Friday, July 3, 2026

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft.

According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" mimic the legitimate "rollup-plugin-polyfill-node" project, down to the description, repository metadata, and package shape.

"The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review," JFrog said in a technical write-up of the campaign.

The campaign also involves four other packages, all of which have since been removed from the npm registry -

  • quirky-token
  • react-icon-svgs
  • rollup-plugin-polyfill-connect
  • swift-parse-stream

What's noteworthy here is that "rollup-packages-polyfill-core" installs and loads "swift-parse-stream," while "rollup-runtime-polyfill-core" installs and "quirky-token." In a similar fashion, "react-icon-svgs" has been found to install "rollup-plugin-polyfill-connect" as a second stage.

"The second-stage packages are near-identical SVG utilities that fetch a JSON object from JSONKeeper and eval the model field," the cybersecurity company said. "This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns."

It's worth emphasizing here that this is not the first time North Korean threat actors have uploaded npm packages impersonating Rollup polyfill tools. In April 2026, Panther detailed a sustained npm campaign that involved publishing 108 malicious npm packages spanning 261 versions to deliver BeaverTail and OtterCookie, two known malware families linked to Contagious Interview. Among those packages was "rollup-plugin-polyfill-route," which was published on March 20, 2026.

The starting point of the attack is a Base64-encoded npm install command for "swift-parse-stream" (or "quirky-token") that's concealed within "rollup-packages-polyfill-core" (or "rollup-runtime-polyfill-core"). The two second-stage packages are dressed up as SVG sanitization utilities, while reaching out to a JSON Keeper URL to retrieve and execute a JavaScript malware.

The JavaScript code runs checks to avoid execution within cloud development environments, sandboxes, serverless runtimes, and analysis infrastructure. Past this gate, the malware installs the necessary dependencies and reaches out to an external server ("216.126.236[.]244") to fetch an encrypted JavaScript payload.

The decrypted payload then acts as a loader for additional scripts responsible for enabling remote access to the compromised host to support interactive terminal sessions, command execution, screenshot capture, process termination, Windows-only mouse movement, clicks, scrolling, keyboard presses, and hotkeys using the "@nut-tree-fork/nut-js" package, as well as steal data from web browsers and cryptocurrency wallets, collect files matching specific extensions, and periodically capture clipboard content.

The features overlap with those of OtterCookie, with the use of "@nut-tree-fork/nut-js" for remote mouse and keyboard control also observed in a package named "express-session-js" that was detailed by SafeDep in April 2026. The file collector component has been found to specifically look for editor history associated with Microsoft Visual Studio Code, Windsurf, and Cursor, along with developer and AI tool configurations, such as AWS, Microsoft Azure, Google Gemini, Anthropic Claude, Foundry, SSH, and Z shell (Zsh).

"Rollup plugins are commonly loaded from local configuration files, developer workstations, and CI jobs," JFrog said. "These environments often have access to sensitive assets such as source code, npm tokens, Git credentials, cloud keys, SSH keys, browser data, and project secrets."

"The payload is also broader than a simple downloader. Once the later stages run, the attacker gains both collection and control capabilities. This makes the payload relevant to developer workstations and build machines, where API keys, SSH keys, wallet material, cloud credentials, and project secrets are often present."

The disclosure coincides with the discovery of multiple software supply chain attacks by Checkmarx, SafeDep, and AWS security researcher Chi Tran aimed at poisoning open-source package repositories and stealing valuable data -

  • A cluster of at least eight trojanized "pyrogram" forks published by a threat actor operating under multiple identities between November 2025 and June 2026, including a hidden backdoor that grants them full remote control over any server running the infected PyPI package by running arbitrary Python code or shell commands sent by the attacker. The results of the command execution are exfiltrated via Telegram. The activity has been codenamed Operation Navy Ghost by Checkmarx.
  • A cluster of 30 npm packages mimicking Polymarket tooling and general mathematics libraries published by 10 npm maintainer accounts that targeted DeFi developers to deliver a JavaScript infostealer that reads crypto wallet vaults, browser credentials, SSH keys, AWS credentials, npm tokens, Docker configurations, shell history, and password manager databases.
  • A cluster of 25 npm packages published under the @marketfront scope by an npm account named "marketfront" that contains a postinstall credential harvester that reads 20 credential and secret files, including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, and shell history, and exfiltrates the data.
  • A Python package named "security-alerts-sdk" that claims to be a data breach-monitoring tool but harbors code to launch a backdoor that periodically polls an external server ("142.93.211[.]30:5000") for commands and exfiltrates SSH private keys, AWS credentials, Docker/npm/PyPI/git tokens, .env files, and browser credential databases to the same server.
  • A cluster of 15 npm packages published by a single threat actor operating under 13 npm scopes that triggers a postinstall JavaScript payload responsible for downloading and executing a Rust-compiled ELF binary hosted on GitHub, which then harvests a wide range of data from cryptocurrency wallets, web browsers, and other applications, including cloud provider tokens, SSH keys, messaging platform sessions, database client configurations, and developer credentials.
  • An npm package named "events-runtime" that typosquats the "events" package and conditionally spawns a cryptocurrency wallet stealer, exfiltrates host reconnaissance data over Slack and Telegram, opens a bidirectional Slack command channel, and reads configuration and payload chunks from an Ethereum smart contract used as a dead drop resolver. The malicious logic is fired only when the event ID is "eventId0."
  • An npm package named "o3forms" that steals cloud service provider credentials, scans developer secrets and CI/CD environments, performs internal network reconnaissance, and exfiltrates the data to an attacker-controlled Cloudflare Workers endpoint. "The attacker split the attack into a deliberately benign, registry-published package and a GitHub-pinned *-utils sub-dependency that carries both the install hooks and the actual malware," Tran said. "This structure is designed specifically to defeat the static and lifecycle-script scanning that most registry-side and CI-side tooling relies on."

Users who have installed any of the aforementioned packages are advised to remove them from their workstations, assume compromise and rotate credentials, block the malicious egress channels, and enable dependency scanning in CI/CD pipelines to flag newly published or suspicious packages.



from The Hacker News https://ift.tt/xJp7iNH
via IFTTT

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan.

"Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations," Kaspersky said in a technical analysis published today. "Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis."

The attacks are also characterized by the use of tools like Go2Tunnel for remote access and network tunneling. The wide variety of tools in its arsenal allows the threat actor to maintain persistent access to compromised hosts, steal credentials and sensitive data, and dynamically deliver modules tailored to the victim's profile.

The Russian cybersecurity vendor said Armored Likho shares possible overlaps with a threat cluster tracked by BI.ZONE under the moniker Eagle Werewolf, which has been active since May 2023. The hacking group has a track record of targeting government and defense organizations, specifically those involved in UAV development and manufacturing, using droppers, remote access Trojans (RATs), and utilities for establishing SSH tunnels.

"Threat actors may use compromised Telegram channels to distribute the malware," BI.ZONE notes in its description of the threat actor. "While the group's primary motivation is cyber-espionage, campaigns aimed at stealing funds from victims have also been recorded."

Back in February 2026, Eagle Werewolf was observed compromising a drone‑focused Telegram channel to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation. Also put to use in the attacks is Go2Tunnel to establish a reverse SSH tunnel to a command-and-control (C2) server using a private key.

The latest findings show that the threat actor has also employed a previously unreported Python-based information stealer named BusySnake Stealer targeting Windows systems, one version of which includes a module for stealing cookies from web browsers. The exact origins of Armored Likho remain unknown.

The starting point of the attack chain is a spear-phishing email that uses lures related to official government notices or social programs to distribute a RAR archive containing EXE binaries that serve as droppers for additional payloads retrieved from a GitHub repository, including the stealer payload.

The dropper malware also creates two Visual Basic Script (VBScript) files that are responsible for erasing traces of the initial execution as well as launching the stealer by means of a scheduled task.

Alternate chains utilize Windows shortcuts (LNK) instead of EXE payloads that weaponize a now-patched vulnerability related to how Windows handles such files, resulting in remote code execution. The flaw, tracked as CVE-2025-9491 (aka ZDI-CAN-25373), was addressed by Microsoft as part of its Patch Tuesday updates for November 2025. Evidence unearthed by Trend Micro last year revealed that the shortcoming had been weaponized by a dozen hacking groups since 2017.

In the attack chain documented by Kaspersky, the shortcut vulnerability is abused to trigger the execution of an obfuscated PowerShell command that launches a loader responsible for displaying a decoy document, while preparing the environment for the execution of the Python stealer. The malware then establishes persistence through a combination of a VBScript file and a scheduled task, as before.

The stealer, called BusySnake, implements multiple evasion techniques to complicate static analysis and sidestep detection. Its primary goal is to establish communication with a C2 server and then await incoming instructions. It also supports the following functionality -

  • Steal data from the system clipboard.
  • Enumerate files across the system and log their metadata in a local database.
  • Upload user documents to the C2 server.
  • Capture screenshots and stage them in a local directory.
  • Archive captured screenshots and remove previously created archives from the disk.
  • Prevent multiple instances of the stealer from running concurrently on the infected host.
  • Ensure persistence by checking if the scheduled task exists, and if not, drop a VBScript to register a new scheduled task.

Furthermore, the commands issued by the C2 server allow it to take screenshots at a designated interval, log keystroke data, gather cryptocurrency wallet files with a JSON extension, collect Telegram session and credential data, establish a reverse SSH tunnel using Go2Tunnel, install RustDesk, and extract cookies from Mozilla Firefox and Chromium-based browsers, along with passwords.

If RustDesk is already installed on the machine, the open-source remote desktop software is started, and the victim is prompted to enter their credentials, following which the stealer grabs a screenshot of the credentials and exfiltrates it to the C2 server.

"The malware dynamically decrypts its bytecode only at the exact moment a function is called, re-encrypting the data immediately afterward," Kaspersky said. "Additionally, the malware runs in the background without spawning a console window, as indicated by its PYW file extension."

Kaspersky said it also identified a newer version of BusySnake that iterates upon the predecessor's architectural design to include a new task-management framework to handle incoming C2 commands and dynamically assign them operational statuses, such as SCHEDULED, IN_PROGRESS, SUCCEEDED, or FAILED, for improved reporting back to the server.

The threat actor's ties to Eagle Werewolf also stem from overlaps between AquilaRAT and BusySnake Stealer, particularly in the manner both malware families receive tasks from the C2 server, register persistence via scheduled tasks, and utilize similar endpoints for C2 communications.

There are also signs that the first-stage payloads comprising loaders and stagers were likely generated with assistance from artificial intelligence (AI) tools, given the presence of redundant comments and code blocks.

"This campaign highlights several concurrent trends: the growing technical maturity of Armored Likho, tool polymorphism, and a shift toward more complex schemes aimed at bypassing security solutions – ranging from Python source code obfuscation to embedding network mechanisms directly into the malware code," Kaspersky said.

"In parallel, the group is aggressively refining and modifying its core toolkit. While Go2Tunnel previously operated as a standalone utility, its reverse-tunneling functionality has now been integrated directly into the stealer as a built-in feature that ingests parameters from the C2 server."



from The Hacker News https://ift.tt/PFdtcMT
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good | Authorities Apprehend Iranian Cybercriminal & Extradite UNC3944 Hacker

Montenegrin law enforcement, alongside the FBI, have apprehended a 39-year-old dual Iranian and Turkish citizen wanted by the U.S. government for several cybercrime offenses. Arrested in Kotor, the suspect faces charges in the Southern District Court of New York for conspiracy to commit computer fraud, hacking, and identity theft.

Since 2013, this individual allegedly orchestrated mass cyberattacks against more than 150 American universities and inflicted damages estimated at over $3.4 billion. Investigators say the stolen data and compromised academic credentials directly benefited the Islamic Revolutionary Guard Corps and various Iranian state entities. The case now proceeds to a High Court judge for formal extradition hearings. The arrest follows recent warnings from U.S. cybersecurity agencies regarding escalating Iranian state-sponsored operations targeting critical domestic infrastructure.

A 19-year-old dual United States and Estonian citizen, Peter Stokes, has been extradited to face federal charges for his role as a core member of the UNC3944 (aka Scattered Spider, oktapus) cybercrime syndicate. Finnish authorities initially apprehended Stokes at the Helsinki airport as he attempted to board a flight to Japan. Prosecutors are accusing him of orchestrating multiple high-profile corporate breaches, using intense social engineering tactics against IT helpdesks to bypass multi-factor authentication controls.

Source: U.S. DoJ

In one notable May 2025 incident, UNC3944 compromised a multibillion-dollar retailer, demanding an $8 million ransom while inflicting over $2 million in operational disruption and remediation costs. UNC3944 operators are also responsible for more than 100 network intrusions globally, all of which yield upwards of $100 million in illicit extortion payments. Stokes remains in federal custody in Chicago, facing charges of fraud, conspiracy, and computer intrusion.

The Bad | Russian Intelligence Exploit Phishing Campaigns To Steal Signal Backup Keys

CISA and the FBI are warning that Russian state-sponsored threat actors have made large strides in evolving their phishing operations to target the backup recovery keys of Signal users. In an update to their March 2026 advisory, the two agencies attribute this ongoing activity to Russian Intelligence Services (RIS), including Russia’s Federal Security Service (FSB) Border Guards and the country’s military.

Tracked as UNC5792 and UNC4221, these campaigns specifically target high-value individuals, including government officials, military personnel, journalists, and policy analysts. Previously, operators focused on harvesting standard verification codes or tricking users into silently linking unauthorized devices. Now, they employ social engineering to access private communications without compromising the application’s underlying end-to-end encryption.

During targeted intrusions, attackers masquerade as official Signal support personnel and send direct messages falsely claiming the platform requires mandatory two-factor verification following alleged international cyberattacks. The operators systematically guide victims through the specific process of enabling the Secure Backups feature, instructing them to paste their newly generated recovery key directly into the chat interface.

Once adversaries obtain this critical key, they seamlessly download and decrypt the victim’s entire historical message archive onto their own controlled devices. Simply registering a new account under the same phone number does not natively invalidate a compromised key – users must actively generate a new backup key within their application settings to effectively secure future communications.

Source: U.S. Rewards for Justice Program

The U.S. Department of State recently announced a substantial reward of up to $10 million for information leading to the identification or location of these operatives. Through the Rewards for Justice program, federal authorities actively seek actionable intelligence regarding the syndicates’ operational infrastructure, illicit funding mechanisms, and direct affiliations with Russian intelligence services.

The Ugly | Unknown Hackers Breach Department of Homeland Security Information Network

The Department of Homeland Security is actively investigating a cyberattack that recently compromised its Homeland Security Information Network (HSIN). The network is an information sharing platform used by federal, state, local, and private-sector partners, specifically to share sensitive but unclassified data amongst the government and internationally.

According to an initial report, an unidentified threat actor orchestrated the intrusion between late May and early June. Investigators indicate that the attackers targeted the HSIN’s core servers alongside a SharePoint environment designed for extensive interagency collaboration.

Source: dhs.gov

While officials have not yet attributed the breach to a specific foreign government or syndicate, the full extent of data exposure remains unclear. The compromised platform routinely supports real-time incident management, intelligence exchange regarding persons of interest, and operational coordination. Because the United States is overseeing security for World Cup matches across the country, experts raise concerns that the intrusion could have exposed critical security planning, response procedures, and communication protocols.

In a public statement to the press, a departmental spokesperson confirmed the incident, clarifying that the breach strictly involved an unclassified legacy information-sharing environment. Security personnel promptly isolated the affected systems and mitigated the underlying vulnerability before starting forensics.

Officials emphasized that the attack did not impact classified networks, and the primary system remains operational for authorized partners. As the investigation continues, authorities strongly urge U.S. government staff, contractors, and associated partners to remain vigilant while defense teams harden the underlying infrastructure against further unauthorized network access attempts.



from SentinelOne https://ift.tt/5Sj2C6X
via IFTTT

European Parliament Member Investigating Spyware Was Hacked With Pegasus

A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc.

"Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations," the Citizen Lab researchers John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis, and Ron Deibert said.

The infections have not been attributed to a particular government at this time, and there is no evidence that the Greek government is behind the activity. However, the Canadian interdisciplinary research laboratory noted that it identified an overlap between the first infection and a previous campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe.

This indicates that a Pegasus customer with authorization to spy in multiple European countries is likely responsible for the effort, the Citizen Lab added.

Kouloglou was a member of the European Parliament's "Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware" from March 24, 2022, to July 18, 2023. The PEGA Committee was set up on March 10, 2022, to probe alleged misuses of commercial spyware offerings under E.U. law, specifically focusing on gathering information on the extent to which member states and other countries are using such tools in contravention of the region's rights and freedoms.

The Citizen Lab said that a forensic analysis of artifacts collected from his iPhone in May 2026 has found that it was compromised with Pegasus spyware on or around October 21, 2022, and again on March 6 and 7, 2023.

"On 2022-10-21 10:16, there was a lookup for a HomeKit email address rauharepo888[@]gmail.com. Two minutes later, a Pegasus process used mobile data," the researchers explained. It's assessed that a zero-click exploit in Apple's smart home software, codenamed PWNYOURHOME, was used to deliver the spyware. The issue was addressed by Apple in iOS 16.3.1.

The subsequent Pegasus activity observed in March 2023 is also said to have weaponized the same exploit. At both times, Kouloglou's device was running iOS 15.5. Further analysis of the phone has revealed that Kouloglou received Apple threat notifications about being targeted with mercenary spyware on three occasions: March 2, 2023, August 29, 2023, and April 10, 2024.

Interestingly, during the first time Kouloglou's phone was hacked, he was admitted to a hospital for elective surgery and had been visited by Greek investigative journalist Thanasis Koukakis, who had his own phone compromised with Intellexa's Predator spyware and had testified before the PEGA Committee a month before.

The timing of the second infection in March 2023 is also significant, as it coincided with the intense discussions related to the final drafting process, followed by a series of PEGA hearings. The incident took place two months before the adoption of the first PEGA Committee report.

The development marks the first time a member of the PEGA Committee has been publicly identified as a victim of Pegasus spyware while serving on the committee.

The connection between Kouloglou's case and the campaign targeting Russian and Belarusian-speaking independent journalists and opposition activists based in Europe is based on the use of the same email address "rauharepo888[@]gmail.com."

"In our understanding of Pegasus infection infrastructure during this period, we believe that these emails are unique to specific operators," the Citizen Lab said. "We are unable to say whether the second infection in 2023 is similarly connected to this operator, or a different operator."

"Based on what we know of NSO Group's licensing, this would likely indicate that the customer had a license that enabled infections in multiple E.U. jurisdictions, narrowing the list of potential Pegasus operators that could be responsible for this case."

The findings raise fresh concerns about how governments leverage spyware ostensibly marketed for combating serious crimes, such as terrorism and child sexual abuse, for spying on the communications of journalists, lawmakers, dissidents, and critics.

The development comes days after the Citizen Lab revealed that Russian authorities used Cellebrite's UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite announced it would stop offering its tools and services to Russia and Belarus.

"The authorities searched Pivovarov's devices for key organizations and contacts, as well as high-profile opposition figures," the Citizen Lab said. "Search terms included Mikhail Khodorkovsky, who founded Open Russia, Anastasiya Burakova, who was at the time a human rights lawyer at Open Russia and currently leads a prominent anti-war group, and Open Russia's former coordinator and Pivovarov's partner, Tatiana Usmanova."

Some of these individuals, including Burakova, were later targeted in a phishing campaign orchestrated by a Russian hacking group known as COLDRIVER, raising the possibility that the use of Cellebrite's tools may have helped facilitate reconnaissance and enable further targeting and surveillance of other regime opponents abroad.

Back in April, the Citizen Lab also uncovered two distinct, long-running spying campaigns that are abusing well-known weaknesses in the global telecoms infrastructure to track people's locations. Notably, these attacks do not necessitate malware deployment, making them stealthy and harder to detect.

One of two campaigns worked by sending a special type of text message with malicious hidden SMS commands to targets in an effort to "turn the device into a covert tracking beacon," the report said. The second campaign relied on weaknesses in Signaling System No. 7 (SS7) and Diameter signaling protocols to track an individual's whereabouts without requiring access to their devices.

The two campaigns are said to have abused three specific telecom providers, namely 019Mobile, Airtel Jersey (part of Sure Group), and Tango Networks U.K., that act as "surveillance entry and transit points within the telecommunications ecosystem" and "allow traffic to move through trusted signalling interconnections while granting access to threat actors that hide behind their infrastructure."

"Both actors used customized surveillance tooling to spoof operator identities, manipulate signalling protocols, and steer traffic through specific interconnect network paths to evade defenses and mask attribution," the digital rights organization said.

"The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years."



from The Hacker News https://ift.tt/6q81i4N
via IFTTT

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data.

The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source clipboard manager. It has been codenamed PamStealer owing to its ability to validate the victim's login password through the macOS Pluggable Authentication Modules (PAM) before capturing it.

The malware is delivered in two stages: A compiled AppleScript distributed inside a disk image that's designed to download and stage a follow-on payload. The secondary artifact is a Rust-based infostealer capable of credential theft, browser data collection, persistence, and exfiltration.

The initial access vector for the malware is a lookalike site ("maccyapp[.]com") that mimics Maccy ("maccy[.]app"). The AppleScript ("Maccy.scpt") present within the disk image executes a self-contained JavaScript for Automation (JXA) downloader that fetches and stages the stealer payload using native Objective-C APIs.

What's notable here is that the script, once launched via the Script Editor, displays instructions to run it using the "⌘ + R" keyboard shortcut or clicking the Run button from the Script Editor, causing the malicious logic hidden in the file below a large block of empty lines to be executed.

"Notably, this works even when the file still carries the com.apple.quarantine attribute, which is what makes the approach attractive to attackers as Apple continues to tighten Gatekeeper and Terminal," security researcher Thijs Xhaflaire said. "Combined with a Rust-based second stage and a password capture workflow that validates credentials locally through PAM, the result is a quieter execution chain than we typically observe in commodity macOS stealers."

The AppleScript dropper incorporates environment-aware features that allow the execution to continue only after fingerprinting the host and determining it's running on Apple Silicon. It does this by deriving a key based on the fingerprint, which includes details like the CPU architecture, locale, keyboard layout, and the time zone, and then using it to unlock an encrypted configuration that contains the payload URL and install path.

On Intel-based Macs, the derived decryption key differs and fails to decode the configuration, resulting in the termination of the dropper. The script also avoids execution within sandboxed or analysis environments, as well as systems whose time zone, system locale, and keyboard input resolve to countries located in Eastern Europe, such as Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Turkmenistan, and Georgia.

Once the checks pass, the script reaches out to the external server and downloads a Mach-O binary written in Rust that masquerades as the Finder app and is responsible for harvesting data from web browsers, cryptocurrency wallet extensions, iCloud Keychain, and clipboard content. The captured information is then encrypted and exfiltrated to attacker-controlled infrastructure ("avenger-sync[.]live") over an outbound HTTP request.

Besides coercing the user into granting it full file system access, the stealer serves a native password prompt that collects the victim's system password, and then validates the entered password by cross-checking it via the PAM API. If the validation fails, it asks the user to re-enter the password, and repeats the loop until the correct password is supplied.

"Once a valid password is captured, the stealer shows a second, counterfeit alert: 'Maccy is damaged and can't be opened. You should move it to the Trash,' a close copy of the genuine Gatekeeper message," Jamf said. "This is a decoy. By the time it appears, the payload has already run, captured the password and registered for persistence, so the message serves only to make the victim discard the lure and assume the download was broken."

Also built into the Rust binary is a small arm64 Mach-O that impersonates macOS System Settings and is used for setting up persistence.

The development has prompted Alex Rodionov, the developer of Maccy, to include a warning on their website and the GitHub repository, stating, "Beware of fake websites impersonating Maccy. Malicious sites (such as maccyapp[.]net and maccyapp[.]com) distribute malware disguised as Maccy. maccy.app is the only official website."

"Together, these behaviors illustrate how commodity macOS stealers continue to evolve, adopting quieter execution chains and native implementations that reduce traditional detection opportunities while remaining compatible with standard macOS features," Jamf said.



from The Hacker News https://ift.tt/H3bv7AV
via IFTTT

Thursday, July 2, 2026

Improving security posture across the Microsoft partner ecosystem

The Deputy CISO blog series is where Microsoft  Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Raji Dani, Vice President and Deputy CISO for Microsoft business functions, finance, and marketing dives into the importance of securing customer service solutions.

Following up on our previous post about managing risk in customer support operations, I wanted to share insight into how we manage the potential risk associated with another critical element of our ecosystem: Microsoft partners that we work with to help our customers deploy and manage some of our products.

While organizations often rely on a wide range of partners, including hardware suppliers and application developers, this post focuses on a specific category of trusted partners that many enterprises use to manage and maximize the value of their technology investments. For Microsoft, these partners are Microsoft Cloud Solution Providers (CSPs), and they help customers buy, manage, and optimize cloud services like Microsoft 365 and Microsoft Azure.

Like many organizations, Microsoft has a strong partner network that is a core part of the success of its services. Partners play a critical role in reaching and enabling broad customer segments and are core to our commercial business and go-to-market strategy. It’s therefore critical that we understand and manage risk in this space. This helps us ensure that the Microsoft partner ecosystem remains healthy, compliant, and effective, and ultimately helps drive the best outcomes for our customers. Keep reading to learn about the approach we have taken at Microsoft to secure this ecosystem, along with our roadmap for upcoming work in this space.

The risks facing partner ecosystems

As with the other business areas we have written about, the risks here are not theoretical. Threat actors, including nation-states, look to exploit partners as a vector to attack customers. Microsoft relies on its partners to engage deeply with customers across multiple scenarios. Cyberattackers in turn see this as a potential opportunity to exploit those customers through the infrastructure and platforms used by Microsoft partners.

CSPs often manage a large set of downstream customers, which means compromise of a CSP can have a large impact.

If not securely configured, a cyberattacker with access to a CSP’s tenant could potentially gain access to a broad set of customers managed by that CSP. As a result, CSPs can become targets of cyberattackers looking to steal large quantities of customer data or compromise customer resources in Azure. Again, these risks are not theoretical. We have seen nation-state attackers target our CSPs with this exact goal in mind.

This is a particularly challenging problem because securing this ecosystem depends on work taken on by both Microsoft and its partners. Microsoft provides the platforms that CSPs use to operate, while each partner manages their own tenants used for CSP operations. We need to ensure every element of this space is secure, since threat actors can exploit weaknesses in any part of the ecosystem.

How Microsoft secures its partner ecosystem

As with other key business areas, it is the goal of Microsoft to enable business success while managing risk. In the CSP scenario, this means building strong protections into the platforms that our CSPs depend on, enabling robust visibility into potential misuse of those platforms, and working with our CSPs to continually raise security standards within their own environments.

We continue to invest in strengthening security in this space at Microsoft. Our approach is guided by a set of core principles that can be applied broadly across partner ecosystems, helping organizations reduce risk and improve resilience. The following sections outline these principles and how Microsoft is implementing them in practice.

1. Partner vetting

Before an organization can begin operating as a CSP, it goes through a vetting process ensuring its validity. This process verifies the identity of the organization and ensures that it legitimately intends to operate as a CSP. This complements the work we are doing to improve CSP security posture. Partner vetting helps ensure that only legitimate organizations can enter the ecosystem, while CSP security posture improvements help enhance the operating standards of organizations already in the ecosystem. We continue to enhance these vetting capabilities based on an understanding of threat intelligence and cyberattacker trends.

2. Enhancing security posture of CSP tenants

Security in the CSP ecosystem is a shared responsibility, with Microsoft enforcing controls at the platform and control plane layer through mechanisms like granular delegated administrative privileges (GDAP), while CSPs are responsible for maintaining the security posture of their tenants. To reduce the risk of tenant compromise and limit negative downstream effects on customers, we have evolved CSP authorization to incorporate mandatory security requirements as a condition for obtaining and retaining authorization. This establishes a clear expectation that maintaining a strong security posture is not optional, but a prerequisite for operating as an authorized CSP.

As the threat landscape continues to evolve, we will periodically reassess the expectations associated with CSP authorization to ensure they remain aligned with the risks facing the ecosystem. This may, over time, result in refinements to the security baseline we define for our partners. We will continue to collaborate closely with our partners to maintain clarity and alignment as these expectations evolve.

3. Least privilege for access to downstream customers

CSPs require access to customer environments to perform their management operations. But this does not mean that a CSP needs unfettered access to those customer environments. Instead, access from a CSP to a customer tenant should follow the principles of least privilege and have strong role-based access control (RBAC). Access should only be granted with customer consent and should be constrained both in terms of scope and duration. The GDAP protocol enables CSPs to manage downstream customers based on these principles.

As part of this access control principle, we have built capabilities that allow internal Microsoft security teams to rapidly revoke a CSP’s GDAP access to customers when required. This capability can be used in a range of scenarios, including incident response, changes in partner status, or termination of a partner relationship. It helps ensure that access can be quickly withdrawn and contained when risks are identified, limiting potential impact to downstream customers.

4. Strong monitoring and response capabilities throughout the stack

Microsoft is responsible for providing strongly secured common platforms and key to that promise is robust telemetry, monitoring, and incident response capabilities across those platforms. We collect a high volume of diverse telemetry signals from across our platforms and analyze them to detect suspicious activity. This enables our security response teams to quickly identify and respond to CSP-targeting threats that arise from our platforms. Containing risk in this way is an important reason that Microsoft reserves the right to revoke a CSP’s GDAP access to downstream customers when required.

In short, we have made a set of improvements to the security posture across the CSP ecosystem, both at the Microsoft platform layer and at the partner tenant layer. Like all other areas of security, our work here is never completely done. We plan to continually enhance security across all of these areas as we learn more about cyberattacker trends and risks to the ecosystem.

Protecting partners and customers means protecting the ecosystem

The key lesson here remains that the platforms we provide to partners cannot be an afterthought when it comes to security. Even though these partner platforms are not directly part of the product or service infrastructure we maintain, Microsoft must treat them just like it does its “core” infrastructure. Cyberattackers do not care whether a given system is considered internal or marked for external use. If it gives them a way to achieve their goals (in this case the compromise of customers) they will look to exploit it.

This applies broadly to any organization working with partners. As the provider of a partner platform, there is a responsibility to protect both partners and customers by ensuring these platforms meet the highest security bar, and that is what we at Microsoft are working diligently to do.

Microsoft
Deputy CISOs

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series:

To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.

A professional man working on a laptop at his desk in a modern office setting.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Improving security posture across the Microsoft partner ecosystem appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/N2FMWhE
via IFTTT

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API.

"In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said in a detailed report published this week. "Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources."

The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser's management console in headless mode via a remote debugging port.

Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API. The technique has been codenamed Shadow Token via Remote Debug (STRD) by the Russian cybersecurity vendor.

What's notable about the attack is that it's viable on Chromium-based browsers and exploits an active Gmail session. In other words, the idea is to launch the browser in headless mode, connect via the remote debugging port to seize control, and leverage an already logged-in Gmail session to obtain access to the Google account resources.

Three different versions of Umbrij have been uncovered, including versions that feature helper functions for debugging and for searching and selecting user accounts within the browser.

ToddyCat is the name assigned to an advanced persistent threat (APT) that has a history of targeting various organizations in Europe and Asia since at least 2020. In November 2025, Kaspersky detailed the hacking group's use of a custom tool dubbed TCSectorCopy to lay their hands on Microsoft Outlook email data belonging to targeted companies.

The cybersecurity company said it discovered Umbrij during what it described as a "threat hunting operation," as part of which a scheduled task impersonating its software ("KasperskyEndpointSecurityEDRAvp") was used to launch a digitally signed file. The signed file then employed DLL side-loading to launch Umbrij.

To accomplish this task, three legitimate binaries susceptible to DLL side-loading were abused -

  • BDSubWiz.exe, a component of the Submission Wizard in Bitdefender ConnectAgent
  • VSTestVideoRecorder.exe, a component of the video-recording tool used for testing with Microsoft Visual Studio
  • GoogleDesktop.exe, a discontinued Google Desktop Search application used for indexing files and performing quick searches on a local Windows computer

Regardless of the executable used, the end result is the same: launching the rogue Umbrij DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator. The tool can also be invoked along with command-line parameters that specify which browsers to target (Google Chrome or Microsoft Edge), instruct it to save a screenshot of the user profile as a PDF file, and provide the system username under which the tool will run.

Umbrij workflow diagram

Umbrij, once launched, performs a series of preparatory actions on a compromised Windows host to breach the Gmail account -

  • Verify the availability of the port that will be designated for browser debugging.
  • Retrieve the user context by searching for the "explorer.exe" process and duplicating the token of the first such process it encounters in order to retain all of that logged-in user's privileges. Alternatively, the -user <username> switch can be used alongside the tool to specify the target user whose token needs to be duplicated.
  • Construct the path to the web browser application folder within the user's local application data repository and then parse the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles.
  • Enumerate all profiles and scan them for a field named "user_name" that includes an email address. It's worth noting that the presence of an email address signals that the user is authenticated to a Google service.
  • Create a directory called "BackupFiles" within "%LOCALAPPDATA%\Google\Chrome\" and "%LOCALAPPDATA%\Microsoft\Edge\."
  • Copy the following files and folders of each target user profile into them: IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. Should these files be locked by other processes, the tool includes a force-copy mechanism.
  • Search the "Program Files" and "Program Files (x86)" folders for the browser installation folder for Chrome and Edge.
  • Launch the browsers in headless mode by using the user profile copied to the "BackupFiles" folder, causing the browser to apply all active user cookies, including the signed-in Google account, and skip authentication.
  • Use Puppeteer, a JavaScript library used for controlling Chromium-based browsers via the Chrome DevTools Protocol, to connect to the remote debugging port and send an authorization code request to direct the browser to a "accounts.google[.]com/o/oauth2/v2/auth/identifier" URL containing a "client_id" that corresponds to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The HTTP GET request also specifies the set of permissions required by the application. Use JavaScript to emulate mouse click events to select the appropriate Google account after navigating to the URL and grant it the necessary permissions, including full access to Gmail, Drive, Contacts, Calendar, and Tasks.
  • Redirect the browser session to a local address specified in the initial request and extract the OAuth authorization code from it.

"Umbrij, like most other tools in ToddyCat’s arsenal, logs its actions in detail and saves them to a file," Kaspersky said. "It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host." 

"The acquired authorization code is then exchanged for an OAuth access token. The threat actors use that token to connect to the Gmail account through the API, thus compromising corporate email communications."

To counter the threat, it's advised to review the authorization codes granted to applications by navigating to "myaccount.google[.]com/connections" and then looking for applications named "Google Workspace Migration for Microsoft Outlook" or "Google Workspace Sync for Microsoft Outlook." If either of those applications is present and is not actually used within the organization, it's essential to revoke their access to invalidate the OAuth tokens.

"The ToddyCat APT group continues to search for ways of compromising corporate email communications," Andrey Gunkin, senior malware analyst at Kaspersky, said. "Their new tool, Umbrij, automates the attackers’ attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat’s strong motivation and advanced technical skills."



from The Hacker News https://ift.tt/HFyew81
via IFTTT

Identity Lifecycle Management Wasn't Built for AI Agents 

Identity lifecycle management was architected around a person with an employment record, a manager, and a departure date. AI agents have none of those. As autonomous principals proliferate across enterprise environments, the governance model built for humans develops structural blind spots that traditional IGA tools weren't designed to detect. This guide covers where that model breaks, what it fails to govern, and what extending it to agents actually requires.

What Identity Lifecycle Management Was Designed to Handle

To understand why identity lifecycle management breaks down around AI agents, you need to understand what it was built to do well and who it was built for. The entire architecture rests on a single foundational assumption: every identity maps to a human being whose organizational status changes through documented, HR-driven events.

The identity lifecycle management process governs access from an identity's first provisioning event through every modification it accumulates to its eventual deactivation. At its core, it's an event-driven control system built around three canonical transitions: joiner, mover, and leaver.

HR as the Authoritative Engine

The HR platform, whether Workday, SAP SuccessFactors, or ServiceNow HR, functions as the system of record that drives the entire identity and access management lifecycle. A new hire record triggers automated provisioning into Active Directory or Azure AD, which propagates entitlements to downstream applications through IGA connectors. A department transfer updates role attributes and recalculates the appropriate entitlement set. A termination event triggers deprovisioning workflows across all connected systems.

The strength of the model is its determinism. Access rights reflect a verifiable organizational fact: a person holds a specific role in a specific team under a specific manager. Role-based access control maps those attributes to defined entitlement sets, delivering the right permissions at onboarding without manual negotiation per account.

Identity governance lifecycle management builds accountability on top of that structure. Access certification campaigns route to the identity manager or application owner for attestation. Separation-of-duties controls detect conflicting permissions. Audit logs tie every provisioning action back to the originating HR event and the approver who authorized it, providing the compliance evidence that frameworks such as SOX, HIPAA, and PCI DSS require.

What the Identity Lifecycle Management Phases Enforce in Practice

When an employee changes roles, attribute updates automatically recalculate entitlements, revoking what the new role doesn't require and granting what it does. When an employee leaves, the HR termination event triggers deprovisioning across all connected applications. Certification campaigns run on a defined cadence to fill the gaps between events, requiring managers to attest to current access against current role requirements.

Every control in the standard identity lifecycle management phases assumes a human principal with an employment record, a manager relationship, and a predictable transition pattern. Access review workflows route to humans. Provisioning triggers are triggered by humans entering or changing their status in the HR system. Offboarding fires when a human's organizational status changes.

The model is coherent, auditable, and well-supported by decades of IGA tooling. It reliably governs the human identity population. The problem begins precisely at its edges, where the principals accumulating access inside enterprise environments no longer have employment records, managers, or departure dates.

Where AI Agents Fall Outside That Model

AI agents don't arrive through HR. They don't have employment records, reporting structures, or defined role profiles that map to entitlement sets. They are created by engineers, orchestration frameworks, or automated deployment pipelines, and they land in production with whatever permissions the developer scoped at creation time or whatever the platform granted by default.

That origin story breaks every assumption the identity lifecycle management model depends on.

No Authoritative Source, No Governed Entry Point

Standard identity and access management lifecycle controls require an authoritative source to initiate provisioning. For humans, that source is the HR system. For AI agents, provisioning typically happens through a developer committing a configuration file, a platform API call that instantiates a new agent runtime, or an orchestration layer like LangChain, AutoGen, or AWS Bedrock Agents spinning up a new execution context. None of those events touches an IGA platform. None generates a provisioning record tied to a defined identity owner.

The agent arrives with credentials already attached: a manually created service account, an API key generated and stored in an environment variable, or an OAuth grant issued through a developer consent flow. The IGA platform, if it sees the credential at all, treats it as a static machine identity with a fixed purpose. What it's actually dealing with is an autonomous principal that will make access decisions, traverse API boundaries, and accumulate behavioral scope in ways no static service account ever does.

Dynamic Scope in a System Built for Fixed Roles

Role-based access control works because human job functions are, within limits, predictable. A database administrator needs specific permissions. A finance analyst needs access to a defined set of systems. Entitlement sets get designed around those functions and updated when roles change through documented HR events.

AI agents don't operate within fixed functional boundaries. An agent built to summarize internal documents may, through tool-calling or RAG retrieval patterns, end up querying APIs it wasn't explicitly provisioned for, writing outputs to storage systems outside its original scope, or chaining actions across multiple enterprise systems to complete a task. The access surface expands at runtime, driven by the agent's objective-seeking behavior rather than by any policy decision made in advance by a governance team.

Identity lifecycle management phases weren't designed to govern runtime-expanding scope. They were designed to govern access defined at provisioning and adjusted at known transition points.

Simultaneous Multi-Environment Instantiation

A human identity exists in one place at a time. An AI agent can run as dozens of parallel instances across cloud environments, containerized workloads, and SaaS API surfaces simultaneously. Each instance may carry its own credential set, its own tool permissions, and its own session context, none of which is correlated in any IGA system.

In multi-agent architectures, the complexity compounds further. Orchestrator agents spawn sub-agents, delegate tasks, and pass credentials between execution contexts. The identity and access management lifecycle has no native model for a principal that forks, delegates, and recombines access rights dynamically across a distributed execution graph.

When an IGA platform encounters an agent identity, it sees a service account with an API key or an OAuth client credential. Identity governance lifecycle management tooling applies the same governance logic it applies to any machine identity: it checks for an owner, verifies the credential age, and notes whether the account appeared in the last access review.

What it doesn't see is that the account is actively making authorization decisions, traversing application boundaries, and operating with a degree of autonomy that no traditional service account possesses. The governance record looks static. The actual access behavior is anything but.

The Lifecycle Events Agents Never Trigger

The joiner-mover-leaver model works because human employment generates a continuous stream of structured events that governance systems can act on. AI agents generate none of them. Every control point in the standard identity lifecycle management phases depends on a signal that agent deployments never produce by design.

No Joiner Event, No Governed Entry

When a new employee joins, the creation of an HR record triggers provisioning. Access gets scoped to a role definition, routed through an approval chain, and recorded in the IGA platform with an owner attached. The identity enters the governance boundary on day one.

An AI agent enters production through a deployment pipeline, a Terraform apply, or a direct API call to an agent orchestration platform. No IGA workflow fires. No access request gets submitted. No manager approves the entitlement set. The agent's credentials, whether a service account, an OAuth client, or an API key, are created inline with the deployment, often by the same automated process that provisions the compute environment. The identity and access management lifecycle never receives a joiner signal, so the governance record for that agent starts as a blank.

No Mover Event, No Entitlement Recalculation

When a human employee changes roles, HR attribute updates flow into the IGA platform, triggering entitlement recalculation. Access appropriate to the old role gets revoked. Access required by the new role gets provisioned. The governance record reflects the current organizational reality.

AI agents change scope constantly, and none of those changes generate a mover event. An agent retooled to access a new data source, extended to call additional APIs, or redeployed against a different environment doesn't update any HR system. No IGA connector receives an attribute change. No access review fires to reconcile what the agent now reaches against what it was originally provisioned for. Identity governance lifecycle management has no visibility into scope expansion that happens entirely within the deployment layer.

No Access Review Signal

Periodic access certification depends on a manager or application owner receiving a review task tied to a specific identity. That routing logic requires an identity with a human owner on record and an organizational relationship that the IGA platform can traverse.

Agent identities accumulate permissions across deployment iterations without generating any of the signals that recertification workflows depend on. Each new tool integration, each additional API scope, and each expanded OAuth grant layer is added to the agent's access profile without triggering a review. The what is identity lifecycle management question, answered honestly for agents, is a model that produces no certification record, no attestation history, and no evidence of ongoing governance.

No Leaver Event, No Deprovisioning

Offboarding fires when an HR termination record closes the employment relationship. The agent equivalent, a deployment being retired, a workflow being deprecated, or a project being shut down, produces no equivalent signal.

Retired agent credentials persist in secrets managers, environment variable stores, and OAuth authorization servers long after the workload they served stopped running. An identity lifecycle management solution built around HR-triggered deprovisioning has no mechanism to detect that an agent is gone. The credentials remain valid. The access paths remain open. The governance record shows an active identity because, from the IGA platform's perspective, nothing has changed.

What This Means for Provisioning, Reviews, and Offboarding

The governance gaps described above aren't theoretical edge cases. They produce concrete risks, compounding them at every operational stage of an agent's existence. When provisioning has no defined scope, when reviews produce no actionable signal, and when offboarding has no trigger, the access surface expands in only one direction.

Provisioning: Over-Permission as the Default Starting Point

Human provisioning starts from a role definition. The IGA platform maps job functions to an entitlement set, and the new identity receives access calibrated to what that function requires. Scope is defined before the identity exists.

Agent provisioning works in reverse. A developer needs the agent to complete a task and grants access broad enough to ensure success. The path of least resistance across major cloud and SaaS platforms is permissive: AWS IAM policies default toward broad resource access when scoped to wildcards, OAuth consent flows issue all requested scopes without challenging individual permissions, and service account creation in Azure AD or Google Workspace carries no built-in entitlement governance check.

The agent arrives in production over-permissioned from its first moment of operation, with no minimum-necessary baseline, no approval chain, and no IGA record linking the granted access to a defined business requirement.

Access Reviews: Routing Logic That Finds No Owner

Certification campaigns in standard identity governance lifecycle management platforms route review tasks based on identity attributes, specifically manager relationships and application ownership records. A reviewer receives a list of identities and their entitlements, confirms each access grant remains appropriate, and submits an attestation.

Agent identities break the routing logic at its foundation. Most carry no manager attribute. Many have no defined human owner in the IGA platform. Where application ownership records exist, they typically point to a team rather than an individual, and that team's familiarity with what the agent currently accesses rarely matches what was originally provisioned.

When certification campaigns do reach agent identities, reviewers attest to the access record in the IGA system, which reflects what was provisioned at creation rather than what the agent has accumulated through iterative deployment changes. The attestation is formally complete and operationally meaningless.

Offboarding: Credentials That Outlive Their Workload

HR-triggered deprovisioning is deterministic. A termination record closes, the IGA platform sends deprovisioning instructions to every connected application, and the access path closes at a defined moment.

Agent deprecation generates no equivalent signal. A development team retires a workflow, archives the repository, and decommissions the compute environment. The service account persists in Active Directory or Entra ID. The API key remains valid in the secrets manager. The OAuth authorization grant remains valid on the authorization server. None of the systems that issued those credentials received a revocation instruction because no system monitored the agent's operational status in the first place.

Stale agent credentials aren't a minor hygiene issue. A long-lived API key with production database access, attached to a workload that no longer runs, is an ungoverned access path with no owner, no review history, and no expiration. In environments running large numbers of agents across iterative deployment cycles, those credentials accumulate faster than any manual audit process can keep up with.

The identity and access management lifecycle, as currently implemented across most enterprise environments, has no mechanism to detect agent inactivity, flag credential age against operational status, or trigger revocation when a workload goes dark.

How to Extend Identity Lifecycle Management to Cover Agents

Extending identity lifecycle management to cover AI agents doesn't mean retrofitting HR-driven workflows onto a principal type for which they were never designed. It means rebuilding the governance logic around the agent's actual operational characteristics: how it gets created, how its scope evolves, and how its operational life ends.

Automated Discovery Across Every Deployment Surface

Agent identities get created across cloud provider IAM systems, SaaS OAuth authorization servers, Kubernetes service accounts, secrets managers, and CI/CD pipeline credential stores. No single system maintains a complete inventory, and agents deployed through automated pipelines frequently appear in none of the places a traditional IGA platform looks for them.

A genuine identity lifecycle management solution for agents requires continuous, automated discovery that instruments the environments where agents actually live: reading IAM policy attachments in AWS and Azure, extracting OAuth client registrations from authorization servers, surfacing service account configurations from Kubernetes namespaces, and identifying API keys embedded in runtime configurations. Discovery has to be ongoing because agent deployments change faster than any quarterly audit cycle can capture.

Attribute Modeling Built Around Agent Behavior

Human identity attributes map to organizational structure: department, job title, manager. Those attributes anchor entitlement decisions and review routing. Agent identity requires an entirely different attribute model.

Each agent identity needs a documented owning team, a defined operational purpose, a bounded list of the systems and APIs it's authorized to reach, a deployment timestamp, and an expected operational lifetime tied to the workload it serves. Behavioral attributes matter equally: which APIs the agent calls, how often, and across which data surfaces. An identity governance lifecycle management approach built for agents treats observed access patterns as governance inputs, using behavioral baselines to surface permission grants the agent holds but never exercises.

Policy-Driven Provisioning Scoped to Agent Function

Rather than granting access at deployment time and reviewing it later, provisioning for agent identities should follow the same least-privilege logic that mature IAM program frameworks apply to privileged human accounts: define the minimum access the agent requires to perform its documented function, enforce that scope through policy at credential issuance, and attach the credential to a defined owner who carries accountability for any scope changes.

In practice, this means integrating agent provisioning into IGA intake workflows rather than leaving it entirely within the deployment pipeline. When an agent requires access to a production API or a sensitive data store, that request routes through an access governance control, not around it.

Continuous Behavioral Monitoring as the Review Substitute

Periodic access certification produces no actionable signal for agent identities. The operational substitute is continuous behavioral monitoring: tracking what each agent actually calls, comparing observed access against the provisioned entitlement set, and flagging divergence in real time.

When an agent starts calling APIs outside its provisioned scope, that divergence is a governance event requiring immediate response, not a finding to surface at the next quarterly review. Behavioral monitoring closes the gap left by recertification campaigns across the identity and access management lifecycle for agent principals.

Deprecation Workflows Triggered by Operational Status

Offboarding for agents requires a trigger mechanism that reflects operational reality. Inactivity monitoring tied to credential usage logs provides the signal: an API key that hasn't generated an authenticated request within a defined window is a candidate for revocation review. Scope change detection flags when a deployment modifies the permissions attached to an agent credential, generating a governance event that routes to the owning team for reauthorization.

Connecting those signals to automated revocation workflows, integrated with AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault, closes the offboarding gap without requiring a manual discovery step. The identity lifecycle management phases for agents end when operational status ends.

Where Orchid Security Fits In

Most enterprise IAM stacks govern the identity population they can see through their existing connectors. Agent identities, ungoverned credentials, and authentication paths that bypass the corporate IdP fall into the space that those connectors don't reach. That's the gap Orchid Security was built to close.

Continuous Discovery Across the Full Identity Surface

Orchid deploys lightweight orchestrators that instrument applications directly, extracting authentication flows, authorization logic, account configurations, and credential storage patterns from both managed and unmanaged environments. The result is a continuously updated identity inventory that reflects what the environment actually contains, including every agent identity, service account, and API credential that never passed through an IGA intake workflow.

For organizations asking what identity lifecycle management is in practice, Orchid's answer starts with visibility: you govern what you've found, and most programs haven't found everything.

An Identity Graph That Reflects Agent Reality

Orchid's identity graph maps every principal, human and non-human, to the authentication flows, entitlements, and application access paths it actually uses. For agent identities specifically, the graph surfaces the owning team, the provisioned permission set, observed behavioral patterns, and credential age, producing the attribute model that identity governance lifecycle management for agents requires, but traditional IGA platforms don't generate.

Guardrails for Autonomous Identity

Orchid's guardrails for the autonomous identity apply policy-driven controls directly to agent identity populations: scoped provisioning tied to documented agent function, continuous monitoring of behavioral divergence from provisioned entitlements, and deprecation workflows triggered by inactivity signals rather than HR events.

The platform integrates with existing IAM, PAM, and IGA infrastructure, routing remediation through the tools organizations already operate rather than replacing them. Governance scope expands to match the actual identity surface, including agent identities, and the identity and access management lifecycle extends to cover the principals that every traditional identity lifecycle management solution leaves outside its boundary.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/ZBK7j2Q
via IFTTT

XenServer 9 is here. You already own it. Now it’s time to put it to work.

Enterprises are under pressure from three directions at once: rising virtualization costs, increasing licensing uncertainty, and growing operational complexity. At the same time, many business-critical workloads remain on-premises or in hybrid environments. For these organizations, control over cost, performance, governance, and data sovereignty matters as much as agility.

For Citrix customers, the answer is closer than most realize. XenServer 9, generally available today, is included in the existing Citrix Platform License (CPL), Universal Hybrid Multi Cloud (UHMC), and Citrix for Private Cloud (CPC) entitlements, with up to 10,000 sockets at no additional cost. That changes the economics of the rethink entirely.

XenServer 9 for enterprise virtualization: reducing cost and operational complexity

XenServer 9 is built for organizations actively reassessing their virtualization strategy under cost pressure. It reduces operational complexity, strengthens security, and provides predictable lifecycle management across on-premises and hybrid environments. Beyond licensing, XenServer 9 simplifies infrastructure operations. A consolidated management plane, predictable lifecycle updates, and native integration with Citrix DaaS mean fewer tools, fewer handoffs, and a clearer upgrade path for environments that have grown over years.

How XenServer 9 simplifies virtualization operations and lifecycle management

While cost is often the initial driver for evaluation, long-term platform decisions are ultimately determined by operational impact. XenServer 9 is designed to reduce that burden by simplifying lifecycle management, upgrades, and ongoing system maintenance.

Instead of requiring large, disruptive upgrade cycles, XenServer 9 enables a more incremental and controlled approach to change. This helps infrastructure teams reduce operational risk while maintaining stability in production environments—particularly in large-scale or distributed infrastructures.

Improving performance, security, and reliability with XenServer 9

XenServer 9 strengthens the underlying platform, improving performance, security, and operational continuity. Workloads benefit from more efficient resource utilization and improved hardware alignment, helping deliver more consistent application performance across modern infrastructure environments.

At the same time, the platform introduces stronger security foundations, including hardware-level protections that help ensure system integrity from boot onwards. This reduces exposure to low-level threats and strengthens the overall security baseline for enterprise deployments.

Lifecycle and driver management have been improved to reduce disruption during updates and hardware changes. This allows organizations to maintain compatibility with modern infrastructure while reducing operational overhead during maintenance cycles.

While XenServer 9 is supported with any workload, it also enhances operational alignment in Citrix DaaS environments. By improving visibility at the infrastructure layer, it helps administrators understand the potential impact of maintenance and change activities on running workloads and end-user sessions. This supports more informed operational decisions and helps reduce the risk of unintended disruption during infrastructure changes.

How XenServer 9 helps regain control of virtualization cost and complexity

Taken together, these capabilities reinforce a clear message: XenServer 9 is a pragmatic response to the pressure infrastructure teams are facing today. It reflects a market reality in which cost, operational simplicity, and stability are tightly interconnected requirements that must be addressed together.

In this context, platforms are no longer defined by feature breadth, but by their ability to deliver predictable economics and operational stability over time. XenServer 9 is built for exactly that shift. It helps organizations regain control over their virtualization environments, reduce operational complexity, and establish a stable foundation for both current and future workloads across on-premises and hybrid environments.

Getting started with XenServer 9

XenServer 9 is available today at no extra cost for customers on CPL, UHMC, and CPC licenses.

To learn more about XenServer 9 or evaluate its fit for your environment, connect with your Citrix representative or explore the XenServer webpage.



from Citrix Blogs https://ift.tt/XeHTR5L
via IFTTT

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions.

"An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time," SOCRadar said in a new report published Wednesday.

The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations.

The large-scale credential-harvesting operation, which came to light last month, involved the threat actors systematically scanning the internet for exposed Fortinet devices, attempting to break into them using known credential combinations, and then deploying custom packet sniffers to passively gather credentials and other authentication data from network traffic.

The campaign is assessed to have targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process. The activity was exposed after an operational security error on the part of the attackers left a server containing credentials stolen from thousands of Fortinet appliances exposed on the internet.

The Golang sniffer is estimated to have been installed on about 12,000 Fortinet devices, making it a subset of the total number of networking gear targeted.

The latest findings from SOCRadar show that an operator with access to FortiBleed infrastructure was found logged in to both INC Ransom and Lynx negotiation panels, with victims listed by INC Ransom overlapping with data from the campaign. The links are based on one of the 200 newly discovered servers associated with the FortiBleed infrastructure that granted visibility into internal files, logs, and operational documentation.

Tooling, logs, and working hours indicate that the activity is the work of a Russian-speaking threat actor who likely operates as an initial access broker. Much of the targeting has singled out manufacturing, technology, and logistics sectors in Latin America and the Asia Pacific regions.

SOCRadar also said it discovered an internal document that indicates it's an organized operation comprising about 20 people with a clear division of labor. "A small core of lead operators drives most high-impact intrusions, backed by specialists and support staff," it added.

In addition, the threat actors are believed to be in possession of at least one zero-day vulnerability in Nextcloud. The threat intelligence firm said it's actively coordinating with the affected vendor.

The disclosure comes as eSentire said it observed threat actors exploiting a flaw in Fortinet FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities, and waste sector with the end goal of harvesting credentials from Chromium-based browsers and Firefox and exfiltrating them via PowerShell. 



from The Hacker News https://ift.tt/bxMPvVG
via IFTTT