AI in Cybersecurity: New Attack Vectors and Advanced Threat Discoveries
Introduction
Artificial intelligence and cybersecurity create a complex environment. AI acts as both a powerful defense and a new way for sophisticated attacks. Recent developments show this dual nature: AI agents are targeted through new injection techniques, and AI helps uncover long-standing vulnerabilities. Understanding these dynamics is critical for handling the current threat environment.
This article summarizes key cybersecurity events where AI has played a central role, either as a target or a defense tool. It analyzes incidents from advanced prompt injection attacks on developer tools to AI-driven zero-day discoveries and evolving infostealer tactics. These analyses provide insight into changing security approaches and operational considerations for businesses using AI.
How are AI Agents Being Exploited? The Rise of Comment and Control Prompt Injection
A new cross-vendor attack, called "Comment and Control," escalates prompt injection attacks against AI-powered development agents in GitHub workflows. This technique uses GitHub's native automation triggers, such as pull requests, issue creation, issue comments, and PR titles, to inject malicious instructions directly into AI agents. This method allows attackers to initiate AI execution by submitting crafted PR titles or issue content, requiring no direct user interaction. The attack parallels Command and Control (C2) in malware operations but operates entirely within the GitHub ecosystem, which complicates detection.
Research indicates that Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and GitHub Copilot Agent are all vulnerable to variations of this attack. For Claude Code, unsanitized PR titles are injected directly into the AI prompt. This allows context breaks and execution of system-level commands, exposing environment variables, including API keys and tokens. Similarly, Gemini CLI Action integrates issue content into its prompt context, allowing manipulation of "trusted sections" to leak sensitive credentials like the GEMINI_API_KEY via public issue comments.
The exploitation chain against the GitHub Copilot Agent was the most advanced, bypassing several built-in defenses. These included environment variable filtering, secret scanning, network restrictions, and protection for child processes. Attackers extracted sensitive credentials by reading the parent process memory space via system commands, bypassing logic that specifically protected child processes. To further evade detection, stolen data was encoded and exfiltrated through legitimate Git operations, making the activity appear normal within CI/CD workflows. Additionally, hidden HTML comments within issue bodies were used to conceal malicious payloads from human reviewers while remaining readable to the AI agent. This scenario shows the inherent security risks for autonomous AI agents, especially concerning prompt injection vulnerabilities, as detailed in our analysis of autonomous AI agents security risks. The specific exploit exposing AI risk in Microsoft Copilot further shows these challenges, as discussed in Microsoft Copilot zero-click.
This collective vulnerability across multiple platforms points to a systemic architectural flaw. AI agents receive direct access to untrusted external inputs. They operate in environments with high-value secrets and powerful execution tools. This combination allows routine GitHub interactions to become automated credential theft and command execution pipelines. This pattern also appears in other AI systems integrated into enterprise workflows, such as Slack bots, Jira automation, email assistants, and deployment pipelines, where untrusted content and sensitive execution privileges coexist.
Remediation efforts for this attack class involve several key measures:
- Strict separation of untrusted external input (GitHub issues, PRs, comments) from AI agent prompt contexts. Raw user-controlled content should not be directly injected into system or instruction prompts.
- Prompt sanitization and normalization layers must be enforced to strip or neutralize injection patterns (e.g., instruction-like phrases, role-switching attempts, system prompt delimiters) before data reaches the AI model.
- Least-privilege access control (Zero Trust model) should be applied to all AI agents, preventing them from running with unrestricted access to environment variables, CI/CD secrets, or production tokens.
- Direct access to sensitive credentials from AI runtime environments should be removed. Instead, short-lived, scoped, and audit-logged tokens with minimal permissions should be used.
- Tool-use allowlisting must be implemented, ensuring AI agents can only execute explicitly approved commands and cannot spawn arbitrary shell processes or access system-level utilities like
/proc,env, or debugging tools. - AI agents should be isolated in sandboxed execution environments (container or VM isolation) with no access to host-level environment variables or secret stores.
- Output filtering and secret detection layers need to be added to prevent accidental leakage of API keys, tokens, or sensitive data in logs, PR comments, commits, or issue responses.
- CI/CD triggers must be hardened by requiring human review or approval gates before AI-generated actions (e.g., code changes, commits, workflow execution) are applied.
- Content trust boundaries should be used, clearly labeling and treating all GitHub PR/issue data as untrusted input, regardless of repository source or contributor status.
- All AI agent actions require monitoring and logging with behavioral anomaly detection. This flags unusual patterns such as credential access attempts, unexpected command execution, or large data exfiltration.
- AI agents should be disabled or restricted from processing hidden or non-rendered content (e.g., HTML comments) unless explicitly required and validated.
- Regular red-team testing and prompt injection audits against AI-integrated workflows are essential for identifying new injection vectors.
What Privilege Escalation Risks Exist in AI Identity Management? The Microsoft Entra Agent ID Flaw
Cybersecurity researchers at Silverfort, an identity protection firm, identified a vulnerability in Microsoft Entra Agent ID, an identity and authorization framework for AI agents. This flaw allowed privilege escalation and tenant takeover through abuse of Service Principals. Microsoft Entra Agent ID assigns identities to AI agents, enabling them to log into systems and access resources similar to human users. To manage this system, Microsoft established a specific directory role: the Agent ID Administrator.
Silverfort researchers Noa Ariel and Yoav S determined that this directory role had a critical scope gap. While intended to manage agent-related objects like Blueprints and Agent Identities, the role could modify nearly any Application Service Principal within a tenant. A Service Principal functions as a digital identity for software. Taking one over is like identity theft for an application. If an attacker gains ownership of a Service Principal, they can create their own secret key to authenticate. These digital accounts often hold high-level permissions for data movement or configuration changes, so their compromise enables an attacker to control the system while remaining covert.
The attack chain involved a user with the Agent ID Administrator role performing enumeration using the Microsoft Graph API or Azure CLI. This action aimed to locate accounts with elevated permissions, specifically targeting Service Principals with high-impact Graph permissions such as RoleManagement.ReadWrite.Directory. The attacker then exploited the role's capabilities to add themselves as an owner of a non-agent Service Principal. This was possible because the role permissions for updating owners were not strictly confined to agent-backed objects. Following ownership acquisition, attackers performed "credential injection" by adding a new password or certificate to the compromised account, then authenticating as that Service Principal.
Researchers documented that "ownership is a takeover primitive," meaning becoming an owner allows for complete identity theft of the account. This technique constitutes a form of privilege escalation, granting an attacker total control over the tenant. To validate this risk, researchers demonstrated an Agent ID Administrator successfully hijacking a Global Administrator account. By authenticating with these stolen credentials, full control over the entire network was achieved. Such incidents emphasize the need for strong breach detection and continuous supply-chain risk monitoring as new platforms and roles are introduced into enterprise environments.
This flaw had widespread implications. Approximately 99% of business networks possess at least one privileged Service Principal. Although the Agent ID Administrator role is relatively new, over half of the organizations surveyed were already using agent identities. Some operated more than 100 active agents, creating a scenario where the security rules for the role did not match its actual power. Silverfort identified the flaw on February 24, 2026, and reported it to the Microsoft Security Response Center (MSRC) on March 1. Microsoft confirmed the vulnerability on March 26, and a full fix was rolled out across all cloud environments by April 9. This patch prevented the Agent ID Administrator role from managing owners of regular, non-agent Service Principals. Organizations are urged to review AuditLogs for any changes to account ownership or the creation of new secrets on sensitive accounts.
How is AI Transforming Vulnerability Discovery? Claude Mythos AI Finds 271 Zero-Day Vulnerabilities in Firefox
The collaboration between Anthropic and Mozilla is a significant advancement in cybersecurity, with their latest AI model, Claude Mythos Preview, uncovering 271 zero-day vulnerabilities in Mozilla Firefox. All these vulnerabilities received patches in the Firefox 150 release, making it the largest single collection of security fixes in the browser's history. This achievement shows a shift toward AI-driven vulnerability discovery at a scale and speed previously unattainable through traditional human-led security testing. This capability provides a new dimension for cyber threat intelligence platforms.
This breakthrough builds upon earlier initiatives using Claude Opus 4.6, which identified 22 vulnerabilities (14 of which were high severity) within two weeks. These fixes were delivered in Firefox 148. Encouraged by these results, Mozilla expanded its use of advanced AI models for deeper scans of Firefox's codebase. The outcome was a high discovery rate, exceeding historical trends. For context, Mozilla addressed approximately 73 high-severity vulnerabilities across all of 2025; this single AI-driven effort showed roughly four times greater impact.
The power of Claude Mythos comes from its ability to autonomously identify and exploit vulnerabilities across multiple platforms without human intervention after initial setup. Benchmark results show this leap, with scores of 93.9% on SWE-bench and 97.6% on USAMO. Within Firefox's JavaScript shell, the model successfully exploited 72.4% of discovered flaws and achieved register control in an additional 11.6% of cases. This demonstrates not only detection capability but also advanced exploitation potential, mirroring real-world attacker behaviors.
Beyond Firefox, the model has also revealed long-hidden vulnerabilities in critical systems, including decades-old flaws in OpenBSD, FFmpeg, FreeBSD, and other key software. These discoveries show AI's capacity to uncover deeply embedded risks that have evaded detection for years. This collaboration indicates a shift in cybersecurity dynamics. It could narrow the gap between attackers and defenders, making the objective of eliminating exploitable vulnerabilities more achievable. Proactive measures for organizations include:
- Immediate update to Mozilla Firefox version 150 or later to ensure all 271 zero-day vulnerabilities are patched.
- Enable automatic browser updates for timely application of future security fixes.
- Implement a strong patch management process across all systems and software.
- Utilize endpoint protection and EDR solutions for real-time detection and blocking of exploitation attempts.
- Restrict unnecessary browser extensions and only install trusted, verified add-ons.
- Implement least privilege access controls to minimize the impact of successful exploitation.
- Isolate sensitive environments (e.g., admin systems) from regular browsing activities.
- Continuously monitor logs and network traffic for suspicious behavior linked to browser exploits.
- Conduct regular vulnerability scanning and penetration testing to identify weaknesses early.
- Adopt AI-powered security tools to proactively detect vulnerabilities, similar to those found by Claude Mythos Preview.
- Educate users on safe browsing practices to minimize exposure to malicious websites and payloads.
What are the Latest Tactics of Infostealers? Vidar Infostealer Evolves with Hidden Payloads
New research from the Lat61 Threat Intelligence Team at Point Wild shows attackers are now concealing malicious code within common files like JPEG images and text documents to deploy a new version of the Vidar infostealer. This version of Vidar has changed significantly, moving from a simple password-stealing tool to an adaptable attack framework that uses a multi-stage infection chain. This represents a new challenge for breach detection and requires more advanced capabilities like dark web monitoring service and underground forum intelligence.
Threat actors increasingly shift from technical exploits to social engineering. A prominent method involves exploiting a recent source code leak known as Claude Code. Attackers establish fake repositories on GitHub to entice developers into downloading malicious files, posing as free or unlocked versions of the tool. They also use platforms like Reddit and Discord to offer fabricated video game cheats. Furthermore, compromised WordPress websites display fake CAPTCHA prompts, known as ClickFix pages, which instruct users to execute specific commands for human verification. This action, however, initiates a multi-stage infection chain. The Lat61 research details this chain, which begins with VBScript and PowerShell scripts leading to the deployment of a Go-compiled loader.
"Building on these insights, our analysis shifts focus beyond initial compromise and into the post-exploitation phase, where the true impact of the infection unfolds. This analysis by Point Wild highlights a sophisticated, multi-stage malware campaign that uses layered obfuscation, staged payload delivery, and trusted Windows components to achieve stealthy execution and persistence," researchers stated in their blog post. The real-time ransomware intelligence from platforms like PurpleOps offers insights into such evolving malware deployment tactics.
The 2026 version of Vidar infostealer exhibits heightened stealth. Upon device infection, the malware uses an IP-based delivery infrastructure to download files like '160066.jpg' and various TXT files from the address 62.60.226.200. These seemingly normal image and text files are actually payload containers embedding Base64 data. The malware also employs Living-off-the-Land (LotL) techniques, abusing trusted Windows binaries such as WScript, PowerShell, RegAsm.exe, and other trusted Windows binaries to integrate into normal system processes. Through steganography, it scans these files for secret markers to extract Base64-encoded data. Instead of downloading a separate virus file, it reconstructs the final Vidar payload from this hidden data. Using .NET reflective loading, the code executes directly in the computer's memory. This fileless method poses a significant threat because the malicious code is never stored on the hard drive, allowing it to bypass detection by many security scanners. Monitoring telegram threat monitoring channels can also provide early warnings of such distributed malware campaigns.
The primary objective of this Vidar variant is data exfiltration. It is capable of stealing data from over 200 browser extensions across Google Chrome and Microsoft Edge, specifically targeting crypto wallets, login credentials, session data, and cookies. The stolen data is transmitted back to the attackers' server via Telegram and Cloudflare-fronted domains, which aids in concealing their tracks. The development of a live ransomware API could improve defensive capabilities by providing immediate insights into such data exfiltration patterns.
Dr. Zulfikar Ramzan, head of the Lat61 Threat Intelligence Team, noted that using image files as "covert carriers" is a clever tactic to make the attack resemble normal web traffic. He explained, "Threat actors weaponized the recent Claude Code leak by seeding fake GitHub repositories with trojanized tools that delivered Vidar infostealer. The payload delivery evolved through steganographic techniques such as using JPEG and TXT files as covert carriers and executing everything in memory to thwart forensics." Developers are advised to avoid executing commands without understanding their impact and to refrain from downloading files from unofficial GitHub pages or suspicious pop-up prompts.
How are AI and Social Engineering Converging in Financial Scams? The Fake CAPTCHA IRSF and Keitaro Campaigns
A recent telecommunications fraud campaign uses fake CAPTCHA verification tricks to deceive users into sending international text messages, resulting in charges on their mobile bills. This International Revenue Share Fraud (IRSF) scheme generates illicit revenue for threat actors who lease the phone numbers. The operation has been active since at least June 2020, employing social engineering and back button hijacking in web browsers. As many as 35 phone numbers across 17 countries have been observed as part of this IRSF campaign. This activity requires continuous brand leak alerting to protect corporate identities from being used in such schemes.
The fake CAPTCHA process involves multiple steps, with each message preconfigured to send SMS to over a dozen phone numbers. Victims are not charged for a single message but for sending SMS to more than 50 international destinations. This scam also benefits from delayed billing, as international SMS charges often appear weeks later, by which time the victim may have forgotten the fake CAPTCHA interaction. This threat's convergence of revenue share fraud and malicious traffic distribution systems (TDSs) is notable. This infrastructure, traditionally used to route traffic to malware or phishing pages through redirection chains to evade breach detection, is now being repurposed for large-scale SMS scams.
IRSF schemes involve fraudsters illegally acquiring international premium rate numbers (IPRN) or number ranges. They then artificially inflate the volume of international calls or messages to these numbers to receive a share of the revenue generated from termination charges paid by the originating carrier. Infoblox found that the campaign specifically registers phone numbers in countries with high termination fees or lax regulations, such as Azerbaijan, Kazakhstan, or certain premium-rate number ranges in Europe. They collude with local telecom providers to execute the scam.
The campaign unfolds when a user is redirected to a bogus webpage via a commercial TDS, which then serves a CAPTCHA instructing them to send an SMS to "confirm you are human." This triggers a multi-stage "verification" chain. Each step initiates a separate SMS message to server-designated numbers by programmatically launching SMS apps on both Android and iOS devices with pre-filled phone numbers and message content. This process can result in sending as many as 60 SMS messages to 15 unique numbers after four CAPTCHA steps, potentially costing a user $30. While seemingly small per user, this amount can quickly accumulate for threat actors when executed at scale. The list of phone numbers spans 17 countries, including Azerbaijan, the Netherlands, Belgium, Poland, Spain, and Turkey.
The campaign relies on cookies to track progression through the fake verification flow, using values stored in specific cookies (e.g., "successRate") to determine the next action. If a user is deemed unsuitable for the campaign, the page redirects them to a different CAPTCHA page, likely part of another campaign or controlled by a different actor. Another strategy involves back button hijacking, using JavaScript to alter browsing history. This traps users in a navigation loop. If they try to navigate away, the page redirects them back to the fake CAPTCHA page, unless they fully exit the browser.
This operation simultaneously defrauds individuals and telecommunication carriers. Individual victims face unexpected premium SMS charges and may struggle to identify and report the fraud due to its unexpected origin. Telecom carriers pay revenue share to the perpetrators and likely absorb losses from customer disputes or chargebacks. Effective cyber threat intelligence platforms are crucial for tracking these complex, multi-faceted fraud schemes.
The disclosure follows a three-part analysis by Infoblox and Confiant detailing the abuse of Keitaro TDS (also known as Keitaro Tracker). This platform is exploited, sometimes with stolen or cracked licenses (as seen with TA2726), by various threat actors for malicious activities. These include malware delivery, cryptocurrency theft, investment scams, and phishing. The scams claim to use artificial intelligence (AI) to automate trading and promise high returns. The scams often use Facebook Ads to lure victims to fraudulent AI-powered platforms. In some cases, they resort to fabricating celebrity endorsements through fake news articles and deepfake videos to promote the investment scheme. The use of synthetic videos has been attributed to a threat actor named FaiKast.
Keitaro functions as a self-hosted advertising performance tracker designed to conditionally route visitors. Threat actors adapt this mechanism, transforming a Keitaro server into an all-in-one tool acting as a traffic distribution system, tracker, cloaking layer, and analytics platform. Over 120 distinct campaigns have exploited Keitaro's TDS for link delivery between October 2025 and January 2026. Infoblox recorded approximately 226,000 DNS queries spanning 13,500 domains associated with Keitaro-related activity during this period. Following responsible disclosure, Keitaro has canceled over a dozen accounts linked to these activities.
By combining traditional investment fraud with modern AI technologies, threat actors have launched large-scale cyber campaigns. Approximately 96% of Keitaro-linked spam traffic promoted cryptocurrency wallet-drainer schemes, via fake airdrop/giveaway lures centered on AURA, SOL (Solana token), Phantom (wallet), and Jupiter (DEX/aggregator).
Technical Takeaways
- Prompt injection attacks on AI agents in GitHub workflows (Comment and Control) use native automation triggers to exfiltrate credentials and execute commands, bypassing standard defenses.
- The Microsoft Entra Agent ID flaw allowed the Agent ID Administrator role to modify non-agent Service Principals, enabling privilege escalation and tenant takeover through credential injection.
- AI models like Claude Mythos Preview can autonomously discover hundreds of zero-day vulnerabilities at an unprecedented scale, changing vulnerability management.
- Vidar infostealer has evolved to use steganography (hiding payloads in JPEGs and TXT files) and fileless execution via .NET reflective loading, enhancing stealth and breach detection avoidance.
- IRSF campaigns use fake CAPTCHA prompts and malicious Traffic Distribution Systems (Keitaro TDS) to defraud users through international SMS charges and promote AI-driven cryptocurrency scams.