AI Weakly #04 - Same tools, different hands

AI Weakly is the weekly newsletter for those who make decisions on AI and security without time to waste. Every Tuesday: the facts that matter without the noise.

Issue #4

Top Story —

This week, the line between offensive AI and the tools your employees use every day disappeared. Russian threat actor GreyVibe is using ChatGPT and Gemini to craft phishing lures. Attackers deployed LLM agents for post-exploitation after compromising a Marimo notebook environment. ChatGPT share links are being weaponized to distribute malware. And AI chatbots are redirecting users to cryptojacking sites. The defensive narrative — "AI will help us catch threats faster" — is still true. But the offensive side has no ethics board, no responsible disclosure policy, and no patch cycle. Every AI tool your organization uses is now also a potential attack surface. The question isn't whether AI will be used against you. It already is.

Weakly Digest —

01 —

TrapDoor hits npm, PyPI, and Crates.io simultaneously — 34+ malicious packages, 384+ versions

🔴 Supply chain / cross-ecosystem attack

TrapDoor is a coordinated supply chain campaign distributing credential-stealing malware across three major package ecosystems at once — npm, PyPI, and Crates.io. With 34+ malicious packages spanning 384+ versions, the attack targets the full breadth of modern software dependencies in a single operation.

Editor's note: Hitting three ecosystems simultaneously is the escalation. Until now most supply chain attacks were single-ecosystem plays. TrapDoor changes the calculus: if your stack touches npm for frontend, PyPI for ML/data, and Rust for performance-critical components — you're exposed on all three fronts at once. Audit your dependency inventory now, not after an alert fires. Software composition analysis (SCA) tooling needs to cover all three registries, not just the primary one your team uses.
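As an added example (not code from the newsletter or from any SCA vendor), here is a minimal cross-registry inventory in Python: it parses constructed package-lock.json, requirements.txt and Cargo.lock snippets into one list and checks it against a constructed per-ecosystem watchlist. The package names, versions and watchlist entries are made up for illustration and are not the real TrapDoor indicators.

```python
import json

# Constructed sample lockfiles; none of these are real TrapDoor packages.
PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "frontend", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"}, "node_modules/demo-helper": {"version": "2.1.4"}}})
REQUIREMENTS_TXT = "numpy==1.26.4\n# pinned for the ML pipeline\ndemo-helper==0.9.1\n"
CARGO_LOCK = ('version = 3\n\n[[package]]\nname = "serde"\nversion = "1.0.197"\n\n'
              '[[package]]\nname = "demo-helper"\nversion = "0.3.0"\n')
# Constructed watchlist: (name, version) pairs flagged per ecosystem.
WATCHLIST = {"npm": {("demo-helper", "2.1.4")}, "pypi": {("demo-helper", "0.9.1")},
             "crates": {("demo-helper", "0.3.0")}}

def parse_package_lock(text):
    """npm lockfile v2/v3: one entry per installed path under 'packages'; "" is the root project."""
    out = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if path:
            out.append(("npm", path.rsplit("node_modules/", 1)[-1], meta.get("version", "")))
    return out

def parse_requirements(text):
    """Pinned requirements.txt lines (name==version); comments ignored, names normalized."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            out.append(("pypi", name.strip().lower().replace("_", "-"), version.strip()))
    return out

def parse_cargo_lock(text):
    """Cargo.lock: one [[package]] table per crate; top-level keys before it are skipped."""
    pkgs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            cur = {}
            pkgs.append(cur)
        elif cur is not None and " = " in line:
            key, value = line.split(" = ", 1)
            cur[key] = value.strip('"')
    return [("crates", p["name"], p["version"]) for p in pkgs]

def build_inventory():
    """Unified (ecosystem, name, version) list across all three registries."""
    return (parse_package_lock(PACKAGE_LOCK) + parse_requirements(REQUIREMENTS_TXT)
            + parse_cargo_lock(CARGO_LOCK))

def find_hits(inventory, watchlist=WATCHLIST):
    """Entries whose (name, version) is flagged for their own ecosystem."""
    return [e for e in inventory if (e[1], e[2]) in watchlist.get(e[0], set())]
```

The point of keying the watchlist by ecosystem is that the same package name can be benign in one registry and malicious in another, which a single-registry SCA check would miss.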

02 —

Palo Alto GlobalProtect VPN auth bypass CVE-2026-0257 under active exploitation

🔴 Critical / active exploitation

An authentication bypass vulnerability in Palo Alto PAN-OS and Prisma Access is being actively exploited in targeted attacks against corporate networks. The flaw enables attackers to circumvent VPN authentication controls and gain unauthorized access to enterprise infrastructure without valid credentials.

Editor's note: VPN is the front door. An auth bypass here means attackers walk in without knocking. If you're running GlobalProtect and haven't patched, that's the priority above everything else this week. If you can't patch immediately, restrict access to known IP ranges and enable enhanced logging on authentication events — you need to know if someone has already used this against you before the patch lands.


03 —

Microsoft Copilot Cowork exfiltrates files via prompt injection — pre-authenticated OneDrive links

🟣 Agentic AI / data exfiltration

A vulnerability in Microsoft Copilot Cowork allowed attackers to exploit prompt injection to send unapproved emails embedding pre-authenticated OneDrive links, effectively exfiltrating enterprise files through the AI agent itself. Authorization controls failed to prevent the agent from being weaponized against its own users.

Editor's note: This is the agentic AI risk that security teams have been warned about but haven't fully operationalized defenses for. The agent had legitimate access to OneDrive — that's the feature. The attack turned that legitimate access into an exfiltration channel. The lesson: agents need least-privilege controls not just on what data they can read, but on what actions they can take autonomously. If your Copilot deployment hasn't been reviewed for prompt injection attack surface, that review is overdue.

04 —

ChatGPhish + ChatGPT share link abuse — two attack vectors on the same platform in one week

🟣 AI platform abuse / phishing

Two separate vulnerabilities targeting ChatGPT emerged this week. ChatGPhish exploits the platform's web summary feature to inject malicious Markdown links via prompt injection, bypassing email security controls entirely. Separately, threat actors are abusing ChatGPT share links to host convincing fake outage pages that deliver malware masquerading as the ChatGPT desktop app.

Editor's note: Two vectors, one platform, one week. The shared thread: employees trust ChatGPT more than they trust a cold email or a search result — and attackers know it. That implicit trust is the attack surface. User awareness training needs to explicitly cover AI platform abuse, not just email phishing. And security teams should be monitoring for ChatGPT-related downloads on managed endpoints — that's a new indicator worth adding to your detection stack.

05 —

2,000 exposed vibe-coded apps reveal the new shadow IT: AI-generated apps in production

🟢 Research / governance gap

A new report analyzed 2,000 exposed AI-built applications and found a critical governance gap: employees are deploying AI-generated apps directly to production without security review, creating a new category of shadow IT that bypasses traditional controls entirely. The attack surface isn't just prompt misuse anymore — it's fully autonomous AI-generated software running in enterprise environments.

Editor's note: Shadow IT used to mean a rogue SaaS subscription. Now it means a full application, generated in minutes, deployed to production, with no security review, no SBOM, no vulnerability scanning. The speed advantage of vibe-coding is real — but so is the risk. Enterprises need a policy answer to this now, before the first breach from an AI-generated app hits the news. The policy doesn't have to be "no" — it has to be "not without a review gate."

Want to get your AI & security solution in front of the right decision-makers?

Reach out at [email protected] — limited slots, qualified audience.