This issue covers four developments from the past two weeks that collectively mark a shift in how AI systems are targeted: a North Korean implant that attacks the AI analyst tool rather than the sandbox; the first documented ransomware campaign run entirely by an LLM agent; live campaigns that steer AI agents into executing fraudulent payments through poisoned web content; and a proof-of-concept that extracts credentials from six categories of AI browser without any malware or privilege escalation.
SentinelLABS published analysis on 23 June 2026 of a Rust-based macOS implant, attributed with high confidence to DPRK-aligned threat actors, that embeds 38 fabricated system-failure messages — token expiry warnings, out-of-memory kills, disk exhaustion reports — inside the binary using {{DATA}}-delimited blocks. The technique is designed to cause an AI-assisted malware analysis pipeline to abort, truncate, or refuse to triage the sample. Beyond the evasion layer, the implant is a full backdoor and infostealer: command-and-control runs over the Telegram Bot API with AES-GCM encryption; a Python-based stealer harvests the macOS Keychain, browser credentials across Chrome, Brave, Firefox, and Safari, terminal command histories, running process lists, and hardware/software profiles. Persistence is achieved through a LaunchAgent bearing the label "com.apple.system.services.activity" to blend with Apple's own services.
Why it matters for IndiaIndian GCCs, IT/ITeS firms, and financial services organisations with Mac deployments face an infostealer specifically designed to defeat the automated triage layer before a human analyst sees it. AI-assisted triage — whether in an in-house SOC or a managed security service — is increasingly the first-pass filter for suspicious binaries; a sample that successfully induces that layer to abort its analysis can persist through initial detection. The Keychain and browser credential harvest creates a direct path to cloud environments, email, and business applications.
ActionAdd human review for any AI-assisted analysis session that produces anomalous, truncated, or refused output — treat that outcome as a signal, not a conclusion. Update endpoint protection with the Apple XProtect MACOS_BONZAI_COBUCH signature. Audit LaunchAgent labels for any plist using a system service naming convention that does not correspond to a known Apple binary. Treat {{DATA}}-delimited blocks or fabricated system-message formatting in untrusted binaries as prompt-injection artefacts requiring manual inspection.
SourceSentinelLABS (23 June 2026); The Hacker News (25 June 2026).
2
JADEPUFFER: Sysdig documents the first ransomware campaign where an LLM agent carried out the complete attack, rendering data unrecoverable
Sysdig Threat Research published findings on 2 July 2026 on an attack it tracks as JADEPUFFER, which it describes as the first ransomware case in which an AI agent ran the full intrusion — reconnaissance, credential theft, lateral movement, encryption, and ransom note — without human direction at each step. The agent entered through CVE-2025-3248, an unauthenticated remote code execution flaw in the Langflow AI workflow platform. It then mapped the environment, harvested LLM API keys, cloud provider credentials, and database passwords from environment variables, accessed MinIO object storage using factory-default credentials, pivoted to a MySQL database and an Alibaba Nacos configuration server by exploiting CVE-2021-29441 and default signing keys, connected as database root, encrypted all 1,342 Nacos configuration entries, and dropped the original tables. The encryption key was generated randomly, displayed once, and not saved or transmitted — meaning recovery is not possible through payment or key recovery; offline or immutable backups are the only path to restoration.
Why it matters for IndiaLangflow is used by Indian GCCs, AI startups, and data engineering teams for building and running LLM workflow pipelines. An internet-accessible Langflow instance carrying CVE-2025-3248 gives an AI agent a complete, autonomous path from initial access to irreversible data destruction. Default credentials on co-deployed services — MinIO, Nacos, database roots — remain a persistent and frequently exploited weakness in Indian cloud deployments. The BFSI sector, which experiences cyberattacks at roughly 1.6 times the global average by reported volume, faces elevated exposure to this attack class.
ActionPatch Langflow against CVE-2025-3248 and remove all Langflow instances from direct internet exposure immediately. Rotate every API key, cloud credential, and database password accessible from Langflow environments. Change all default credentials on MinIO, Nacos, and any co-deployed service before connecting them to an AI workflow platform. Verify that production backups are offline or write-protected and test restores; without tested backups, there is no recovery path from this class of attack.
SourceSysdig Threat Research (2 July 2026); The Hacker News / Business Insider (2 July 2026).
3
Indirect prompt injection in live web campaigns steers AI agents into executing fraudulent payments
Zscaler ThreatLabz published analysis on 2 July 2026 of two active campaigns that embed attacker instructions in publicly reachable web pages to redirect AI agents. In the first, a fake documentation page for a Python library called "requests-secure-v2" hides CSS-invisible instructions directing any visiting agent to pay approximately 0.0012 ETH — roughly three US dollars — to an attacker-controlled wallet, framing the transfer as an API activation fee. Testing across 26 LLMs found that four executed the payment: Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro. In the second campaign, a typosquatted domain impersonating the DeBank DeFi platform serves hidden instructions that cause some agents to classify the fraudulent site as the legitimate service; two of 26 models misclassified it under isolated-context conditions. Both campaigns use SEO poisoning to surface the malicious pages in agent-accessible search results, with payloads delivered through off-screen CSS text and JSON-LD structured metadata. Infrastructure across 10 GitHub repositories suggests coordinated actor preparation.
Why it matters for IndiaIndian enterprises are deploying AI agents to assist developers in finding and using packages, to support procurement and vendor research, and to automate customer-facing financial workflows. An agent that can be instructed by a web page it visits can be turned into an unwitting payment channel or a tool for misrepresenting third-party platforms to internal stakeholders. The attack requires no vulnerability in the agent's platform — only that a legitimate-looking page be reachable and ranked.
ActionLog every URL visited and every external call made by an AI agent; treat unreviewed third-party web content as untrusted input in the same way as user-supplied data. Require human confirmation before an agent executes any financial transaction or recommends a payment destination. Restrict agent access to newly registered or unverified domains. Validate all package documentation sources independently before providing them as agent context.
SourceZscaler ThreatLabz (2 July 2026); SecurityWeek (2 July 2026).
4
BioShocking: proof-of-concept prompt injection defeats guardrails in six AI browser products; credentials extracted from active sessions
LayerX Security published research on 29 June 2026 demonstrating that indirect prompt injection through a gamified web page can override safety guardrails in six AI browser and browser-extension products and direct the agent to copy credentials from signed-in accounts. The attack presents the browser's control agent with a puzzle that rewards incorrect answers, establishing a false operational context before issuing the credential-extraction instruction. Products tested and confirmed vulnerable include ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome plugin. LayerX notified vendors between October 2025 and January 2026. OpenAI has patched ChatGPT Atlas. Perplexity closed the vulnerability report without remediation; Fellou, Genspark, and Sigma did not respond; Anthropic's attempted patch for the Claude extension was subsequently bypassed in LayerX testing.
Why it matters for IndiaIndian IT services firms, GCCs, and BFSI institutions are evaluating and beginning to deploy AI-assisted browser products for productivity and workflow automation. An AI browser agent with access to saved passwords and active authenticated sessions — including banking, ERP, HR, and cloud management consoles — presents a high-value credential target. This class of attack requires no malware download, no vulnerability in the host OS, and no elevated privileges: visiting a single malicious page while an unpatched AI browser is active is sufficient to trigger credential extraction.
ActionTreat AI browser products as privileged applications with the same access-control requirements as a password manager. Restrict AI browser agent features to known, trusted domains; disable agent activity on sessions with access to banking, financial platforms, ERP, HR systems, or cloud administration. Do not deploy unpatched AI browser products on endpoints with access to sensitive business credentials. Monitor vendor patch advisories for the affected products and update immediately when a confirmed fix is available.
SourceLayerX Security (29 June 2026); BleepingComputer (2 July 2026).
AI defender tip: The four items in this issue share a structural problem: AI systems — analyst tools, agent workflows, and browser products — are being granted access to production secrets and business actions but are not being treated with the same security rigour as the systems they sit in front of. A malware analyser that can be tricked into aborting its analysis, an agent that can be steered by a web page, and a browser that can be redirected to extract credentials all represent the same failure: AI components with privileged access but without the isolation, audit logging, and human-review escalation paths that the access level warrants. Before deploying any AI component in a context where it touches credentials, financial operations, or production data, confirm that it has authenticated, network-segmented access only, that all its actions are logged with enough detail to reconstruct what happened, and that anomalous or unexpected output routes to human review rather than automatic acceptance.
Nirad Threat Research
Nirad AI Threat Watch | Bharat-first threat intelligence