itsnetsec

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

Google DeepMind dropped a paper that should scare every agent builder. It's the first systematic framework for a threat that barely existed two years ago: adversarial content engineered to hijack AI agents browsing the web. They call them AI Agent Traps. The paper maps six distinct attack surfaces. 1) Content Injection Traps (perception) Invisible CSS, hidden HTML, steganographic payloads inside images. The agent parses it, humans never see it. One study showed simple HTML injections hijack web agents in up to 86% of scenarios. 2) Semantic Manipulation Traps (reasoning) No overt commands. Just biased phrasing, framing, and contextual priming that skew the agent's synthesis. LLMs inherit human cognitive biases, and attackers can weaponize every one of them. 3) Cognitive State Traps (memory and learning) Poison the RAG corpus. Corrupt long-term memory. One study achieved over 80% attack success with less than 0.1% poisoned data. 4) Behavioural Control Traps (action) Jailbreaks embedded in external resources. Data exfiltration prompts hidden in emails. Sub-agent spawning that tricks an orchestrator into instantiating attacker-controlled agents inside the trusted control flow. 5) Systemic Traps (multi-agent dynamics) This is where it gets scary. A single fake news headline could trigger a synchronized sell-off. A compositional fragment trap splits a payload across sources, so each fragment looks benign until agents aggregate them. 6) Human-in-the-Loop Traps The agent becomes the vector. The target is you. Invisible prompt injections have already caused summarization tools to faithfully repeat ransomware commands as "fix" instructions. The core insight is uncomfortable. By altering the environment instead of the model, attackers weaponize the agent's own capabilities against it. Training-time defenses cannot solve an inference-time problem. The paper closes by calling for automated red-teaming that can probe these vulnerabilities at scale. That same shift is already happening on the offense side. Strix is an open-source project doing exactly this for web apps. AI agents that act like real hackers, running your code dynamically, finding vulnerabilities, and validating them with actual proof-of-concepts. 24k stars on GitHub. Apache 2.0 licensed. The agents writing your code need to be tested by agents trying to break it. I've shared the link to the paper and Strix GitHub repo in the replies

> Not really real ShinyHunters > Claims to have compromised Vercel > Real ShinyHunters say "wtf that's not me" > Impersonator ShinyHunters says stole source code, customer data, databases etc > Vercel makes security bulletin > Announces compromise > Real ShinyHunters "wtf that's not us tho fr" 1. WHO EXTORTS SOMEONE ON A SUNDAY 2. 200iq move to blame ShinyHunters for compromise 3. 400iq move if ShinyHunters made fork of ShinyHunters claiming to be impersonator ShinyHunters to convince everyone the fake ShinyHunters are impersonating ShinyHunters, but it was actually ShinyHunters being the fake ShinyHunters all along 4. Lots of cybercrime drama right now, but ITS SUNDAY. Dawg, WAIT UNTIL LIKE TUESDAY OR SOMETHING. Smdh

I'd like to apologize to my colleagues for not sharing the IoCs. Portable HWMonitor Installer (1.63): 3d91f442ddc055e19e3710482e1605836c799249dacd43d99843257a3affd2d2 Fake CRYPTBASE.dll: a27df06c7167eced1ddaeb8adccaa5f60500f52bc7030389eed2a0903cdf8286 Trojanized HWMonitor: 02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b Can't remember what this file did: 4547f3c7854413f9ae0806c51564684b796399bea0511a8b6c4d63a136c8ad56 Can't remember what this file did (1): f633b48d5281709bcf3b1d8f54703792e51bb38ab507e9caa9c2fbe79b78aa53 Can't remember what this file did (2): 058f45b11fdd43ef51571577ec2ed9bcabe039a6615d05900aeb3655e9cec7e9 .cs file: 788d3f14ff6a701b114e0b40990379c0302e26c1bbbce22a7ee5c872c7df1d1f .NET assembly: 47c17003d58cd609bff8ab788b51803b3b0de0648b40cd4e5591948298914753 C2: https://welcome[.]supp0v3[.]com/d/callback

1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions. I spent long hours going through all of it, none of which has ever been publicly released. It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion. Enjoy the findings!