Critical OS-Level RCE via "DuneSlide" in Cursor AI

Researchers at Cato Networks have identified "DuneSlide," a pair of critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI IDE. These flaws enable prompt-injection-driven sandbox escapes, escalating from LLM interactions to full operating system-level Remote Code Execution (RCE). Attackers can leverage malicious Model Context Protocol (MCP) servers or poisoned web search results to manipulate the run_terminal_cmd tool and bypass path canonicalization logic via symbolic links. Successful exploitation allows unauthorized file writes outside the project root, enabling attackers to overwrite the cursorsandbox executable, modify shell configurations, or establish persistence via macOS LaunchAgents, resulting in total system compromise.

Convergence of Agentic AI Hijacking, MFA Bypass, and Software Supply Chain Compromise

Attackers are converging credential theft, AI-driven MFA bypass, and agentic toolchain hijacking into a unified assault on AI infrastructure. Utilizing generative social engineering and real-time session hijacking, adversaries bypass legacy Multi-Factor Authentication (MFA) to establish identity-layer footholds. Following initial access, attackers leverage the Model Context Protocol (MCP) and inject malicious "skills" or plugins to weaponize autonomous agents. This lifecycle transforms AI agents from productivity tools into high-privilege, autonomous execution engines, enabling systemic lateral movement and exploitation across the software supply chain via corrupted model-based dependencies and agentic workflows.

Linux Kernel: Critical Local Privilege Escalation via Bad Epoll CVE-2026-46242

CVE-2026-46242, dubbed "Bad Epoll," is a critical local privilege escalation (LPE) vulnerability residing in the Linux kernel's epoll subsystem within fs/eventpoll.c. The flaw allows an unprivileged local attacker to trigger a memory corruption primitive, granting full root-level access to the host system. This vulnerability impacts a vast ecosystem, including enterprise Linux servers, desktop distributions, and the Android mobile operating system. Remediation requires applying the official patches from the Linux kernel stable tree. This case notably highlights the limitations of AI-driven vulnerability research, as the 'Mythos' AI model failed to detect this specific flaw despite auditing the same code segment.

Critical Authentication Bypass in Gardyn Home IoT Firmware CVE-2026-13768

CVE-2026-13768 is a critical vulnerability in Gardyn Home IoT firmware resulting from CWE-798 (Use of Hardcoded Credentials). This flaw allows unauthorized remote attackers to bypass authentication mechanisms and gain full administrative access to the device. Exploitation enables lateral movement within local area networks (LAN) and provides direct control over environmental actuators, including water and nutrient delivery systems. The vulnerability was identified through firmware reverse engineering and validated via a Proof-of-Concept (PoC). Immediate remediation requires deploying the latest firmware patch provided by Gardyn Engineering to remove the static credentials.

Microsoft: Goal Hijacking and Zero-Click RCE via Poisoned MCP Tool Descriptions

Microsoft's AI Red Team and Lakera AI have identified a critical vulnerability in agentic AI systems utilizing the Model Context Protocol (MCP). Adversaries can poison the natural language descriptions of MCP tools to deceive AI agents into "Goal Hijacking," redirecting the agent from its intended objective to attacker-defined tasks. This vulnerability enables zero-click exploit chains where agents autonomously execute malicious actions, including remote code execution (RCE) in agentic IDEs and unauthorized data exfiltration, without requiring user interaction beyond the agent's initial deployment. This mechanism effectively bypasses traditional human-in-the-loop safeguards by exploiting the agent's inherent trust in tool metadata.

Kaspersky Compromise Assessments and Anthropic Claude Code Data Leakage

Kaspersky's 2025 Compromise Assessments reveal systemic detection failures, with threat actor dwell times reaching four years and 52% of high-severity breaches persisting beyond 90 days. Concurrent research into Anthropic's Claude Code highlights a critical data exfiltration vector where the tool captures confidential files and session data, leading to corporate bans by organizations like Alibaba. Technical artifacts include the NSABuffMiner crypto-mining malware and AI-driven exfiltration mechanisms, indicating a dual threat of long-term persistent compromises and emergent AI-driven supply chain leakage across government (29%) and financial (17%) sectors.

The Cognitive Firewall: A Proactive Zero-Trust Framework for LLM Safety

Current Large Language Model (LLM) safety paradigms utilize reactive, single-turn message filtering, leaving them vulnerable to "salami-slicing" attacks. These attacks decompose malicious intent across multiple dialogue turns to evade detection. The Cognitive Firewall framework addresses this through a proactive, stateful, multi-gate Zero-Trust architecture. By employing independent oversight agents (specifically Intent, Zero-Trust Context, Consistency, and Output Risk gates), the framework monitors the evolution of user objectives and treats all asserted roles as unverified evidence. This approach shifts defense from isolated scoring to escalation-based blocking, successfully reducing attack success rates (ASR) to under 2% on standard benchmarks and 14% against complex, human-authored adversarial prompts.

CISA Emergency Directive 26-01: Microsoft Entra ID MFA Bypass

CISA Emergency Directive 26-01 mandates the immediate remediation of a critical MFA bypass vulnerability in Microsoft Entra ID. Threat actors exploited the legacy Resource Owner Password Credentials (ROPC) OAuth 2.0 flow via the Azure CLI to conduct high-volume password spraying. This vector bypasses Conditional Access (CA) policies and MFA challenges by utilizing non-interactive authentication. Between June 12 and June 26, 2026, over 81 million login attempts were recorded, resulting in the compromise of 78+ accounts across 64 organizations. Immediate remediation requires the total disablement of the ROPC flow or its restriction to isolated service accounts to secure the cloud identity perimeter.

Anubis Ransomware Exploitation of Citrix NetScaler CVE-2025-5777

The Anubis Ransomware group is executing high-velocity exploitation of CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC/Gateway appliances, colloquially known as "Citrix Bleed 2." This vulnerability permits session token and memory disclosure, allowing attackers to bypass authentication and hijack active sessions. By targeting edge-facing infrastructure, Anubis circumvents traditional perimeter defenses to gain initial access, facilitating lateral movement and the subsequent deployment of ransomware payloads. This campaign marks a strategic shift toward leveraging N-day vulnerabilities in critical network appliances to conduct large-scale extortion and enterprise-wide encryption.

GREYVIBE Leverages ChatGPT and Google Gemini for AI-Augmented Operations against Ukraine

Russia-aligned threat group GREYVIBE is utilizing OpenAI's ChatGPT and Google Gemini to facilitate "capability equalization" during cyber offensive operations against Ukrainian infrastructure. By integrating large language models (LLMs) into the cyber kill chain, the actor automates the generation of linguistically precise phishing lures, develops malware-related scripts, and streamlines post-compromise reconnaissance and lateral movement. This AI-augmented workflow enables the concurrent execution of five parallel attack chains, significantly reducing the technical skill barrier and operational cost-per-attack. The campaign demonstrates a strategic shift toward using commercial AI to mimic APT-level sophistication, posing an increased threat to critical sectors in Ukraine.

Aadhaar APIs and Government Domain Registrars: Systemic Data Exposure in Indian National Infrastructure

Rapid digital transformation in India has outpaced cybersecurity governance, resulting in critical data leaks across national infrastructure. Primary vectors include authentication bypass methods within Aadhaar APIs and misconfigurations in .gov.in and .nic.in domain registrars. These vulnerabilities facilitate the exposure of massive volumes of Personally Identifiable Information (PII). To counter sophisticated state-sponsored actors and criminal groups, the Indian Computer Emergency Response Team (CERT-In) is pivoting toward AI-driven risk operations. This shift aims to address high Mean Time to Remediation (MTTR) and bridge the gap between machine-speed digitization and human-speed administrative security responses.

PamStealer: macOS Information Stealer Impersonating Maccy Clipboard Manager

PamStealer is a specialized macOS information stealer that leverages social engineering to distribute a malicious clone of the open-source Maccy clipboard manager. The attack chain initiates through fraudulent websites hosting a malicious compiled AppleScript (.scpt) file, which acts as a primary loader to bypass initial macOS security hurdles. This loader facilitates the deployment of a secondary payload, likely authored in Rust, designed for high-performance data exfiltration. The malware specifically targets sensitive information including system-level credentials, metadata, and real-time clipboard contents, posing a critical risk to macOS users seeking productivity-enhancing open-source utilities.

EvilTokens: AI-Enhanced OAuth 2.0 TaaS Phishing Targeting Microsoft 365

Threat actors are utilizing "EvilTokens," a Token-as-a-Service (TaaS) framework, to compromise Microsoft 365 accounts by exploiting the OAuth 2.0 Device Code Flow. By tricking users into authorizing malicious Client IDs on legitimate Microsoft authentication pages, attackers bypass Multi-Factor Authentication (MFA) to acquire session-persistent access and refresh tokens. The campaign is scaled via the ArToken affiliate panel and leverages AI for personalized lure generation. This methodology enables long-term persistence and complete account takeover (ATO) without requiring the victim's password, effectively neutralizing traditional identity-based security controls.

FortiBleed: Mass Credential Theft Targeting FortiGate VPNs

The FortiBleed campaign leverages a suspected zero-day vulnerability in FortiGate VPN devices to facilitate mass credential theft. This operation serves as a dedicated initial access pipeline for the INC and Lynx ransomware groups, orchestrated by a single operator managing both the exploit infrastructure and ransomware negotiation panels. The campaign results in high-velocity deployment of ransomware following the compromise of verified VPN credentials, bypassing traditional perimeter defenses. Impact is characterized by widespread unauthorized access to corporate environments and subsequent data encryption.

Multi-Vector Supply Chain Campaign: Mastra AI, GitHub Actions, and Arch Linux AUR Compromise

A sophisticated supply chain campaign, attributed to the suspected threat actor TeamPCP, has simultaneously targeted the Mastra AI framework via npm, GitHub Actions CI/CD workflows, and the Arch Linux User Repository (AUR). The attack utilized dormant contributor account takeovers to poison the @mastra npm scope using the easy-day-js dependency and hijacked GitHub Action version tags to exfiltrate CI/CD credentials. Additionally, over 1,500 AUR packages were compromised with eBPF-based rootkit malware. This coordinated infrastructure, linked by the "Mini Shai-Hulud" worm, facilitates widespread code execution, credential theft, and persistent rootkit deployment across development, DevOps, and end-user Linux environments.

Critical Memory Overread Vulnerability in Citrix NetScaler CVE-2026-8451

Citrix has identified a high-severity memory overread vulnerability (CVE-2026-8451, CVSS 8.8) affecting NetScaler ADC and NetScaler Gateway. The flaw stems from insufficient input validation, allowing unauthenticated attackers to trigger memory dumps and expose sensitive session data or credentials. This vulnerability is specifically critical for instances configured as a SAML Identity Provider (IdP). Active exploitation has been observed in the wild, mirroring the mechanics of the previous "CitrixBleed" exploit. Remediation requires immediate firmware updates to address this and five associated vulnerabilities, including CVE-2026-8452 and CVE-2026-13474, to prevent unauthorized resource access.

FBI Seizure of NetNut Residential Proxy Platform and Popa Botnet

The FBI and Google Threat Analysis Group (TAG) have dismantled the NetNut residential proxy platform and the associated Popa botnet, which compromised approximately two million home IoT devices, including Smart TVs. The operation leveraged malicious SDKs embedded in legitimate software to transform residential hardware into a for-hire relay network, masking malicious traffic and supporting broader cyber operations. This disruption involved the seizure of hundreds of command-and-control (C2) and proxy domains. The infrastructure was managed by Alarum Technologies, a publicly traded company, highlighting a sophisticated abuse of the residential proxy business model to facilitate botnet-scale traffic obfuscation.

Breach of the Homeland Security Information Network HSIN

A significant cyberattack has compromised the Homeland Security Information Network (HSIN), a critical multi-sector intelligence-sharing platform utilized by U.S. government agencies and private industry partners. The breach involves unauthorized access to the HSIN software stack, potentially via zero-day exploitation or misconfiguration, resulting in the compromise of authentication telemetry and access logs. Investigating agencies are analyzing lateral movement artifacts and outbound traffic patterns to determine the extent of data exfiltration. This event poses a critical threat to national security intelligence continuity and the integrity of shared intelligence databases, necessitating immediate forensic investigation into potential data tampering and actor-specific indicators of compromise (IoCs).

Retaliatory Espionage against EU PEGA Committee via NSO Group Pegasus

Forensic analysis by Citizen Lab confirmed that Stelios Kouloglou, a member of the EU's PEGA Committee, was twice infected with NSO Group's Pegasus spyware. The campaign utilized advanced mobile exploitation to compromise a device specifically tasked with investigating commercial surveillance abuses. This breach resulted in the potential exfiltration of sensitive European Parliament communications and internal PEGA Committee investigative strategies. The attack demonstrates a targeted retaliatory pattern where commercial spyware is deployed by government customers to monitor and intimidate democratic oversight bodies, compromising the integrity of legislative deliberations and diplomatic security.

The Vect and TeamPCP Alliance: Industrialized Supply Chain and Cloud-Native Ransomware Orchestration

The convergence of the Vect Ransomware-as-a-Service (RaaS) operation and the TeamPCP threat actor marks a strategic shift toward a vertically integrated cybercrime model. Vect provides high-volume initial access and credential harvesting, while TeamPCP specializes in ransomware orchestration and the development of cloud-native worms. This alliance targets the software development lifecycle through industrialized supply chain compromises of CI/CD pipelines and developer tools. By leveraging stolen OAuth tokens and API keys, the actors facilitate lateral movement across AWS, Azure, and GCP environments. The campaign focuses on cloud-native extortion, utilizing exfiltration of S3 buckets and database snapshots to maximize leverage against enterprise targets.

Indirect Prompt Injection via SEO Poisoning Targeting OpenAI, Anthropic, and Google AI Agents

Attackers are leveraging Indirect Prompt Injection (IPI) to hijack AI agents from OpenAI, Anthropic, and Google by weaponizing the Retrieval-Augmented Generation (RAG) process. Through SEO poisoning, malicious sites are prioritized in agent grounding searches, delivering hidden payloads via CSS (display:none, opacity:0) and zero-width characters. These invisible instructions override system prompts to execute unauthorized tool-use functions, enabling cryptojacking via WebAssembly and the exfiltration of sensitive session data to attacker-controlled endpoints. This vulnerability shifts the primary attack vector from direct user input to external, untrusted data sources utilized for agentic autonomy.

U.S. State Department Issues $10M Bounty Targeting UNC5792 and UNC4221 via Signal and WhatsApp Phishing Campaigns

The U.S. Department of State has announced a $10 million reward for actionable intelligence identifying Russian-linked threat actors UNC5792 and UNC4221. These actors focus on bypassing end-to-end encryption (E2EE) on Signal and WhatsApp through sophisticated account takeover (ATO) workflows. By utilizing advanced social engineering, credential harvesting, and session hijacking, the groups compromise mobile identities of high-value targets, including military and diplomatic personnel. The campaign targets the application layer to circumvent cryptographic protections, facilitating large-scale intelligence exfiltration from mobile endpoints. This shift toward identity-centric exploitation bypasses traditional network perimeter defenses, necessitating enhanced hardware-backed authentication and mobile-specific threat intelligence.

APT28 and LameHug: AI-Driven Dynamic Command Generation

APT28 has deployed "LameHug," a novel infostealer that integrates Large Language Models (LLMs) to generate malicious Windows commands dynamically. By shifting from hardcoded C2 scripts to AI-driven prompt sequences, LameHug adapts attack commands in real time to the victim's environment, making it significantly harder for signature-based EDR and antivirus products to detect. The malware utilizes dedicated exfiltration modules to steal credentials and sensitive data from NATO, EU, and US targets. This workflow represents a strategic pivot toward "AI-as-a-weapon," reducing the manual research time required for target-specific exploitation and increasing the scalability of state-sponsored espionage operations.

The Rise of Agentic AI: New Attack Surfaces in Coding Agents and MCP

The transition from passive LLM suggestions to agentic AI introduces critical vulnerabilities via Indirect Prompt Injection and Model Context Protocol (MCP) tool poisoning. By exploiting the LLM's inability to distinguish between data and instructions, attackers can embed malicious commands in external sources that agents process. When agents possess privileged toolsets—including Git write access and filesystem interaction—these injections enable remote code execution (RCE), silent supply chain compromise through unauthorized repository commits, and the exfiltration of environment variables or SSH keys. This expands the attack surface from simple prompt manipulation to automated, privileged system exploitation.

The 2026 Resilience Paradox: Microsoft and Adobe Critical Vulnerability Surge

The June 2026 security updates for Microsoft and Adobe address a systemic surge in vulnerabilities, highlighting a "resilience paradox" where AI-accelerated discovery outpaces human remediation. Critical risks include wormable RCEs in the Windows Kernel (CVE-2026-45657), HTTP.sys (CVE-2026-47291), and the DHCP Client (CVE-2026-44815), all rated CVSS 9.8. Adobe Campaign Classic (APSB26-66) reached a CVSS 10.0. Active exploitation of CVE-2026-41091 (Defender EoP) is confirmed. Remediation requires immediate kernel patching, specific registry modifications for HTTP.sys to mitigate unauthenticated remote execution, and urgent deployment of Adobe bulletins to prevent total environment compromise.

Indirect Prompt Injection Hijacks Claude Code and AI Coding Agents

Researchers from Mozilla 0DIN have identified critical Indirect Prompt Injection (IPI) vulnerabilities within Claude Code and other agentic AI coding tools. By embedding malicious instructions in seemingly benign external data, such as GitHub README files or bug reports, attackers can manipulate the agent's control flow to execute unauthorized system commands. This exploitation enables Remote Code Execution (RCE) on developer workstations, often evading traditional EDR/AV because the hijacking is instruction-based rather than delivered as binary malware. Specifically, the research demonstrates an escalation path where the agent is coerced into establishing a reverse shell through DNS TXT records, providing a covert Command and Control (C2) channel that facilitates full machine compromise.

Russian State-Sponsored Deployment of StockStay and SharkLoader

Russian state-sponsored actors Turla and Gamaredon are deploying AI-augmented malware and custom toolsets to target critical infrastructure and diplomatic entities in Ukraine, Italy, Taiwan, and Indonesia. The campaign utilizes SharkLoader to deliver Cobalt Strike Beacons and a .NET-based backdoor, StockStay, which employs secure WebSocket connections for C2 and the Windows Forms framework for persistence. Initial access is frequently achieved via WinRAR vulnerabilities. Notably, the integration of AI-driven "dynamic payload adaptation" enables real-time modification of malware signatures to bypass traditional EDR and AV detections, shifting the defensive requirement from static IOC blocking to anomaly-based behavioral detection.

Critical Unauthenticated RCE in Adobe ColdFusion CVE-2026-48281

Adobe has released security update APSB26-68 to address seven maximum-severity vulnerabilities in ColdFusion, headlined by CVE-2026-48281. This vulnerability carries a CVSS 10.0 rating, enabling unauthenticated remote code execution (RCE) by exploiting improper input validation or deserialization flaws within specific ColdFusion tags or functions, such as <cfinvoke> and <cfcomponent>. Successful exploitation allows an attacker to achieve full system control, facilitating lateral movement and privilege escalation within the enterprise network. Organizations running legacy ColdFusion environments face heightened risk, especially as Proof-of-Concept (PoC) research and exploit availability increase following public disclosure. Immediate patching is required to mitigate the risk of widespread exploitation.

AMOS Stealer Deployment via ClickFix Social Engineering on macOS

Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack leverages browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok), prompting users to manually copy and execute a malicious command in the macOS Terminal. This sequence bypasses browser security and Gatekeeper by utilizing curl or wget to download a DMG file, which is then silently mounted via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.

Microsoft Defender: RoguePlanet Zero-Day CVE-2026-50656 and Woodgnat Exploitation

The 'Woodgnat' threat actor (KongTuke) is leveraging a critical race condition in the Microsoft Defender quarantine pipeline (CVE-2026-50656) to facilitate local privilege escalation (LPE) to SYSTEM on Windows 10 and 11. The attack chain initiates with 'ClickFix' social engineering, followed by DLL sideloading via the legitimate MpExtMs.exe binary. This enables the deployment of the 'Mistic' backdoor (utilizing EndpointDlp.dll) and the 'ModeloRAT' Python-based Trojan. This sophisticated access is subsequently auctioned to high-impact ransomware groups such as Qilin, Akira, and Black Basta, presenting a significant risk to Insurance, Education, and IT service sectors through high-durability, privileged persistence.