Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Azure CLI password spray compromises 78 Microsoft accounts by bypassing MFA

Huntress is tracking a large automated password-spray campaign against Microsoft 365 that has made more than 81 million login attempts through the Azure CLI in two weeks and broken into 78 accounts across 64 organizations. The attackers replay old username and password pairs from breach data against an authentication flow that sends credentials straight to the token endpoint without triggering interactive multi-factor authentication, so weak or reused passwords give them direct access. Several victims had MFA, but it was scoped only to admins, only to certain apps, or only to untrusted locations, and so did not cover this path. The traffic comes from infrastructure whose address ranges trace back to China.

Check
Review whether your multi-factor authentication and Conditional Access policies cover every sign-in path, including the Azure CLI and token-endpoint flows, not just web portals and admin accounts, and hunt for password-spray bursts.
Affected
Microsoft 365 organizations with weak or reused passwords, incomplete MFA, or Conditional Access gaps; attackers use a credential flow that skips interactive MFA to break in through the Azure CLI.
Fix
Enforce phishing-resistant MFA across all users, apps, and authentication flows, block legacy and password-based credential grants, apply Conditional Access to CLI access, and monitor sign-in logs for spray patterns and suspicious networks.

Microsoft warns poisoned MCP tool descriptions can make AI agents leak data

Microsoft is warning that attackers can hijack AI agents through poisoned tool descriptions, the plain-text notes that tell an agent what a tool does. Because agents connect to systems through the Model Context Protocol and read these descriptions to decide how to act, an attacker who updates a trusted third-party tool can bury a hidden instruction in its description, telling the agent to quietly collect and exfiltrate data on its next task. Many setups pick up description changes without re-approval, so the poisoned version goes live silently. Each step the agent takes looks legitimate and runs with the user's own permissions, so no alarm fires.

Check
Inventory the MCP tools and servers your AI agents can use, especially third-party ones, and check whether your setup re-approves or reviews tool descriptions when they change rather than trusting updates automatically.
Affected
Organizations running AI agents connected to third-party MCP tools without re-approval on description changes; a poisoned description can redirect the agent to exfiltrate data using the user's own permissions, invisibly.
Fix
Require review when tool descriptions change, pin and verify tool sources, scope agents with least privilege, log every tool invocation at the infrastructure layer, and gate sensitive actions behind human approval.

BioShocking attack convinces AI browsers they are in a game, then steals credentials

Researchers at LayerX detailed BioShocking, an attack that manipulates AI browser agents into ignoring their safety rules by convincing them they are inside a fictional game. Using a web page with a puzzle that rewards deliberately wrong answers, the attack gets the agent to accept a false reality, after which it treats a request to open a page and copy its contents as just another step. In the demonstration, that page redirected to the victim's work GitHub repository and the agent handed over SSH credentials, treating the theft as finishing the game. None of the six AI browser agents tested flagged it as a rule violation.

Check
Review where AI browser agents are used and what logged-in accounts they can reach, and test whether an agent follows instructions from web content telling it the normal rules no longer apply.
Affected
Users of AI browser agents that act on logged-in sessions; an attacker-controlled page can trick the agent into ignoring its rules and stealing credentials or data from sites the user uses.
Fix
Require user confirmation before an agent reads from logged-in accounts, limit which sites and data agents can touch, and prefer AI browsers that flag when content tries to override their instructions.

Microsoft pulls 119 Edge extensions that hid malware inside images and fonts

Microsoft has removed 119 malicious Microsoft Edge extensions, tied to a single actor active since at least 2021, that hid their payloads inside ordinary image and font files using steganography. The extensions posed as ad blockers, VPNs, translators, and similar tools, worked as advertised, and stayed dormant for days while passing evasion checks, which let them survive in the store for years and reach up to 2.6 million installs. Beyond ad fraud and affiliate hijacking, the more dangerous variants stole Google credentials and two-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking, with extra aggression against corporate and banking targets. Microsoft has published indicators of compromise.

Check
Open your browser's extensions page and check installed add-ons against Microsoft's published list of StegoAd extension IDs, and review endpoints for the campaign's indicators of compromise across Chromium browsers.
Affected
Users who installed any of the 119 extensions, which posed as ad blockers, VPNs, and similar tools; stolen cookies and two-factor codes let attackers hijack sessions and accounts without passwords.
Fix
Remove any matching extension and treat the browser as compromised: reset Google and WordPress passwords, review sign-in activity, and prefer hardware security keys over SMS codes. Govern extensions with allowlists.

Djinn stealer harvests cloud and AI credentials through SimpleHelp RMM flaw

A new information stealer called Djinn is being used to grab cloud and AI service credentials, Dark Reading reports. Attackers deliver it by exploiting CVE-2026-48558, a critical authentication-bypass flaw in the SimpleHelp remote-management tool, then use Djinn to target the credentials that link developer and administrator environments to broader enterprise systems. The focus on cloud and AI secrets reflects where valuable access now lives: API keys and tokens for cloud platforms and AI services can unlock far more than a single machine. Organizations that run SimpleHelp, especially unpatched instances, are the immediate exposure point for this credential theft.

Check
Confirm SimpleHelp servers are patched against CVE-2026-48558, and review developer and admin systems for credential theft and any unexpected use of cloud or AI service API keys and tokens.
Affected
Organizations running SimpleHelp remote-management software vulnerable to CVE-2026-48558; Djinn specifically hunts the cloud and AI service credentials that bridge developer and admin environments to wider enterprise systems.
Fix
Patch SimpleHelp immediately, rotate cloud and AI service credentials that may have been exposed, enforce least privilege and short-lived tokens, and monitor for unusual API key usage.

Malicious Perplexity look-alike extension logged every search and keystroke typed

Microsoft found a malicious Chrome extension impersonating the AI search engine Perplexity that quietly logged users' searches and address-bar input. Calling itself "Search for perplexity ai" and using a look-alike domain, it set itself as the default search engine and routed every query through an attacker server, which logged it with the user's IP and browser details before redirecting to a real engine so results looked normal. Worse, it also pointed the browser's live search suggestions at the attacker, so each character typed in the address bar was sent before the user even pressed Enter. Microsoft found no password theft, but far more access than a search tool needs. Google removed it.

Check
Check whether anyone installed the 'Search for perplexity ai' extension, confirm the default search engine has not been changed, and watch for browser traffic to unfamiliar look-alike domains imitating AI services.
Affected
Users who installed the fake Perplexity extension; their searches and every character typed into the address bar were sent to an attacker-controlled server, exposing potentially sensitive queries and browsing intent.
Fix
Remove the extension, reset the default search engine, and allow only approved extensions through browser policy. Treat AI-branded tools with extra suspicion and verify the publisher and domain before installing anything.

Clean GitHub repos trick AI coding agents into fetching and running malware

Researchers at Mozilla's 0DIN found that an AI coding agent told to clone and set up a seemingly harmless GitHub repository can be tricked into running malware that stays invisible to security scanners, the agent itself, and human reviewers. The trick is that nothing malicious sits in the repository's files. Instead, a routine-looking setup command runs a script that fetches a value hidden in a DNS TXT record and executes it as a shell command, pulling down and running an attacker's payload like a reverse shell. Because the payload lives outside the repo and arrives over DNS at setup time, code review and static scanning see nothing wrong.

Check
Review how your AI coding agents and developers set up unfamiliar repositories, and check whether setup or build commands can make outbound network or DNS requests that fetch and execute external content.
Affected
Developers and teams that let AI coding agents automatically run setup steps for untrusted repositories; the malicious payload is fetched at setup time over DNS, so scanning the repository alone misses it.
Fix
Run repository setup for untrusted code in sandboxes without credentials, restrict outbound network and DNS during setup, and treat agent setup and build commands as untrusted code execution rather than safe automation.

Self-spreading Shai-Hulud worm hits more npm packages and reaches into Go

Socket reports a new wave of the self-spreading Shai-Hulud supply-chain worm, in its Miasma and Hades variants, that compromised more npm packages and, for the first time, reached the Go ecosystem. On June 24 attackers used a hijacked maintainer account to push trojanized versions of LeoPlatform and RStreams npm packages, tied to cloud and serverless workloads, and also poisoned a Go module from the Verana blockchain project. The malware harvests developer and CI/CD credentials, abuses GitHub Actions, and polls GitHub hourly for a marker commit to pull down its Hades payload. Researchers note the campaign keeps shifting ecosystems and indicators to stay ahead of detection rather than changing its core behavior.

Check
Check whether your projects or pipelines pulled affected LeoPlatform, RStreams, or related npm packages or the compromised Verana Go module, and review developer and CI/CD systems for credential theft.
Affected
Developers and CI/CD pipelines that installed the compromised npm packages or Go module; the worm steals cloud, registry, and GitHub credentials, then uses them to spread to more packages and repositories.
Fix
Remove affected versions, rotate developer, cloud, and CI/CD credentials, pin and verify dependencies, restrict install-time and build-time execution, and monitor for unexpected GitHub Actions activity and new exfiltration repositories.

Attackers abuse OpenAI organization invites to phish data from security firms

Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations come from OpenAI's own infrastructure, so they are genuine messages and slip past email security controls that would catch ordinary phishing. It is a reminder that trusted SaaS platforms can be turned into phishing channels through their normal invitation features, where the message itself is legitimate even though the inviting organization is fraudulent. Verification of unexpected invites is the key defense.

Check
Tell staff to treat unexpected invitations to join an organization on OpenAI or other SaaS platforms with suspicion, and monitor which external organizations employees' work accounts have joined.
Affected
Employees, including at security firms, who receive genuine-looking organization invitations from SaaS platforms; data typed into an attacker-controlled organization's chats or projects is exposed to the attacker.
Fix
Train staff to verify unexpected SaaS organization invitations through a separate channel, monitor SaaS organization memberships, and set policies on which platforms and tenants employees may join with work accounts.

Hotel phishing campaign launders email authentication to drop a Node.js implant

Microsoft is tracking a phishing campaign hitting hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass email authentication through what Microsoft calls authentication laundering, routing messages through Calendly's notification system and Google redirects so they appear legitimate. The ZIP hides a shortcut posing as an image that runs obfuscated PowerShell, quietly installs a legitimate Node.js runtime, and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, disables Microsoft Defender for itself, and persists through the registry. The attackers' ultimate goal is still unclear.

Check
Alert front-desk staff to complaint-themed emails carrying photo ZIP files, and hunt for Node.js running from user paths, new Defender exclusions, and beacons to non-standard ports such as 8443 or 56001.
Affected
Hotels and hospitality organizations in Europe and Asia whose reception and reservations staff open image or document attachments; the campaign laundered email authentication and installs a persistent Node.js implant.
Fix
Block and alert on the campaign's domains and ports, restrict execution of shortcut files from archives, monitor for unauthorized Node.js runtimes and Defender exclusions, and remove both registry persistence keys during cleanup.