Mozilla A.I CyberSecurity Scoring
Mozilla
Company Information
Website: http://www.mozilla.org
Employees number: 1,762
Number of followers: 441,195
NAICS: 5112
Industry Type: Software Development
Homepage: mozilla.org
Mozilla Risk Score (AI oriented)
Between 650 and 699
Mozilla, Software Development
Updated: 17/06/2026
696/1000
Weak
B
Mozilla Global Score (TPRM)
Score locked
Current Score: 696 B (WEAK)
11 incidents
-9.71 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
701
Vulnerability
16 Jun 2026 • Mozilla
Mozilla and Oracle: Assume You Will Be Hacked
AI-Powered Cyberattacks Surge as Hackers Outpace Defenses
696
CRITICAL-5
ORAMOZ1781656969
In 2025, cyberattacks have escalated at an unprecedented rate, fueled by AI’s ability to automate and refine malicious software. Cybersecurity firm Palo Alto Networks reported a fourfold increase in daily attacks among its clients compared to 2024, with hackers leveraging AI to develop adaptive malware, accelerate data theft, and bypass traditional defenses. Former Yahoo and Facebook security chief Alex Stamos warned of a "crazy amount of offensive activity," noting that organizations including banks, hospitals, and government agencies are being breached daily.
The shift stems from AI’s dual role in both offense and defense. Advanced models like Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5-Cyber have demonstrated near-human hacking capabilities, prompting their restricted release to select government and corporate partners. These tools have already uncovered thousands of long-standing vulnerabilities in open-source software, with Mozilla using Mythos to patch 400+ bugs in Firefox in April alone, 20 times its typical monthly rate. Yet, despite these efforts, the window to respond to threats has collapsed: Moody’s Ratings found that attackers now exploit known vulnerabilities in just 44 days, down from over 700 days in 2020.
The threat landscape is further complicated by open-source AI hacking tools, which lower the barrier for less skilled criminals. The hacking group ShinyHunters, linked to AI-assisted attacks, recently disrupted Canvas (impacting thousands of schools) and breached Oracle’s HR system, potentially exposing data from over 100 organizations. Meanwhile, the U.S. government has restricted public access to Mythos, limiting its defensive applications.
Legacy systems and under-resourced sectors, such as hospitals, utilities, and municipal agencies, are particularly vulnerable. Many rely on outdated code written by retired or deceased developers and lack the funds or expertise to modernize. Hospitals, already targeted by ransomware, face heightened risks as AI amplifies attacks. Experts warn of potential blackouts, banking disruptions, or large-scale data breaches in the coming years, with Anthropic estimating that a single attack on one of its partners could affect 100 million people.
While AI-driven security tools offer some defense, the pace of innovation has outstripped preparedness. Mozilla’s CTO, Raffi Krikorian, compared the urgency to Y2K-scale upgrades, but with months, not years, to act. As AI continues to evolve, the cycle of discovery and exploitation may persist, leaving organizations and individuals scrambling to adapt.
MAY 2026
698
APRIL 2026
702
Vulnerability
28 Apr 2026 • Mozilla
Mozilla and Google: Chrome 147, Firefox 150 Security Updates Rolling Out
Google and Mozilla Patch Critical Memory Safety Flaws in Chrome and Firefox
697
LOW-5
GOOMOZ1777494638
Google and Mozilla released urgent security updates this week to address multiple memory safety vulnerabilities in Chrome and Firefox, including critical flaws that could enable arbitrary code execution.
Chrome 147 Update
Google’s latest Chrome update (version 147.0.7727.137/138 for Windows/macOS, 147.0.7727.137 for Linux) fixes 30 security issues, four of which are critical-severity use-after-free vulnerabilities:
- CVE-2026-7363 (Canvas)
- CVE-2026-7361 (iOS)
- CVE-2026-7344 (Accessibility)
- CVE-2026-7343 (Views)
Use-after-free flaws occur when an application references deallocated memory, potentially leading to crashes, data leaks, or remote code execution. The remaining 26 patches primarily address high-severity memory safety bugs, including out-of-bounds reads, buffer overflows, and type confusion issues. Google awarded $30,000 in bug bounties, with the highest payout ($16,000) for a GPU-related use-after-free flaw.
Firefox 150.0.1 Update
Mozilla’s Firefox 150.0.1 resolves four vulnerabilities, including three critical/high-severity memory safety bugs (CVE-2026-7322, CVE-2026-7323, CVE-2026-7324) that could allow arbitrary code execution. A fourth flaw, CVE-2026-7320, is an information disclosure issue in the Audio/Video component. The fixes extend to Firefox ESR 140.10.1 and 115.35.1, which also patch a medium-severity sandbox escape.
Both updates mitigate risks of exploitation, with Mozilla noting that some of the patched bugs showed signs of memory corruption. Users are advised to apply the updates immediately.
APRIL 2026
706
Vulnerability
23 Apr 2026 • Mozilla
Mozilla: Privacy Vulnerability in Firefox and TOR Browsers
Firefox and Tor Browsers Affected by Privacy-Tracking Vulnerability
701
LOW-5
MOZ1776991692
Security firm Fingerprint uncovered a privacy flaw in Firefox and the Tor Browser that could allow websites to track users even in private browsing or anonymity-focused modes. The vulnerability, stemming from low entropy in how browsers retrieve non-sensitive metadata, created unique system fingerprints that persisted despite privacy protections.
Mozilla addressed the issue in Firefox 150, released on April 21, 2026, after Fingerprint responsibly disclosed the flaw. The weakness exploited inconsistencies in database metadata retrieval, enabling tracking across sessions and undermining the privacy assurances of private browsing and Tor’s anonymity features.
The discovery highlights broader risks in browser security, particularly as AI-driven tools like Anthropic’s Claude Mythos may uncover similar vulnerabilities in the future. While the patch resolves the immediate threat, the incident underscores the ongoing challenges in maintaining robust privacy protections.
APRIL 2026
728
Cyber Attack
01 Apr 2026 • Mozilla
GitLab, Proofpoint, Google, GitHub, Phantom and Firefox: North Korean Hackers Use Fake Coding Tasks to Steal Crypto
North Korean Threat Actor Targets Developers in Large-Scale Phishing Campaign
704
LOW-24
MOZPHAGITPROGOOGIT1780935989
A likely North Korean threat actor has conducted a sophisticated phishing campaign, targeting nearly 100 organizations primarily in the U.S. with fake job offers and code-review requests to steal cryptocurrency and credentials. The operation, tracked by Proofpoint as UNK_DeadDrop, sent over 250 malicious emails in April and May 2026, focusing on employees in technology, education, finance, and cryptocurrency firms.
### How the Attack Worked
The campaign used shifting pretexts, including fake full-stack developer roles, AI payment agent projects, and ERC-4626 smart-contract testing, to lure victims into cloning malicious GitHub or GitLab repositories. Once the repository was opened in VS Code or Cursor, a hidden tasks.json file executed automatically, exploiting a legitimate editor feature.
- VS Code displayed a trust prompt, but Cursor ran the payload silently without user interaction.
- The malware installed a fake Google-themed VS Code extension, ensuring persistence by relaunching on macOS and Linux whenever the editor reopened.
- Linux/macOS systems received a Go-based remote access trojan (RAT) from the open-source Overlord framework, while Windows ran JavaScript directly in the editor, leaving no disk footprint.
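A defender-side check for the auto-run behaviour described above, added here as an example and not taken from the page or from Proofpoint. It assumes the "legitimate editor feature" is the VS Code task setting `runOptions.runOn: "folderOpen"`; the function names and the sample file are constructed for illustration. It parses `.vscode/tasks.json` as JSON-with-comments and lists tasks that start when a folder is opened, so a cloned repository can be reviewed before it is opened in an editor.

```python
import json
import os
OS_KEYS = ("windows", "linux", "osx")   # per-platform override blocks in a task

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas; string contents are kept."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):    # keep the escaped character as-is
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif text.startswith(("//", "/*"), i):
            closer, skip = ("\n", 0) if text[i + 1] == "/" else ("*/", 2)
            j = text.find(closer, i + 2)
            i = len(text) if j < 0 else j + skip
            continue
        else:
            if c in "}]":                           # remove a trailing comma before a closer
                k = len(out) - 1
                while k >= 0 and out[k].isspace():
                    k -= 1
                if k >= 0 and out[k] == ",":
                    del out[k]
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out)

def auto_run_tasks(text):
    """List tasks configured to start as soon as the folder is opened."""
    found = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        run_opts = task.get("runOptions") if isinstance(task, dict) else None
        if not isinstance(run_opts, dict) or run_opts.get("runOn") != "folderOpen":
            continue
        commands = [str(task["command"])] if "command" in task else []
        for key in OS_KEYS:                         # payloads can differ per platform
            override = task.get(key)
            if isinstance(override, dict) and "command" in override:
                commands.append("%s: %s" % (key, override["command"]))
        found.append({"label": task.get("label", "<unnamed>"), "commands": commands})
    return found

def scan_repo(root):
    """Map every .vscode/tasks.json under root to its auto-run tasks or parse error."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in files:
            continue
        path = os.path.join(dirpath, "tasks.json")
        with open(path, encoding="utf-8", errors="replace") as fh:
            try:
                found = auto_run_tasks(fh.read())
            except (ValueError, AttributeError) as exc:   # malformed file: flag for review
                found = [{"label": "<unparsable>", "commands": [str(exc)]}]
        if found:
            report[path] = found
    return report

# Constructed sample with harmless commands; comments and a trailing comma are legal here.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",  // constructed sample
  "tasks": [
    { "label": "prepare", "type": "shell", "command": "echo constructed-sample",
      "windows": { "command": "echo constructed-sample-win" },
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "build", "type": "shell", "command": "make // not a comment" }
  ]
}"""
```

Run `scan_repo()` on a fresh clone before opening it in an editor; an empty result means no task in the tree is set to run on folder open.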
### Data Theft & Wallet Drainage
The malware targeted cryptocurrency wallets and browser credentials, including:
- Browser extensions: MetaMask, Phantom, Keplr
- Desktop wallets: Exodus, Electrum, Ledger Live
- Saved passwords & cookies from Chrome, Brave, Edge, and Firefox
To bypass security:
- macOS/Linux displayed a fake password prompt, using the input to escalate privileges and dump keychains.
- Windows bypassed Chrome’s app-bound encryption to extract data.
After exfiltration, the malware deleted itself to evade detection.
### Attribution & Distinct Tactics
While the campaign resembles Contagious Interview, a long-running North Korean operation, Proofpoint tracks UNK_DeadDrop separately due to its email-led delivery, large-scale repository creation, and self-contained payloads that persist even after infrastructure takedowns. Though attribution remains unconfirmed, the campaign aligns with North Korea’s history of targeting developers since 2022.
Vulnerability
01 Apr 2026 • Mozilla
Mozilla, OpenBSD and Fortinet: 73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation
AI-Powered Cyber Threats Outpace Defenses as Anthropic’s Mythos Model Unleashes Unprecedented Exploits
704
CRITICAL-24
OPEFORMOZ1778682674
In April 2026, Anthropic released its advanced AI model, Mythos, to a limited group of twelve partners under a controlled preview deemed too dangerous for public release. Within just 14 days, the model generated 181 working Firefox exploits, dwarfing the previous state-of-the-art model’s output of two. It also uncovered thousands of zero-day vulnerabilities across major operating systems and browsers, including a 27-year-old flaw in OpenBSD, an OS renowned for its security. Over 99% of these vulnerabilities remain unpatched in production environments.
The incident underscores a broader shift: offensive cyber operations now move at machine speed. Earlier in 2026, AWS Threat Intelligence documented a single low-skill attacker leveraging AI to compromise 2,516 FortiGate devices across 106 countries in minutes, exploiting known CVEs and misconfigurations faster than defenders could respond.
The window between vulnerability disclosure and exploitation has collapsed. In 2018, the median time from CVE publication to in-the-wild exploitation was 2.3 years; by 2026, it has shrunk to just 10 hours. This acceleration renders traditional vulnerability management assumptions obsolete: every disclosed flaw is now a potential immediate threat, with exploits generated via simple prompts rather than specialized expertise.
Defensive gaps are further exposed by organizational inefficiencies. While AI-driven attacks complete compromises in 73 seconds, human-led response workflows spanning SIEM alerts, manual SOAR playbooks, and cross-team ticketing stretch patching timelines to 24 hours or more. The bottleneck isn’t tooling but fragmented handoffs between teams, where delays accumulate in Slack messages, PDF reports, and approval queues.
To counter this, security programs must prioritize three pillars of resilience:
1. Identify – Comprehensive visibility across networks, endpoints, and cloud environments, with aggressive attack surface management to eliminate blind spots.
2. Protect – Tightly tuned controls focused on credential access, lateral movement, and privilege escalation, rather than generic vendor rules.
3. Validate – Continuous breach and attack simulation (BAS) and autonomous penetration testing to measure real-world exploitability, not just theoretical risk. Without validation, defensive AI becomes guesswork at scale.
The Mythos incident reveals a stark reality: AI-driven offense has outpaced human-speed defense, leaving organizations vulnerable to exploits that emerge and spread before patches can be deployed. As boards now treat AI cyber risk as existential, security teams face pressure to adopt autonomous validation, closing the gap between detection and remediation before attackers exploit it.
MARCH 2026
727
FEBRUARY 2026
731
Vulnerability
16 Feb 2026 • Mozilla
Mozilla: Mozilla Firefox v147.0.3 Released With Fix for Critical Heap Buffer Overflow Vulnerability
Mozilla Patches High-Severity Firefox Vulnerability in libvpx Video Codec
726
CRITICAL-5
MOZ1771331136
On February 16, 2026, Mozilla released an urgent security update for Firefox to address a high-severity heap buffer overflow vulnerability (CVE-2026-2447) in the libvpx video codec library. The flaw affects video processing for VP8 and VP9 formats, which are widely used across Firefox’s desktop and mobile platforms.
Discovered by security researcher Jayjayjazz, the vulnerability allows attackers to exploit malformed or oversized video data, potentially leading to arbitrary code execution, browser crashes, or full system compromise. Exploitation requires no user interaction beyond visiting a malicious website or playing rigged video content, making it a prime target for drive-by attacks.
The issue stems from a heap buffer overflow, where data is written past the allocated memory buffer in the heap, enabling attackers to overwrite adjacent memory. Remote hackers could leverage this by embedding exploit payloads in seemingly innocuous media streams.
Mozilla rated the vulnerability as high-impact in its MFSA 2026-10 advisory, warning of risks to millions of users on Windows, macOS, and Linux. While no active exploits have been reported in the wild, the ease of remote triggering heightens the threat.
Affected and Patched Versions:
- Firefox < 147.0.4 → Patched in 147.0.4
- Firefox ESR < 140.7.1 → Patched in 140.7.1
- Firefox ESR < 115.32.1 → Patched in 115.32.1
The update underscores the critical role of libvpx in multimedia-heavy browsing and the importance of timely patching, as similar vulnerabilities have been exploited in past campaigns targeting media players.
JANUARY 2026
730
DECEMBER 2025
733
Vulnerability
20 Dec 2025 • Mozilla
Mozilla: Russian hackers hit France with “zero-click” attack using critical Windows flaws
Russian Hackers Exploit Zero-Click Vulnerabilities in Windows and Firefox to Target Europe and U.S.
728
CRITICAL-5
MOZ1773865551
Security researchers at ESET have uncovered a sophisticated cyberattack campaign attributed to the Russian hacking group RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596), which leveraged two critical vulnerabilities to gain full remote control over targeted systems without requiring any user interaction.
The attack combined CVE-2024-9680, a flaw in Mozilla Firefox, Tor Browser, and Thunderbird, with CVE-2024-49039, a vulnerability in Windows’ Task Scheduler. Victims were lured to a malicious website, which exploited the Firefox flaw upon visit, creating a backdoor. The attackers then triggered the Windows vulnerability, executing a PowerShell process to deploy malware from a remote server. This "zero-click" technique allowed compromise without any user action, making detection particularly challenging.
The campaign primarily targeted Europe and the United States, with France among the hardest-hit nations. While the initial distribution method of the malicious link remains unclear, the infection process was nearly instantaneous once accessed.
Mozilla released patches for Firefox and Tor Browser on October 9, followed by Thunderbird on October 10, just 25 hours after being notified. Microsoft issued its fix for the Windows vulnerability on November 12. The swift response highlights the severity of the flaws, though the attack underscores the growing threat of zero-click exploits in cyber espionage.
DECEMBER 2025
752
Cyber Attack
17 Dec 2025 • Mozilla
Mozilla: GhostPoster Malware Hit 50K Users via Firefox Extension Icons
GhostPoster Campaign Exploits Firefox Extensions with Steganography, Infecting 50,000+ Users
733
CRITICAL-19
MOZ1779280296
Researchers at Koi have exposed GhostPoster, a large-scale malware campaign targeting Firefox users through malicious browser extensions. The attack uses steganography, hiding executable JavaScript within PNG icon files to evade detection, and has infected over 50,000 users via seemingly legitimate add-ons.
The campaign spans at least 17 Firefox extensions, including Free VPN Forever (16,000+ installs), which remains available on the Firefox Add-ons marketplace. These extensions masquerade as benign tools (offering VPN access, translation, weather updates, or ad blocking) while delivering a multi-stage malware payload that compromises browser security.
### How GhostPoster Works
1. Initial Infection: Extensions load their icon files, which contain hidden JavaScript marked by a `===` sequence. The code executes upon each extension load, bypassing static scans since the image appears normal.
2. Loader Stage: The embedded script retrieves additional payloads from attacker-controlled domains (liveupdt[.]com or dealctr[.]com), using a unique signature to track infections.
3. Evasion Tactics: The malware checks in every 48 hours and downloads payloads just 10% of the time, making detection difficult. Payloads are obfuscated via Base64, XOR encryption, and runtime ID-based encoding, storing data in browser memory rather than disk.
4. Browser Takeover: Once active, the malware hijacks affiliate links, injects tracking code (using Google Analytics IDs), strips security headers (e.g., Content-Security-Policy), and enables remote code execution. Additional capabilities include CAPTCHA bypass, ad fraud, and dynamic cleanup to avoid forensic traces.
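A way to check extension icons for the pattern in step 1, added here as an example and not taken from the page or from Koi's research. It assumes the hidden script is appended after the PNG's final `IEND` chunk, which the page does not state; the function names and both sample icons are constructed. It walks the PNG chunk structure, verifies each CRC, and reports any bytes that follow the image, whether they contain the `===` marker, and whether what follows the marker looks like text.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="   # delimiter the write-up reports inside GhostPoster icon files

def chunk(ctype, body=b""):
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def png_end_offset(data):
    """Walk the chunk list, verify each CRC, and return the offset just past IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")

def inspect_icon(data):
    """Report bytes that follow the image and whether they carry the marker and text."""
    trailing = data[png_end_offset(data):]
    idx = trailing.find(MARKER)
    after = trailing[idx + len(MARKER):] if idx != -1 else b""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in after)
    return {
        "trailing_bytes": len(trailing),       # a well-formed icon has none
        "marker_found": idx != -1,
        "text_like": bool(after) and printable / len(after) > 0.9,
        "preview": after[:40].decode("ascii", "replace"),
    }

# Constructed 1x1 greyscale PNG, and a copy with harmless text appended after IEND.
CLEAN_ICON = (PNG_SIGNATURE
              + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + chunk(b"IDAT", zlib.compress(b"\x00\x7f"))
              + chunk(b"IEND"))
TAMPERED_ICON = CLEAN_ICON + MARKER + b"console.log('constructed sample');"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        print(name, inspect_icon(blob))
```

Any non-zero `trailing_bytes` in an extension icon is worth a manual look even without the marker, since image decoders ignore data after `IEND`.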
### Impact & Broader Trends
GhostPoster exploits user trust in browser extensions, a growing attack vector. By embedding malware in images and distributing it through official marketplaces, attackers bypass traditional security measures. The campaign highlights the risks of implicit trust in extensions, reinforcing the need for zero-trust principles in cybersecurity.
Firefox has not yet removed all affected extensions, leaving users vulnerable to persistent browser compromise.
NOVEMBER 2025
751
OCTOBER 2025
750
SEPTEMBER 2025
750
AUGUST 2025
749
JULY 2025
748
APRIL 2025
764
Cyber Attack
01 Apr 2025 • Mozilla
Mozilla, GitHub, Brave Software, Ledger, Trezor and Opera: BoryptGrab Malware Abuses GitHub to Steal Browser and Crypto Wallet Data
New Windows Stealer 'BoryptGrab' Spreads via Fake GitHub Repositories in Large-Scale Campaign
745
CRITICAL-19
THEBRATREMOZGITOPE1773066485
A sophisticated malware campaign is distributing BoryptGrab, a Windows information stealer, through fake GitHub repositories masquerading as free tools, game cheats, and cracked software. The operation, active since at least April 2025, leverages SEO-optimized README files to rank malicious repositories near legitimate projects in search results, tricking users into downloading infected ZIP archives.
### How the Attack Works
Attackers have created over 100 public GitHub repositories advertising enticing but fake software, including:
- "Voicemod Pro download tool"
- "Valorant performance boost"
- "CS2 skin changers"
- Cracked utilities and cheat-style tools
Victims are redirected through GitHub-hosted pages containing Russian-language comments and base64/AES-based URL redirection logic, ultimately landing on a fake GitHub download page that dynamically generates a malicious ZIP file.
### Infection Chain & Malware Capabilities
Once executed, the malware employs multiple infection vectors:
- DLL side-loading (via a malicious `libcurl.dll` that decrypts an embedded launcher using XOR + AES-CBC).
- VBS/PowerShell downloaders that bypass security controls (e.g., adding Microsoft Defender exclusions) and fetch the BoryptGrab stealer from attacker-controlled servers.
- Golang-based downloader (HeaconLoad), which persists via Run-key registry entries and scheduled tasks, beaconing to command-and-control (C2) servers on port 8088.
- TunnesshClient, a PyInstaller-packed backdoor that establishes reverse SSH tunnels, allowing attackers to execute commands, exfiltrate files, or use the victim as a SOCKS5 proxy.
Some variants also deliver obfuscated Vidar stealer payloads via an `/api/custom_exe?build={BUILD_NAME}` endpoint, using XOR encryption and dynamic API resolution to evade detection.
### What BoryptGrab Steals
The C/C++-based stealer includes anti-VM and anti-analysis checks and targets:
- Browser data (Chrome, Edge, Firefox, Opera, Brave, Vivaldi, Yandex, etc.), including stored passwords (bypassing Chrome’s App-Bound Encryption).
- Cryptocurrency wallets (Exodus, Electrum, Ledger Live, Atomic, Binance, Trezor, and dozens more).
- System details, screenshots, Telegram data, and Discord tokens.
- Files with specific extensions (via a "Filegraber" module).
- Installed applications and hardcoded timestamps.
Collected data is compressed and exfiltrated to attacker servers, often followed by the deployment of TunnesshClient for persistent remote access.
### Attribution & Infrastructure
- Russian-language comments and log strings in malware components, along with Russian-hosted IP addresses, suggest a Russian-speaking threat actor, though formal attribution remains unconfirmed.
- C2 servers communicate over ports 5466 and 8088, with build names (e.g., Shrek, Leon, CryptoByte, Sonic, Yaropolk) used to track infection branches.
The campaign demonstrates a mature, evolving ecosystem, combining SEO poisoning, multi-stage downloaders, and SSH-based backdoors to maximize persistence and data theft.
MARCH 2025
769
Vulnerability
27 Mar 2025 • Mozilla
Mozilla
Mozilla Firefox Security Vulnerability CVE-2025-2857
764
CRITICAL-5
MOZ627032725
Mozilla released Firefox 136.0.4 to address a critical security vulnerability tracked as CVE-2025-2857, an error leading to sandbox escapes on Windows systems. This flaw, discovered by Mozilla developers, could potentially be similar to a Chrome zero-day exploited earlier. While the flaw was promptly patched in the stated Firefox versions, the lack of technical details provided by Mozilla implies the risk was significant. Previously, Firefox faced zero-days exploited in targeted cyber-espionage campaigns and by cybercrime groups, emphasizing the ongoing battle against sophisticated threats.
NOVEMBER 2024
770
Vulnerability
04 Nov 2024 • Mozilla
Mozilla
RomCom Group Zero-Day Exploits Against Mozilla Firefox and Tor Browser
768
CRITICAL-2
MOZ002120424
The Russian RomCom group targeted Mozilla's Firefox and Tor Browser with zero-day vulnerabilities, compromising user systems through a sophisticated chain of exploits that required no user interaction. Attackers hosted malicious websites that redirected victims and downloaded the RomCom backdoor, leading to up to 250 victims per country between October 10 and November 4, 2024. The zero-day vulnerabilities CVE-2024-9680 and CVE-2024-49039 exploited animation timelines and Task Scheduler privilege escalation flaws respectively. The attackers also employed advanced techniques such as Reflective DLL Injection and backdoors. Mozilla responded promptly with a fix within 25 hours, demonstrating their commitment to security.