Microsoft attributes the Mastra npm supply chain compromise to Sapphire Sleet, a North Korean actor that primarily targets the financial sector. Microsoft has observed use of known Sapphire Sleet infrastructure, malware, and tactics following compromise. https://t.co/0IzxvgA4dS
Research into AutoGen Studio identified an attack chain that could allow attacker-controlled web content rendered by a browsing agent to trigger arbitrary process execution on the host. https://t.co/6DTIlyi1ib
The technique, which we call “AutoJack”, demonstrates a broader pattern in agent security: when an AI agent can browse untrusted content and interact with privileged local services, localhost could become an attack surface rather than a trust boundary.
The issue was reported and addressed during development, and the affected surface was never included in a PyPI release. As AI agents gain access to browsers, tools, and local services, control planes must be authenticated, authorized, and isolated.
Learn more and get mitigation and hunting guidance that defenders can use to assess similar risks across agent frameworks in this blog post from the Microsoft Defender Research team.
Microsoft has published an in-depth breakdown of the Mastra npm supply chain compromise, including a detailed analysis of the second-stage payload. Read the blog to get IOCs, along with recommendations for mitigation, detection, and hunting. https://t.co/N2DdLqHsKg
Since February 2026, Microsoft Defender Experts have tracked a cryptocurrency clipper campaign that combines clipboard theft, wallet address replacement, worm-like functionality, and Tor-based communications, enabling both financial gain and continued access to devices. https://t.co/tngq6Gmx30
This campaign uses malicious .lnk files to deliver a worm and a script-based stealer. Upon execution, the clipper deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.
Due to the nature of this attack chain, defenders should hunt for correlated behaviors rather than investigate isolated events. Read our latest blog to get our full analysis, as well as detection and mitigation guidance to help security teams investigate and contain similar activity in enterprise environments.
In this episode of the Microsoft Threat Intelligence Podcast, Sherrod DeGrippo joins Aurora Johnson of SpyCloud & Amitai Cohen of Wiz to discuss their Sleuthcon talks on two rapidly evolving threats: software supply chain threats and smishing ecosystems. https://t.co/ohcYX3XoBM
Smishing ecosystems operate as complex service-based economies, like a cybercrime sub-culture with specialized roles dedicated to phishing panels, infrastructure, and monetization. These attacks leverage bulk messaging platforms and advanced cash-out techniques like NFC relay to scale fraud globally.
Meanwhile, software supply chain attacks exploit poor configurations, over-reliance on auto-updates, and vulnerabilities in CI/CD workflows to compromise widely used packages. Defenders are grappling with “spaghetti dependencies” that allow malicious packages to spread rapidly.
Both topics emphasize how cybercrime operates like a mature business that is highly collaborative, scalable, and accelerated by AI. Defenders must focus on fundamentals like security configurations and adding guardrails like dependency pinning and controlled updates.
Microsoft has identified a supply chain attack on the Mastra-AI npm ecosystem, with 80+ packages compromised through npm account takeover. The attacker introduced a phantom dependency into the compromised packages. The malicious dependency was published by a single anonymous maintainer less than 24 hours ago.
The compromised [email protected] adds the dependency easy-day-js@^1.11.21 (typosquat of "dayjs"), which resolves to v1.11.22. The post-install script runs node setup.cjs, which downloads and executes a remote payload.
The post-install script in [email protected]:
1. Bypasses TLS: Disables SSL verification (NODE_TLS_REJECT_UNAUTHORIZED=0) to communicate with attacker C2 without certificate errors
2. Writes tracking files: Creates ~/.pkg_history (infected machine path) and ~/.pkg_logs (XOR-encoded marker) to prevent re-infection
3. Downloads hidden payload: Fetches second-stage .js from 23[.]254[.]164[.]92:8000/update/49890878
4. Executes as invisible process: Spawns downloaded payload with C2 endpoint 23[.]254[.]164[.]123:443 passed as argument, runs detached and hidden (windowsHide=true)
5. Covers tracks: Deletes setup.cjs to remove all evidence of initial infection
This attack affects [email protected], mastra/pg, mastra/mcp, mastra/schema-compat, mastra/ai-sdk, mastra/rag, and 80+ other packages.
Microsoft Defender for Endpoint customers should monitor and act on alerts with Trojan:JS/ObfusNpmJs in the title. Customers can also check for the following IOCs:
- ls ~/.pkg_history ~/.pkg_logs
- random .js files in home/temp directory
Users are advised to downgrade to previous versions immediately, use [email protected] explicitly, and use lockfiles.
Microsoft Threat Intelligence continues to observe Sapphire Sleet refining their macOS intrusion tactics, following the same previously documented core attack chain, but with a new Teams‑themed lure. https://t.co/1Gtyc7X8Zz
Along with the lure, the new activity also uses updated infrastructure and component naming while maintaining the same user-driven execution model: tricking users into executing trusted system tools to enable credential theft, persistence, and data exfiltration without exploiting vulnerabilities.
We updated our blog to highlight the new Sapphire Sleet campaign, and expanded Microsoft Defender detections and hunting queries to help organizations defend against this new activity.
Threat actors are increasingly exploiting the hype around AI as social engineering lure in phishing, malvertising, and search-driven attacks. By impersonating trusted tools and services, they capitalize on user curiosity and urgency to improve success rates. https://t.co/JTlA2xUWdK
Despite using hooks tied to new technologies, these campaigns combine familiar techniques like multi-stage redirects, abuse of legitimate infrastructure, and interaction-based evasion to enable credential theft, financial fraud, or malware infection.
Read the latest Microsoft Defender Research blog to get an analysis of some of these campaigns and guidance for detecting, mitigating, and responding to these threats.
Microsoft discovered that Anthropic's Claude Code GitHub Action could expose CI/CD workflow secrets when AI agents process untrusted content, including issue bodies, pull request descriptions, and comments. https://t.co/EFDooX4EjU
Following our disclosure, Anthropic mitigated this issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files.
Read the blog for details from our research, along with practical guidance for reducing prompt injection, over-permissive tooling, and secret exposure risks in agentic CI/CD workflows.
Attackers are targeting open-source software ecosystems at scale, using coordinated and repeatable approaches that take advantage of dependency chains and maintainer trust models to distribute malicious packages across widely used registries. https://t.co/Gh6lgCtIHM
The use of AI is reducing barriers to entry, enabling high‑volume package creation and faster iteration of malicious code. At the same time, shifts in coding patterns and tooling behaviors can provide defenders with signals to better identify and track adversary activity.
These campaigns increasingly focus on the software supply chain itself, targeting the tools, libraries, and pipelines used to build and distribute applications. As a result, a single compromised component can propagate across complex dependency trees and significantly expand impact.
Learn more from Microsoft Security’s Allie Luhrs and Mario Samolis from their talk at this year’s Blue Hat USA on the Microsoft Threat Intelligence Podcast, hosted by Sherrod DeGrippo.
Microsoft has published an analysis of the npm supply chain compromise affecting 32 maliciously modified packages across >90 versions under the redhat-cloud-services npm scope, leading to credential theft and compromise of additional maintainer packages: https://t.co/CpFa3iDGL0
Microsoft has identified an npm supply chain compromise impacting 90+ redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes.
Each compromised package adds a malicious preinstall hook to package.json that silently executes “node index.js” during installation; the bundled index.js downloads Bun and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, turning it into a heavily obfuscated ROT-9 eval loader.
If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
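As an added defender-side example (not Microsoft's, Mastra's, or npm's code), the following Node.js script audits package manifests for the indicators described in both the Mastra and the redhat-cloud-services posts: a lifecycle hook that runs a bundled node script, the easy-day-js dependency, an oversized entry point, and TLS verification disabled. The sample tree, the size threshold, and the names benign-lib and compromised-framework-pkg are constructed; the remaining names, versions and hook commands are taken from the posts.

```javascript
// Added example, not Microsoft's, Mastra's or npm's code: audit installed package manifests for
// the install-hook indicators the posts describe (a lifecycle hook running a bundled node script,
// a known typosquat dependency, an oversized entry point, TLS verification disabled).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
const KNOWN_BAD_DEPS = new Set(['easy-day-js']); // from the posts; feed this from your own intel
const SUSPICIOUS_ENTRY_BYTES = 1024 * 1024; // assumed threshold; the worm grew index.js to ~4.3 MB
const NODE_LOCAL_SCRIPT = /\bnode\s+\S+\.c?js\b/; // heuristic: "node setup.cjs", "node index.js"
const TLS_BYPASS = /NODE_TLS_REJECT_UNAUTHORIZED\W*0/;
// pkg = { manifest: parsed package.json, entryBytes: size of the entry file, scriptSource?: hook text }
function auditPackage(name, pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook] && NODE_LOCAL_SCRIPT.test(scripts[hook])) {
      findings.push(`${name}: ${hook} hook runs a local script ("${scripts[hook]}")`);
    }
  }
  for (const dep of Object.keys(pkg.manifest.dependencies || {})) {
    if (KNOWN_BAD_DEPS.has(dep)) findings.push(`${name}: depends on known-malicious ${dep}`);
  }
  if (pkg.entryBytes > SUSPICIOUS_ENTRY_BYTES) {
    findings.push(`${name}: entry point is ${pkg.entryBytes} bytes (possible embedded loader)`);
  }
  if (pkg.scriptSource && TLS_BYPASS.test(pkg.scriptSource)) {
    findings.push(`${name}: install script disables TLS certificate verification`);
  }
  return findings;
}

// tree = { packageName: pkg }, as built by walking node_modules/**/package.json
function auditTree(tree) {
  return Object.entries(tree).flatMap(([name, pkg]) => auditPackage(name, pkg));
}

// Constructed sample tree mirroring the two campaigns; sizes, sources and the first two names are made up.
const SAMPLE_TREE = {
  'benign-lib': { manifest: { dependencies: { dayjs: '^1.11.0' } }, entryBytes: 8192 },
  'compromised-framework-pkg': { manifest: { dependencies: { 'easy-day-js': '^1.11.21' } }, entryBytes: 8192 },
  'easy-day-js': {
    manifest: { version: '1.11.22', scripts: { postinstall: 'node setup.cjs' } },
    entryBytes: 2048,
    scriptSource: "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
  },
  '@redhat-cloud-services/patch-client': {
    manifest: { version: '4.0.4', scripts: { preinstall: 'node index.js' } },
    entryBytes: 4300000,
  },
};
for (const finding of auditTree(SAMPLE_TREE)) console.log(finding);
```

Any finding is a prompt for review rather than proof of compromise: legitimate packages also run build steps from lifecycle hooks, so compare flagged packages against the lockfile and the versions named in the posts.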
Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing a dependency confusion technique to deploy a reconnaissance payload. https://t.co/z2GjRIAyYS
A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate.
Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.
Microsoft has identified an active supply chain attack using typosquatted npm packages to steal cloud and CI/CD secrets. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj published 14 malicious packages within a 4-hour window. https://t.co/jC3f2m6EBp
The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate.
Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment. Read the blog from the Microsoft Defender Research team for an in-depth analysis, as well as mitigation, detection, and hunting guidance.
Learn more about The Gentlemen ransomware encryptor and its self-propagating capabilities and get detections, mitigation and hunting guidance, and indicators of compromise (IOCs) from this Microsoft Threat Intelligence blog post.
The Gentlemen ransomware, a ransomware-as-a-service (RaaS) platform managed and operated by a threat actor that Microsoft Threat Intelligence tracks as Storm-2697, enables attacks at scale conducted by affiliates. https://t.co/QUUyt0AYc6
The Gentlemen RaaS employs double extortion, encrypting and exfiltrating data to pressure victims, and targets organizations across industries and global regions. Its Go-based design, defense evasion, and redundant execution paths highlight an emphasis on reliability and impact.