Vulnerable U | #171

Meta's AI disaster, Whitehouse executive order on AI security, more npm worms, and more publicly disclosed vulns from researchers

Read Time: 9 minutes

Howdy friends!

Writing you from a balcony in Grand Cayman. What started as a little newsletter I made to get back into content creation after leaving my tour in big finance where it wasn’t allowed has really turned into something crazier than I anticipated. Vulnerable U was just a way for me to blog again and talk about current events and things I was passionate about like mental health, personal development, and helping security practitioners be the best they can be.

Now I’m here giving a keynote at a conference abroad with our logo all over the place as one of the sponsors. Just really grateful in this moment that I can employ a team and support the industry all based on what started right here. Literally in this text box.

The other lesson here is: you can just do things. I didn’t ask anyone’s permission to start this, nor did I wait for someone to tell me it was a good idea. I just started 171 weeks ago and haven’t stopped. What do you think would change in your life if you did something for 171 weeks straight? I don’t want to be some bullshit lifestyle influencer, but it is hard not to have that reflection in this moment. Thanks for indulging the cringe, and honestly we should all lean into a little cringe from time to time.

ICYMI

🖊️ Something I wrote: Been working hard for the last few weeks getting PADI scuba certified.

🎧️ Something I heard: Maybe we were wrong - Primeagen

🎤 Something I said: Microsoft is threatening researchers

🔖 Something I read: Jen Easterly’s take on the AI executive order

Vulnerable News

What could possibly go wrong when you give an AI help desk chatbot write access over everyone's account, including password reset functions? Apparently …everything! Over the last few days, Instagram was vulnerable to a remarkably simple attack where people could convince Meta's AI support assistant to send password reset information to a brand-new email address that wasn't associated with the account at all. This wasn't some advanced AI jailbreak or cutting-edge hacking technique. The AI was just being helpful in exactly the wrong way.

The attack itself was almost laughably simple. Attackers connected to a VPN in roughly the same geographic region as the account owner, opened a chat with the AI support system, claimed they had lost access to their account, and asked for verification information to be sent to a new email address. In many cases, the AI simply complied. Some attackers even used anonymous one-time email services and still received account recovery codes. Once they had access, they followed a well-rehearsed playbook: reset the password, terminate active sessions, delete backup codes, and take complete ownership of the account. (read more)

The AI-attack era has arrived. Thousands of zero-days in the pipeline. Target-specific exploits generated in minutes. Unattributed, one-off attacks that bypass detection - while your dashboard stays green.

runZero is built for this reality. Know every asset on your attack surface, uncover every exposure, map every attack path, and validate your segmentation - before the exploit drops. We deliver deep intelligence across IT, OT, IoT, cloud, and mobile, so defenders can win by default. Even against AI.

*Sponsored

This AI agent found a security protection that was put in place to make sure it didn't install malware, and it turned it off. If you've seen any of my videos on all of the npm worms, PyPI worms, and the other giant malware campaigns going around right now in the software supply chain, one of the main recommendations is to set your minimum release age to seven days. That gives every package that shows up on npm a bit of time for the security community to find the malware; you download it a few days later, and you still pick up any fixes for security bugs in the software.

Well, this is a screenshot from Cursor, the AI coding IDE, which said: "Hey, by the way, I noticed that your pnpm policy has this minimum release age thing set to seven days, which is too slow in my personal AI agent expert opinion. You're missing super useful features at speed. So I went ahead and set that back to zero." Uh, you did... what?

Five Eyes intelligence agencies are sounding the alarm about a pretty slick Chinese recruitment operation that's been going after government and military personnel through fake job postings. Chinese military intelligence is basically running a catfish scheme on LinkedIn, Indeed, and Upwork - posing as HR reps from legit-looking consultancies and think tanks to lure people with security clearances. They're not just going after the obvious targets either; academics, journalists, and anyone with even peripheral access to government info are fair game.

The playbook is methodical: start with a normal-looking job ad, conduct virtual interviews while probing for access levels, then gradually escalate from "write us a harmless report on China's bilateral relations" to "hey, can you share some classified stuff?" They're paying anywhere from hundreds to thousands per report through PayPal, crypto, and other platforms. What's particularly crafty is how they eventually move conversations to encrypted messaging apps once they've got someone hooked. If you've got a clearance and you're getting unsolicited job offers that seem too good to be true, they probably are. (read more)

Trump dropped a new executive order on AI cybersecurity that's got some interesting moves. The big theme is "America First" AI dominance while ditching what he calls the "bureaucratic constraints" from the previous administration. Key highlights include setting up an AI cybersecurity clearinghouse run by Treasury, expanding the Tech Force hiring pipeline, and creating a voluntary framework where AI companies can get their frontier models assessed by NSA before release.

What's catching attention is the "covered frontier models" classification system - basically a way to flag advanced AI systems that could have serious cyber capabilities. Companies can voluntarily submit their models for a 30-day government review before release, but notably there's explicit language saying this isn't creating a mandatory licensing system. (read more)

Data breaches don't start with malware, they start with trust. Varonis Threat Labs mapped how attackers are exploiting identity, AI, and cloud workflows at every stage of the kill chain, from Cookie-Bite MFA bypasses to AI copilots leaking sensitive data with a single prompt. If you're defending modern infrastructure, take a look to understand how threats are actually getting in. (read more)

*Sponsored

Another day, another npm supply-chain attack. This time it's IronWorm, a Rust-based infostealer that managed to hit 36 packages before getting squashed. The malware hides behind an eBPF rootkit, phones home over Tor, and targets the things you’d expect: OpenAI keys, AWS creds, and SSH keys. It self-propagates by stealing npm publishing credentials and then pushing out trojanized versions of packages.

The attack started from a compromised account called 'asteroiddao' and has some similarities to the Shai Hulud malware we've seen before. It uses GitHub Actions as a data exfiltration method - it disguises stolen secrets as innocent build artifacts that anyone with access can download. The good news is that security folks caught this one early before it could spread to more popular packages. (read more)

Marcus Hutchins is also on the “responsible disclosure requires a responsible vendor” train and is releasing a zero-day publicly after the report he submitted multiple times was ghosted.

He found a remote kernel vulnerability that lets you crash any system running Comodo's firewall with a single IPv6 packet - and it works even if the firewall blocks everything because the bug happens during packet parsing, before any rules kick in.

The bug is an integer underflow in the IPv6 extension header parser, which doesn't validate the payload length field. While there's potential for out-of-bounds read and write primitives, Marcus thinks RCE is unlikely due to various constraints. Comodo has no bug bounty program, so here we are with a public zero-day because vendors gonna vendor. He's provided a PoC so people can test whether they're vulnerable. (read more)
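To make the bug class concrete, here is an added example (not Comodo's parser and not Marcus's PoC) of a hypothetical bounds-checked walk over the IPv6 extension-header chain: each subtraction against the declared Payload Length is guarded before it happens, which is the check an underflow of this kind is missing. The sample packets are constructed inline; header sizes follow RFC 8200.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical bounds-checked IPv6 extension-header walker (added example, not vendor code). */
#define IPV6_HDR_LEN 40
#define NH_HOPOPTS  0
#define NH_TCP      6
#define NH_FRAGMENT 44
#define NH_DSTOPTS  60

static int is_ext_hdr(uint8_t nh) {
    return nh == NH_HOPOPTS || nh == 43 /* routing */ || nh == NH_FRAGMENT || nh == NH_DSTOPTS;
}

/* Walks the extension-header chain. Returns the upper-layer protocol number and stores its
 * offset in *off, or -1 if malformed. buf_len is what was actually received, not the field. */
int ipv6_walk_ext_headers(const uint8_t *buf, size_t buf_len, size_t *off) {
    if (buf_len < IPV6_HDR_LEN) return -1;
    size_t payload_len = ((size_t)buf[4] << 8) | buf[5];
    size_t end = IPV6_HDR_LEN + payload_len;
    if (end > buf_len) return -1;            /* declared length exceeds what we hold */
    uint8_t nh = buf[6];
    size_t pos = IPV6_HDR_LEN;
    while (is_ext_hdr(nh)) {
        /* Compare before subtracting: an unchecked "payload_len - consumed" is the
         * unsigned underflow that turns a tiny remainder into a huge bound. */
        if (end - pos < 8) return -1;        /* every extension header is at least 8 bytes */
        size_t hdr_len = (nh == NH_FRAGMENT) ? 8 : ((size_t)buf[pos + 1] + 1) * 8;
        if (hdr_len > end - pos) return -1;  /* header claims bytes the payload does not have */
        nh = buf[pos];
        pos += hdr_len;
    }
    *off = pos;
    return nh;
}

/* Constructed 56-byte sample: base header -> hop-by-hop -> destination options -> TCP.
 * The caller passes a zeroed buffer; declared_len and hop_ext_len are the fields we vary. */
static void build_sample(uint8_t *pkt, uint16_t declared_len, uint8_t hop_ext_len) {
    pkt[0] = 0x60;                                   /* version 6 */
    pkt[4] = (uint8_t)(declared_len >> 8); pkt[5] = (uint8_t)declared_len;
    pkt[6] = NH_HOPOPTS; pkt[7] = 64;                /* next header, hop limit */
    pkt[40] = NH_DSTOPTS; pkt[41] = hop_ext_len;     /* hop-by-hop: next header, hdr ext len */
    pkt[48] = NH_TCP;                                /* destination options: next header */
}

int sample_well_formed(void) {        /* 16-byte payload holds two 8-byte headers: returns 6 */
    uint8_t pkt[56] = {0}; size_t off = 0; build_sample(pkt, 16, 0);
    return ipv6_walk_ext_headers(pkt, sizeof pkt, &off);
}

int sample_overlong_header(void) {    /* hop-by-hop claims 16 bytes, none left for dst opts: -1 */
    uint8_t pkt[56] = {0}; size_t off = 0; build_sample(pkt, 16, 1);
    return ipv6_walk_ext_headers(pkt, sizeof pkt, &off);
}
```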

Researchers managed to trick Google Gemini through everyday notifications. They figured out a way to inject malicious prompts through WhatsApp, Slack, SMS, and pretty much any messaging app that sends push notifications. They’re calling this technique "Fake Context Alignment," where they hide malicious instructions in foreign languages or muted hyperlinks, so when you think you're just saying "yes" to end a conversation, you're actually authorizing Gemini to open your smart home windows or start a Zoom call streaming your video.

The researchers could fake messages from trusted contacts without even knowing their names beforehand: just grab whatever name pops up in your notifications and attribute the malicious message to them. They also managed to poison Gemini's long-term memory for persistent access across all your devices. Google's already patched these issues after the disclosure. But boy, are we AppSec nerds loving everyone learning about untrusted input sources all over again as AI agents seem to just read prompts from anywhere. XSS who? (read more)

Someone just spent five months methodically stealing a stock exchange executive's entire email history, and honestly, it's impressive how patient and disciplined they were. The attackers used a custom tool built around Aspose (a legitimate .NET library) to slice Outlook OST files into bite-sized chunks, then exfiltrated everything through Dropbox and OneDrive Personal to blend in with normal cloud traffic. They grabbed emails incrementally over two-to-four-week windows, making sure not to trigger any alarms with massive data transfers.

The opsec was pretty solid too - they masqueraded their tools as Adobe and OneDrive services, used scheduled tasks that looked like Lenovo health checks, and even switched to hard-coded Microsoft IPs instead of hostnames to avoid DNS logging. Five months of dwell time is serious commitment for what was essentially a glorified email theft operation. No attribution yet since they stuck to public tools and legitimate cloud services, but for an exchange executive's mailbox full of market-moving intel, someone clearly thought it was worth the long game. (read more)

Here we go again with Microsoft and security researchers butting heads. Ammar Askar just dropped a working VS Code exploit that can steal GitHub tokens with a single click, and he intentionally bypassed Microsoft's disclosure process to do it. His beef is that Microsoft apparently "silently" fixed a previous bug he reported without giving him credit and claimed it had no security impact. So now he's going full public disclosure on VS Code bugs.

The attack: craft a malicious Jupyter notebook, the victim clicks a link to open it in github.dev, and hidden code simulates keystrokes to install a rogue extension that exfiltrates their GitHub token. That token gives full read/write access to everything they can touch, private repos included.

This is getting spicy because it's part of a bigger trend where researchers are fed up with Microsoft's vulnerability handling. The timing is interesting to me since this comes right after TeamPCP breached thousands of GitHub repos through a poisoned VS Code extension. Hard to blame them for getting frustrated with being ignored. (read more)

Google's rolling out a solution to the growing deepfake voice scam problem. Their new "fake call detection" feature for Android 12+ devices works by having the caller's phone send a silent, encrypted confirmation signal to the recipient. If that signal doesn't show up, your phone automatically pings your actual contact to ask "hey, are you calling me right now?" If they say no, you get a warning to hang up immediately.

Impersonation scams hit $2.95 billion in losses last year alone. The feature only works if both people are using Phone by Google with RCS enabled, so adoption might be the real challenge here. I like that instead of trying to detect if a voice sounds fake, they're just verifying the call is actually coming from where it claims to be. Smart move, especially as AI voice cloning gets cheaper and more convincing. (read more)

Kali365, which started as a Microsoft 365-focused credential stealer, has now expanded to target AWS, Okta, Xerox DocuShare, and some interesting Russian platforms including MAX Messenger, a state-backed messaging service with 80 million users. The kit specializes in device code phishing, where they trick you into entering a legitimate OAuth code on a real login page, completely bypassing your MFA in the process.

Arctic Wolf recently tracked down 126 active malicious hosts all serving the same Kali365 kit between early and late May. They're impersonating everything from Microsoft Outlook to German email providers to major Russian services like Mail[.]ru and Yandex. It's part of a bigger trend with at least 14 different device code phishing kits floating around now. (read more)

Anthropic's Claude Mythos Preview model is absolutely tearing through codebases right now. Since launching Project Glasswing in April, this thing has surfaced over 10,000 high or critical software vulnerabilities. They're now expanding access to about 150 more organizations across critical infrastructure sectors - power, water, healthcare, the works. Cloudflare alone found 2,000 bugs using it, including 400 rated high or critical, with better accuracy than human testers.

Now we’ve got a human bottleneck of actually fixing everything. Mozilla found 271 vulnerabilities in Firefox 150, roughly 10x what earlier models turned up in previous versions. The broader concern is that we're heading into a world where AI can find bugs faster than defenders can patch them, potentially giving attackers the upper hand. Anthropic's keeping Mythos locked down for obvious reasons, but they did release a public version called Claude Security that's already helped patch over 2,100 vulnerabilities in three weeks. (read more)

Here's a fun lesson in how vulnerability ratings can age like milk. Palo Alto Networks dropped CVE-2026-0257 as a "medium" severity bug on May 13, but by the time Rapid7 spotted active exploitation just four days later, it got the full critical upgrade treatment. CISA quickly tossed it onto the KEV.

The exploit itself is simple - just forge an authentication cookie using the device's own TLS certificate and boom, you've got VPN access with a single HTTP request. Multiple threat groups are already swarming this opportunity, with Rapid7 tracking waves of attacks hitting their customers. A quote from the Rapid7 research sums it up well:

“The implication here is that anyone who knows the public key for the certificate used by the authentication override feature to encrypt and decrypt cookies, can successfully forge and encrypt an arbitrary authentication override cookie. The question then becomes, how does an attacker learn the correct public key to use in this attack?

This brings us back to the vendor's advisory where they state “do not reuse the portal or gateway certificate, and do not share this certificate with other features or users”.

If a GlobalProtect portal or gateway has reused the certificate for encrypting and decrypting cookies with another feature, such as the HTTPS service of the portal or gateway, then a remote unauthenticated attacker can discover the public key for that certificate.” (read more)

Microsoft published a good deep dive on "Miasma," the latest npm supply chain attack, which hit 32 Red Hat Cloud Services packages. The attackers compromised the upstream CI/CD pipeline and used legitimate GitHub Actions OIDC workflows to publish trojanized packages with authentic provenance signatures, making the malware look officially blessed. The attack triggered automatically during npm install via preinstall hooks, then downloaded the Bun JavaScript runtime and executed a heavily obfuscated 4.29MB payload that could steal credentials from pretty much everywhere: GitHub, AWS, Azure, GCP, HashiCorp Vault, you name it.

Once it steals your npm tokens, it republishes poisoned packages under your name with forged SLSA provenance to keep the cycle going. The malware even scrapes GitHub Actions runner memory directly to bypass secret masking and can escalate privileges using passwordless sudo. Oh, and there's a fun destructive tripwire: if you mess with their planted decoy token, it tries to nuke your home directory with rm -rf ~/. "If we can't have it, nobody can." (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay