NEW#08541 day ago8 min▤RecapJun 29 – Jul 6
Token Theft and AI Poisoning Redefine the Perimeter
Attackers are shifting from breaking passwords to stealing active login sessions, bypassing multi-factor authentication entirely. This week, ARToken and ConsentFix exploited Microsoft 365 OAuth flows to hijack accounts, while Anubis ransomware used the ongoing CitrixBleed 2 vulnerability to steal session tokens from network gateways. Even a standard user can become a Global Administrator in minutes if identity settings are loose, as demonstrated by a recent M365 privilege escalation analysis.
Simultaneously, artificial intelligence systems have evolved from helper tools to critical vulnerabilities, serving as both the weapon and the target. Threat actors are using AI to generate malware like InfernoGrabber v9.0 and BusySnake Stealer, while also poisoning AI agent ecosystems with malicious skills like OpenClaw and tricking AI models into executing financial fraud via indirect prompt injection. The AI arms race has accelerated breakout times to under 30 minutes, with state-sponsored groups like GTG-1002 now orchestrating entire espionage campaigns via AI.
Defenders must immediately audit identity and session controls, treating session tokens as highly sensitive credentials. Security teams should also implement guardrails for AI agents, verifying external URLs and restricting autonomous financial or code execution actions.
NEW#0853
Canadian Centre for Cyber Security3 days ago6 min▣LLM reporthigh The Canadian Centre for Cyber Security issued advisory AV26-649 referencing WatchGuard security advisories published on July 2, 2026. The advisories cover a race condition and use-after-free vulnerability in Mobile VPN with IKEv2 LDAP Authentication on Firebox appliances, as well as a local privilege escalation in the Mobile VPN with SSL Windows client. Multiple Fireware OS branches and the Windows VPN client are affected through several recent versions. No CVE IDs, exploit details, or IOCs are provided in the advisory digest.
NEW#0852KKaspersky4 days ago16 min▣LLM reporthigh The Armored Likho APT group deploys a previously undocumented Python-based infostealer called BusySnake Stealer against government agencies and electric power sector organizations in Russia, Brazil, and Kazakhstan. The malware uses PyArmor Pro obfuscation, AI-generated first-stage loaders hosted on GitHub, and a modular C2 architecture to steal browser credentials, cookies, cryptocurrency wallets, 2FA secrets, Telegram data, and screenshots. The campaign demonstrates evolving TTPs including in-memory Python script execution, COM-based scheduled task persistence, and integrated reverse SSH tunneling that receives keys directly from the C2 server.
NEW#0851
Zscaler ThreatLabz4 days ago9 min▣LLM reportmedium Zscaler ThreatLabz identified two campaigns leveraging Indirect Prompt Injection (IPI) to manipulate AI agents via malicious websites. The first campaign uses SEO poisoning and hidden IPI instructions on a fraudulent API documentation site to trick AI agents into sending cryptocurrency payments for a fake API key. The second campaign uses a typosquatting domain (debank.auction) with hidden prompt injection to misclassify the fraudulent site as the legitimate DeBank platform. Testing across 26 LLMs showed 4 models vulnerable to the payment scam and 2 models susceptible to misclassification, demonstrating measurable real-world impact that varies by model and context.
NEW#0850
Mandiant4 days ago8 min▣LLM reporthigh Google, in coordination with the FBI and Lumen, disrupted the NetNut residential proxy network (aka Popa), which is estimated to comprise at least 2 million consumer devices enrolled as proxy exit nodes via malicious SDKs embedded in apps and firmware. The network was used by 316 distinct threat clusters in a single week for masking origin IPs, password spraying, and other malicious activity. Google disabled associated C2 accounts, shared intelligence with partners, and enabled Google Play Protect to warn users about apps containing NetNut SDKs.
NEW#0849WWatchtowr4 days ago10 min▣LLM reportcritical Adobe ColdFusion security bulletin APSB26-68 patches 11 CVEs across ColdFusion 2025 and 2023, including critical arbitrary file read/write vulnerabilities in the RDS module and a path traversal in the CKEditor file manager upload endpoint. When RDS is enabled with authentication disabled, attackers can use the simple length-prefixed RDS RPC protocol to read or write arbitrary files, achieving remote code execution as SYSTEM by deploying a CFML webshell. A separate unauthenticated path traversal in the CKEditor file manager allows file uploads to arbitrary directories, also executing as SYSTEM.
NEW#0848
Socket4 days ago16 min▣LLM reportcritical A new wave of the Mini Shai-Hulud/Miasma/Hades supply chain attack campaign has compromised 23 npm packages across the LeoPlatform and RStreams ecosystems, plus the Verana Blockchain Go module. The attack uses binding.gyp install-time execution (Phantom Gyp pattern) to trigger multi-stage obfuscated JavaScript loaders that decrypt AES-GCM payloads, stage execution through Bun to evade Node.js security hooks, and steal developer/CI/CD credentials including npm, GitHub, cloud, and AI-agent tokens. The campaign also poisons GitHub Actions workflows and plants persistence hooks in AI coding assistant configurations, creating delayed execution surfaces that survive package remediation.
NEW#0847
SentinelOne4 days ago4 min▣LLM reportlow SentinelLABS evaluated OpenAI's native compaction feature in the Responses API for automated binary analysis workflows. Compaction reduced input tokens by approximately 86% with no aggregate score degradation, but domain object modeling quality decreased, indicating that structural reasoning can be flattened during context compression. The research advocates for a context-engineering strategy that separates compacted working memory from durable artifact storage and treats compaction as lossy until validated.
NEW#0846
Canadian Centre for Cyber Security4 days ago7 min▣LLM reportcritical A critical deserialization vulnerability (CVE-2026-45659) in Microsoft SharePoint Server is being actively exploited, enabling remote code execution by low-privileged attackers. The flaw affects SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition, with fixed versions available. CISA added this CVE to its KEV catalog on July 1, 2026, and the Canadian Cyber Centre urges immediate patching, especially for internet-exposed on-premises deployments.
NEW#0845
Trail of Bits5 days ago6 min▣LLM reporthigh Trail of Bits and OpenAI's Patch the Planet initiative used GPT-5.5-Cyber to autonomously build a bespoke fuzzing harness for zlib in a single day, discovering multiple vulnerabilities now undergoing coordinated disclosure. The model independently chose dynamic fuzzing over static review, wrote C/C++ harnesses across a dozen entrypoints, used ASan/UBSan builds and compile-time variants, and demonstrated disciplined reporting by filtering out unreachable crashes. This represents a significant shift in the threat model: the expertise barrier for bespoke fuzzing has collapsed, making large-scale vulnerability discovery accessible to both skilled researchers and low-skill attackers.
NEW#0844KKaspersky5 days ago16 min▣LLM reporthigh Kaspersky's 2025 compromise assessment report reveals that organizations consistently fail to detect long-dwelling threats, with 30.8% of incidents persisting over 3 months and 52% of high-severity compromises going undetected for 90+ days. Key findings include widespread abuse of LoLBins and remote management tools in every incident-bearing engagement, 40% of web shells surviving in backups to be restored post-remediation, and a strong correlation between in-house forensics/reverse-engineering capability and reduced incident severity. Multiple case studies document dormant crypto-mining on domain controllers (4 years), in-memory LionTail implants on critical servers, PurpleFox rootkit infections evading EDR with disabled memory scanning, and ClipBanker persistence via registry Run keys with Defender exclusions.
NEW#0843EEclecticiq5 days ago10 min▣LLM reporthigh AI is not fundamentally changing adversary capabilities but is compressing attack timelines, lowering operational costs, and scaling existing tactics. Breakout times have dropped to an average of 29 minutes, with AI-enabled operations increasing 89% year-on-year. The most significant emerging threats are runtime-LLM malware (PROMPTSTEAL/LAMEHUG, QUIETVAULT) that query language models during execution, and agentic AI operations (GTG-1002) where AI agents conduct multi-stage intrusions with minimal human steering. Defenders face a dual pressure: faster attacks and an expanding attack surface from AI supply-chain dependencies.
NEW#0842
Socket5 days ago11 min▣LLM reporthigh Malicious Chrome and Firefox browser extensions masquerading as free VPN tools ('VPN Go: Free VPN') were distributed via official extension marketplaces and later updated to include clipboard-stealing functionality. The extensions monitor clipboard contents on a timer, chunk copied text into ~1000-character segments, and exfiltrate data via HTTP GET requests to hardcoded attacker-controlled IP addresses using a /html/continue.php endpoint with uid, part, total, and data query parameters. Both extensions share infrastructure, code patterns, and build artifacts, confirming a common threat actor. The staged update pattern—initial versions functioning as legitimate proxy tools with later versions adding clipboard theft—highlights the risk of extension update supply chain compromise.
NEW#0841
Cofense5 days ago9 min▣LLM reporthigh Cofense Intelligence reports a strategic shift in phishing operations toward platform-aware delivery, where threat actors fingerprint victim devices via browser User-Agent strings and deliver OS-specific payloads from a single landing page. Windows users receive legitimate remote access tools like ConnectWise RAT or Itarian RAT repurposed as malware, while MacOS and Android users are redirected to credential phishing pages. The abuse of legitimate RATs evades signature-based detection, and platform-siloed security tools fail to correlate the campaign across operating systems, leaving organizations with an incomplete picture of the intrusion scope.
NEW#0840
Arctic Wolf5 days ago12 min▣LLM reportcritical Arctic Wolf Labs documents Anubis ransomware affiliate tradecraft observed across multiple 2026 intrusions, featuring CitrixBleed 2 (CVE-2025-5777) exploitation and valid VPN credential abuse for initial access. Affiliates consistently deploy legitimate RMM tools for persistence, use Mimikatz and ntds.dit extraction for credential access, establish alternate egress via cloudflared and SSH SOCKS tunnels, and employ exfiltration tools like S3 Browser and rclone before deploying encryptors on Windows and Linux systems. The attack chain relies on commodity tools and living-off-the-land techniques that resemble legitimate administration in isolation but form a distinctive kill chain when correlated.
NEW#0839WWatchtowr5 days ago9 min▣LLM reportcritical CVE-2026-8037 is a pre-authentication Remote Code Execution vulnerability in Progress Kemp LoadMaster caused by an uninitialized heap buffer and missing null terminator in the escape_quotes() function. When the API is enabled, an unauthenticated attacker can send a crafted POST request to /accessv2 with JSON key/value pairs that spray command injection payloads onto the heap, then use single-quote expansion in the apiuser field to overwrite adjacent allocator metadata, causing the unescaped payload to be read and executed via system().
NEW#0838WWatchtowr5 days ago6 min▣LLM reporthigh A new pre-auth memory overread vulnerability, CVE-2026-8451 (CVSS 8.8), has been disclosed in Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. The flaw resides in the custom XML parser handling SAML AuthnRequest messages, where unquoted attribute values terminated by newlines cause the parser to read beyond the buffer boundaries. This leaked memory, which may include sensitive data or pointers, is returned to the attacker via the NSC_TASS cookie, and the issue can also be triggered to crash the nsppe process.
NEW#0837
Trail of Bits5 days ago5 min▣LLM reportlow Trail of Bits, funded by the Sovereign Tech Agency, has implemented NIST-standardized post-quantum primitives ML-KEM (FIPS 203) and ML-DSA (FIPS 204) in pyca/cryptography version 48, making them available across the Python ecosystem via pip. The release includes Rust bindings, a cross-binding API, and AWS-LC backend support. Migration to post-quantum cryptography is not a drop-in replacement due to significantly larger key, signature, and ciphertext sizes that require protocol-level changes, and integration into real-world protocols like TLS and SSH is still ongoing.
NEW#0836
Cisco Talos5 days ago12 min▣LLM reporthigh Cisco Talos identified ARToken, a phishing-as-a-service platform linked to EvilTokens, that abuses Microsoft's OAuth 2.0 Device Authorization Grant to bypass MFA and capture victim tokens. The platform provides affiliates with a comprehensive post-compromise toolkit including PRT-based persistence surviving password resets, BEC email operations, inbox rule manipulation, and SharePoint exfiltration. ARToken deploys a sophisticated seven-layer client-side anti-analysis system and abuses legitimate sharepoint.com URLs from attacker-controlled Microsoft 365 workspaces to evade security scanners.
NEW#0835
Socket5 days ago17 min▣LLM reporthigh The Miasma Mini Shai-Hulud supply chain campaign has expanded to compromise 22 npm package versions under the @immobiliarelabs scope, targeting Backstage plugins for GitLab integration and LDAP authentication. The malicious packages use a binding.gyp 'Phantom Gyp' trick to execute hidden root-level index.js payloads without preinstall/postinstall hooks, followed by AES-128-GCM decryption and multi-stage delivery under the Bun runtime. The final payload exfiltrates developer and CI/CD secrets via the GitHub API to attacker-controlled repositories, and the campaign likely propagated through a compromised codfish/semantic-release-action GitHub Action that enabled access to release automation credentials.