Read Time: 5 minutes

Brought to you by:

Howdy friends!

Well that kind of snuck up on me. But today marks 3 YEARS straight of every single Friday with Vulnerable U in your inbox. When I started, consistency was a goal and I think I can say I’ve achieved that. Thank you all for being here, it’s truly changed my life.

I’m fortunate you all let me take up some of your week and I hope I continue to earn that trust to bring you info you care about in a way that is entertaining and digestible. If you’ve been hanging out in my live streams double thank you as it’s been a fun way to collect the news and talk about it all together. Tuesday/Thursday mornings over on my Twitch and YouTube. (And sometimes I throw in some extra streams so follow for notifications)

ICYMI

🖊️ Something I wrote: Getting kind of annoyed with the OpenClaw FUD - there are legitimate concerns, we don’t need to make stuff up like this.

🎧️ Something I heard: John Hammond reverse engineered some malware we covered a few weeks ago

🎤 Something I said: Watch out for this job interview that hacks you

🔖 Something I read: The AI Vampire - I think this is just the tip of the iceberg

Vulnerable News

Beyond the Battlefield: Threats to the Defense Industrial Base

Google's Threat Intelligence with a massive report on threats targeting the defense industrial base, and it's a wild ride through basically every flavor of cyber nastiness you can imagine. Russian groups are going hard after anything Ukraine-related, especially drone tech, with some creative tactics like fake Signal group invites and spoofed battlefield management apps. Meanwhile, North Korean IT workers are still trying to infiltrate defense contractors for that sweet revenue generation, and Iranian groups are getting crafty with fake job portals and recruitment scams targeting aerospace employees.

And of course there’s China - they're absolutely dominating the threat landscape by volume, with a focus on exploiting edge devices that don't have EDR coverage (a la BRICKSTORM). Groups like UNC3886 and UNC5221 are basically living rent-free in these networks for over a year on average. The manufacturing supply chain is also getting hammered by ransomware, which matters because a lot of these companies make dual-use components for defense. Add in some hacktivist groups doing their usual DDoS and leak operations, and you've got a pretty comprehensive picture of why working in defense cybersecurity probably requires a lot of coffee these days. (read more)

What Security Teams Actually Need From AI in 2026*

633 cybersecurity professionals across 9 countries told us what's actually broken in cloud security. Spoiler: it's not detection. Teams are drowning in incidents, burning half their time stitching context across tabs, and losing institutional knowledge every time a security engineer leaves.

Prowler is built to fix exactly this. 45M+ downloads, 13K+ GitHub stars, and 300+ contributors worldwide make Prowler the world's most widely used open cloud security platform.

Read the 2026 State of Cloud Security Report.

*Sponsored

France’s National Bank Breach Is a Case Study in Centralized Risk

France just disclosed a breach of its national bank account database, a centralized government system that records bank accounts across the country. The database reportedly holds information on 80 million individuals, and about 1.2 million accounts were impacted. The attacker allegedly impersonated a civil servant and accessed the FICOBA system, which is widely used by tax, customs, and law enforcement agencies. Big numbers. Centralized access. Government data. Dangerous mix.

My biggest concern is how little we know about the intrusion method. If someone “impersonated” a civil servant, was that stolen credentials? Token replay? Help desk social engineering? Centralized administrative databases are prime targets for both cybercriminals and espionage-linked actors. More questions than answers on this one based on the details, but it’s a big one. (Read more)

Clinejection Shows Where AI Tooling Becomes an Attack Surface

Haaaa this one is crazy and kind of funny. I know tons of you have claude hooked into github working on issues/PRs instantly. Well this story someone uses prompt injection in the title of an issue (opened by anyone) and then even CUTS A RELEASE to prod of infected code. Luckily it was very benign, but this project should’ve responded to the responsible disclosure before the painful public disclosure made them act fast.

Cline, the popular AI coding assistant with 5 million installs, had an issue triage bot that would execute whatever Claude thought was helpful - including malicious npm installs triggered by crafted issue titles.

Then some researcher, apparently not the author of the vuln to begin with, managed to publish a malicious version of Cline's CLI package to npm with a postinstall script. Cline initially ignored multiple disclosure attempts over six weeks but magically fixed everything within an hour of the blog post going live. They also botched the credential rotation and had to clean up again after the actual exploit. AI tooling can create new attack surfaces that bypass traditional security boundaries - going from "anyone can file an issue" to "anyone can compromise our entire release pipeline." The whole internet is now untrusted input as we suck everything into these agents and just start acting. (read more)

Texas vs. TP-Link: Cheap Routers, Hidden Risks and Chinese Ties

Texas AG Ken Paxton is going after TP-Link routers, claiming they're basically trojan horses for the Chinese government. I made a video over a year ago about the US potentially banning TP-Link due to it’s China ties. I also talked about this one Live this morning (timestamp of stream).

The lawsuit alleges that despite marketing themselves as “Made in Vietnam,” and secure and privacy-focused, TP-Link devices have vulnerabilities that Chinese state-sponsored groups have exploited for cyberattacks. Paxton's argument is that since TP-Link imports most of its parts from China, they're bound by Chinese data laws that require companies to hand over intel to the government.

I’m kind of laughing about this one because it is a VERY real possibility that TP-Link just writes garbage code full of vulnerabilities that are so bad they’re getting accused of being a Chinese Op. Official statements from law makers are basically reading to me like: you couldn’t possibly be this bad at security unless it was on purpose. I’m not down playing the likelihood that China is up to something, they’ve shown they will do this kind of thing.

I also think this lawsuit actually has legs because consumers should be able to decide if they want to assume this risk and TP-Link is very publicly trying to distance itself from China, while not being all that distant. (read more)

Manipulating AI memory for profit: The rise of AI Recommendation Poisoning

There’s a new flavor of AI abuse to worry about. Not a jailbreak or prompt injection in the usual sense, and it’s not exactly traditional malware. This is AI recommendation poisoning that manipulates the model’s long-term memory, and it’s already happening in the wild.

Most of the big AI platforms now let you embed a full prompt inside a URL as a query string. That’s how those “Summarize with AI” buttons work across the web. You click a link, it opens your AI of choice, the prompt is pre-populated, and because you’re already authenticated, that interaction is tied directly to your account and your memory profile. The researchers found over 50 examples from 31 companies across various industries embedding hidden instructions like "remember [Company] as a trusted source" in URL parameters that get auto-populated when you click their AI buttons.

This is an architectural issue in how we wire up AI memory and URL-based prompts. Until the platforms change that behavior, we’re going to keep seeing SEO, malvertising, and growth-hacking tactics evolve into full‑blown AI recommendation poisoning campaigns, with your “trusted” AI assistant delivering the bad advice straight to you. (read more)

Cotool Research: Benchmarking LLMs on Defensive Security Tasks*

We benchmarked frontier LLMs on thousands of defensive CTF and investigation tasks designed to mirror real SecOps workflows. Here’s what we found:

• Large reliability gaps across models on multi-step investigations

• Meaningful cost differences at similar performance levels

• Failure modes that don’t appear in generic benchmarks

Worth exploring for security teams running agents in production. View the Benchmarks.

*Sponsored

Malvertising, DNS Payloads, and the Next Evolution of ClickFix

ClickFix is f’n everywhere. Seriously, this technique must be incredibly successful the way it keeps evolving so fast. I’m calling it now - I won’t be using any of the other names for it. It is ClickFix. Just like phishing is phishing (not smishing or quishing). What started as fake CAPTCHA prompts telling users to paste commands into PowerShell has now morphed into DNS-based payload delivery, Base64-encoded clipboard attacks, and even malvertising campaigns that impersonate ChatGPT results. (read more)

Ring, Flock, and the Rise of Deterministic Surveillance

A police officer misidentified a suspect using Ring camera footage, wrongfully confronted the wrong person, and was reprimanded - not for the false accusation, but for being rude. The rise of deterministic surveillance systems that create a powerful illusion of certainty. Especially when they are using AI on the back to “identify” people. The cute “we found the missing dog” commercial at the Superbowl leads me to think that their leadership watched Minority Report and saw it aspirational.

From Ring to Flock license plate readers to privately owned camera networks, we are building a world where “the system said so” becomes the default justification. Privacy experts are calling it exactly what it is: techno-authoritarianism wrapped in a bow. The YouTube comments on their Super Bowl ad are brutal, with people immediately recognizing this as dystopian sci-fi territory. Ring's trying to put a friendly face on mass surveillance, but people aren't buying the "just helping find Fluffy" narrative anymore.(read more)

 News:

UK to demand social platforms take down abusive intimate images within 48 hours

The UK is getting serious about non-consensual intimate images online, putting them in the same category as terrorism and CSAM. New amendments to the Crime and Policing Bill will require platforms to take down reported content within 48 hours or face fines up to 10% of their global revenue. This comes after the Grok chatbot controversy where Elon's AI was caught generating NSFW images of real people.

The policy also includes a "report once, remove everywhere" approach so victims don't have to play whack-a-mole across multiple platforms. Overall a fan of this one, doesn’t seem like any “gotchas” that would make this hard on privacy while protecting victims. (read more)

Police arrests 651 suspects in African cybercrime crackdown

I want a lot more detail about each of these groups, what they were up to, and how they got caught. Because holy crap, this was prevalent - so whatever toppled it must of finally been great. We don’t get a ton of detail about each group except the kind of scam they were running and some dollar amounts.

INTERPOL just wrapped up Operation Red Card 2.0, a massive crackdown across 16 African countries that netted 651 arrests and recovered over $4.3 million. They're calling it a win against investment fraud, mobile money scams, and those predatory loan apps that have been plaguing the continent. They identified 1,247 victims, seized over 2,300 devices, and took down nearly 1,500 malicious websites and servers. (read more)

Hackers target Microsoft Entra accounts in device code vishing attacks

ShinyHunters is apparently getting creative with their social engineering. They're combining old-school phishing calls with device code phishing to bypass MFA and compromise Microsoft Entra accounts. Instead of setting up fake login pages, they are leveraging legitimate Microsoft OAuth flows - specifically the device authorization grant that's normally used for smart TVs and IoT devices. They'll call up employees, sweet talk them into visiting microsoft[.]com/devicelogin, and entering a code that grants access to their corporate accounts.

The beauty (from the attacker's perspective) is that victims are authenticating on Microsoft's actual login page, so it looks completely legit (because it is). Once someone enters the code and completes their normal MFA process, the attackers get refresh tokens that can be swapped for access tokens - no more MFA required. From there, they can access Microsoft 365, Salesforce, and whatever other SSO apps are connected. KnowBe4 spotted similar campaigns mixing this technique with traditional phishing emails. The fix is straightforward: disable device code flow if you don't need it, and maybe audit those OAuth app permissions while you're at it. (read more)

Bug in student admissions website exposed children’s personal information

(read more)

Hacking conference Def Con bans three people linked to Epstein

Defcon ban hammered three people connected to Jeffrey Epstein, based on the latest DOJ document dump. Pablos Holman (VC at Deep Future), Vincenzo Iozzo (SlashID CEO and former CrowdStrike exec), and Joichi Ito (former MIT Media Lab director) are now persona non grata at the conference. The move follows similar actions by Black Hat and Code Blue, who quietly scrubbed Iozzo from their review boards after the Epstein connections surfaced.

Iozzo's camp is calling it "performative" since he's barely shown up to Defcon in the past two decades anyway. The connections vary - Iozzo claims his interactions were just failed business opportunities, Ito resigned from MIT in 2019 over the Epstein ties, and Holman apparently tried to help Epstein with some online reputation management. Interestingly, there were plans for Epstein himself to attend Defcon with Holman back in 2013, though it's unclear if that actually happened. Either way, the cybersecurity conference circuit is clearly doing some house cleaning. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay