Digital Forensics & Incident Response
Forensic Readiness
Audit Readiness
Weekly Threat Watch
July 13, 2026
2
MIN READ
AI Agentic Ransomware, VS Code Workspace Hijacking, and Mass Zero-Day Leaks

Share this post

TABLE OF CONTENT

This week’s intelligence indicates a dramatic escalation in the weaponization of the software supply chain and the emergence of autonomous, machine-speed attacks. Threat actors are bypassing traditional security scanners by implanting malware directly into developer IDE configurations, utilizing AI agents to execute end-to-end ransomware operations, and exploiting foundational Linux kernel memory flaws that leave zero forensic footprint on disk.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Autonomous Malware and Advanced Espionage

Adversaries are transitioning to autonomous frameworks and abusing legitimate enterprise management interfaces to operate undetected.

  • JADEPUFFER Agentic Ransomware — A fully autonomous Large Language Model (LLM) agent is executing end-to-end extortion playbooks. Exploiting Langflow (CVE-2025-3248) for initial access, the AI agent dynamically harvests credentials, pivots laterally to Alibaba Nacos/MySQL databases, and actively rewrites exploit code if initial attempts fail. Due to a model hallucination, it fails to save the encryption keys, resulting in permanent, unrecoverable data destruction.
  • Mustang Panda Abuses Zoho WorkDrive — A China-aligned APT is targeting Indian government and energy sectors using DLL sideloading to deploy ZOHOMURK. This novel implant abuses legitimate Zoho WorkDrive API endpoints as a "dead drop resolver" to bypass Data Loss Prevention (DLP) controls and blend into trusted corporate traffic.
  • ToddyCat APT Employs "Umbrij" Tool — This APT group targets Chromium-based browsers to compromise corporate Gmail accounts. Using a technique called "Shadow Token via Remote Debug," Umbrij launches the victim's browser in headless mode to silently request OAuth 2.0 tokens from the Google API, maintaining long-term mailbox access without triggering MFA.

2. Supply Chain and Developer IDE Hijacking

Attackers have shifted from traditional package lifecycle scripts to subverting the IDE workspace itself, ensuring malware executes the moment a project is opened.

  • Jscrambler Multi-Platform Compromise — The official jscrambler npm package was hijacked to deliver a 7.5 MB multi-platform native infostealer. On Linux, it injects an embedded eBPF program directly into the kernel layer. The malware specifically hunts for cloud provider metadata, cryptocurrency wallets, and configurations for emerging AI coding assistants (Claude Desktop, Cursor, Windsurf).
  • PolinRider Supply Chain Campaign — Linked to North Korea, this campaign compromises legitimate open-source maintainer accounts. It utilizes heavily obfuscated JavaScript hidden in fake .woff2 font files and rewrites Git histories with backdated commits to evade audits.
  • VS Code Autorun Supply Chain Attacks — Both the PolinRider campaign and compromised npm packages like html-to-gutenberg abuse the VS Code .vscode/tasks.json configuration file. By injecting the "runOn": "folderOpen" directive, arbitrary malware executes automatically when a developer opens the repository. These payloads use public blockchains (TronGrid, Aptos) as dead drops to retrieve secondary infostealers.

3. Critical Infrastructure & Mass Zero-Day Disclosures

Core enterprise data layers and secure file transfer mechanisms are under immediate threat following public drops of functional proof-of-concept (PoC) code.

  • "Exploitarium" Mass Zero-Day Leak — An anonymous researcher publicly released a cache of zero-day exploits targeting 15 major open-source projects, utilizing AI-assisted fuzzing. Critical inclusions involve a libssh2 heap buffer overflow (CVE-2026-55200) enabling pre-auth RCE, a Gitea authentication bypass (CVE-2026-20896), and an Nmap out-of-bounds read (CVE-2026-58058).
  • Oracle EBS & libssh2 Vulnerabilities (Dual Advisory) — Attackers are actively exploiting an unauthenticated takeover flaw in Oracle Payments (CVE-2026-46817, CVSS 9.8) via crafted XML payloads. Concurrently, the recently disclosed libssh2 integer overflow (CVE-2026-55200) allows malicious SSH servers to execute arbitrary code on connecting clients without user interaction.

4. Kernel-Level Flaws & Privilege Escalation

Local vulnerabilities are proving disastrous, allowing attackers who have secured a low-level foothold to effortlessly escalate to root privileges and break out of container environments.

  • CVE-2026-46331 ("pedit COW") Linux Kernel LPE — A critical flaw in the Linux kernel's traffic-control (tc) subsystem allows local attackers to write out-of-bounds directly into shared page-cache memory. The public packet_edit_meme exploit overwrites /bin/su in volatile memory, bypassing static disk-hashing EDR tools to grant an interactive root shell.
  • CVE-2026-46242 ("Bad Epoll") Linux Kernel LPE — A critical Use-After-Free race condition in the epoll subsystem affects kernels 6.4+. Triggered by multi-threaded applications concurrently closing monitored file descriptors, this flaw grants unprivileged local users or containers highly reliable (99%) root privileges.

5. Identity Evasion & Financial Fraud

Social engineering campaigns are bypassing perimeter security by executing payloads directly within the browser DOM and utilizing severe geofencing.

  • "Ghost Phishing" via EvilTokens PhaaS — This campaign evades Secure Email Gateways (SEGs) by encrypting the landing page's HTML using AES-GCM, decrypting it dynamically only within the victim's browser DOM. It then tricks users into completing a legitimate Microsoft OAuth device authorization flow, allowing attackers to harvest persistent access tokens and bypass MFA entirely.
  • Ousaban Banking Trojan — Geofenced to the Iberian Peninsula, this campaign uses phishing PDFs that redirect victims to malicious portals. It employs aggressive device fingerprinting to drop a highly obfuscated VBScript, which unpacks the Ousaban trojan from a steganographic PDF icon to log keystrokes and intercept banking portals.

Proactive steps for the week

  • Deactivate Automated IDE Workspace Tasks: Configure a global corporate restriction policy for Visual Studio Code and Cursor to completely disable the automatic execution of tasks when a folder is opened (workbench.action.tasks.manageAutomaticTasks set to disable for untrusted workspaces). This completely neutralizes the initial execution trigger for both the PolinRider and html-to-gutenberg supply chain campaigns.
  • Harden Linux Kernels Against Local Escalation: Prioritize upgrading enterprise Linux environments to kernel patches resolving "Bad Epoll" (a6dc643c6931) and "pedit COW" (CVE-2026-46331). For systems where updates must be delayed, immediately disable unprivileged user namespaces (sysctl -w kernel.unprivileged_userns_clone=0) and blacklist the packet-editing module (echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf).
  • Isolate AI Orchestration and Default Data Tiers: Remove all Langflow and LLMOps application-building interfaces from the public internet, placing them behind a secure corporate proxy or VPN layer to block JADEPUFFER's unauthenticated RCE avenue (CVE-2025-3248). Concurrently, audit object storage environments like MinIO to ensure default administrative credentials (minioadmin:minioadmin) have been disabled.
  • Monitor Browser Architecture for Remote Debugging Flags: Configure EDR behavioral rules to trigger a high-severity alert the moment Google Chrome or Microsoft Edge is launched with the --remote-debugging-port command-line flag, especially when running in a headless state or initiated by an unexpected parent process. This directly targets the core mechanism used by ToddyCat’s Umbrij tool to acquire shadow tokens.
  • Secure Financial Gateways and Outbound Client Connections: Apply the Oracle May 2026 Critical Patch Update immediately to secure Oracle Payments endpoints against active XML exploitation (CVE-2026-46817). In parallel, restrict outbound SSH traffic (Port 22) from critical internal systems and mandate strict host key verification to prevent rogue servers from triggering the newly leaked libssh2 heap overflow vulnerabilities.
  • Audit Non-Browser Cloud API Ingestions: Implement network logging to flag and examine instances where non-standard endpoint processes or standalone background DLLs initiate connections to legitimate public cloud services, such as Zoho WorkDrive (*.zoho.com). This disrupts Mustang Panda's ability to seamlessly hide exfiltration traffic inside whitelisted enterprise SaaS channels.
  • Deploy Content Disarm and Reconstruction (CDR) for PDFs: Configure email security gateways to sanitize incoming external PDF attachments, stripping embedded JavaScript objects and hyperlinked update button hooks to break the initial access vector of geofenced financial threats like the Ousaban banking trojan.

Explore our DFIR Solutions to discover how our advanced incident response support, compromise assessments, and threat hunting frameworks can insulate your enterprise infrastructure against these campaigns.

SHARE THIS POST