Huntress is tracking a large automated password-spray campaign against Microsoft 365 that has made more than 81 million login attempts through the Azure CLI in two weeks and broken into 78 accounts across 64 organizations. The attackers replay old username and password pairs from breach data against an authentication flow that sends credentials straight to the token endpoint without triggering interactive multi-factor authentication, so weak or reused passwords give them direct access. Several victims had MFA, but it was scoped only to admins, only to certain apps, or only to untrusted locations, and so did not cover this path. The traffic comes from infrastructure whose address ranges trace back to China.
Microsoft is warning that attackers can hijack AI agents through poisoned tool descriptions, the plain-text notes that tell an agent what a tool does. Because agents connect to systems through the Model Context Protocol and read these descriptions to decide how to act, an attacker who updates a trusted third-party tool can bury a hidden instruction in its description, telling the agent to quietly collect and exfiltrate data on its next task. Many setups pick up description changes without re-approval, so the poisoned version goes live silently. Each step the agent takes looks legitimate and runs with the user's own permissions, so no alarm fires.
Researchers at LayerX detailed BioShocking, an attack that manipulates AI browser agents into ignoring their safety rules by convincing them they are inside a fictional game. Using a web page with a puzzle that rewards deliberately wrong answers, the attack gets the agent to accept a false reality, after which it treats a request to open a page and copy its contents as just another step. In the demonstration, that page redirected to the victim's work GitHub repository and the agent handed over SSH credentials, treating the theft as finishing the game. None of the six AI browser agents tested flagged it as a rule violation.
Microsoft has removed 119 malicious Microsoft Edge extensions, tied to a single actor active since at least 2021, that hid their payloads inside ordinary image and font files using steganography. The extensions posed as ad blockers, VPNs, translators, and similar tools, worked as advertised, and stayed dormant for days while passing evasion checks, which let them survive in the store for years and reach up to 2.6 million installs. Beyond ad fraud and affiliate hijacking, the more dangerous variants stole Google credentials and two-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking, with extra aggression against corporate and banking targets. Microsoft has published indicators of compromise.
A new information stealer called Djinn is being used to grab cloud and AI service credentials, Dark Reading reports. Attackers deliver it by exploiting CVE-2026-48558, a critical authentication-bypass flaw in the SimpleHelp remote-management tool, then use Djinn to target the credentials that link developer and administrator environments to broader enterprise systems. The focus on cloud and AI secrets reflects where valuable access now lives: API keys and tokens for cloud platforms and AI services can unlock far more than a single machine. Organizations that run SimpleHelp, especially unpatched instances, are the immediate exposure point for this credential theft.
Microsoft found a malicious Chrome extension impersonating the AI search engine Perplexity that quietly logged users' searches and address-bar input. Calling itself "Search for perplexity ai" and using a look-alike domain, it set itself as the default search engine and routed every query through an attacker server, which logged it with the user's IP and browser details before redirecting to a real engine so results looked normal. Worse, it also pointed the browser's live search suggestions at the attacker, so each character typed in the address bar was sent before the user even pressed Enter. Microsoft found no password theft, but far more access than a search tool needs. Google removed it.
Researchers at Mozilla's 0DIN found that an AI coding agent told to clone and set up a seemingly harmless GitHub repository can be tricked into running malware that stays invisible to security scanners, the agent itself, and human reviewers. The trick is that nothing malicious sits in the repository's files. Instead, a routine-looking setup command runs a script that fetches a value hidden in a DNS TXT record and executes it as a shell command, pulling down and running an attacker's payload like a reverse shell. Because the payload lives outside the repo and arrives over DNS at setup time, code review and static scanning see nothing wrong.
Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.
Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations come from OpenAI's own infrastructure, so they are genuine messages and slip past email security controls that would catch ordinary phishing. It is a reminder that trusted SaaS platforms can be turned into phishing channels through their normal invitation features, where the message itself is legitimate even though the inviting organization is fraudulent. Verification of unexpected invites is the key defense.
Microsoft is tracking a phishing campaign hitting hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass email authentication through what Microsoft calls authentication laundering, routing messages through Calendly's notification system and Google redirects so they appear legitimate. The ZIP hides a shortcut posing as an image that runs obfuscated PowerShell, quietly installs a legitimate Node.js runtime, and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, disables Microsoft Defender for itself, and persists through the registry. The attackers' ultimate goal is still unclear.