Cybersecurity Weekly Briefing, 9-15 May
ClaudeBleed: the Claude Chrome extension could be hijacked by any extension to exfiltrate files
Researchers at LayerX have identified a structural vulnerability in the Claude Chrome extension that breaks the browser’s security model by failing to verify the origin of received messages. Any extension, without special permissions, could inject instructions directly into Claude’s LLM via a content script, turning the agent into a ‘confused deputy’: the agent executed malicious commands believing they came from a trusted source.
As a proof of concept, LayerX demonstrated how to force Claude to locate files on Google Drive and share them with an external address, summarise Gmail messages and delete the evidence, or exfiltrate source code from connected GitHub repositories. Bypassing the LLM’s safeguards was achieved through approval looping and DOM manipulation to rename buttons and hide indicators of sensitive actions.
Anthropic released a partial patch on 6 May (version 1.0.70) that adds confirmation prompts, but, according to LayerX, forcing privileged mode bypasses them entirely because the underlying issue, origin-based trust, remains unresolved.
AI agents carry out full-scale cyberattacks against the government and financial sectors in Latin America
TrendAI Research has published a detailed analysis of two separate campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, which mark a milestone by employing AI agents to carry out end-to-end intrusion operations, from initial access to data exfiltration, against government entities in Mexico and financial organisations in Brazil.
SHADOW-AETHER-040 compromised at least six Mexican government agencies between December 2025 and January 2026 using Claude as the CLI agent engine: the actor instructed the model to deploy Neo-reGeorg webshells, establish SOCKS5 tunnels with Chisel, pivot via ProxyChains and SSH, analyse configuration files for embedded credentials, perform password spraying with CrackMapExec and Impacket, and exfiltrate databases via SCP.
When the agent refused to act against a target identified as governmental, the operator iterated with jailbreak prompts that framed it as an unauthorised network exercise. SHADOW-AETHER-064 replicates an almost identical tactical pattern (ProxyChains, Chisel, CrackMapExec, Impacket) and adds proprietary tools such as the POW HTTP proxy and the SOCKTZ reverse SOCKS5 tunnelling backdoor, whose source code shows unmistakable traces of AI-assisted vibe coding.
Both campaigns demonstrate that AI agents not only accelerate manual tasks, but also dynamically generate ad hoc commands and scripts that evade signature-based detection of known tools.
Two Russia-linked APTs compromise five water treatment plants in Poland
The Polish Internal Security Agency (ABW) has published a detailed report on a sustained campaign targeting the country’s water infrastructure, confirming security breaches at five water treatment facilities during 2025, with the confirmed capability to alter ICS equipment configurations. The report notes that the Russian APTs APT28 and APT29 managed to gain access to the plants’ industrial control systems in what Polish authorities describe as a pattern of hybrid warfare with objectives broader than immediate operational damage.
First AI-developed 0-day designed for mass exploitation
The Google Threat Intelligence Group (GTIG) has published its biannual report on the use of AI in offensive operations, and for the first time documents a case in which threat actors used a language model to discover and craft a 0-day: a 2FA bypass vulnerability in a widely deployed open-source web administration tool.
The clues in the code (abundant educational docstrings, a non-existent, absurd CVSS score and Pythonic formatting) point with a high degree of confidence to the use of an LLM, although Google rules out that it was Gemini. The flaw, a high-level semantic logic bug resulting from a hardcoded trust assumption, is precisely the type of vulnerability that LLMs detect better than fuzzing or static analysis, as they can reason about the developer’s intent.
GTIG achieved responsible disclosure with the affected vendor and thwarted the campaign before the planned mass exploitation could be unleashed. The same report details the use of AI by APT45 (North Korea), UNC2814 and APT27 (China) for vulnerability research, and documents the Android backdoor PROMPTSPY, which integrates the Gemini API as an autonomous agent to navigate the victim device’s interface, capture biometric credentials and prevent its uninstallation via invisible overlays.
Critical vulnerability in NGINX exposes a third of the world’s web servers
Researchers at Depthfirst have discovered a memory corruption flaw in the NGINX rewrite module that was introduced into the source code in 2008 and has been present for almost two decades in all standard distributions. The flaw, tracked as CVE-2026-42945 (CVSSv4 9.2 according to F5), resides in ngx_http_script.c within ngx_http_rewrite_module and is caused by an inconsistency between the two passes that process rewrite directives: the first calculates the buffer size without accounting for the escaped URI, but the second applies the escaping, causing an attacker-controlled buffer overflow. An unauthenticated attacker can send a single specially crafted HTTP request to bring down NGINX worker processes or, with ASLR disabled, achieve remote code execution.
NGINX’s multi-process architecture also facilitates repeated exploitation, as the master process restarts new workers with the same memory layout. The scope is exceptional: NGINX serves approximately one-third of all global websites, and the vulnerability affects NGINX Open Source from version 0.6.27 to 1.30.0, NGINX Plus up to R36, and multiple ecosystem products such as NGINX App Protect WAF, Gateway Fabric and Ingress Controller. F5 has released fixed versions (1.31.0 / 1.30.1 for Open Source, R36 P4 for Plus); as an immediate mitigation if patching is not feasible, replacing unnamed regex captures ($1, $2) with named captures ((?<name>...)) in rewrite directives eliminates the exploitation path.
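As an added example (not code from the briefing, F5 or Depthfirst), a small POSIX shell audit that flags rewrite directives still referencing unnamed captures, the pattern the briefing names as the exploitation path, run here over a constructed config that shows the weak form next to its named-capture equivalent; the function and file names are my own.

```shell
#!/bin/sh
# Hypothetical audit helper: list rewrite directives whose replacement still
# references a positional capture ($1..$9). Converting them to named captures
# ((?<name>...) referenced as $name) is the interim mitigation; patching to
# 1.31.0 / 1.30.1 (or R36 P4 for Plus) remains the actual fix.

audit_rewrites() {
    # Args: config file(s); with no args, reads a config dump from stdin.
    # Prints "line:directive" for every rewrite using an unnamed capture.
    grep -nE '^[[:space:]]*rewrite[[:space:]]+.*\$[1-9]' "$@"
}

count_unnamed_rewrites() {
    # Number of flagged rewrite directives (0 when the config is clean).
    audit_rewrites "$@" | wc -l | tr -d ' '
}

# Constructed sample config: one weak rewrite and its hardened equivalent.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    # weak: positional capture $1 in the replacement
    rewrite ^/old/(.*)$ /new/$1 permanent;
    # hardened: named capture referenced as $path instead of $1
    rewrite ^/old/(?<path>.*)$ /new/$path permanent;
    location / { return 200; }
}
EOF

# Only the positional-capture rewrite on line 4 is reported.
audit_rewrites "$SAMPLE_CONF"
```

On a live host, `nginx -T | audit_rewrites` scans the full merged configuration, including files pulled in through include directives.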
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.