Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

JadePuffer: First AI-Agent Ransomware Automates Entire Attack

 

Security researchers have identified JadePuffer as the first ransomware operation conducted entirely by an AI agent, marking a watershed moment in automated cyberattacks. Discovered by cloud security firm Sysdig, this incident demonstrates how large language model (LLM) agents can now execute complex intrusion campaigns without human intervention during the attack itself. 

Attack methodology 

The attack began by exploiting CVE-2025-3248, a critical remote code execution vulnerability in Langflow, an open-source platform for building LLM applications. Once inside the initial server, the AI agent systematically gathered intelligence, harvested credentials, and mapped the network to identify higher-value targets. It then pivoted to a production server running MySQL and Nacos configuration management, where it leveraged another known authentication bypass vulnerability to gain administrative access. 

What made JadePuffer particularly notable was its ability to detect and correct errors autonomously during the attack. When the agent's first attempt to create an administrator account failed, it analyzed the error and launched a corrected procedure just 31 seconds later, successfully modifying its credential generation approach. Sysdig researchers emphasized that this rapid self-correction capability is a strong indicator of genuine agentic behavior rather than a human operator using conventional automation tools. 

After securing access, JadePuffer encrypted more than 1,300 configuration elements in the database, deleted the original tables, and left a ransom note with a Bitcoin address and contact email. However, analysis revealed a disturbing detail: the encryption key was never stored or transmitted to any attacker-controlled server, suggesting victims could not recover their data even if they paid. Researchers believe this indicates the attack was oriented more toward data destruction than financial extortion, with claims of external backups appearing to be psychological pressure tactics without evidence of actual exfiltration. 

Security implications 

While JadePuffer has drawn attention to AI's role in cybercrime, experts stress that the fundamental vulnerability was poor security hygiene rather than the AI itself. Exposed credentials, unpatched vulnerabilities, default configurations, and excessive privileges enabled the agent to traverse the infrastructure within minutes. This incident underscores the urgent need for organizations to harden their AI application deployments, implement zero-trust architectures, and maintain rigorous patch management, as autonomous agents will increasingly exploit any weakness they encounter at machine speed.

Google Sent Earthquake Warnings Before Venezuela Tremor Reached Millions


In Venezuela, millions of Android users received earthquake alerts on their phones just minutes before two devastating 7.1 and 7.5 earthquakes struck, highlighting the increasing importance of smartphone-based early warning systems for disaster response. 


Google reported that its Android Earthquake Alerts System issued warnings to approximately 11.4 million people during the earthquakes in Venezuela. It was estimated that nearly 1.4 million users received the highest priority "Take Action" alerts, with warning times ranging from a few seconds to nearly two minutes based on their distance from the epicentre. 

Using Google's Android Earthquake Alert System, alerts were generated at the earliest signs of seismic activity and sent to affected areas prior to the strongest ground shaking. Warnings included an estimation of magnitude and an approximate distance from the epicentre to allow recipients to take immediate protective measures before destructive shaking began. 

Experts pointed out that Google did not predict the earthquake. The system detected primary seismic waves (P-waves), which are fast-moving and travel in advance of secondary waves (S-waves), which are stronger and more destructive. Within approximately three seconds after the earthquake began, stationary Android phones detected the initial P-waves, while Google's servers confirmed the event and began issuing alerts approximately six seconds later. 

As Nikhar Arora, Director at BOTS, explains, the magnitude shown in the initial alert is merely a preliminary estimate and can be revised if more seismic data becomes available. According to HR Anexi, Android smartphones are essentially a large-scale distributed sensor network. With their accelerometers, Android smartphones can detect unusual ground movement, allowing Google to analyze data from multiple nearby devices, estimate the location and magnitude of an earthquake, and send an alert rapidly. 

After launching the Android Earthquake Alerts System in California in 2020, Google expanded the system worldwide in 2021. In regions where monitoring infrastructure is limited, this platform uses data from national seismological agencies along with crowdsourced Android smartphone networks to identify earthquakes and to deliver rapid alerts. 

It is estimated that hundreds of millions of earthquake warnings have been delivered worldwide by the Android Earthquake Alerts System, thus significantly expanding access to early warning technology to areas without dedicated seismic alert infrastructure. With limited earthquake early warning infrastructure in Venezuela, Google's crowdsourced smartphone network was instrumental in estimating the location and intensity of an earthquake by analysing motion data from thousands of Android devices before stronger shaking reached nearby areas. 

A new debate has arisen over the role of technology in disaster management following the Venezuela incident. In his opinion, Hrishit Panthry, the Co-Founder of Envirocare Foundation, stated that smartphones have become a powerful tool for delivering emergency alerts directly to citizens. With the growth of cities and the interconnection of infrastructure, early-warning systems are becoming increasingly important as cities continue to expand. It is also believed that lessons can be applied beyond earthquakes.

A similar real-time warning technology would improve community resilience by facilitating faster communication during other natural disasters, such as flooding, severe storms, and extreme heat. Additionally, the incident highlighted differences between how earthquake alerts are delivered via smartphone platforms. The built-in sensors on Android devices can detect seismic activity in conjunction with official monitoring systems, while other platforms in many regions rely primarily on government-run alert systems for emergency notification.

Experts believe that the wider adoption of integrated warning technologies could help to further strengthen public safety. During the recent Venezuelan earthquakes, governments, scientists and technology companies have demonstrated how they are increasingly utilizing connected devices and real-time data in order to strengthen emergency response efforts. 

Although early warning systems cannot prevent earthquakes, experts say even a few seconds prior notice can assist in saving lives. During the Venezuela earthquake, advances in smartphone-based early warning systems were demonstrated as a major factor in improving disaster preparedness. 

Even though no technology can predict an earthquake in advance, rapid detection and timely alerts can provide crucial seconds to help reduce injuries and improve emergency responses. As these systems continue to evolve, collaboration among technology companies, scientists, and governments will be crucial to expanding access to life-saving warnings worldwide.

India Orders Telegram to Crack Down on Pirated Movies and OTT Content, Seeks Compliance Report

 

Ministry of Information and Broadcasting (MIB) has directed the messaging platform Telegram to take down the pirated films, OTT content and other audio-visual material uploaded on it. It also called upon the company to put in place measures to actively detect, report, disable and remove such unauthorized content from its platform instead of waiting for the government to notify it of alleged violations. 

As per the ministry's direction, the company was also asked to provide the details regarding steps taken by it against repeat offenders of copyright infringement on its platform like channels, groups, bots, admins, users and other entities. As per the notice sent by the ministry, the company was also asked to provide the details about its grievance redressal mechanism for film producers, OTT platforms, broadcasters, and law enforcement agencies concerning copyright infringements. 

At the same time, Telegram was also asked to suggest the steps it has taken to prevent, detect and remove the unauthorized copyrighted content. The ministry clarified that with the directions issued, there is an attempt to move to the next level in taking action against copyright infringement on online platforms. It emphasized that apart from responding to individual complaints, the onus is upon the companies to put in place robust systems to proactively prevent and detect such violations. 

The government has already taken down over 3,000 Telegram channels for hosting and distributing pirated content. However, it is felt that the step taken so far by blocking channels one by one is not an effective approach and the companies need to move to the next level. The ministry reminded Telegram that it was obliged to comply with the requirements of the Information Technology Act, 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 concerning its responsibility as an intermediary platform. 

It observed that due diligence by the companies so that they are not host to any unlawful activities on their platforms cannot be left to the authorities to identify the channels hosting unlawful content. The ministry drew attention to the fact that violation of copyright laws in India is not only a civil wrong but also a punishable offence under Copyright Act, 1957 and Cinematograph Act, 1952. 

Therefore, continued availability of unauthorized content on Telegram, lack of adequate response as expected by the ministry, and failure to address the issues raised by it may trigger further regulatory actions. The latest initiative by the ministry reflects its commitment to protecting and promoting India's creator economy and the content ecosystem. 

It may be noted that the government has taken several steps to ensure that the rights of filmmakers, broadcasters, OTT platforms, producers, distributors and other content creators are protected against online piracy. By asking the online intermediaries to take more responsibility, the government is encouraging them to adopt better moderation practices in order to prevent the unlawful use of content on their platforms.

Centre Plans New Cybersecurity Norms for Electric Two- and Three-Wheelers to Address Battery Tampering Risks

 

The Central government is preparing to introduce new cybersecurity measures aimed at preventing unauthorised tampering with the batteries of electric two-wheelers and three-wheelers. The proposed regulations are expected to mandate stronger software security standards for electric scooters and e-rickshaws, including fully imported models, which have so far operated with limited cybersecurity oversight.

As part of the initiative, authorities are also considering banning mobile applications that can be used to exploit vulnerabilities in electric vehicles equipped with imported Chinese batteries. 

Officials from the Ministry of Heavy Industries and the Ministry of Electronics and Information Technology have reportedly held discussions on addressing these security concerns.

"The software security vulnerability will be plugged," a senior official told ET, adding downloads of mobile apps that can disturb e2w and e3w are expected to be curbed.

According to officials, the decision to restrict such software stems from the difficulty of individually fixing every electric two-wheeler and three-wheeler already in circulation. The software reportedly takes advantage of weaknesses in battery troubleshooting systems, enabling unauthorised users to interfere with vehicle operations.

Another official said electric rickshaws and low-speed electric scooters were initially permitted to encourage wider adoption of electric mobility. However, this also resulted in a significant influx of low-cost imported electric vehicles from China.

"A call has been taken to ensure more safety and software safeguards in new e2w and e3w sold in the country," the official said, adding roadworthy certificates will be issued only to new vehicle models that are free from such vulnerabilities.

The upcoming regulations are also expected to cover completely imported electric vehicles sold in India, ensuring they comply with the same cybersecurity and software safety requirements as locally manufactured models.

Operation Endgame Disrupts Global Cyber Crime Assembly Line


Private companies and international authorities have disrupted a malicious “assembly line” that let hackers steal millions of login details and theft of $47 million in ransom payments via extortion. The operation aimed at catching two tools that are used in online scams.

The first tool is called Amadey, a malware-as-a-service platform for disrupting devices and deploying infected payloads for ransomware and related attacks. Amadey was first discovered in 2018 and in 2025, it exploited GitHub as it stored system info from malicious devices and deployed custom payloads.

The second tool is called StealC, it is an infostealer-as-a-service tool that steals cryptocurrency wallets, browser extensions, authentication cookies, and login credentials.

Disrupting a crucial link in the cyberattacks chain

Amadey and StealC are distinct tools that function autonomously. They are widely used, but many people use them in their personal cybercrime operations. 

The tools depend on the same infrastructure to function. Microsoft made this link after analyzing the tools using AI. The discovery allowed Microsoft to stop both tools simultaneously.

“This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain,” Microsoft said.

About the investigation

Companies gathered proof that the tools shared the same infrastructure and invoked RICO statutes against organized crime. This resulted in treating the two tools as part of a single scam. 

Microsoft has disrupted over 200 C2 servers and shut down criminal control of over 18,000 compromised computers. Europol also assisted in the operation to track down the culprits and recovered around 27 million stolen login details and found $47 million worth of crypto assets tied to cybercriminals.

“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover,”  Europol said.

Operation Endgame

Other firms that helped in “Operation Endgame” are ESET, IBM X-Force, ESET, Mitsui Bussan Secure Directions, and Bitsight. 

According to Europol, another tool that disrupted Operation Endgame was SocGholish. It is a malware installer tied to the Russian cybercrime group Evil Corp. that distributes via hacked websites. If you visit such sites, you will be tricked into installing malware apps mimicking as browser extensions or genuine software.  

IBM Explores Vertical Chip Architecture to Extend the Future of Semiconductor Scaling

 




IBM researchers have developed a new semiconductor architecture that could dramatically increase the number of transistors packed onto a silicon chip while improving both computing performance and energy efficiency. The company's experimental design, known as NanoStack, represents a departure from conventional chip scaling by expanding vertically instead of relying solely on shrinking transistor dimensions.

According to IBM, the new architecture has the potential to accommodate approximately 100 billion transistors on a silicon chip roughly the size of a fingernail. Although the technology remains in the research phase and is still years away from commercial manufacturing, the announcement underlines one of the industry's latest efforts to overcome the physical limitations confronting modern semiconductor development.

IBM says NanoStack is comparable to a 0.7-nanometre technology generation, placing it below the 1-nanometre threshold that has long been viewed as a significant milestone in chip manufacturing. While node names such as 2 nm or 0.7 nm no longer represent the exact physical dimensions of transistors, they generally indicate successive generations of manufacturing technology that deliver greater transistor density, improved performance, and lower power consumption.

In laboratory testing, IBM reported that its prototype achieved up to 50% higher performance than its previously demonstrated 2 nm research chip while consuming as much as 70% less energy under comparable conditions. Those improvements, if successfully translated into commercial manufacturing, could support faster artificial intelligence workloads, improve cloud computing efficiency, reduce power consumption in data centres, and extend battery life in mobile devices.

Rather than focusing exclusively on making individual transistors smaller, NanoStack introduces a new architectural approach by stacking multiple layers of transistors vertically. Traditional semiconductor manufacturing has primarily increased computing capability by placing more transistors across the surface of a silicon wafer. As transistor miniaturization approaches fundamental physical limits, researchers are increasingly exploring three-dimensional designs that use vertical space to continue increasing transistor density without proportionally expanding chip size.

Transistors serve as the fundamental electronic switches inside every processor, enabling calculations performed by smartphones, personal computers, gaming systems, enterprise servers, networking equipment, and the rapidly expanding infrastructure supporting artificial intelligence. As more transistors are integrated into a processor, chips are generally able to execute more operations simultaneously, improving computational performance across a wide range of applications.

The continued drive toward higher transistor density has historically been guided by Moore's Law, the observation that the number of transistors integrated onto a chip approximately doubles every two years. For decades, that trend has driven advances in computing performance while reducing the cost of processing power. However, maintaining that pace has become increasingly difficult as transistor dimensions approach atomic scales, where issues such as heat generation, electrical leakage, manufacturing complexity, and quantum effects become far more challenging to manage.

IBM's NanoStack architecture represents one possible response to those constraints by building upward rather than outward. Industry researchers often compare this concept to urban development. Instead of constructing additional houses across limited land, engineers create increasingly taller buildings to accommodate more occupants within the same footprint. Similarly, vertically stacking transistor layers allows exponentially more computing elements to occupy the same silicon area.

The concept also distinguishes IBM's research from other advanced semiconductor initiatives pursuing three-dimensional integration. While several major chip manufacturers have already adopted various forms of 3D packaging and transistor architectures, IBM's proposal seeks to extend vertical integration even further, reflecting the growing industry focus on architectural innovation as conventional transistor scaling becomes more difficult.

Despite its promise, vertically stacked semiconductor designs introduce substantial engineering challenges. Heat generated by densely packed transistors becomes more difficult to dissipate as additional layers are added, potentially affecting reliability and long-term performance. Extremely thin insulating materials separating transistors may also allow unintended electrical leakage, making it harder for components to switch cleanly between operating states. Engineers must additionally solve complex manufacturing problems involving layer alignment, interconnections between stacked components, power delivery, fabrication precision, and production yield before such architectures can be manufactured at commercial scale.

Although NanoStack remains an experimental technology, IBM's latest research illustrates how semiconductor innovation is evolving beyond simply reducing transistor size. Future advances are increasingly expected to depend on new chip architectures, advanced materials, and sophisticated three-dimensional integration techniques capable of delivering the computing performance required by artificial intelligence, high-performance computing, cloud infrastructure, and next-generation consumer electronics.

U.S. Security Expert Sentenced for Aiding BlackCat Ransomware Gang

 

A cybersecurity professional has become the third U.S. security expert sentenced to prison for aiding a ransomware gang, marking a significant escalation in insider threat cases involving incident response firms. Angelo Martino, a 41-year-old from Florida, pleaded guilty to providing confidential victim information to the BlackCat/Alphv cybercrime group while ostensibly working to help companies negotiate with attackers. 

Modus operandi 

Martino worked as a ransomware negotiator for DigitalMint, a Chicago-based incident response company hired by victims to minimize damage and negotiate lower payouts. Instead, he fed critical details to BlackCat operators, including insurance policy limits and negotiation strategies, enabling the gang to maximize ransom demands across five separate incidents. Prosecutors revealed that Martino also assisted co-conspirators Kevin Martin and Ryan Goldberg in deploying BlackCat ransomware against U.S. victims for six months in 2023, effectively becoming an affiliate of the criminal group. The trio earned more than $1.2 million from a single victim during this period. 

Martino faces up to 20 years in prison at his sentencing hearing scheduled for July 2026, following guilty pleas from Martin and Goldberg in late 2025, who each received four-year sentences in April 2026. Federal authorities have already seized $10 million worth of assets from Martino as part of the investigation. The Justice Department emphasized that Martino's actions directly assisted ransomware actors and increased the financial burden on victim organizations, undermining trust in the cybersecurity incident response ecosystem. 

Lessons for the Industry 

This case highlights a concerning trend of cybersecurity professionals exploiting their trusted positions to facilitate cybercrime, raising questions about vetting processes and oversight within incident response firms. Organizations are now urged to conduct thorough background checks on security personnel and implement strict compliance measures to prevent similar insider threats. The BlackCat/Alphv gang, once a dominant ransomware outfit, has been linked to numerous high-profile attacks, and this collusion scheme demonstrates how criminal groups increasingly target the defenders themselves. 

As the cybersecurity field grapples with this breach of trust, the Martino case serves as a stark reminder that even those hired to protect can become perpetrators. Companies must strengthen internal controls, monitor negotiator activities, and ensure transparency in ransomware response engagements. With sentencing underway and more cases potentially emerging, the industry faces a critical moment to restore confidence in its ability to defend against evolving ransomware threats without internal compromise.

Six U-Boot Vulnerabilities Could Enable Pre-Boot Code Execution and Persistent Firmware Attacks

 



Security researchers have identified six vulnerabilities in the widely deployed U-Boot bootloader that could allow attackers to execute malicious code during the earliest stages of a device's startup process. If successfully exploited, the flaws could enable firmware-level attacks capable of bypassing security protections before the operating system loads and establishing malware designed to remain on affected systems.

As one of the most widely used open-source bootloaders, U-Boot plays a fundamental role in the startup sequence of embedded Linux devices by initializing hardware and loading the operating system. It is integrated into a broad range of technologies, including enterprise server Baseboard Management Controllers (BMCs), networking equipment, industrial control systems, Internet of Things (IoT) devices, and numerous other embedded appliances.

Because the bootloader executes before the operating system and endpoint security tools become active, vulnerabilities at this stage can have far-reaching consequences. An attacker who gains control during the boot process may be able to interfere with the system's trusted startup sequence before conventional security controls have an opportunity to detect or prevent malicious activity.

One of U-Boot's primary security mechanisms is Verified Boot, which uses cryptographic signatures to verify the authenticity of firmware and operating system images before they are executed. During startup, only images signed with a trusted cryptographic key are intended to be loaded, helping prevent unauthorized or modified firmware from running on the device.

In a technical report published this week, firmware security company Binarly disclosed six vulnerabilities affecting U-Boot's Flattened Image Tree (FIT) signature verification code. The FIT framework is responsible for validating firmware images during the boot process, making it a critical component of the platform's chain of trust.

According to Binarly, researchers examined the verification logic because of its importance in maintaining firmware integrity during startup. Their analysis uncovered six distinct vulnerabilities ranging from denial-of-service conditions that can interrupt the boot process to flaws capable of enabling arbitrary code execution while processing untrusted firmware images.

The researchers said two of the vulnerabilities could potentially allow arbitrary code execution during firmware verification, while the remaining four can be exploited to trigger crashes during the boot process. Since these weaknesses affect the validation of firmware before the operating system starts, a successful exploit could allow malicious instructions to execute before higher-level security mechanisms become operational.

The disclosed vulnerabilities include a flaw identified as BRLY-2026-037 that can cause U-Boot to crash when processing a specially crafted firmware image and, under certain conditions, may also permit arbitrary code execution. BRLY-2026-038 is a memory corruption vulnerability that could enable attackers to execute malicious code during firmware signature verification. BRLY-2026-039 involves an out-of-bounds read that may force U-Boot to access memory beyond the firmware image, resulting in a system crash. BRLY-2026-040 is a null pointer dereference vulnerability that allows crafted firmware images to terminate the bootloader unexpectedly. BRLY-2026-041 stems from insufficient validation of externally stored firmware data and can also be used to crash vulnerable systems. The sixth flaw, BRLY-2026-042, involves unbounded recursion that can exhaust available stack memory and prevent the bootloader from completing the startup process.

Binarly noted that much of the affected code has been present since U-Boot version 2013.07, meaning the vulnerabilities could impact more than 50 stable releases of the project. Because many hardware manufacturers maintain customized downstream versions of U-Boot within their own firmware, the potential exposure extends beyond the upstream project to a large number of commercial products deployed across multiple industries.

If the arbitrary code execution vulnerabilities are successfully exploited, attackers could gain execution during one of the earliest phases of system initialization. Operating at this level may allow threat actors to alter the boot sequence, disable firmware security mechanisms, deploy persistent firmware malware, or perform other privileged actions before the operating system begins loading.

Firmware-based attacks can also be considerably more difficult to identify than malware operating within the operating system. Since malicious activity occurs before the operating system initializes, traditional endpoint security software and many monitoring tools may have limited visibility into the compromise, allowing malicious modifications to remain undetected for extended periods.

Binarly also noted that exploitation does not necessarily require physical access to a device. Systems equipped with Baseboard Management Controllers that support remote firmware updates could become vulnerable if an attacker first compromises the management interface. In such cases, a specially crafted firmware image could be uploaded and processed during the update process, potentially triggering the identified vulnerabilities.

The researchers reported all six vulnerabilities to the U-Boot maintainers and submitted patches addressing each issue. Those fixes have since been accepted into the project's upstream codebase. However, because U-Boot is incorporated into firmware by individual hardware manufacturers, vendors must integrate the patches into their own firmware releases before updates become available to customers.

Organizations operating embedded systems should monitor firmware advisories issued by their hardware vendors and apply security updates as they become available. Restricting access to firmware management interfaces, securing remote administration services such as BMCs, and verifying firmware authenticity before deployment can further reduce exposure while patches are being distributed.

Devices that have reached end-of-life or no longer receive firmware updates may remain permanently vulnerable, underscoring the long-term security challenges posed by legacy embedded systems that continue operating long after vendor support has ended.

Meta Faces Privacy Questions After Employee Data Exposure Report


 

After sensitive employee information was reportedly made available throughout the organization, Meta has suspended an internal employee monitoring initiative intended to assist in the development of artificial intelligence systems. 

Initially introduced in April, the Model Capability Initiative was intended to collect workplace activity data to assist Meta in improving its artificial intelligence models through the collection of work activity data. The system was reportedly used by employees to monitor interactions across various workplace applications including Gmail, Google Chat, and Meta’s AI assistant, as well as capture screenshots and usage patterns. 

In response to concerns about privacy and consent, the initiative quickly drew criticism from employees. More than 1,600 Meta employees, including engineers, researchers, and designers, have signed a petition advocating the discontinuation of this program. Prior to the latest incident, the monitoring initiative had already been under scrutiny. A Reuters report reported that the program collected more information than originally indicated and stored some of the data unencrypted, raising concerns among employees about privacy. 

In internal discussions, employees were also concerned that personal information, including tax and medical records accessed from work devices, could be disclosed, despite assurances that the data would be protected and used solely for legitimate business purposes. According to the petition, employees argued that responsible AI development should not be compromised by individual privacy concerns. 

A company's stated commitment to building trustworthy and responsible artificial intelligence systems is in conflict with the company's collection of workplace data without meaningful consent. Following reports that sensitive employee information had been accessed internally by employees, the controversy became more intense. 

According to information cited in media reports, the exposed data could have included private communications, AI prompts, transcriptions, as well as performance data. The incident has sparked an internal investigation, though there is no evidence of the information being improperly accessed or misused. Meta, according to Reuters, suspended the initiative after filing an internal security incident (SEV) in response to employee data being widely accessible within the organization. 

As indicated in internal documentation, this information included artificial intelligence prompts and transcriptions, private conversations, personnel records, and classifications of data sensitivity. This incident raised new concerns regarding the collection, storage, and protection of employee information. The Meta program has been suspended while the matter is being investigated. 

A company spokesperson confirmed the initiative was designed with privacy safeguards and stressed the absence of any indication of unauthorized access during the investigation. As of the time of the investigation, Meta had not announced when the initiative might resume, and executives of Meta indicated that it would remain halted while the investigation continued. As Meta stated, the Model Capability Initiative will be suspended gradually and might not reach all employees immediately. 

A source familiar with the matter told Reuters that the monitoring tool was still recording employee activity on Monday afternoon while the company attempted to disable it across all its systems. An additional clarification of the incident was provided by Meta Chief Technology Officer Andrew Bosworth in a later interview, in which he stated that the incident was not the result of an external security breach. Bosworth reported that employee information generated through the program initially could only be accessed by a small number of authorized employees, but was accidentally stored in an internal location incorrectly by a researcher. 

According to Meta, there was no evidence of malicious activity found, and the incident was an internal error that caused the company to suspend the initiative while investigating the matter. The development indicates growing tensions between rapid advancement of artificial intelligence and employee privacy rights. The majority of technology companies are exploring new sources of training data to enhance the performance of their models, as well as investing heavily in artificial intelligence. 

Despite increasing competition in the AI industry, Meta is expected to spend more than $135 billion on infrastructure in 2018. According to leaked audio from an internal Meta meeting, Mark Zuckerberg was in favor of using employee-generated data for AI training, asserting that highly skilled employees could serve as valuable examples for AI systems. It has been criticized by privacy advocates, however. 

Digital rights experts have argued that extensive workplace monitoring raises serious concerns about employee consent and transparency. According to the incident report, maintaining employee trust and protecting sensitive information are critical challenges that organizations should not overlook as they accelerate the development of artificial intelligence. 

A growing concern is how to strike a balance between rapid AI innovation and employee privacy and data security, as exemplified by the incident. As Meta continues its internal investigation, the outcome will likely influence how organizations approach AI training, workplace monitoring, and responsible data governance in the years to come.

Okta Uncovers Vishing Campaign Using Fake Microsoft Entra ID Pages to Hijack Microsoft 365 Accounts

 

Okta has identified a sophisticated vishing campaign targeting organizations across multiple industries, where attackers attempt to steal Microsoft 365 credentials by directing victims to fraudulent Microsoft Entra ID login pages.

The campaign, which began in April, uses voice calls to persuade employees that they need to register a new passkey for their Microsoft account. Victims are then guided to convincing fake Microsoft Entra ID pages designed to capture their credentials.

The threat activity, tracked as O-UNC-066 and also referred to as CL-CRI-1147 or Pink, has primarily targeted organizations in the automotive, aviation, construction, food and beverage, healthcare, and technology sectors. The group's primary objective appears to be data extortion.

To support the campaign, the attackers have registered multiple domains containing the word "passkey" and created phishing pages that closely imitate Microsoft's legitimate passkey enrollment experience.

“It appears engineered to convince a targeted user they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey in the targeted user’s Microsoft account,” Okta says.

According to Okta, the fake Microsoft Entra ID login portals are customized for each intended victim through the phishing kit's backend. These pages incorporate authentic Microsoft branding and even load content directly from Microsoft's content delivery network to appear legitimate.

Unlike conventional phishing kits that automatically harvest usernames, passwords, MFA tokens, and session cookies, this toolkit relies on a manually operated PHP control panel. The attacker actively interacts with victims in real time, adjusting the phishing pages throughout the authentication process to accommodate different multi-factor authentication methods.

“It is likely that the threat actor uses the kit to take over the user account and trick the user into approving an attacker-initiated registration of a passkey,” Okta notes.

Throughout the attack sequence, the phishing pages conduct anti-analysis checks, collect usernames without redirecting users to federated identity providers, and prompt victims to enter their passwords. The attackers are believed to use these credentials immediately to access the targeted Microsoft account.

After the initial login, victims are shown a processing screen while the attacker determines which MFA method is enabled, such as SMS one-time passwords, time-based one-time passwords (TOTP), or push notifications, and modifies the phishing flow accordingly.

As part of the deception, victims are eventually redirected to a fake passkey registration page. There, they are instructed to save a recovery key generated from a list of attacker-controlled BIP-39 seed phrases before verifying the final word in the phrase.

“The phishing kit appears to prey on the lack of user familiarity with passkey authentication. In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. The passkey pages in this phishing kit appear to mimic this process without registering a passkey,” Okta notes.

Okta points out that BIP-39 seed phrases have no apparent role in Microsoft Entra passkey registration, suggesting that this step is merely a distraction while attackers secretly enroll their own passkeys into compromised accounts.

The company also highlighted that Microsoft automatically sends legitimate email notifications whenever a new passkey is registered. However, because the attackers complete the enrollment directly with Microsoft, they can assign the passkey an innocent-looking name, reducing the likelihood of raising suspicion.

“Any time a user enrolls a passkey with Microsoft, the owner of the compromised account receives a legitimate Microsoft email to notify them that a new passkey has been registered in their account. During an attack, the passkey was actually enrolled by the threat actor directly with Microsoft, and the threat actor is in a position to name the passkey with something the targeted user would view as benign,” Okta explains.

Hackers Target Industries in Japan, Attacks Share One Pattern


Four big Japan cyberattacks point to a common trend: threat actors are getting access via third-party infrastructure and subsidiaries, not from corporate headquarters. 

While the attacks impacted companies from varying industries such as telecommunications, manufacturing, insurance, and brewing, the breaches have one same characteristic.

Attacks share same patterns

Instead of directly disrupting corporate headquarters, hackers gained access via third-party infrastructure, subsidiaries, and overseas operations. 

The impacted organizations are Nidec, KDDI, Aflac Japan, and Sapporo Holdings. While the attacks involved different contexts, the incidents hint towards an increasing attack surface that expands well beyond a company’s primary network.

About KDDI incident 

KDDI, a telecommunications provider, reported illegal access to an email platform used by various Japanese internet service providers.

KDDI reported the incident surfaced from a bug in third-party software, revealing around 14.22 million email account records throughout six ISPs.

The attack shows how a single bug inside shared infrastructure can impact various organizations continuously.

Aflac Japan incident

On June 30, Aflac Japan revealed that between June 15 and June 25, hackers gained access to its Japanese operations. The company claims that some 4.38 million clients and agents were impacted, and a portion of the documents included bank account details used to pay insurance premiums.

According to the insurance, the incident only affected its company in Japan and had no bearing on its operations in the United States.

The alleged tactics are similar to social engineering strategies previously linked to Scattered Spider, even though the business has not linked the attack to any particular threat organization.

Sapporo Holdings and Nidec incident

Sapporo Holdings revealed possible illegal access involving two foreign subsidiaries, Canadian brewer Sleeman and Singapore-based Pokka. After identifying suspicious activity, the company shut down the impacted systems and started an investigation to find out if any data had been taken or accessed.

Nidec, a manufacturing company, has revealed that its Taiwanese subsidiary, Nidec Chaun Choung Technology, was the subject of a ransomware attack.

More than two gigabytes of firm data, including personnel, financial, procurement, manufacturing, legal, and IT information, were allegedly taken by the BlackField ransomware organization, which claimed responsibility for the attack. A $2 million ransom was allegedly demanded by the organization.

Injective Labs GitHub Compromise Distributes Malicious npm Package Targeting Crypto Wallet Keys

 

Cybersecurity researchers have detected a software supply chain attack in which threat actors compromised the Injective Labs SDK GitHub repository and utilized it to distribute a backdoored version of the npm package containing cryptocurrency wallet credentials stealing capabilities. Researchers at security company Socket have identified that the attackers distributed the malicious code in the @injectivelabs/sdk-ts version 1.20.21 after compromising the GitHub account of one of the trusted maintainers. 

The compromised package was published to the npm registry on July 8, 2026, and subsequently deprecated. Nevertheless, the distribution channel for the malicious artifacts remained available on GitHub at the time of publication. The attackers distributed the backdoored SDK to 17 other @injectivelabs packages, including the wallet, utility, networking, and crypto modules. Since the packages include various apps as dependencies, developers who did not directly install the SDK might also be affected. 

Unlike traditional supply chain malware that typically persists in the compromised software at installation time, the detected backdoor was not activated when the developers installed the package. Rather, the malicious code was designed to exfiltrate the cryptographic assets when the developers used the SDK’s wallet generation feature. 

Thus, the threat actors could hide the malicious payload’s presence by avoiding the use of suspicious scripts typically associated with malware. The detected malware consisted of modified cryptographic functions that replaced the legitimate implementation with the backdoor, which the attackers masked as a performance telemetry component. The additional function exfiltrated the cryptographic assets, including the mnemonic seed phrase and private key generation details, required to recreate the cryptocurrency wallet. 

Researchers noted that the malware persisted in the compromised repositories by sending the collected data to the remote server in aggregated fashion to avoid suspicion by grouping multiple exfiltration requests into one encrypted HTTPS session. The security analysts at OX Security stated that the detected threat was capable of intercepting the master recovery phrase used to seed cryptocurrency wallets. Since the mnemonic seed phrase gives the adversary full access to the wallet funds, threat actors could reproduce the cryptographic assets to gain unauthorized access to the blockchain assets. 

The malware’s distribution channel was compromised using the trusted publishing infrastructure and OpenID Connect (OIDC) publishing pipeline. The detected threat utilized the legitimate account of one of the maintainers, which implies that the attackers did not have to use supply chain malware or impersonate the project on a third-party registry. The developers who installed the affected package should switch to the latest version, 1.20.23, which has been released. 

The security analysts advise the developers to consider all private keys and mnemonic phrases generated with the compromised version of the code as compromised and take the appropriate actions to rotate the cryptographic assets. Moreover, the developers should review their project dependencies to ensure that they do not use the affected versions of the packages indirectly. 

The incident demonstrated how the threat actors could target the software supply chain to compromise the cryptocurrency ecosystem and gain unauthorized access to the crypto assets by compromising the open-source developer infrastructure.

Injective SDK Supply Chain Attack Exposed Developers to Cryptocurrency Wallet Theft


 

InjectiveLabs/SDK-TS, a widely used package, was briefly published on Node Package Manager (npm) as a malicious version after attackers gained access to a legitimate contributor's GitHub account, exposing developers to the theft of cryptocurrency wallet credentials. Several security researchers from Socket, Ox Security, and StepSecurity identified the supply chain attack as targeting Injective Labs' TypeScript/JavaScript SDK, which is used to develop applications based on Injective's blockchain.

The SDK is widely adopted by developers who create cryptocurrency wallets, decentralized finance (DeFi) applications, decentralized exchanges, trading bots, and payment platforms, with approximately 50,000 downloads per week on NPM. 

A significant security issue is the responsibility of the SDK when it comes to creating and importing cryptocurrency wallets, as it occupies a critical position in the development process. Developers and end users alike are particularly vulnerable to any compromise of the SDK because the wallet creation functions are crucial to the handling of users' mnemonic recovery phrases and private keys. 

Researchers have determined that hackers gained access to a legitimate contributor's GitHub account on June 8 and introduced malicious code, which was later released as version 1.20.21 for the @injectivelabs/sdk-ts package. Additionally, 17 additional Injective-related packages were referenced by the compromised release, resulting in a significant impact on downstream projects. According to security researchers, attackers compromised a legitimate maintainer's account after exploiting the trust-worthy GitHub publishing workflow of the project. 

As opposed to stealing an NPM publishing token or creating a fake package, the malicious version was distributed through the repository's normal release process, making the compromise appear genuine. Package maintainers detected the malicious activity within minutes, reverting the unauthorized changes and releasing a version that is free of malicious activity, 1.20.23. 

Nevertheless, systems that downloaded or updated the compromised package during the brief exposure window may still have been affected. In contrast to conventional malware that is executed during installation, the injected code is activated when developers create or import cryptocurrency wallets using SDK functions. 

When this was achieved, the malware captured private wallet keys and mnemonic seed sentences, encoded the information, and sent it via HTTP POST request to what appeared to be an official Injective Labs infrastructure endpoint in order to blend into normal network traffic. As a method of minimizing detection, the malware disguised its outbound communication as legitimate injective network traffic in order to prevent detection. 

By capturing multiple wallet secrets temporarily, encoding them, and transmitting them as a single request, the malicious activity was able to blend in with blockchain-related communications, avoiding detection. The malware, according to StepSecurity researchers, collected wallet secrets for approximately two seconds before bundling them into a single request to minimize suspicion while maximizing the amount of data stolen. 

In a recent report, Socket reported that 310 malicious packages had been downloaded before they were deprecated, but there is reportedly still availability of the associated malicious GitHub release artifacts. As a consequence of Ox Security's warning, the compromised SDK is dependent on 87 direct NPM packages, accounting for more than 112,000 cumulative downloads, illustrating the risk to a larger supply chain.

Researchers noted that even though the malicious payload was contained within @injectivelabs/sdk-ts, the compromised release affected 17 additional injective packages that depended on the infected SDK version. This could have resulted in developers installing the backdoored package unknowingly through normal project dependencies, thereby significantly expanding the attack's impact. 

It is advised that developers who suspect they may have installed the affected version transfer cryptocurrency assets immediately into new wallets, replace compromised private keys and seed phrases, and rotate any sensitive credentials stored within their development environment immediately. The incident underlines the growing threat posed by software supply chain attacks, particularly within the cryptocurrency ecosystem where a compromised development dependency may result in a significant financial loss to both developers and end users.

Due to the increasing sophistication of software supply chain attacks, organizations and developers must strengthen dependency verification, monitor package integrity, and respond quickly to compromised components so that credential theft and downstream compromise can be reduced.


QIZ Security Raises $17 Million to Expand Cryptographic Security and Post-Quantum Readiness Platform

 

Israeli cybersecurity startup QIZ Security has raised $17 million in seed funding to fuel the development of its cryptographic security management solution and post-quantum cryptographic (PQC) readiness platform. The Israeli cybersecurity company has seen rising demand for its service, which assists firms in inventorying their cryptography assets in preparation for the transition to post-quantum cryptography algorithms. 

The round was led by Bessemer Venture Partners and Merlin Ventures, with Evolution Equity Partners, Qbeat Ventures, Singtel Innov8, and Qino Cyber Capital also participating. The funding will support the company’s expansion and product development, with the company’s QIZ Security cryptographic governance platform’s research and development being the main focus. 

The startup was founded in 2022 by Ben Volkow, Lenny Ridel, and Itan Barmes, and its cybersecurity solution allows organizations to manage and inventory all cryptographic assets in on-premises, cloud, and hybrid environments without the need to scan their networks. Using industry standard APIs, QIZ Security’s cryptographic governance platform enables enterprises to detect and assess the risk of all certificates, encryption assets, security controls, protocols, cipher suites, and cryptographic keys. 

These details are automatically correlated to the organization’s applications and business processes discovered across hybrid cloud infrastructure environments. Moreover, the application detects vulnerabilities, weaknesses, and exposures to outdated encryption technologies that put enterprise data at risk in both transit and at rest. 

In addition, the company’s solution helps enterprises prioritize risks according to their technical and business significance and guides enterprises in responding to each identified risk. This empowers security operations and compliance teams to coordinate and accelerate activities and responses to cryptographic risks, ensuring that application owners and security stakeholders reduce exposure to business-specific threats. 

Modern cryptographic infrastructure governance is necessary for enterprises to inventory and better understand their cryptography assets, identify risks, and respond to them in a timely and cost-effective manner. With the upcoming quantum computing era, enterprises and government agencies are preparing to migrate their cryptographic infrastructure to post-quantum algorithms. This migration requires organizations to fully understand where their cryptography is, which encryption technologies put them at risk, and how best to respond. 

According to Chief Executive Officer Ben Volkow, enterprises are unable to effectively plan their transition to modern cryptography without gaining continuous visibility into their cryptography assets. Organizations need to take a step back and understand the overall state of cryptography in their IT environments to be prepared for upcoming changes. With the quantum era of computing arriving, businesses need to ensure they are taking the right steps now to safeguard their sensitive data. 

The news comes as governments and enterprises worldwide are beginning to acknowledge the need to inventory cryptographic assets to develop migration plans for post-quantum cryptography algorithms. Additionally, with increased concerns over the implications of quantum computing, multiple cybersecurity startups are positioning their services to assist enterprises in preparing their cryptography infrastructure for the transition to post-quantum cryptography algorithms.

OpenMandriva Accuses Former Contributor of Project Sabotage

 

OpenMandriva Linux is facing a serious internal security dispute after it said a former contributor abused administrative access to damage the project’s infrastructure. The alleged actions included deleting GitHub repositories and publishing an empty package that could have broken desktop systems for users of GNOME and COSMIC. 

According to the project, the problem did not begin with code but with conflict inside the community. OpenMandriva says an abusive incident in its Matrix chat led to one contributor being removed, which then triggered a chain of resignations and escalating anger among some members. 

The most damaging part of the incident involved repository access. Long-time maintainer AngryPenguin said the contributor had admin privileges because he had previously helped migrate and mirror project repositories to a private OneDev instance, and that access was later used to delete part of a repository the team had maintained for nearly 10 years. 

OpenMandriva also says the contributor pushed an empty package into its Cooker development branch. That package obsoleted the GNOME and COSMIC packages, meaning it could have caused real disruption for people relying on those desktop environments if the issue had not been caught quickly. 

The accused contributor, Davide Beatrici, rejects the sabotage allegation and says his goal was not to harm users or the distro itself. He argues that his actions were tied to a dispute over the project’s direction, including disagreement about OpenMandriva’s support for GNOME and COSMIC alongside KDE and LXQt. OpenMandriva says it is now restoring deleted repositories, repairing affected packages, and conducting a full audit to confirm that nothing else was altered. 

The project has also said the incident may meet the threshold of a criminal offense, though it has chosen not to pursue legal action at this stage. This case is a reminder that open-source projects do not only face technical threats from outside attackers. Internal access, trust, and governance can become just as dangerous when disputes turn personal and administrative privileges are misused.

Why Apple, Meta and Snap Want You to Stop Looking at Your Phone

 



The technology industry's next computing platform may not fit in your hand. Instead, it could rest on your ears, sit on your face or hang around your neck.

Apple is reportedly exploring AirPods equipped with cameras that would give Siri the ability to interpret a user's surroundings, according to a Bloomberg report. The cameras are not expected to function like traditional smartphone cameras for photography or video recording. Instead, they would provide visual context that allows Apple's AI assistant to respond more intelligently to spoken requests. Apple has not commented on the report.

The development reveals a comprehensive industry effort to move everyday computing beyond smartphone screens. For decades, displays have served as the primary interface between people and their devices. Advances in artificial intelligence, computer vision and voice assistants are now encouraging technology companies to develop wearable devices that can understand a user's environment and respond without requiring constant screen interaction.

Snap recently expanded that vision with its latest augmented reality smart glasses, Specs, priced at £1,995 in the UK and $2,195 in the US. Unlike many existing smart glasses, the device is designed to operate independently rather than relying on a connected smartphone. Digital content appears only when needed, overlaying information onto the wearer's view of the real world instead of replacing it. Snap Chief Executive Evan Spiegel said the goal is to let users remain engaged with their surroundings while accessing digital experiences.

Meta is also increasing its investment in wearable AI. The company has reportedly sold around seven million pairs of its Ray-Ban Meta smart glasses and recently introduced more affordable models. Reports also indicate Meta is evaluating audio-only smart glasses that could reduce some of the privacy concerns associated with built-in cameras.

Those concerns remain one of the biggest obstacles to wider adoption. Camera-equipped wearables have faced criticism after users were found recording people without their knowledge, despite recording indicator lights intended to alert those nearby. Privacy advocates continue to question whether visible indicators alone provide sufficient transparency in public spaces.

Apple could attempt to distinguish itself by relying heavily on on-device processing, allowing visual information to be analyzed locally rather than stored or transmitted to cloud servers. Such capabilities could enable users to identify objects, receive navigation guidance, ask questions about nearby landmarks or generate recipe suggestions based on ingredients already in their kitchen through simple voice interactions.

Analysts believe AI-powered wearables could gradually shift some everyday computing tasks away from smartphones. Even so, most expect the smartphone to remain central to digital life for the foreseeable future, with wearable devices evolving as complementary tools rather than direct replacements. Whether they ultimately reduce screen time or simply expand the ways people interact with technology remains an open question.

AI Agents Built to Detect Malware Can Be Manipulated Into Running It


 

AI agents capable of identifying malicious software can be manipulated by the AI Now Institute to execute it, according to new research. The proof-of-concept attack, known as "Friendly Fire," demonstrates that autonomous AI coding agents, such as Claude Code from Anthropic and Codex from OpenAI, can be deceived into running malicious code while performing open-source security reviews. 

AI agents can approve and execute commands independently of the user without requiring user confirmation for every action, which is what this attack targets. Researchers contend that the vulnerability does not lie in the software version used by these agents, but rather in the way they interpret and react to instructions embedded within untrusted repositories rather than exploiting a software vulnerability. 

A comparison with conventional supply-chain attacks that hide malicious code within a repository was made by the researchers, who noted that when static analysis and manual review are performed, the repository itself can appear to be completely free of malicious code. By introducing the malicious payload at execution time, the AI agent follows embedded instructions, so traditional security tools cannot detect this technique.

By adding a seemingly harmless README.md instruction to an open-source project that recommended running a script entitled security.sh before submitting a pull request, attackers modified it. By launching a malicious binary hidden within a legitimate compiled Go file, the script silently executed on the host computer without triggering security warnings or approval prompts, allowing the malicious binary to execute on the system. 

According to the researchers, the attack is successful because the AI agent recognizes the instructions as a legitimate step in the process of installing software rather than an attempt to exploit the system maliciously. Once the recommended script has been executed, the payload will run under the same permissions that were provided for the developer or AI agent, potentially exposing credentials, environment variables, and other sensitive information. 

The procedure differs from previous prompt injection attacks, which relied on configuration files and often generated trust warnings, as this technique hides instructions inside standard documentation that is regularly read by developers and AI agents. It has been reported that both Claude Code and OpenAI Codex followed the embedded instructions during testing, while newer AI models executed the disguised binary upon detecting differences between the source file and the compiled executable. 

A laboratory proof-of-concept has been demonstrated, with no evidence of active exploitation in the field. In addition to excluding the malicious payload, the publicly released demonstration code does not attempt privilege escalation or lateral movement. These findings indicate that autonomous AI agents pose a greater challenge in terms of design rather than a problem that can be resolved by simply updating software. 

It is becoming more common for organizations to employ AI-powered coding assistants to review third-party software. Researchers recommend treating AI coding agents as privileged software, rather than simply assistants. Autonomous agents should not be permitted to execute commands on untrusted repositories, least-privilege access policies should be enforced, AI workflows should be isolated in sandboxed environments, and human approval should be required before running scripts or binaries recommended by project documentation. 

In accordance with the researchers, the issue is not related to any particular AI model, but a broader trust problem affecting autonomous coding assistants capable of executing shell commands. In addition to creating new attack surfaces if they are unable to reliably distinguish legitimate instructions from content controlled by the attacker, AI agents are becoming increasingly capable of cloning repositories, installing dependencies, and resolving setup issues independently. 

As autonomous AI systems are increasingly adopted in the software development and cybersecurity sectors, prompt injection attacks remain a major security threat. This study adds to a growing body of evidence that prompt injection attacks remain one of the greatest security risks. In light of the increasing autonomy of AI agents, organizations must balance automation and strong oversight in order to balance automation and security workflows. 

AI-driven attack techniques cannot be effectively countered until artificial intelligence (AI) systems can reliably discriminate between trusted and malicious instructions. Human verification and secure execution environments will therefore remain critical safeguards.

GhostApproval Symlink Codes Could Run Malicious Codes in AI Coding Agents


Cyber security experts at Wiz discovered that a bug in six famous AI coding assistants allows a booby-trapped code project to silently take over a developer’s system. The assistant can ask access to edit one innocent-looking file, but the write takes over a sensitive file.

The impacted tools are Windsurf, Google Antigravity, Cursor, Amazon Q Developer, Claude Code by Anthropic, and Augment. Wiz has termed the technique GhostApproval and posted it recently.

Three of the six AI assistants have addressed, two did not, while Anthropic argues if it is a bug. The most vulnerable are the tools that modify file before you can notice.

Attack tactic

The threat actors exploit an old Unix feature called symlink (or symbolic link), that AI assistants cannot check. 

A symlink silently directs to other files somewhere else on disk, hence writing to it particularly writes to the victim. 

“Symbolic links have been a security headache since the early days of Unix. From /tmp race conditions to privilege escalation exploits, symlinks have a long history of bypassing security boundaries by making one path silently resolve to another. It's a well-documented attack primitive - CWE-61 dates back decades,” Wiz said.

Research model

Wiz made a malicious repository with a symbolic link called project_settings.json that really directs to target’s SSH login file, ~/.ssh/authorized_keys. The repo’s README commands the assistant to put “a line” to project_settings.json, and this line is the hacker’s SSH key mimicking an innocent setting. “

If you ask the agent to “set up the workspace” or “follow the README,” it writes the key directly via the symlink into the login file. Following this, if the machine plays an SSH  service the threat actor can access, they can sign in without password. 

The second variant

Another variant of the attack writes to your shell startup file, ~/.zshrc, which the shell runs the next moment you open a terminal without needing an SSH. There are no indications that any of this has been abused in real-time operations, Wiz has only demonstrated it as their research.

“Symlinks have been exploited for decades – in race conditions (CVE-2018-15664), in package managers (CVE-2021-32803), in container escapes (CVE-2024-21626). Any time a tool writes to a user-controlled path without resolving it first, symlinks become a weapon,” Wiz wrote in its blog. 

Datadog Uncovers Coordinated GitHub API Campaigns Targeting Organizations for Large-Scale Reconnaissance

 

Datadog Security Labs has identified multiple coordinated campaigns that are systematically using the GitHub API to enumerate corporate GitHub organizations, repositories, and user accounts. The activity highlights how attackers are leveraging both legitimate and compromised resources to gather intelligence on organizations while blending into normal API traffic.

"Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users," Julie Agnes Sparks, senior security engineer at Datadog, said.

According to the security researchers, the majority of the observed activity has focused on collecting publicly available information. However, in a limited number of incidents, the attackers progressed beyond reconnaissance and successfully cloned private repositories.

The campaigns rely on a combination of automated scanning tools, more than 50 dormant GitHub accounts, and several legitimate accounts whose personal access tokens (PATs) had either been unintentionally exposed or compromised. These resources are used to perform extensive enumeration across multiple GitHub organizations.

A notable aspect of the operation is the use of so-called "ghost" accounts that were created between two and five years ago and deliberately left inactive before being activated for API-based reconnaissance. By using aged accounts instead of newly created ones, the attackers are able to make their activity appear more legitimate and reduce the likelihood of triggering security alerts.

Since a significant portion of GitHub's API can be accessed without authentication, the attackers are able to retrieve large amounts of publicly available data while remaining indistinguishable from routine API traffic. Their reconnaissance includes listing public repositories within organizations, mapping user followers and following relationships, identifying gists, starred repositories, and organization memberships, as well as executing GraphQL queries against public objects.

The collected information enables threat actors to build detailed profiles of an organization's GitHub environment, including its public repositories, contributors, developer relationships, and project activity. Such intelligence can be used to support future targeted attacks.

Datadog also confirmed that in a small number of cases, attackers escalated their activity by cloning a private repository belonging to a targeted organization, indicating that the campaigns can extend beyond information gathering.

"Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses," Datadog said. "The concern lies in the aggregate: a group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning."