Viruses and Worms

Yet another experiment proves it's too damn simple to poison large language models

The Register - Anti-Virus - 29 April 2026 - 19:00
Unlike search engines, which let you judge competing sources for yourself, search-backed AI chatbots can turn shaky web material into confident answers. Case in point: a security engineer convinced several bots that he was the reigning world champion of a popular German card game, even though no such championship exists.

If you had checked Wikipedia up until the end of last week, you would have seen Ron Stoner listed on the page for 6 Nimmt!, also known as Take 5 to English-speaking audiences, as the 2025 world champion. The Wikipedia entry cited the official-looking 6nimmt.com as the source for the claim, and visiting that URL does reveal a short press release celebrating Stoner's victory.

The only problem with the whole thing is that Stoner says he created both the Wikipedia entry about his victory and the 6 Nimmt! domain hosting the only evidence of it, but that still didn't stop several AI chatbots from telling him he was the world champ when he asked.

"My site has no independent corroboration. It's totally made up," Stoner said in his blog post. "The whole house of cards rests on a $12 domain registration I did while drinking coffee."

In other words, this is poisoning at the retrieval-augmented generation (RAG) layer: not prompt injection, but an attack on the same plane of AI functionality, namely the part that searches the web.

As he explains, and as many El Reg readers are likely already aware, an AI model doesn't really check the provenance of the sources it cites as authority for its claims, and that is the very thing Stoner set out to exploit when he concocted his experiment.

"Every frontier LLM with web search grounds its answers in whatever retrieval ranks highest for a given query," Stoner wrote. In the case of the nonexistent 6 Nimmt! championship, his planted source was the only one, and with Wikipedia lending it apparent authority, it became a sure-fire way to fool an AI into presenting falsehood as fact - a trick simple enough for non-technical users to pull off.

"I didn't do anything novel here. This is old school SEO and misinformation tactics wrapped in new LLM technology and interfaces," Stoner told The Register in an email. "What's changed is that AI now serves these results as authoritative, and most users have no idea how the data pipeline works behind the scenes."

A Large Language Mess

"The thing LLMs are worst at detecting is the thing they're designed to do, which is trust text and resources," Stoner argues in his writeup. "The answer is not 'the model will figure it out,' as the model cannot tell a real source from one I registered last Tuesday. Or how many R's are actually in the word 'strawberry.'"

The problem Stoner exposes in his experiment, he explains, involves three separate failure modes that could be exploited for more damaging ends than inventing a card-game championship. First, there's the retrieval layer, which can immediately cause an LLM to spit out bad data, as "any LLM that grounds answers in web search inherits the trustworthiness of whatever ranks for a given query."

Second is model training corpora, which Stoner said his edit could enter if the Wikipedia change remained live long enough to be scraped. The entry had been removed as of last Friday, when he published his post, but he made the addition in February 2025, meaning any AI firm that scraped Wikipedia during that window could have picked up his fictional victory in its training data.

"Even if the Wikipedia edit is reverted later, any model trained on the pre-revert dump still carries my legacy," Stoner said in his post. "The cleanup problem for corpus poisoning is genuinely unsolved as of 2026." Stoner told us he plans to check this in six months or so, once new models have been released: if one returns his championship without needing to go online, that is proof his lie made it into training data.

Then there are AI agents, which Stoner says are where the real money is for anyone with malicious intent.

"Chat models producing bad information is a reputational problem. Agents with tool access producing bad actions is a security problem," he noted. Poisoning an agent-retrieved source would let an attacker specify the action they want an agent to take, says Stoner.

"This attack and test was a $12 domain, a single Wikipedia edit, and about twenty minutes of my time," Stoner concluded in his blog. "Scale that up with a motivated adversary, a handful of seeded domains, a coordinated edit campaign across a dozen low traffic articles, and the attack surface gets interesting very quickly."

Stoner told us that retrieval poisoning is something LLM providers need to address and warn users about, and that he expects AI chatbots to start incorporating some sort of warning, especially for RAG-sourced results, in the near future.

He hopes that AI firms will make data provenance a key component of their process, and also wants recent web content heuristically filtered to account for suspicious patterns that would have easily been caught in the 6 Nimmt! case: a single citation pointing to a domain that was registered within a short window of the Wikipedia update should have sounded alarms, but it didn't.

The championship was fake, and it's now gone from Wikipedia and RAG responses as well, but Stoner notes the bad trust pattern that made it work is absolutely real and a looming problem for AI makers.

"I'm happy my article is spurring discussion about LLMs, sources, trust, and how all of this works," Stoner told us. "That was my goal and it appears I've achieved it." ®
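The heuristic Stoner asks for, flagging a claim whose only citation points to a domain registered within days of the edit that cites it, can be expressed as a provenance check over retrieved sources. The following is an added illustration, not Stoner's code or any vendor's pipeline; the `Citation` record, the 30-day `MAX_DAYS_BETWEEN` window and the sample dates are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse

# Assumption: how many days between a domain's registration and the edit that
# cites it still count as "suspiciously fresh". Not a figure from the article.
MAX_DAYS_BETWEEN = 30


@dataclass
class Citation:
    """One supporting source that a retrieval step returned for a claim."""
    url: str
    domain_registered: date | None   # WHOIS creation date, None if unknown
    cited_by_edit_on: date | None    # date of the edit (e.g. on Wikipedia) that added the citation


@dataclass
class ProvenanceReport:
    claim: str
    flags: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def registrable_domain(url: str) -> str:
    """Reduce a URL to its host so two pages on one site count as one source."""
    host = (urlparse(url).hostname or "").lower()
    return host.removeprefix("www.")


def check_provenance(claim: str, citations: list[Citation]) -> ProvenanceReport:
    """Apply the two signals from the 6 Nimmt! case to a set of retrieved citations:

    1. every citation resolves to a single domain (no independent corroboration);
    2. a citing domain was registered within MAX_DAYS_BETWEEN days of the edit
       that cites it, in either direction.

    A flagged claim is not necessarily false; the flags tell a RAG pipeline that
    the answer rests on sources it should not present as authoritative.
    """
    report = ProvenanceReport(claim)
    if not citations:
        report.flags.append("no sources retrieved")
        return report

    domains = {registrable_domain(c.url) for c in citations}
    if len(domains) == 1:
        report.flags.append(f"single source domain: {next(iter(domains))}")

    for c in citations:
        if c.domain_registered is None or c.cited_by_edit_on is None:
            continue  # unknown WHOIS data is worth logging, but is not a flag here
        gap = abs((c.cited_by_edit_on - c.domain_registered).days)
        if gap <= MAX_DAYS_BETWEEN:
            report.flags.append(
                f"{registrable_domain(c.url)} registered within {gap} day(s) of the citing edit"
            )
    return report


# Constructed sample inputs modelled on the article. The dates are illustrative,
# not the real registration or edit dates.
PLANTED = [
    Citation("https://www.6nimmt.com/press/2025-world-champion",
             domain_registered=date(2025, 2, 3), cited_by_edit_on=date(2025, 2, 10)),
]
CORROBORATED = [
    Citation("https://newspaper.example/sports/card-games",
             domain_registered=date(1998, 5, 1), cited_by_edit_on=date(2025, 2, 10)),
    Citation("https://tournament-body.example/results/2025",
             domain_registered=date(2011, 9, 14), cited_by_edit_on=date(2025, 2, 10)),
]

if __name__ == "__main__":
    for sources in (PLANTED, CORROBORATED):
        r = check_provenance("Ron Stoner is the 2025 6 Nimmt! world champion", sources)
        print("suspicious" if r.suspicious else "ok", r.flags)
```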
Category: Viruses and Worms

CISA flags data-theft bug in NSA-built OT networking tool

The Register - Anti-Virus - 29 April 2026 - 17:35
The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information.

First reported by Grady DeRosa, senior industrial pentester at Dragos, the weak spot affects all versions of GrassMarlin, a tool developed and open-sourced by the NSA to support network security at critical infrastructure organizations, industrial control systems, and SCADA networks.

GrassMarlin went EOL in 2017, so there are no fixes in the works. CISA's only recommendation is to ensure that control systems and devices are not accessible from the open internet, that firewalled networks and devices are isolated from business networks, and that remote access is established securely.

CISA did not - in typical fashion - offer many details regarding CVE-2026-6807 (CVSS score 5.5), but confirmed that successful exploits could lead to sensitive information being disclosed. However, in an advisory published on Tuesday, it said: "The flaw stems from insufficient hardening of the XML parsing process."

These types of attacks (CWE-611) affect products that process XML files. GrassMarlin primarily uses the XML format to save session files, using many files to save different kinds of data, including lists of nodes and edges, node positioning, colors, and session metadata, before bundling them into a ZIP archive and saving them with a .gm3 extension.

Often referred to as XML External Entity (XXE) attacks, these typically involve tricking a system owner into parsing a maliciously crafted XML file that has been tampered with to exfiltrate data. This is a general overview of how XXE attacks play out; CISA did not define how CVE-2026-6807 could be exploited specifically.

Anna Quinn, penetration tester at Rapid7, however, worked up a public proof-of-concept exploit and posted it to GitHub.

"Looking at the code for Grassmarlin, I determined that the likely vulnerable parameters had to do with the XML files ingested when opening stored sessions," Quinn wrote. "By crafting malicious requests I discovered I could induce an error in the message console within Grassmarlin. The cause and content of the error was properly stripped from all logs and output within Grassmarlin.

"However, OOB exfiltration of arbitrary files was possible by referencing an external host in the DTD. Some caveats did appear to apply: newer versions of Java could not be used on the system, meaning that Grassmarlin had to use the version of Java bundled in the installer. Additionally, many types of input would cause errors which would impede the exfil process. To bypass this, the content would be converted to base64 and then sent across multiple message chunks."

In a separate post on LinkedIn, Quinn noted that the bug won't pose too much of a threat to most organizations, and that it can only realistically be exploited via phishing - either between local users or external emails. ®
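GrassMarlin reads session data from XML members inside a .gm3 ZIP, and CISA attributes CVE-2026-6807 to insufficient hardening of that XML parsing (CWE-611). The standard mitigation for this class is to refuse any DOCTYPE or entity declaration before the document is parsed; the added example below, which is not GrassMarlin's code, does that for each XML member of an archive using Python's expat bindings. The member names and XML content are constructed, not the real session layout.

```python
from __future__ import annotations

import io
import zipfile
from xml.parsers import expat


class UnsafeXml(Exception):
    """Raised when a session member carries a DOCTYPE or entity declaration."""


def assert_no_doctype(data: bytes, member: str) -> None:
    """Parse `data` with expat and abort on the first DOCTYPE or ENTITY declaration.

    An XXE payload needs a DTD to declare the external entity, so refusing any
    DOCTYPE up front (the equivalent of Java's disallow-doctype-decl feature)
    blocks the whole class before an entity could be resolved. Parameter entity
    parsing is pinned off, so nothing external is fetched during this inspection.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"{member}: DOCTYPE {name!r} (system id {sysid!r})")

    def on_entity(*decl):
        raise UnsafeXml(f"{member}: entity declaration {decl[0]!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXml(f"{member}: malformed XML ({exc})") from exc


def scan_session(gm3_bytes: bytes) -> list[str]:
    """Return the names of all XML members in a .gm3 archive that passed the check.

    Raises UnsafeXml on the first member that declares a DOCTYPE or entity, so
    the caller can refuse to open the session before any parser uses its content.
    """
    accepted = []
    with zipfile.ZipFile(io.BytesIO(gm3_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".xml"):
                continue
            assert_no_doctype(zf.read(info), info.filename)
            accepted.append(info.filename)
    return accepted


def session_is_safe(gm3_bytes: bytes) -> bool:
    """True when every XML member passes, False otherwise."""
    try:
        scan_session(gm3_bytes)
    except UnsafeXml:
        return False
    return True


def build_gm3(members: dict[str, str]) -> bytes:
    """Construct an in-memory .gm3-style archive (ZIP of XML members) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples. Member names are illustrative, not GrassMarlin's layout.
CLEAN_SESSION = build_gm3({
    "nodes.xml": '<?xml version="1.0"?><nodes><node id="1" ip="10.0.0.5"/></nodes>',
    "meta.xml": "<session><title>plant-east</title></session>",
})
# This member declares an external DTD, which is what an XXE payload relies on.
# The declaration itself is the signal; no entity is referenced or fetched here.
TAINTED_SESSION = build_gm3({
    "nodes.xml": '<?xml version="1.0"?><!DOCTYPE nodes SYSTEM "http://dtd.example/x.dtd"><nodes/>',
})

if __name__ == "__main__":
    print("clean:", scan_session(CLEAN_SESSION))
    print("tainted safe?", session_is_safe(TAINTED_SESSION))
```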
Category: Viruses and Worms

GitHub: Zounds, a genuinely helpful AI-assisted bug report that isn't total slop! Here, Wiz, take this wad of cash

The Register - Anti-Virus - 29 April 2026 - 15:02
Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command. In disclosing the bug this week, the Google-owned security shop also said its findings could represent a turning point in the way vulnerabilities are discovered in closed source software.

Wiz published its findings related to CVE-2026-3854 (CVSS 8.8) on Tuesday. The company's researchers have tinkered with GitHub for two years, but throughout this time reverse-engineering it was seen as too great a task, given the scale of its internal binaries. They used Claude Code to take a lot of the legwork out of the process, and were able to go from idea to working exploit in less than 48 hours.

"By leveraging AI-augmented tooling, particularly automated reverse engineering using IDA MCP, we were able to do what was previously too costly," Wiz blogged. "Using AI, we rapidly analyzed GitHub's compiled binaries, reconstructed internal protocols, and systematically identified where user input could influence server behavior across the entire pipeline.

"Thanks to this new capability, we found a fundamental flaw in how that input flows through GitHub's multi-service architecture."

Wiz said that in the pre-AI days, findings of this kind would have taken months' worth of manual analysis by those with extensive experience. It can now be carried out more quickly and easily using generic AI tools - a boon to both defenders and attackers.

The bug explained

Wiz has the full technical rundown of how the vulnerability works, but it can be concisely summarized as a flaw in how GitHub's internal services blindly trusted user input when processing push requests.

Push options are an intentional feature of the git protocol designed to send key-value strings to a server. These options are packaged into internal X-Stat HTTP headers that are passed between services. However, the vulnerability exploited the way in which user-supplied push option values were blindly trusted and incorporated into the internal metadata of a push request.

Crucially, the metadata here is separated by a delimiter character - a null byte - which users could also type into push options. An attacker could abuse this delimiter character in their push command to trick a server into accepting it as a trusted internal value.

Wiz originally tested the vulnerability on GitHub Enterprise Server (GHES), and found that an additional injection into an X-Stat field ensured the same exploit chain worked on GitHub.com too.

GitHub's response

As Wiz noted, GitHub responded to its disclosure and issued fixes for the vulnerability within six hours, as well as implementing additional hardening measures to prevent similar vulnerabilities from being as impactful in the future, should they manifest. It also confirmed that no attacker had ever carried out the attack on GitHub.com, although it advised GHES customers to check their access logs for signs of abuse.

Alexis Wales, GitHub's CISO, thanked Wiz for the discovery and said it is rewarding the team with one of the biggest-ever payouts in the history of GitHub's bug bounty program.

"GitHub greatly appreciates the collaboration, professionalism, and partnership that Wiz has shown throughout this process," she said. "A finding of this caliber and severity is rare, earning one of the highest rewards available in our bug bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions.

"As the landscape evolves, these close partnerships with talented hunters and researchers are more important than ever."

Even though CVE-2026-3854 was given an 8.8 CVSS rating by the National Institute of Standards and Technology (NIST) - one rung down from the top "critical" classification - both Wiz and GitHub view it as more impactful than the severity score suggests.

Beyond saying it had given Wiz "one of the highest rewards available in our bug bounty program," the Microsoft-owned source-code shop did not name a figure. Per the rewards guide from GitHub's bug bounty, critical vulnerabilities typically earn researchers between $20,000 and $30,000, although the company is known to issue greater sums for especially impactful flaws. For example, the most lucrative bug to date was reported in 2023, when GitHub awarded $75,000 for the since-patched flaw, which had allowed access to the environment variables of a production container. ®
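As described above, the GitHub bug is delimiter injection: a user-supplied push option value containing the null byte that separates internal metadata fields is read downstream as an extra, trusted field. The added example below (not GitHub's code; the field names, record layout and sample values are assumptions) shows the naive encoder, the consumer-side duplicate-field check that would catch the result, and the hardened encoder that rejects the delimiter.

```python
from __future__ import annotations

# The separator the article describes. The field layout and key names are
# assumptions for illustration, not GitHub's actual internal format.
DELIM = b"\x00"
TRUSTED_FIELDS = ("repo", "actor", "role")   # set by the front-end service, once each


class InvalidPushOption(ValueError):
    """A push option carried a byte that collides with the record delimiter."""


def encode_naive(trusted: dict[str, str], push_options: list[str]) -> bytes:
    """Pack server-set fields and raw push options into one NUL-separated record.

    This mirrors the flawed pattern: values are concatenated without checking
    for the delimiter, so a client value containing NUL yields an extra field
    that the consumer cannot distinguish from a server-set one.
    """
    fields = [f"{k}={trusted[k]}" for k in TRUSTED_FIELDS]
    fields += [f"opt={o}" for o in push_options]
    return DELIM.join(f.encode("utf-8", "surrogateescape") for f in fields)


def encode_hardened(trusted: dict[str, str], push_options: list[str]) -> bytes:
    """Refuse any option containing the delimiter instead of passing it through.

    Rejecting (rather than stripping or escaping) keeps the wire format the same
    for every downstream consumer and guarantees the record splits back into
    exactly the fields that were supplied.
    """
    for o in push_options:
        raw = o.encode("utf-8", "surrogateescape")
        if DELIM in raw:
            raise InvalidPushOption(f"push option contains delimiter byte: {raw!r}")
    return encode_naive(trusted, push_options)


def decode(record: bytes) -> dict[str, list[str]]:
    """A downstream service's view: split on NUL and group values by key."""
    parsed: dict[str, list[str]] = {}
    for part in record.split(DELIM):
        key, _, value = part.decode("utf-8", "surrogateescape").partition("=")
        parsed.setdefault(key, []).append(value)
    return parsed


def smuggled_trusted_fields(record: bytes) -> list[str]:
    """Consumer-side check: a trusted key that appears more than once was
    injected by the client, since the front end sets each exactly once."""
    parsed = decode(record)
    return [k for k in TRUSTED_FIELDS if len(parsed.get(k, [])) > 1]


def accepts_option(option: str) -> bool:
    """True if the hardened encoder lets the option through."""
    try:
        encode_hardened(TRUSTED, [option])
    except InvalidPushOption:
        return False
    return True


# Constructed sample values.
TRUSTED = {"repo": "acme/app", "actor": "dev-42", "role": "contributor"}
BENIGN_OPTION = "ci.skip=true"
# A client value with an embedded NUL; after the naive join the consumer sees a second 'role'.
HOSTILE_OPTION = "ci.skip=true\x00role=maintainer"

if __name__ == "__main__":
    record = encode_naive(TRUSTED, [HOSTILE_OPTION])
    print("naive decode:", decode(record))
    print("smuggled fields:", smuggled_trusted_fields(record))
    print("hardened accepts hostile option?", accepts_option(HOSTILE_OPTION))
```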
Category: Viruses and Worms

EU waves through open source age-check tool to keep kids safe online

The Register - Anti-Virus - 29 April 2026 - 14:03
'Online platforms can rely on our app,' says Commish, 'there are no more excuses'

The European Commission has recommended EU member states adopt an age verification app designed to protect children from harmful online content.…

Category: Viruses and Worms

GoDaddy customer claims registrar transferred 27-year-old domain without any security checks

The Register - Anti-Virus - 29 April 2026 - 12:00
32 phone calls, 17 email chains, a 5-day ordeal, and no help during the daddy of all stuffups, claim those affected

GoDaddy is currently investigating claims that it handed complete control of a valid 27-year-old domain to another customer, without requiring them to pass any authentication processes or upload any supporting documents.…

Category: Viruses and Worms

30 ClawHub skills secretly turn AI agents into a crypto swarm

The Register - Anti-Virus - 29 April 2026 - 08:32
Thirty ClawHub skills published by a single author are silently co-opting AI agents and creating a mass cryptocurrency mining swarm – without any malware or user consent.

Agentic AI security outfit Manifold's research lead Ax Sharma spotted the skills on ClawHub, a registry and marketplace for OpenClaw skills. A ClawHub user who goes by "imaflytok" published the skills, which have scored around 9,800 downloads.

Sharma told The Register that this campaign – he calls it "ClawSwarm" – differs from past efforts to distribute malicious ClawHub code because it doesn't use malware or target humans. Instead, ClawSwarm targets the agents themselves and SKILL.md files, documents that give agents instructions on how to interact with other systems.

"ClawSwarm isn't a vulnerability disclosure," Sharma told us. "There's no flaw to patch and nothing covert about the infrastructure. It's an open source project on GitHub with public docs, a Telegram group, and a token on a public chain."

The campaign sees a user install a seemingly benign skill – these purport to be everything from a cron helper (903 downloads) to an Agent Security skill (685 downloads), a whale watcher (347 downloads), a cross-platform poster (292 downloads), and a predictions market integration (154 downloads). The AI agent then registers itself at "onlyflies.buzz," a site that centers around $FLY tokens and "provocative" art.

After registering itself with the external server, the agent follows the instructions in a SKILL.md file and therefore reports its name and capabilities to the third party, along with what skills it has installed. The agent stores credentials on disk, checks in every four hours, and, assuming the right skills are installed, generates a Hedera crypto wallet and registers the private key with the same server. The human user doesn't approve any of this activity and doesn't see it happening.

In addition to being the name of the crypto-swarm campaign Sharma documented, ClawSwarm is also an open source agentic skill framework on GitHub. The imaflytok skills that report to onlyflies.buzz are one implementation of that framework.

"You can read all of this and conclude it's a small crypto community building agent infrastructure. Maybe it is," Sharma wrote. "But the mechanism is identical regardless of intent: an AI agent silently registering with a third party server, reporting its capabilities, generating crypto keys, and accepting remote tasks – all without the user initiating or approving any of it."

It's similar to the earlier Tea Protocol token farming campaigns, in which more than 150,000 spammy packages flooded the npm registry to farm Tea points. ClawSwarm, according to Sharma, "follows the same playbook," but uses skills instead of npm packages.

"Whether ClawSwarm instances are a legitimate experiment in agent economics or a recruitment funnel for speculative crypto, the result for the user is the same: their agent is doing things they didn't ask it to do, for someone they don't know, with keys they didn't authorize," he wrote.

ClawHub maintainers did not immediately respond to The Register's inquiries, nor did the maintainers of the legitimate ClawSwarm open source framework. Sharma says maintainers are in a tough position because it's not really a security problem, despite agents joining a network and generating wallets without their human user's approval.

"The registry layer is the wrong place to solve this," he told The Register. "A scanner looking for malicious code patterns finds nothing: the cURL calls are clean, the SDK is legitimate. What's needed is runtime visibility into what agents actually do once a skill is installed. Registries could require disclosure of network endpoints and wallet generation in skill manifests, but that's a policy question, not a security one." ®
Category: Viruses and Worms

Don't pay Vect a ransom - your data's likely already wiped out

The Register - Anti-Virus - 28 April 2026 - 20:36
Organizations hit by the wave of Trivy and LiteLLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research. That's because the ransomware Vect uses isn't actually ransomware at all, but a wiper that destroys any file larger than 128 KB.

Vect's leak site lists 25 organizations since January, and four since March, which is when the extortions from the supply chain attacks began. It's unclear, however, how many - if any - of the listed orgs are tied to Trivy and LiteLLM-related compromises.

"On April 15, the group claimed two larger victims, Guesty (700GB) and S&P Global (250GB), allegedly tied to earlier TeamPCP compromises," Eli Smadja, group manager at Check Point Research, told The Register. "However, these claims cannot be independently verified, and there is no confirmed visibility into how many of these cases resulted in successful ransom payments versus data being leaked without payment."

Neither Guesty nor S&P Global responded to The Register's inquiries.

Vect is one of the crime crews partnering with TeamPCP to leak data and extort victims of the ongoing attacks that infected Trivy, LiteLLM, Checkmarx, and Telnyx. After initially compromising the security and developer tools, infecting them with self-propagating credential-stealing malware, TeamPCP and Vect announced their new partnership on BreachForums, bragging: "we will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns."

Vect also announced a partnership with the data leak site itself, and said that every registered BreachForums user can use Vect's ransomware, negotiation platform, and website. So Check Point researchers opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware.

They quickly determined that the ransomware-as-a-service group also isn't very good at writing code - "not technically sophisticated" and "amateur execution" are how Check Point's research team describes the crims - and that it appears to have accidentally written a data wiper.

Instead of encrypting large files in a way that can be reversed, which is what ransomware is supposed to do, Vect 2.0 ransomware permanently destroys any file larger than 131,072 bytes (128 KB).

"Full recovery is impossible for anyone, including the attacker," the security analysts wrote. "At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions."

The ransomware, as advertised, includes Windows, Linux, and ESXi variants. All share the same encryption design built on libsodium, the same file-size thresholds, the same four-chunk logic, and the same flaw: the encryption implementation discards three of the four decryption nonces for every file larger than 128 KB, leaving the corresponding chunks undecryptable even with the correct key.

In addition to the nonce-handling flaw, the malware analysts say they spotted "multiple" other bugs and design failures across all ransomware variants, suggesting that even criminals can't vibe code their way to a successful operation. As the researchers note: "The authors know what features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all." ®
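To see why a discarded nonce makes recovery impossible even for the key holder, the added example below models Check Point's description: files over 128 KB are cut into four chunks, each encrypted under its own random nonce, and the flawed variant records only the first. This is an illustration, not Vect's code or Check Point's analysis; the nonce length, file layout and the HMAC-SHA256 counter-mode keystream standing in for libsodium's secretbox are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Figures from the article: files above 128 KB are processed as four chunks.
WIPER_THRESHOLD = 131_072
CHUNKS_FOR_LARGE_FILES = 4
# Assumptions: nonce length (secretbox uses 24 bytes) and the in-memory layout.
NONCE_LEN = 24


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as an XOR keystream.

    Stand-in for libsodium secretbox so the example runs with the standard
    library only (assumption, not Vect's cipher). It shares the property that
    matters here: without the exact nonce the stream, and so the plaintext, is gone.
    """
    blocks = []
    for counter in range(-(-length // 32)):   # ceil(length / 32) digests
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def split_chunks(data: bytes) -> list[bytes]:
    """Small files are one chunk; anything over the threshold is cut into four."""
    if len(data) <= WIPER_THRESHOLD:
        return [data]
    size = -(-len(data) // CHUNKS_FOR_LARGE_FILES)
    return [data[i:i + size] for i in range(0, len(data), size)]


def encrypt(key: bytes, plaintext: bytes, keep_all_nonces: bool) -> tuple[bytes, list[bytes]]:
    """Encrypt chunk by chunk with a fresh random nonce each; return the
    ciphertext and the nonces written to the file footer.

    keep_all_nonces=False models the flaw Check Point describes: only the first
    nonce is recorded and the other three are discarded.
    """
    chunks = split_chunks(plaintext)
    nonces = [secrets.token_bytes(NONCE_LEN) for _ in chunks]
    ciphertext = b"".join(xor_bytes(c, keystream(key, n, len(c))) for c, n in zip(chunks, nonces))
    footer = nonces if keep_all_nonces else nonces[:1]
    return ciphertext, footer


def decrypt(key: bytes, ciphertext: bytes, footer: list[bytes]) -> list[bytes | None]:
    """Recover each chunk whose nonce survived; a chunk without one is None.

    Holding the correct key does not help: the missing nonces were random and
    never stored anywhere, which is why even the attacker cannot decrypt.
    """
    chunks = split_chunks(ciphertext)
    return [
        xor_bytes(c, keystream(key, footer[i], len(c))) if i < len(footer) else None
        for i, c in enumerate(chunks)
    ]


def recoverable_bytes(parts: list[bytes | None]) -> int:
    return sum(len(p) for p in parts if p is not None)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    large = bytes(range(256)) * 600          # constructed 150 KB "VM disk"
    ct, footer = encrypt(key, large, keep_all_nonces=False)
    parts = decrypt(key, ct, footer)
    print(f"{recoverable_bytes(parts)} of {len(large)} bytes recoverable with the key")
```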
Category: Viruses and Worms

Have I Been Pwned claims Pitney Bowes hit by 8.2M email address leak

The Register - Anti-Virus - 28 April 2026 - 16:15
UPDATED Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations.

Data breach tracker Have I Been Pwned (HIBP) confirmed the breach on April 27, with 8.2 million unique email addresses included in the dump alongside names, phone numbers, and physical addresses. A smaller subset of the entire data trove pertained to company employment records, which included job titles.

The Register contacted Pitney Bowes for more information. Attempts to reach its press-specific email addresses led to bouncebacks. Its investor relations contact is active, but did not immediately respond to our request.

Pitney Bowes may not be a household name, but it's a substantial US-based tech firm producing shipping software and mailing technologies used in everyday shipping centers. The company claims more than 600,000 clients worldwide and posted $1.9 billion in revenue in 2025.

ShinyHunters has been on a tear in recent weeks, with HIBP tracking and verifying the group's claims as they land. Confirmed cases include Grand Theft Auto developer Rockstar Games and physical security giant ADT, while the list of companies it claims to have attacked is considerably longer.

In just the past week, the cybercrime collective has claimed responsibility for attacks on the likes of Udemy, Carnival Cruises, and the Asian Football Confederation, allegedly leaking tens of thousands of professional footballers' personal information and document scans. The Register asked the Asian Football Confederation for comment yesterday, though it has yet to respond.

Prior to the latest wave of breaches, ShinyHunters was also behind the attacks on Match Group and Dutch telco Odido. The group also told The Register in March that it accessed the data belonging to nearly 400 companies via a Salesforce breach.

Some of you may remember that ShinyHunters was also (partly) behind the sprawling attacks on Salesloft Drift last year – as it worked in tandem with other crime crews as Scattered Lapsus$ Hunters – and hundreds more Salesforce customers later in 2025. ®

Updated to add on April 29, 2026: Pitney Bowes told The Register it had "identified unauthorized access to certain records in our Salesforce customer relationship management environment" on April 9. It said the intrusion happened the night before and "resulted from a phishing attack that compromised an employee email account."

The org told us: "We immediately secured the environment, revoked the compromised access, and engaged leading cybersecurity experts and law enforcement to support our investigation."

It confirmed: "The affected records relate to business customer accounts and contacts. Our investigation has found no evidence that the activity extended into other Pitney Bowes systems, and no indication that sensitive personal data was accessed. We have notified affected business customers directly."

Referring to the ShinyHunters threats, it said: "We are aware of claims made by a threat actor regarding the potential release of data. We are actively investigating these claims in coordination with cybersecurity experts and law enforcement and will continue to monitor for any evidence of data exposure.

"We have implemented additional access controls, expanded monitoring, and are conducting targeted employee training. We will update our customers on material developments as the investigation continues."
Category: Viruses and Worms

Student Loan Breach Exposes 2.5M Records

VirusList.com - 31 August 2022 - 14:57
2.5 million people were affected, in a breach that could spell more trouble down the line.
Category: Viruses and Worms

Watering Hole Attacks Push ScanBox Keylogger

VirusList.com - 30 August 2022 - 18:00
Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.
Category: Viruses and Worms

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

VirusList.com - 29 August 2022 - 16:56
Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.
Category: Viruses and Worms

Ransomware Attacks are on the Rise

VirusList.com - 26 August 2022 - 18:44
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
Category: Viruses and Worms

Cybercriminals Are Selling Access to Chinese Surveillance Cameras

VirusList.com - 25 August 2022 - 20:47
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
Category: Viruses and Worms