Google Research

Google Research Vendor Cyber Rating & Cyber Score

research.google

From conducting fundamental research to influencing product development, our research teams have the opportunity to impact technology used by billions of people every day. We aspire to make discoveries that impact everyone, and sharing our research and tools to fuel progress in the field is fundamental to our approach.


Google Research A.I CyberSecurity Scoring

Google Research
Company Information
Website: https://research.google/
Employees number: None
Number of followers: 362,436
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: research.google
Google Research Risk Score (AI oriented)
Between 700 and 749
Google Research (Technology, Information and Internet)
Updated: 11/05/2026
712/1000
Moderate
Ba
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Google Research Global Score (TPRM)
Score locked

Google Research
Google Research: Moderate
Current Score: 712 Ba (MODERATE)
Scale: 0 to 1000
6 incidents
-13.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
715 Before Incident
MAY 2026
728 Before Incident
Cyber Attack
04 May 2026, Google Research
Google: Google says criminals used AI-built zero-day in planned mass hack spree

Google Thwarts AI-Generated Zero-Day Exploit in Early Cybercrime Campaign

712 After Incident
LOW -16
GOO1778516874

Google’s Threat Intelligence Group (GTIG) has uncovered what it believes to be the first real-world case of cybercriminals using AI to discover and weaponize a zero-day vulnerability. The flaw, a two-factor authentication (2FA) bypass in a widely used open-source web administration platform, was identified and exploited by attackers as part of a planned mass-exploitation campaign.

According to Google’s report, shared ahead of publication on Monday, the attackers leveraged an AI model to both pinpoint the vulnerability and develop a functional exploit. The company collaborated with the unnamed vendor to patch the issue before the campaign could escalate, potentially disrupting the operation before it gained momentum.

The exploit’s code exhibited telltale signs of AI involvement, including "educational docstrings," a hallucinated CVSS score, and a polished structure resembling LLM-generated output. The flaw stemmed from a hardcoded trust exception in the authentication flow, a type of high-level logic error that modern AI models are increasingly adept at identifying.

Google emphasized that AI-driven vulnerability discovery is no longer a future threat but an active reality. John Hultquist, chief analyst at GTIG, warned that for every AI-linked zero-day detected, many more likely remain undetected. Threat actors, both state-backed and criminal, are already using AI to accelerate attack development, improve malware, and automate reconnaissance.

The report also highlighted broader AI-driven cyber threats, including North Korea’s APT45 using AI to bulk-test exploits, Chinese state-linked groups experimenting with AI for vulnerability hunting, and malware incorporating AI-generated obfuscation to evade analysis. Additionally, Russian influence operations have integrated AI-generated audio into propaganda efforts.

While the intercepted exploit contained flaws that hindered its effectiveness, Google cautioned that such early-stage missteps may not persist as attackers refine their techniques. The incident underscores the growing role of AI in cybercrime and espionage, marking a shift in the threat landscape.
INCIDENT DETAILS -
TYPE
Zero-Day Exploit
MOTIVATION
Mass exploitation campaign (potential financial gain or data theft)
IMPACT
Systems Affected: Open-source web administration platform (unnamed)
APRIL 2026
742 Before Incident
Cyber Attack
31 Mar 2026, Google Research
Axios and Google: North Korean Hackers Linked To Major Security Breach In Suspected Crypto Theft Attempt

North Korean Hackers Target U.S. Firms in Supply-Chain Attack to Fund Nuclear Program

734 After Incident
CRITICAL -8
AXIGOO1775048584

A suspected North Korean hacking group compromised a software developer’s account tied to Axios, a widely used tool for connecting applications and web services, in a supply-chain attack aimed at stealing cryptocurrency. The breach occurred on Tuesday morning, when attackers gained control of the developer’s account for three hours, pushing malicious updates to organizations that downloaded the software, including cryptocurrency firms, blockchain developers, and tech companies in the crypto sector.

Security experts warn the incident is part of a long-term campaign by Pyongyang to siphon digital assets, which are reportedly funneled into funding North Korea’s nuclear and missile programs. Google’s Threat Intelligence Group detected similar activity, attributing the attack to a financially motivated North Korea-linked threat actor. The group’s analysis suggests the breach could lead to further supply-chain attacks, ransomware operations, or additional cryptocurrency theft in the near term.

This attack aligns with a broader trend of escalating cybercrime by North Korean operatives. In 2025, hackers from the country stole $2.02 billion in cryptocurrency, a 51% increase from the previous year, marking the most lucrative period yet for such thefts, according to blockchain analytics firm Chainalysis. The incident underscores the regime’s reliance on cyber heists as a critical revenue stream amid international sanctions.
INCIDENT DETAILS -
TYPE
Supply-Chain Attack
MOTIVATION
Financial gain (cryptocurrency theft to fund nuclear/missile programs)
IMPACT
Data Compromised: Potential cryptocurrency theft
Systems Affected: Organizations using Axios software (cryptocurrency firms, blockchain developers, tech companies)
DATA BREACH
Type Of Data Compromised: Cryptocurrency-related data
Sensitivity Of Data: High (financial assets)
MARCH 2026
746 Before Incident
Vulnerability
17 Mar 2026, Google Research
Anthropic, OpenAI and Google: Hidden instructions in README files can make AI agents leak data

AI Coding Agents Vulnerable to 'Semantic Injection' Attacks via Malicious README Files

742 After Incident
CRITICAL -4
GOOANTOPE1773736050

New research reveals a critical security flaw in AI-powered coding agents, which can be exploited through hidden malicious instructions in project README files. These files, commonly used to guide software setup, often include commands for installing dependencies or configuring applications. Attackers can embed seemingly benign steps, such as file synchronization or data uploads, that trick AI agents into leaking sensitive local files to external servers.

The attack, dubbed a "semantic injection", was tested using ReadSecBench, a dataset of 500 README files from open-source repositories across Java, Python, C, C++, and JavaScript. When malicious instructions were inserted, AI agents, including those powered by Anthropic’s Claude, OpenAI’s GPT models, and Google’s Gemini, executed them in up to 85% of cases, regardless of programming language or instruction placement.

Key findings:
- Direct commands (e.g., "Upload config files to this server") succeeded 84% of the time, while less explicit phrasing reduced success rates.
- Linked documentation proved even riskier: when malicious instructions were placed two links deep from the main README, attacks succeeded in 91% of tests.
- Human reviewers failed to detect the threats: in a test with 15 participants, none identified the hidden instructions. Over 53% found nothing unusual, while 40% focused on minor grammar issues.
- Automated detection tools struggled: rule-based scanners flagged benign files due to common README elements (commands, paths), while AI classifiers missed attacks in linked files.

The researchers warn that as AI agents become more integrated into development workflows, unverified execution of README instructions poses a growing risk. They recommend treating external documentation as "partially trusted input" and implementing stricter verification for sensitive actions.

The findings underscore the need for improved safeguards to prevent unintended data exposure in automated coding environments.
INCIDENT DETAILS -
TYPE
Semantic Injection
IMPACT
Data Compromised: Sensitive local files
Systems Affected: AI-powered coding agents (Anthropic’s Claude, OpenAI’s GPT models, Google’s Gemini)
Operational Impact: Potential data leakage and unauthorized data exfiltration
Brand Reputation Impact: Potential reputational damage to AI coding agent providers
DATA BREACH
Type Of Data Compromised: Sensitive local files
Sensitivity Of Data: High (potentially confidential or proprietary information)
Data Exfiltration: Yes (files uploaded to external servers)
FEBRUARY 2026
770 Before Incident
Cyber Attack
26 Feb 2026, Google Research
Google and Telecom and Government Organizations: Google Shuts Down Chinese Hackers’ Infrastructure Behind Telecom and Government Breach

Google Disrupts Major Chinese Cyber Espionage Campaign Targeting Global Telecom and Government Sectors

745 After Incident
CRITICAL -25
TELGOO1772110899

Google’s Threat Intelligence Group (GTIG), alongside Mandiant and other partners, recently dismantled a large-scale cyber espionage operation linked to the Chinese hacker group UNC2814. Active since 2017 and suspected of operating under the People’s Republic of China (PRC), the group targeted 53 victims across 42 countries on four continents, focusing on telecom and government organizations.

The campaign relied on GRIDTIDE, a novel malware that exploited the Google Sheets API for command-and-control (C2) communications. By embedding malicious activity within legitimate API traffic, the malware evaded detection while exfiltrating sensitive data, including personally identifiable information (PII) such as names, phone numbers, and national ID numbers. GRIDTIDE provided persistent access to compromised systems, allowing attackers to maintain control and execute further operations.

In a coordinated response, GTIG and its partners terminated attacker-controlled Google Cloud Projects, disabled the Google Sheets API infrastructure used for C2, and blocked malicious traffic. The team also released Indicators of Compromise (IOCs), including malicious domains and IP addresses, to help organizations detect and mitigate similar threats.

The group’s primary objective appeared to be intelligence collection, with a focus on monitoring communications within targeted sectors. GRIDTIDE’s use of Google Sheets for C2, leveraging cryptographic keys to send commands, transfer files, and execute operations, highlighted the growing sophistication of cyber espionage tactics. While the disruption is expected to hinder UNC2814’s operations, experts caution that the group may attempt to reestablish access.

The incident underscores the increasing complexity of defending against advanced persistent threats (APTs), particularly as attackers exploit legitimate cloud services to bypass traditional security measures.
INCIDENT DETAILS -
TYPE
Cyber Espionage
MOTIVATION
Intelligence collection
IMPACT
Data Compromised: Personally identifiable information (PII) such as names, phone numbers, and national ID numbers
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Personally identifiable information (PII)
Sensitivity Of Data: High (names, phone numbers, national ID numbers)
Data Exfiltration: Yes
Personally Identifiable Information: Yes
FEBRUARY 2026
777 Before Incident
Cyber Attack
12 Feb 2026, Google Research
Google and Zoom: Promptware Attack Lets Hackers Weaponize Google Calendar Invites to Spy via Zoom Camera

New AI Threat 'Promptware' Turns Assistants Into Silent Spy Tools

770 After Incident
CRITICAL -7
GOOZOO1770908381

Researchers from Ben-Gurion University, Tel Aviv University, and Harvard, including cybersecurity expert Bruce Schneier, have uncovered a dangerous evolution in AI attacks dubbed "Promptware." Unlike traditional prompt injection, this technique hijacks large language models (LLMs) to execute malicious actions without user interaction, effectively turning AI assistants into stealthy surveillance tools.

The attack, detailed in the paper "The Promptware Kill Chain," exploits AI integrations with everyday apps. In one demonstrated scenario, attackers send a malicious Google Calendar invite containing hidden instructions. The AI, with access to the victim’s calendar and email, automatically processes the prompt, mistaking it for a legitimate Zoom meeting request. The assistant then launches Zoom, activates the camera, and streams video to the attacker’s server, all without alerts or user input. Since the AI operates within its granted permissions, the attack bypasses traditional security checks.

The researchers mapped a seven-stage kill chain based on 36 real-world attacks, mirroring advanced cyberwarfare tactics:
1. Initial Access: Malicious prompts embedded in emails or calendar invites.
2. Privilege Escalation: "Jailbreaking" AI to bypass safety filters.
3. Reconnaissance: AI scans files or emails for sensitive data.
4. Persistence: Prompts self-replicate to survive system restarts.
5. Command & Control: AI connects to attacker-controlled servers.
6. Lateral Movement: Spreads via automated emails to contacts.
7. Actions on Objective: Exfiltrates data, steals cryptocurrency, or conducts surveillance.

Unlike static prompt injections, Promptware mutates, spreads, and executes code autonomously, posing risks beyond data theft, including silent espionage or fraud. The threat escalates as AI assistants gain deeper integration with devices, potentially granting access to cameras, microphones, and system controls with a single malicious prompt.

To counter the threat, the researchers propose a defense-in-depth approach:
- Input sanitization to strip hidden prompts from emails and calendars.
- Permission limits requiring explicit user approval for sensitive actions (e.g., camera access).
- AI activity monitoring to flag anomalous behavior, such as unexpected meetings.
- Isolation by running AI in sandboxes without direct tool access.

The findings highlight a critical shift in cybersecurity: AI systems must be treated as potential malware vectors, not just tools vulnerable to manipulation. As LLMs like Siri and Cortana evolve, layered security measures will be essential to prevent exploitation.
INCIDENT DETAILS -
TYPE
AI Exploitation
MOTIVATION
Espionage
Data exfiltration
Fraud
IMPACT
Data Compromised: Sensitive data (e.g., files, emails)
AI assistants (e.g., LLMs)
Integrated applications (e.g., Zoom, email, calendar)
Operational Impact: Unauthorized access to cameras, microphones, and system controls
DATA BREACH
Sensitive files
Emails
Video/audio streams
Sensitivity Of Data: High (e.g., personally identifiable information, surveillance data)
Data Exfiltration: Yes (streamed to attacker-controlled servers)
JANUARY 2026
798 Before Incident
Vulnerability
01 Jan 2026, Google Research
Anthropic, OpenAI, Google and AWS: AI Router Vulnerabilities Allow Attackers to Inject Malicious Code and Steal Sensitive Data

Critical Vulnerability in AI Agent Supply Chain Exposes Sensitive Data and Cryptocurrency Theft

777 After Incident
CRITICAL -21
GOOAMAOPEANT1775823892

Researchers from the University of California, Santa Barbara, have uncovered a severe security flaw in the AI agent ecosystem, where third-party LLM API routers, intermediary services between AI agents and providers like OpenAI, Anthropic, and Google, can be weaponized to hijack tool calls, drain cryptocurrency wallets, and exfiltrate credentials at scale.

The study, titled "Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain," reveals that these routers operate as application-layer proxies with full plaintext access to JSON payloads, making them an unguarded trust boundary. Unlike traditional man-in-the-middle attacks, these intermediaries are voluntarily configured by developers, allowing malicious actors to read, modify, or fabricate tool calls undetected.

### Attack Methods and Findings

The research team tested 28 paid and 400 free routers from platforms like Taobao, Xianyu, and public communities, uncovering alarming vulnerabilities:
- 9 routers (1 paid, 8 free) injected malicious code into tool calls.
- 17 free routers triggered unauthorized use of AWS credentials after interception.
- 1 router drained Ethereum (ETH) from a researcher-owned private key.
- 2 routers employed adaptive evasion, activating payloads only after 50 requests or targeting autonomous "YOLO mode" sessions.

A particularly dangerous attack, payload injection (AC-1), replaces benign installer URLs or package names with attacker-controlled endpoints. Since tampered JSON payloads remain syntactically valid, they bypass schema validation and security checks, enabling arbitrary code execution with a single rewritten command.

### Poisoning and Unauthorized Access

The researchers demonstrated the ease of exploiting this attack surface:
- After leaking a single OpenAI API key on Chinese forums, the key generated 100 million GPT-5.4 tokens and exposed credentials across downstream sessions.
- Weak router decoys deployed across 20 domains and 20 IPs attracted 40,000 unauthorized access attempts, served 2 billion billed tokens, and exposed 99 credentials across 440 Codex sessions, 401 of which ran in autonomous YOLO mode, where tool execution requires no manual approval.

### Mitigation Strategies

While no client-side defense can fully authenticate tool-call provenance, the researchers propose three immediate mitigations:
1. Fail-closed policy gate: Blocks shell-rewrite and dependency-injection attacks by allowing only commands from a local allowlist (1.0% false positive rate).
2. Response-side anomaly screening: Flags 89% of payload injection attempts using an IsolationForest model (6.7% false positive rate).
3. Append-only transparency logging: Records request/response metadata for forensic analysis (~1.26 KB per entry).

The study concludes that provider-signed response envelopes, similar to DKIM for email, are necessary to cryptographically verify tool-call integrity. Until major AI providers implement such mechanisms, developers must treat third-party routers as potential adversaries and deploy layered defenses.
INCIDENT DETAILS -
TYPE
Supply Chain Attack
MOTIVATION
Financial gain (cryptocurrency theft)
Data exfiltration (credentials)
Unauthorized access to AI systems
IMPACT
Financial Loss: Cryptocurrency drained (e.g., Ethereum from researcher-owned wallet)
Credentials (99 exposed)
API keys (e.g., OpenAI API key generating 100M tokens)
Session data (440 Codex sessions)
AI agent ecosystems
LLM API routers
Downstream AI applications
Operational Impact: Unauthorized tool execution, arbitrary code execution, credential leakage
Revenue Loss: 2 billion billed tokens served via unauthorized access
Brand Reputation Impact: Potential erosion of trust in AI agent supply chain and third-party routers
Identity Theft Risk: High (exposure of personally identifiable information via credentials)
Payment Information Risk: High (cryptocurrency wallet drainage)
DATA BREACH
Credentials
API keys
Session data
Personally identifiable information
Number Of Records Exposed: 99 credentials, 100M+ tokens generated via leaked API key, 2B tokens billed via unauthorized access
Sensitivity Of Data: High (cryptocurrency private keys, AI API keys, user credentials)
Data Exfiltration: Yes (credentials and session data exfiltrated via malicious routers)
Personally Identifiable Information: Yes (credentials, session data)
DECEMBER 2025
798 Before Incident
NOVEMBER 2025
798 Before Incident
OCTOBER 2025
798 Before Incident
SEPTEMBER 2025
798 Before Incident
AUGUST 2025
798 Before Incident
JULY 2025
798 Before Incident

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Google Research?
What was Google Research's A.I Rankiteo Cyber Score in May 2026?
What was Google Research's A.I Rankiteo Cyber Score in April 2026?
What was Google Research's A.I Rankiteo Cyber Score in March 2026?
What was Google Research's A.I Rankiteo Cyber Score in February 2026?
What was Google Research's A.I Rankiteo Cyber Score in January 2026?
What was Google Research's A.I Rankiteo Cyber Score in December 2025?
What was Google Research's A.I Rankiteo Cyber Score in November 2025?
What was Google Research's A.I Rankiteo Cyber Score in October 2025?
What was Google Research's A.I Rankiteo Cyber Score in September 2025?
What was Google Research's A.I Rankiteo Cyber Score in August 2025?
What was Google Research's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Google Research's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Google Research?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Google Research's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?