Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories

A cluster of 23 deceptive Chrome browser extensions has been found stealthily overriding users’ default search engines and routing queries through monetization middleware before delivering results. “Each extension presents a different advertised purpose – satellite imagery, productivity tools, news readers, maps – while the actual business is search affiliate revenue,” security researcher Jean-Marie R. said. “The campaign spans at least 8 distinct monetization brokers and ~758,000 affected users. While this might look like simple adware, it is a real security risk. First, it is a massive privacy violation: every search a user makes is sent to anonymous third-party brokers. Second, because the operators control the web traffic, they can easily switch from showing regular search results to injecting phishing links or malicious downloads at any time – all without ever updating the extension code itself.”

A Russian-speaking attacker has been observed targeting victims mainly in Asia, North America, and Oceania across technology, media, and business services sectors using ClickFix lures to deliver an AppleScript-based infostealer to macOS users. The ClickFix pages masquerade as downloads for a malware scanning utility. “To evade detection, the entire infection chain, starting from the initial clipboard paste to payload execution, is completely fileless, leaving no static artifacts on disk until persistence is established,” Netskope Threat Labs said. “Victims are socially engineered into executing a curl command that fetches a gzip-compressed stager, which pipes the second-stage AppleScript directly into osascript memory.” The second-stage, codenamed “Meow (DEBUG),” uses a fake system dialog to harvest credentials, browser data, session cookies, and keychain contents. It’s also equipped with capabilities to trojanize legitimate desktop cryptocurrency wallet applications and maintain persistent command-and-control (C2) access, allowing the operator to run arbitrary payloads.

In another ClickFix campaign, threat actors have been spotted weaponizing Anthropic Claude’s shared chat feature, abusing the trust associated with a legitimate domain to deliver the MacSync credential-stealing malware. “Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ai’s own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware,” Trend Micro said. “The Asia-Pacific region bore the brunt of the campaign, accounting for 67.2% of all confirmed victims, with Taiwan alone representing 30.5% of total traffic, a concentration that points to deliberate geographic ad targeting rather than opportunistic spread.” As many as 106 unique malicious hostnames have been identified over a span of seven weeks across six distinct attack waves.Anthropic has since banned the accounts responsible, disabled the malicious shared conversations, and is implementing additional abuse mitigations for its shared chat feature.

Bitdefender haș warned of an ongoing phishing campaign impersonating hotels, resorts, and accommodation providers across more than 10 countries. “Unlike traditional travel scams that rely on generic phishing emails, this operation uses real booking information, localized messaging, and convincing hotel branding to trick travelers into handing over payment card details,” the Romanian cybersecurity company said. “Victims receive personalized messages containing names, stay dates, reservation details, and cancellation warnings. The campaign relies exclusively on WhatsApp, with no matching email or SMS infrastructure observed.” Observed languages include English, German, French, Spanish, Romanian, and Polish. Similar campaigns have been reported by Sekoia and Netcraft in the past.

Amazon Web Services (AWS) has announced a new artificial intelligence (AI)-powered security agent called AWS Continuum for code vulnerabilities, as models like Claude Mythos by attackers and defenders accelerate the ability to find and exploit vulnerabilities. AWS Continuum “addresses the full lifecycle of managing code vulnerabilities at machine speed. It continuously discovers vulnerabilities, validates which are genuinely exploitable, prioritizes them by business context, and helps you remediate them across the full stack within guardrails you define,” AWS said. The tech giant said the agent is model agnostic, and that it uses multiple frontier models where they perform best.

In a new report, WIRED said the U.S. government’s decision to restrict Anthropic’s Claude Fable 5 and Mythos 5 models came after it ordered the AI company to revoke South Korea-based SK Telecom’s access over its alleged ties to China.

Cisco has updated its February 2026 advisory for CVE-2026-20127, a critical privilege escalation flaw in Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, to note that the vulnerability also affects Catalyst SD-WAN Validator. The security flaw has been exploited as a zero-day since 2023 by a sophisticated threat actor known as UAT-8616. It allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request.

Manifold Security has flagged two high-severity local code-execution paths on a developer’s machine via a malicious repository in Cline, an AI coding agent VS Code extension with more than 4.3 million installs. The repository’s content, in turn, tricks the agent into executing attacker-supplied shell commands under the developer’s account, enabling access to credentials, source code, and other sensitive data. “Cline ships an Approve/Deny dialog and a “Safe Commands” auto-approve filter that are supposed to stop exactly this. Both fail,” Ax Sharma, head of research at Manifold Security, said. “Clicking the URL preview tile to verify where the agent is fetching from runs an OS-level command instead. The Approve/Deny dialog never gates the click. ‘Safe Commands’ doesn’t inspect commands. It asks the AI agent whether its own command is safe, and trusts the answer, even after the same agent has been manipulated by attacker content.” While the findings have been classified as “out of scope,” Cline plans to release fixes in an upcoming release.

Earlier this month, Calif used OpenAI’s Codex to discover an exploit called the HTTP/2 Bomb. Formally tracked as CVE-2026-49975, the vulnerability ironically chains together two features that were expressly designed to save internet bandwidth to help attackers amplify junk traffic by orders of magnitude. Imperva has since reported that attackers in the wild were “running specialized tools designed to map out” vulnerable servers. A working proof-of-concept (PoC) is publicly available. “Exposure in this set is led by communication services at 24.9% of observed assets, with information technology contributing 18.0% and healthcare close behind at 17.0%,” CyCognito said.

Cybersecurity researchers have discovered an “interesting attack” where an unknown actor leveraged a victim’s internet-facing terminal server as a phishing stager. Huntress said it recovered the full staging directory, including a legitimate bulk email software application (Gammadyne Mailer), a project file named dracii.mmp , and six target lists holding 8,894,920 email addresses. “The campaign impersonated the U.K. pharmacy chain Boots, using a ‘free gift’ survey as a lure,” the company said. “The payload it pointed victims at was hosted on a compromised Bolivian government website, ipelc.gob[.]bo.” The payload is a Boots phishing web page hosted within the /boots_store/ subdirectory that urges users to complete a survey and redeem a free gift by entering their personal and financial information.

An active phishing campaign is targeting banks to deliver Phantom Stealer, an infostealer that’s sold under a subscription model for between $70 to $240 by a threat actor operating under the alias Oldphantomoftheopera. “The attack begins with phishing emails containing malicious attachments disguised as business documents,” Fortra said. “Once executed, the malware runs entirely in memory, helping it evade traditional defenses. “The combination of targeted phishing delivery, advanced evasion techniques, broad credential harvesting capabilities, and a resilient multi-channel exfiltration infrastructure places this threat in the high-severity category.” Phantom Stealer targets major web browsers as well as Discord, Telegram, and Steam. It is also used to steal financial information, cryptocurrency assets, and collect keystrokes, screenshots, and clipboard data.

France’s cybersecurity agency ANSSI said it would stop certifying security products that lack quantum-resistant encryption starting from 2027. It also requires businesses to purchase only quantum-safe products by 2030.

According to local media reports, Estonia plans to implement additional security screening for emails sent from Russia’s .ru top-level domain before they reach government officials, citing heightened cyber risk. The new measures are expected to take effect starting August 31, 2026.

The U.S. Federal Trade Commission (FTC) revealed that Americans lost a staggering $3.5 billion to imposter scams in 2025, with reported losses nearly tripling since 2020. “These scams lured consumers through text, phone, email, social media, search engine results, and other means. Some of the costliest impersonation scams start with a fake security alert, often from a bank,” the FTC said. “People are convinced to move money to ‘protect’ it, with their losses often limited only by their available funds.” In all, about $16 billion has been reported lost in 2025 to all types of fraud.

Oleksii Oleksiyovych Lytvynenko, 44, has pleaded guilty to wire fraud conspiracy in connection with Conti, a ransomware variant that infected more than 1,000 computers and networks across the world. “Lytvynenko, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data,” the U.S. Department of Justice said. “Lytvynenko admitted to joining the Conti conspiracy no later than approximately September 2021. He admitted to possessing data from eight U.S. and four overseas victims, which had been stolen by Conti conspirators. Lytvynenko further admitted to joining a team run by a Conti conspirator during which time Lytvynenko was directed to work on coding a ‘loader,’ which is typically a type of malware, or malicious software, that is used to load programs necessary to execute other malicious attacks.” As of January 2022, Conti ransomware attacks resulted in at least $150 million in ransom payments. The Ukrainian national was extradited to the U.S. in October 2025. He is scheduled to be sentenced on September 10, 2026, and faces a maximum penalty of 20 years in prison.

Threat actors are abusing Steam Workshop to spread malware hidden in dozens of wallpaper packages, putting gamers’ accounts at risk. The activity has been active since late 2025. “The attackers are primarily targeting gamers in China and Russia, aiming to hijack their accounts,” Kaspersky said. “To pull this off, they are exploiting Wallpaper Engine – a popular live wallpaper app available on Steam – specifically leveraging its Workshop sharing feature. The malware is hidden inside the wallpaper packages users share with one another. Running one of these compromised wallpapers can lead to a stolen Steam account or leave the victim’s system infected with backdoors or crypto miners.”

Three npm packages, node-ci-utils@2.1.4, win-env-setup@3.0.6, macos-ci-utils@1.0.0, have been found to act as droppers for Linux, Windows, and macOS systems to deliver a previously undocumented post-exploitation framework codenamed NastyC2. “Written entirely in Rust, it implements over 80 commands spanning credential harvesting, Active Directory attacks, container escape, cloud metadata theft, and fileless execution,” Panther said. “The framework is comparable in scope to Cobalt Strike or Sliver, overlapping with both on BOF/COFF execution, reflective DLL loading, multi-technique process injection, AD-native Kerberoasting and DCSync, AMSI/ETW patching, SOCKS5 pivoting, and encrypted sleep.”

A malicious npm package named crypto-javascript@4.2.5 has been observed installing three different payloads, including a supply chain worm that spreads across six build ecosystems (Rust, Cargo, Python, CMake, and npm), a Monero cryptocurrency miner, and an exploit for Dirty Frag, a local privilege escalation (LPE) vulnerability impacting the Linux kernel. “All three run from memory, leaving no named file on disk,” Panther said. “The embedded kernel exploit carries a GCC build timestamp of 2026-04-30 1, seven days before public disclosure of the Dirty Frag vulnerability.” Although ELF timestamps can be forged, the development has raised the possibility that the threat actor may have had access to a working exploit code while details of the flaw were still under wraps.

An active campaign is leveraging a multi-stage loader called OnionDrop to deliver malware families like LegionLoader (aka CurlyGate), CGrabber, and Vidar Stealer. OnionDrop is an advanced piece of malware with extensive defense evasion and anti-analysis features. “The chain starts with a ZIP archive and a legitimate Adobe-signed executable used for DLL side-loading,” Cyderes said. “From there, the malicious DLL walks through four transformation stages: custom byte-pair decoding, Xpress Huffman decompression via RtlDecompressBufferEx, AES-256-CBC decryption with rotating key material, and final shellcode execution through TpPostWork callback abuse inside the Windows Thread Pool. This is a professionally engineered evasion framework that anyone with access can point at any target.”

The U.S. Federal Bureau of Investigation (FBI) has warned that scammers are instructing victims, usually senior citizens, to participate in cash pickups after engaging with them online by posing as individuals seeking business or romantic relationships. After establishing a relationship with the victim, the fraudster suggests investing in cryptocurrency and instructs the victim to download certain cryptocurrency trading applications and create investment accounts. “The scammers arrange for couriers to meet the victims in person to retrieve cash for fraudulent investments,” the FBI said. “Legitimate financial institutions may deny suspicious funds transfers by victims, so scammers inform victims in-person cash pickups are required to continue investing with the fraudulent investment firm or to pay purported fines to withdraw their investments. Alternatively, the fraudulent cryptocurrency exchange may inform victims their account has been ‘flagged,’ allowing the scammer to suggest the use of cash couriers as an alternative.” The dispatched couriers identify themselves using an agreed-upon code or a specific dollar bill serial number. When victims attempt to withdraw their perceived profits, the threat actors force them to pay non-existent taxes and penalties, again using couriers for cash pickups to continue the fraud.

CERT Polska has revealed that the Belarus-aligned Ghostwriter group has been running phishing campaigns targeting Gmail users through bogus messages designed to imitate official Gmail communications and trick recipients into clicking on malicious URLs that harvest their credentials. “These campaigns are carried out with high intensity, mainly on weekdays,” the agency said. “Notably, they enable the theft of two-factor authentication (2FA) credentials. In recent weeks, our team has observed the use of new domains serving phishing pages almost daily.” The campaign has targeted researchers, journalists, employees of public administration and law enforcement, and individuals connected to these groups through family or social relationships.

ReversingLabs has detailed a Microsoft 365 device code phishing campaign that makes use of Microsoft’s legitimate OAuth 2.0 Device Authorization Grant flow to obtain access to victim accounts. “The initial email sent to victims uses a lure that appears to be an approval for an estimate sent from a vendor to one of their customers,” security researcher Robert Simmons said. “Rather than stealing passwords through a counterfeit login page, the phishing kit persuades victims to complete a legitimate Microsoft authentication process that authorizes an attacker-controlled device.”

A new information stealer called OnyxC2 is being marketed on underground forums, giving customers access to a web panel and a payload builder. Most importantly, paying users are eligible for refunds if a build gets caught. “For $250 a month, operators get a kit that harvests browser credentials, password managers, two-factor authentication (2FA), and crypto wallets across roughly 210 applications and extensions, then ships it all back over an encrypted channel,” BlackFog said. “The stealer reaches 37 Chromium-based and 8 Gecko-based browsers, then 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication extensions. It also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients, with a further set of VPN, remote access, messaging, note-taking, and gaming targets.” A premium subscription is available for $500 per month. OnyxC2 also goes beyond a traditional steal by incorporating HVNC over a web browser, LSASS dumping, RunPE in memory and on disk, a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, and a reverse shell over HTTP, and a built-in TOR tunnel.

A new campaign has been observed delivering malicious files disguised as AI-related documents in phishing emails to install AsynRAT. The attachments are distributed in the form of ZIP archives containing a Windows Shortcut (LNK) file that acts as a starting point for a stealthy, multi-stage attack chain. “These lures are designed to target users actively seeking AI-related learning resources,” Fortinet FortiGuard Labs said. “The attack chain behind these files is remarkably complex, using multiple staged scripts to hide activity before ultimately deploying AutoHotkey-based loaders that reflectively inject a .NET remote access trojan [named clay_Client] and AsynRAT into memory for command-and-control communication and follow-on execution.”

Permiso Security said it discovered an “interesting and practically significant inconsistency” associated with serviceData, a field that has been deprecated in favor of metadata for obtaining service-specific information. “If serviceData were cleanly deprecated and services had migrated away from it, one would expect a predictable pattern: events after the deprecation date would stop populating the serviceData field and would start populating the relevant data in metadata instead,” security researcher Art Ukshini said. However, further testing has uncovered that some events still populate serviceData correctly, while others produce empty serviceData objects. The security company said this unreliable behavior of serviceData translates into a concrete set of security risks that can affect detection coverage, incident response, and compliance, requiring organizations to validate log telemetry end-to-end.

A variant of the Shai-Hulud worm has been found to include an adversarial prompt for “synthesizing weaponized biological agents suitable for aerosol dispersal” with an aim to target AI-powered malware scanners with an aim to trick the model into refusing a response for violating a safety guardrail, as opposed to classifying it as benign. “A refusal is supposed to be the safe outcome,” JFrog said. “It’s the model declining to do something harmful. Here, the refusal is the attack. If the scanner balks at the top of the file, it never reads the bottom, and the malware ships un-analyzed. Not because the model was fooled into trusting it, but because it was goaded into closing the book.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive, BOD 26-04, that prioritizes security updates for Federal Civilian Executive Branch (FCEB) agencies, requiring them to remediate high-risk vulnerabilities within accelerated timeframes based on internet exposure, presence of a vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, whether exploitation can be automated for large-scale attacks, and if the exploitation can translate to partial or total control of a system. Based on these risk factors, agencies may have to address these flaws within three days. The development is a sign that AI is not only lowering the barrier to exploit development and accelerating vulnerability research, but also allowing attackers to quickly incorporate newly disclosed flaws into their arsenal. “Cyber threat actors exploit unpatched vulnerabilities, and their use of AI may further narrow the time defenders have to react between patch release and possible exploitation,” CISA said. “These factors provide federal agencies with a comprehensive risk picture to make informed decisions that significantly reduce risk without burdening IT managers with extra processes that do not change outcomes.”