Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ai-tooling (4 articles)

codexui-android npm steals OpenAI Codex auth tokens for a month - non-expiring refresh_token exfiltrated to fake Sentry endpoint

Aikido Security has disclosed that codexui-android, an npm package advertised as a remote web UI for OpenAI Codex with over 29,000 weekly downloads, has been silently exfiltrating users' Codex authentication tokens for the past month. Unlike a typosquat, the malware was embedded into a functional, actively-developed package roughly a month after publication to build trust; the GitHub repo stayed clean. The code reads ~/.codex/auth.json and ships the access_token, refresh_token, id_token, and account ID to sentry.anyclaw[.]store, a server masquerading as Sentry. The non-expiring refresh_token lets an attacker silently impersonate the developer indefinitely with full Codex account access. The package remains available; the npm account is 'friuns.'

Check
Inventory developer machines for the codexui-android npm package. If present, treat ~/.codex/auth.json as compromised. Search egress for traffic to sentry.anyclaw[.]store.
Affected
Developers who installed codexui-android (29K weekly downloads, still live). Stolen non-expiring Codex refresh_tokens give attackers persistent, silent impersonation of the victim's OpenAI Codex account.
Fix
Remove codexui-android. Revoke and re-issue OpenAI Codex sessions; the refresh_token does not expire, so rotation is mandatory. Pin dependencies and audit AI-tooling packages before install.
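To make the Check above repeatable across a fleet, here is an added Python helper (not code from Aikido's report or from the package itself) that flags an npm package-lock.json pulling in codexui-android at any nesting depth and filters proxy or DNS log lines for the exfiltration host. The lockfile and log lines below are constructed samples; only the package name and host come from the disclosure.

```python
import json
import re
from typing import Iterable

# Package and exfiltration host named in the Aikido disclosure.
MALICIOUS_PACKAGE = "codexui-android"
# Written defanged in the write-up; undefanged here so it matches real log lines.
C2_HOST = "sentry.anyclaw.store"

def lockfile_mentions_package(lock_text: str, name: str = MALICIOUS_PACKAGE) -> bool:
    """True if a package-lock.json (v1 'dependencies' or v2/v3 'packages') installs `name`."""
    lock = json.loads(lock_text)
    # v2/v3 lockfiles key entries by install path, e.g. "node_modules/a/node_modules/b"
    for path in lock.get("packages", {}):
        if path.split("node_modules/")[-1] == name:
            return True
    # v1 lockfiles nest "dependencies" maps keyed by package name
    def walk(deps: dict) -> bool:
        for dep_name, meta in deps.items():
            if dep_name == name or walk(meta.get("dependencies", {})):
                return True
        return False
    return walk(lock.get("dependencies", {}))

def egress_hits(log_lines: Iterable[str], host: str = C2_HOST) -> list:
    """Return the log lines (proxy, DNS, firewall) that mention the token-exfiltration host."""
    pat = re.compile(re.escape(host), re.IGNORECASE)
    return [line for line in log_lines if pat.search(line)]

# Constructed sample inputs (hostnames and timestamps are made up)
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"codexui-android": "^1.0.0"}},
        "node_modules/codexui-android": {"version": "1.0.3"},
        "node_modules/express": {"version": "4.19.2"},
    },
})
SAMPLE_LOG = [
    "2026-06-30T08:12:04Z dev-laptop-17 CONNECT sentry.anyclaw.store:443 200",
    "2026-06-30T08:12:05Z dev-laptop-17 CONNECT registry.npmjs.org:443 200",
]

if __name__ == "__main__":
    print("lockfile installs package:", lockfile_mentions_package(SAMPLE_LOCK))
    for hit in egress_hits(SAMPLE_LOG):
        print("egress hit:", hit)
```

Run `lockfile_mentions_package` over every package-lock.json found under developer home directories; any hit means the corresponding ~/.codex/auth.json should be treated as compromised.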

openDCIM RCE chain weaponized in the wild - Chinese attacker uses AI vuln scanner Vulnhuntr to drop PHP web shells

VulnCheck says attackers are chaining three critical bugs (CVE-2026-28515, CVE-2026-28517, CVE-2026-28516) in openDCIM, an open-source data center management web app, to drop PHP web shells on exposed installs. All three rate CVSS 9.3 and cover missing authorization, OS command injection, and SQL injection. They can be combined over five HTTP requests to land a reverse shell. The activity comes from a single Chinese IP using what VulnCheck describes as a customized version of Vulnhuntr, a public AI-driven vulnerability discovery tool. The campaign is one of the first publicly documented cases of an open-source AI vuln scanner being repurposed for real-world exploitation.

Check
Identify openDCIM installs in your environment (check internal asset inventory and external attack surface). Review web server logs for /report_network_map.php access patterns since February 2026.
Affected
openDCIM versions before the February 2026 fix that addressed CVE-2026-28515, CVE-2026-28517, and CVE-2026-28516. Internet-exposed instances are at highest risk.
Fix
Upgrade openDCIM to the patched release. Remove internet exposure and put the app behind an authenticated reverse-proxy or VPN. Block the Chinese IP cluster VulnCheck has flagged.

Backend of 'The Gentlemen' ransomware operation leaked - 9 named operators, ransom chat transcripts, and chain-victimization tactics now public

The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.

Check
Pull historical access logs for Fortinet and Cisco edge appliances and check for credentials matching infostealer log dumps, then hunt for NTLM relay activity consistent with CVE-2025-33073 in Windows event logs.
Affected
Organizations exposed to The Gentlemen include any running FortiGate or Cisco edge gear with CVE-2024-55591, CVE-2025-32433, or CVE-2025-33073 unpatched, and downstream clients of compromised IT service providers.
Fix
Patch CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Enforce MFA on every edge-management interface, rotate credentials that appear in infostealer logs, and load Check Point's 'Thus Spoke The Gentlemen' IoCs into your EDR and firewall blocklists.

Critical Ollama flaw lets unauthenticated attackers read server memory - 300,000 instances exposed (CVE-2026-7482)

Researchers at Cyera disclosed a critical bug in Ollama, the open-source tool that runs large language models locally on laptops and servers. The flaw, called Bleeding Llama (CVE-2026-7482), lets anyone with network access send a malformed model file and read raw process memory back - which typically contains API keys, environment variables, system prompts, and other users' chat history. Ollama ships without authentication by default, so an estimated 300,000 instances are exposed on the internet. Ollama 0.17.1 fixes it. Separately, Striga disclosed two unpatched Ollama Windows desktop flaws (CVE-2026-42248 and CVE-2026-42249) that chain into persistent code execution at login.

Check
Inventory all Ollama instances across servers and developer laptops. Check whether any are reachable from outside their host or trusted network, and verify the running version.
Affected
Ollama versions before 0.17.1 on every platform (CVE-2026-7482, CVSS 9.1, unauthenticated heap out-of-bounds read in the GGUF model loader exploitable via /api/create and /api/push). Ollama Windows desktop client on all currently-released builds (CVE-2026-42248 and CVE-2026-42249, CVSS 7.7 each, unpatched). Internet-exposed and developer-laptop instances are at highest risk.
Fix
Upgrade all Ollama servers to 0.17.1 or later immediately to fix Bleeding Llama. Restrict the Ollama API to localhost or an internal network only - never expose port 11434 to the internet. Place an authenticating reverse proxy in front of any shared Ollama deployment. For Windows desktop clients, monitor for an update that addresses CVE-2026-42248 and CVE-2026-42249; consider blocking auto-update traffic until a patched build ships.
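As an added example for the Check and Fix above (not code from Cyera or the Ollama project), this Python helper parses the version string Ollama returns from its GET /api/version endpoint, compares it against the 0.17.1 fix, and combines that with the bind address (the value of OLLAMA_HOST) to rank each instance. The inventory below is constructed; the live fetch function is only for hosts you administer.

```python
import json
import re
import urllib.request

FIXED_VERSION = (0, 17, 1)  # first release that fixes Bleeding Llama (CVE-2026-7482)
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def parse_version(ver: str) -> tuple:
    """Turn '0.17.1' (or 'v0.17.1-rc2') into a comparable int tuple; unparsable -> ()."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", ver.strip())
    return tuple(int(x) for x in m.groups()) if m else ()

def is_vulnerable(ver: str) -> bool:
    """Builds below 0.17.1 carry CVE-2026-7482; an unknown version is treated as vulnerable."""
    parsed = parse_version(ver)
    return parsed == () or parsed < FIXED_VERSION

def assess(host: str, version_json: str, bind_addr: str) -> dict:
    """Rank one instance: old build on a non-loopback bind is the worst case."""
    ver = json.loads(version_json).get("version", "")
    vuln = is_vulnerable(ver)
    exposed = bind_addr.split(":")[0] not in LOOPBACK  # OLLAMA_HOST may carry a port
    if vuln and exposed:
        priority = "critical"
    elif vuln:
        priority = "high"
    elif exposed:
        priority = "review"  # patched, but the Fix says keep the API off shared networks
    else:
        priority = "ok"
    return {"host": host, "version": ver, "vulnerable": vuln,
            "network_exposed": exposed, "priority": priority}

def fetch_version_json(base_url: str, timeout: float = 3.0) -> str:
    """Live check: GET {base_url}/api/version returns {"version": "..."}."""
    with urllib.request.urlopen(f"{base_url}/api/version", timeout=timeout) as resp:
        return resp.read().decode()

# Constructed inventory (hostnames, versions and bind addresses are made up)
SAMPLE_INVENTORY = [
    ("gpu-box-01", '{"version": "0.16.3"}', "0.0.0.0:11434"),
    ("dev-laptop-07", '{"version": "0.17.0"}', "127.0.0.1"),
    ("inference-02", '{"version": "0.17.1"}', "10.0.0.5"),
]

if __name__ == "__main__":
    for host, vjson, bind in SAMPLE_INVENTORY:
        print(assess(host, vjson, bind))
```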