🛡️ CISO Intel — Thursday, 28-05-2026
Due to API rate limiting, here is today’s briefing:
Alright, listen up. It’s Thursday, and the wire’s buzzing. Perfect time for the bad guys to get creative while everyone’s mentally checking out for the weekend. We’ve got some nasty stuff hitting, especially in the AI space.
🔴 Critical Threats & Active Exploitation
Google Chrome — CVE-2026-2441 (CVSS 9.5) — This is a use-after-free vulnerability in Chrome’s CSS engine. Attackers are actively exploiting it in the wild via crafted web pages to get remote code execution. You visit a malicious site, and boom, they own your endpoint. Patch immediately.
Digital Knowledge KnowledgeDeliver — Zero-day — Mandiant caught a campaign exploiting a zero-day in this e-learning platform, popular in Japan. Attackers used deserialization via hardcoded web.config values, dropping Cobalt Strike backdoors. If you’re running this, anything prior to Feb 24, 2026, is exposed. Assume compromise if you haven’t patched.
Google Cloud Apigee — CVE-2026-2264 (CVSS 9.2) — A critical SSRF vulnerability in the Apigee SetIntegrationRequest policy. If an admin set up an insecure API proxy, attackers can exfiltrate service account access tokens. That’s cloud keys, folks. Check your configurations NOW.
🛡️ CVEs Worth Your Attention
CVE-2026-40933 | Flowise | CVSS N/A (High Impact) | One-click RCE in this open-source LLM workflow platform via Custom MCP tool support. Importing a crafted chatflow executes arbitrary server-side code without sandboxing. This is a bad day for anyone running it. PoC: Yes (Advisory implies public disclosure and fixes).
⚡ New TTPs & Attack Research
“SymJack” Attack via AI Coding Agents — Adversa AI dropped a report on “SymJack,” a novel supply chain attack. Attackers use malicious repos and disguised symlinks to trick AI coding agents into installing attacker-controlled servers. This allows stealing secrets, compromising CI/CD, and deploying malicious code. It’s not a bug in the agent itself; it’s exploiting their inherent trust. Think T1195.003 (Compromise of Third-Party Software Supply Chain) with an AI twist. PoC is on GitHub.
AI-Developed Zero-Day Exploits — Google’s Threat Intelligence Group confirmed the first case of a threat actor using an AI-developed zero-day. This wasn’t a classic bug; it was a logical contradiction in code that only AI could spot, bypassing 2FA in a popular web system. Nation-state groups (Russia, China, North Korea) are already weaponizing AI for vuln hunting and malware dev. This is a game changer. T1587.006 (Develop Capabilities: AI/ML Capabilities).
Return-to-Tool (RTT) Exploits — Trend Micro is detailing RTT, a nasty subclass of indirect prompt injection. Injected instructions cause AI agents to misuse their authorized tools, leading to data theft (customer records, internal docs) or unauthorized actions. Imagine a crafted support ticket making your AI agent encrypt your entire customer database. That’s T1552.001 (Unsecured Credentials) via AI.
Multi-Turn Prompt Injection — Cisco research reveals major AI models (OpenAI, Anthropic, Google, Amazon, xAI) are far more vulnerable to multi-turn malicious prompts than single-turn. Success rates hit up to 88%. This blows a hole in vendor safety claims and means our current AI security benchmarks are inadequate. Attackers are iterating, just like they always do. T1648 (Prompt Injection).
Phishing via Nested Google Domains — Threat actors are chaining legitimate Google services (Meet, Search Redirect, Ad Service) to hide phishing links. This “Nested Delivery Matrix” bypasses most Secure Email Gateways because every hop looks legitimate. It’s a clever way to weaponize trust. T1566.002 (Phishing: Spearphishing Link).
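The defensive counterpart to the nested-redirect trick above is to stop judging the surface URL and unwrap the chain to its final landing host. The following is an added example, not code from the report or from any gateway product: it peels known redirector hops out of query parameters and returns a verdict on the destination. The redirector table (`www.google.com` with `q`/`url`, `googleads.g.doubleclick.net` with `adurl`) and the sample URL are constructed for illustration; a real gateway would keep a curated list.

```python
"""Unwrap a chain of legitimate redirectors to find the real landing host."""
from urllib.parse import urlparse, parse_qs, unquote, quote

# Assumed table: redirector hostname -> query parameters that carry the next hop.
# Illustrative only; maintain this from your own telemetry, not from this snippet.
REDIRECT_PARAMS = {
    "www.google.com": ("q", "url"),
    "googleads.g.doubleclick.net": ("adurl",),
}
MAX_HOPS = 10  # hard stop so a malicious chain cannot make the scanner spin


def next_hop(url: str):
    """Return the URL embedded in a known redirector, or None if this URL is terminal."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    params = REDIRECT_PARAMS.get(host)
    if not params:
        return None
    qs = parse_qs(parsed.query)  # parse_qs already percent-decodes once
    for name in params:
        for value in qs.get(name, []):
            candidate = value
            if urlparse(candidate).scheme not in ("http", "https"):
                candidate = unquote(value)  # tolerate a double-encoded hop
            if urlparse(candidate).scheme in ("http", "https"):
                return candidate
    return None


def unwrap(url: str):
    """Follow embedded hops and return the full chain, first to last."""
    chain, seen = [url], {url}
    while len(chain) <= MAX_HOPS:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in seen:  # terminal URL or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def final_host(url: str) -> str:
    return (urlparse(unwrap(url)[-1]).hostname or "").lower()


def verdict(url: str, trusted_final_hosts) -> str:
    """'clean' if the landing host is allowlisted, 'suspicious' if trusted
    redirectors are wrapping an unknown host, 'unknown' for a bare unknown URL."""
    hops = unwrap(url)
    host = (urlparse(hops[-1]).hostname or "").lower()
    if host in trusted_final_hosts:
        return "clean"
    if len(hops) > 1:
        return "suspicious"
    return "unknown"


# Constructed sample: ad-service hop -> search-redirect hop -> attacker page.
LANDING = "https://login-example.invalid/verify"
HOP2 = "https://www.google.com/url?q=" + quote(LANDING, safe="")
SAMPLE_URL = "https://googleads.g.doubleclick.net/pcs/click?adurl=" + quote(HOP2, safe="")

if __name__ == "__main__":
    for hop in unwrap(SAMPLE_URL):
        print(" ->", hop)
    print("verdict:", verdict(SAMPLE_URL, {"example.com"}))
```

The useful signal for detection is the combination: more than one hop through reputable redirectors and a landing host nobody in your environment has a business relationship with. Logging the whole chain, not just the first hop, is what lets an analyst see it.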
🏗️ DevSecOps & Cloud Security
GlassWorm Botnet Takedown — Big win for the good guys. CrowdStrike, Google, and Shadowserver Foundation coordinated to take down the GlassWorm botnet. This persistent supply chain campaign targeted software developers since early 2025. It spread via malicious VS Code extensions, npm, and Python packages to steal credentials and crypto wallets. They used blockchain, P2P, and even Google Calendar event titles for resilient C2. This highlights the ongoing developer supply chain risk. T1195.002 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools).
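Both the SymJack item in the TTPs section and the GlassWorm story come back to the same developer-side risk: something in a checkout that looks ordinary but points somewhere it should not. One cheap pre-flight check an agent harness or CI runner can run before touching a cloned repo is to resolve every symlink and refuse any that escape the repository root. This is an added example, not code from Adversa AI's report or any agent product; the demo repository it builds is constructed, and the policy (fail closed on any escaping link) is an assumption about how a harness should behave.

```python
"""Flag symlinks in a checkout that resolve outside the repository root."""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(repo_root: str):
    """Return [(relative_link_path, resolved_target)] for every symlink whose
    fully resolved target lies outside repo_root. Does not follow links while walking."""
    root = Path(repo_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # dir symlinks show up in dirnames too
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole chain; missing targets are fine
            if target != root and root not in target.parents:
                findings.append((str(p.relative_to(root)), str(target)))
    return findings


def repo_is_safe(repo_root: str) -> bool:
    """Fail closed: a single escaping link is enough to refuse the checkout."""
    return not escaping_symlinks(repo_root)


def build_demo_repo(include_escape: bool = True) -> str:
    """Construct a sample checkout (constructed data, not a real project):
    a normal file, a benign in-tree link and, optionally, a link whose innocent
    looking name hides a target above the repo root."""
    repo = Path(tempfile.mkdtemp(prefix="symlink-check-demo-"))
    (repo / "src").mkdir()
    (repo / "src" / "main.py").write_text("print('hello')\n")
    os.symlink("src/main.py", repo / "entry.py")  # benign: stays inside the tree
    if include_escape:
        os.symlink("../../../etc", repo / ".config")  # escapes: climbs above the root
    return str(repo)


if __name__ == "__main__":
    repo = build_demo_repo()
    for link, target in escaping_symlinks(repo):
        print(f"ESCAPE  {link} -> {target}")
    print("safe:", repo_is_safe(repo))
```

The check deliberately resolves with the root already resolved, so a temp directory that is itself a symlink (macOS `/tmp`) does not produce false positives, and it compares on `Path.parents` rather than string prefixes so `repo` and `repo-other` are not confused.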
Open-Source LLM Workflow Platform Risks — The Flowise RCE (CVE-2026-40933) reminds us that many open-source AI tools prioritize functionality over security. Default insecure configurations, especially in hosted single-user apps, are a huge risk when deployed in enterprise environments. Sandboxing and strict access controls are non-negotiable.
🔧 Patches & Vendor Releases
Google Chrome — Version 148.0.7778.96 for Windows, macOS, and Linux. This is an emergency patch for CVE-2026-2441. Get it deployed. 🟢 solid fix
Flowise — Patches for CVE-2026-40933 have been released, adding flag validation and hardening Custom MCP. If you’re running Flowise, update immediately. 🟢 solid fix
Google AI Threat Defense — Google Cloud launched a new AI-powered platform to autonomously detect and remediate threats. It integrates Gemini, Mandiant, and Wiz. This is a proactive move to combat AI-driven attacks. 🟢 solid fix (new capability)
Snyk Evo Continuous Offensive Security — Snyk released an AI-native offensive testing solution for continuous pentesting of AI-generated code. Acknowledges that traditional pentesting can’t keep up with AI-driven development. 🟢 solid fix (new capability)
🧪 Threat Intel & Malware
GlassWorm Botnet — This botnet, likely Russia-based, was a sophisticated long-game operation targeting developers. It leveraged VS Code extensions, npm, and Python packages. Its C2 infrastructure was built for resilience, using blockchain and P2P networks. The takedown is a significant disruption to their operations, but the underlying threat model (targeting developers) remains.
🌐 Industry, Brand & Internet Security
Charter Communications Data Breach — The ShinyHunters extortion group claims to have breached Charter Communications (Spectrum), exfiltrating 42 million customer records. The entry point was a vishing attack on a Microsoft Entra account, followed by a pivot to Salesforce to pull data. Charter confirms an incident but disputes the scale and sensitivity. ShinyHunters’ ransom deadline was yesterday, so expect data to hit the dark web if no payment. This is T1560.001 (Archive Collected Data: Archive via Compression) and T1567 (Exfiltration Over Web Service).
AI Security Market Shift — Google Cloud’s launch of AI Threat Defense intensifies the competition in the AI-native cybersecurity space, following similar moves from Anthropic (Project Glasswing) and OpenAI (Daybreak). This signals a major industry pivot towards AI-powered defenses to counter increasingly automated AI attacks. Cybersecurity stocks saw a dip as investors reacted to Google’s aggressive entry.
🤖 AI & LLM Security
AI-Developed Zero-Day Exploits Confirmed — As mentioned, Google’s Threat Intelligence Group has confirmed an AI-developed zero-day in the wild. This isn’t just theoretical research anymore; it’s active exploitation. This changes the game for vulnerability management.
LLM Prompt Injection Blind Spots — Cisco’s research confirms that current AI models are highly susceptible to multi-turn prompt injection attacks, far more than single-turn tests suggest. This means our current safety evaluations are missing critical attack vectors. We need to re-evaluate how we test and secure LLMs.
Return-to-Tool (RTT) Exploits — Trend Micro’s research on RTT exploits highlights how AI agents can be weaponized through indirect prompt injection to perform unauthorized actions using their legitimate tools. This is a fundamental flaw in how agents handle trusted data and tool calls.
Claude Code Source Leak Impact — The recent leak of Claude Code’s source code is a gift to attackers. It provides unprecedented insight into agentic AI internals, making it easier to craft sophisticated prompt injection payloads and increase the success rate of indirect attacks. That’s a huge boost for red teams and threat actors alike.
Flowise RCE — The 1-click RCE in Flowise (CVE-2026-40933) is a stark reminder that LLM workflow platforms and vector databases are new attack surfaces. Their default configurations often lack enterprise-grade security, making them low-hanging fruit for attackers.
Google AI Overview Glitch — Google’s AI Overview temporarily broke when processing the word “disregard,” essentially prompt-injecting itself. While not malicious, it demonstrates the inherent fragility and unpredictable nature of LLMs to adversarial inputs.
📋 Compliance & Regulatory
[Clear — enjoy it]
💡 Marcus’s Take
The AI arms race is officially on, and it’s moving faster than anyone predicted. We’ve got AI-developed zero-days in the wild, AI coding agents being turned into supply chain delivery mechanisms, and our LLMs are far more vulnerable to sustained attacks than vendors admit. Defenders are now fighting machine-speed adversaries with human-speed processes. That’s a losing battle. Prioritize securing your AI development pipelines, rigorously testing your LLM deployments for prompt injection and RTT, and assume any AI-integrated system has a target on its back. If you’re not using AI to defend, you’re already behind.