Security teams are staring at two AI problems at once. Adversaries are using AI to iterate on phishing kits, generate lures, and rotate infrastructure faster than blocklists can follow. Employees are adopting AI tools faster than security teams can review them, pasting sensitive data into LLMs, granting OAuth permissions to AI agents, and installing AI browser extensions that nobody vetted.

Both problems play out in the same place: the browser. The most efficient way to address them is with a single platform that has deep visibility into what’s happening inside browser sessions — not two separate tools that each see half the picture.

AI-enabled attacks are outpacing traditional defenses

Security has always been a cat and mouse game between attackers and defenders, but AI is accelerating the attacker side of that equation. Phishing kits are forked, modified, and brought to market faster than ever — AI is a force multiplier for the criminal ecosystem, and it’s changing the calculus for defenders in three ways.

AI has supercharged attacker tool creation: Attackers are using AI the same way any engineer would: to multiply their output. We’re seeing attackers heavily use AI in the creation and iteration of PhaaS tools and kits. 

The rapid evolution of ClickFix, with new techniques like InstallFix and ConsentFix is one example. And device code phishing, which abuses a legitimate OAuth flow to bypass MFA and passkeys entirely, has surged from a research curiosity to an industrialized PhaaS offering, with more than 18 kits being actively tracked in the wild. As AitM and device code kits converge into single platforms, we’re seeing signs of heavy AI use — as we observed when we got an inside look at Doko’s Panel and derivative kits, used extensively by ShinyHunters and BlackFile. 

IoC-based detections are increasingly degraded: AI has also collapsed the cost of building convincing phishing infrastructure (which was already on the floor). A convincing-looking phishing page can be vibecoded in minutes, deployed to a fresh domain, successfully claim victims, and rotated out before any reputation service flags it. 

According to Spamhaus, 89% of phishing domains are active for fewer than two days. For organizations relying on blocklists and IOC feeds, every phishing attack is effectively a zero-day — it’s never been seen before, and the next one won’t look the same either. 

Combined with the misuse of legitimate sites for hosting and delivery of phishing links, it’s very difficult to discern good from bad when relying on low-level IoCs like domains and IPs. Recent examples are even seeing attackers host malicious links via legitimate AI chat sharing functionality (a technique we’re detecting as LLMShare). 

AI is making it easier to build and run multi-channel campaigns: Push’s own data shows that roughly 1 in 3 phishing payloads arrive via channels other than email — malvertising, social media, SEO poisoning, and so on. ClickFix is an even clearer example, where 4 in 5 payloads arrive specifically through search engine results. Email security is structurally blind to the delivery channels that are growing fastest. 

The LLMShare example is a good one here too: attackers were malvertising the links via search engine ads that are incredibly hard to spot (showing how non-email delivery + legit site abuse + misuse of AI tools themselves can combine for maximum impact). 

All three trends converge in the browser session, where payload delivery and account takeover actually happen. That’s the layer where detection needs to operate — analyzing page behavior, script execution, and malicious mechanics (session theft, malicious copy and paste, file downloads, and so on) rather than matching domains against a feed — particularly where many attacks now take place entirely inside the browser session without touching the endpoint.

Uncontrolled AI adoption is the other half of the problem

On the employee side, adoption is outrunning governance. 

There is a top-down mandate for organizations to use more AI in order to remain competitive. Attempting to block or bottleneck that process in a way that hurts potential efficiency and productivity gains is not going to cut it — so security teams need to find a way to adopt AI safely and securely. 

The signs show that this is out of control for many organizations. The 2026 Verizon DBIR found that 45% of employees are now regular AI users on corporate devices, with 67% using non-corporate accounts. Push’s own telemetry shows the average organization has 16 unique AI apps, 17 AI browser extensions, and 17 AI-connected OAuth integrations — most of them unapproved. Of file uploads to AI tools, 38% are made from personal shadow accounts rather than organizational ones.

The risks stack up quickly. Sensitive data leaves the organization through clipboard pastes and file uploads to AI tools that security teams didn’t approve and can’t monitor. AI browser extensions collect browsing context from internal applications, creating a data exfiltration path that operates outside traditional DLP. 

AI agents are requesting OAuth permissions to access organizational data — pulling information from one system, analyzing it in another, and presenting it in a third — with MCP connections now creating persistent, permissioned access that most organizations have little visibility and control over.

The 2026 Vercel breach shows where this leads: a compromised third-party AI SaaS provider’s OAuth integration became the entry point into a corporate Google Workspace tenant. ShinyHunters’ campaigns against Salesloft Drift and Gainsight demonstrated the same pattern at scale last year.

The browser sees both sides — and that’s the point

Both problems share a root cause: security-relevant activity is happening inside browser sessions that most tools can’t observe. 

Many of these attack techniques are browser-native, meaning traditional monitoring tools simply do not have the required visibility inside the browser session to detect and intercept them. 

The browser is equally the best single layer for gaining visibility and control over AI usage — it sees the apps, the OAuth grants, the extensions, and the account context. And enterprise AI tools like Claude, ChatGPT Enterprise, Microsoft Copilot, Gemini for Workspace increasingly provide native prompt logging and DLP controls on their enterprise plans. 

Combining the two means that you can use the browser to enforce which AI tools employees can access and ensure they reach the corporate tenant rather than a personal account, then rely on platform-native controls to govern activity within that environment.

The browser is what makes platform controls effective and prevents the kind of shadow AI use that can otherwise go undetected — for example, if employees are using personal accounts, there are no enterprise audit logs to inspect. And for the growing category of AI agents, agentic browsers, and MCP-connected tools that operate through OAuth grants rather than direct user interaction, the browser is where the consent decisions that authorize those agents are made.

What to ask when evaluating browser-based solutions

When you’re evaluating platforms in this space, four questions separate tools that provide genuine security telemetry from those that offer compliance reporting with limited investigative value.

Does the tool capture AI interactions that didn’t trigger a policy violation? Enforcement-first tools record what they stopped — blocked uploads, unapproved app usage, flagged file names. That’s useful for compliance, but the most significant events are often the ones that looked normal at the time: an approved extension that quietly updates its permissions, an OAuth consent grant that was technically permitted but shouldn’t have been, a user whose behavior shifted gradually before a resignation. Ask whether the tool collects telemetry for permitted events, not just violations.

Does the tool capture the full OAuth consent flow when an AI agent requests access to organizational data? Most enforcement-first tools treat OAuth as binary — approved app or blocked app. That was a reasonable model when OAuth grants were IT-managed integrations. It isn’t sufficient for agentic AI, where user-initiated consent grants happen inside browser sessions with broad scopes and frequently without security team awareness. The right tool captures what scopes were requested, who approved them, and what application received them — and can warn or block in real time.

When a new attack technique emerges that no tool has a signature for, how quickly does the platform detect it? Attackers rotate infrastructure in hours and use AI to generate new lures at scale. A detection model built on blocklists and known-bad indicators is architecturally behind any novel technique. Ask vendors to show you a specific detection that fired before the infrastructure appeared on any threat feed.

What telemetry reaches your SIEM — just alerts, or the session data that makes them investigable? Some tools send alert metadata: policy violations, timestamps, users involved. Others forward broader telemetry — credential reuse, app logins, extension installs, phishing kit detections, file uploads, clipboard activity, OAuth consents. The difference determines whether your SOC can investigate from the SIEM event itself or needs to pivot back to the vendor’s console for actual evidence.

What this looks like in practice

Push Security is a browser-based threat detection and response platform, deployed as a lightweight browser extension that can be rolled out across an organization in under an hour with no browser migration required. It treats AI visibility and control as features that extend naturally from the platform’s underlying architecture: deep browser-layer telemetry that powers both attack detection and AI governance in a single tool.

With Push, you can:

• Detect and stop emerging browser-based attack techniques, including AI-enabled phishing and quickly evolving *Fix-style attacks.

• Benefit from Push’s agentic detection pipeline, which continuously hunts across customer environments to identify emerging threats and ship new detections.

• Stream telemetry to your SIEM for a wide variety of events, including attack detections, newly installed browser extensions or newly adopted apps, updates to extension permissions, file uploads and downloads, clipboard pastes, app logins, credential reuse, OAuth consents, and more.

• Block file uploads and downloads.

• Block clipboard pastes of sensitive data, with regex-based patterns you can define.

• Write your own custom YAML rules targeting specific elements of the page DOM, web requests and responses, HTTP headers such as cookies, and more.

Security teams don’t need to choose between stopping AI-enabled attacks and governing AI usage — or pay for two tools that each see half the picture.

If you’d like to learn more about Push, book a live demo.

Sponsored and written by Push Security.

Networks

High radix, low latency and low power is what AI datacenters crave, the chipmaker says

COMPUTEX 2026 Marvell enjoyed a fillip from Nvidia chief Jensen Huang at Computex, who praised the firm as it unveiled the latest 102.4 Tbps switch silicon it has purpose-built for AI infrastructure.

The fabless semiconductor biz announced upcoming availability of its Teralynx T100 chip to coincide with the Taiwanese trade show, claiming that it needs 25 percent lower power than competitive solutions with lower latency for AI training and inference workloads.

But the firm is late to this party, as other vendors are already shipping their equivalent products, such as Broadcom’s Tomahawk 6 that launched last year, or Cisco’s Silicon One G300 announced earlier this year.

That didn’t stop Nvidia’s Huang from styling Marvell as the “next trillion-dollar company,” and saying that its networking and connectivity chips are essential to datacenters where compute tasks are distributed across thousands of connected nodes.

According to Reuters, the chipmaker’s shares surged in value more than 24 percent in pre-market trading following Huang’s remarks. The rockstar CEO will no doubt be pleased, as his company invested $2 billion in Marvell earlier this year, at the same time as announcing a strategic partnership to connect the firm with Nvidia’s AI factory initiative.

Marvell has an estimated market capitalization of approximately $179 billion to $196 billion, so it has some way to go to get to that trillion-dollar mark, but perhaps it is hoping its new silicon will get it there.

As GPU racks approach 120 KW of power, a low-power switch enables datacenters to deploy larger numbers of accelerators within existing power envelopes, the firm says.  

The Teralynx T100 is a monolithic device manufactured using a 3nm process technology, which eliminates unnecessary legacy elements that otherwise increase power and die area. Because of this, it comes in at under 1000 W typical power, which sounds like an awful lot to us, but it is claimed to be 25 percent lower than rivals.

For scale-out deployments, the switch chip supports up to a 512-port radix, enabling operators to consolidate network tiers and reduce latency across large AI training clusters. The more ports there are in a switch, the higher the radix, and the fewer of them are needed for a given number of endpoints, as The Register previously detailed, cutting latency by flattening the hierarchy.

However, for scale-up deployments, Marvell says the product’s programmable pipeline architecture supports a variety of interconnect standards and emerging scale-up fabric protocols. These include the Ethernet Scale-Up Networking (ESUN) protocol, the latest Ultra Ethernet Consortium (UEC) requirements and evolving AI Ethernet fabrics.

“The Teralynx T100 was purpose-built for AI – designed without the legacy baggage that inflates power, and engineered to deliver the deterministic performance and efficiency required to scale next-generation datacenter infrastructure,” Marvell’s Data Center Switch Business Unit VP Rishi Chugh remarked.

“As AI workloads evolve and scale exponentially, hyperscalers require network architectures that optimize latency, power and scalability simultaneously,” he added.

The Teralynx T100 switch will begin sampling to customers this quarter. It will be available in multiple package configurations, including ball grid array (BGA), co-packaged copper (CPC) and co-packaged optics (CPO) implementations. ®

Multiple Instagram users had their accounts hijacked after attackers convinced Meta’s AI-powered support tools that they were the legitimate owners.

In many cases, impacted users are unable to recover access due to the platform’s use of automated assistance that involves only AI/chatbot loops and no human support agents.

On Monday, multiple holders of rare and high-value accounts reported suddenly losing access to their accounts, claiming that their identities had been verified via facial scans and that they had enabled safeguards such as two-factor authentication (2FA).

Among the impacted accounts were one previously used by the Obama White House team, one belonging to app researcher Jane Manchun Wong, @hey, and @korn.

The owner of the @korn account, who noted that the band never officially claimed the account and is using another one, expressed frustration with Meta’s recovery mechanism, which had put them in a time-wasting loop.

“I spent 6 hours trying to get human support, and Meta’s support AI gave me 4 broken links in a row,” explained the user identifying as Kornel.

“We’re at the point where one AI stole it, and another can’t fix it, zero humans in the loop anywhere,” the @korn account owner said.

According to some reporters, the account-hijacking attacks were trivial. The activity involved chatting with Meta’s AI assistant, convincing it that the attacker was the legitimate account owner, and tricking it into changing the associated email address.

The takeover process starts with the threat actor activating the “forgot password” protocol due to the account being hacked. When Instagram’s AI-powered assistance asks the user to verify with a selfie, the attacker uses a photo from the target’s account, passes it through an AI video generator to turn it into an animation, and uploads it to Meta for verification.

User André says that “Meta’s AI just accepts it because it can’t tell the difference between a real selfie and an AI-generated video of someone’s face.” They also added that the takeover method bypasses 2FA protections.

“Then you try to recover your account, and you’re talking to a chatbot that has zero ability to help. You can’t escalate to a human. You’re just stuck. Your asset is gone, and there’s no one to call,” André said.

Some reports claim that attackers used VPN services to appear as if they connected from the target’s usual region, to pass geolocation checks that would trigger a more complex login flow for added security.

After changing the email address, the attacker could initiate a password reset process and receive the required security code for gaining access to the account.

Some online reports claim that the @e and @f one-letter accounts on Instagram were obtained through an active exploit. However, others dispute this information, arguing that the usernames were secured by an individual with internal privileges. BleepingComputer was not able to independently verify either claim.

Because single-letter social media accounts are very rare, they have a high value on the black market, typically in the tens of thousands of U.S. dollars.

While Meta has yet to publish a press release with an official response to the situation, the company’s vice president of communications, Andy Stone, replied on social media to an affected user stating that the “issue has been resolved, and we are securing impacted accounts.”

BleepingComputer has contacted Meta with a request for a comment, but we have not heard back as of publishing.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.

This guide covers the 6 surfaces you actually need to validate.

Download Now