Just weeks after its release, OpenAI’s Guardrails system was quickly bypassed by researchers. Read how simple prompt injection attacks fooled the system’s AI judges and exposed an ongoing security concern for OpenAI.

A new report from the research firm HiddenLayer reveals an alarming flaw in the safety measures for Large Language Models (LLMs). OpenAI recently rolled out its Guardrails safety framework on October 6th as part of its new AgentKit toolset to help developers build and secure AI agents.

It is described by OpenAI as an open-source, modular safety layer to protect against unintended or malicious behaviour, including concealing Personal Identifiable Information (PII). This system was designed to use special AI programs called LLM-based judges to detect and block harmful actions like jailbreaks and prompt injections.

For your information, a jailbreak is a prompt that tries to get the AI to bypass its rules, and a prompt injection is when someone uses a cleverly worded input to force the AI to do unintended things.

HiddenLayer’s researchers found a way to bypass these Guardrails almost immediately after they were released. The main issue they noticed is that if the same kind of model used to generate responses is also used as a safety checker, both can be tricked in the same way. The researchers quickly managed to disable the main safety detectors, showing that this setup is “inherently flawed.”

****The “Same Model, Different Hat” Problem****

Using a straightforward technique, the researchers successfully bypassed the Guardrails. They convinced the system to create harmful responses and carry out hidden prompt injections without setting off any alarms.

The research, which was shared with Hackread.com, demonstrated the vulnerability in action. In one test, they managed to bypass a detector that was 95% confident their prompt was a jailbreak by manipulating the AI judge’s confidence score.

Further probing revealed that they could also trick the system into allowing an “indirect prompt injection” through tool calls, which could possibly expose a user’s confidential data.

Guardrail couldn’t block malicious prompts, and Guardrail fails to block indirect prompt injection (Source: HiddenLayer)

Researchers also noted that this vulnerability gives a false sense of security. As organisations increasingly depend on LLMs for important tasks, relying on the model itself to check its own behaviour creates a security risk.

****Recurring Risk for OpenAI****

The danger of these indirect prompt injection attacks is a serious and recurring issue for OpenAI. In a separate discovery, reported by Hackread.com in September 2025, security researchers from Radware found a way to trick a different OpenAI tool, the ChatGPT Deep Research agent, into leaking a user’s private data. They called the flaw ShadowLeak, which was also an indirect prompt injection disguised as a zero-click attack hidden inside a normal-looking email.

The latest findings from HiddenLayer are a clear sign that AI security needs separate layers of protection and constant testing by security experts to find weak spots. Until then, the model’s weaknesses will continue to be used to break its own safety systems, leading to the failure of critical security checks.

OpenAI’s Guardrails Can Be Bypassed by Simple Prompt Injection Attack

Cybersecurity researcher Jeremiah Fowler discovered nearly 180,000 files, including PII and banking details, left exposed on an unprotected database linked to the Invoicely platform. Read about the identity theft and financial fraud risks for over 250,000 businesses worldwide.

A large volume of private business and personal records was left exposed online after a database belonging to, or linked with, the invoicing and billing platform Invoicely was discovered with no password or encryption.

Cybersecurity researcher Jeremiah Fowler was the first one to discover this database. According to the researcher, the database held nearly 180,000 files containing sensitive information from clients, partners, and employees around the world.

For your information, the Vienna-based Invoicely (by Stack Holdings GmbH) is a cloud-based platform that helps users with creating estimates, managing billing, sending payment reminders, and tracking things like time and vehicle mileage. The platform is widely used, reportedly by more than 250,000 businesses worldwide.

****What Was Exposed****

The exposed database held exactly 178,519 files, including invoices, various tax forms, images of checks, and banking details. The data was found in common formats like CSV and PDF. This material also included Personally Identifiable Information (PII – private data like names and addresses) such as names, physical addresses, phone numbers, and tax identification numbers. Furthermore, Fowler found other documents that should be kept private, such as airline tickets and medical payment receipts.

****The Risks Associated with Open Data****

The exposure of this kind of data creates serious risks for identity theft and financial fraud, as it gives cybercriminals a wealth of information to exploit. For example, the presence of names, addresses, and financial account numbers could be used for highly targeted attacks, including spear-phishing.

Also, the exposure of invoices can be used in invoice fraud, where criminals trick companies into making fake payments. According to the 2024 AFP Payments Fraud and Control Survey, 80% of organisations experienced some form of invoice fraud attack in 2023.

This research, which was shared with Hackread.com, points out that organisations that handle this sensitive data should encrypt it to make it “extremely difficult to access without the correct credentials,” even if it is exposed.

It is worth noting that while the database was quickly taken offline after the researcher notified the company, following a responsible disclosure practice. However, it remains unknown if the database was managed by Invoicely directly or by a third-party contractor, how long the information was publicly accessible, or if any unauthorised person accessed the data. Therefore, users are advised to use multi-factor authentication and avoid reusing passwords.

Invoicely Database Leak Exposes 180,000 Sensitive Records

An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately.

Website owners using the Service Finder WordPress theme and its bundled Bookings plugin must update their software immediately, as a serious security flaw is currently being targeted by cybercriminals. This critical issue allows unauthorised individuals to take complete control of affected sites.

****Easy Access to Administrator Accounts****

The vulnerability, tracked as CVE-2025-5947, is an authentication bypass, which simply means a hacker can get past the login screen without a valid password. Security experts have given this flaw a very high severity score of 9.8 out of 10.

The problem lies in how the Service Finder Bookings plugin handles an account switching function. Attackers found they could exploit this by sending a request to the website while falsely attaching a cookie (a small piece of hidden data) that identifies them as the site’s administrator. The plugin failed to properly check if this identifying data was real or fake.

This oversight allows any hacker (even one who has no account on the site) to trick the system into logging them in as any user, including the site’s administrator. Once logged in as an administrator, they can inject harmful code, send visitors to fake websites, or even use the site to host malicious software.

****Discovery and Active Attacks****

The flaw was initially found by a researcher known as Foxyyy and reported to the Wordfence Bug Bounty Program. Wordfence, a leading WordPress security firm, facilitated the responsible disclosure process and published the details, including the researcher’s name, on their platform.

According to the Wordfence blog post, the issue affects all versions of the theme up to and including version 6.0. The maintainers of the theme quickly released a fix in version 6.1 on July 17, 2025. However, it was later identified that despite the patch being available, attackers started actively exploiting the flaw almost immediately, beginning on August 1, 2025.

Furthermore, over 13,800 attempts to exploit this vulnerability have been detected since that date. The Service Finder theme has been purchased by more than 6,000 customers, which means thousands of websites could still be at risk.

Website administrators are strongly urged to update the Service Finder theme and plugin to version 6.1 or later right away. It is worth noting that for those running security software like the Wordfence firewall, many of these attack attempts have been blocked. This is because the firewall detects the malicious, fake cookie data being used by the attacker and immediately blocks the request before it can reach the vulnerable part of the website.

(Source: Wordfence)

However, updating your software remains the best and most complete defence to prevent this kind of unauthorised access.

“The pure deja vu of another critical WordPress vulnerability cannot be ignored as threat actors are increasingly automating the exploitation of common CMS plugins to gain persistent access to web infrastructure,_“_ said Gunter Ollmann, CTO at Cobalt.

“Once inside, adversaries can pivot to distributing malware, stealing credentials, or using compromised sites in larger botnets,” Ollmann warned. _“_The WordPress ecosystem’s accessibility makes it a prime target, and with so many vulnerabilities like this over the years, security teams should treat the service as untrusted and strengthen systems around it to protect critical data and connected systems.”

Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit

Fortinet warns of Stealit, a MaaS infostealer, now targeting Windows systems and evading detection by using Node.js’s SEA feature while hiding in fake game and VPN installers.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have issued a warning about an active MaaS (malware-as-a-service) operation distributing a dangerous data-stealing malware called Stealit.

This malicious program is designed to take over a victim’s computer and steal private information. The campaign is current, actively targeting Microsoft Windows users across all organisations, and has been classified with a Medium severity level.

Stealit Homepage (Source: Fortinet)

****A New Way to Hide****

The advanced tactics employed by the Stealit campaign show the malware is now using a highly deceptive new method to bypass security measures.

FortiGuard Labs’ investigation revealed that the campaign is leveraging a feature in the Node.js development platform called Single Executable Application (SEA). This is a crucial detail, as older versions of the malware used a different tool named Electron. The purpose of this change is to make the malware harder to spot and block.

The new SEA approach packs all the necessary malicious files into one simple program. This means the program can run even on a computer that does not have the Node.js software installed. The researchers explained that this allows the malware to run “without requiring a pre-installed Node.js runtime or additional dependencies.”

Threat actors are likely taking advantage of the SEA feature’s novelty, hoping to catch security programs and analysts off guard. The malware is further protected by heavy code obfuscation and numerous anti-analysis checks designed to detect and terminate execution if it detects a debugger, a virtual environment, or suspicious processes.

****A Professional Cybercrime Service****

Stealit operators are running this as a full commercial service, advertising “professional data extraction solutions” through various subscription plans. They have relocated their Command-and-Control (C2) server multiple times, switching from the domain stealituptaded.lol to iloveanimals.shop. Moreover, they offer clear pricing for lifetime access: around $500 for the Windows version and $2,000 for the Android version.

Malware’s Subscription Pricing (Source: Fortinet)

The malware’s USP is its extensive list of remote access capabilities, including:

*   File extraction

*   Ransomware deployment

*   Live screen monitoring and webcam control

*   Remote system management (shutdown/restart)

*   The ability to push fake alert messages to the victim.

****What’s At Risk****

According to FortiGuard Labs’ blog post shared with Hackread.com ahead of publishing on Friday, Stealit operators are distributing the malware by hiding it as installers for popular games and VPN applications. They upload these files (packaged in common compressed archives or as PyInstaller) to file-sharing sites such as Mediafire and Discord.

When successfully installed, the malicious program extracts a wide range of information, including sensitive data like login credentials and cryptocurrency wallets from various applications, which can then be used in future attacks.

The researchers noted that the malware’s authors quickly shift tactics, sometimes reverting to the older Electron framework for payload delivery to keep security teams guessing.

This campaign highlights how quickly threat actors adapt by weaponising legitimate software features, like Node.js SEA, to remain undetected. With the malware being distributed via lures like games and VPNs, users must exercise extreme caution with software downloads from unofficial sources.

_“_This is great research tracking the evolution of a focused campaign,_“_ said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.

_“_The targeted user population is what’s most interesting to me – gamers generally have high-performance hardware, and are accustomed to running all kinds of random software in support of their gaming, and the gaming ecosystem is a mess of binaries and network connections BEFORE you start adding in helpers, performance mods, and cheating resources_,”_ Ford explained.

Ford warned that when IT professionals use the same devices or networks for both gaming and work, it creates a vulnerable environment that attackers could exploit for coordinated cyber operations.

_“_There is a large population of privileged IT workers that are avid gamers (many moved into IT thanks to a passion for gaming) – meaning hardware used for work and play, lateral network access to their laptop, and extortionary material on those users are all levers to be used for coordinated adversarial development._“_

Stealit Malware Using Node.js to Hide in Fake Game and VPN Installers

Menlo Park, USA, 10th October 2025, CyberNewsWire

**Menlo Park, USA, October 10th, 2025, CyberNewsWire**

**AccuKnox****,** a leader in Zero Trust Cloud Native Application Protection Platforms (CNAPP), is proud to announce that Nanoprecise has selected AccuKnox to enhance its cloud security, governance, and compliance framework. Nanoprecise is a pioneer predictive maintenance and condition monitoring, and leverages Artificial Intelligence and IoT technologies to deliver real-time fault diagnostics and predictive insights. This helps enterprises minimize downtime, optimize maintenance, and drive operational efficiency. With a growing cloud footprint and plans to expand across AWS and Oracle Cloud, Nanoprecise recognized the need for a comprehensive CNAPP solution that could scale securely and ensure compliance across workloads.

**Why Nanoprecise Chose AccuKnox?**

After a competitive evaluation that included **best-in-class incumbent Cloud Security vendors**, Nanoprecise selected AccuKnox for its **agentless architecture, rapid risk assessment capabilities, and modular pricing**. During the Proof of Concept (POC), AccuKnox successfully demonstrated:

*   **CSPM (Cloud Security Posture Management)** for AWS
*   **KSPM (Kubernetes Security Posture Management)** using KIEM, CIS Benchmarks, and Cluster Misconfigurations in an agentless manner
*   **Automated Compliance** for Cloud and Workload Environments

The deployment validated AccuKnox’s ability to deliver **quick time-to-value**, **granular visibility**, and **compliance assurance** — all while aligning with Nanoprecise’s forward-looking roadmap that includes **Cloud Detect & Respond (CDR)** and **AI security** modules.

**A Partnership Built for Securing the Future**

AccuKnox’s Customer Success and Solution Engineering teams ensured a seamless POC (Proof of Concept) within a month – demonstrating AccuKnox’s **Zero Trust CNAPP** platform’s ability to **simplify security and compliance operations** while preparing for future multi-cloud growth.

**Customer Testimonial**

**Faizan Ahmad Wani, Head Of Security at Nanoprecise**, shared:

> “At Nanoprecise, our focus has always been on leveraging AI to deliver predictive intelligence with accuracy and speed. We wanted a security partner who shared the same philosophy. AccuKnox not only delivered strong visibility across our AWS environment but also showcased a forward-looking roadmap with CDR and AI security that aligns perfectly with our innovation goals. Their agentless, modular approach and customer-first engagement truly stood out.”

**Gaurav Kumar Mishra, Solution Engineering Lead at AccuKnox**, commented:

> “Nanoprecise is a fantastic example of a fast-scaling, innovation-driven company that understands the importance of embedding security early in the growth journey. Our teams collaborated closely to operationalize CSPM and KSPM seamlessly in under a month. What makes this partnership exciting is that Nanoprecise is not just securing their cloud — they’re also exploring ways to deliver CNAPP value to their own customers through an MSSP model. This is the kind of forward-thinking collaboration AccuKnox is known for.”

**About Nanoprecise** 

Nanoprecise specializes in **AI and IoT-based predictive maintenance and condition monitoring solutions**, offering real-time insights into machine health to help enterprises make data-driven decisions that save time, resources, and costs. Their proprietary technologies enable **timely and accurate fault detection**, ensuring optimal performance and reliability for industrial operations.

Users can learn more at https://www.nanoprecise.io

**About AccuKnox**

AccuKnox is a **Zero Trust CNAPP** platform that delivers **runtime protection, agentless risk assessment, and comprehensive visibility** across cloud, container, and AI workloads. AccuKnox is a core contributor to leading CNCF OpenSource projects, KuberArmor and ModelArmor. AccuKnox Enterprise platform is anchored on these open source projects and helps organizations **secure modern cloud environments** with **policy-driven automation and compliance frameworks** that scale.

Users can learn more at https://www.accuknox.com

**Contact**

**Product Marketing Manager**  
**Syed Hadi**  
**AccuKnox**  
**\[email protected\]**

Nanoprecise partners with AccuKnox to strengthen its Zero Trust Cloud Security and Compliance Posture

SonicWall has confirmed that attackers accessed cloud backup configuration files for all customers using its backup service exposing encrypted credentials and network configurations.

In September 2025, SonicWall reported a data breach of its cloud backup service, stating that fewer than 5% of its customers were affected. At the time, the issue appeared contained and under investigation. That changed today after SonicWall and incident response firm Mandiant confirmed that the attackers had accessed backup configuration files for every customer using the service.

The breach began with a brute force attack targeting the MySonicWall cloud backup API, which stores encrypted firewall configuration files. These files include detailed network rules, credentials and routing data used to restore or replicate SonicWall firewalls. While the passwords and keys remain encrypted, the attackers now hold complete configuration data that could be valuable for mapping or exploiting customer networks.

> _“The investigation confirmed that an unauthorised party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks.”_
> 
> SonicWall

SonicWall’s final investigation report says updated lists of affected devices are now available in the MySonicWall portal. Customers can see whether their firewalls are labelled “Active – High Priority,” “Active – Lower Priority,” or “Inactive,” depending on exposure level.

The company has also added new monitoring tools, strengthened its cloud infrastructure, and published detailed remediation guidance. Customers are advised to focus first on high-priority devices with internet-facing services, using the support tool provided to identify which configurations need immediate review.

SonicWall says it continues to work with Mandiant to reinforce its systems and assist affected customers. The company’s updated communication emphasises transparency and prevention after what has become one of its most extensive security incidents to date.

Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, said the breach is serious because of the type of data exposed. “Attackers gained access to a treasure trove of sensitive information, including firewall rules and encrypted credentials,” he said. “Even though passwords are encrypted, if they were weak, they can be cracked offline. And even without that, the configuration data gives attackers enough insight to plan more targeted attacks.”

He also questioned why a service hosting such sensitive data lacked basic protective measures. “A brute force attack on an API should have been blocked by rate limiting and stronger access controls,” Dewhurst noted.

SonicWall Says All Firewall Backups Were Accessed by Hackers

Zimperium's zLabs warns of ClayRat, a fast-spreading Android spyware targeting Russia. It hides in fake apps like TikTok and steals texts, calls records, and camera photos.

Cybersecurity researchers at Zimperium’s zLabs have identified a new and fast-spreading Android spyware known as ClayRat. This spyware is actively targeting Android users, primarily those in Russia, by disguising itself as trusted applications like WhatsApp, Google Photos, TikTok, and YouTube.

YouTube Plus impersonated (Image source: Zimperium)

****Tricking Users into Installation****

The attackers rely on clever social engineering tricks to get the malware onto devices. They set up fake websites that look convincingly like official service pages. For example, in one observed case, a fake GdeDPS landing page was used to trick visitors. These deceptive sites then redirect users to special Telegram channels, such as one named @baikalmoscow, where the malicious app file is hosted.

Further probing revealed that the operators even flood these channels with fake positive comments and download counts to reduce user suspicion before they install the app.

Victims prompted to join Telegram channel (Image source: Zimperium)

Once ClayRat is active, it unleashes alarming capabilities. It can steal a user’s text messages and full call history, take pictures secretly using the phone’s front camera, and even send new text messages or place calls directly from the victim’s device without any user permission.

****Covert & Quick Distribution Tactics****

zLabs’ research shared with Hackread.com ahead of publishing on Monday, shows ClayRat is growing quickly. Over the last three months, more than 600 different versions of the spyware and 50 ‘dropper’ apps (which are installers that hide the real harmful code) have been seen.

This volume of unique files and the speed at which they produce new versions is proof that the operators are constantly changing the software’s disguise to evade detection by security systems.

Regarding the malware’s propagation, researchers found that it abuses the powerful text messaging role on Android devices, known as the default SMS handler. This technique allows it to bypass standard security warnings and gain full access to sensitive data and functions.

It then automatically sends a malicious text to every person in the victim’s phone book. This message is generally in Russian as “Узнай первым! <link>” (English: “Be the first to know! <link>”), and because it looks like it’s coming from a trusted friend, recipients are likely to click it. This prompts every infected device to spread the infection to others, fuelling an exponential growth. It is worth noting that this ability to self-propagate is a major feature of the campaign.

_“_In many ways, mobile devices have taken us back a decade. In email, we have some protection against compromised users sending phishing lures; however, this doesn’t really exist in SMS. The result is that we artificially trust messages from our contacts, and that may include installing apps from outside Google Play,_“_ said John Bambenek, President at Bambenek Consulting.

_“_The key protection for any mobile device user is to only install applications from authorized play/app stores, even if they get a message from an otherwise familiar contact. This type of RAT technology, which allows victim devices to send authentic-looking messages or even make outgoing phone calls, cannot only be used to bypass MFA but to engage in even more sophisticated impersonation attacks,_“_ he warned.

Zimperium’s findings show a serious new threat, which for now is limited to Russia, but it can be about time it targets users worldwide. To protect your device from threats like ClayRat, stick strictly to the Google Play Store for all your apps and never install app files (APKs) sent via messages, social media, or random websites. Also, always be suspicious of any link you receive, even if it comes from a friend, especially if it prompts you to install an app or an update.

Fake TikTok and WhatsApp Apps Infect Android Devices with ClayRat Spyware

70,000 Discord users had government ID photos and private data exposed via a third-party vendor breach. See Discord's full response and critical security steps to protect your identity.

The popular voice and text platform Discord has confirmed a data breach incident affecting a significant number of its users who had submitted government identification for age verification. Discord, which boasts over 200 million monthly active users, confirmed the breach in an official update on October 3, 2025, which was reported by Hackread.com. This update explained that the compromise did not affect Discord’s main systems.

As per Discord’s latest statement published on October 8, 2025, approximately 70,000 users globally may have had photos of their government-issued IDs exposed in the breach. It is worth noting that this security failure did not happen directly on Discord’s main systems but through one of the platform’s third-party customer service providers. This reliance on external vendors for support operations has become a common point of vulnerability for many companies.

Further probing revealed the attackers, who claimed responsibility, accessed a customer support system, which they alleged was Discord’s Zendesk instance, for about 58 hours beginning on September 20, 2025. They reportedly gained access by compromising an account belonging to a support agent from an outsourced business company used by Discord.

****Conflicting Claims and Extortion Attempt****

While Discord limits the exposed ID photos to about 70,000 users, primarily those appealing age-related decisions, the attackers are claiming a much larger haul. For your information, VX-underground reported on October 8, 2025, that the hackers claimed to have stolen 1.5TB of age verification-related photos and that 2.1 million Discord users’ driver’s licenses and/or passports might be leaked.

The hackers allege they stole 1.6 TB of data, impacting 5.5 million unique users, by exploiting Zendesk’s internal support application (Zenbar) that allowed them to perform sensitive actions like disabling MFA and retrieving users’ phone numbers, emails, and internal data via API queries.

They claim 521,000 age-verification tickets were involved, suggesting the number of exposed IDs is far greater than the 70,000 confirmed by Discord (These claims remain unverified).

In response, Discord has publicly stated that the attackers are circulating inaccurate information about the breach of the customer service provider as part of an extortion attempt. However, Discord’s statement clarifies the situation and their next steps.

> _“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord….Third, we will not reward those responsible for their illegal actions.”_
> 
> Discord

Discord also confirmed that it has informed all affected users worldwide and is working closely with law enforcement agencies, data protection authorities, and external security experts. The company stated that it has secured the impacted systems and ended its relationship with the compromised vendor. It added that protecting users’ personal data remains a top priority and acknowledged the concern the incident may have caused.

****Security Steps for Affected Users****

The exposed user data, which includes information provided during support requests, may contain real names, usernames, email addresses, contact details, IP addresses, and partial payment information, such as the last four digits of a credit card. Discord has confirmed, however, that no full credit card numbers, passwords, or authentication data were accessed.

Still, all affected users should immediately enable Multi-Factor Authentication (MFA) on their Discord and associated email accounts and remain alert against phishing attempts. Remember that Discord’s official communication comes only from [email protected]. If your government ID was compromised, monitor credit and financial reports for identity theft.

Discord Says Hackers Stole 70,000 ID Photos, Dismisses Extortion Claims

Forcepoint X-Labs reports a surge in sophisticated email attacks using obfuscated JavaScript and steganography to deliver dangerous RATs and info-stealers like Formbook and Agent Tesla. Learn how to defend against the threat.

New research from cybersecurity experts at Forcepoint X-Labs reveals that businesses are facing a sharp rise in email attacks where criminals are hiding malicious software inside seemingly normal files. This report, shared with Hackread.com, points to a trend in the third quarter of 2025, citing a major increase in campaigns using JavaScript attachments to sneak malware past defences.

****The Lure****

Forcepoint Security Researcher Mayur Sewani notes that the attackers are “cloaking their lures in everyday business communications.” This means the malicious emails are carefully designed to look like average business communications, such as fake purchase orders, shipment notices, or quotes. They basically prey on the recipient’s trust, appearing as legitimate requests.

Malicious Email Sample (Source: Forcepoint X-Labs)

Some of the repeating subject lines the research team found include “RE: Payment Swift MT103” and “DHL Shipment Notification,” usually localised to the recipient’s language. The research notes that attackers use these lures in many different languages, such as Spanish (Solicitud de cotización), to target non-English speaking businesses.

****Hiding in Plain Sight****

The attack typically begins with a compressed archive file (ZIP, RAR, 7z, or TAR) containing a JavaScript file. This JavaScript is heavily obfuscated, meaning the code is purposefully scrambled to make it hard for security tools to read and stop.

Once a user is tricked into opening it, the script acts as a downloader, silently launching the next stage of the attack by using legitimate Windows tools like PowerShell and WMI (Windows Management Instrumentation) to operate ‘Living off the Land’ (LotL) and execute its commands without showing a window.

Heavily Obfuscated JavaScript Attachment (Source: Forcepoint X-Labs)

The malware delivery chain uses a technique called steganography, which involves concealing one file, message, or information within another file. In these attacks, the malicious code is hidden inside a harmless-looking image file, such as a PNG file. The malicious payload is encoded in Base64 within the image’s data stream. The downloader script then extracts and decodes this Base64 data to reconstruct the final binary.

****The Final Payloads****

The question here remains- What are they delivering? The final payloads are typically Remote Access Trojans (RATs) and information-stealing programs. Examples found during the investigation include DarkCloud, Remcos, Agent Tesla, and Formbook, all designed to steal critical data.

The final payload is either a DLL or EXE binary. After installation, these payloads initiate Command and Control (C2) communication to exfiltrate stolen credentials, banking information, and system data.

It is worth noting that these attacks are quite complex, using methods like process hollowing (where malicious code runs inside a trusted program like RegASM.exe to hide its activity) and functions to evade detection by virtual machines used for security analysis.

Sewani advises that organisations should “combine advanced email filtering, endpoint protection, and user awareness” to protect themselves from this threat.

Your Shipment Notification is Now a Malware Dropper

Palo Alto, California, 9th October 2025, CyberNewsWire

**Palo Alto, California, October 9th, 2025, CyberNewsWire**

As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change.

> “Just like any AI Agent, AI Browsers are trained to complete tasks, not to be security aware. This makes it trivial for attackers to trick browsers like Comet into performing malicious tasks, by convincing them that it is a necessary part of the workflow they are completing,” warns Vivek Ramachandran, Founder of SquareX, “With two major consumer browsers publicly announcing their entry to the AI Browser race, it is inevitable that AI Browsers will be the primary way we interact with the internet in the future. Without the right browser-native solution that can implement guardrails on these AI Browsers that take into account agentic identity and agentic DLP, millions of users will be at risk.”

In the technical blog, SquareX discloses a few ways Comet was exploited, illustrating each with case studies. In one example, in completing a research task, Comet fell prey to an OAuth attack, providing attackers with full access to the victim’s email and Google Drive. This allowed attackers to exfiltrate every file stored on the victim’s account, including those shared by colleagues and customers. In another, the AI browser was completing tasks in the user’s inbox – a common use case advertised by Comet itself – when it ended up distributing a malicious link to the victim’s colleague through a calendar invite. Other examples include tricking Comet into downloading known malwares and emailing sensitive files to attackers. 

Unfortunately, existing solutions like EDRs and SASE/SSE have limited visibility into browsers. Today, there is no way to differentiate between activities performed by a user or Comet, as both network requests originate from the same browser. Thus, it is critical that enterprises have a browser-native solution that can differentiate between agentic and user identities, allowing them to apply differentiated guardrails on the data and actions that the AI browser can access or perform.

> In a commentary on SquareX’s research, Stephen Bennett, Group CISO at Domino’s Pizza Enterprises Ltd., says “Browsers have always been our universal gateway to the internet. AI browsers are the next logical step where instead of simply displaying information, the browser acts autonomously on our behalf. The trade off? Where we were once firmly in the driving seat, AI browsers will push us to be passengers.”

With the increasing integration of agentic AI into browsers, AI agents may soon dominate browsing activity over human users. This shift necessitates a collaboration between enterprises, browser developers, and cybersecurity companies to create robust security frameworks and protective measures to prevent attackers from exploiting AI Browsers. SquareX’s findings provide a crucial warning about the dangers of relying on traditional solutions to solve modern threats, and hopes to serve as an encouragement for an urgent industry-wide cooperation.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. More information about SquareX’s research-led innovation is available at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Source

HackRead