transfer db.dll , for SQL database enumeration, query, export, and manipulation ode.dll , for Active Directory reconnaissance, user/group enumeration, and LDAP brute-force attempts n-ten.dll , for network reconnaissance, port scanning, share enumeration, and SMB brute-force attempts n-sws.dll , for SOCKS5 proxy and WebSocket tunneling A defining trait of the framework is its use of three different .NET compilation targets spanning its components: while mhm.dll, db.dll, and ode.dll are pure .NET Framework modules, n-HTCommp.dll, n-ten.dll, and n-sws.dll make use of Native AOT (Ahead-of-Time) compilation.

The main agent, uxtheme.dll, combines managed .NET code with native C++ in a single portable executable. Embedded within the agent is a unified module dispatcher that treats components whose names start with n- as native DLLs and loaded via the LoadLibraryA Windows API, while the rest is interpreted as managed .NET assemblies and loaded through a mechanism known as AppDomain isolation . “The framework’s anti-analysis posture relies on uncommon .NET compilation formats (Mixed-Mode C++/CLI and Native AOT) that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure,” Check Point explained. Attacks orchestrated by Cavern Manticore have involved the threat actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization, indicating their ability to weaponize trusted relationships in the software supply chain to their advantage.

“This activity highlights the operational value of trusted service-provider relationships, particularly where Remote Monitoring and Management (RMM) solutions are deployed,” the company noted. “By abusing these tools, the actor can move laterally between victims and deliver malicious software disguised as legitimate updates. The actor also appears to leverage browser-based remote desktop technologies to access targets of interest and, in some cases, abuse built-in features such as remote printing to exfiltrate data when clipboard-based copy-paste or file-transfer capabilities are restricted.” The development unfolds against the backdrop of the ongoing joint military operation launched by Israel and the U.S. against Iran.

In recent months, the Iranian state-sponsored threat actor tracked as MuddyWater has been observed conducting a broad reconnaissance campaign across more than 12,000 internet-exposed systems by exploiting known security flaws in internet-exposed SmarterMail, n8n, N-central, Langflow, and Laravel Livewire systems. The list of exploited vulnerabilities is as follows - CVE-2025-52691

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems

A use-after-free bug in Linux’s KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed ‘ Januscape ‘ and tracked as CVE-2026-53359 , the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution. Security researcher Hyunwoo Kim (@v4bel) found and reported the bug.

He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years. According to Kim, the exploit was used as a zero-day submission in Google’s kvmCTF , the controlled KVM vulnerability reward program that offers up to $250,000 for full guest-to-host escapes. How It Works To run a virtual machine, KVM keeps its own private set of page tables that mirror the guest’s memory layout.

When it needs one of these tracking pages, it looks for an existing one to reuse. The problem: it matched them by memory address alone and ignored what type of tracking page it was grabbing. Two different types can share the same address but do completely different jobs, so KVM would sometimes reuse the wrong kind. That mix-up scrambles KVM’s internal records of which page belongs where, and once those records are wrong, something has to give.

Most of the time, the kernel notices the mess and shuts itself down on the spot to avoid doing damage. That crash is what the public demonstration triggers: a guest can knock over the whole host, taking every other VM on that machine down with it. The rarer, worse case happens when the freed tracking page gets handed out for another use before the kernel cleans up. The cleanup then scribbles a value into memory it no longer owns.

An attacker only controls where that write lands, not what gets written, but even that limited foothold can be worked up into running code on the host. The flaw behaves the same on Intel and AMD chips; only the final, hardest step of turning it into full control takes different work on each. Who Is Affected The vulnerable code has been present since commit 2032a93d66fa in August 2010 (kernel 2.6.36 era) and was fixed by commit 81ccda30b4e8 , merged into mainline on June 19, 2026. The attack requires two things from the guest side: root inside the VM, a common condition on rented cloud instances, and nested virtualization exposed by the host.

Even on hosts that run hardware EPT or NPT by default, nested virtualization forces KVM back through the legacy shadow MMU, which is where the bug sits. The exploit needs no cooperation from QEMU or any userspace VMM. It is purely an in-kernel KVM bug. The practical concern is any x86 environment that hosts untrusted guests with nested virtualization enabled.

An attacker who rents a single such instance can panic the host, taking down every other tenant VM on the same physical machine. Kim said the withheld full exploit runs code as root on the host, which would expose other guests on the same machine to that root access. On distributions like RHEL, where /dev/kvm is world-writable (0666), Kim noted the same bug could also serve as a local privilege escalation to root, though the guest-to-host path is the higher-impact use. A Busy Few Months for One Researcher Januscape is Kim’s third Linux kernel exploit disclosure in roughly two months.

In May 2026, he disclosed Dirty Frag ( CVE-2026-43284 / CVE-2026-43500 ), a page-cache write vulnerability chain that delivers deterministic root on most major distributions, extending the same bug class as Dirty Pipe and Copy Fail. In June, he published ITScape (CVE-2026-46316), the first publicly demonstrated guest-to-host escape on KVM/arm64, exploiting a race condition in the virtual interrupt controller. Januscape now adds the x86 side; the same trigger fires on both Intel and AMD, with the PoC carrying a separate code path for each vendor. Google launched kvmCTF in 2024 specifically because KVM underpins both Android and Google Cloud.

A separate KVM x86 shadow paging use-after-free ( CVE-2026-46113 ) involving a related but distinct rmap mismatch was fixed in May 2026. That makes two shadow MMU use-after-frees in the same legacy code path within two months. What to Do The fix is a one-line addition to kvm_mmu_get_child_sp(): the reuse condition now checks role.word alongside the gfn, so a shadow page is only reused when both the frame number and the role match. KVM maintainer Paolo Bonzini wrote the patch .

Fixed stable versions shipped on July 4, 2026: 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211, and 5.10.260. NVD has not yet assigned a CVSS score; do not wait for one. If you operate an x86 KVM host that accepts multi-tenant guests with nested virtualization, confirm that your kernel includes commit 81ccda30b4e8. Distribution backports may carry the fix under a different version number, so check the package changelog rather than relying on uname -r alone.

If you cannot patch immediately, disabling nested virtualization (kvm_intel.nested=0 or kvm_amd.nested=0) removes the attack path for untrusted guests. ARM64 hosts are not affected by Januscape; ITScape (CVE-2026-46316) is a separate KVM/arm64 issue. The public PoC demonstrates a reliable host panic from a guest with a loadable kernel module and seconds to minutes of racing. Treat exposed x86 KVM hosts with nested virtualization as high-priority patch targets.

Update: Distribution Patch Status
Updated July 6, 2026. The fix reached the mainline stable kernels on July 4 (
7.1.3
,
6.18.38
,
6.12.95
,
6.6.144
,
6.1.177
,
5.15.211
,
5.10.260
). Downstream distributions ship the backport on their own schedules, so confirm status against your vendor’s tracker rather than the upstream version alone. Debian
Fixed in DSA-6381-1 (July 5) for testing/trixie ( linux 6.12.95-1 ) and unstable/sid ( 7.1.3-1 ).
Stable (bookworm) and oldstable (bullseye) were still vulnerable, fixes pending. SUSE / openSUSE
Rated important. Status is Pending across most SUSE Linux Enterprise 15 SP7 and Leap products, with kernel updates in QA rather than released. Apply via zypper patch once published.
AlmaLinux, Rocky Linux, Oracle Linux
These rebuild from RHEL and track its kernel errata; expect their advisories to follow the corresponding Red Hat update. Red Hat
Per-product status and the RHSA, once released, are on the Red Hat CVE page . Ubuntu
Canonical’s per-release status is on the Ubuntu CVE tracker . NVD had not scored the CVE at the time of writing, but SUSE rated it 8.8 (v3.1) / 9.3 (v4.0), a reminder not to wait on an NVD number before patching exposed hosts.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Take the AI Sprawl CISO Survey. We’ll Ship You Swag For It

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig . The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the “X-WEBAUTH-USER” header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access. In a statement shared with The Hacker News via email, security researcher Ali Mustafa (@rz1027), who is credited with discovering and reporting the flaw, said the Gitea Docker images shipped an “app.ini” template that hard-codes “REVERSE_PROXY_TRUSTED_PROXIES = *” by default. The “ app.ini “ file is a core configuration file for managing server parameters, database connections, security behavior, and application settings.

“With reverse-proxy login enabled, that wildcard trusts every source IP, so anyone who could reach the port could send an X-WEBAUTH-USER header and be authenticated as any user, with no password and no token,” Mustafa explained. “With auto-registration on, an admin username gives admin.” It’s worth noting that the documented safe value for the “REVERSE_PROXY_TRUSTED_PROXIES” internal variable is “127.0.0.0/8,::1/128,” meaning only localhost, aka the loopback interface, is allowed as a trusted proxy server. However, the official Docker image doesn’t use this default, hard-coding “*” instead. In other words, the allowlist check is as good as not having it.

Thus, when an admin sets “ENABLE_REVERSE_PROXY_AUTHENTICATION = true” to put Gitea behind an authenticating reverse proxy and leaves the “REVERSE_PROXY_TRUSTED_PROXIES” setting to its default value, it allows a X-WEBAUTH-USER custom HTTP header from any source IP that can reach the container. “Any process that can reach the Gitea container’s HTTP port directly – not through the intended authenticating proxy – can impersonate any user whose login name is known or guessable,” according to Gitea’s advisory. “Admin accounts (admin, gitea_admin, etc.) are the obvious targets.” The vulnerability affects Gitea Docker images versions before and including 1.26.2. It has been addressed in version 1.26.3 released late last month, with the “*” wildcard now removed and reverse-proxy authentication made opt-in.

Cloud security company Sysdig has since revealed it detected the first in-the-wild exploitation attempt 13 days after public disclosure of the vulnerability. There are about 6,200 internet-facing Gitea instances. “So far, the activities have been related to initial investigation by the threat actor,” Michael Clark, senior director of threat research at Sysdig, told The Hacker News. “While we saw the first action from an IP from the ProtonVPN service, 159.26.98[.]241, it has not so far progressed to any exploitation or attack progress.

We think this is because we have seen this one early before it has had the chance to develop beyond that initial phase.” Given the severity of the issue, it’s essential that users apply the fixes as soon as possible for optimal protection. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover.

Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust placed one layer too early.

Below is the full recap, since this is apparently what counted as a normal week. ⚡ Threat of the Week NetNut Residential Proxy Network Disrupted — Google, in collaboration with the U.S. Federal Bureau of Investigation (FBI), Lumen, and other partners, took action against the NetNut residential proxy network, also known as Popa, building upon its takedown of IPIDEA in January 2026. Google said it disabled Google accounts and associated Google services used by NetNut for malware command-and-control (C2) and updated Google Play Protect, in addition to disabling applications known to incorporate NetNut SDKs.

The size of the network is estimated to be at least 2 million devices globally. “NetNut populates its botnet by distributing SDKs for devices commonly found in homes, such as smart TVs and streaming boxes,” Google said, adding it “identified NetNut botnet plugin components for large-scale botnets such as BADBOX 2.0.” The end goal is to leverage the route traffic through these devices, allowing bad actors to mask malicious activity. The devices are pre-installed with malware before purchase or because users unknowingly download applications containing hidden proxy code. Case Study: How 1Password Secured Canva’s Path to 260M Users When Canva 5xed their headcount across 8 countries, they needed security that could scale as fast as their business.

See how 1Password helped them onboard teams in minutes, eliminate secret sprawl, and keep engineering moving. Learn More ➝ 🔔 Top News WhatsApp Gets Usernames But Impersonation Concerns Are Raised — WhatsApp officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three billion users on the messaging platform. The optional feature is designed to help users connect with someone on the service through usernames, as opposed to directly sharing their phone numbers. The feature is expected to be generally available later this year.

The rollout marks a shift in how people identify one another on the messaging app. It has also drawn scrutiny in India, its largest market, over concerns it could be abused to impersonate public authorities, financial institutions, government departments, and other prominent figures. While Meta told TechCrunch it reserves usernames for public figures, government entities, and some of their variations so that only legitimate users can claim them, it’s currently not clear how it decides which lookalike usernames get reserved and which don’t. ChocoPoC RAT Targets Vulnerability Researchers with Fake PoC Exploit Repos — Security researchers on the lookout for Python-based proof-of-concept (PoC) repositories on GitHub claiming to exploit new CVEs are being tricked into executing malicious code that delivers ChocoPoC.

While the PoC in itself looks clean, the actual malware sits inside a dependency named “skytext” pulled by the PoC. The malware is a full-featured trojan capable of harvesting passwords, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox. It also captures text files, notes, local databases, shell history, network settings, and a list of running processes, as well as supports running arbitrary shell commands or Python code. 19-Year-Old Alleged Scattered Spider Suspect Extradited to the U.S.

— Peter Stokes (aka Bouquet, Spencer, and Jordan), a 19-year-old man with dual U.S. and Estonian citizenship, was extradited from Finland to the U.S. to face criminal charges over his involvement in a criminal scheme in connection with the Scattered Spider hacking group. Finnish police arrested him in April 2026.

Stokes and other Scattered Spider members are alleged to have breached an unspecified “luxury-jewelry retailer” in May 2025 and demanded an $8 million ransom in cryptocurrency. The company incurred at least $2 million in losses from business disruption, incident response, and recovery efforts. Stokes was involved in at least four Scattered Spider breaches, the Justice Department said. Stokes faces charges of fraud, conspiracy, and computer intrusion.

Ousaban Banking Trojan Targets Spain and Portugal — A new Brazilian banking trojan called Ousaban has been observed using fake PDF documents containing a link to a malicious web page that scans the user’s environment. “If they are in Spain or Portugal, the webpage downloads a VBS file to kickstart the next part of the attack,” Fortinet said. “The final payload is an EXE file that is dropped onto the victim’s computer and executed by the VBS script.” Ousaban gets triggered when victims visit a banking site, at which point it captures screenshots and keystrokes, tampers with the clipboard, and enables remote control. AI-Generated Browser Ransomware Exploits Chromium File Access API — A new malware artifact generated using DeepSeek has constructed a novel attack path combining “unrealistic browser-malware concepts with a real browser capability” to turn it into a working ransomware technique that runs entirely inside the browser on Windows, Linux, macOS, and Android devices.

The approach is limited to web browsers that expose the picker-based File System Access API. This includes Google Chrome and other Chromium-based browsers across Windows, macOS, ChromeOS, Linux, and Android. There is no evidence that the browser-native ransomware pattern has been abused in the wild. “What we are witnessing is a fundamental shift in how novel cyber attacks are born,” Check Point said.

“For the first time, we have evidence that an AI model can independently reason across legitimate platform features and surface a working attack technique that humans had only theorised about – without the attacker ever knowing the underlying API existed.” 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-48276, CVE-2026-48283, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48313, CVE-2026-48315 (Adobe ColdFusion), CVE-2026-48286 (Adobe Campaign Classic), CVE-2026-50548, CVE-2026-50549 (Cursor), CVE-2026-46242 aka Bad Epoll (Linux Kernel), CVE-2026-6682, CVE-2026-6687, CVE-2026-6688 (FatFs), CVE-2026-8037 (Progress Kemp LoadMaster), CVE-2026-28701, CVE-2026-33560, CVE-2026-31928 (Daktronics Controller Firmware), CVE-2026-41120 (Dell Wyse Management Suite), CVE-2026-41492 (Dgraph), CVE-2026-55047 (Anthropic Buffa), from CVE-2026-13774 through CVE-2026-13788 (Google Chrome), CVE-2026-48519, CVE-2026-48520, CVE-2026-7528, CVE-2026-7524 (Langflow), CVE-2026-3199 (Sonatype Nexus Repository), CVE-2026-12166, CVE-2026-12167, CVE-2026-12168 (Little Orbits GameFirst Anti-Cheat driver), CVE-2026-56141, CVE-2026-56142, CVE-2026-50242, CVE-2026-50242 (JetBrains), CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, CVE-2026-20244 (ClamAV), CVE-2026-20191 (Cisco Catalyst Center), CVE-2026-53917 , CVE-2026-54475 , CVE-2026-49877 (Apache ActiveMQ), CVE‑2026‑13050, CVE‑2026‑13053, CVE‑2026‑13054, CVE-2026-13079 (WatchGuard Fireware OS), CVE-2026-45504 (Microsoft Exchange Server), CVE-2026-14191 (WinRAR), CVE-2026-44024, CVE-2026-44025 (Fluentd), CVE-2026-55957 , CVE-2026-55956 (Apache Tomcat), CVE-2026-13136, CVE-2025-15660 (Synology MailPlus Server), CVE-2026-22678, CVE-2026-49102, CVE-2026-49103, CVE-2026-42210, CVE-2026-56022 (Webmin), from CVE-2026-12044 through CVE-2026-12050 (pgAdmin), CVE-2025-66273, CVE-2025-66279, CVE-2026-22893 (QNAP QTS, QuTS hero, QuTS cloud, and QVP), CVE-2026-11310, CVE-2026-11999, CVE-2026-6679, CVE-2026-55958, CVE-2026-55960, CVE-2026-55961 (wolfSSL), CVE-2026-48611 (phpBB), and CVE-2026-20896 (Gitea). 🎥 Cybersecurity Webinars AI Attacks Are Moving Faster Than Your Defenses → AI is helping attackers write better lures, change tactics faster, and run campaigns at a scale many security teams are not built to handle.

This webinar breaks down how AI-powered threats like Mythos gain access, move through environments, and expose the limits of traditional network-based defenses—then shows how teams can reduce attack surface, stop lateral movement, and contain risky behavior before it turns into a major incident. Your AI Agents Need a Kill Switch → AI agents can do more than make mistakes—they can expose credentials, bypass controls, and become a new attack surface inside the business. This webinar uses hands-on findings from OpenClaw testing to show where agentic AI breaks down, why guardrails are not enough, and how teams can reduce risk with identity-based governance, least-privilege access, short-lived secrets, logging, auditing, and visibility into shadow AI use. 📰 Around the Cyber World Indirect Prompt Injection Attacks Targets AI Agents for Typosquatting and Payment Scam — Threat actors are using indirect prompt injection (IPI) to hide instructions in websites, attempting to trick an AI agent into following the attacker’s instructions.

“The observed campaigns combine SEO poisoning with CSS/HTML abuse to both manipulate search results and conceal prompt-style instructions that influence AI decision making,” Zscaler said . “When AI agents misclassify malicious websites as legitimate, they increase the risk of context contamination and downstream Retrieval-Augmented Generation (RAG) poisoning.” Dropping Elephant Delivers In-Memory RAT — The threat actor known as Dropping Elephant (aka Patchwork) has been observed using a China-themed energy-sector contract lure to deliver a heavily reworked, in-memory remote access trojan (RAT). “This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of ‘Donut’ shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls,” Rapid7 said . “The revamped RAT significantly complicates detection by using control-flow flattening, runtime API reconstruction, and hardened C2 communications.” The malware supports directory listing, file upload/download, screenshot capture, and command execution capabilities.

Microsoft Updates SSPR to Require Registered Authentication Methods — Starting September 7, 2026, Microsoft said Entra self-service password reset will require users to have explicitly registered authentication methods for password reset verification, while explicitly disallowing directory-sourced contact information unless registered. “Currently, SSPR may allow users to verify their identity using contact information stored in directory attributes such as mobile phone, business phone, and alternate email, even if those values were never explicitly registered as authentication methods,” Microsoft said . “To strengthen identity security, SSPR will require explicitly registered authentication methods for verification. This change is part of Microsoft’s Secure Future Initiative and ensures password reset verification is based on trusted, user-validated methods rather than directory-sourced attributes.” The development comes as the Windows maker has introduced jailbreak and root detection for Entra credentials in the Microsoft Authenticator app on both iOS and Android platforms, preventing Entra credentials from functioning on jailbroken/rooted devices.

Scammers Exploit Trusted Brand Names to Drive Casino Traffic — Scam advertising campaigns are impersonating trusted brands to drive consumers to unrelated online gambling sites. “These campaigns utilize paid social ads, fake app store pages, and Progressive Web Apps to make users believe that well-known brands have launched ‘official’ casino or slot products,” Netcraft said . “The scams begin with an ad on social media platforms such as Facebook, Instagram, and TikTok. The ad claims that a recognizable brand has launched ‘[Brand] Slots’ or a similar gambling product.

Upon interacting with the ad, the user is taken to a fake landing page designed to look like an official app store listing or branded game page. Instead of installing a real app, the user is prompted to add a Progressive Web App to their device, which opens an unrelated online casino through affiliate tracking links.” PhishLumos as a Way to Counter Cloaking-Based Phishing Threats — As phishing continues to be a persistent threat in cybersecurity, researchers from Tokyo Metropolitan University and NTT Security Holdings have demonstrated PhishLumos to counter campaigns that evade automated scanners through cloaking and selective blocking techniques. “When content is missing, deceptive, or inaccessible, PhishLumos pivots to infrastructure evidence, including shared domains, IP addresses, certificates, and historical scan metadata,” the researchers said . “It consolidates observations into a typed property graph knowledge base with a deterministic, idempotent merge operator and provenance for auditable investigations.

A supervisor agent coordinates specialized agents and synthesis agents powered by large language models to profile campaigns and generate empirically validated detection rules for deployment in existing controls.” CVE Explosion in the AI Era — With artificial intelligence (AI) and large language models (LLMs) accelerating vulnerability discovery, a new report from ProjectDiscovery has found that 30,550 CVEs have been published so far in 2026, a figure that’s expected to eclipse 2025’s 49,458 CVEs. Of these, 2,906 are rated critical, and 11,187 are rated high in severity. In contrast, a total of 30,361 CVEs were published in 2023. “The exploitable surface is doubling faster than defenders can absorb,” ProjectDiscovery said .

When the median time-to-exploit is days and the mean is negative, a 55-day critical-remediation cycle is not a process, it’s an open door. If attackers are weaponizing bugs in minutes with AI, the response, finding them, proving they’re real and handing developers a fix, has to run continuously and autonomously, not on a calendar.” New ClickFix Campaign Uses Blockchain C2 — An active malware-as-a-service (MaaS) operation is abusing the Polygon (MATIC) blockchain as a resilient C2 configuration with a ClickFix lure. More than 130 compromised lure websites have been detected so far as part of the campaign. “Compromised websites are injected with a script named tracker.js, appearing as ‘JokerStat Analytics Tracker,’” Palo Alto Networks Unit 42 said .

“In addition to the clipboard injection, this script performs screenshot and victim-session telemetry exfiltration every 2 minutes.” When a victim visits a compromised site, the injected JavaScript performs a blockchain lookup to fetch the C2 server URL. “After C2 resolution, tracker.js starts collecting victim telemetry, including pageview events, heartbeat and screenshots,” Unit 42 said. “The same tracker.js then injects the clipboard content personalized per victim. The victim sees a fake CAPTCHA overlay and follows the instructions leading to a ClickFix attack.” The attack culminates with the deployment of an infostealer written in Ruby.

2 Venezuela Nationals Sentenced in ATM Jackpotting Attacks — Two illegal aliens from Venezuela, Carlos Javier Padron, 36, and Arnoldo Cabrera Torrealba, 37, were sentenced to 78 months in prison in the U.S. for their involvement in ATM jackpotting activities. The two individuals pleaded guilty to one count of conspiracy to commit bank burglary and one count of computer fraud and intentional damage to a protected computer. The defendants built and deployed a variant of the Ploutus malware on ATMs across the country and used it to withdraw money without authorization.

“The conspiracy relied on individuals, including Padron and Torrealba, to deploy the Ploutus malware onto ATMs in person,” the U.S. Justice Department said . “Once installed and activated, the malware permitted the co-conspirators to issue commands to the cash dispensing module of the ATM in order to force unauthorized withdrawals of currency.” Padron and Torrealba were also ordered to jointly pay $1.53 million in restitution. More than 90 other defendants have been charged over their roles in the operation.

Bypassing Microsoft Entra Conditional Access Policies — NetSPI said it found a way to bypass Microsoft Entra Conditional Access Policies by abusing Nested App Authentication to return access tokens for the Microsoft Graph API. “It was possible to use certain Nested App Authentication (or BroCI) flows to bypass any Conditional Access policy,” security researcher Thomas Byrne said . “This vulnerability served mainly as a persistence mechanism as it would have required a successful phishing attack to return an initial refresh token before the vulnerable authentication flows could be carried out.” A fix for the issue has since been rolled out by Microsoft. Threat Actors Target Laravel Livewire Flaw — More than 6,100 applications have been compromised as part of a campaign targeting CVE-2025-54068 , a critical unauthenticated RCE vulnerability in Laravel Livewire, to deliver a credential stealer by means of a shell script.

The stealer harvests database-related configurations, Stripe secret keys, SMTP passwords, Google OAuth client secrets, JWT secrets, and AWS IAM credentials from .env files and exfiltrates them to a remote server. The campaign is assessed to have been underway for several months. “Recovery and analysis of the attacker’s exfiltration infrastructure revealed credentials harvested from 6,167 distinct applications spanning dozens of countries and sectors, from e-commerce and healthcare to financial services, education, and government,” Imperva said . “The attacker’s FTP server contained 1,851+ database dumps and 18+ email lists with over 26 million addresses, indicating the stolen credentials were being actively exploited.” The activity has been attributed to an Indonesian-origin threat actor.

Booking.com Partner Firms Targeted in TONResolver Campaign — Attackers are targeting employees of Booking.com partner companies in Japan using phishing emails that impersonate guest complaints and review requests to trick hotel staff into executing malicious files. The emails are sent using the notification functionality of a scheduling tool service, allowing them to bypass SPF, DKIM, and DMARC checks . The attacks led to the deployment of TONResolver, which abuses the Open Network (TON) blockchain platform as a dead drop resolver. “In this attack, a ZIP file was downloaded by accessing a hyperlink to a suspicious website, and the infection began when the user clicked a shortcut link file (LNK) disguised as a photo file within the ZIP archive,” Trend Micro said .

This triggers the execution of PowerShell that fetches and runs the JavaScript-based TONResolver malware using “node.exe,” a core executable file for Node.js. The malware then connects to the C2 server obtained from the TON platform for additional attack execution and sends commands. Mamont Android Malware Dissected — An Android malware called Mamont is distributed via dropper apps masquerading as dating services to facilitate financial fraud. “The dropper and its embedded companion APK work in tandem to silently install, launch, and maintain control over the victim device while performing financial reconnaissance and awaiting attacker instructions,” NCC Group said .

A second variant of the malware has been found to serve phishing overlays inside Android WebView components at runtime, while also initiating phone calls, collecting installed applications, gathering device/network information, and manipulating system behavior to suppress notifications. “Additionally, it can execute commands dynamically based on input, indicating remote control functionality, and it reports execution results back through an internal handler or communication channel,” security researcher Vamsi Pavuluri said . 2 Campaigns Deliver AsyncRAT — Phishing emails containing a Dropbox URL as well as macro-laced spreadsheets to distribute AsyncRAT malware. “When the recipient clicks on the link, a ZIP file is downloaded,” Forcepoint said .

“This file contains an Internet shortcut file in a .URL format. Opening this file leads to downloading multiple malware payloads in the background while the user is deceived by a legitimate-looking PDF opening. This file leads to a .lnk file, which then leads to a JavaScript file. This JS file links to a .BAT file, which hosts malicious content that ultimately delivers another ZIP file.

This new ZIP file houses the Python script used to execute the AsyncRAT malware.” The second campaign, detailed by LevelBlue, involves the use of generic emails targeting sales, procurement, and vendor management staff with a malicious spreadsheet that uses an embedded macro to download an HTA script, which then performs environment checks before delivering AsyncRAT or Remcos RAT . Clubfoot Wolf and Fluffy Wolf Targets Russia — BI.ZONE has disclosed cyber attacks mounted by an intrusion set it tracks as Clubfoot Wolf targeting a wide range of Russian sectors using spear-phishing emails to deliver NetSupport RAT to establish persistent remote access. A second threat cluster dubbed Fluffy Wolf has leveraged malicious email attachments and GitHub repository URLs to redirect recipients to ZIP archives that deliver PureLogs Stealer, PureRAT , and the Pay2Key ransomware. Also put to use in the attacks is a previously unreported C++ downloader called PowerLoader to fetch malicious PowerShell scripts from the C2 server over HTTP.

In this attack chain, the loader is responsible for retrieving PureCrypter, which then launches the final payload. Multiple PhaaS Kits Spotted in the Wild — A number of phishing-as-a-service (PhaaS) toolkits have been identified: CodeStorm (which is a tenant-aware Microsoft 365 phishing kit), ARToken (a fully-featured PhaaS operator panel that shares overlaps with EvilTokens , a device code phishing toolkit), Console (for harvesting AWS console credentials), Mirage2FA (which uses short-lived HTML smuggling and obfuscated JavaScript-loaders to deliver fake Microsoft 365 login pages), and Bluekit (which uses browser-in-the-middle technique to load the legitimate login page inside an attacker-controlled browser, causing the victim to log into their accounts on the attacker’s machine). At the same time, reports indicate that the Tycoon 2FA PhaaS service has resurfaced with new infrastructure and obfuscation layers following its law enforcement takedown back in March 2026. These developments also coincide with a surge in device code phishing attacks that exploit legitimate OAuth flows.

Specifically, the attack tricks users into entering a device code that then issues active cookies and tokens directly to the attacker’s device, bypassing multi-factor authentication (MFA). In tandem, Chinese-language phishing-as-a-service (PhaaS) communities are expanding in an area historically dominated by Russian-speaking cybercriminal groups. One such PhaaS service is the Darcula platform, linked to threat actor UNC5814, which has abandoned static phishing templates in favor of AI-powered page generators and browser automation tools, Loke Puppeteer, that can clone legitimate websites by replicating their HTML, CSS, JavaScript, and visual elements. Because each generated phishing page is unique, traditional signature-based detection methods are rendered ineffective.

While PhaaS is at the core of these operations, these developers also typically offer numerous ancillary services, including the sale of personal and financial information. According to a report from Group-IB, data brokers active in Chinese-speaking dark web forums and Telegram channels are advertising large volumes of purportedly stolen data from organizations worldwide. These include marketplaces like Exchange Market, Chang’An Sleepless Night, Aiqianjin, Yiqun Data, and Phoenix Overseas Resources. 🔧 Cybersecurity Tools T3MP3ST → It is an open-source offensive security framework that connects to an AI coding agent and uses it to run authorized security tests across web apps, CTF-style challenges, source code, and other targets.

It provides a browser War Room and CLI for recon, exploit testing, and reporting, while its maintainers state it should only be used on systems the user owns or has written permission to test. NOX → It is an open-source Go-based tool for attack surface management, reconnaissance, and vulnerability scanning. It can run passive checks, quick probes, custom YAML workflows, or a full scan using 299 built-in modules across OSINT, subdomains, DNS, ports, web fingerprinting, and deeper vulnerability tests. Its maintainers warn that active scans make real network requests and should only be run against systems the user owns or has written permission to test.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law. Conclusion Most of this week’s problems did not need a clever attacker so much as a useful opening.

A trusted device, a trusted repo, a trusted reset path, a trusted browser feature. That word did a lot of damage. Patch what is yours. Question what looks too clean.

And maybe stop assuming the boring parts are safe just because they look boring. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How to Evaluate an AI SOC Platform in 2026: 6 Capabilities That Separate Leaders from Bolt-On AI solutions

Building a shortlist for an AI SOC evaluation can be tough. SIEM, SOAR, and pureplay AI SOC vendors are all saying the same thing. But behind the identical label sit very different products, from chat assistants bolted onto a legacy SIEM to agent platforms that run detection, triage, investigation, and response on their own data foundation. Whether a platform will materially change outcomes for your team matters more than what it is called.

We can measure that in investigation time, false-positive volume, analyst hours returned, total cost of running your SOC and finally whether the architecture will hold up 2-3 years from now as the volume, speed and complexity of attacks keep increasing. What Is an AI SOC Platform? An AI SOC platform is a security operations platform where AI agents carry out the core work of the SOC (detection, triage, investigation, and response) by reasoning over correlated security data, under human oversight. It differs from bolt-on AI, which summarizes alerts inside an existing SIEM while the underlying work stays manual.

Agents doing the core work are what vendors mean when they say agentic. The distinction can look subtle on a datasheet, but the real proof is during POCs. What Makes an AI SOC Agent Predictable? Predictability separates SOC automation you can trust from automation you babysit, and it is a data property more than a model property.

An agent that only summarizes alerts can work from the alert payload alone. An agent trusted to close alerts or take response actions needs to have much more context, such as the entity (identity, resource, device/asset) involved, how its configuration has drifted, and what normal looks like for the entity and numerous other factors. Platforms built for that level of trust maintain a real-time knowledge graph, a continuously updated map of the identities, resources, configurations, and behavioral baselines in an environment and the relationships between them, assembled before any alert fires. Grounded in that context, and paired with the layered model architecture covered in the checklist below, an agent returns consistent, evidence-backed verdicts.

Bolt-on AI works in the opposite direction, querying raw logs after an alert lands, which is why its conclusions often fail to hold up under scrutiny. Breadth matters just as much. The strongest platforms add detection coverage for sources you never instrumented, run threat hunts continuously, and begin response while an incident is still unfolding. 6 AI SOC Capabilities to Test Before You Buy Each capability below can be checked during a proof of concept, in your own environment, or live in a vendor demo.

A real-time, correlated data foundation. An AI verdict is only as good as the context behind it. Ask whether identity, configuration, resource, and baseline data are correlated continuously (the knowledge-graph approach) or assembled from raw logs at query time. Speed alone proves little; a fast query engine also returns in seconds.

Instead, pick an identity at random and understand its permissions (admin or not), configuration drift, and behavioral baseline (normal location, IP, ASN, user agent, etc.). None of that can be faked at query time. Full-lifecycle agents. Have the vendor walk one incident end-to-end, from the detection that created it through triage, investigation, and a response action, and watch whether context carries across each step or gets re-gathered.

Many platforms automate Tier-1 triage and stop there, which speeds up the alert queue without speeding up the SOC. Evidence-backed, auditable verdicts. Ask to see the evidence trail behind a verdict — every log line, correlation, and inference that produced it — and confirm your analysts can reproduce the finding from the same data. A verdict you cannot audit is an opinion.

Detection coverage beyond the SIEM. Real incidents cross cloud, SaaS, identity, and code, yet much of that telemetry never reaches the SIEM because ingesting it costs too much. List the sources your stack leaves dark, such as high-volume cloud audit logs, GitHub, and Google Workspace, then have the vendor show a detection firing on them and an investigation across them. Staged autonomy with human oversight.

Full autonomy on day one is a warning sign, and so is a platform that never earns more than read-only access. Probe how trust is staged, which actions start as recommendations, what evidence record unlocks automatic execution, and where a person still signs off. Confirm you can tune those thresholds per action type. Measurable outcomes.

Define the numbers before the POC begins: false-positive rate and mean time to investigate and respond. Measure the results against your current baseline, and ask reference customers what moved in their first quarter. If you may eventually want the vendor to run it for you, confirm the managed service uses the same product your team would operate. Spotlight: Exaforce’s Agentic SOC Platform One platform designed around these capabilities is Exaforce, an agentic AI SOC platform whose four Exabots cover the full SOC lifecycle.

Exabot Detect works as your AI detection engineer, Exabot Triage takes every alert to a verdict with Tier-3 depth, Exabot Investigate reduces the barrier for anyone to threat hunt, and Exabot Respond coordinates actions across the kill chain, with a human approving anything irreversible. All four Exabots reason over a unified real-time data platform that ingests and enriches logs and configuration across cloud, SaaS, identity, endpoint, and code. Analysts query all of it in plain language through Exabot. The same platform can stand in for a SIEM, minus the parsers, pipeline upkeep, and SIEM-expert hires that usually come with one.

Guardant Health made Exaforce its primary SIEM and MDR. “I don’t write queries anymore. I just ask Exabot,” says Mike Shannon, Guardant Health’s Director of Security Engineering. The measured outcomes map to the capabilities above.

Invisible cut means time to investigate by 95% , taking investigations from hours or days to minutes. Forcepoint replaced an MSSP that needed hand-holding with Exaforce MDR and now holds a 14-minute mean time to respond on P0 incidents. You have a choice to run the platform with your in-house team or have Exaforce operate it for you through its MDR offering. The architecture and the Exabots are identical either way; only who operates them changes.

How Close Is the Autonomous SOC? No platform, Exaforce included, makes the modern SOC a solved problem. The fight is AI against AI, and it will be won not on the frontier models but in the data the agents reason over. Agents grounded in real-time data correlated with identity, assets/device, resource impacted, baseline behaviors produce verdicts you can predict, reproduce, and audit, instilling confidence in humans to leverage AI in the SOC.

If you’re starting an evaluation, Exaforce’s own primer, What is an AI SOC? , is a grounding read. Then put the six capabilities above in front of every vendor on your shortlist, and request a demo to see how Exaforce answers them. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country.

“It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem,” security researchers Dixit Panchal and Soumen Burma said . The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data theft. The attack chains begin with phishing messages masquerading as India’s income tax department, using tax violations and penalty lures to induce a false sense of urgency and trick users into clicking on a malicious link (“govtop[.]one/incometax”) embedded within PDF attachments. The bogus landing page, for its part, instructs users to download a ZIP archive containing what appears to be a common offline utility provided by the department to file tax returns, but, in reality, is engineered to sideload a malicious DLL (“nvdaHelperRemote.dll”), which, in turn, injects another payload into memory.

This payload ensures it’s running with administrative privileges, and if not, triggers a User Account Control (UAC) prompt to get the user to run it with elevated permissions. Once launched, it performs checks to avoid executing within analysis and sandboxed environments, and then retrieves a JPG image (“lllyd.jpg”) from a hard-coded server (“204.194.48[.]250”) and stores it as “C:\Windows\background.jpg.” “This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to ‘C:\Program Files\Windows Media Player\nvdaHelperRemote.dll,’” Seqrite Labs explained. “After extracting the payload, the malware copies itself as ‘Mixed Reality.exe’ and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot.” “This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system.” The “Mixed Reality.exe” binary is responsible for deploying two different payloads, one of which is a .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server (“kkxqbh[.]top”).

Exactly who is behind the activity is unclear, but infrastructure analysis indicates the use of IP addresses belonging to ChinaNet, as well as a Chinese-language web management panel exposed by the DCRat command-and-control (C2) server (“223.26.63[.]40”). In addition, Seqrite said it identified infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to tax-themed phishing campaigns that deliver ValleyRAT. Based on these similarities, it’s suspected that the campaign is the work of a China-aligned threat actor conducted with an aim to establish covert access for intelligence collection, credential theft, and systematic data exfiltration, Seqrite concluded. The disclosure comes as LevelBlue said it detected two distinct campaigns that employ fake installers for LINE and phishing emails with salary adjustment lures to distribute ValleyRAT targeting Chinese- and Japanese-speaking users.

The email-driven campaign begins with a malicious email containing a URL link that, when accessed by the recipient, triggers the download of a ZIP archive. The archive acts as a foundation for a DLL side-loading chain, with the DLL ultimately downloading and executing ValleyRAT, a remote access trojan that allows operators to seize control of an infected system. The fake installer attack chain, in contrast, employs bogus installers for popular software to deliver the malware using techniques like PoolParty Variant 7 , while simultaneously focusing on anti-analysis and detection evasion, per Cybereason. Interestingly, the use of PoolParty Variant 7 to inject shellcode into “explorer.exe” has been previously observed in connection with a custom malware loader dubbed SADBRIDGE , which is designed to deploy a Golang-based reimplementation of Quasar RAT known as GOSAR.

The intrusion set, which targeted Chinese-speaking regions with malicious installers for Telegram and Opera, was attributed by Elastic Security Labs to REF3864. “While we don’t have conclusive proof, these commonalities suggest they may have been created by the same threat actor,” Cybereason researcher Hajime Takai noted back in February 2026. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions

Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix , tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it is a way for stolen data to get out, not a way in. In the researchers’ tests, TrojPix hit a peak throughput of 8.1 Mbps and reached as far as 208 meters, the two measured separately rather than together.

Most air-gap covert channels crawl along at bits or kilobits per second; at 8.1 megabits, roughly a megabyte a second, TrojPix could move a 100 MB file in under two minutes. That turns the threat from leaking a password into moving whole files while the monitor looks switched off. Real-world range is another matter: a receiver still has to fight through walls, shielding, and noise. The method, which the researchers call imperceptible pixel modulation , needs no administrator rights and no hardware changes, they say; user-level malware that can draw to the screen is enough.

They describe two ways to hide the traffic. One fakes a powered-off display, keeping the screen dark while it transmits. The other buries the signal in whatever is already on screen, so ordinary-looking content carries the payload. The team reports it is working across nine monitor brands and fifteen video cables, so the result is not tied to one setup.

Turning a video cable into a covert transmitter is not new. It traces back to the decades-old study of compromising emanations, known as TEMPEST, and more recently to work like TEMPEST-LoRa (CCS 2025), which used the same trick to reach off-the-shelf LoRa radios, a common long-range wireless standard. That one topped out at 87.5 meters, or 21.6 kbps. TrojPix’s peak throughput is hundreds of times higher, though the two use different receivers under different conditions, so the numbers are not a head-to-head comparison.

These emission channels remain lab work. The air-gap attacks that have surfaced in the wild, from Stuxnet to Agent.BTZ, crossed the gap on USB drives, not over radio; TrojPix and its kind show what is possible, not what has been caught. Another screen-based channel, PIXHELL, which The Hacker News covered in 2024 , made the display itself emit sound to leak data from an air-gapped PC. Others have pulled data off Ethernet with a planted hardware implant , the kind of hardware change TrojPix avoids.

You cannot patch away the emission itself. The countermeasures are physical and preventive: run video over fiber-optic links, which carry no such signal, rather than copper; shield cables and rooms where the data warrants it, as TEMPEST-rated facilities already do; and above all, keep malware off the machine in the first place, since without that foothold, TrojPix has nothing to send. Once an attacker is inside, a channel this fast can move the data out in the time the screen sits dark. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Cybersecurity researchers have flagged a novel Java-based remote access trojan (RAT) called QuimaRAT that’s capable of targeting Windows, Linux, and macOS environments. According to LevelBlue, the cross-platform malware is advertised under a malware-as-a-service (MaaS) model, costing anywhere between $150 for one month to $1,200 for lifetime access. Other subscription tiers include $300 for three months, $500 for six months, and $700 for twelve months. “Built around a modular architecture, the RAT supports dynamic capability expansion through encrypted plugins that can be delivered, loaded, unloaded, and updated directly from its command-and-control (C2) infrastructure,” the cybersecurity company said in an analysis of the malware.

The malware author also advertises a builder capable of generating multiple output formats, including JAR, EXE, APP, SH, BAT, and VBS, indicating an attempt to help prospective customers package the client tailored for different environments and delivery scenarios. The seller’s post guarantees complete stealth on Windows and Linux, noting there are no visible user interface elements or desktop entries. On macOS, however, the threat actor includes a caveat that certain features like screen capture and input control require “user-granted admin permissions.” Visiting their website, users are greeted by a pop-up message that states the platform “provides offensive security tooling intended exclusively for professional security research, authorized penetration testing, and controlled educational environments,” warning them against using it for “malicious, unauthorized, or illegal purposes.” In all, the threat actor offers four tools - Quima Control (aka QuimaRAT), a remote administration tool with 74 Windows and 46 macOS and Linux modules Quima Builder , a modular builder and launcher toolkit with support for XLL, LNK, VBS, JS, BAT, DOCM, XLSM, MSC, CPL, and CHM file formats Quima Loader , a browser-cache payload delivery service to stage and deliver the malware payload Quima Dropper , an HTML/SVG payload generator Quima Loader, particularly, is noteworthy, as it allows an operator to upload an EXE file through a dedicated panel and select a delivery format (e.g., HTA or LNK) and a landing page template (e.g., fake CAPTCHA check or software update alerts), after which the tool generates a stager link that, when opened by the victim in the browser, initiates the following sequence of actions, per the malware developer - The landing page is loaded, and the payload is fetched and held in the browser cache. A download button appears on the page.

Clicking it saves a “small, clean loader file” that’s trusted by the browser. Target runs the loader, which reads the cached payload. The main payload gets executed on the system, while bypassing SmartScreen protections on Windows. “A RAT, a builder suite, a web loader, and an HTML dropper — each built around what Windows already trusts,” the author behind the Quima suite claims on their website.

“Native execution paths, system-owned resources, clean outputs. AV [antivirus] sees nothing unusual. Neither does the user.” LevelBlue’s analysis suggests that QuimaRAT is organized as a modular Java project built using Apache Maven, while containing embedded Java Native Access (JNA) native libraries for Windows, Linux, and macOS across various architectures. It also decodes and parses an internal configuration file necessary for environment validation, persistence installation, and C2 initialisation.

“These native components allow the RAT to interact directly with low-level operating system APIs through C/C++ code, indicating intentional support for broad multi-platform deployment,” researchers Chen Aviani and Nikita Kazymirskyi said. Before execution, the malware ensures only one instance of the trojan is running on the infected machine at any given point in time. It achieves this by creating a lock file within the operating system’s temporary directory and preventing other processes from using it simultaneously. If it detects that another RAT instance is already holding the lock to the file, it terminates execution.

QuimaRAT is designed to determine the current operating system name, using it to dictate the next course of action, including evading sandboxed and virtual environments, establishing persistence, and serving the main payload. Furthermore, it supports the ability to execute an additional embedded payload or decoy application along with the main RAT process if the functionality, named Binder, is enabled through the configuration. The malware sets up persistence using a variety of operating system-specific methods: Registry Run keys, Scheduled tasks, and the Startup folder for Windows, .desktop autostart entries and crontab reboot tasks for Linux, and a LaunchAgent plist file for macOS. What’s more, the Trojan incorporates an optional Pastebin-based C2 host update mechanism that is controlled via the configuration.

This approach allows the operator to dynamically rotate or replace the C2 infrastructure without having to rebuild and redistribute the payload. The end goal of the QuimaRAT is to establish communication with the C2 server over TCP (or alternately via WebSocket, TLS, and HTTPS) to receive and execute commands. A watchdog component built into the malware ensures that the channel remains active and reconnects to it, if contact is lost with the C2 server. “QuimaRAT maintains an internal shutdown state flag used to control whether the RAT should continue performing networking, reconnect, watchdog, and recovery operations,” the researchers said.

“This mechanism allows QuimaRAT to stop reconnecting, watchdog, and communication recovery operations after shutdown mode is activated.” The malware supports a wide range of capabilities, including remote command execution, remote payload and plugin delivery, credential theft, persistence, file transfer, clipboard manipulation, and webcam surveillance, granting the attacker comprehensive control over an infected system. Besides these conventional features present in most RAT malware, QuimaRAT facilitates fileless shellcode execution on Windows hosts and a resilient communication framework that enables persistent access to compromised hosts. “QuimaRAT should be viewed as a modular Java RAT platform rather than a single static implant,” LevelBlue said. “ProGuard-class obfuscation indicators, Maven Shade relocation, preserved runtime symbols, and synthetic string decryptors further support the assessment that QuimaRAT is designed to rotate static fingerprints without changing its core behavior.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

Researchers found a flaw in Opera GX , the gaming-focused version of the Opera browser, that let a malicious website silently install a browser add-on and use it to lift specific data from the pages a victim visits. In a proof of concept, they reconstructed a signed-in user’s full Gmail address from a single visit, with no click. Opera has patched the flaw and says it found no evidence that it was ever used in the wild. The fix shipped in Opera GX version 130.0.5847.89, so anyone on a current build is already covered; you can confirm yours at opera://about.

There is no CVE. Because the attack needed no clicks or approvals, there was no workaround short of the patch. Opera’s bug bounty team rated the issue P1, its top severity, and paid the maximum $5,000 award for a critical bug. How the attack works GX Mods let you reskin Opera GX with custom sounds, themes, wallpapers, and CSS that restyles the sites you visit.

They ship as .crx files, like browser extensions, but they cannot run JavaScript and hold no permissions. The weakness is in how they install: Opera’s mod pipeline downloads and enables a mod automatically, with no approval prompt. So a malicious page can install one silently, for instance by loading a hidden iframe pointed at a .crx file. The only sign is a notification bar below the address bar telling you a mod was added, with a Remove button.

This auto-install behavior is not new. The researcher Renwa identified it back in 2023 and, by escalating an installed mod into a full extension, used it to spoof the browser’s address bar. Opera patched that specific attack in March 2023 but left the underlying auto-install in place, which is what this new research builds on. A silent look-and-feel mod sounds harmless on its own.

But a mod’s CSS is applied to every page you visit, not just one. Ordinary CSS injection is confined to the page it lands on; here, the attacker’s styling reaches every site the browser opens, a technique the researchers call a universal CSS injection. CSS cannot read a page and send it off on its own. But it can be coaxed into leaking a value one piece at a time.

The trick relies on attribute selectors: a rule can test whether an element’s attribute value, like an email tucked into a hidden field, begins with a given letter, and fetch a background image from the attacker’s server only when it does. Fire enough of these, and you learn the value character by character. Researchers call this an XS-Leak , short for cross-site leak. To pull a Gmail address, the researchers aimed this at a Google account page, myaccount.google.com/contactemail, that carries the address inside three of its HTML attributes.

They packed a mod with roughly 150,000 CSS rules, one set for every possible three-letter piece of the address, and let a reconstruction script stitch the matches back together. They first tried four-letter pieces, which needed 5.6 million rules and about 880 MB of CSS. The browser choked, so they scaled down to three-letter chunks that overlap just enough to reassemble. Chaining it together took only a nudge.

The victim lands on the attacker’s page, the mod installs within seconds, and a few lines of JavaScript then redirect the browser to the Google account page. The mod’s CSS is already loaded there, so it fires the requests and leaks the address as the page renders, before the victim can reach the notice’s Remove button. The Gmail address was just the proof of concept; the same approach can lift other values a page exposes in its markup, like a username. The same auto-install path has a second, cruder use the researchers documented: loading a .crx while in private (Incognito) mode crashes the browser and dumps every open tab.

This one hits regular Opera too, not just Opera GX, since any .crx trips the extension-install pipeline, whatever it contains. Opera’s advisory addresses the data-theft fix and does not mention the crash. Severity and the bigger picture The report almost did not get its due. Opera runs its bounty program on Bugcrowd, and the triage analysts struggled to grasp what the bug did, first rating it a middling P3.

The researchers made their case in an unusually direct way: while an analyst was reproducing the attack, they caught the analyst’s own trigrams, rebuilt the analyst’s Gmail address, and pasted it into the report. Opera’s team then raised the severity to P1 and paid the $5,000 critical-tier maximum. Opera’s own account is more measured. In its advisory , the company says it is “quite confident” the flaw was never exploited in the wild, and frames the attack as complicated to pull off: the victim had to land on a malicious site, end up with a fresh mod, and ignore the removal notice long enough for the redirect to fire.

The researchers’ demo is the counterweight. Their redirect runs in the seconds before a user can even read the notice, let alone click Remove. It was a narrow, fiddly attack that Opera found no trace of in the wild, and it still worked with zero clicks once it was set up. The risk here was never the cosmetic feature by itself.

It was reach. Once a mod’s CSS could follow you from one site to the next, “just styling” turned out to be plenty. That is the twist on a familiar idea: CSS-only theft usually stays trapped on the page where it is injected, as in PortSwigger’s Blind CSS Exfiltration research, but here it rode along on every site the victim opened. It is also not the first Opera feature turned against its users; The Hacker News covered the 2024 MyFlaw bug in Opera’s My Flow, and Opera had been warned about this very auto-install behavior since 2023.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing

Scanners meant to catch malicious add-on “skills” for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the disguised skills the scanners miss. Skills are small packages, usually a Markdown instruction file plus a few scripts, that agents such as Claude Code, OpenAI Codex, and OpenClaw load to pick up a new capability. Because a skill is just a bundle of files, the same one can run across different agents.

And it runs with the agent’s own access: your files, your terminal, your saved passwords. A bad one can steal credentials, copy source code, or install a backdoor. Most of what a public marketplace lists is uploaded by strangers with little vetting. The main defense so far has been the skill scanner, which reads a skill’s files before you install it and blocks anything that looks dangerous.

The paper, titled “ Cloak and Detonate ,” tests whether that actually holds up. It does not. Beating scanners isn’t new, though. The Hacker News has covered researchers pushing a fake skill past every scanner it faced , which by the firm’s own count reached tens of thousands of agents.

What this paper adds is a way to do it systematically, at scale, and a defense that still works when it does. How the disguised skills get through The researchers’ tool, SKILLCLOAK , rewrites a malicious skill to look clean while behaving exactly the same. It works two ways. The lighter one rewrites the give-away bytes a scanner keys on, using the paper’s own operators: swap a character for a look-alike from another alphabet, or split a flagged command across a newline, so the scanner’s pattern no longer matches but the command still runs.

The heavier one, self-extracting packing, moves the whole payload into a directory the scanner skips, like .git/, behind a harmless-looking decoder that rebuilds the skill only when the agent runs it. Scanners skip such directories to save time and cut false alarms, which is exactly the blind spot the trick exploits. Across eight scanners and 1,613 real malicious skills pulled from ClawHub, a public marketplace, the packing trick got past each of the eight more than 90% of the time, and past most of them more than 99%. The lighter rewriting cleared more than 80% on most scanners and 96% on one.

And the disguise costs the attacker almost nothing: on Claude Code and OpenAI Codex, the cloaked skills worked just as well as the originals. Watching what a skill does, not how it looks Since appearance can be faked, the researchers propose checking behavior instead, in a tool they call SKILLDETONATE . It runs the skill in a sandbox and watches what it does at the operating-system level: what it reads, what it writes, where it sends data. Two ideas make it work for agents.

It tracks sensitive data by where it flows rather than what it looks like, so base64 or encryption doesn’t throw it off. And it runs the instructions a skill builds only at runtime, which is exactly where the packing trick hides its payload. In a controlled test, the checker caught 97% of attacks while wrongly flagging 2% of safe skills, a lower false-alarm rate than the scanners it beats, and it held steady when the skills were cloaked. On real-world malicious skills, it caught 87%.

Cisco’s scanner, the strongest tested, went the other way: it caught 99% of the real-world skills before cloaking and about 10% after. The catch is speed, a couple of minutes per skill against a scanner’s few seconds, though it runs once, before a skill goes live. The work is a preprint and hasn’t yet been peer-reviewed; the researchers have released their code. Already happening in the wild None of this is hypothetical.

Public marketplaces are already full of malicious skills that scanners are not stopping: Bitdefender found roughly 17% of the skills it checked on one marketplace carried hidden malicious code, and Koi Security counted 341 in a single campaign it called ClawHavoc, as THN reported , later 824 as the marketplace grew. Some use the paper’s exact tricks. Of five evasive skills Unit 42 found still live on ClawHub despite its built-in scanning , one, omnicogg, padded its README with 22 MB of junk to slip past the scanner’s size cap, the same size-padding operator the paper tests. Two more delivered Mac password-stealers, and two hijacked the agent’s financial advice to push affiliate links and rig meme-coin launches.

The runtime gap shows up outside skill marketplaces, too. A clean-looking GitHub repository recently led Claude Code to open a reverse shell on the developer’s own machine, handing the attacker remote control. The malicious code was never in the repo; the setup script fetched it at runtime from a DNS record, so a static scan had nothing to catch. Mozilla’s 0DIN team traced the chain.

A related failure hits the tool descriptions that agents read through the Model Context Protocol. Microsoft warned that a poisoned description, changed after the tool was approved, quietly pushed a finance agent into leaking unpaid invoices . The mechanism is different, but the broken assumption is the same: that what passed review is what runs. A few limits are worth stating plainly.

No one has yet caught attackers using these exact packing tricks at scale; the real-world cases here are adjacent evasions, not SKILLCLOAK itself. The runtime checker is a research prototype, strong in the lab but untested on a live marketplace or under an attacker actively trying to evade it. And every performance number is the authors’ own, from a paper that has not been peer-reviewed. The direction is well-evidenced; the specific figures deserve the usual caution owed to a single group’s early work.

That is the real lesson, and it is where a growing line of work is converging. A scanner judges a skill by how it looks when it is submitted, but the malicious behavior only shows up once the skill runs, after the scan has passed. So the trust decision has to move from the marketplace gate to the machine where the skill executes. What to hunt for?

The paper’s evasions leave signs a defender can look for, even on a skill that passed a scan: Large or high-entropy files tucked in directories a scanner tends to skip, such as .git/ or build/ . Skills that unpack or assemble code only when they run, rather than shipping it in plain sight. Files padded well past a sensible size, the trick that slips a skill under a scanner’s size cap. None of these is proof on its own.

They are cheap first flags, not a verdict. For teams using coding agents, that makes a “passed the scan” badge a starting point, not a guarantee. Keep static scanning as cheap hygiene, but watch what a skill does when it runs: the files it touches, the commands it runs, and where it sends data. The paper offers concrete stopgaps too, like hashing a skill when it is scanned and re-checking before each run to catch payloads that unpack later, and flagging skills that ship opaque blobs in ignored folders or pad files past a size cap.

None of those close the gap on their own, which is the point: the durable defense is watching behavior at runtime. Beyond that, install only from a vetted source, give agents the least access they need, and don’t run them on machines that hold the secrets worth stealing. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC , built on a leaked negotiation chat and the blockchain trail the payment left. The odd part: the group that took the money calls itself Kairos , but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single machine: no encryptor, no locker, no demand for a decryption key.

The threat was simpler. Steal the files, then charge the victim not to publish them. Krishnan does not name the victim, but the chat points to Union County, Ohio. The proof-of-theft files carry names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar.

The victim calls itself a small county with limited resources. The attacker leans on one folder in particular, marked “prosecutors office,” warning that leaking it would help criminals dodge charges. The clues fit a real case. In May 2025, Union County, Ohio, said it detected ransomware on its network and later notified 45,487 residents and staff that their data had been taken, affecting most of the county of roughly 70,000.

The stolen records ran from Social Security and financial details to fingerprints and passport numbers. Neither the county nor Kairos has confirmed the connection. But if it holds, a county government paid about $1 million it never publicly disclosed. The Hacker News has contacted the Union County Commissioners’ Office for comment.

This story will be updated with any response. The negotiation ran for about a month. Kairos opened at $3 million and claimed it was holding more than 2 terabytes of data, some 1.6 million files. The county started at $100,000, crept up to $255,000, then $430,000.

Kairos dropped to $2 million, then set a hard final number: $1 million, pay by Friday, or the files go public. The payment on-chain: about 9.44 BTC lands in the Kairos-linked wallet. It used the usual levers: a countdown timer, tight deadlines, and threats to dump the most sensitive folders first. The county paid on June 13, 2025, ten times its first offer.

The payment was roughly 9.44 bitcoin, worth about $1 million at the time. Krishnan traced the money from there. Within hours, it was split in two and pushed through a chain of wallets toward deposit addresses tied to the crypto exchanges Bybit, OKX, and a Russian service called BELQI. That kind of tracing hands investigators leads, not names.

And the money bought nothing solid. Kairos sent over a “proof of deletion” file, but a list of file names shows only that the attacker once had the files, not that the originals were wiped. Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief. Union County called what happened to it ransomware, the word everyone reaches for, but in the Kairos case, nothing was locked.

That is the real shift: much of what still gets called ransomware now skips encryption and uses the stolen data itself as the pressure point. Sophos reported in 2025 that only about half of ransomware attacks still involve any encryption, the lowest rate in six years. Some crews have dropped it entirely. Silent Ransom Group , a Conti offshoot, has spent years running pure data-theft extortion against U.S.

law and finance firms with no encryptor at all. The Kairos chat fits a familiar negotiation pattern, too. When Black Basta’s internal chats leaked in February 2025, an analysis of the messages turned up a deal that ran from a $1.5 million demand to a $100,000 counter to a $1 million payment, almost the same arc. Those chats, and the Conti leaks before them in 2022, are how researchers now reconstruct the way these bargains actually get struck.

Kairos itself has gone quiet. The leak site is down, and its last known victim showed up in June 2026. But a wallet tied to the operation was still moving money as recently as May 2026, a reminder that a dark leak site is not the same as a dead crew. For anyone running a small government network, the lessons are dull and familiar, which is rather the point.

Turn on multi-factor authentication, since Kairos claimed it got in by simply guessing a password. Watch for repeated failed logins, large outbound data transfers, and burner file-sharing links like the temp.sh addresses Kairos used to move the files. Keep legal, HR, and citizen records walled off from the rest of the network. Have a public statement plan ready before you need one.

And treat any promise to delete stolen data as worth exactly nothing. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider . “The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access,” Socket security researcher Karlo Zanki said in an analysis published this week. The 162 malicious release artifacts span multiple release versions corresponding to 108 unique packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. Contagious Interview is the moniker assigned to a North Korea-aligned campaign that weaponizes job recruitment to target software developers and individuals working in the cryptocurrency sectors, using persuasive job interviews and assessments to trick them into executing malicious code.

The activity is known to be active since at least 2023. Attackers masquerade as recruiters or collaborators on platforms like LinkedIn, GitHub, or freelance websites, often setting up elaborate front companies and AI-generated employee profiles to build trust and ultimately deliver malware. PolinRider was first flagged by the OpenSourceMalware team in March 2026, describing it as involving the threat actors implanting malicious obfuscated JavaScript payloads in hundreds of public GitHub repositories belonging to several unique owners to deliver a new variant of BeaverTail, a known JavaScript malware associated with Contagious Interview. As of April 11, 2026, the activity has compromised 1,951 public GitHub repositories associated with 1,047 unique owners, while also merging with another cluster called TaskJacker that drops malicious VS Code task files into GitHub users’ existing repositories.

The VS Code tasks include the “runOn: ‘folderOpen’” option to trigger the execution of arbitrary code when the folder is opened as a workspace folder in an IDE like VS Code or Cursor. “The threat actor is not using stolen GitHub credentials,” OpenSourceMalware said. “Instead, the victims have been compromised via a malicious VS Code extension or npm package.” It’s believed that the attackers are taking over maintainer accounts, likely through expired domain takeover or another account recovery path, to pull off the scheme. Once executed, the malware searches the infected computer for certain files like “postcss.config.mjs,” “tailwind.config.js,” “eslint.config.mjs,” next.config.mjs,” babel.config.js,” and “app.js,” and, if found, appends malicious JavaScript code to them.

It also makes use of a Windows batch script to stealthily modify the last commit, while making it appear as if they were made by the original author. It’s suspected that similar tools are being utilized to rewrite Git history for other operating systems like Linux and macOS. “The core tradecraft remains consistent across the campaign: threat actors plant obfuscated JavaScript loaders in legitimate repositories, conceal the code through whitespace padding or fake .woff2 font files, and trigger execution through developer tooling such as VS Code task files,” Socket said. In the latest wave, the payload functions as a JavaScript malware loader that reaches out to blockchain infrastructure, including TRON, Aptos, and BNB Smart Chain services, to fetch an encrypted second-stage payload that unpacks to DEV#POPPER RAT and OmniStealer.

This attack chain was detailed by eSentire in March 2026. “The threat actors use Git history rewriting, including force pushes and anti-dated commits to make malicious changes appear older and less suspicious,” Zanki said. “This makes the GitHub landing page and visible commit history unreliable indicators of compromise; defenders should review repository activity logs, package release metadata, VS Code task configuration, and suspicious changes to configuration files.” The development comes as JFrog uncovered a cluster of npm packages linked to Contagious Interview, some of which masqueraded as Rollup polyfill tools to enable remote access and data theft. Earlier this week, another set of npm packages and Go packages was identified as incorporating VS Code auto-run tasks to run JavaScript payloads disguised as fake font files, indicating tactical overlaps between Fake Font, TaskJacker, and PolinRider.

Users who have installed these packages should treat the environment as compromised, rotate exposed secrets from a clean machine, remove affected versions and rebuild from a known good lockfile, and audit developer workstations and repositories for hidden execution paths or suspicious commits that have modified “.vscode/tasks.json,” “config.js,” “vite.config.js,” and “eslint.config.js” files. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.