Google says criminals used AI-built zero-day in planned mass hack spree



AI + ML

GTIG says AI-powered hacking has moved well beyond phishing emails and chatbot tricks

Google says crooks already have AI cooking up zero-days, and claims one nearly escaped into the wild before the company stopped it.

In a report shared with The Register ahead of publication on Monday, Google’s Threat Intelligence Group said that it has identified what it believes is the first real-world case of cyber-baddies using AI to discover and weaponize a zero-day vulnerability in a planned mass-exploitation campaign. 

The bug, a two-factor authentication bypass in a popular open source web-based administration platform, was reportedly developed by criminals working together on a large-scale intrusion operation.

GTIG said that the attackers appear to have used an AI model to both identify the flaw and help turn it into a usable exploit. Google worked with the unnamed vendor to quietly patch the issue before the campaign could properly kick off, which it believes may have disrupted the operation before it gained traction.

The company insists that neither Gemini nor Anthropic’s Mythos was involved, but said that the exploit itself looked suspiciously machine-made. According to the report, the Python script included what Google described as “educational docstrings,” a hallucinated CVSS score, and a polished textbook coding structure that looked heavily influenced by LLM training data.

Google said that the issue stemmed from developers hard-coding a trust exception into the authentication flow, creating a hole that attackers could exploit to sidestep 2FA checks. According to the firm, those higher-level logic mistakes are exactly the kind of thing modern AI models are starting to get surprisingly good at finding.

“While fuzzers and static analysis tools are optimized to detect sinks and crashes, frontier LLMs excel at identifying these types of high-level flaws and hardcoded static anomalies,” the report said.

John Hultquist, chief analyst at Google Threat Intelligence Group, said anyone still treating AI-assisted vulnerability discovery as a future problem is already behind.

“There’s a misconception that the AI vulnerability race is imminent. The reality is that it’s already begun. For every zero-day we can trace back to AI, there are probably many more out there,” Hultquist said.

“Threat actors are using AI to boost the speed, scale, and sophistication of their attacks. It enables them to test their operations, persist against targets, build better malware, and make many other improvements. State actors are taking advantage of this technology but the criminal threat shouldn’t be underestimated, especially given their history of broad, aggressive attacks.”

Google’s report suggests that the zero-day case is part of something much bigger. GTIG said North Korean crew APT45 had been using AI to churn through thousands of exploit checks and bulk out its toolkit, while Chinese state-linked operators were experimenting with AI systems for vulnerability hunting and automated probing of targets.

Google also described malware families padded out with AI-generated junk code designed to confuse analysts, Android backdoors using Gemini APIs to autonomously navigate infected devices, and Russian influence operations stitching fabricated AI-generated audio into legitimate news footage.

The awkward bit for everyone else is that this still appears to be the clumsy early phase. Google said mistakes in the exploit’s implementation probably interfered with the criminals’ plans this time around, but that may not stay true for long. ®




Ofcom to investigate GB News over second airing of Trump interview | GB News


Ofcom is to investigate whether GB News breached broadcasting rules with a second showing of its interview with Donald Trump after complaints that the US president’s claims about climate change, Islam and immigration had gone unchallenged.

A series of complaints were made over the interview, which the presenter Bev Turner conducted last November.

The media regulator had previously announced it would not open an investigation into the original broadcast of the interview on the rightwing network’s US-based programme Late Show Live.

In what is emerging as a test case in its approach to impartiality, however, it has announced it will investigate a November edition of The Weekend, a GB News show that repeated the interview in full the next day.

Trump was not challenged as he claimed human-induced climate change was a hoax and that London had no-go areas for police. He said parts of the capital had sharia law.

“This programme featured an interview by GB News presenter, Bev Turner, with US president Donald Trump,” an Ofcom spokesperson said. “We are investigating whether it breached our rules on due impartiality and material misleadingness.”

Ofcom has not said why it has opened an investigation into the interview’s second showing and not the first, but it takes into account the content around an interview – such as panel discussions referring to it – as well as other context.

The Weekend was broadcast during the day in the UK, so its audience would have been higher than for the original showing of the interview, which was shown overnight.

The Guardian understands that some groups concerned about the interview’s partiality had been examining a potential legal challenge to Ofcom’s original decision against investigating it.

Ofcom’s latest decision comes after the departure of Michael Grade as its chair, though his successor, the former Channel 4 chair Ian Cheshire, has not yet formally taken up the role.

Richard Wilson, the director of the Reliable Media campaign group and a complainant about The Weekend broadcast, said the investigation had taken too long to come. “Ofcom has quietly opened an investigation six months after the programme aired,” he said. “In that time, GB News’s social media clips of Trump claiming climate change is a ‘hoax’ have clocked up over a hundred thousand engagements online.

“This is what regulatory failure looks like. Today’s announcement is welcome, but it is a direct result of sustained pressure from the public, from MPs and from civil society. The new Ofcom chair has inherited a dysfunctional regulator, and parliament must ensure he is held to account for fixing it.”

GB News said it was “surprised and concerned” by what it described as Ofcom’s “delayed decision” over the Trump interview, pointing to the regulator’s previous decision not to pursue complaints about its original airing.

“Ofcom’s U-turn over the repeat of the interview with the US president, Donald Trump, follows adverse commentary around its original decision by prominent critics of both Ofcom and GB News,” it said. “The sequence of events inevitably raises questions around the rationale for reopening the matter at this stage. It also raises serious concerns around regulatory certainty, procedural fairness and the consistency of Ofcom’s processes.

“GB News stands firmly by its journalism and editorial standards.”




Trump accuses Chuck Schumer’s new elections task force of voter suppression



The partisan battle over midterm elections is heating up in Washington, D.C., with accusations flying that both sides are trying to rig the outcome in November. 

Republicans are trying to hold on to their majority in both chambers, while Democrats are trying to pounce on sluggish legislating, infighting and rising costs in their quest to take over the House, Senate or both. 

And President Donald Trump is already accusing Democrats of election interference months before Election Day. 



President Donald Trump accused Senate Minority Leader Chuck Schumer, D-N.Y., and Democrats of trying to “interfere in our elections” with their newly launched election integrity task force. (Yuri Gripas/Abaca/Bloomberg via Getty Images; Nathan Posner/Anadolu via Getty Images)

“The Democrats are totally unhinged, and we will not allow them to threaten the integrity of our Elections,” Trump said on Truth Social.  

Senate Minority Leader Chuck Schumer, D-N.Y., and Democrats recently launched a “free and fair elections task force” that would recruit the likes of former Attorney General Eric Holder and Marc Elias, who Trump charged was “a terrible lawyer with a horrible track record.” 

“Palestinian Chuck Schumer is hiring Eric Holder, famous for handing guns to Mexican cartels under the Barack Hussein Obama administration, as part of a Democrat-led ‘Election Integrity Group’ that will no doubt try to suppress Republican voters, and interfere in our Elections,” Trump said on Truth Social.

Schumer and Senate Democrats debuted the elections task force as Republicans struggle to move forward on voter ID and citizenship verification legislation, and on the heels of the Supreme Court’s redistricting decision that is expected to further crank up the redistricting arms race across the country.



Voters arrive at a polling location at the Burton Barr Central Library on Nov. 5, 2024, in Phoenix. (Christian Petersen/Getty Images)

“Donald Trump and the Republicans realize that if the election were held fairly, that the likelihood is that they would lose, and we would win, that we would take back the House, take back the Senate,” Schumer said.

“So they are doing all kinds of nefarious things, some of them legal, some of them not so legal, to try and overturn a fair result in an election,” he continued.

Schumer described the task force’s mission as seeking out “election threats,” including actions at the administrative level by the Department of Justice (DOJ) and Department of Homeland Security (DHS), attacks on the First Amendment, foreign threats and militarization of law enforcement at the polls.

Trump countered that in the 2024 election cycle, Republicans mounted an “Election Integrity Army in every single State to preserve the sanctity of each legal vote.”

“We will be doing the same again in 2026, but it will be much bigger and stronger,” Trump said. “All Americans should have their voices be heard by casting a vote. Be assured this Election will be fair!”

Its inception is in response to what Democrats say is a “comprehensive effort” by Trump and his administration to undermine the upcoming election, particularly through efforts to pass the Safeguarding American Voter Eligibility (SAVE) America Act.



The SAVE America Act, or a version of it pushed by Sen. John Kennedy, R-La., failed last month when four Republicans joined Democrats to kill it. (Graeme Sloan/Bloomberg via Getty Images)

Trump has strongly pushed Republicans to pass the SAVE America Act, which would create federal voter ID laws, require proof of citizenship to register to vote and share information on voter rolls with DHS. Democrats say the legislation would disenfranchise millions of Americans.

But Republicans aren’t unified behind the legislation. The SAVE America Act, or a version of it pushed by Sen. John Kennedy, R-La., failed last month when four Republicans joined Democrats to kill it.

He has also called on Republicans to nationalize elections, and DHS Secretary Markwayne Mullin didn’t rule out sending federal immigration agents to polling places in the fall during his confirmation hearing earlier this year.


It’s part of what Democrats charge is a concerted effort to tip the scales in the upcoming elections.

“Donald Trump doesn’t think he did too much in 2020 to steal the election,” Sen. Chris Murphy, D-Conn., said. “He thinks he did too little, and so that’s why you are seeing, already, a comprehensive effort to try to rig and steal the fall election.”




Michael Pennington, Shakespeare and Star Wars actor, dies aged 82 | Acting


The actor Michael Pennington, known for his Shakespearean work and his role in the original Star Wars trilogy, has died aged 82, his agent has said.

Pennington, who is listed as an honorary associate artist with the Royal Shakespeare Company, also founded and ran the English Shakespeare Company alongside the theatre director Michael Bogdanov.

His fellow actor Miriam Margolyes remembered him as an “old friend, from Cambridge days, a very fine actor, brilliant, wise, clear”. She said: “I am sad beyond measure,” adding: “Bless your dear memory, old chum.”

Pennington was celebrated for his portrayals of Shakespearean characters, playing Hamlet, Mercutio and Macbeth, as well as King Lear, Richard II and Henry V. He also appeared as Coriolanus, Timon of Athens, Angelo, Leontes and Jack Cade across a 60-year career.

He directed Twelfth Night in the UK, Tokyo and Chicago and the Hamlet Project for the National Theatre Bucharest.

Michael Pennington as the Death Star commander Moff Jerjerrod in Return of the Jedi, 1983. Photograph: Maximum Film/Alamy

Giving the 2004 British Academy Shakespeare lecture, Pennington described how he had first developed a fascination with the playwright’s work. “Like trying to establish the moment when one first stood up and walked, it is hard for many of us to remember when Shakespeare first entered our lives; but my own memory is extremely precise. Shakespearean verse hit me like a hammer when I was 11.

“It was Macbeth, rolling off the stage of the Old Vic: ‘My way of life Is fall’n into the sere, the yellow leaf’. The yellow leaf? It was the beginning of winter, and this was familiar – it was what I had shuffled through a couple of hours before in our street in north London under the equally yellow streetlamps, on my way home from school.

“I didn’t know what ‘sere’ meant, but I heard its tearing sound, just as even now there are many words in Shakespeare whose weight and power in the theatre are gathered more readily than their meaning. And underneath it, that heavy beat of the verse, this new thing softly pounding.”

Pennington had a long-running association with Bogdanov, who cast him as the lead in Seán O’Casey’s The Shadow of a Gunman in 1980, and in Tolstoy’s Strider: The Story of a Horse, three years later.

A 2017 Guardian obituary of Bogdanov noted that “their impetus in founding the English Shakespeare Company came from a feeling of frustration and dissatisfaction at both the RSC and the National”.

Pennington worked with Dame Judi Dench and her husband, Michael Williams, starring in King Lear together in the 1970s, among other productions.

In an interview with the Independent in 2015, Pennington said watching Dench play Ophelia in a 1957 Hamlet production in London had inspired him to go into the theatre. “There’s no one quite like Judi. For her acting is playing: she’s a lass unparalleled.”

Alongside his stage work, Pennington appeared in more than 70 onscreen productions – including the third instalment in the original Star Wars trilogy, Return of the Jedi, as the Death Star commander Moff Jerjerrod. He also starred opposite Meryl Streep in The Iron Lady, for which she won her third Academy Award.

Pennington’s agent, Lesley Duff, said: “After a long and wonderful life and career, Michael Pennington died peacefully in the early hours of Thursday 7 May at Denville Hall.”




Frontier Airlines jet collides with trespasser on Denver airport runway on video



Newly released surveillance footage shows the harrowing moment a Frontier Airlines jet struck and killed an individual who was loitering on the runway at Denver International Airport late Friday night. 

Thermal imaging on the clip obtained by KDVR shows the unidentified person scale a perimeter fence before they walked directly into the airplane’s path.

“The trespasser on the runway was then struck by Frontier Airlines Flight 4345 during takeoff at high speed. The pilot stopped takeoff procedures immediately,” Transportation Secretary Sean Duffy wrote in a post on X.

The incident occurred around 11:19 p.m. as the plane was attempting to take off and caused a brief engine fire that was subsequently extinguished by authorities, the airport said in an X post.



Thermal imaging shows an unidentified person scaling a perimeter fence before walking into the path of a Frontier airplane at Denver International Airport on May 8, 2026. (KDVR)

Radio traffic recordings obtained by KDVR reveal the chilling description from first responders in the aftermath of the collision. 

“Runway 17L is closed,” a first responder reportedly said. “I do have limbs on the runway. I believe the aircraft struck an individual.”

The individual was “at least partially consumed” by one of the plane’s engines, ABC News reported.



Thermal imaging shows an unidentified person scaling a perimeter fence and walking into the path of a Frontier airplane at Denver International Airport on May 8, 2026. (KDVR)

Officials said 12 people were hurt and five were transported to a local hospital with injuries from the crash. Authorities have not yet revealed the identity of the individual struck by the aircraft. 

“As far as security protocols, our security teams and Denver Police regularly patrol the perimeter of the airport. The person scaled the barbed-wire fence and was hit within two minutes,” a Denver Airport spokesperson told Fox News Digital. 

Denver International Airport later posted an update to X adding it “has examined the fenceline and found it to be intact.”



A Frontier Airlines Airbus A320 neo plane, owned by the Bank of Utah Trustee, taxis to a gate at Denver International Airport (DEN) on March 23, 2026 in Denver, Colorado. (Al Drago/Getty Images)

“We are extremely saddened by this incident and express our sympathies to those involved,” the statement concluded. 

The incident is under investigation by the NTSB, FAA and Frontier Airlines. 

Fox News Digital’s Jesse Watson and Robert McGreevy contributed to this report.




Broker’s Call: Hyundai Motor India (Hold)


Target: ₹1,960

CMP: ₹1,907.10

Hyundai Motor India’s Q4FY26 Revenue/EBITDA/PAT missed estimates by 2.5 per cent/18.9 per cent/16.8 per cent. Revenue grew 5.4 per cent yoy, led by volume growth, but came below estimates due to a decline in ASPs, driven by a higher share of lower-priced models such as Aura and i10. EBITDA fell 22.4 per cent. PAT declined 22.2 per cent.

The key positive from the quarter was the management’s confident FY27E volume outlook, with HMIL guiding for 8-10 per cent domestic volume growth, implying potential market share gains. Growth is expected to be supported by the new Venue ramp-up and two new SUV launches, a localized compact EV SUV and an ICE mid-SUV above 4 metres.

However, West Asia disruption remains a near-term risk, making export recovery and market diversification key monitorables.

Margins are likely to remain under pressure in the near term due to elevated commodity prices, Pune ramp-up costs and launch-related expenses. HMIL has taken about 60-bp price hike in January, followed by a selective Venue price hike in March, with another planned in May.

We believe HMIL is entering FY27E with better growth visibility than FY26, supported by capacity availability, a stronger SUV pipeline and export resilience.

On FY28E EPS of ₹85.3, we value HMIL at a P/E multiple of 23x, arriving at a target price of ₹1,960 per share. We retain our Hold rating on the stock.

Published on May 11, 2026

Why Changing Passwords Doesn’t End an Active Directory Breach



Password resets are often the first response to a suspected compromise. It makes sense; resetting credentials is a quick way to cut off an attacker’s most obvious path back in.

However, that doesn’t always completely solve the issue. In both Active Directory (AD) and hybrid Entra ID environments, password changes do not immediately invalidate the old credential across every authentication path.

Even a short window is an opportunity that potentially allows attackers to maintain access or re-establish a foothold.

For security architects and IT administrators, this gap has real implications during incident response.

The password reset gap

Windows systems cache password hashes locally to support offline logon. If a device hasn’t reconnected to the domain, it may still hold the previous credential in a usable form. In hybrid environments, there can also be a short delay before the new password syncs to Entra ID.

This means there are three possible states created after a password reset:

1. The user has logged in with the new credential while connected to AD. The cached credential store updates, invalidating the old hash.

2. The user has not logged in to a particular machine since the reset. The old cached credential may still be usable for certain authentication attempts.

3. In hybrid deployments, the password has been reset in AD but the new hash has not yet synchronized to Entra ID. The old password may still authenticate during the password hash synchronization interval.

Verizon’s Data Breach Investigation Report found stolen credentials are involved in 44.7% of breaches. 
 

How attackers exploit the gap

Cached credentials

Attackers take advantage of cached password hashes with methods like pass-the-hash, where the hash itself is used instead of the plaintext password. If that hash was captured before the reset, changing the password doesn’t immediately invalidate it everywhere.

Limiting that exposure is crucial to defending AD environments. Solutions like Specops uReset enable secure self-service password resets by enforcing end-user ID verification to reduce the risk of reset abuse.

When combined with the Specops Client, uReset can update the local cached credential store immediately on the device where the reset is performed, closing the window where the old hash remains usable on that endpoint.

This doesn’t remove identity drift entirely, but it does reduce exposure at the network edge, where corporate laptops and remote systems are frequently targeted.


Active sessions

AD authentication is primarily handled through Kerberos tickets, which are valid for a set period of time. If a user or attacker already has a valid ticket, they can continue accessing resources without re-entering a password.

That means an attacker with an active session remains authenticated even after the password has been changed. In some cases, that window is long enough to establish additional persistence or move laterally.

Unless sessions are explicitly invalidated, through logoff, reboot, or ticket purging, access can continue well beyond the reset itself.

Service accounts

Unlike user accounts, service accounts tend to have long-lived passwords, with elevated privileges tied to critical systems. Attackers can expose those credentials through techniques like Kerberoasting or discover them when moving laterally through a network.

Because these accounts are tied to running services, they’re less likely to be reset quickly, especially if there’s a risk of disruption. That makes them a reliable fallback for attackers after an initial access point is closed.

Ticket attacks

As mentioned above, in environments using the Kerberos authentication protocol, access is controlled through tickets rather than repeated password checks. If an attacker can forge those tickets, they don’t need valid credentials at all.

A Golden Ticket attack, made possible by compromising the Kerberos Ticket Granting Ticket (KRBTGT) account, allows attackers to create valid ticket-granting tickets for any user in the domain. Silver Tickets are more targeted, granting access to specific services without contacting a domain controller.

In both cases, these attacks effectively bypass password changes. Resetting user passwords won’t invalidate forged tickets, and access can continue until the underlying issue is addressed.

Permissions

AD is heavily driven by Access Control Lists (ACLs). If an attacker grants a compromised account (or a new one they control) rights like resetting passwords for other users, they’ve effectively created a backdoor. Even if the original password is changed, those permissions remain.

Furthermore, accounts protected by AdminSDHolder (like Domain Admins) inherit permissions from a specific template. Attackers who modify the ACL on the AdminSDHolder object can ensure their permissions are re-applied every hour by SDProp.
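The two ACL-based persistence paths described above can be audited from a domain-joined host. The following PowerShell is an added example, not code from the Specops article or a Specops product; it assumes the RSAT ActiveDirectory module, read access to the directory, and a search base you narrow to the OU under investigation. It dumps every explicit (non-inherited) write or reset-password ACE on the AdminSDHolder object, since SDProp re-applies those to protected accounts, and then lists non-admin principals that hold the Reset Password extended right on user objects.

```powershell
# Added example, not the article's or Specops' own code. Assumes RSAT
# ActiveDirectory module and a domain-joined host with directory read access.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Well-known GUID of the User-Force-Change-Password ("Reset Password") extended right.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$writeRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty'

function Get-WriteAces {
    # Return explicit Allow ACEs on one object that grant write-class rights or
    # the Reset Password extended right (GenericAll implies both).
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            ($_.ActiveDirectoryRights -match $writeRights -or
             $_.ObjectType -eq $resetPasswordGuid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                IsResetPw = ($_.ObjectType -eq $resetPasswordGuid -or
                             $_.ActiveDirectoryRights -match 'GenericAll')
            }
        }
}

# 1. AdminSDHolder: every explicit write ACE here is pushed to protected
#    accounts (Domain Admins etc.) by SDProp, so each one needs a known owner.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
"== Explicit write / reset-password ACEs on AdminSDHolder =="
Get-WriteAces -DistinguishedName $adminSdHolder | Format-Table -AutoSize

# 2. User objects: which non-admin principals can reset other users' passwords?
#    Walking the whole domain is slow; scope $searchBase to the OU of interest.
$searchBase = $domain.DistinguishedName   # placeholder: narrow this in practice
$knownAdmins = 'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'NT AUTHORITY\SYSTEM',
               "$($domain.NetBIOSName)\Domain Admins",
               "$($domain.NetBIOSName)\Enterprise Admins"
"== Non-admin principals holding Reset Password on user objects =="
Get-ADUser -Filter * -SearchBase $searchBase |
    ForEach-Object { Get-WriteAces -DistinguishedName $_.DistinguishedName } |
    Where-Object { $_.IsResetPw -and $_.Principal -notin $knownAdmins } |
    Sort-Object Principal, Object |
    Format-Table -AutoSize
```

Any principal in the second table that is not a help-desk or delegation group you recognise is a reset path that survives the victim's password change, and any unexpected ACE in the first table will be re-applied to every protected account within the hour unless it is removed from AdminSDHolder itself.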

How to ensure attackers are removed

The time between a password reset and the change syncing across AD and Entra ID is small, typically just a few minutes, which severely limits the opportunity attackers have to exploit the gap. Forcing more frequent synchronizations is also possible, for instance by turning on AD Change Notification or manually initiating a sync to the Entra ID tenant.

However, the gap still exists, and by the time an account compromise is discovered, attackers may have been able to establish additional footholds. If password resets aren’t enough on their own, defenders need to look at fully closing off access.

That starts with invalidating anything already in play. Active sessions should be terminated, and Kerberos tickets cleared by forcing logoffs or reboots on affected systems. For more serious compromises, resetting the KRBTGT account (twice) is often necessary to invalidate forged tickets.

Next comes credential hygiene beyond standard user accounts. Service account passwords should be rotated, especially those with elevated privileges, and any cached credentials on endpoints should be cleared as systems reconnect.

Just as important is reviewing what’s changed in the directory itself. That means auditing:

  • Group memberships
  • Delegated rights and ACLs
  • Privileged accounts and roles

Look for anything that could allow access to be re-established without relying on a password.

For serious breaches, there isn’t a single step that guarantees eviction. It’s a combination of cutting off sessions, rotating the right credentials, and verifying that no hidden access paths remain.
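The eviction steps above can be driven from one script. This PowerShell is an added example, not code from the Specops article or a Specops product; it assumes the RSAT ActiveDirectory module, WinRM access to the affected hosts and, for the optional last step, the ADSync module on the Entra Connect server. The account name, host names and incident start time are placeholders. It confirms the user reset happened after the incident began, reboots affected hosts to drop in-memory Kerberos tickets and sessions, reports the age of the KRBTGT key so the two-step reset can be scheduled, lists Kerberoastable service accounts with stale passwords as rotation candidates, shows the account's current group memberships, and pushes a delta sync to Entra ID.

```powershell
# Added example, not the article's or Specops' own code. Assumes RSAT
# ActiveDirectory, WinRM to the hosts, and (optionally) the ADSync module.
# All names below are placeholders. Set $DryRun = $false to take action.
Import-Module ActiveDirectory

$DryRun          = $true
$CompromisedUser = 'jdoe'                      # sAMAccountName under investigation (placeholder)
$AffectedHosts   = 'WS-0421', 'SRV-FILE01'      # hosts the account logged on to (placeholder)
$IncidentStart   = (Get-Date).AddDays(-3)       # earliest believed compromise time (placeholder)
$StaleSvcDays    = 90                           # service-account password age worth rotating
$MaxTgtLifeHours = 10                           # default "Maximum lifetime for user ticket"

# 1. Confirm the user's password was actually reset after the incident began.
$user = Get-ADUser -Identity $CompromisedUser -Properties PasswordLastSet, MemberOf
if (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt $IncidentStart) {
    Write-Warning "$CompromisedUser password last set $($user.PasswordLastSet); reset it before continuing."
}

# 2. Tickets and logon sessions outlive the reset until the session ends. A
#    reboot discards every in-memory ticket on the host and forces
#    re-authentication with the new credential.
foreach ($h in $AffectedHosts) {
    if ($DryRun) { "Would reboot $h to drop cached tickets and sessions"; continue }
    Restart-Computer -ComputerName $h -Force -ErrorAction Continue
}

# 3. KRBTGT: forged TGTs stay valid until the key has been reset twice and the
#    change has replicated. Report its age so the second reset can be scheduled
#    after the maximum TGT lifetime has elapsed.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAgeHours = [math]::Round(((Get-Date) - $krbtgt.PasswordLastSet).TotalHours, 1)
if ($krbtgt.PasswordLastSet -lt $IncidentStart) {
    Write-Warning "krbtgt not reset since incident start (age ${krbtgtAgeHours}h); reset it twice, ${MaxTgtLifeHours}h apart."
} elseif ($krbtgtAgeHours -lt $MaxTgtLifeHours) {
    "krbtgt reset ${krbtgtAgeHours}h ago; second reset due once ${MaxTgtLifeHours}h have passed."
}

# 4. Service accounts: any account with an SPN can be Kerberoasted, and stale
#    passwords on privileged ones are the fallback described above.
"== Kerberoastable accounts with passwords older than $StaleSvcDays days =="
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-$StaleSvcDays) } |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'Privileged'; e = { $_.AdminCount -eq 1 } },
                  @{ n = 'SPNs';       e = { $_.ServicePrincipalName -join ';' } } |
    Sort-Object Privileged -Descending | Format-Table -AutoSize

# 5. Directory changes: current group memberships of the account, with each
#    group's last change time as a coarse lead to correlate with DC event logs.
"== Group memberships of $CompromisedUser =="
$user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ -Properties whenChanged } |
    Select-Object Name, whenChanged | Sort-Object whenChanged -Descending | Format-Table -AutoSize

# 6. Hybrid: push the new hash to Entra ID now rather than waiting for the
#    scheduled cycle (only works on the Entra Connect server).
if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
    if ($DryRun) { "Would run Start-ADSyncSyncCycle -PolicyType Delta" }
    else { Start-ADSyncSyncCycle -PolicyType Delta }
}
```

Run it first with `$DryRun` left at `$true` to see what it would do; the reboot in step 2 is the blunt but reliable way to end sessions, and step 3 only reports, because the two KRBTGT resets should be performed deliberately with replication confirmed in between.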

Secure your AD today

Hardening your AD requires every account to be protected by strong passwords, combined with a secure reset process that limits opportunities for abuse.

Specops helps you do both, giving you confidence that password resets strengthen your security rather than introduce new gaps.

Book a demo to see how our solutions can support your identity security strategy.

Sponsored and written by Specops Software.




Suspect in White House press dinner shooting pleads not guilty to all charges | White House correspondents’ dinner shooting


The suspect accused of attempting to assassinate Donald Trump last month at a gala in Washington has pleaded not guilty to all charges.

Cole Tomas Allen did not speak in court on Monday as his attorney entered the plea on his behalf.

The charges against him include attempted assassination of the president, assault on a federal officer and firearms offenses.

Prosecutors have accused Allen of firing a shotgun at a US Secret Service agent and storming a security checkpoint in a foiled attack at the annual White House correspondents’ dinner, where Trump had gathered with more than 2,500 members of the Washington press corps.

More details soon …




Broker’s Call: Blue Star (Buy)


Target: ₹1,964

CMP: ₹1,660.40

Blue Star reported a soft performance in Q4FY26, with just 1.3 per cent year-on-year revenue growth, led by muted performance of UCP and EMP segments. However, cost rationalization measures and deferment of discretionary cost aided margin expansion.

EMP business’ outlook remains strong with steady growth, driven by robust OB, manufacturing capex and data center demand with stable margin. Although secondary sales improved from mid-April 2026, demand outlook remains contingent on summer intensity and channel offtake.

High industry competition may limit full pass-through of cost, especially during the peak season. Margin is expected to remain range-bound, with likely gradual improvement in the near term. The management has reiterated segmental EBIT margin guidance at 8-8.5 per cent, with an additional about 5 per cent price hike expected in Q1FY27 to offset elevated input cost. It also targets about 15 per cent market share.

UCP (RAC) is likely to see demand recovery in Q1FY27, contingent on summer intensity and channel restocking, though margin may remain range-bound due to competitive intensity, partial cost pass-through and volatility in raw material cost despite planned price hike. Considering modest quarterly performance and guidance, we tweak our EPS estimate by 9-10 per cent. We maintain Buy rating on the stock with a lower TP of ₹1,964 (₹2,188 earlier), valuing it at 44x FY28e EPS of ₹45.

Published on May 11, 2026

Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More


Ravie Lakshmanan, May 11, 2026, Cybersecurity / Hacking

Rough Monday.

Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.

The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping stolen access while defenders burn another weekend chasing logs and praying the weird traffic is just monitoring noise. The Internet’s held together with duct tape and bad sleep.

Anyway, Monday recap time. Same fire. New smoke.

⚡ Threat of the Week

Ivanti EPMM and Palo Alto Networks PAN-OS Flaws Under Attack—Ivanti warned customers that attackers have successfully weaponized CVE-2026-6973, an improper input validation defect in Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company did not say when the first instance of exploitation occurred, or precisely how many customers have been impacted. In a related development, attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls. As in the case of Ivanti, Palo Alto Networks did not say when or how it became aware of active exploitation, but said threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The memory corruption vulnerability, tracked as CVE-2026-0300, affects the authentication portal of PAN-OS and allows unauthenticated attackers to run code with root privileges on the PA-Series and VM-Series firewalls. Attack surface management platform Censys said it detected about 263,000 Internet-exposed hosts running PAN-OS. Patches are expected to be released starting May 13, 2026. 

🔔 Top News

  • New Quasar Linux RAT Spotted—Attackers have found a new way to turn Linux systems into entry points for supply chain or cloud infrastructure breaches that are resilient to takedowns. The new malware framework, dubbed Quasar Linux or QLNX, is a modular Linux remote access trojan (RAT) that can harvest data from compromised systems. What sets it apart is its use of a peer-to-peer (P2P) mesh capability that turns individual compromises into an interconnected infection network, making the campaign difficult to kill and allowing infected hosts to communicate with one another rather than relying entirely on centralized servers. QLNX also combines kernel-level rootkit functionality, PAM-based authentication backdoors, and persistence mechanisms to stay hidden on compromised systems while maintaining access. It also hides malicious processes under names that mimic legitimate Linux services and system binaries to blend into routine workflows. “Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features,” Trend Micro said. “The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.”
  • PCPJack Replaces TeamPCP Malware to Steal Cloud Secrets—An unknown threat actor has launched a campaign to systematically clean up environments infected by the infamous TeamPCP hacking group and drop its own malicious tools to steal credentials from cloud, container, developer, productivity, and financial services for financial gain. Active since late April, the campaign is also capable of propagating itself by moving laterally both inside of a network and to other targets by breaking into open and exploitable cloud infrastructure. The broad credential harvesting sweep allows the malware to hack into more cloud servers and propagate the infection in a worm-like manner, while also rooting out any processes and artifacts belonging to TeamPCP. The external propagation is achieved by downloading parquet files from Common Crawl for target discovery. While threat actors aiming for cloud environments have long built methods to delete competing malware, particularly in cryptojacking campaigns, the lack of a miner and its specific targeting of TeamPCP tooling has raised the possibility that it may be someone who was previously associated with the group, is part of a rival crew, or is an unrelated third-party mimicking TeamPCP’s tradecraft.
  • MuddyWater Uses Chaos Ransomware as Decoy in New Attack—An Iranian state-sponsored espionage group pretended to be a regular ransomware gang in a new ransomware attack detected in early 2026. The Iranian hackers known as MuddyWater disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence within a victim environment. Although the attack involved reconnaissance, credential harvesting, and data exfiltration, no file-encrypting ransomware was deployed, which is inconsistent with Chaos attacks. The victim was also added to the Chaos ransomware data leak site, but infrastructure and code-signing certificate evidence indicate the activity was likely used as a cover to mask the threat actor’s true espionage goals and to complicate attribution. Rapid7 told The Hacker News that there is no evidence to suggest that MuddyWater is operating as an affiliate of Chaos.
  • DAEMON Tools Supply Chain Attack Leads to QUIC RAT—Hackers compromised installers of DAEMON Tools in a supply chain attack that affected users in more than 100 countries. The malicious versions, first observed in early April, impacted multiple releases of the software that were installed on thousands of machines across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The operation appears to be targeted. Most victims received only a data miner designed to gather system data, while a second, more advanced shellcode loader was deployed to just a handful of targets, including retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. The attackers are suspected to have used the initial data collection to profile infected systems before selectively deploying an implant codenamed QUIC RAT. The malware was deployed against only one known target, an unidentified educational institution in Russia. Kaspersky said the malicious code included Chinese-language elements, suggesting the attackers are familiar with the language, but stopped short of attributing the campaign to a specific group.
  • Cybercrime Groups Use Vishing for Data Theft and Extortion—An active phishing campaign observed since at least April 2025 uses legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised hosts. The activity, which targets organizations across multiple industries, highlights a growing trend where attackers weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems. What makes the campaign noteworthy is its deliberate avoidance of traditional malware in favor of two commercially available RMM tools, SimpleHelp and ScreenConnect, for persistent control over victim machines. The abuse of RMM tools by bad actors has surged in recent years, as they offer a low-friction way to gain access to and maintain persistence in a victim environment. Because the tools are so ubiquitous in enterprise environments, they are seldom flagged as malicious, allowing the attackers to blend in with normal operations.

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-6973 (Ivanti Endpoint Manager Mobile), CVE-2026-0300 (Palo Alto Networks PAN-OS), CVE-2026-29014 (MetInfo), CVE-2026-22679 (Weaver E-cology), CVE-2026-4670, CVE-2026-5174 (Progress MOVEit Automation), CVE-2026-43284, CVE-2026-43500 (Linux Kernel), CVE-2026-7482 (Ollama), CVE-2026-42248, CVE-2026-42249 (Ollama for Windows), CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 (cPanel and Web Host Manager), CVE-2026-23918 (Apache HTTP Server), CVE-2026-42778, CVE-2026-42779 (Apache MINA), CVE-2026-2005, CVE-2026-2006 (PostgreSQL pgcrypto), CVE-2026-32710 (MariaDB), CVE-2026-23863, CVE-2026-23866 (Meta WhatsApp), CVE-2026-29146 (Apache Tomcat), CVE-2026-1046 (Mattermost Desktop), CVE-2026-0073 (Google Android), CVE-2026-20188 (Cisco Crosswork Network Controller and Network Services Orchestrator), CVE-2026-20185 (Cisco SG350 and SG350X Series Managed Switches), CVE-2026-20034, CVE-2026-20035 (Cisco Unity Connection), CVE-2026-7896, CVE-2026-7897, CVE-2026-7898, CVE-2026-5865 (Google Chrome), CVE-2025-68670 (xrdp), CVE-2026-23864 (React Server Components), CVE-2026-23870, CVE-2026-44575, GHSA-26hh-7cqf-hhc6, CVE-2026-44579, CVE-2026-44574, CVE-2026-44578, CVE-2026-44573 (Next.js), CVE-2026-26129, CVE-2026-26164 (Microsoft M365 Copilot), CVE-2026-33111 (Microsoft Copilot Chat), CVE-2026-44843 (LangChain), and CVE-2026-33309 (Langflow).

🎥 Cybersecurity Webinars

  • The Hidden Attack Paths Your AppSec Tools Completely Miss in 2026 → This webinar shows the real attack paths that most AppSec tools miss — from code and CI/CD pipelines to cloud setups, dependencies, and secrets. See how attackers combine small weaknesses into big breaches, and learn simple ways to find and stop them. With Wiz experts Mike McGuire and Salman Ladha.
  • AI-Powered DDoS Attacks Are Here — And They’re Smarter, Faster & Deadlier in 2026 → Attackers are now using AI to launch DDoS attacks that are faster, smarter, and much harder to stop. This webinar shows how they instantly spot weak spots, create new attack methods, and dramatically increase success rates — plus easy ways defenders can fight back using smarter AI tools and proactive protection. Perfect for security leaders who want to stay ahead.

📰 Around the Cyber World

  • JDownloader Website Compromised in Supply Chain Attack —The website for JDownloader, an open-source download management tool, was compromised last week to distribute malicious Windows and Linux installers. The compromise occurred on May 6, 2026, at 12:01 a.m. UTC. While the Linux version embeds malicious shell code, the Windows version has been found to serve a Python-based remote access trojan (RAT) that enlists the compromised device in a bot network and runs arbitrary Python code supplied by the operator, per researcher Thomas Klemenc. “The attack has modified alternative download pages and exchanged links and details,” the developer behind JDownloader said in a post on Reddit. “The bad ones are missing digital signatures and as such [Microsoft] SmartScreen will block/warn the execution of it.” Further investigation uncovered that the attack vector was an “unpatched security bug,” although it’s not clear which vulnerability was exploited by the threat actor to tamper with the site.
  • Operation HookedWing Targets Over 500 Organizations —A long-running phishing campaign dating back to 2022 has stolen 2,000 credentials belonging to users from over 500 different organizations. According to SOCRadar, the campaign has mostly affected aviation, public administration, energy, and critical infrastructure. “The breadth of targeting, combined with the campaign’s longevity, points to a resource-capable operation rather than opportunistic activity,” it said. The activity has been codenamed Operation HookedWing. The attack uses phishing emails with lures related to human resources, Microsoft, or Google to direct users to fake landing pages hosted on GitHub.io and Vercel, capture entered credentials via an injected form, and exfiltrate them to servers compromised or created by the threat actor. More than 20 distinct command-and-control (C2) domains and 100 distribution domains have been identified.
  • Uptick in Use of Vercel for Phishing Campaigns —Threat actors are increasingly using Vercel to create large numbers of realistic phishing websites that impersonate well-known brands. “Threat actors are able to redeploy phishing campaigns with ease if a web page is taken down,” Cofense said. “Vercel abuse has increased significantly over time and is likely to continue increasing as minimally skilled threat actors start using cheap or free force multipliers.”
  • New ConsentFix V3 Attack Automates Microsoft Account Hijacking —Push Security said it identified a member of the XSS criminal forum advertising a new toolkit dubbed ConsentFix v3 that brings together ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. “ConsentFix v3 allows users to instrument the entire attack chain, enabling users to spin up ConsentFix infrastructure, create believable personas with which to interact with victims, craft and manage email campaigns, and automate the process of exchanging the captured OAuth token for session and refresh tokens to establish access to the compromised account,” Push Security said. The attack uses Cloudflare Workers for hosting the phishing pages, ZoomInfo for target identification, Dropbox for PDF hosting, and Pipedream as an exfiltration channel.
  • Workplace Fraud Trends in 2026 —A new report from Cifas has found that 13% of employees said “they have either sold their company login details to a former colleague, or know someone who has, in the past 12 months.” Another 13% of respondents believed selling access to company systems was justifiable. “Selling login details might seem insignificant to those involved, but it can open the door to serious fraud and financial harm,” Cifas said. “These findings show how vital it is for organisations to build fraud‑aware cultures, where employees at all levels understand their responsibilities and the consequences of their actions.”
  • India Pushes for Sovereign Hosting of Anthropic’s Claude AI Models —According to a report from MoneyControl, the Indian government is said to be pushing for sovereign hosting of Anthropic’s Claude artificial intelligence (AI) models within India. Officials have argued that advanced AI systems meant for sensitive sectors such as banking, telecom, and critical infrastructure cannot operate on foreign-hosted infrastructure due to jurisdictional, compliance, and national security risks.
  • OpenAI Rolls Out GPT-5.5-Cyber —OpenAI began rolling out GPT-5.5-Cyber, a security-focused variant of the model, in a limited preview capacity to select cybersecurity teams, a month after Anthropic’s Mythos debut. “The initial preview of cyber-permissive models like GPT‑5.5‑Cyber is not intended to significantly increase cyber capability beyond GPT‑5.5 – it’s primarily trained to be more permissive on security-related tasks,” OpenAI said. “The differences between model access levels are most pronounced when comparing prompts and responses.”
  • FIRESTARTER Backdoor Targets Cisco Devices —Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that an unnamed federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER. The malware is noteworthy for its ability to survive reboots, firmware updates, and patches. In a new analysis, firmware security company Eclypsium described the backdoor as a Linux ELF that hooks the LINA process and re-installs itself after receiving a termination signal. “When lina_cs runs, it copies its own contents from /usr/bin/lina_cs into memory and registers a signal handler, allowing the malware to take action in response to signals (e.g., when the system or user tells the process to restart),” security researcher Paul Asadoorian said. “It also triggers on runlevel 6, which is the system reboot runlevel on Linux. Which means every time the device shuts down or reboots, FIRESTARTER’s persistence routine fires.”
  • Google Rolls Out Ways for Developers to Push Safer Android Apps —Google said it has expanded Play Policy Insights in Android Studio to catch common policy issues, like missing login credentials, and detect security threats and abuse using its Play Integrity API. “With significantly shorter warm-up latency, you can use these real-time checks in your most speed-critical user journeys, like logins or payments, to catch unauthorized access and risky interactions,” Google said. “We’re adding support for post-quantum cryptography in Play App Signing this year, which will protect your apps and app updates from potential threats with the emergence of quantum computing.”
  • Poland Says Hackers Breached its Water Treatment Plants —Poland’s Internal Security Agency (ABW) disclosed that it detected attacks on five water treatment plants in 2025, potentially allowing bad actors to take control of industrial equipment and, in the worst case, tamper with the safety of the water supply. The intelligence agency did not attribute the attacks to a specific threat actor or group, but a failed attempt to bring down the country’s energy grid towards the end of 2025 was attributed to Russian government hackers.
  • Claude Leans More on Russian and Iranian Propaganda Sources —A new audit of Anthropic Claude has revealed that the AI chatbot “repeated false claims 15% of the time when it was asked about pro-Kremlin falsehoods in the voice of typical users, citing Russian state-affiliated media every time,” NewsGuard said. The figure represents a jump from only 4%. What’s more, since the start of the U.S.-Iran war, Claude cited Iranian state-affiliated media in one case when prompted on pro-Iran false claims, when previously it had never cited Iranian state-affiliated media. “This increase in citations to Kremlin propaganda sources, including when they spread false claims, suggests that Claude in recent months has become more vulnerable to state disinformation campaigns,” NewsGuard said.
  • WebSocket Backdoor Campaign Injects Skimmers —Palo Alto Networks Unit 42 said obfuscated WebSocket backdoors are being used to inject credit card skimmers into hundreds of compromised websites with the goal of sending stolen card information back to the attacker’s C2 domains. “Obfuscated JavaScript creates a WebSocket backdoor using dynamically executed JavaScript,” Unit 42 said. “The WebSocket sends an obfuscated JavaScript payload to inject a credit card skimmer into the web page.”
  • How Backdoored Electron Applications Evade Defenses —Cybersecurity researchers have detailed a technique that hijacks trusted Electron applications to enable persistence and bypass application safe listing controls. “In advanced variations of the attack, minimal changes are made to the components of the Electron application,” LevelBlue said. “This allows the application to function normally while at the same time loading the malicious command-and-control (C2) functionality in the background, hiding under the umbrella of the trusted process.”
  • New Attacks Distribute Vidar Stealer, PlugX, and Beagle Malware —In an attack chain detailed by LevelBlue, threat actors have been found to leverage “MicrosoftToolkit.exe” as a starting point to launch an AutoIt script that drops the Vidar Stealer payload. “This intrusion highlights the continued effectiveness of script-based, multi-stage loaders in delivering commodity information stealers such as Vidar,” LevelBlue said. “A sophisticated multi-stage loader infection leveraging Windows-native tools and file-masquerading techniques. The attacker avoids dropping a single identifiable malware binary and instead reconstructs and executes payloads dynamically through staged file manipulation.” The development follows the discovery of a fake Claude website (“claude-pro[.]com”) that serves as a conduit for a fake MSI installer responsible for deploying a DonutLoader payload that drops a simple backdoor dubbed Beagle, which is capable of running commands and performing file uploads/downloads.
  • Critical Flaw in Cline’s Kanban Server —A critical vulnerability in Cline’s local Kanban server (CVSS score: 9.7) could have been exploited by an attacker to facilitate information disclosure through the runtime state stream, remote code execution through the terminal I/O endpoint, and denial-of-service through the terminal control endpoint. Oasis Security, which discovered the vulnerability, said the AI coding agent’s localhost WebSocket lacks origin validation and authentication. Because web browsers don’t enforce the same-origin policy on WebSocket connections, any website the developer visits can connect to these endpoints to achieve full compromise. “Any website a developer visited while running an affected version could silently connect to their machine, exfiltrate workspace data in real time, and inject commands into the developer’s AI agent,” Oasis Security said. “The developer would see nothing unusual. They were just browsing the web.” Following responsible disclosure, the issue was addressed in Cline Kanban version 0.1.66.
  • Mozilla Uses AI to Detect 423 Flaws in Firefox —Mozilla revealed Anthropic’s Mythos Preview and other AI models helped it identify and ship 423 Firefox security bug fixes in April 2026, compared to 31 a year earlier. This includes a 20-year-old use-after-free bug that could be triggered using the XSLTProcessor DOM API without any user interaction, as well as various flaws in its sandbox system. “This was due to a combination of two main factors,” Mozilla said. “First, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models – steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise.” The development comes as AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws.
  • 60% of MD5 Password Hashes Can Be Cracked in Under an Hour —An analysis of 231 million unique passwords from dark web leaks between 2023 and 2026 has revealed that nearly 60% of them can be cracked in less than an hour. To make matters worse, nearly half of all passwords (48%) can be cracked within a minute. “Attackers owe this boost in speed to graphics processors, which grow more powerful every year,” Kaspersky said. “While an RTX 4090 in 2024 could brute-force MD5 hashes at a rate of 164 gigahashes (billion hashes) per second, the new RTX 5090 has increased that speed by 34% – reaching 220 gigahashes per second.”
  • New JobStealer Targets Windows and macOS —Threat actors are luring potential victims to malicious websites and asking them to download a video conferencing app under the pretext of an online interview, only to drop a stealer that can harvest data from cryptocurrency wallets. “The malicious program JobStealer, disguised as an online conferencing app, is downloaded from them,” Doctor Web said. Some of the fake brands used by the threat actors include MeetLab, Juseo, Meetix, and Carolla. “To convince users that these platforms are fully functional, scammers create corresponding Telegram channels and social media accounts – for example, on X.” The attack leverages a ClickFix-like instruction to copy and paste a command that drops the stealer malware.
  • More ClickFix Attacks —ClickFix attacks seem to show no signs of stopping anytime soon. The Australian Cyber Security Center (ACSC) warned that the ClickFix social engineering tactic is being used to deliver Vidar Stealer. “The ClickFix attack typically begins with an adversary injecting a malicious payload delivery domain into the compromised website,” ACSC said. “The injected payload domain loads JavaScript code from an external API server. This code overwrites the content of the legitimate page, presenting a fraudulent Cloudflare verification prompt.” In recent months, ClickFix has evolved to abuse native Windows utilities like cmdkey and regsvr32, as well as to drop a Node.js-based infostealer to Windows users via malicious MSI installers and an AppleScript-based infostealer to macOS. ClickFix-related attacks have also been found to leverage shareable chat features on ChatGPT and Grok, or blog sites and other user-driven content platforms, to trick users into running AMOS Stealer, MacSync, and Shub Stealer. “Prior iterations of this campaign delivered the infostealers through disk image (.dmg) files that required users to manually install an application,” Microsoft said. “This recent activity reflects a shift in tradecraft, where threat actors instruct users to run Terminal commands that leverage native utilities to retrieve remotely hosted content, followed by script‑based loader execution.” Another campaign targeting Vietnam, Taiwan, and Spain has spread through fake Google documents containing a ClickFix command and malicious DMG files to deploy a new macOS stealer called NotnullOSX that exclusively targets victims holding over $10,000 in cryptocurrency. ClickFix has also been used by a traffic distribution system (TDS) called ErrTraffic. “ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) that captures administrator credentials and ensures persistence on compromised sites,” LevelBlue said. “ErrTraffic utilizes the Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures [via EtherHiding].”
  • ShinyHunters Extortion Campaign Targets Instructure —The ShinyHunters group targeted Instructure, the supplier of the Canvas learning management system (LMS), defacing the login portals for 330 colleges and universities. According to Dataminr, ShinyHunters has claimed to have exfiltrated 3.65TB of data across approximately 275 million records from nearly 9,000 affected organizations listed publicly, including Harvard, Stanford, Columbia, and Apple. Exposed data includes usernames, email addresses, course names, enrollment information, and messages. Instructure has said no passwords, government IDs, birth dates, financial data, or course content were compromised. The threat actors exploited a “vulnerability regarding support tickets in our Free for Teacher environment,” the company added. Access to Free for Teacher has been disabled pending a full security review. As of writing, Canvas is fully back online and available for use. The message shared by the notorious cybercrime group showed that the group has threatened to leak the trove of data, giving a deadline of May 12. The May 7, 2026, incident is a continuation of prior unauthorized activity detected in Canvas on April 29, 2026. Following the hack, the U.S. Federal Bureau of Investigation (FBI) cautioned individuals to be on the lookout for “unsolicited emails, calls, or texts claiming to be from your school, the LMS provider, or law enforcement and to verify the contact through known channels before responding.”

🔧 Cybersecurity Tools

  • AiSOC → It is an open-source, self-hostable AI-powered Security Operations Center. It brings together security alerts, uses AI agents to investigate them, maps findings to MITRE ATT&CK, and supports purple team exercises and incident triage — all within a single stack that you can run on your own infrastructure.
  • Watcher → It is an open-source platform that helps security teams monitor and detect emerging cyber threats. It uses AI to analyze threat data, track suspicious domains, watch for information leaks, and follow cybersecurity news from official sources — all in one dashboard. Built with Django and React, it runs easily with Docker.

Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.

Conclusion

That’s the week: poisoned downloads, cloud messes, old bugs refusing to die, and attackers putting in barely more effort than a guy restarting a frozen router. Everybody’s tired, nobody trusts installers anymore, and the internet somehow keeps getting worse in very predictable ways.

See you next Monday, assuming nothing catches fire before then.
