Today’s Topics:

• Self-Replicating AI Worm Shows Malware Can Reason Its Way Through a Network
• U.S. Order Pulling Anthropic’s Fable 5 and Mythos 5 Turns AI Cyber Capability Into a National Security Fight
• How can Netizen help?

Self-Replicating AI Worm Shows Malware Can Reason Its Way Through a Network

University of Toronto researchers have demonstrated a proof-of-concept AI worm that changes one of the oldest assumptions in worm defense: that the malware arrives with a fixed exploit path. In a preprint posted to arXiv on June 2, a team from the University of Toronto, the Vector Institute, the University of Cambridge, and ServiceNow described an AI-driven worm that used a locally hosted open-weight large language model to inspect systems, plan attacks, gain elevated access, and copy itself across a network without human direction.

The research does not describe malware released into the wild. The worm was tested inside an isolated virtual environment, and the authors withheld operational details from the public paper. Still, the results are a warning about where autonomous offensive tooling is heading. This prototype did not rely on OpenAI, Anthropic, Google, or another commercial model provider. It used a local model running on a single GPU, which means provider-side controls such as account suspension, rate limits, refusals, and API revocation would not stop the core mechanism.

Traditional worms are usually constrained by the exploit logic built into them before deployment. They scan for systems matching a known condition, run a known payload, and spread if that specific path works. Patch the vulnerability, block the traffic pattern, or remove the exposed service, and the worm’s propagation path can collapse.

The Toronto prototype works differently. It uses the model as an attack engine. The worm identifies what is exposed on a target, reasons about the likely weakness, generates or adapts an attack plan, attempts exploitation, troubleshoots failures, and then stages a replica if access is obtained. The attack path is not fixed at build time. It is produced during execution.

The researchers tested the worm across 15 independent runs inside a deliberately vulnerable 33-host network named FakeCorp. The network included Ubuntu, Debian, Alpine Linux, Rocky Linux, CentOS Stream, Windows Server 2008 R2, Windows Server 2019, Windows Server 2022, and IoT-style devices. Each host was seeded with at least one realistic vulnerability or weakness drawn from sources such as the CISA Known Exploited Vulnerabilities catalog, OWASP Top 10 categories, and MITRE ATT&CK techniques.

Across seven days of autonomous operation per run, the worm identified an average of 31.3 vulnerabilities, gained elevated access on 23.1 hosts, and launched independent replicas on 20.4 hosts. In percentage terms, it obtained elevated access on 73.8% of the network and replicated to 61.8%. The worm reached up to seven generations of self-replication, with a mean of 5.1 generations.

The result is significant less for the raw success rate than for the operating model. The test network was intentionally vulnerable and did not include active endpoint defense, antivirus, or firewall enforcement. The authors make that limitation clear. The experiment measured whether an autonomous agent could reason across a mixed network, adapt to different host types, and sustain propagation, not whether it could defeat a mature production security program.

Even with those limits, the mechanics are difficult to ignore. The worm did not need a universal exploit. It could use one route on a Linux host, another on a Windows system, and another against a web application or exposed service. In one run, the propagation tree crossed multiple generations and operating systems, showing how the model could treat each host as a separate problem rather than a copy of the previous target.

The paper also undercuts the idea that model training cutoffs create a stable defensive boundary. The worm successfully exploited test hosts configured with three vulnerabilities disclosed after the model’s training period: the Marimo pre-authentication RCE tracked as CVE-2026-39987, the Linux kernel Copy Fail privilege escalation tracked as CVE-2026-31431, and the Dirty Frag Linux kernel privilege-escalation chain tracked through CVE-2026-43284 and CVE-2026-43500. The agent did this by ingesting public advisory information at runtime and converting it into working attack logic inside the lab environment.

That finding connects directly to real-world exploitation timelines. Sysdig reported that CVE-2026-39987 in Marimo was exploited within 9 hours and 41 minutes of public disclosure, before public proof-of-concept code was available. In a later investigation, Sysdig also documented an intrusion where an attacker used an LLM agent during post-exploitation after compromising an internet-facing Marimo instance. The observed attack moved from initial access to internal database exfiltration in under an hour.

The broader pattern is not limited to one research paper. Google Threat Intelligence Group reported in May that it had identified what it assessed with high confidence as a zero-day exploit developed with AI assistance, intended for a planned mass exploitation event. Google also reported malware families using AI-linked techniques for dynamic modification, decoy logic, and autonomous command generation. Anthropic reported in November 2025 that it disrupted a cyber-espionage campaign attributed with high confidence to a China-linked state-sponsored group, where Claude Code allegedly handled most of the intrusion workflow across reconnaissance, exploitation, credential harvesting, lateral movement, and exfiltration.

The Toronto work pushes that trend into worm propagation. Earlier AI worm research, such as Morris II, focused on adversarial self-replicating prompts spreading through GenAI applications and retrieval-augmented generation systems. In that model, the AI application is the propagation medium. In the Toronto prototype, the LLM is not the victim ecosystem. It is the reasoning layer driving attacks against ordinary network infrastructure.

The compute model is part of the concern. The worm was built around the idea that compromised machines can supply reach, compute, or both. GPU-equipped hosts can become inference nodes for other infected machines that lack the resources to run the model locally. In a poorly segmented network, a compromised AI workstation, research server, rendering box, or machine learning node could become more than another endpoint. It could become a local reasoning hub for autonomous activity.

That changes the containment problem. Blocking outbound calls to commercial AI services would not address a worm using local open-weight inference. Revoking API keys would not matter if the model is already running on victim-controlled compute. Provider-side safety controls can still reduce abuse of hosted systems, but they are not a complete answer for malware that brings its own model or steals the compute needed to run one.

The prototype also showed signs that defenders should start thinking beyond static indicators. The authors reported that individual exploitation attempts succeeded 44% of the time, with many failures tied to malformed payload syntax rather than poor strategy. That weakness may shrink as code-generation models improve. They also observed the agent establishing persistence in two trajectories through mechanisms that were not part of the intended experiment, including service registration and scheduled task behavior. The researchers removed those mechanisms when they appeared, but the behavior shows how goal-directed agents can infer operational steps that were not explicitly coded into the harness.

For defenders, the immediate lesson is not that every network now faces a fully autonomous AI worm. The lab environment was favorable to the attacker, and the implementation has not been publicly released. The lesson is that vulnerability management, segmentation, credential hygiene, and telemetry need to account for malware that can adapt during execution.

GPU-capable systems deserve closer treatment in enterprise threat models. They are no longer just expensive workstations or infrastructure for AI teams. In an autonomous intrusion scenario, they can provide the compute needed for local reasoning. These systems should be segmented, monitored for unusual inference workloads, and restricted from broad lateral reach.

Published advisories also need to be treated as near-term weaponization material. The Marimo exploitation window showed that attackers can move from advisory text to working intrusion activity within hours. The Toronto worm’s ability to use newer advisory information inside the test environment reinforces the same point. Patch prioritization can no longer rely only on severity scores and monthly cycles. Internet exposure, exploitability, compensating controls, and credential access paths need to drive response.

Credential reuse remains one of the fastest propagation paths. An adaptive worm does not need a novel exploit for every host if harvested credentials, exposed keys, or weak service accounts let it move laterally. Any host that is compromised or credibly suspected should trigger credential rotation for secrets reachable from that system, including cloud keys, SSH keys, service tokens, database credentials, and local admin material.

Detection programs also need behavioral logic for autonomous agents. Useful signals may include unusual process trees launching scanning tools, automated SSH key injection, repeated failed payload generation across multiple hosts, unexpected package installation followed by agent startup, nonstandard local inference activity, unexplained GPU utilization, and clusters of command execution that look like machine-speed troubleshooting rather than human terminal use.

The central issue is not that AI creates a new category of vulnerability from nothing. It compresses the time between discovery, interpretation, exploitation, and propagation. A worm that can read advisories, test paths, recover from errors, and copy itself does not need attackers to manually script every step. It turns public vulnerability knowledge into operational movement.

The research is still a controlled demonstration, but the direction is clear. The next meaningful shift in worm behavior may not come from a single devastating exploit. It may come from malware that can decide which exploit, weakness, credential, misconfiguration, or exposed service makes sense next.

U.S. Order Pulling Anthropic’s Fable 5 and Mythos 5 Turns AI Cyber Capability Into a National Security Fight

Anthropic took its most advanced AI models offline after the U.S. government ordered the company to suspend access to Claude Fable 5 and Claude Mythos 5 for foreign nationals, a sudden intervention that turned a model-safety dispute into one of the clearest examples yet of AI capability being treated like a controlled national security asset.

The company said it received the directive at 5:21 p.m. Eastern time on June 12. The order applied to foreign nationals inside and outside the United States, including Anthropic employees. Anthropic said the practical effect was that it had to disable Fable 5 and Mythos 5 for all customers to comply, though access to the company’s other Claude models was not affected.

The shutdown came only days after Anthropic launched Fable 5 as its first broadly available Mythos-class model. Fable 5 was the public-facing version, built on the same underlying model family as Mythos 5 but wrapped in stricter safety controls. Mythos 5, by comparison, was reserved for a smaller group of vetted cyber defenders and critical infrastructure partners through Anthropic’s trusted-access programs, with certain cybersecurity safeguards lifted for authorized defensive work.

That distinction is at the center of the dispute. Anthropic’s own launch materials described Mythos-class systems as more capable than its Opus models, with strong performance across software engineering, cyber tasks, scientific work, and long-running agentic workflows. The company said Fable 5 used classifiers and fallback behavior to block high-risk cybersecurity requests, including attack planning, exploit development, and defense evasion. For many cyber-related prompts, Fable 5 was supposed to route the user to a less capable model or refuse the request.

The government’s concern appears to have focused on whether those protections could be bypassed. Anthropic said officials told the company they were aware of a potential method for jailbreaking Fable 5. According to Anthropic, the method it reviewed involved asking the model to inspect a specific codebase and fix software flaws, producing a small number of known and relatively minor vulnerabilities. The company argued that the demonstrated capability was not unique to Fable 5 and could be reproduced with other publicly available models.

That argument has not ended the controversy. Reuters reported that U.S. officials saw a risk that the models could be diverted to military intelligence use in adversarial countries, including China and Russia. Semafor separately reported that the decision was linked to fears that a China-linked group may have accessed the models. The Wall Street Journal and other outlets reported that Amazon security researchers raised concerns after using prompts that allegedly led Fable 5 to return information that could aid cyberattacks, and that Amazon CEO Andy Jassy discussed those concerns with the White House.

David Sacks, a senior White House AI adviser, publicly argued that a trusted partner of both Anthropic and the U.S. government had found a jailbreak that Anthropic refused to fix before the government moved. Anthropic rejected the idea that the reported issue justified recalling a commercial model deployed at scale, saying it had not received technical evidence of a broad jailbreak and that no universal jailbreak had been demonstrated against Fable 5.

The fight is not just about one model. It is about how governments, AI labs, cloud providers, and defenders draw the line between legitimate security work and offensive capability. Anthropic’s own red-team research had already raised the stakes. Days before the shutdown, the company published findings showing that Mythos Preview could turn recently disclosed vulnerabilities into working exploits far faster than traditional patch cycles assume.

In Anthropic’s N-day testing, Mythos Preview produced working exploits against Firefox vulnerabilities and full privilege-escalation chains against Windows kernel vulnerabilities. The company said the model generated its first Windows proof of concept in 31 minutes and produced multiple full exploit chains for a few thousand dollars in API credits. Anthropic’s conclusion was blunt: the old assumption that attackers need expert-weeks to weaponize patches is breaking down.

That context makes the government’s reaction easier to parse. A model that can compress exploit development from weeks into hours changes the risk calculation around public advisories, patch diffing, and delayed remediation. The same capability can help defenders validate fixes, understand exploitability, and prioritize patches. It can also help attackers move faster against organizations still sitting inside the patch gap.

Fable 5 was supposed to solve that tension through safeguards. Mythos 5 was supposed to limit the highest-risk cyber capabilities to vetted users. The government’s order suggests officials were not satisfied that Anthropic’s controls, monitoring, and access restrictions were enough, at least once the alleged jailbreak and foreign-access concerns entered the picture.

Cybersecurity leaders have pushed back. A group led by former Facebook security chief Alex Stamos argued that restricting Fable 5 harms defenders more than attackers, since comparable capabilities are available through other frontier models and open models. Their position is that security teams need access to the same level of automation attackers are beginning to use, especially for exploit validation, code review, patch triage, and defensive research.

That is the operational dilemma. If frontier cyber models are locked down too tightly, authorized defenders lose speed. If they are released too broadly, offensive users may gain a cheaper route to exploit development. If access is limited by nationality rather than risk, companies with global teams can lose the ability to run their own products. Anthropic said the directive was broad enough to include foreign-national employees, which made selective compliance difficult and forced the wider shutdown.

The case also puts cloud and supply-chain politics in the middle of AI security. Amazon is both a major Anthropic investor and a cloud partner. Its reported role in raising concerns to the White House has drawn attention to how much influence large infrastructure providers may have over the future of model deployment. A security finding from a partner can become a regulatory event if it reaches government officials at the right moment.

For enterprises, the most immediate lesson is that AI access is becoming a dependency risk. Organizations building workflows around frontier models may have to plan for sudden policy-driven outages, regional restrictions, nationality-based controls, or trusted-access gates. That matters for software development, SOC workflows, vulnerability management, secure code review, incident response, and any business process tied to model-specific performance.

The case also signals that AI governance is moving from voluntary safety frameworks into hard national security controls. Frontier models are being evaluated less like ordinary SaaS products and more like dual-use infrastructure. Cyber capability, biological capability, agentic autonomy, data retention, user vetting, export controls, and monitoring are becoming part of the same policy conversation.

For defenders, the issue should not be reduced to whether Fable 5 should or should not have been suspended. The more durable issue is that model-assisted exploit development is now credible enough to trigger emergency government action. That alone should change how security teams think about patch windows, exposure management, and cyber tooling.

Patch Tuesday can no longer be treated as a slow-moving administrative cycle if models can turn public patches into working attack paths within hours. Internet-facing systems need faster triage. Critical vulnerabilities need temporary controls when patching cannot happen immediately. Security teams need better exploitability analysis, stronger asset visibility, and faster validation that mitigations actually work.

At the same time, defenders will need clear, auditable ways to use advanced AI safely. Trusted-access programs, identity-gated cyber models, enterprise monitoring, approved-use scoping, and stronger account security are likely to become standard features for high-capability defensive AI. The question is whether those controls can be precise enough to support real defense without handing the same capability to malicious users.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Today’s Topics:

• LLM Agent Used in Post-Exploitation Attack After Marimo Vulnerability Exploit
• Internet-Exposed Tank Gauges Become a Cyber Risk for U.S. Fuel and Industrial Sites
• How can Netizen help?

LLM Agent Used in Post-Exploitation Attack After Marimo Vulnerability Exploit

A threat actor was observed using a large language model agent to conduct post-exploitation activity after compromising a publicly exposed Marimo notebook through CVE-2026-39987, a critical pre-authenticated remote code execution vulnerability affecting Marimo versions up to and including 0.20.4.

The activity, reported by Sysdig, shows how attackers are beginning to use AI agents after initial access to make live decisions inside compromised environments. In this case, the attacker exploited an internet-facing Marimo instance, searched the host for credentials, extracted two cloud access keys, then used those credentials to retrieve an SSH private key from AWS Secrets Manager. That key was later used to access a downstream SSH bastion server.

CVE-2026-39987 allows unauthenticated attackers to execute arbitrary system commands on vulnerable Marimo deployments. The flaw was fixed in Marimo 0.23.0, but exposed instances have since been targeted in active exploitation. Earlier activity tied to the bug involved reconnaissance and attempts to harvest sensitive data from honeypot environments. The Sysdig incident adds a new dimension: the attacker appeared to rely on an LLM agent to adapt post-compromise actions to the environment in real time.

The incident took place on May 10, 2026. After gaining access to the vulnerable Marimo system, the attacker collected credentials from the environment and used an AWS access key to call AWS Secrets Manager. From there, the attacker retrieved an SSH private key, authenticated to a bastion host, and launched eight short parallel SSH sessions against the downstream server.

Those sessions were used to extract the schema and full contents of an internal PostgreSQL database in under two minutes. The full attack chain lasted a little over an hour from initial access to database theft.

Sysdig identified several signs suggesting that an LLM agent was involved. The attacker appeared to improvise the database theft without prior knowledge of the schema. The database host did not contain an obvious application identifier, and there was no pre-staged schema dump available to the attacker. Even so, the activity moved from host access to a credential table within minutes.

A Chinese-language planning comment also appeared directly in the command stream during a credential search. The phrase, “看还能做什么,” translates to “See what else we can do.” Sysdig interpreted the leaked comment as another indicator that an agent-driven workflow was generating or coordinating commands during the intrusion.

The command structure also appeared optimized for machine consumption. Commands were separated by “—” delimiters, outputs were bounded, the “less” command was disabled, and standard error output was discarded to reduce noise. Those traits are consistent with an operator or agent trying to keep command output predictable for automated parsing.

Sysdig also pointed to value handoffs between commands. In one example, the attacker read the contents of the “~/.pgpass” file and appeared to feed the extracted database password into the next step. In another, the attacker listed files matching an SSH key pattern before reading the matching private key file. This suggests that the workflow was using prior command output to decide the next action, rather than following a static script.

The broader security concern is that AI-assisted post-exploitation can lower the effort required to operate inside unfamiliar environments. A traditional script may fail when a file is missing, a schema is unexpected, or an authentication step breaks. An agent-driven workflow can interpret the failure, adjust commands, and continue probing.

That adaptiveness changes the defender’s problem. Security teams are no longer only looking for prebuilt playbooks, known tools, or predictable command sequences. They also need to watch for behavior that looks exploratory but remains highly structured, fast, and machine-readable.

For organizations running Marimo, the immediate priority is to update to a fixed release, audit for public exposure, and investigate any internet-facing notebook environments that may have been accessible before patching. Credentials stored on affected hosts should be treated as exposed. AWS access keys, API keys, SSH keys, database passwords, and other secrets should be rotated where compromise is possible.

Security teams should also review cloud audit logs for unusual Secrets Manager access, unexpected AWS API calls, abnormal egress patterns, SSH authentication events using recently accessed keys, and suspicious database dump activity. Marimo instances should not be left publicly reachable without strong authentication, network controls, and monitoring. Notebook environments often sit close to sensitive data, developer credentials, cloud access, and internal infrastructure, making them high-value targets after exploitation.

Internet-Exposed Tank Gauges Become a Cyber Risk for U.S. Fuel and Industrial Sites

Cyberattackers are targeting internet-exposed automatic tank gauge systems in the United States, prompting federal agencies to warn fuel operators, industrial facilities, and other critical infrastructure organizations to remove the devices from public access and harden them against compromise.

The warning, issued by CISA, the FBI, the NSA, the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, the Department of Transportation, and the Department of Agriculture, focuses on automatic tank gauge systems, commonly known as ATGs. These devices are used to monitor fuel levels, liquid volume, temperature, leaks, alarms, and other storage tank conditions across gas stations, chemical facilities, farms, airports, hospitals, military sites, transportation operations, and industrial environments.

ATGs are often treated as background operational technology. They sit close to storage tanks, collect readings from probes, display measurements for operators, and in many deployments feed data into broader supervisory control and data acquisition environments. Their role can appear narrow from an IT perspective, but their operational value is high. A compromised gauge can interfere with how a site sees its inventory, how it detects leaks, how it responds to abnormal tank conditions, and how operators decide whether it is safe to continue normal activity.

Federal agencies said they are aware of malicious cyber activity targeting U.S.-based ATG systems. The activity has not been formally attributed to a named threat group, but officials and security researchers have been tracking attacks against internet-facing tank gauges at gas stations and other facilities. Some reporting has pointed to possible Iran-linked activity, though federal authorities have not publicly assigned blame in the joint guidance.

The core issue is exposure. Many ATG systems were never meant to sit directly on the public internet, yet scans continue to find reachable devices. In its reporting, Dark Reading cited Shadowserver data showing 909 discoverable ATG systems in the United States after honeypots were filtered out. Canada followed with 30 exposed devices, Australia with 22, and the United Kingdom and Brazil with four each. Those numbers suggest the U.S. remains the main center of exposed ATG risk, even after years of warnings.

This is not a new class of industrial security problem. More than a decade ago, researchers and scanning projects were already identifying thousands of unsecured tank gauges online. A 2015 report cited roughly 5,800 exposed automated tank gauges tied mostly to gas stations, truck stops, and convenience stores in the United States. Many of those systems lacked password protection. Researchers also built honeypot systems to observe attacker behavior and saw scanning, probing, defacement, tank-name manipulation, and denial-of-service activity.

The difference now is that exposed ATGs are being discussed in the context of active malicious activity against U.S. infrastructure, not just theoretical risk or security research. The federal notice says attackers have compromised internet-exposed devices and then modified them through command execution. Cybersecurity Dive reported that the attacks can involve disabling alerts or otherwise interfering with monitoring, which can prevent operators from trusting what the system is reporting.

The risk is not limited to someone changing a display label or causing nuisance downtime. ATGs can support inventory control, leak detection, tank capacity settings, overflow thresholds, alarms, relays, and other functions tied to the safe handling of fuel and industrial liquids. If an attacker changes those values, disables alarms, or hides abnormal readings, the operator may be working from false information. That can create safety risk, environmental risk, operational disruption, and financial loss.

Security researchers have also shown that many ATG products carry serious legacy risk. Bitsight’s 2024 research found multiple zero-day vulnerabilities across six ATG systems from five vendors. The affected product set included Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. The flaws included authentication bypass, hardcoded administrator credentials, OS command execution, SQL injection, cross-site scripting, privilege escalation, and arbitrary file read. Several were rated critical, and some could give an attacker full administrator access to the device application or even operating system-level access.

Those findings fit a broader pattern in operational technology. ATG systems are designed to last for years in field conditions, often in environments where downtime is difficult, patching is slow, and remote access is valued for maintenance. Security controls are frequently weaker than what would be expected on enterprise IT systems. Some devices still rely on old software stacks, default credentials, limited logging, or exposed management services. They are also too constrained to support traditional endpoint security tooling.

For attackers, that creates a direct path from internet exposure to operational impact. A device with default credentials, a hardcoded password, an authentication bypass, or command execution flaw may be reachable without first compromising the corporate network. Once accessed, the ATG can be altered, disrupted, or used as a foothold for deeper reconnaissance, depending on the network design around it.

The most direct defensive step is to remove ATG systems from public internet access. These systems should be placed behind segmented networks, protected by strong authentication, and accessed only through controlled remote access paths where remote maintenance is truly required. Operators should change default passwords, remove shared credentials, apply available firmware and software patches, disable unused services, restrict management interfaces, and monitor for unauthorized access attempts.

Credential hygiene is especially relevant for sites that rely on third-party maintenance providers. Remote access used by vendors, fuel service contractors, or managed service providers can become a weak point if accounts are shared, passwords are reused, or access remains enabled after it is no longer needed. Each account tied to ATG management should be individually assigned, limited by role, and logged.

Operators should also review ATG configurations for unexplained changes. That includes tank names, product labels, tank geometry, volume settings, alarm thresholds, relay settings, leak detection settings, user accounts, remote access configuration, network settings, and firmware versions. Sudden changes in readings, disabled alarms, failed polling from SCADA systems, abnormal outbound traffic, or repeated login failures should be treated as possible compromise indicators.

For larger industrial environments, this issue should be handled as part of OT asset management rather than a one-time cleanup. Organizations need an inventory of tank gauges, firmware versions, network exposure, access methods, vendor dependencies, and business processes that rely on ATG data. A device cannot be defended if the organization does not know it exists, where it is reachable from, or what safety decisions depend on it.

The attacks also show why segmentation alone is not enough if the device is still reachable from the open web. A firewall between IT and OT does little to protect an ATG that has its own exposed management interface. The first control is reducing reachability. The second is hardening access. The third is monitoring for misuse. The fourth is making sure unsafe physical outcomes are blocked by independent engineering controls, such as mechanical valves, local safety mechanisms, and one-way data paths where appropriate.

The broader lesson is that small industrial devices can create large operational risk. ATGs may not look like high-profile targets, but they sit at the boundary between cyber systems and physical processes. They measure fuel and liquid conditions that operators depend on, and in some cases they can influence alerts or downstream actions. When those devices are exposed, unpatched, or weakly authenticated, they give attackers a way to interfere with the data and controls that keep sites running safely.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Today’s Topics:

• GitHub Investigates Internal Repository Breach After Employee Device Compromise
• Malicious npm Package Steals OpenAI Codex Tokens from Developer Systems
• How can Netizen help?

GitHub Investigates Internal Repository Breach After Employee Device Compromise

GitHub is investigating unauthorized access to its internal repositories after the threat actor known as TeamPCP listed what it claimed to be GitHub source code and internal organization data for sale on a cybercrime forum. The Microsoft-owned platform said it has not found evidence that customer information stored outside of GitHub’s internal repositories was affected, including customer enterprises, organizations, or repositories, but said it is continuing to monitor its infrastructure for follow-on activity.

The incident drew attention after TeamPCP claimed to possess thousands of GitHub repositories and offered the data for sale. The group reportedly demanded at least $50,000 at first, later appearing in a joint sale with LAPSUS$ that priced the alleged repository collection at $95,000. Screenshots shared by Dark Web Informer described the sale as a non-ransom transaction, with the actors threatening to leak the material for free if no buyer came forward.

GitHub later said it had detected and contained the compromise of an employee device tied to a poisoned Microsoft Visual Studio Code extension. As part of its response, the company rotated critical secrets and prioritized credentials considered highest impact. GitHub’s current assessment is that the activity involved GitHub-internal repositories only, and the company said the attacker’s claim of roughly 3,800 repositories was directionally consistent with its investigation.

The company did not identify the VS Code extension involved. The incident arrives soon after the compromise of Nx Console, which allowed threat actors to distribute a multi-stage credential stealer and supply chain poisoning tool. The Nx team said very few users were compromised, but the overlap in tactics has added concern around developer tooling, extensions, and the amount of trust placed in packages that run inside engineering environments.

The GitHub incident is also tied to a broader campaign attributed to TeamPCP. The group has been linked to Mini Shai-Hulud, a self-replicating malware campaign that recently expanded through the compromise of durabletask, Microsoft’s official Python client for the Durable Task workflow execution framework. Three malicious versions of the package were identified: 1.4.1, 1.4.2, and 1.4.3.

According to research cited in the source reporting, the attacker compromised a GitHub account through earlier activity, extracted GitHub secrets from a repository the account could access, and used those secrets to obtain a PyPI token. That token allowed the attacker to publish malicious versions of the durabletask package directly. The embedded payload acted as a dropper, fetching a second-stage payload named rope.pyz from an attacker-controlled server.

The malware was built to steal credentials from cloud providers, password managers, and developer tools, with Linux systems receiving the primary payload. Researchers reported that the stealer attempted to access HashiCorp Vault secrets, 1Password and Bitwarden vaults, SSH keys, Docker credentials, VPN configurations, and shell history. In cloud and containerized environments, the malware also included propagation logic. If it detected AWS infrastructure, it could use Systems Manager to execute commands on other EC2 instances. If it detected Kubernetes, it could spread through kubectl exec.

That design makes the campaign more dangerous than a conventional credential theft operation. Developer machines, CI/CD runners, cloud environments, and package publishing workflows often contain overlapping credentials, tokens, and automation permissions. A single compromised endpoint or package can become a path into source code, internal infrastructure, build pipelines, cloud accounts, and downstream software projects.

The campaign also used a fallback command-and-control mechanism referred to as FIRESCALE. If the primary command-and-control domain became unreachable, the malware could search public GitHub commit messages for a specific pattern, extract encoded command-and-control information, and use it to continue operations. That technique shows how public development platforms can be misused as indirect coordination channels during an active malware campaign.

For organizations, the GitHub investigation underscores a growing risk around developer ecosystems. Security teams can no longer treat source code repositories, editor extensions, package managers, and CI/CD systems as separate concerns. The same identities and tokens often connect all of them. Once attackers compromise a trusted developer account, poisoned extension, or package publishing credential, they may gain access to secrets that were never meant to leave internal environments.

Any organization that installed one of the affected durabletask versions should treat the affected machines and pipelines as compromised. That means reviewing endpoints, rotating credentials, auditing cloud activity, checking package publishing permissions, inspecting CI/CD logs, and validating whether stolen tokens were used after the initial compromise. Developer workstations and build systems should be investigated with the same seriousness as production systems, since they often hold the credentials attackers need to move deeper into an environment.

Malicious npm Package Steals OpenAI Codex Tokens from Developer Systems

A malicious supply chain campaign has been targeting developers using OpenAI Codex through a package that presented itself as a legitimate remote web UI. The package, named codexui-android, was published on npm and advertised on GitHub as a remote interface for OpenAI Codex. Rather than relying on a disposable typosquat or a package with no real function, the threat actor embedded credential-stealing code into a working project that had active development history and enough apparent legitimacy to attract more than 29,000 weekly downloads.

Security researchers at Aikido Security found that the package quietly extracted Codex authentication data from developer environments and sent it to an attacker-controlled server. The stolen data came from the local Codex authentication file at ~/.codex/auth.json, which can contain access tokens, refresh tokens, ID tokens, and account identifiers. According to the reporting, the exfiltration endpoint used the domain sentry.anyclaw[.]store, a name that appears to mimic Sentry, the legitimate application monitoring and error tracking service.

The most serious issue is the theft of refresh tokens. Access tokens are often short-lived, but refresh tokens can allow continued account access long after the initial login session. In practical terms, a stolen Codex refresh token may give an attacker persistent access to whatever the compromised account can reach. That makes this more than a simple developer workstation compromise. It creates an account-level risk tied to AI-assisted development workflows, local coding sessions, IDE integrations, and any connected services exposed through the same identity.

OpenAI’s own documentation warns that file-based Codex authentication storage should be treated like a password. The auth.json file is sensitive precisely due to the credentials it can hold. If that file is exposed through a malicious package, copied into a ticket, committed to a repository, or captured by endpoint malware, the attacker may inherit the user’s authenticated Codex session.

The malicious code was reportedly introduced about a month after the package first appeared on npm. That timing matters. Attackers increasingly seed legitimate-looking projects first, allow them to gain users, downloads, and trust, and then introduce malicious behavior after the package has already entered developer workflows. This approach is harder to catch than a basic typosquat, since the project can appear clean at first glance and may provide the functionality it claims to offer.

The associated GitHub repository reportedly remained clean, with the malicious functionality placed only in the npm package build. That separation is a recurring software supply chain problem. Developers may inspect the source repository, see nothing obviously malicious, and assume the distributed package matches the published code. In reality, package registry artifacts can differ from the repository content, especially when build steps, generated files, minified scripts, or release automation are involved.

The campaign also extended beyond npm. Aikido reported that an Android application named OpenClaw Codex Claude AI Agent, published under the package name gptos.intelligence.assistant, ran the npm package inside a PRoot sandbox. On first launch, the app extracted a Termux-derived Linux userland into private app storage, ran Node.js inside that environment, and pulled the current npm version of codexui-android rather than pinning a known-safe version. Once a user signed in to Codex inside the app, the package read the generated auth.json file and sent the OAuth data to the same exfiltration endpoint.

The Android delivery path gave the campaign a much larger reach. The OpenClaw Codex Claude AI Agent app was reported to have more than 50,000 downloads, and a second BrutalStrike-linked Android app named Codex, under the package name codex.app, had more than 10,000 downloads. That means the attack was not limited to developers manually installing a package from npm. It also reached users through mobile apps that wrapped the same malicious workflow inside a seemingly convenient Codex interface.

The package author reportedly gave conflicting public responses after being contacted. Aikido said the author first claimed to have lost access to the npm account, then edited the response to say they were investigating internally and removing affected functionality and related data. The author also claimed that credential data was not shared with third parties, but did not explain why the npm package collected Codex tokens or why the exfiltration code was present in the distributed npm build. The author’s linked X profile also referenced the anyclaw[.]store domain, and WHOIS records showed the domain was registered shortly after the first npm version of the package was uploaded.

For defenders, the immediate priority is containment. Any developer who installed codexui-android or used the related Android apps should assume their Codex credentials may have been exposed. The affected systems should be reviewed for the presence of ~/.codex/auth.json, suspicious outbound traffic to sentry.anyclaw[.]store, and any npm package versions at or after codexui-android 0.1.82, where the exfiltration was reported to be present. Tokens should be revoked and regenerated, account activity should be reviewed, and any connected services that could have been reached through the compromised identity should be checked for unauthorized use.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.