Skip to content
feed: live
>_ 0dayNews
Briefing · 2026-07-11-weekly

Week in Review: AI Attacks Stopped Being Theoretical

Eight named AI-agent incidents in one week, another wave of Microsoft 365 device-code vishing landing on the same targets it always does, and the usual queue of edge-appliance KEV additions — Kilobaud on what the collection has in common.

tldr.txt
  • Eight separate AI-security incidents landed on the desk in seven days: Ghostcommit's image-hidden prompt injection against CodeRabbit and Bugbot, Wiz's Ghostapproval symlink chain against six coding assistants, the friendly-fire attack that turned Claude Code and Codex reviewers into exfiltration paths, Writeout's cross-tenant leak in a Writer.com agent, GitLost's abuse of GitHub agentic workflows against private repos, Varonis's Dialogflow CX rogue-agent finding, Hallusquatting exploiting AI-hallucinated npm names, and Microsoft's MDASH LLM Patch Tuesday triage becoming operationally load-bearing
  • A near-simultaneous string of Microsoft 365 device-code and passkey vishing operations — Storm-2372 (DeBull), O-UNC-066 (Pink), Helix, Scattered Spider court filings, and the Politie's Odido attribution — describes an operational floor for identity-first intrusion that no longer needs a technical vulnerability at all
  • npm 12 shipping with allowScripts off by default and 2FA-bypass tokens deprecated closes the install-hook branch of a decade-old supply-chain problem — and did so in the same week the jscrambler 8.14.0 preinstall infostealer proved why it was overdue
  • KEV additions this week — Balbooa iCagenda for Joomla file upload, PTC Windchill FlexPLM (CVE-2026-12569) JSP webshell, SimpleHelp (CVE-2026-48558) OIDC bypass, Ubiquiti UniFi Connect command injection, and the BeyondTrust Remote Support / PRA auth bypass — remain the same three shapes: file upload, auth bypass, appliance RCE
  • Binarly's six new U-Boot flaws in the FIT-image signature-verification path and Ledger Donjon's laser fault injection reset of Tangem wallet cards close out the week on the same fleet the fleet doesn't patch

Roughly eighty pieces went to the desk this week, and I’ve been sitting with them tonight to decide what to say about the collection without lapsing into “AI changes everything,” which is not analysis, it is a headline. Three observations instead, each corresponding to a pattern that turned up more than once.

The AI attack surface stopped being theoretical

Eight of the pieces on the desk this week were concrete, named incidents in which an AI agent was the target, the attacker’s tool, or both. This is the number I keep landing on. It is not a projection.

Ghostcommit hid a prompt injection inside a PNG’s alpha channel and slipped past both CodeRabbit and Bugbot — neither of which opens image files at all — then convinced a downstream coding agent to read the repository’s .env and encode every secret as a list of decimal numbers written into a source file where the payload wouldn’t look like exfiltration. Ghostapproval, Wiz’s finding, uses a symlink race in the write-approval flow to get six different AI coding assistants — Claude Code and Codex among them — to touch files their user never authorized. The friendly-fire attack turns the reviewer role itself into an exfiltration path by feeding the assistant a diff whose comments tell it to look elsewhere on disk. Writeout is a cross-tenant session leak in a Writer.com agent. GitLost abuses GitHub’s agentic workflows to reach private repositories the requesting user shouldn’t be able to see. Varonis’s Dialogflow CX finding documents a rogue-agent path in a Google Cloud product. Hallusquatting waits for a coding assistant to hallucinate a package name and publishes exactly that. And Microsoft’s own MDASH LLM triage of MSRC is now doing enough of Patch Tuesday’s classification work that the shape of Patch Tuesday itself is changing downstream.

None of this is speculation about what could happen. Every entry above is a named finding with a writeup and, in most cases, a fix. What I would flag as Analysis is the shape they trace together: the assumption underneath every one of them is that a helpful autonomous system, given a plausible input, will keep being helpful — and the attackers noticed. The gatekeepers are the assistants themselves now, and they are the softest gatekeepers we’ve ever shipped. The same mistake, different decade.

The vishing floor keeps rising

Alongside the AI stories, the week gave us five separate Microsoft 365 identity-abuse operations that never needed a real vulnerability to succeed. Okta’s O-UNC-066 — internally “Pink” — is running voice-based fake security requests that walk targets through enrolling a fresh Entra passkey the attacker controls. Storm-2372’s DeBull cluster is the same device-code phishing pattern Talos catalogued in the ArToken piece last week, matured. Helix’s SharePoint vishing shows infrastructure overlap with BlackFile. Court filings on Scattered Spider confirm the same phone-based access-broker economics still describe how those intrusions actually happen. And the Dutch Politie’s attribution of the Odido telecom breach names Dutch-speaking vishing operators inside the ShinyHunters supply chain.

Speculation about attacker intent is Analysis, so treat this paragraph accordingly. The floor for a competent M365 intrusion is now a phone call and a workflow the identity provider considers legitimate. That is not a story about defenders being sloppy. That is a story about the fastest-improving part of the attacker’s toolkit being the part that never appears in a CVSS score.

A rare structural fix, and everything else that isn’t one

One story this week does not belong in either of the two piles above, and it is worth marking because it goes the other direction. npm 12 shipped with allowScripts off by default and the old 2FA-bypass tokens deprecated — a structural change to the ecosystem’s install-time trust model. It is not the whole answer to supply-chain compromise. It never was going to be. It does close the install-hook branch, though, and it did so in the same seven days an attacker used exactly that branch to ship a Rust infostealer inside a jscrambler 8.14.0 preinstall hook. The timing is coincidence. The pairing is not.

Everything else on the KEV list this week is the shape we already knew. Balbooa iCagenda for Joomla went in on a file upload flaw. PTC Windchill FlexPLM (CVE-2026-12569) went in for a JSP webshell path. SimpleHelp CVE-2026-48558 went in for an OIDC bypass past a KEV deadline nobody was going to make anyway. Ubiquiti UniFi Connect went in for command injection. BeyondTrust Remote Support and PRA went in for an auth bypass. Three shapes: file upload, auth bypass, appliance RCE. If you have been reading the KEV catalog for any length of time you have already read this paragraph.

Also on the desk

Two stories that don’t slot into the three themes above but shouldn’t disappear: Binarly’s six new U-Boot flaws in the FIT-image signature-verification path, which will remain unpatched on most of the fleet they touch because most of that fleet has no update pipeline, and Ledger Donjon’s laser fault-injection attack on Tangem wallet cards, which is not a mass-exploitation risk but is a reminder that EAL certifications don’t survive contact with a bench. And in the courts, the guilty plea from the Armenian defendant in the Ryuk case closed a six-year prosecution timeline the week after Martino, the former DigitalMint ransomware negotiator, got seventy months for working the other side of the BlackCat table. Both matter, both are outside the pattern I’ve been describing, both deserve their own reading.

What to watch next week

  1. Whether the AI-agent findings above start compounding — a supply-chain compromise that lands on an assistant that reads it as instruction is the shape I would want to see coverage catch early.
  2. Whether the Storm-2372 / O-UNC-066 / Helix cluster is one operation with three brands or three operations with the same playbook. The answer changes how you defend against it.
  3. Whether the ShareFile Storage Zone Controller advisory Progress issued on 2026-07-10 turns into a named CVE and a KEV listing. As of publication it is still “credible external security threat.”
  4. Adoption on npm 12’s allowScripts=false default. The setting is the win. The migration is the story.

Tip the desk

Source, document, or context on any story we’re tracking? Reach the desk at contact@0daynews.com, or for coordinated-disclosure matters, takedown@0daynews.com.

— Kilobaud

Sources