unit42.paloaltonetworks.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-24.
| Date Added | Resource | Tags | Excerpt |
|---|---|---|---|
| 2026-06-24 | OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat | AI, Supply Chain | Analysis of persistent malicious skills on ClawHub reveals three distinct AI supply chain threat categories: infostealers like macOS cluw, evasion techniques involving inflated file sizes, and novel agentic threats including runtime affiliate injection and front-running for financial gain. This research identified five unblocked skills, which were subsequently reported and removed, highlighting the evolving risks in AI agent ecosystems beyond traditional software supply chain vulnerabilities. |
| 2026-06-23 | The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration | SSRF | Library detailing a universal bucket hijacking technique that impacts multiple cloud service providers (CSPs) such as Google Cloud, AWS, and Azure. This method exploits the global namespace risk of cloud storage bucket names, allowing attackers to delete an organization's bucket and recreate it under their own account, thereby rerouting critical logs and sensitive data for exfiltration. The library covers the attack flow, including simulations with Google Cloud Logging, Pub/Sub, and Storage Transfer Service, and the permissions required for exploitation. |
| 2026-06-20 | Threat Brief: Mitigating Large-Scale Credential Attacks | Secrets | Threat brief on "FortiBleed," a large-scale credential attack campaign targeting Fortinet, MSSQL, and Sophos devices, involving password spraying, configuration extraction, and offline cracking. The brief details threat actor techniques, recommends auditing remote access logs, and provides hardening guidelines such as requiring MFA, adopting Zero Trust Architecture, changing default credentials, disabling unused accounts, and updating software. Palo Alto Networks customers can leverage product protections and consulting services to defend against these attacks. |
| 2026-06-17 | Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE | AI, RCE, Supply Chain | Writeup detailing a "Pickle in the Middle" attack against Vertex AI model uploads in google-cloud-aiplatform SDK versions 1.139.0 and 1.140.0. The vulnerability arises from predictable default bucket names and a missing ownership check, allowing attackers to preemptively squat a staging bucket in their own project and then replace a victim's model with a malicious one that exploits pickle deserialization for cross-tenant RCE. |
| 2026-06-16 | Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE | RCE | Toolchain vulnerability in the Google Cloud Vertex AI SDK for Python allows attackers to hijack model uploads for cross-tenant RCE. Exploiting predictable default bucket names and a missing ownership check, attackers can preemptively squat a bucket, cause legitimate model artifacts to be uploaded to their project, and then replace the model with a malicious version that leverages pickle deserialization to execute arbitrary code within the victim's Vertex AI serving infrastructure. This affects google-cloud-aiplatform SDK versions 1.139.0 and 1.140.0, with fixes available in v1.148.0. |
| 2026-06-13 | Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered | OSINT | Reference detailing the App.MenuItem artifact in macOS Tahoe 26, a new Biome stream logging specific user menu selections. This stream, located at ~/Library/Biome/streams/restricted/App.MenuItem/local and formatted in SEGB, provides granular user intent by recording actions such as file compression and trash emptying. Examiners can use open-source tools such as ccl-segb to parse this data, which offers crucial context for reconstructing user workflows and, when correlated with file system logs, for investigating activities such as data exfiltration. |
| 2026-06-12 | Trust No Skill: Integrity Verification for AI Agent Supply Chains | AI, Supply Chain | Library for auditing AI agent skills using Behavioral Integrity Verification (BIV). BIV compares a skill's declared capabilities against its actual execution across metadata, code, and natural-language instructions. It identifies deviations, classifying them as developer oversight or adversarial intent, and detects multi-stage attack chains such as credential exfiltration and remote code execution (RCE). |
| 2026-06-10 | Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility | AuthZ | Analysis of techniques for abusing cloud logging services, specifically AWS CloudTrail and Google Cloud Logging, to achieve defense evasion and maintain attacker visibility. The article details methods such as stopping logging, deleting log storage destinations like S3 buckets or Google Cloud log buckets, removing log routers (trails or sinks), impairing logging via attacker-controlled encryption keys, and log poisoning. Understanding these attack vectors helps organizations implement stronger security configurations to detect and prevent misuse of these critical visibility tools. |
| 2026-06-08 | Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor | Mobile | Library for analyzing FlutterShell, a macOS backdoor deployed via Operation FlutterBridge malvertising. This payload, built with the Flutter framework, delivers adware with backdoor capabilities including shell command execution and file system manipulation. Some variants weaponize AI summarization features for data exfiltration. Operation FlutterBridge targets global audiences through Google Ads, employing shell companies to bypass vetting. The analysis details FlutterShell's WebView-based architecture, its JavaScript-to-native bridge, and the challenges of dissecting Dart binaries. |
| 2026-06-08 | The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) | Supply Chain | Library for monitoring npm supply chain attacks, detailing incidents such as the Shai-Hulud worm, Mini Shai-Hulud campaigns, and the @redhat-cloud-services namespace compromise. It analyzes evolving adversary TTPs including wormable propagation, infrastructure-level persistence, and multi-stage payloads, offering remediation playbooks for credential rotation and dependency purging. The library highlights attacks against various ecosystems, including enterprise infrastructure, AI tooling, and specialized packages, emphasizing the weaponization of trust in modern software development. |
| 2026-06-08 | Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 | RCE | Analysis of PAN-OS CVE-2026-0257 details active exploitation by an unknown threat actor bypassing authentication in GlobalProtect portal and gateway components. This vulnerability, added to CISA's KEV catalog, allows unauthorized VPN connections. The brief includes indicators of compromise such as specific IP addresses and suspicious host IDs for detection in GlobalProtect logs, and advises reviewing the Palo Alto Networks security advisory for mitigations. |
| 2026-05-07 | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution | RCE | Writeup detailing CVE-2026-0300, a buffer overflow vulnerability in the Captive Portal service of Palo Alto Networks PAN-OS, enabling unauthenticated remote code execution. Exploitation by state-sponsored actors involved injecting shellcode, deploying tools such as EarthWorm and ReverseSocks5 for tunneling, and enumerating Active Directory using compromised credentials. The analysis highlights the attackers' operational restraint and reliance on open-source tools for stealthy compromise of edge network devices. |
| 2026-04-24 | The npm Threat Landscape: Attack Surface and Mitigations | Supply Chain | Library detailing the evolving npm threat landscape, focusing on the Shai-Hulud worm and subsequent systematic supply chain compromises. It analyzes significant incidents such as the Axios and Bitwarden CLI compromises, highlighting adversarial tactics such as wormable propagation via token theft, CI/CD pipeline persistence, and multi-stage payloads. The library also covers remediation playbooks for credential rotation and dependency purging, and details the obfuscation and execution mechanisms used by malware targeting npm users and distribution channels such as Docker Hub and GitHub Actions. |
| 2026-04-19 | LANDFALL: New Commercial-Grade Android Spyware (CVE-2025-21042) | Mobile | Analysis of LANDFALL, a commercial-grade Android spyware targeting Samsung Galaxy devices, details its exploitation of CVE-2025-21042, a zero-day vulnerability in Samsung’s image processing library. Delivered via malicious DNG image files, potentially through WhatsApp, LANDFALL facilitates comprehensive surveillance. This operation, active since mid-2024 and patched in April 2025, predates public disclosures of similar exploit chains involving CVE-2025-21043 and iOS vulnerabilities, suggesting links to private-sector offensive actors in the Middle East. |
| 2026-04-19 | Microsoft WSUS RCE (CVE-2025-59287) Actively Exploited | RCE | Analysis of CVE-2025-59287, a critical unauthenticated RCE in Microsoft WSUS, details its exploitation via unsafe deserialization through the GetCookie() or ReportingWebService endpoints. Observed attack chains involve PowerShell execution, network reconnaissance, and exfiltration to attacker-controlled webhooks. Affected systems include various Windows Server versions with the WSUS role enabled. Temporary mitigations include disabling the WSUS role or blocking ports 8530 and 8531. |
| 2026-04-11 | GitHub Actions Supply Chain Attack: Coinbase to tj-actions | Supply Chain | Writeup of a GitHub Actions supply chain attack, detailing how attackers compromised tj-actions/changed-files and reviewdog/action-setup. This multi-layered attack initially targeted Coinbase's open-source project agentkit before escalating to impact thousands of repositories by injecting malicious payloads that leaked CI/CD runner secrets and credentials. The analysis highlights abuse of third-party actions and dependencies, emphasizing the need for detection and prevention steps for consumers and maintainers. |
| 2026-04-11 | Shai-Hulud Worm Compromises npm Ecosystem | Supply Chain | Analysis of the Shai-Hulud 2.0 npm worm details its aggressive propagation through pre-install execution, bypassing static analysis. This campaign targets GitHub repositories, stealing credentials for AWS, GCP, and Azure, exfiltrating them to public GitHub repositories, and even attempting to destroy home directories as a fallback. The worm also automates its spread by injecting malicious code into other packages maintained by compromised developers, potentially crippling CI/CD pipelines and leading to significant cloud service compromises. LLMs may have assisted in generating its obfuscated payload. |
| 2026-04-11 | Leaked Env Variables Allow Large-Scale Cloud Extortion | Secrets | Writeup of a cloud extortion campaign that successfully compromised and ransomed data by leveraging exposed environment variable files (.env). The campaign exploited credentials found in .env files, coupled with long-lived credentials and a lack of least-privilege architecture, to gain initial access to victim AWS environments. Attackers used Tor, VPNs, and VPS endpoints for reconnaissance, lateral movement, and data exfiltration, targeting services such as IAM, STS, S3, and SES. |
| 2026-04-11 | CloudKeys in the Air: Exposed IAM Keys Cryptojacking | Secrets | Analysis of the EleKtra-Leak campaign details automated targeting of exposed AWS IAM keys on GitHub for cryptojacking. Threat actors quickly leverage compromised credentials to launch Amazon EC2 instances for Monero mining. Researchers used a Prisma Cloud HoneyCloud project to monitor this activity, observing hundreds of EC2 instances linked to the operation. The campaign employed automated tools to scan repositories and block identified AWS accounts, with researchers countering by creating randomized, non-attributable AWS accounts with overly permissive IAM credentials to track actor movements. |
| 2026-04-11 | Exposing a New BOLA Vulnerability in Grafana | API Sec | Writeup on CVE-2024-1313, a Broken Object Level Authorization (BOLA) vulnerability in Grafana that allows low-privileged users to delete dashboard snapshots from other organizations using snapshot keys. Versions 9.5.0 before 9.5.18, 10.0.0 before 10.0.13, 10.1.0 before 10.1.9, 10.2.0 before 10.2.6, and 10.3.0 before 10.3.5 are affected. The vulnerability, with a CVSS score of 6.5, arises from the dashboard snapshot APIs and could lead to data loss or integrity issues. Additionally, an endpoint allows any user to create snapshots with weak self-assigned keys, potentially enabling denial-of-service or brute-force attacks. |
| 2026-04-11 | Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild | AI | Writeup detailing observed in-the-wild indirect prompt injection (IDPI) attacks targeting AI agents. The analysis highlights real-world cases including AI-based ad review evasion, SEO manipulation for phishing, data destruction, and sensitive information leakage. It discusses 22 distinct payload engineering techniques and classifies attacker intents, emphasizing the growing weaponization of IDPI beyond theoretical risks. |
| 2026-04-11 | New Prompt Injection Attack Vectors Through MCP Sampling | AI | Writeup of new prompt injection attack vectors targeting the Model Context Protocol (MCP) sampling feature. Exploiting the implicit trust model and lack of built-in security controls, attackers can achieve resource theft, conversation hijacking, and covert tool invocation. The analysis details three proof-of-concept examples and evaluates mitigation strategies for MCP-based systems, highlighting vulnerabilities in this LLM integration standard. |
| 2026-04-10 | SSRF Exposes Data of Technology, Industrial and Media Organizations | SSRF | Analysis of CVE-2019-8451, a Server-Side Request Forgery vulnerability affecting Jira, reveals its potential to expose cloud infrastructure metadata. This vulnerability, exploitable without authentication, allows attackers to bypass firewalls and access sensitive information such as credentials, configurations, and source code by redirecting requests to internal metadata APIs. Research indicates thousands of internet-exposed Jira instances remain vulnerable, with a significant portion, belonging to technology, industrial, and media organizations, leaking this critical data. |
| 2026-04-10 | RCE With Modern AI/ML Formats and Python Libraries | Python | Library vulnerabilities in NVIDIA's NeMo, Salesforce's Uni2TS, and Apple/ETH Zurich's FlexTok allow remote code execution (RCE) when malicious metadata is loaded. These PyTorch-based AI/ML libraries, widely used on HuggingFace, rely on Hydra's `instantiate()` function to load configurations, inadvertently executing arbitrary code embedded in metadata. CVE-2025-23304 (NeMo) and CVE-2026-22584 (Uni2TS) have been assigned, with fixes released by the respective vendors. |
| 2026-04-06 | Exposing Security Blind Spots in GCP Vertex AI | AuthZ | Writeup on double agents in GCP Vertex AI, detailing how a misconfigured Per-Project, Per-Product Service Agent (P4SA) with excessive default permissions can be exploited. This research demonstrates obtaining privileged access to consumer project data and restricted Google-owned Artifact Registry repositories, including proprietary container images for the Vertex AI Reasoning Engine, by compromising a single service agent and exfiltrating its credentials. |
| 2026-04-02 | Auditing the Gatekeepers: Fuzzing "AI Judges" to Bypass Security Controls | AI | Tool for fuzzing AI judges, called AdvJudge-Zero, that exploits prompt injection vulnerabilities in LLM-based security gatekeepers. The fuzzer identifies stealthy control tokens, such as formatting symbols and structural phrases, that manipulate the AI's decision-making logic to bypass safety policies and allow prohibited content, or corrupt training data by awarding high scores to incorrect responses. The research demonstrates a 99% success rate in bypassing controls across various LLM architectures, highlighting the need for adversarial training to harden these systems. |