Fortinet FortiSandbox: Critical RCE Vulnerabilities CVE-2026-25089 and CVE-2026-26083
Fortinet FortiSandbox is under active exploitation via a cluster of critical vulnerabilities, most notably CVE-2026-25089 and CVE-2026-26083 (CVSS 9.8). Attackers leverage OS Command Injection (CWE-78) and Missing Authorization (CWE-862) to execute arbitrary commands with high privileges without authentication. This is often chained with CVE-2026-39813 (Path Traversal in the JRPC API) and CVE-2026-39808 to bypass security controls and gain full system access. The primary impact is the complete compromise of the sandbox appliance, allowing adversaries to manipulate the malware analysis environment and potentially pivot deeper into the corporate network.
Structural Trust Failures in Intel SGX/TDX, AMD SEV-SNP, and ARM TrustZone Attestation
A systemic structural failure has been identified in the Remote Attestation mechanisms of Intel SGX/TDX, AMD SEV-SNP, and ARM TrustZone. Research, including the TEEFail analysis, reveals a fundamental decoupling between hardware identity proofs (Attestation Quotes) and the secure communication channels (Attested TLS). This gap allows attackers to execute relay attacks, where a "Fake Enclave" can spoof the identity of a secure environment, misleading the client into believing the session is hardware-isolated. This vulnerability invalidates the core premise of Confidential Computing by breaking the cryptographic binding between the hardware root of trust and the transport layer, exposing encrypted memory enclaves to Man-in-the-Middle (MitM) exploitation.
Npm, Microsoft, and AI Coding Agents: Shai Hulud and Miasma Worm Supply Chain Campaigns
Between May and June 2026, threat actor TeamPCP executed a multi-stage supply chain attack transitioning from the Shai Hulud cluster to the Miasma Worm. Shai Hulud utilized dependency confusion and SLSA provenance spoofing to compromise CI/CD pipelines and exfiltrate AWS Redshift data. The subsequent Miasma Worm evolved into an "environment-triggered" threat, hijacking AI agent configuration files (e.g., .claude/settings.json, .cursor/rules/setup.mdc) to achieve zero-click execution upon workspace opening. This campaign compromised 176 npm packages and 37 PyPI wheels, culminating in a June 5 breach of Microsoft that disabled 73 GitHub repositories and disrupted Azure Functions deployment actions globally.
Proton Lumo 2.0: Zero-Access Encrypted AI Assistant
Proton has released Lumo 2.0, an AI assistant utilizing a zero-access encryption architecture to prevent service provider access to user prompts, chat histories, and metadata. By decoupling the AI inference layer from the data storage layer, Proton implements a secure integration layer that interfaces with frontier LLMs while maintaining zero-knowledge guarantees for stored context and multimodal data. This deployment addresses the systemic data exposure risks inherent in centralized AI models, such as Microsoft Copilot and OpenAI, providing a secure environment for enterprise-grade collaboration and private AI utility.
Interpol-Impersonation Campaign Deploying IcedID, Qakbot, and Custom Ransomware
Threat actors are executing a targeted phishing campaign impersonating Interpol to compromise small business networks. The attack chain leverages high-pressure social engineering to deliver IcedID and Qakbot initial access trojans (IATs), which are utilized for credential theft and lateral movement within the environment. The final stage involves the deployment of custom ransomware designed for data encryption and operational disruption. Notably, security researchers discovered decryption keys embedded within the ransomware payload, indicating a critical implementation flaw or a specific behavioral pattern in the malware's deployment logic.
Iranian APT Escalation: Massive Surge in Cyber Operations Against Israeli Infrastructure
Following a U.S.-Israeli military offensive, Iranian-linked Advanced Persistent Threat (APT) actors have executed a massive escalation in cyber warfare, resulting in a 300% increase in hostile incidents. Intelligence indicates 4,800 recorded attacks in June 2026, compared to approximately 1,600 in June 2025. This campaign is characterized by the tactical unification of various Iranian hacking groups utilizing shared infrastructure and coordinated Tactics, Techniques, and Procedures (TTPs). Targeting has expanded from specialized government networks to include critical infrastructure and Small and Medium-sized Businesses (SMBs) to maximize systemic disruption and social impact.
The Anthropomorphism Paradox: AI-Driven Social Engineering and Agentic Risk
The Anthropomorphism Paradox describes a systemic vulnerability where human-centric AI design facilitates cognitive exploits. By leveraging the "Eliza Effect," attackers induce misplaced trust to execute data leakage and credential disclosure. Furthermore, the evolution of passive LLMs into agentic entities with API and tool-access creates a new class of Non-Human Identities (NHIs). These autonomous agents expand the attack surface, acting as "insider threats" that can be manipulated via prompt injection to perform unauthorized actions, while anthropomorphic terminology obscures technical accountability and legal liability during incident response.
ValleyRAT: Advanced Stealth RAT Utilizing RC4, Donut Shellcode, and Kernel-Mode Rootkits
ValleyRAT is a modular Remote Access Trojan (RAT) leveraging a multi-stage infection chain to achieve deep system persistence and invisibility. Initial access is gained via deceptive software installers, followed by the deployment of position-independent shellcode generated by Donut and injected into rundll32.exe using Asynchronous Procedure Calls (APCs). The malware employs RC4 stream ciphers for C2 communication and configuration obfuscation. Most critically, it deploys a kernel-mode rootkit to operate beneath the visibility of user-mode security tools, enabling undetected data exfiltration. This threat is primarily associated with WinOS 4.0 campaigns targeting Taiwanese entities, indicating a sophisticated state-sponsored espionage operation.
PolinRider: DPRK Supply Chain Offensive Targeting npm, Claude Code, and GitHub CLI
North Korean state-sponsored actors, associated with the PolinRider operation and Contagious Interview campaign, are executing a multi-vector supply chain offensive targeting the developer ecosystem. By compromising GitHub maintainer accounts and utilizing package impersonation, the actors injected malicious code into npm, Packagist, and Go ecosystems. The campaign specifically targets modern toolchains, including Claude Code and GitHub CLI, to deploy Windows Remote Access Trojans (RATs), Linux native C rootkits, and credential stealers aimed at SSH keys and developer tokens. With over 108 unique malicious packages and extensions identified, the operation seeks persistent high-level access to DevOps environments and AI-assisted coding workflows.
Agentic AI Ransomware Operations via Langflow JADEPUFFER
The JADEPUFFER campaign marks a shift toward autonomous, agentic ransomware operations utilizing the Langflow orchestration framework to execute end-to-end attack chains. By leveraging LLM reasoning for real-time decision-making, the attacker weaponized Langflow's tool-calling capabilities to automate reconnaissance, credential harvesting, and lateral movement after gaining initial access through vulnerabilities in Nacos. This autonomous agent functioned at "machine speed," identifying target databases and executing exfiltration and encryption without human intervention. The attack highlights a critical vulnerability in low-code AI orchestration tools that allow LLMs to execute arbitrary code and interact with system shells, bypassing traditional heuristic detections.
Function Stomping and Zig-Strike Evasion Techniques
Function stomping, referred to as "Trick 55," marks a strategic shift from external memory injection toward internal memory repurposing. By utilizing VirtualProtect to transition existing Read-Execute (RX) code segments to Read-Write-Execute (RWX), attackers can overwrite legitimate function prologues with malicious shellcode using memcpy. This methodology effectively bypasses EDR and AV heuristics that focus on the allocation of new, suspicious executable memory regions. By embedding the payload within the process's original memory footprint, attackers evade detection via Windows VAD or Linux /proc/self/maps, significantly increasing the forensic difficulty and analyst workload required to identify modified code segments during an investigation.
NIST Post-Quantum Cryptography Standards and pyca/cryptography Implementation
The US government is mandating a transition to Post-Quantum Cryptography (PQC) to mitigate "Harvest Now, Decrypt Later" (HNDL) threats from future large-scale quantum computers capable of breaking RSA and ECC. Driven by recent Executive Orders, the migration requires implementing NIST-standardized algorithms, specifically FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). This shift is not a drop-in replacement; it introduces significant data overhead in key and signature sizes. Implementation is surfacing in critical low-level libraries like pyca/cryptography (v48), which utilizes Rust bindings and AWS-LC to support these new primitives, impacting over 1.2 billion monthly downloads across critical infrastructure tools like Ansible and Certbot.
Darkmoon: Transitioning AI to Autonomous Active Directory Pentesting Agents
Darkmoon represents a strategic transition from stateless LLM-based chatbots to autonomous "agentic" systems designed for complex Active Directory (AD) exploitation. By implementing a recursive "Enumerate -> Reason -> Pivot" agent loop, the framework effectively overcomes the context window and statefulness limitations inherent in standard large language models. The system utilizes modular Markdown playbooks as state engines and a specialized State Proxy to maintain session context across multi-step, non-linear attack paths. This architecture enables autonomous discovery of privilege escalation routes and domain compromise via automated tool integration, providing an auditable and reproducible evidence trail for every stage of the exploit lifecycle.
Kairos Extortion Group: Data Exfiltration and Extortion of U.S. Government Entity
The Kairos threat group successfully executed a high-impact data exfiltration campaign against an undisclosed U.S. government entity, resulting in a verified $1 million ransom payment confirmed via blockchain analysis. Departing from traditional ransomware TTPs, Kairos bypassed encryption-based locking mechanisms to leverage "encryption-less" extortion, focusing exclusively on the theft and threatened release of sensitive government intelligence. The attack utilized specialized exfiltration tools and protocols to move large datasets, highlighting a critical failure in existing data loss prevention (DLP) strategies and a strategic shift in threat actor monetization focusing on confidentiality compromise over system availability.
Anubis Ransomware Exploitation of Citrix NetScaler CVE-2025-5777
The Anubis Ransomware group is executing high-velocity exploitation of CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC/Gateway appliances, colloquially known as "Citrix Bleed 2." This vulnerability permits session token and memory disclosure, allowing attackers to bypass authentication and hijack active sessions. By targeting edge-facing infrastructure, Anubis circumvents traditional perimeter defenses to gain initial access, facilitating lateral movement and the subsequent deployment of ransomware payloads. This campaign marks a strategic shift toward leveraging N-day vulnerabilities in critical network appliances to conduct large-scale extortion and enterprise-wide encryption.
Microsoft: Goal Hijacking and Zero-Click RCE via Poisoned MCP Tool Descriptions
Microsoft's AI Red Team and Lakera AI have identified a critical vulnerability in agentic AI systems utilizing the Model Context Protocol (MCP). Adversaries can poison the natural language descriptions of MCP tools to deceive AI agents into "Goal Hijacking," redirecting the agent from its intended objective to attacker-defined tasks. This vulnerability enables zero-click exploit chains where agents autonomously execute malicious actions, including remote code execution (RCE) in agentic IDEs and unauthorized data exfiltration, without requiring user interaction beyond the agent's initial deployment. This mechanism effectively bypasses traditional human-in-the-loop safeguards by exploiting the agent's inherent trust in tool metadata.
Agentjacking: CVE-2026-12957 Exploits Amazon Q via Malicious MCP Configurations
Wiz Research has identified a high-severity vulnerability (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer that allows for remote code execution (RCE) via "Agentjacking." By leveraging the Model Context Protocol (MCP), attackers utilize a "Fake Bug Report" social engineering vector to lure developers into opening booby-trapped repositories. These repositories contain a malicious .amazonq/mcp.json configuration file, which the AI agent automatically parses and executes with the developer's full environment privileges. This creates a direct pipeline from a local IDE session to enterprise cloud infrastructure compromise, enabling the exfiltration of live AWS credentials, API keys, and SSH agent access, effectively bypassing traditional perimeter-based security controls.
Multi-Vector Supply Chain Campaign: Mastra AI, GitHub Actions, and Arch Linux AUR Compromise
A sophisticated supply chain campaign, attributed to the suspected threat actor TeamPCP, has simultaneously targeted the Mastra AI framework via npm, GitHub Actions CI/CD workflows, and the Arch Linux User Repository (AUR). The attack utilized dormant contributor account takeovers to poison the @mastra npm scope using the easy-day-js dependency and hijacked GitHub Action version tags to exfiltrate CI/CD credentials. Additionally, over 1,500 AUR packages were compromised with eBPF-based rootkit malware. This coordinated infrastructure, linked by the "Mini Shai-Hulud" worm, facilitates widespread code execution, credential theft, and persistent rootkit deployment across development, DevOps, and end-user Linux environments.
The Human Element: Jasper Sleet and DPRK Employment Fraud
DPRK-aligned threat actors, specifically those tracked as Jasper Sleet, are infiltrating Western technology firms by securing legitimate remote employment through synthetic identities and AI-generated personas. By leveraging residential proxy networks and deepfake technology to bypass KYC and I-9 verification, these actors establish an "ultimate insider" position. This vector enables direct sanctions evasion via salary diversion and creates high-risk supply chain vulnerabilities, including the insertion of malicious code into corporate repositories and the theft of intellectual property. Mitigation requires transitioning from perimeter-based security to a rigorous Zero Trust identity lifecycle and behavioral monitoring of privileged technical roles.
Indirect Prompt Injection via Model Context Protocol MCP and OpenAPI Specifications
Adversaries are pivoting from direct prompt injection to indirect injection attacks targeting agentic AI systems by poisoning external data sources. By manipulating Model Context Protocol (MCP) tool definitions and OpenAPI/Swagger specifications, attackers embed malicious instructions within metadata fields such as 'description' or 'parameter'. When an AI agent parses this documentation to resolve tool-calling logic, it interprets the embedded payloads as functional requirements. This enables unauthorized tool execution, facilitating sensitive data exfiltration to attacker-controlled callback URLs, privilege escalation, and fraudulent financial transactions, including cryptocurrency payments. This vulnerability fundamentally compromises the security boundary of AI agents utilizing external tool integration and grounding.
Linux Kernel: Critical Local Privilege Escalation via Bad Epoll CVE-2026-46242
CVE-2026-46242, dubbed "Bad Epoll," is a critical local privilege escalation (LPE) vulnerability residing in the Linux kernel's epoll subsystem within fs/eventpoll.c. The flaw allows an unprivileged local attacker to trigger a memory corruption primitive, granting full root-level access to the host system. This vulnerability impacts a vast ecosystem, including enterprise Linux servers, desktop distributions, and the Android mobile operating system. Remediation requires applying the official patches from the Linux kernel stable tree. This case notably highlights the limitations of AI-driven vulnerability research, as the 'Mythos' AI model failed to detect this specific flaw despite auditing the same code segment.
Critical OS-Level RCE via "DuneSlide" in Cursor AI
Researchers at Cato Networks have identified "DuneSlide," a pair of critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI IDE. These flaws enable prompt-injection-driven sandbox escapes, escalating from LLM interactions to full operating system-level Remote Code Execution (RCE). Attackers can leverage malicious Model Context Protocol (MCP) servers or poisoned web search results to manipulate the run_terminal_cmd tool and bypass path canonicalization logic via symbolic links. Successful exploitation allows unauthorized file writes outside the project root, enabling attackers to overwrite the cursorsandbox executable, modify shell configurations, or establish persistence via macOS LaunchAgents, resulting in total system compromise.
MacOS Backdoor 'FlutterShell' Weaponizes Google's Flutter Framework to Bypass Apple Gatekeeper
The CL-CRI-1089 threat group is executing "Operation FlutterBridge," a macOS malvertising campaign distributing the FlutterShell backdoor via malicious Google Ads. By utilizing the Google Flutter framework, attackers develop applications that undergo Apple's notarization process, successfully bypassing Gatekeeper and traditional antivirus protections. The malware employs a "thin client" architecture, hosting core malicious logic on remote, attacker-controlled servers to evade static analysis. It leverages a hidden WebView combined with a JavaScript-to-native bridge to facilitate remote command execution (RCE) and unauthorized file system access, providing persistent remote control over compromised macOS endpoints.
Breach of the Homeland Security Information Network HSIN
A significant cyberattack has compromised the Homeland Security Information Network (HSIN), a critical multi-sector intelligence-sharing platform utilized by U.S. government agencies and private industry partners. The breach involves unauthorized access to the HSIN software stack, potentially via zero-day exploitation or misconfiguration, resulting in the compromise of authentication telemetry and access logs. Investigating agencies are analyzing lateral movement artifacts and outbound traffic patterns to determine the extent of data exfiltration. This event poses a critical threat to national security intelligence continuity and the integrity of shared intelligence databases, necessitating immediate forensic investigation into potential data tampering and actor-specific indicators of compromise (IoCs).
EvilTokens: AI-Enhanced OAuth 2.0 TaaS Phishing Targeting Microsoft 365
Threat actors are utilizing "EvilTokens," a Token-as-a-Service (TaaS) framework, to compromise Microsoft 365 accounts by exploiting the OAuth 2.0 Device Code Flow. By tricking users into authorizing malicious Client IDs on legitimate Microsoft authentication pages, attackers bypass Multi-Factor Authentication (MFA) to acquire session-persistent access and refresh tokens. The campaign is scaled via the ArToken affiliate panel and leverages AI for personalized lure generation. This methodology enables long-term persistence and complete account takeover (ATO) without requiring the victim's password, effectively neutralizing traditional identity-based security controls.
PamStealer: macOS Information Stealer Impersonating Maccy Clipboard Manager
PamStealer is a specialized macOS information stealer that leverages social engineering to distribute a malicious clone of the open-source Maccy clipboard manager. The attack chain initiates through fraudulent websites hosting a malicious compiled AppleScript (.scpt) file, which acts as a primary loader to bypass initial macOS security hurdles. This loader facilitates the deployment of a secondary payload, likely authored in Rust, designed for high-performance data exfiltration. The malware specifically targets sensitive information including system-level credentials, metadata, and real-time clipboard contents, posing a critical risk to macOS users seeking productivity-enhancing open-source utilities.
FortiBleed: Mass Credential Theft Targeting FortiGate VPNs
The FortiBleed campaign leverages a suspected zero-day vulnerability in FortiGate VPN devices to facilitate mass credential theft. This operation serves as a dedicated initial access pipeline for the INC and Lynx ransomware groups, orchestrated by a single operator managing both the exploit infrastructure and ransomware negotiation panels. The campaign results in high-velocity deployment of ransomware following the compromise of verified VPN credentials, bypassing traditional perimeter defenses. Impact is characterized by widespread unauthorized access to corporate environments and subsequent data encryption.
The Cognitive Firewall: A Proactive Zero-Trust Framework for LLM Safety
Current Large Language Model (LLM) safety paradigms utilize reactive, single-turn message filtering, leaving them vulnerable to "salami-slicing" attacks. These attacks decompose malicious intent across multiple dialogue turns to evade detection. The Cognitive Firewall framework addresses this through a proactive, stateful, multi-gate Zero-Trust architecture. By employing independent oversight agents—specifically Intent, Zero-Trust Context, Consistency, and Output Risk gates—the framework monitors the evolution of user objectives and treats all asserted roles as unverified evidence. This approach shifts defense from isolated scoring to escalation-based blocking, successfully reducing attack success rates (ASR) to <2% on standard benchmarks and 14% against complex, human-authored adversarial prompts.
APT28 and LameHug: AI-Driven Dynamic Command Generation
APT28 has deployed "LameHug," a novel infostealer that integrates Large Language Models (LLMs) to generate malicious Windows commands dynamically. By shifting from hardcoded C2 scripts to AI-driven prompt sequences, LameHug adapts attack commands in real-time to the victim's environment, significantly bypassing signature-based EDR and antivirus detection. The malware utilizes dedicated exfiltration modules to steal credentials and sensitive data from NATO, EU, and US targets. This workflow represents a strategic pivot toward "AI-as-a-weapon," reducing the manual research time required for target-specific exploitation and increasing the scalability of state-sponsored espionage operations.
Critical Authentication Bypass in Gardyn Home IoT Firmware CVE-2026-13768
CVE-2026-13768 is a critical vulnerability in Gardyn Home IoT firmware resulting from CWE-798 (Use of Hardcoded Credentials). This flaw allows unauthorized remote attackers to bypass authentication mechanisms and gain full administrative access to the device. Exploitation enables lateral movement within local area networks (LAN) and provides direct control over environmental actuators, including water and nutrient delivery systems. The vulnerability was identified through firmware reverse engineering and validated via a Proof-of-Concept (PoC). Immediate remediation requires deploying the latest firmware patch provided by Gardyn Engineering to remove the static credentials.