According to a recent report by The Register, Cupertino’s software engineers are scrambling to patch a keyboard interface flaw that inadvertently removed a specific special character necessary for unlocking devices configured with custom alphanumeric passcodes.

The issue first gained public attention when a 21-year-old university student, Connor Byrne, shared his predicament on Reddit.

As The Register reported, Byrne opted not to use the standard four- or six-digit PIN on his iPhone 13. Instead, he enhanced his device security by setting a complex, custom alphanumeric string as his primary passcode.

While cybersecurity professionals highly recommend complex passcodes to thwart brute-force attacks, Byrne’s specific password combination triggered an unexpected software trap.

He utilized the caron or háček (ˇ) symbol from the iPhone’s Czech keyboard layout. When Apple released iOS 26 to the general public in September 2025, the company unknowingly removed this specific character from the lock screen keyboard.

Without the ability to type the required symbol, Byrne was permanently locked out of his smartphone. The only native solution provided by the device was a full factory reset.

However, a reset would permanently erase months of valuable photographs and personal files stored locally on the device. Choosing to preserve his data, the user has remained locked out while waiting for a potential software patch.

Following the viral social media post, Apple’s internal engineering team reportedly began investigating the issue. The Register notes that Apple is now working on a targeted fix to restore the missing character, which is expected to roll out in an upcoming major iOS 26 release.

Interestingly, despite Apple’s engineers responding within 9 days after the issue surfaced online, the extended lockout has permanently damaged the user’s trust.

According to The Register, Byrne has decided to migrate to an Android device, specifically eyeing the Samsung Galaxy S26 Ultra.

He cited both the software quality assurance oversight, noting that the current keyboard’s flaws duplicate characters side-by-side, and a preference for alternative camera hardware. Apple has not yet issued an official public comment on the fix’s timeline.

• Backup Data Regularly: Always maintain up-to-date iCloud or physical backups. If a critical lock screen glitch occurs after an update, you can safely perform a factory reset without losing your data.
• Review Custom Passcodes: If you use a custom alphanumeric passcode, ensure it relies on standard characters that are universally available across different keyboard layouts to avoid getting locked out.
• Monitor Software Updates: Be cautious when adopting major operating system upgrades immediately upon release. As this incident highlights, unexpected interface bugs can temporarily sever device access.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Apple Works on Fix for iPhone Passcode Bug Linked to Missing Czech Keyboard Character appeared first on Cyber Security News.

Moving beyond theoretical warnings, the researcher successfully utilized Claude Opus to construct a fully functional exploit chain targeting Google Chrome’s complex V8 JavaScript engine.

The experiment highlights a persistent vulnerability in the modern software ecosystem: the patch gap. Many popular desktop applications built on the Electron framework, such as Discord, Notion, and Slack, bundle their own Chromium builds.

These bundled versions often lag weeks or months behind the upstream Chrome releases, leaving known vulnerabilities unpatched and exposing users to n-day exploits.

For this test, the researcher targeted the Discord desktop application, which was running on the outdated Chrome 138 engine.

Because Discord operates without a sandbox on its main window, the exploit required only two vulnerabilities to achieve a full chain, circumventing the need for a third dedicated sandbox escape.

Chaining the Vulnerabilities

Through a series of guided interactions, Claude Opus was tasked with developing an exploit using specific unpatched flaws. The AI successfully chained together two complex vulnerabilities to achieve Remote Code Execution (RCE):

• CVE-2026-5873: An out-of-bounds (OOB) read and write vulnerability in V8’s Turboshaft compiler for WebAssembly. Fixed in Chrome 147, this bug allowed the attacker to bypass bounds checks after tier-up compilation, enabling arbitrary memory manipulation within the V8 heap.
• V8 Sandbox Bypass: A Use-After-Free (UAF) flaw in the WebAssembly Code Pointer Table (WasmCPT). By corrupting the import dispatch table and exploiting type confusion, the exploit escaped the V8 sandbox entirely, granting full read and write access to the entire virtual address space.

Using these chained primitives, the model generated a payload capable of redirecting execution flows to the system’s dyld cache, ultimately launching arbitrary system commands on a macOS target.

Despite the impressive outcome, the process was far from fully autonomous. The researcher noted that Claude Opus required extensive human oversight, scaffolding, and operational management.

The AI frequently suffered from context collapse during long conversations, speculated on memory offsets instead of verifying them, and struggled to recover independently when stuck in logical loops.

Over the course of a week, the experiment consumed roughly 2.3 billion tokens across 1,765 requests, costing approximately $2,283 and requiring 20 hours of hands-on guidance.

The researcher had to continually feed the debugger (LLDB) back into the model to keep it on track, as reported by Hacktron AI.

Economic Reality and Future Threats

While the process was labor-intensive, the economics of AI-assisted exploitation are striking. Spending around $2,300 and a few days of effort to generate a reliable Chrome exploit is highly profitable when compared to commercial bug bounties, which frequently pay upwards of $10,000 for similar submissions, or the highly lucrative underground exploit market.

This experiment serves as a stark warning for the cybersecurity industry. While current models like Claude Opus still require expert babysitting to weaponize vulnerabilities, the technological trajectory is clear.

As next-generation models like Anthropic’s Mythos emerge with enhanced reasoning and coding capabilities, the barrier to generating sophisticated exploits will drop drastically.

Ultimately, the shrinking gap between automated exploit generation and slow vendor patching cycles threatens to empower less sophisticated threat actors to compromise vulnerable software at an unprecedented scale.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Researcher Uses Claude Opus to Build a Working Chrome Exploit Chain appeared first on Cyber Security News.

According to a recent disclosure on Hacker News, an insecure file-hosting configuration has exposed personal identifiable information (PII), including completed tax forms, that were exchanged between freelancers and clients.

The Cloudinary Misconfiguration

The root of the data exposure lies in how Fiverr handles file sharing within its internal messaging system.

The platform relies on a third-party service called Cloudinary to process and host images and PDF documents, including final work products delivered to clients.

While Cloudinary operates similarly to an Amazon S3 digital storage bucket and supports secure, expiring web links, Fiverr reportedly configured the service incorrectly.

Instead of requiring authentication, Fiverr opted to generate fully public URLs for these sensitive attachments. Because these files were left open to the public, search engines like Google were able to crawl and index them.

This suggests that the public file links may have been exposed through unprotected HTML pages somewhere on Fiverr’s network.

The impact of this oversight is severe, as anyone can allegedly use specific Google search queries to surface private documents.

For example, running a site-specific search for “form 1040” on Fiverr’s Cloudinary domain instantly reveals private tax documents containing highly sensitive financial and personal data.

Interestingly, the researcher highlighted a troubling contradiction. Fiverr actively purchases Google Ads for tax preparation services, yet the platform fails to secure the resulting financial work products.

This exposure raises immediate regulatory concerns. By failing to lock down financial documents properly, the platform and its tax preparation freelancers could be in direct violation of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which mandate strict protections for consumer financial data.

The researcher who discovered the issue claims to have followed standard responsible disclosure protocols. A detailed vulnerability report was sent to Fiverr’s designated security team 40 days before the public release.

After receiving no response or remediation efforts from the company, the researcher opted to publish the findings on Hacker News to warn affected users.

Key Takeaways and Mitigations

Until Fiverr resolves this public exposure, users are at risk of identity theft and financial fraud. Both freelancers and clients should take immediate precautions:

• Halt sensitive transfers: Users should temporarily stop sending sensitive documents, such as tax forms or medical records, through Fiverr’s messaging system.
• Implement signed URLs: Fiverr must urgently update its Cloudinary integration to utilize signed, time-limited URLs for all user-to-user file transfers to ensure files expire after being downloaded.
• Request search de-indexing: The company needs to issue urgent takedown requests to Google to remove the exposed domain directories from public search results.
• Monitor for identity theft: Clients who purchased financial or tax preparation gigs on Fiverr should monitor their credit reports for unauthorized activity.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Fiverr Allegedly Leaks User Information to Google Indexing, Researchers Say appeared first on Cyber Security News.

According to recent threat research published by Fortinet’s FortiGuard Labs, threat actors are exploiting a known command injection vulnerability to hijack TBK DVR systems and construct a large-scale Distributed Denial-of-Service (DDoS) botnet.

Fortinet researchers report that the campaign specifically targets TBK DVR-4104 and DVR-4216 models by exploiting CVE-2024-3721. This OS command injection flaw allows attackers to deliver a downloader script by manipulating arguments within the device system.

During the exploitation phase, network traffic reveals a custom HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic,” leading FortiGuard Labs to attribute the campaign to a relatively unknown threat actor identified as the “Nexus Team“.

Once the downloader script executes, it fetches multi-architecture payloads supporting ARM, MIPS, and x86-64 environments, subsequently displaying a console message stating “nexuscorp has taken control”.

Technical Capabilities and Infection Mechanisms

Fortinet’s analysis reveals that Nexcorium shares fundamental architecture with traditional Mirai variants, utilizing XOR-encoded configurations and modular components. The technical operation relies on several core mechanisms:

• Modular Architecture: The malware deploys standard Mirai features, including a watchdog module to distinguish sub-processes, a scanner for network propagation, and an attacker module for DDoS execution.
• Legacy Exploit Integration: To maximize its infection radius, Nexcorium incorporates the older CVE-2017-17215 vulnerability, which targets Huawei router devices.
• Aggressive Brute-Forcing: The malware launches Telnet-based brute-force attacks against other networked hardware using a hardcoded list of common and default credentials.
• Self-Preservation: Nexcorium verifies its own integrity using FNV-1a hashing algorithms; if the binary is altered or unreadable, it dynamically duplicates itself under a new filename to evade detection.

To maintain long-term access to compromised systems, the malware establishes persistence through four distinct mechanisms rather than relying on a single configuration file. The botnet secures its foothold by:

• Modifying /etc/inittab to ensure automatic process restarts if the malware is terminated.
• Updating /etc/rc.local to guarantee execution during the device’s system startup sequence.
• Creating a dedicated systemd service named persist.service for persistent background operation.
• Planting scheduled tasks via crontab for reliable post-reboot execution.

Following this extensive setup, Fortinet notes that Nexcorium deletes its original binary from the execution path to thwart security analysts.

The primary objective of the Nexus Team campaign is launching devastating DDoS attacks. Based on FortiGuard Labs’ decryption of the malware’s configuration table, Nexcorium communicates with a centralized command-and-control (C2) server to receive attack directives.

Instead of a narrow attack scope, the botnet is equipped with a versatile arsenal of flood techniques. These include standard UDP, TCP ACK, TCP SYN, SMTP, and TCP PSH floods, alongside specialized attack vectors like VSE query floods and UDP blast attacks.

The discovery of Nexcorium highlights the continuous weaponization of legacy IoT devices. Security experts strongly advise organizations to immediately patch CVE-2024-3721, replace default manufacturer credentials, and isolate critical infrastructure from vulnerable IoT endpoints using network segmentation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations appeared first on Cyber Security News.

While this marks a significant 40% decline from the 10.1 million servers observed in 2024, the presence of this decades-old protocol continues to pose an exposure risk due to widespread insecure default configurations.

The Censys report highlights that the dominant story of FTP exposure in 2026 is not purpose-built file transfer infrastructure, but rather an accumulation of platform defaults on shared hosting networks and broadband providers.

The State of Encryption and Regional Risks

When it comes to securing these servers, the data reveals a mixed landscape. Censys found that roughly 58.9% of observed FTP hosts completed a Transport Layer Security (TLS) handshake, meaning they support encrypted connections.

However, this leaves approximately 2.45 million hosts without observed evidence of encryption, potentially allowing them to transmit files and credentials in cleartext.

The lack of encryption adoption varies significantly by region. According to Censys data, mainland China and South Korea have the lowest TLS adoption rates among the top 10 hosting countries, at 17.9% and 14.5%, respectively.

Meanwhile, Japan accounts for 71% of all FTP servers globally that still rely on outdated, deprecated legacy encryption protocols such as TLS 1.0 and 1.1.

The security posture of these 6 million servers is heavily influenced by the default settings of the software daemons running them.

Key technical observations from the Censys report include:

• Pure-FTPd Dominance: Operating on roughly 1.99 million services, this is the most common FTP daemon, largely driven by its inclusion as a default in cPanel hosting environments.
  
• The IIS FTP Configuration Trap: Over 150,000 Microsoft IIS FTP services return a “534” error response, indicating TLS was never configured.
  
  While IIS defaults to a policy that appears to require encryption, it does not bind a security certificate upon a fresh installation.
  
  Consequently, the server accepts cleartext credentials, even though the configuration appears to enforce TLS.
  
• Hidden Nonstandard Ports: Relying only on port 21 scans miss a significant portion of the attack surface.
  
  Tens of thousands of FTP services run on alternate ports, such as 10397 or 2121, often tied to specific telecom operations or network-attached storage devices.

Mitigation and Hardening Strategies

For enterprise defenders and infrastructure administrators, Censys strongly recommends evaluating whether FTP is truly necessary before attempting to harden it.

Organizations should consider the following mitigation strategies:

• Migrate to Secure Alternatives: Whenever possible, replace FTP with SSH File Transfer Protocol (SFTP), which encrypts credentials and data by default over port 22.
  
• Enforce Explicit TLS: If legacy FTP infrastructure must remain online, administrators should configure their daemons to enforce Explicit TLS (FTPS) and refuse cleartext connections.
  
• Fix IIS Certificate Bindings: Windows Server administrators using IIS FTP must ensure that a valid certificate is bound to the FTP site and verify that the SSL policy actively enforces encryption.

Ultimately, while the internet’s reliance on FTP is slowly shrinking, millions of instances continue to run quietly in the background.

As Censys warns, the primary risk is not advanced zero-day attacks, but the simple failure to update default configurations that leave systems unnecessarily exposed.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Nearly 6 Million Internet-Facing FTP Servers Still Exposed in 2026, Censys Warns appeared first on Cyber Security News.

The flaw allows an unauthenticated attacker to execute arbitrary operating system commands as root, the highest privilege level, without requiring any login credentials.

The vulnerability was originally discovered in November 2025 and has now been made public following Fortinet’s patch release in April 2026.

Security researchers and defenders are urged to apply the fix immediately, as a working exploit is now freely available on GitHub.

CVE-2026-39808 is an OS command injection vulnerability affecting Fortinet’s FortiSandbox, a widely used sandboxing solution designed to detect and analyze advanced threats and malware. The flaw resides in the /fortisandbox/job-detail/tracer-behavior endpoint.

How Simple Is the Attack?

An attacker can inject malicious operating system commands through the jid GET parameter by using the pipe symbol (|) a common technique used to chain commands in Unix-based systems.

Because the vulnerable endpoint fails to properly sanitize user input, the injected commands are executed directly by the underlying operating system with root-level privileges.

FortiSandbox versions 4.4.0 through 4.4.8 are confirmed to be affected by this vulnerability.

What makes CVE-2026-39808 especially alarming is how easy it is to exploit.

According to researcher samu-delucas, who published the PoC on GitHub, a single curl command is enough to achieve unauthenticated remote code execution (RCE) as root:

curl -s -k --get "http://$HOST/fortisandbox/job-detail/tracer-behavior" --data-urlencode "jid=|(id > /web/ng/out.txt)|"

In this example, the attacker redirects command output to a file stored in the web root, which can then be retrieved through a browser.

This means an attacker could read sensitive files, drop malware, or fully compromise the host system all without ever logging in.

Fortinet’s Response

Fortinet patched the vulnerability and published its official advisory under FG-IR-26-100 through its FortiGuard PSIRT portal.

The advisory confirms the severity of the flaw and outlines affected versions. Organizations running FortiSandbox 4.4.0 through 4.4.8 should upgrade to a patched version without delay.

• Patch immediately:  upgrade FortiSandbox to a version beyond 4.4.8 as specified in Fortinet’s official advisory.
  
• Audit exposed instances: check whether FortiSandbox management interfaces are exposed to untrusted networks or the public internet.
  
• Review logs:  look for unusual GET requests to the /fortisandbox/job-detail/tracer-behavior endpoint as indicators of exploitation attempts.
  
• Apply network segmentation: restrict access to FortiSandbox administrative interfaces to trusted IP ranges only.

With a working PoC now publicly available, the window for exploitation is open. Security teams should treat this as a critical-priority patch and act immediately to secure affected systems.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post PoC Exploit Released for FortiSandbox Vulnerability that Allows Attacker to Execute Commands appeared first on Cyber Security News.

The vulnerability, tracked as CVE-2023-33538, affects multiple TP-Link models that no longer receive vendor updates, leaving users with no official patch to apply.

The affected routers include the TL-WR940N (versions 2 and 4), TL-WR740N (versions 1 and 2), and TL-WR841N (versions 8 and 10).

These devices share a common weakness in their web management interfaces, where a specific parameter inside an HTTP GET request is not properly checked for harmful content.

This missing input validation gives attackers a clear opening to inject and run commands on the router without triggering any warning on the device.

The attacks work by sending malicious HTTP GET requests to the /userRpm/WlanNetworkRpm endpoint. The requests carry commands embedded in the ssid parameter, which the router’s firmware processes without filtering harmful input.

Once the router accepts the request, the commands instruct it to download an ELF binary named arm7 from a remote server at IP address 51.38.137[.]113, assign it full execution permissions, and run it immediately.

Unit 42 analysts and researchers at Palo Alto Networks identified this malicious activity after CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog in June 2025.

Their telemetry systems detected large-scale, automated exploitation attempts around that same period, with multiple probes targeting the same vulnerable endpoint across numerous devices in the wild.

The downloaded arm7 binary is a variant of the Condi IoT botnet malware, a Mirai-based family tied to previous campaigns. Once running on the infected router, the malware connects to a command-and-control (C2) server and folds the device into a larger botnet.

The C2 domain cnc.vietdediserver[.]shop is directly associated with these Mirai-like botnet operations and was confirmed malicious.

Inside the Arm7 Malware Binary

After gaining access to the device, the arm7 binary carries out a structured set of tasks to maintain its presence and grow the botnet.

It waits for specific byte-pattern commands from the C2 server and responds by sending heartbeat signals, triggering self-updates, and launching internal HTTP server functions.

One particularly notable behavior is the self-update routine. The binary uses the update_bins() function to connect back to 51.38.137[.]113 on TCP port 80 and pull fresh copies of itself built for eight different CPU architectures, including arm6, mips, sh4, and x86_64.

The IP address and port are hard-coded directly inside the binary, as confirmed during disassembly.

The arm7 binary also starts an HTTP server on the infected device using a port randomly chosen between 1024 and 65535.

Once active, this server delivers fresh malware copies to other devices that connect to it, spreading the infection further without requiring any additional input from the attacker.

This allows each newly infected host to go on recruiting more victims. Despite their scale, the in-the-wild exploit attempts observed by researchers carried technical errors.

The attackers targeted the ssid parameter rather than the correct and vulnerable ssid1 parameter, and their injected commands depended on wget, a utility absent from the router’s limited BusyBox environment.

Even so, the research team confirmed that the underlying vulnerability is real and that a more accurate attacker using the correct parameter could successfully exploit it.

Regarding recommendations, TP-Link confirmed the affected devices are end-of-life and no vendor patches will be made available. The company advises users to replace these units with currently supported hardware.

Changing the default admin:admin login credentials is also strongly recommended, as exploitation of this vulnerability requires authenticated access to the router’s web interface.

Administrators should monitor outbound traffic for connections to known malicious domains and retire any affected TP-Link router models still active on their networks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts appeared first on Cyber Security News.

The surge was largely tied to a single piece of malware that silently spread through phishing emails, reaching ICS networks in every region of the world within just two months.

At the center of this threat wave is a backdoor worm known as Backdoor.MSIL.XWorm, a malware built to settle into infected systems and hand attackers full remote control over compromised machines.

What makes this outbreak particularly alarming is that this threat had no presence on ICS computers in the previous quarter, yet it appeared across all global regions in Q4 2025, representing a sudden and widespread jump.

The overall percentage of ICS computers on which worms were blocked rose by 1.6 times to 1.60% during this period, a sharp uptick driven almost entirely by this single campaign.

Securelist analysts identified that the active spread of Backdoor.MSIL.XWorm through phishing emails was closely tied to a specific malware obfuscation technique that threat actors used heavily during mass phishing campaigns throughout Q4 2025.

These campaigns, known since 2024 under the name “Curriculum-vitae-catalina,” relied on a deceptively simple but effective trick.

Attackers sent emails to HR managers, recruiters, and employees involved in hiring decisions, disguising malicious messages as job applications with subject lines such as “Resume” or “Attached Resume.”

The emails carried a malicious executable file presented as a curriculum vitae, typically named Curriculum Vitae-Catalina.exe, which infected the system the moment it was opened.

The infection did not unfold all at once. In Q4 2025, the threat rolled out in two distinct waves. The first hit in October, targeting Russia, Western Europe, South America, and North America, specifically Canada.

A second spike followed in November, spreading to additional regions before the campaign finally slowed in December.

The highest infection rates were recorded in Southern Europe, South America, and the Middle East, which are regions where ICS computers have historically faced elevated risks from email-based threats.

In Africa, the worm also found a different path in through removable storage devices, reflecting how diverse the spread vectors became.

Regionally, the percentage of ICS computers with blocked malicious objects ranged from 8.5% in Northern Europe to 27.3% in Africa in Q4 2025, showing just how wide the gap in exposure levels remains across the globe.

The oil and gas sector stood out as the only industry to see an increase in blocked threats during this period, particularly in Russia and Central Asia.

While the broader trend across all surveyed industries has been a gradual decline over multiple years, the worm-driven spike in Q4 2025 served as a clear reminder that email remains a powerful entry point into even the most sensitive industrial environments.

Inside the Infection Mechanism

The way Backdoor.MSIL.XWorm operates reveals a calculated approach to gaining and holding access inside industrial networks.

When a target opens the fake resume file, the malware quietly executes in the background, establishing persistence on the system so it survives reboots and routine maintenance.

From that point, it opens a channel for remote control, allowing attackers to monitor activity, move through the network, and potentially interfere with operational technology processes.

The obfuscation techniques used during the “Curriculum-vitae-catalina” campaigns helped the worm slip past standard detection tools by disguising its true behavior inside layered scripts and encoded payloads.

This is why the malware went undetected on ICS computers in Q3 2025, only to surge dramatically the very next quarter.

Southern Europe recorded the steepest increase, with worm-blocking activity rising by 2.16 times, largely because that region already had the highest rate of email-sourced threats among ICS environments globally.

Security teams managing ICS or OT environments should treat any unsolicited email with an executable attachment as a serious risk, even when those emails appear to come from genuine job seekers.

Organizations are advised to enforce strict email filtering policies that block executable attachments before they reach end users.

Employees in HR roles and anyone with access to OT-adjacent systems should receive focused training on identifying phishing attempts that mimic hiring communications.

Removable media policies should also be tightened, particularly in regions like Africa where USB-based infection proved to be an active vector during this campaign.

Keeping ICS endpoints updated and running behavior-based detection tools is essential to catching threats like XWorm that are specifically designed to evade signature-based defenses.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Email-Borne Worm Surge Drives New Threat Wave Across Industrial Control Systems appeared first on Cyber Security News.

Unlike attacks that exploit software flaws, this campaign relies entirely on social engineering, manipulating people rather than bypassing technical defenses.

The attack begins with a convincing story. Sapphire Sleet poses as a job recruiter on professional networking platforms, builds trust through career conversations, and schedules a fake technical interview.

At a critical point, the victim is directed to download a file called “Zoom SDK Update.scpt,” a compiled AppleScript that opens in the macOS Script Editor app.

Since the Script Editor is a trusted, Apple-built application, macOS raises no flags, and the user sees routine upgrade instructions while thousands of blank lines below conceal malicious code ready to execute.

Microsoft Threat Intelligence analysts identified this campaign and noted that the specific combination of execution patterns, including the use of AppleScript as a dedicated credential-harvesting component, had not been previously observed from Sapphire Sleet.

After discovering the activity, Microsoft shared findings with Apple through responsible disclosure, and Apple has since deployed XProtect signature updates and Safe Browsing protections in Safari to detect and block infrastructure linked to this campaign.

Sapphire Sleet primarily targets individuals and organizations in cryptocurrency, finance, venture capital, and blockchain sectors.

Once active, the malware harvests the victim’s login password, steals Telegram session data, browser credentials, crypto wallet keys from applications like Ledger Live and Exodus, SSH keys, and macOS keychain databases.

All stolen data is compressed and uploaded silently to attacker-controlled servers over port 8443.

The malware bypasses macOS security layers including Gatekeeper and Transparency Consent and Control.

By convincing the user to manually run the file, Sapphire Sleet shifts execution into a user-initiated context where these protections no longer apply, placing behavioral awareness at the center of any meaningful defense.

Inside the Infection Chain

Once the victim opens the lure file, the attack moves through a fast chain of commands.

The script invokes the legitimate macOS “softwareupdate” binary with an invalid parameter to mimic a real system process, then uses “curl” to fetch a remote AppleScript payload and pass it directly to the “osascript” interpreter.

This pattern repeats across five stages, each tracked by user-agent strings mac-cur1 through mac-cur5, allowing Sapphire Sleet to manage payload delivery and monitor campaign progress.

The mac-cur1 stage acts as the orchestrator, collecting system details, registering the infected machine with Sapphire Sleet’s command-and-control servers, and deploying a host monitoring binary called “com.apple.cli.”

A backdoor named “services” simultaneously installs a launch daemon called “com.google.webkit.service.plist,” named to closely mimic legitimate Apple and Google services so it persists across reboots without drawing attention.

The mac-cur2 stage delivers the credential harvester, “systemupdate.app,” which displays a native password dialog identical to a real system prompt.

When the user enters their password, the malware validates it against the local authentication database and immediately sends it to Sapphire Sleet via the Telegram Bot API.

A second fake application named “softwareupdate.app” then displays a “system update complete” message so the victim has no reason to grow suspicious.

To reach protected data, the mac-cur3 stage manipulates the TCC database by directing Finder to rename the TCC folder temporarily, allowing the malware to insert permissions that let osascript access sensitive files without triggering a consent prompt.

A 575-line exfiltration script then collects nine categories of data and uploads them to attacker servers.

Users and organizations should treat any unsolicited request to run terminal commands during an online interview as a clear warning sign.

Blocking compiled AppleScript (.scpt) files, auditing LaunchDaemon plist files for unexpected entries, and monitoring the TCC database for unauthorized changes are all effective defensive steps.

Keeping macOS updated ensures Apple’s latest XProtect signatures and Safari Safe Browsing protections remain active to block known components of this campaign.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Fake Zoom SDK Update Delivers Sapphire Sleet Malware in New macOS Intrusion Chain appeared first on Cyber Security News.

The flaw, tracked as CVE-2026-39987, allows remote code execution without authentication, making it a dangerous entry point for threat actors leveraging it to install a new variant of the NKAbuse malware through a fake Hugging Face Space.

The advisory, identified as GHSA-2679-6mx9-h9xc, was published on GitHub on April 8, 2026. Within just 9 hours and 41 minutes, the first active exploitation was recorded.

From April 11 to April 14, 2026, attackers from 11 unique IP addresses across 10 countries launched 662 exploit events against exposed marimo instances.

What began as early scanning quickly escalated into a full-scale, multi-actor campaign targeting AI developer workstations.

Researchers at the Sysdig TRT identified and documented these attacks as they unfolded, noting four distinct post-exploitation patterns: credential harvesting, reverse shell attempts, DNS-based data exfiltration, and deployment of a previously undocumented NKAbuse variant.

The speed of weaponization confirmed that multiple threat actors were independently targeting the same vulnerability within days of its public disclosure.

The most alarming finding was the deployment of a Go-based backdoor named kagent through a typosquatted Hugging Face Space called vsccode-modetx, built to mimic a legitimate VS Code tool.

Using a simple curl command against a marimo endpoint, the attacker pulled and executed a shell dropper that downloaded the kagent binary to the victim system.

The Hugging Face domain carried zero malicious flags across 16 reputation sources at the time, allowing the payload to bypass standard security filters without raising any alarms.

The attack impact extended beyond a single compromised notebook. Attackers quickly pivoted from exploiting marimo to accessing connected PostgreSQL databases and Redis instances using credentials pulled from environment variables.

One operator extracted AWS access keys, database connection strings, and OpenAI API tokens, demonstrating that one exposed marimo instance could open a foothold into broader cloud infrastructure.

NKAbuse Variant and Persistence Tactics

The kagent binary is a stripped, UPX-packed Go ELF file that unpacks from 4.3 MB to 15.5 MB and communicates with a command-and-control server over the NKN blockchain network.

the NKN protocol uses decentralized relay nodes, there is no single IP address or domain to block, and C2 traffic blends with normal blockchain activity, making detection difficult with conventional tools.

The dropper script establishes persistence using three sequential methods: first creating a systemd user service at ~/.config/systemd/user/kagent.service, then adding a crontab @reboot entry, and finally installing a macOS LaunchAgent at ~/Library/LaunchAgents/com.kagent.plist.

All output is silently redirected to ~/.kagent/install.log, hiding activity from standard process monitoring. Defenders must check all three locations to fully remove the implant.

Compared to the original NKAbuse from December 2023, this 2026 variant targets AI developer tooling using a brand-new vulnerability, uses Hugging Face for delivery, and disguises the binary as a legitimate Kubernetes agent named kagent, where the original exploited a six-year-old Apache Struts flaw against Linux desktops and IoT devices.

The Sysdig TRT shared the following steps for defenders:

• Update marimo to version 0.23.0 or later immediately, as the vulnerability requires no authentication and is actively targeted.
• Hunt for the ~/.kagent/ directory, the kagent.service systemd entry, and any running kagent process on systems that ran marimo.
• Block vsccode-modetx.hf.space at the proxy or DNS level to stop the known payload delivery URL.
• Rotate all credentials on exposed marimo instances, focusing on DATABASE_URL, AWS keys, and API tokens stored in environment variables.
• Monitor network traffic for NKN blockchain relay patterns that indicate active C2 communication from an infected host.
• Audit Hugging Face Spaces and AI/ML dependencies, and restrict access to verified publishers only.
• Deploy runtime behavioral detection, as signature-based tools cannot catch zero-detection malware hosted on trusted platforms.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attackers Weaponize CVE-2026-39987 to Spread Blockchain-Based Backdoor Via Hugging Face appeared first on Cyber Security News.