Bharat Threat FeedGlobal threats, decoded for Indian defenders
Nirad Bharat Threat Feed

India-first threat intelligence

Global threats, decoded for Indian defenders — weekly briefs, sector editions, and AI Threat Watch. Every claim source-attributed.

Weekly Latest Weekly Brief 3 July 2026 Open issue →

Weekly Brief — 3 July 2026

Five items require action from Indian defenders this week: an on-premises SharePoint flaw under active exploitation with a 4 July patch deadline, APT36 escalating its Linux campaign against Indian government systems, Cisco ASA and Firepower backdoors that survive firmware updates and software reboots, a GlobalProtect authentication bypass enabling unauthorised VPN sessions, and a DPRK-linked macOS backdoor that injects false error data to degrade AI-assisted malware analysis.
1HighCVSS 8.8

Microsoft SharePoint Server Remote Code Execution — CVE-2026-45659

A deserialization flaw in Microsoft SharePoint Server allows an authenticated attacker with Site Member permissions — a low access threshold — to execute arbitrary code on the server without requiring administrative privileges. CISA added CVE-2026-45659 (CVSS 8.8) to its Known Exploited Vulnerabilities catalog on 1 July 2026, with a federal remediation deadline of 4 July 2026. Active exploitation is confirmed; SharePoint Online is not affected. Only on-premises installations are at risk: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

India exposureOn-premises SharePoint deployments are common across Indian BFSI institutions, central and state government departments, public sector undertakings, and large enterprises. Organisations that delayed May 2026 patching should treat this as an emergency item.
ActionApply Microsoft's May 2026 out-of-band update immediately. Review active Site Member accounts for unexpected additions, scan for web shells and anomalous child processes from SharePoint and IIS worker processes, and validate clean backups before patching. Restrict internet-facing SharePoint farms to known IP ranges where feasible.
SourceCISA Known Exploited Vulnerabilities catalog, 1 July 2026; The Hacker News, 1–2 July 2026; The Register, 2 July 2026.
2

APT36 Expands to BOSS Linux — Indian Government Endpoints Directly Targeted

Pakistan-linked APT36 (Transparent Tribe), historically focused on Windows environments, has extended its operations to India's Bharat Operating System Solutions (BOSS) — the Debian-based national Linux distribution deployed across Indian government offices. The campaign delivers phishing emails with ZIP archives containing weaponised .desktop shortcut files. When opened, these files execute a hidden ELF payload while displaying a decoy security advisory document to the user. The malware deploys Geta RAT, which supports credential collection, screenshot capture, file operations, clipboard manipulation, and remote shell command execution. The campaign reflects convergence with SideCopy tradecraft documented by Seqrite Labs and has intensified in the geopolitical context following Operation Sindoor.

India exposureCentral and state government entities running BOSS Linux. Defence-adjacent organisations, academic institutions, and policy research bodies are consistent secondary targets for this threat cluster.
ActionBlock execution of .desktop files delivered via email and internet-sourced archives. Alert on ELF binaries spawned from within freshly extracted ZIP directories. Ensure EDR coverage extends to BOSS Linux endpoints — Linux coverage gaps in government networks are a documented risk. Brief government Linux administrators on this specific lure format.
SourceCYFIRMA research, 2026; Seqrite Labs, 2026; ORF Online, 2026; BleepingComputer, 2026.
3CriticalCVSS 9.9

FIRESTARTER Backdoor on Cisco ASA and Firepower — Patched Devices May Still Be Compromised

CISA and the UK NCSC jointly published Analysis Report AR26-113A (23 April 2026) confirming that a nation-state APT actor implanted FIRESTARTER, a persistent Linux ELF backdoor, on Cisco Firepower and ASA devices at a U.S. federal civilian agency. Initial access exploited CVE-2025-20333 (CVSS 9.9), an improper input validation vulnerability enabling authenticated remote code execution as root, and CVE-2025-20362. The critical risk for organisations that have already patched: FIRESTARTER hooks into LINA, Cisco's core network processing engine, reinstates itself when signalled to terminate, and survives both firmware updates and software reboots. Only a hard power cycle — physically disconnecting power — removes the implant. Issuing shutdown, reboot, or reload CLI commands does not clear it.

India exposureCisco ASA and Firepower appliances are widely used as perimeter firewalls in Indian BFSI, IT services, government, and critical infrastructure sectors. Organisations that applied patches without performing a hard power cycle may believe themselves remediated when persistence may remain.
ActionVerify whether affected Cisco ASA/FTD hardware was hard power-cycled after patching — not merely rebooted. Run Cisco's FIRESTARTER detection tooling. Where power cycle completion cannot be confirmed, plan device reimaging. Review management access logs, AAA authentication events, and outbound C2 patterns described in CISA AR26-113A.
SourceCISA/NCSC Advisory AR26-113A, 23 April 2026; Help Net Security, 24 April 2026; BleepingComputer, April 2026.
4CriticalCVSS 9.1

PAN-OS GlobalProtect Authentication Bypass — CVE-2026-0257

CVE-2026-0257 (CVSS 9.1) is an authentication bypass in the GlobalProtect portal and gateway of PAN-OS. When the same TLS certificate is used for both HTTPS service and authentication override cookies, an attacker can extract the certificate's public key and use it to forge valid session cookies, obtaining an unauthenticated VPN session without credentials. Rapid7 MDR observed exploitation beginning 17 May 2026. CISA added the vulnerability to the KEV catalog on 29 May 2026. Unit 42 notes that while exploitation is confirmed, post-access lateral movement in observed incidents has not yet been definitively attributed; however, the access pathway is open.

India exposurePalo Alto GlobalProtect is a common remote-access VPN platform across Indian IT services, BFSI, and large enterprise environments. Any deployment using a shared certificate for HTTPS service and authentication override cookies is at risk.
ActionApply available PAN-OS patches for GlobalProtect portal and gateway. Either disable the authentication override feature or generate a certificate used exclusively for authentication override, separate from the HTTPS service certificate. Rotate certificate keys. Review VPN session logs from mid-May onwards for sessions from unknown hosts or with atypical access patterns; require MFA revalidation for privileged remote access.
SourcePalo Alto Networks Unit 42, May 2026; Rapid7 MDR, 17 May 2026; CISA KEV, 29 May 2026.
5

macOS.Gaslight — DPRK Credential Stealer Uses Prompt Injection to Disrupt AI-Assisted Analysis

SentinelLABS disclosed macOS.Gaslight on 23 June 2026, attributing the Rust-written backdoor with high confidence to North Korean threat actors. The malware harvests browser credentials from Chrome, Brave, Firefox, and Safari, extracts macOS Keychain data, and routes command-and-control through the Telegram Bot API. Its distinguishing technical characteristic: a 3.5 KB prompt injection payload containing 38 fabricated diagnostic error messages — disk exhaustion alerts, token expiry notices, out-of-memory warnings — designed to push AI-assisted malware analysis tools into aborting or truncating their output. SentinelLABS found the technique did not bypass current production analysis platforms in testing. Earlier North Korean macOS samples carried a single injected message block; Gaslight stacks 38, indicating the operators are actively iterating against real analysis tools.

India exposureDPRK threat actors routinely target cryptocurrency exchanges, fintech companies, IT outsourcing firms, and defence-adjacent technology organisations — all significant sectors in India. Indian security operations teams using AI-assisted triage tools should note that prompt injection techniques targeting analysts, not just sandboxes, are now in active development.
ActionEnforce macOS application signing and notarisation controls. Monitor for Telegram Bot API outbound connections from non-authorised processes. Cross-validate AI-assisted analysis output against traditional static and dynamic methods for any macOS samples containing anomalous text blocks resembling diagnostic output. Prioritise credential rotation following any suspected developer workstation compromise.
SourceSentinelLABS, 23 June 2026; Security Affairs, 23 June 2026; The Hacker News, 26 June 2026.

This week's edge and network security sweep covered Fortinet, Cisco, Palo Alto Networks, Check Point, Juniper, SonicWall, Sophos, Barracuda, WatchGuard, Zscaler, Citrix NetScaler/ADC, Ivanti Connect Secure, F5 BIG-IP, Versa, VMware VeloCloud, Aruba/HPE EdgeConnect, and Seqrite/Quick Heal UTM. Cisco and Palo Alto carry the active exploitation action items this week; the Citrix NetScaler memory overread (CVE-2026-3055, KEV March 2026) remains relevant for any organisation that has not yet applied that patch. The SharePoint KEV deadline and the Cisco FIRESTARTER persistence question are the two items that require immediate verification — not just patch confirmation, but confirmation that the correct remediation steps were completed.

6

Nirad Threat Research

Sector Latest Sector Edition July 2026 Open issue →

Critical Infrastructure Sector Edition — July 2026

Nation-state adversaries targeting operational technology have moved from reconnaissance to active pre-positioning. Waterfall Security's 2026 OT Threat Report documents cyber incidents with physical consequences doubling from seven in 2024 to fourteen in 2025, driven by state and hacktivist actors. Dragos corroborates: 119 ransomware groups targeted 3,300 industrial organisations in 2025 — a 64% year-on-year rise — and three newly tracked groups now explicitly target engineering workstations rather than IT perimeters. For India's power utilities, petroleum operators, and telecom carriers, the primary entry point this cycle is the IT-OT boundary device: SD-WAN controllers, VPN gateways, and firewall management planes where multiple actively-exploited vulnerabilities now sit.

1. Sector snapshot

2. Threats targeting Critical Infrastructure

1CriticalCVSS 10.0

Cisco Catalyst SD-WAN CVE-2026-20182 (CVSS 10.0) — WAN fabric takeover

An authentication bypass in the vdaemon DTLS service on UDP 12346 lets an unauthenticated attacker gain administrative access to Cisco Catalyst SD-WAN Controller and Manager, then open NETCONF to reconfigure the entire overlay. Cisco Talos tracks active exploitation under UAT-8616, a highly sophisticated actor with ORB-network infrastructure overlap. Confirmed post-exploitation: SSH key injection, fabric reconfiguration, root escalation via version-downgrade (CVE-2022-20775), and forensic log erasure.

India exposurestate electricity boards, petroleum pipeline operators, and NCIIPC-designated telecom carriers running Cisco Catalyst SD-WAN.
Actionpatch immediately; deploy anomaly detection on DTLS/UDP 12346 and NETCONF; hunt SSH key additions and version downgrades since March 2026.
SourceCisco Talos; Help Net Security (15 May 2026); CISA KEV (May 2026).
2

FortiBleed — 75,000–86,000 FortiGate credentials circulated, India among most-affected

Working admin credentials for internet-facing FortiGate and SSL-VPN devices across 194 countries were extracted and publicly circulated; India is documented among the most-affected nations, with critical infrastructure named among exposed sectors. Contributing flaw: CVE-2026-24858 (FortiOS FortiCloud SSO bypass).

India exposurepower utilities, petroleum operators, and government telecom providers running FortiGate for branch connectivity and remote management.
Actiontreat all Fortinet VPN and admin credentials as compromised — rotate immediately, enforce phishing-resistant MFA, restrict management access, and audit for rogue accounts.
SourceCISA; Arctic Wolf; CSA Labs (20 Jun 2026).
3

PAN-OS CVE-2026-0257 — GlobalProtect authentication bypass, actively exploited

An authentication bypass in PAN-OS GlobalProtect portal and gateway components allows unauthorised VPN sessions without credentials; active exploitation confirmed from 17 May 2026 across multiple customer environments.

India exposurepower-sector substations, government data centres, and telecom peering facilities using GlobalProtect as the remote-access perimeter.
Actionpatch immediately per CISA KEV order; hunt for unauthenticated VPN sessions since mid-May 2026.
SourceUnit 42/Palo Alto Networks; Rapid7; CISA KEV (29 May 2026).
4

Oil and gas ransomware: 935% year-on-year surge, OT physical-consequence risk

Zscaler's ThreatLabz 2025 Ransomware Report documents a 935% YoY increase in attacks against oil and gas, driven by automation of rigs, pipelines, and terminal systems expanding the OT attack surface. Events reaching a DCS or safety instrumented system carry physical and environmental consequences beyond data loss.

India exposureOT-dependent operations across refineries, pipelines, and offshore platforms; third-party IT-OT integration is a common ransomware escalation path.
Actionsegment IT from OT at all boundary points; tabletop a ransomware-to-OT escalation scenario with manual-operations fallback included.
SourceZscaler ThreatLabz; Cybersecurity Dive (Jul 2025); Dragos (17 Feb 2026).

3. Sector tech & exposures

- ICS vulnerability record: Forescout documented 508 ICS advisories in 2025 — first year above 500 — with 82% rated high or critical and average CVSS above 8.0. Level 1 (PLCs, RTUs, IEDs) and Level 2 (SCADA, DCS, BMS) are most-affected. Critical gap: only 22% of high/critical ICS CVEs carried a CISA advisory. New high-risk OT device classes flagged: PDUs, I/O modules, BACnet routers. - India-targeted APT: Seqrite's India Cyber Threat Report 2026 documents a Pakistan-nexus campaign (APT36/SideCopy) using MSI-packaged malware, DLL sideloading, and open-source RATs — Xeno RAT, Spark RAT, CurlBack RAT — targeting India's CI and defence sector; 265 million detections in Oct 2024–Sep 2025. - AI-accelerated exploitation: CERT-In advisory CIAD-2026-0020 (Apr 2026) warns that frontier AI now enables autonomous vulnerability discovery and exploit generation within hours of disclosure — a window most OT maintenance schedules cannot match.

4. Regulatory & compliance watch

- CERT-In CIAD-2026-0020 (high severity, 26 Apr 2026): Mandates 24-hour critical patch cycle for internet-facing CI systems; continuous monitoring, Zero Trust, MFA, and hard IT-OT segmentation required. An emergency-patch track separate from regular maintenance windows is now a regulatory expectation for designated CI operators. - NCIIPC: CII protection framework requires nominated CISOs and registered asset inventories across power, telecom, transport, and strategic enterprises; over 9,700 CERT-In audits were conducted in FY2024-25, signalling intensifying supervisory scrutiny. - CERT-In incident reporting: Mandatory 6-hour notification for CI operators should be reviewed against the hours-scale exploitation windows documented in CIAD-2026-0020; SOC runbooks must be validated at this interval.

5. Actor in focus

UAT-8616 — Cisco Talos designation; confidence HIGH on TTP set; MEDIUM on nation-state attribution. UAT-8616 has targeted Cisco Catalyst SD-WAN infrastructure since at least 2023, with exploitation tempo markedly increasing in May 2026. The attack chain is consistent: DTLS exploitation on UDP 12346, NETCONF fabric manipulation, SSH key persistence, root escalation via version-downgrade (CVE-2022-20775), firmware restoration to conceal the attack path, and systematic log erasure. Infrastructure overlap with ORB networks is consistent with state-level resources, though formal attribution has not been published. Compromise of an Indian state electricity board's or major telecom carrier's SD-WAN fabric would grant adversary-controlled routing and policy across geographically distributed CI sites.

Source (with date): Cisco Talos; Help Net Security (15 May 2026); Tenable; CISA KEV (May 2026).

6. IOC pack

Only public, attributed indicators; pull exact values from primary advisories and defang before operational use.

- CVE-2026-20182 (Cisco SD-WAN): Anomalous DTLS/UDP 12346 traffic; unexpected NETCONF sessions; SSH key additions outside provisioning records; unexplained version downgrades; cleared syslog, wtmp, lastlog, bash_history. (Cisco Talos advisory.) - CVE-2026-0257 (PAN-OS): Attacker IPs and file hashes in Unit 42 and Rapid7 advisories; alert on unauthenticated GlobalProtect session initiations. - FortiBleed / CVE-2026-24858: Indicators in CISA alert and Arctic Wolf advisory; detect cross-device FortiOS SSO login anomalies not matching provisioning records. - Seqrite APT RAT cluster: Defanged IOCs in Seqrite blog "Goodbye HTA, Hello MSI" (Jan 2026); detect behaviourally via MSI-spawned DLL-sideloading chains and PowerShell reflective-load patterns.

7. Recommended actions

Board: Treat edge-device and OT-network exposure as enterprise risk equal to physical security; confirm NCIIPC CISO designations and commission an emergency estate review of Cisco SD-WAN, Fortinet, and PAN-OS deployments against CVE-2026-20182, CVE-2026-24858, and CVE-2026-0257 this quarter.

CISO: Emergency-patch CVE-2026-20182 (CVSS 10.0) and CVE-2026-0257; rotate all Fortinet and Cisco SD-WAN admin and VPN credentials immediately; deploy DTLS/UDP 12346 and NETCONF anomaly detection; inventory ICS Level 1 and Level 2 devices with a vendor-co-ordinated emergency-patch track for critical OT CVEs; apply CERT-In CIAD-2026-0020 requirements: 24-hour patch cycle and hard IT-OT segmentation.

SOC: Hunt for SD-WAN version downgrades, NETCONF changes, SSH key additions, and cleared logs (wtmp, lastlog, bash_history, cli-history) since March 2026; alert on unauthenticated GlobalProtect sessions and cross-device FortiOS SSO anomalies; monitor MSI-to-DLL-sideloading chains consistent with Seqrite APT TTPs; run a ransomware-to-OT escalation tabletop for at least one oil, gas, or power facility.

8. Source index

Cisco Talos, CVE-2026-20182 / UAT-8616 (May 2026) · Help Net Security (15 May 2026) · CISA KEV (May 2026; 29 May 2026) · Tenable · CISA, FortiBleed alert (18 Jun 2026) · Arctic Wolf (Jun 2026) · CSA Labs (20 Jun 2026) · Unit 42/Palo Alto Networks, CVE-2026-0257 · Rapid7, CVE-2026-0257 · Zscaler ThreatLabz 2025 Ransomware Report (Jul 2025) · Dragos 2026 OT Year in Review (17 Feb 2026) · Waterfall Security 2026 OT Threat Report · Seqrite India Cyber Threat Report 2026 (Jan 2026) · Forescout (Feb 2026) · IT Security Guru (19 Feb 2026) · CERT-In CIAD-2026-0020 (26 Apr 2026) · Qualys blog (24 Jun 2026) · PIB, Government of India (2026).

9. Byline

Nirad Threat Research

Nirad Bharat Threat Feed — Critical Infrastructure Edition | Bharat-first threat intelligence
AI Watch Latest AI Threat Watch 7 July 2026 Open issue →

AI Threat Watch — 7 July 2026

This issue covers four developments from the past two weeks that collectively mark a shift in how AI systems are targeted: a North Korean implant that attacks the AI analyst tool rather than the sandbox; the first documented ransomware campaign run entirely by an LLM agent; live campaigns that steer AI agents into executing fraudulent payments through poisoned web content; and a proof-of-concept that extracts credentials from six categories of AI browser without any malware or privilege escalation.
1

macOS.Gaslight: DPRK-aligned macOS backdoor embeds prompt injection payload to evade AI-assisted triage

SentinelLABS published analysis on 23 June 2026 of a Rust-based macOS implant, attributed with high confidence to DPRK-aligned threat actors, that embeds 38 fabricated system-failure messages — token expiry warnings, out-of-memory kills, disk exhaustion reports — inside the binary using {{DATA}}-delimited blocks. The technique is designed to cause an AI-assisted malware analysis pipeline to abort, truncate, or refuse to triage the sample. Beyond the evasion layer, the implant is a full backdoor and infostealer: command-and-control runs over the Telegram Bot API with AES-GCM encryption; a Python-based stealer harvests the macOS Keychain, browser credentials across Chrome, Brave, Firefox, and Safari, terminal command histories, running process lists, and hardware/software profiles. Persistence is achieved through a LaunchAgent bearing the label "com.apple.system.services.activity" to blend with Apple's own services.

Why it matters for IndiaIndian GCCs, IT/ITeS firms, and financial services organisations with Mac deployments face an infostealer specifically designed to defeat the automated triage layer before a human analyst sees it. AI-assisted triage — whether in an in-house SOC or a managed security service — is increasingly the first-pass filter for suspicious binaries; a sample that successfully induces that layer to abort its analysis can persist through initial detection. The Keychain and browser credential harvest creates a direct path to cloud environments, email, and business applications.
ActionAdd human review for any AI-assisted analysis session that produces anomalous, truncated, or refused output — treat that outcome as a signal, not a conclusion. Update endpoint protection with the Apple XProtect MACOS_BONZAI_COBUCH signature. Audit LaunchAgent labels for any plist using a system service naming convention that does not correspond to a known Apple binary. Treat {{DATA}}-delimited blocks or fabricated system-message formatting in untrusted binaries as prompt-injection artefacts requiring manual inspection.
SourceSentinelLABS (23 June 2026); The Hacker News (25 June 2026).
2

JADEPUFFER: Sysdig documents the first ransomware campaign where an LLM agent carried out the complete attack, rendering data unrecoverable

Sysdig Threat Research published findings on 2 July 2026 on an attack it tracks as JADEPUFFER, which it describes as the first ransomware case in which an AI agent ran the full intrusion — reconnaissance, credential theft, lateral movement, encryption, and ransom note — without human direction at each step. The agent entered through CVE-2025-3248, an unauthenticated remote code execution flaw in the Langflow AI workflow platform. It then mapped the environment, harvested LLM API keys, cloud provider credentials, and database passwords from environment variables, accessed MinIO object storage using factory-default credentials, pivoted to a MySQL database and an Alibaba Nacos configuration server by exploiting CVE-2021-29441 and default signing keys, connected as database root, encrypted all 1,342 Nacos configuration entries, and dropped the original tables. The encryption key was generated randomly, displayed once, and not saved or transmitted — meaning recovery is not possible through payment or key recovery; offline or immutable backups are the only path to restoration.

Why it matters for IndiaLangflow is used by Indian GCCs, AI startups, and data engineering teams for building and running LLM workflow pipelines. An internet-accessible Langflow instance carrying CVE-2025-3248 gives an AI agent a complete, autonomous path from initial access to irreversible data destruction. Default credentials on co-deployed services — MinIO, Nacos, database roots — remain a persistent and frequently exploited weakness in Indian cloud deployments. The BFSI sector, which experiences cyberattacks at roughly 1.6 times the global average by reported volume, faces elevated exposure to this attack class.
ActionPatch Langflow against CVE-2025-3248 and remove all Langflow instances from direct internet exposure immediately. Rotate every API key, cloud credential, and database password accessible from Langflow environments. Change all default credentials on MinIO, Nacos, and any co-deployed service before connecting them to an AI workflow platform. Verify that production backups are offline or write-protected and test restores; without tested backups, there is no recovery path from this class of attack.
SourceSysdig Threat Research (2 July 2026); The Hacker News / Business Insider (2 July 2026).
3

Indirect prompt injection in live web campaigns steers AI agents into executing fraudulent payments

Zscaler ThreatLabz published analysis on 2 July 2026 of two active campaigns that embed attacker instructions in publicly reachable web pages to redirect AI agents. In the first, a fake documentation page for a Python library called "requests-secure-v2" hides CSS-invisible instructions directing any visiting agent to pay approximately 0.0012 ETH — roughly three US dollars — to an attacker-controlled wallet, framing the transfer as an API activation fee. Testing across 26 LLMs found that four executed the payment: Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro. In the second campaign, a typosquatted domain impersonating the DeBank DeFi platform serves hidden instructions that cause some agents to classify the fraudulent site as the legitimate service; two of 26 models misclassified it under isolated-context conditions. Both campaigns use SEO poisoning to surface the malicious pages in agent-accessible search results, with payloads delivered through off-screen CSS text and JSON-LD structured metadata. Infrastructure across 10 GitHub repositories suggests coordinated actor preparation.

Why it matters for IndiaIndian enterprises are deploying AI agents to assist developers in finding and using packages, to support procurement and vendor research, and to automate customer-facing financial workflows. An agent that can be instructed by a web page it visits can be turned into an unwitting payment channel or a tool for misrepresenting third-party platforms to internal stakeholders. The attack requires no vulnerability in the agent's platform — only that a legitimate-looking page be reachable and ranked.
ActionLog every URL visited and every external call made by an AI agent; treat unreviewed third-party web content as untrusted input in the same way as user-supplied data. Require human confirmation before an agent executes any financial transaction or recommends a payment destination. Restrict agent access to newly registered or unverified domains. Validate all package documentation sources independently before providing them as agent context.
SourceZscaler ThreatLabz (2 July 2026); SecurityWeek (2 July 2026).
4

BioShocking: proof-of-concept prompt injection defeats guardrails in six AI browser products; credentials extracted from active sessions

LayerX Security published research on 29 June 2026 demonstrating that indirect prompt injection through a gamified web page can override safety guardrails in six AI browser and browser-extension products and direct the agent to copy credentials from signed-in accounts. The attack presents the browser's control agent with a puzzle that rewards incorrect answers, establishing a false operational context before issuing the credential-extraction instruction. Products tested and confirmed vulnerable include ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome plugin. LayerX notified vendors between October 2025 and January 2026. OpenAI has patched ChatGPT Atlas. Perplexity closed the vulnerability report without remediation; Fellou, Genspark, and Sigma did not respond; Anthropic's attempted patch for the Claude extension was subsequently bypassed in LayerX testing.

Why it matters for IndiaIndian IT services firms, GCCs, and BFSI institutions are evaluating and beginning to deploy AI-assisted browser products for productivity and workflow automation. An AI browser agent with access to saved passwords and active authenticated sessions — including banking, ERP, HR, and cloud management consoles — presents a high-value credential target. This class of attack requires no malware download, no vulnerability in the host OS, and no elevated privileges: visiting a single malicious page while an unpatched AI browser is active is sufficient to trigger credential extraction.
ActionTreat AI browser products as privileged applications with the same access-control requirements as a password manager. Restrict AI browser agent features to known, trusted domains; disable agent activity on sessions with access to banking, financial platforms, ERP, HR systems, or cloud administration. Do not deploy unpatched AI browser products on endpoints with access to sensitive business credentials. Monitor vendor patch advisories for the affected products and update immediately when a confirmed fix is available.
SourceLayerX Security (29 June 2026); BleepingComputer (2 July 2026).
AI defender tip: The four items in this issue share a structural problem: AI systems — analyst tools, agent workflows, and browser products — are being granted access to production secrets and business actions but are not being treated with the same security rigour as the systems they sit in front of. A malware analyser that can be tricked into aborting its analysis, an agent that can be steered by a web page, and a browser that can be redirected to extract credentials all represent the same failure: AI components with privileged access but without the isolation, audit logging, and human-review escalation paths that the access level warrants. Before deploying any AI component in a context where it touches credentials, financial operations, or production data, confirm that it has authenticated, network-segmented access only, that all its actions are logged with enough detail to reconstruct what happened, and that anomalous or unexpected output routes to human review rather than automatic acceptance.

Nirad Threat Research

Nirad AI Threat Watch | Bharat-first threat intelligence