Google brings Auto Browse and Skills to Chrome Enterprise – and a new ‘Gemini Summary’
Chrome Enterprise is turning into more of an AI workspace, with task automation, one-click workflows, and new IT security controls.
Latest news – Read More
Chrome Enterprise is turning into more of an AI workspace, with task automation, one-click workflows, and new IT security controls.
Latest news – Read More
Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens.
The supply chain worm has been detected by both Socket and StepSecurity, with the companies tracking the activity under the name CanisterSprawl owing to the use of an ICP canister to exfiltrate the stolen data
The Hacker News – Read More
Lately, hackers have been turning up the heat on software developers. On the surface, this might seem like a puzzling move — why go after someone who’s literally paid to understand tech when there are plenty of less-savvy targets in the office? As it turns out, compromising a developer’s machine offers a much bigger payoff for an attacker.
For starters, compromising a coder’s workstation can give attackers a direct line to source code, credentials, authentication tokens, or even the entire development infrastructure. If the company builds software for others, a hijacked dev environment allows attackers to launch a massive supply chain attack, using the company’s products to infect its customer base. If the developer works on internal services, their machine becomes a perfect beachhead for lateral movement, allowing hackers to spread deeper into the corporate network.
Even when attackers are purely chasing cryptocurrency (and let’s face it, tech pros are much more likely to hold crypto than the average person), the malware used in these hits doesn’t just swap out wallet addresses; it vacuums up every scrap of valuable data it can find — especially those login credentials and session tokens. Even if the original attackers don’t care about corporate access, they can easily flip those credentials to initial access brokers or more specialized threat actors on the dark web.
In practice, developers aren’t nearly as good at understanding cyberthreats and spotting social engineering as they think they are. This misconception is a big reason why they often fall prey to cybercriminals. Professional expertise can often create a false sense of digital invincibility. This often leads technical professionals to cut corners on security protocols, bypass restrictions set by the security team, or even disable security software on their corporate machines when it gets in the way of their workflow. That mindset, combined with a job that requires them to constantly download and run third-party code, makes them sitting ducks for cyberattackers.
Once an attacker sets their sights on a software engineer, their go-to move is usually finding a way to slip malicious code onto the machine. But that’s just the tip of the iceberg — hackers are also masters at rebranding classic, battle-tested tactics.
One of the most common ways to hit a developer is by poisoning open-source software. We’ve seen a flood of these attacks over the past year. A prime example hit in March 2026, when attackers managed to inject malicious code into LiteLLM, a popular Python library hosted in the PyPI repository. Because this library acts as a versatile gateway for connecting various AI agents, it’s baked into a massive number of projects. These trojanized versions of LiteLLM delivered scripts designed to hunt for credentials across the victim’s system. Once stolen, that data serves as a skeleton key for attackers to infiltrate any company that was unlucky enough to download the infected packages.
Every so often, attackers post enticing job openings for developers, complete with take-home test assignments that are laced with malicious code. For instance, in late February 2026, malicious actors pushed out web application projects built on Next.js via several malicious repositories, framing them as coding tests. Once a developer cloned the repo and fired up the project locally, a script would trigger automatically to download and install a backdoor. The attackers gained full remote access to the developer’s machine.
Recently, our experts described an attack where hackers used paid search-engine ads to push malware disguised as popular AI tools. One of the primary baits was Claude Code, an AI coding assistant. This campaign specifically targeted developers looking for a way to use AI-assistants under the radar, without getting the green light from their company’s infosec team. The ads directed users to a malicious site that perfectly mimicked the official Claude Code documentation. It even included “installation instructions”, which prompted the user to copy and run a command. In reality, running that command installed an infostealer that harvested credentials and shuttled them off to a remote server.
That said, attackers often stick to the basics when trying to plant malware. A recent investigation into a compromised npm package — Axios — revealed that hackers had gained access to a maintainer’s system using a shockingly simple “outdated software” ruse. The attackers reached out to the Axios repository maintainer while posing as the founder of a well-known company. After some back-and-forth, they invited him to a video interview. When the developer tried to join the meeting on what looked like Microsoft Teams, he hit a fake notification claiming his software was out of date and needed an immediate update. That “update” was actually a Remote Access Trojan, giving the attackers access to his machine.
Sometimes, even a blast of fake notifications does the trick, especially when it’s tailored to the audience. For example, just recently, attackers were caught posting fake alerts in the Discussions tabs of various GitHub projects, claiming there was a critical vulnerability in Visual Studio Code that required an immediate update. Because developers subscribed to those discussions received these alerts directly via email, the notifications looked like legitimate security warnings. Of course, the link in the message didn’t lead to an official patch; it pointed to a “fixed” version of VS Code that was actually laced with malware.
To minimize the risk of a breach, companies should lean into the following best practices:
Kaspersky official blog – Read More
French authorities have arrested a suspected hacker believed to be behind dozens of data breaches targeting public institutions, sports federations and private organizations across the country.
The Record from Recorded Future News – Read More
The cosmetics retailer, which counts 41 million customers in its membership data, declined to provide an accurate total number of customers affected.
Security News | TechCrunch – Read More
One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months.
Security Latest – Read More
The free Huxe app combines your important events and emails with the news to create a personalized morning briefing. I’m finding it seriously useful and addictive.
Latest news – Read More
Acronis reveals Mustang Panda is using a new LOTUSLITE backdoor to target Indian banks and Korean diplomats. Learn how this DLL sideloading attack works.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
The U.K.’s cybersecurity chief warned that U.K. businesses and critical infrastructure are underestimating the threat from spyware attacks and other cyberthreats, with more governments having access to the powerful surveillance technology than ever.
Security News | TechCrunch – Read More
ANY.RUN has expanded access to Threat Intelligence capabilities for SOC and MSSP teams, backed by live attack data from 15,000 organizations.
Here’s how your team can test TI’s impact on triage quality, response speed, and threat hunting workflows.
ANY.RUN now offers 20 premium requests in Threat Intelligence Lookup and YARA Search as part of the Free plan.
You can get immediate threat context for over 40 types of IOCs, IOBs, and IOAs belonging to the latest malware & phishing attacks. All data is sourced from real sandbox investigations by ANY.RUN’s community of 15,000 organizations and 600,000 security analysts and experts.

AI-assisted search is available directly in the query flow, allowing analysts to use natural language and move from question to results without manual query building.
With this expanded access, SOC and MSSP teams can explore Threat Intelligence capabilities in their workflows and see how it affects core SOC processes for faster and more confident operations:
This directly impacts key SOC metrics, including reduced time per investigation, lower escalation rates, and faster Mean Time to Respond.
To speed up investigations and simplify how analysts work with Threat Intelligence, TI Lookup now includes AI-assisted search directly in the search bar.

Analysts can use natural language to query data, while the system automatically translates requests into structured queries with the correct parameters and wildcards.
This removes time spent on query construction and reduces friction in the workflow. Analysts move faster from alert to context, run more queries in less time, and get consistent results without additional steps.
Threat intelligence becomes truly valuable when it integrates into everyday operations. Here’s how it reinforces the three pillars of any SOC.
Alert volume is the defining operational challenge for most SOC teams. The ability to validate an alert quickly and to make a confident decision about whether to close it or escalate directly determines how efficiently a team can operate.
With ANY.RUN’s threat intelligence, analysts can immediately check an incoming indicator against a broad base of real-world attack data. Known-malicious infrastructure, recognized malware patterns, and previously documented campaigns can be matched in seconds. This means:

Analysts spend less time on inconclusive alerts and more time on confirmed threats. With documented context to support every decision.
Once an incident is confirmed, speed and precision matter. The quality of the response depends on how well the team understands the threat: its connections, its infrastructure, its behavioral patterns, and its likely next moves. Two clicks in TI Lookup search results cited above take your analyst to a sandbox session of malware detonation and attack chain exposure:

ANY.RUN’s threat intelligence enables response teams to map the relationships between indicators and the broader campaigns or actor groups behind them. Shared infrastructure, overlapping TTPs, and connected artifacts can be identified quickly, giving responders a structural understanding of what they are dealing with, not just a list of individual indicators.
This translates into:
Overreaction and underreaction are reduced at the same time. The response becomes targeted, not reactive.
Proactive threat hunting requires the ability to test hypotheses against real-world data. Analysts need to move from a suspicion about adversary behavior to a confirmed or refuted finding with enough evidence to act.
ANY.RUN’s threat intelligence gives hunters access to a rich, searchable base of behavioral data from real-world malware analysis. Campaign linkages, attacker infrastructure patterns, and behavioral signatures can all be researched in depth.

YARA Rules Search adds a further dimension, allowing hunters to build and validate detection logic against current threat data.
The result is a hunting capability that is grounded in current, real-world evidence rather than theoretical models. It enables teams to find genuine threats and build detection coverage that reflects how adversaries actually behave. Hunting shifts from speculative to evidence-driven.
Behind every alert, investigation, and response action, there is a business impact quietly accumulating.
The Free plan is a genuine starting point: a full-capability evaluation that lets teams verify the value of ANY.RUN’s intelligence on real workflows. For organizations ready to operationalize threat intelligence at scale, ANY.RUN offers paid plans designed for different operational needs.

These include Live, Core, and Complete plans, allowing teams to choose the level of access and integration that fits their workflows and scale.
Across these plans, organizations can leverage the full set of threat intelligence capabilities, including:
1. Threat Intelligence Feeds
Continuous streams of validated indicators enriched with behavioral context from the sandbox analyses, delivered directly into SIEM, EDR, IDS/IPS, and SOAR systems. This enables automated enrichment and faster detection pipelines.
2. Threat Intelligence Reports: full access
Structured analyses of active campaigns, malware families, and attacker techniques. These reports provide ready-to-use insights for both operational response and strategic planning.

What makes them particularly useful in operations:
Reports act as a bridge between raw telemetry and strategic understanding. They help teams not only react faster, but also recognize patterns before they escalate into incidents.
3. Threat Landscape
A contextual layer that maps threats to industries and geographies, helping organizations understand where specific risks are most relevant to their business.

Together, these capabilities support key business objectives:

The result is a measurable improvement in how security operations contribute to overall business resilience.
The gap between threat detection and effective response is not primarily a technology problem. It is a data problem. When analysts have access to rich, current, contextual intelligence at the moment they need it, decisions improve and outcomes follow.
ANY.RUN’s unified threat intelligence — TI Lookup, TI Feeds, TI Reports, and YARA Search, all powered by real sandbox data from 15,000 organizations — gives SOC and MSSP teams that foundation. The free plan removes the evaluation barrier: any team can run it through real workflows, on real alerts, before committing to anything.
For teams that operationalize it, the cumulative effect is a SOC that is measurably faster, more accurate, and more confident — and an organization that is measurably harder to compromise and cheaper to defend.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
It includes 20 investigations in Threat Intelligence Lookup with AI-assisted search, access to YARA search, and the free Threat Intelligence Reports to evaluate real workflows.
It is not a limited demo. It allows teams to test threat intelligence directly within their SOC processes, using real alerts and investigations.
It is generated from real-world malware analyses in the ANY.RUN Interactive Sandbox, enriched with behavioral data, infrastructure links, and campaign context.
It simplifies query building by translating intent into structured search parameters, reducing time spent on syntax and accelerating investigations.
Yes, paid plans support integration with SIEM, SOAR, and other security systems, enabling automated workflows and enrichment.
SOC teams, MSSPs, and security leaders who want to improve decision speed, reduce uncertainty, and lower incident response costs.
The post More Attack Context for Faster Triage, Response, and Hunting. Now Available to Every SOC appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More