The outage began at 8:08 PT / 15:08 UTC on June 5, 2026, when Anthropic’s status page flagged elevated errors across several Claude models. An investigation was immediately launched, with Anthropic confirming disruptions across claude.ai, the Claude API (api.anthropic.com), Claude Code, and Claude Cowork services.

Recovery was staggered across model versions, according to Anthropic’s official status page:

• Opus 4.6 — recovered at 15:25 UTC
• Sonnet 4.6 — recovered at 16:23 UTC
• Opus 4.8 — recovered at 16:59 UTC
• Opus 4.7 — recovered at 17:12 UTC
• Opus 4.5 — recovered at 17:29 UTC

Full service restoration was confirmed by 18:27 UTC (6:28 p.m. UTC), with Anthropic stating: “Success rates across all models have returned to expected levels. We are continuing to monitor closely to ensure no further issues will recur.”

Anthropic engineers attributed the outage to infrastructure issues rather than a security breach, and as of 5:00 p.m. EDT, the company had not confirmed any customer data exposure.

However, the incident echoes prior security concerns. A January 2026 GitHub advisory documented a vulnerability in Claude Code’s project-load flow that allowed malicious repositories to exfiltrate Anthropic API keys.

This is not an isolated event. Anthropic’s Claude platform has experienced multiple outages throughout 2026, including a notable networking-related disruption in March affecting Opus 4.6 and Sonnet 4.6, and a worldwide outage in May 2026.

Claude.ai currently reports 99.3% uptime over the past 30 days, though security analysts warn that an AI system’s single-vendor dependency creates dangerous single points of failure.

Organizations integrating Claude API into production pipelines should consider the following mitigations in light of this incident:

• Implement exponential backoff and retry logic for API calls to handle elevated error states gracefully.
• Deploy AI-specific observability tooling to track token throughput anomalies and regional error spikes.
• Audit single-vendor AI dependencies and architect fallback model routing across providers.
• Monitor for cross-tenant data anomalies in inference outputs, especially during known degradation windows.

The incident underscores the growing challenge AI providers face as demand for large frontier models intensifies, where infrastructure strain can blur the line between performance degradation and potential data integrity failures.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Anthropic’s Claude Services Down — claude.ai, Claude Code, and Cowork Affected [Updated] appeared first on Cyber Security News.

The package, named “parsimonius,” was crafted to look almost identical to the widely used “parsimonious” library, a popular Python tool for building expression grammar parsers.

The single missing letter was no accident. It was a calculated move designed to trick developers into installing the wrong package without realizing it.

The attack relied on a technique called typosquatting, where a threat actor registers a package name that closely resembles a trusted one.

To make things worse, the attacker assigned the malicious package a version number that appeared newer than the legitimate release.

This made developers even more likely to install it, especially those relying on automated dependency resolution or who simply did not verify the full package name before clicking install.

Security analysts at Zscaler ThreatLabz identified the malicious package and shared their findings in a report with Cyber Security News (CSN).

According to the report, the package had already been downloaded 2,474 times before it was pulled from the repository.

That number, reached within just a matter of days, highlights how quickly supply chain attacks can cause widespread exposure across developer environments.

What made this campaign particularly crafty was how the attacker masked the malicious intent. The package actually included the real parsimonious parsing functionality, so developers using it would see completely normal behavior on the surface.

Underneath that legitimate facade, however, a Telegram-based backdoor was silently being deployed across every affected system.

Once the backdoor was active, attackers gained remote access to compromised environments and could harvest sensitive data directly from victims.

Their focus was specifically on .env files and bot authentication tokens, both of which are commonly packed with credentials, API keys, and secrets that open doors to much wider infrastructure access.

Hackers Publish Malicious Python Package

The malicious package was set up to operate on two levels at the same time. On the visible level, it behaved like a fully working parser library, keeping developers completely unsuspicious during normal use.

On the hidden level, it established communication with a Telegram bot, using the messaging platform as a command and control channel to receive instructions and quietly send stolen data out of the environment.

Using Telegram as a backdoor channel is a growing trend among threat actors because the platform is widely trusted and its traffic is far less likely to be flagged by standard network monitoring tools.

This makes it an attractive option for data exfiltration without triggering security alarms. Once established, the backdoor gave the attacker persistent remote access to every system where the package had been installed.

The version number was also chosen strategically. By setting it to appear more current than the real parsimonious package, the attacker increased the odds that automated tools or developers searching for the latest release would pull the malicious version without a second look.

Telegram-Based Backdoor and Data Theft Risks

The data targeted in this campaign was far from random. Focusing on .env files and bot tokens points to a deliberate effort to access broader infrastructure.

A single stolen .env file can expose database passwords, cloud service credentials, and secret keys that let attackers move laterally across entire systems or connected services.

Bot authentication tokens are equally dangerous in the wrong hands. Attackers who obtain them can take full control of bots embedded in business workflows, automated pipelines, or customer-facing services.

The downstream damage from that level of access can extend well beyond the original compromised machine.

Developers are strongly encouraged to always verify the exact spelling of any package name before installation. Using dependency audit tools that flag suspicious or newly registered packages adds a meaningful layer of defense.

Organizations should also rotate credentials immediately if a supply chain compromise is suspected and limit what sensitive data lives inside .env files in the first place.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser appeared first on Cyber Security News.

This shift is reshaping how attacks unfold, and the numbers are hard to ignore. According to ANY.RUN’s Q1 2026 Cyber Risk Report, based on over 2.1 million malware and phishing investigations, three trends are redefining the threat landscape.

Credential theft climbed by 14.7%, loader-based attacks spiked by 98.3%, and Living-off-the-Land Binary and Script attacks leveraging JavaScript surged by 58.4%. These figures describe attackers who are becoming quieter and faster at the same time.

Analysts at ANY.RUN noted that the growing reliance on trusted tools is making attacks much harder to detect. When attackers use the same software administrators rely on to run their systems, traditional signature-based detection often fails to raise an alarm.

The challenge is no longer just finding malicious files but understanding whether a normally safe tool is being abused.

ANY.RUN said in a report shared with Cyber Security News (CSN) that early-stage compromise is one of the most overlooked risks in modern security operations.

The report found it takes just 21 seconds for an attacker to establish persistence after initial access, and only 16 seconds for Living-off-the-Land execution to begin. These margins do not allow a slow response.

The broader concern is that the gap between infection and full system compromise is narrowing fast. Security teams not equipped to investigate threats in real time are at increasing risk of falling behind before they even realize an attack has started.

Hackers are Increasingly Weaponizing Trusted Tools

The concept of “living off the land” refers to attackers using tools already present on a target’s system, such as PowerShell, Windows Script Host, or JavaScript environments, rather than deploying external malware.

This approach makes malicious activity blend with normal operations, drastically cutting detection chances.

The Q1 2026 report shows LOLBAS attacks using JavaScript grew by 58.4% during the quarter. Attackers exploit built-in scripting tools to execute malicious code without dropping a traditional malware file on disk.

This fileless approach is particularly effective against endpoint solutions that rely on file scanning rather than behavioral monitoring.

What makes this trend especially alarming is the speed at which these attacks unfold. When initial access is gained, persistence is established within seconds, leaving a razor-thin window for defenders to respond.

Credential abuse combined with native tool exploitation allows attackers to operate quietly for long periods without triggering any alerts.

Detection in this environment demands a new approach entirely. Behavior-based monitoring and anomaly investigation are now essential for any organization serious about security. Waiting for a known malicious file to appear is simply no longer a viable strategy.

The Rising Cost of Delayed Detection

Perhaps the most striking insight from the report is not the variety of attack techniques but how quickly they play out. Persistence can be established in just 21 seconds after initial compromise, exposing a serious gap in how most organizations approach threat detection today.

Loader-based attacks grew by 98.3%, nearly doubling in a single quarter. These tools operate in the earliest phases of an attack to download and execute additional malware on a compromised system.

Their rapid growth signals that threat actors are focused on securing a foothold first and escalating later. Identity remains a primary target, with credential theft rising by 14.7%.

Attackers armed with valid credentials can move through a network appearing as legitimate users, making it very hard to separate malicious behavior from normal activity. This is where behavioral analytics and rapid triage become critical.

The report recommends that security teams prioritize early-stage threat visibility and invest in real-time investigation capabilities.

Reducing investigation delays, confirming exposure faster, and strengthening detection coverage across all major platforms are the core priorities for Q2 2026. Organizations acting on these findings will be far better positioned to limit damage when the next wave arrives.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware appeared first on Cyber Security News.

Researchers have found a Magecart attack that uses Stripe, the widely used online payment service, as both its command center and its data dump.

Instead of pointing stolen card data to a shady server, attackers are routing everything through infrastructure that online stores already fully trust.

What makes this attack especially dangerous is how invisible it is to most security tools. The malware never loads from a domain the attacker owns.

Instead, both the payload and the stolen card data travel through api.stripe.com, a domain that virtually every e-commerce store allows by default. That means the traffic filters and security policies that would normally catch a skimmer simply let this one pass through.

Analysts at Sansec, a firm specializing in e-commerce security, identified this Magecart family and published their findings on June 4, 2026.

According to a Sansec report shared with Cyber Security News (CSN), Sansec said the attacker stores the card-stealing code inside a Stripe customer’s metadata, then runs it on checkout pages before writing stolen card numbers back into the same account disguised as fake customers. Stripe is being used as free criminal infrastructure.

The attack also relies on Google Tag Manager to deliver its initial loader. Real GTM containers, including one identified as GTM-P6KZMF63, were planted with a custom tag and served directly from googletagmanager.com.

This lets the loader blend in alongside a store’s legitimate analytics tags, making it much harder to detect without a careful manual audit.

The campaign appears to have been running since at least December 2025, based on the creation date of the Stripe account used in the attack.

The record was created on December 24, 2025, using what looks like a default template from Stripe’s own sample data, complete with a placeholder name and email address.

New Magecart Attack

The malware splits its work into three steps. First, the loader embedded inside a real GTM container fires on every page it loads.

When it detects a checkout page, it reaches out to a specific Stripe customer record controlled by the attacker and pulls down the skimmer code in chunks stored across multiple metadata fields.

Once downloaded, the skimmer attaches itself to the checkout button and waits. The moment a shopper clicks to complete a purchase, it captures the full card number, expiration date, CVV, billing address, and order total.

That data is then XOR-encoded and quietly stored in the browser’s local storage rather than being sent right away.

The actual theft happens on a delay. A separate routine checks for stored card data one second after each page load, and again every 60 seconds after that.

When it finds a record, it splits the data in half and posts it to Stripe’s customer API as a fake entry. The attacker can later retrieve all stolen cards by simply listing customers in their own Stripe account.

A Second Variant Using Google Firestore

Sansec also found a related variant that swaps Stripe for Google Firestore, Google’s cloud-hosted database service.

This version pulls its skimmer payload from a Firestore document inside a project named braintree-payment-app, a name chosen to look like normal payment traffic and avoid raising any flags.

Both variants follow the same core idea: abuse a mainstream, trusted cloud service as a hidden channel that no standard security rule would block.

The Firestore variant shows the attacker group is actively building out multiple delivery channels for their skimmer toolkit.

Sansec recommends that store owners audit all client-side scripts for any Stripe secret keys, since no legitimate front-end code ever carries one.

Any api.stripe.com or firestore.googleapis.com calls found in browser JavaScript should be treated as a sign of compromise. Store owners should also review every tag inside their Google Tag Manager account and remove anything they did not personally add.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Magecart Attack Turns Stripe into a Malware Command Server appeared first on Cyber Security News.

Hola Browser for Windows, used by millions of users around the world, was found distributing an unexpected executable file alongside its legitimate installer.

The file, named me.exe, was not part of the browser’s declared software package, and it appears to have been silently dropped onto users’ systems without their knowledge or consent.

The issue came to light during a routine certification review conducted through the AppEsteem Windows Certified Application program.

AppEsteem, an AMTSO-certified organization founded in 2016, runs periodic validation tests to confirm that certified software matches its declared and approved installation footprint.

During one such test involving Hola Browser version 1.251.91.0, the unexpected file was detected sitting inside the browser’s installation directory at C:\Program Files\Hola\me.exe.

Analysts at Sophos X-Ops identified the suspicious file and flagged it as a Potentially Unwanted Application during the certification test.

According to Sophos report shared with Cyber Security News (CSN), Sophos noted that the binary was not code signed, carried no timestamp, contained obfuscated code, and had memory-write capability.

While each of these traits alone might not raise an alarm on its own, together they painted a clear picture of something that had absolutely no business being bundled with a certified application.

Further investigation revealed that the file did not appear in every single test run, which ruled out the possibility of it being hardcoded into the installer itself.

This inconsistency pointed instead to a delivery-path issue, suggesting that the binary was being pushed through the update distribution pipeline under specific conditions.

In short, AppEsteem had certified one clean version of Hola Browser, but some users were receiving more than what had been certified.

After the issue was escalated through AppEsteem to Hola, the company confirmed that me.exe was never meant to be part of their installer.

Hola’s CEO Avi Raz Cohen acknowledged that their internal monitoring had also detected the anomaly, and independent cybersecurity firm Sygnia was brought in to conduct a thorough forensic review.

Sygnia’s findings confirmed this was a supply chain compromise, with the incident affecting roughly 0.1% of users and no user data accessed or exfiltrated at any point.

Hola Browser for Windows Delivery Pipeline Compromised

The me.exe binary appears to be based on XMRig, a well-known open-source crypto-mining tool. When run with administrative rights, the file copies itself to a new path within the Hola directory and registers itself as a Windows service named hola_monitor_svc.

This service is set to autostart and activates specifically when the host machine is idle, making it harder for the average user to notice any unusual activity or performance slowdown.

To avoid detection, the binary also performed a Windows Defender exclusion, effectively asking the operating system to ignore its presence entirely.

The strings found inside the file, including references to stopping the miner when a user becomes active, suggest it was carefully designed to run quietly in the background at all times. Sophos has classified this particular threat under the detection name Troj/GoMiner-B.

Supply Chain Risk and Pipeline Integrity

This incident is a strong reminder that even certified and trusted software can become a vehicle for malicious payloads when the delivery pipeline itself is compromised.

The fact that the file did not appear consistently across test environments made it harder to catch through standard certification checks alone.

It took a combination of third-party testing and security vendor telemetry working together to ultimately surface the full scope of the issue.

Following the discovery, Hola rebuilt its distribution pipeline from the ground up, introduced advanced code-signing verification, and tightened access controls across its entire infrastructure.

The company also committed to continuous monitoring to ensure that only declared and properly signed components ever reach end users going forward.

The outcome here represents the certification ecosystem working as intended, with an integrity problem caught, escalated, and fully resolved before it could grow into something far more damaging.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer appeared first on Cyber Security News.

The malware exploits a stack buffer overflow flaw in the UPnP service of affected routers, letting attackers gain full access without any credentials. Once inside, it works to actively recruit the compromised device into a rapidly growing botnet network.

What sets C0XMO apart from earlier Gafgyt versions is its modular design and ability to target multiple Linux processor architectures at once.

Attackers built the malware to compile and deliver architecture-specific payloads, giving it a broader reach than most IoT-targeting threats seen before. It also includes Python-based scanning scripts that help it move laterally across networks and locate new targets automatically.

Analysts from Fortinet’s FortiGuard Labs identified and analyzed the C0XMO variant, with a report shared with Cyber Security News (CSN).

According to FortiGuard Labs, the malware was first discovered in March and has since been observed actively exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of certain DD-WRT router firmware.

The flaw is triggered when an oversized ST:uuid value is sent in a crafted M-SEARCH request over UDP port 1900.

The broader impact of C0XMO is still being assessed, but the threat is significant given how widely DD-WRT firmware is deployed across home offices and small businesses worldwide.

Attackers are not only targeting routers — the malware also attempts to exploit exposed Android Debug Bridge connections to take over Android devices. This cross-platform approach signals growing sophistication among IoT botnet operators.

Beyond its primary attack path, C0XMO can launch distributed denial-of-service attacks once a device is recruited.

It also leverages CVEs targeting D-Link devices, GLPI project software, and Avtech DVR cameras, widening the attack surface considerably. Security teams managing mixed device environments should treat this threat as active and ongoing.

New Gafgyt Variant Targets Multiple Linux Architectures

One of the most technically notable aspects of C0XMO is how it separates lateral movement into a standalone Python script.

This design lets the botnet scan and probe networks independently of the main malware body, making it more flexible and harder to detect. The script identifies reachable hosts and determines the target’s architecture before delivering the appropriate payload.

The malware targets a range of Linux architectures including ARM, MIPS, and x86, covering routers, IoT sensors, and embedded devices broadly.

For each type, it downloads and executes the correct compiled binary, letting the botnet grow across different hardware in a single campaign.

This modular, multi-architecture design was previously more common among advanced threat actors, and its presence in an IoT botnet marks a clear escalation.

Fortinet researchers also observed the malware connecting to a command-and-control server after infection, waiting for DDoS commands and expansion orders.

The scanning modules run continuously in the background, identifying new devices and forwarding details to operators. Brute-force authentication attempts against reachable services were also noted as part of its traversal routine.

Exploitation of Known CVEs and Defensive Recommendations

C0XMO’s success depends on known, unpatched vulnerabilities that have had available fixes for some time. CVE-2021-27137 in DD-WRT, CVE-2015-2051 in D-Link devices, CVE-2022-35914 in GLPI project software, and multiple Avtech DVR camera flaws are all part of its exploit toolkit.

The persistence of these flaws reflects how slowly patching tends to happen across the IoT space. Users running affected devices should prioritize firmware updates right away.

Disabling UPnP on DD-WRT routers where it is not needed eliminates the primary entry point C0XMO relies on. Blocking external access to UDP port 1900 with firewall rules can also reduce exposure considerably.

Monitoring network traffic is equally important for catching infections early. Unusual outbound connections, unexpected UDP traffic spikes on port 1900, and brute-force login attempts are all signs of possible compromise.

Security teams should focus attention on older and unmanaged IoT devices, which often remain unpatched and make ideal targets for campaigns like this one.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation appeared first on Cyber Security News.

The issue affected Windows devices configured with policies designed to prevent automatic updates, particularly in enterprise environments where strict update governance is enforced.

Despite these controls, some users observed that drivers were being installed without administrative approval, raising concerns about policy enforcement and endpoint integrity.

The incident, tracked under Microsoft reference MO1332784 and NHSmail reference INC46841357, was first reported on June 3, 2026, and officially resolved on June 4, 2026.

According to Microsoft’s investigation, the root cause was linked to a failure in a caching service used by Windows Update.

Microsoft 365 Degradation Bypassed Windows Driver

This service temporarily dropped device enrollment information, which is critical for identifying systems managed under enterprise policies such as Microsoft Intune or other MDM solutions.

When this enrollment data was lost, affected systems were mistakenly classified as non-enrolled devices. As a result, standard driver approval restrictions were not applied, allowing drivers to be installed automatically.

Microsoft clarified that all drivers deployed during this period were officially signed and approved by Microsoft.

The company emphasized that these drivers do not pose a direct security threat, as they passed Microsoft’s standard validation and signing processes.

However, the incident highlights a significant gap in policy enforcement mechanisms, particularly in environments that rely on strict compliance and change-control procedures.

From a security perspective, although no malicious activity was involved, the event raises concerns about trust boundaries and update channels.

Unauthorized or unexpected changes to system drivers can still impact system stability, compatibility, and audit compliance.

In regulated sectors such as healthcare and finance, even approved changes outside defined processes can trigger incident reviews.

Microsoft stated that the issue has been fully mitigated following validation from affected users. Systems have resumed normal behavior, and configured policies once again govern driver installations.

The company is continuing its internal review to understand how the caching service failure occurred and to improve resilience against similar disruptions.

This incident serves as a reminder that even trusted update mechanisms can introduce operational risks when underlying service dependencies fail.

Security teams are advised to review endpoint logs for unexpected driver installations during the affected timeframe and to ensure monitoring is in place to detect policy deviations.

Microsoft’s ongoing analysis is expected to lead to improvements in detection and recovery mechanisms within Windows Update services, reducing the likelihood of similar issues in future deployments.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls appeared first on Cyber Security News.

The updated build, now called Reaper, spreads through fake websites that impersonate popular software, luring unsuspecting users into a trap.

Once inside a system, it can silently drain everything from browser credentials to cryptocurrency wallets before the victim ever notices anything is wrong.

What makes this version particularly worrying is the attack method it uses to get onto your Mac. Instead of relying on the old trick of asking users to copy and paste a script into their Terminal, Reaper automates the process entirely.

It uses a fake webpage to silently open your Mac’s Script Editor, pre-loaded with malicious code, and all a user has to do is click one button to unknowingly launch the infection.

Researchers at Moonlock identified and reported on this new SHub Reaper campaign, noting this is already the third time in under two months that this automated ClickFix technique has appeared across separate macOS malware campaigns. 

Moonlock said in a report shared with Cyber Security News (CSN) that the trend of automating ClickFix is picking up speed among macOS threat actors who tend to copy proven tactics from one another.

The campaign also goes to great lengths to appear trustworthy. Attackers spoof well-known brands and host malware payloads on domains that look nearly identical to legitimate ones.

They pass off malware downloads as Apple security updates and use fake Google Software Update pathways to plant persistent backdoors deep inside the victim’s Mac.

This level of deception is what makes SHub Reaper stand out even among other Mac stealers. By blending into the familiar look of trusted software tools and brands, the malware significantly lowers a user’s guard.

The result is a stealthy, multi-stage attack that ends with stolen data, drained wallets, and an attacker-controlled backdoor running quietly in the background.

SHub Stealer Targets Browsers and Crypto Wallets

The Reaper build is a significant upgrade over previous versions of SHub Stealer. Earlier builds could already steal browser data, macOS Keychains, iCloud account data, and Telegram session information.

The new version goes much further, now targeting Chrome, Firefox, Brave, Edge, Opera, Vivaldi, Arc, and Orion browsers, along with their extensions.

What truly sets Reaper apart is how it handles cryptocurrency. Rather than installing a fake wallet app, Reaper digs into the code of legitimate desktop wallet applications already on the Mac and quietly modifies them to steal funds.

Targeted wallets include Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite. The malware also carries an AMOS-style Filegrabber that hunts through Desktop and Documents folders for valuable files, including .docx, .wallet, .key, .csv, .xls, and .json formats.

Once it collects everything, Reaper bundles the stolen data and quietly sends it to an attacker-controlled server using curl, a legitimate macOS command. Before exiting, it installs a disguised backdoor that registers itself as a Google update service to survive reboots and remain hidden.

How to Protect Yourself From SHub Reaper

Staying safe from Reaper starts with understanding how it gains entry. The malware relies heavily on social engineering, tricking users into doing something that appears normal but actually hands over system access.

If a webpage suddenly opens your Script Editor or Terminal and asks you to click Play, close that window immediately. That is not how legitimate software behaves.

Users should never enter their Mac system password into a pop-up that appears right after installing software. If any program asks for your password the moment after installation, treat that as a clear warning sign.

For those holding cryptocurrency, moving funds to an offline cold wallet or a separate dedicated device is far safer than keeping wallets on your primary Mac.

Keeping your operating system and security software consistently updated gives your defenses a much better chance of catching new stealer variants before they cause lasting damage.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets appeared first on Cyber Security News.

That trust, it turns out, is being quietly exploited. A growing wave of malicious Google Chrome extensions is secretly harvesting those conversations and sending them off to unknown servers, all while pretending to help users get more out of their AI tools.

The scale of this problem is hard to ignore. As of March 2026, AI-related Chrome extensions had already accumulated roughly 115 million users worldwide, according to Chrome Statistics 2026.

That enormous user base makes these extensions an attractive target for threat actors looking to scoop up valuable data with little effort and even less visibility.

Analysts at G Data published a report shared with Cyber Security News (CSN) exposing three specific extensions: Urban VPN, Smart Sidebar: ChatGPT, Claude and DeepSeek, and AI Assistant, now rebranded as Chat AI.

These add-ons carried strong ratings and large user counts on the Chrome Web Store, giving them a false air of credibility while their true behavior lurked beneath the surface.

What makes this campaign dangerous is the type of information being put at risk. Users routinely share deeply personal details, confidential business data, and medical information with AI platforms.

Whoever intercepts these conversations gains access to material that can be weaponized for fraud, blackmail, or corporate espionage with alarming ease.

The method these extensions use is calculated and deliberate. They quietly inject scripts into the browser, intercept outgoing network requests, and siphon off conversation data before it reaches its intended destination. Victims rarely notice because the AI platforms continue to function exactly as expected.

Malicious Browser Add-Ons

Urban VPN is the most widely recognized name in this group. Marketed as a free, privacy-focused tool with a 4.7-star rating, version 5.10.3 contained a hidden JavaScript file called “content.js” that targeted conversations across eight AI platforms, including ChatGPT, Claude, Copilot, Gemini, and DeepSeek.

Data collection ran continuously in the background, regardless of whether the VPN was even switched on.

The extension injected an executor script that intercepted network requests before they left the device, rerouting data through its own code.

Smart Sidebar took a similar approach: in version 1.9.6, it embedded a file called “aiResponder.js” inside a directory labeled “gptprocessor,” monitoring visits to ChatGPT and DeepSeek and capturing each chat interaction as it occurred.

Smart Sidebar’s collected data was encoded in Base64 and sent via a POST request to the domain “deepaichats[.]com,” already flagged by multiple security vendors on VirusTotal.

The encoded payload carried the unique chat ID, the AI platform visited, a timestamp, and the full conversation, forming a complete record of everything the user typed and received.

iFrame Injection and the Chat AI Threat

The third extension, AI Assistant, now called Chat AI, used a different but equally concerning approach. Despite holding a “Featured” badge from the Chrome Web Store and over 70,000 users, version 3.3.4 embedded a remotely loaded chat interface inside a hidden iframe.

It pulled user preferences from browser storage and forwarded that data to a newly registered, unverified external URL through a messaging system.

This iframe injection allowed the extension to sit between the user and the AI platform, quietly observing everything passing through it. Because the interface looked and behaved like a real assistant, users had no reason to suspect anything was wrong.

G Data recommends installing extensions only from trusted, official sources. Applying the Principle of Least Privilege is also key, meaning extensions should only receive the minimum permissions they need for their intended function.

Users should regularly review installed add-ons and remove anything requesting access it does not need. In organizational settings, administrators should enforce group policies that restrict browser extensions from accessing sensitive platforms, including AI tools.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users appeared first on Cyber Security News.

Agentic AI, which refers to AI that can plan and carry out multi-step tasks on its own, is now a target for attackers in ways that go beyond what traditional security models were built to handle.

As these systems move from research labs into real-world production environments, the threats they face are becoming more varied and more difficult to detect.

For much of the past year, security researchers have been putting agentic AI systems through rigorous testing to understand where they break down.

What they found was not just a handful of edge cases but a consistent pattern of exploitable weaknesses spanning supply chains, inter-agent communication, and the safeguards meant to keep humans in control.

The most alarming finding was that attackers can build chains that bypass human oversight entirely, from start to finish, without any additional interaction from a person.

Analysts at Microsoft identified and formally documented these findings through a comprehensive red team program targeting deployed agentic AI systems. 

Microsoft said in a report shared with Cyber Security News (CSN) that twelve months of real-world engagements informed a major update to their Taxonomy of Failure Modes in Agentic AI Systems, moving it from version 1.0 to version 2.0 with seven entirely new failure mode categories added.

The scale of the ecosystem being targeted became clear when the open-source framework OpenClaw launched in January 2026 and accumulated over 336,000 GitHub stars within 48 hours.

A security audit shortly after identified 512 vulnerabilities, including CVE-2026-25253, a one-click remote code execution flaw via WebSocket hijacking. Over 1,800 exposed instances were leaking API keys and credentials in that first week alone.

The Model Context Protocol, or MCP, which became the standard way for AI models to connect with external tools, also became a significant attack surface.

In 2025, researchers documented 99 CVEs tied to MCP-related software, and tool poisoning shifted from a theoretical concern to something attackers were actively doing in the wild.

Zero-Click Human-in-the-Loop Bypass Attack Chains

The finding that drew the most serious attention was how reliably red teamers bypassed human-in-the-loop controls, the checkpoints designed to require human approval before an AI agent takes a sensitive action.

Attackers achieved this through consent fatigue, gradually wearing down the review process with repeated low-stakes requests until a high-impact action slips through.

More critically, several engagements produced zero-click end-to-end chains where no human interaction was required beyond the initial agent launch, yet the outcome included data exfiltration or lateral movement through the target environment.

These chains worked by combining multiple failure modes, each individually subtle, into a compound attack that no single checkpoint could catch.

Session context contamination, where early-stage injected data quietly shaped the agent’s reasoning in later steps, proved especially hard to detect because nothing about any individual step looked suspicious on its own.

Seven New Failure Modes Defined

The updated taxonomy introduces seven new categories that reflect what red teamers actually encountered during live engagements.

These include agentic supply chain compromise, goal hijacking, inter-agent trust escalation, computer use agent visual attacks, session context contamination, MCP and plugin abuse, and capability or architecture disclosure.

Each describes a distinct way an agentic system can be manipulated that either did not exist or was not adequately covered before.

Microsoft’s mitigations for these risks are practical and architectural. Organizations are advised to generate a software bill of materials for every deployed agent that includes plugins, MCP servers, and prompt templates.

Agent identity should be verified cryptographically, not assumed from its position in a workflow. Human-in-the-loop controls should be hardened against compound action decomposition and semantic laundering, where an agent rewrites an approval description to obscure what it is requesting.

Tiered approvals based on action reversibility and monitoring for unusual approval request patterns round out the recommended controls.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Agentic AI Red Teaming Reveals Zero-Click Human-in-the-Loop Bypass Attack Chains appeared first on Cyber Security News.