Google brings Auto Browse and Skills to Chrome Enterprise – and a new ‘Gemini Summary’

Chrome Enterprise is turning into more of an AI workspace, with task automation, one-click workflows, and new IT security controls.

Latest news – ​Read More

Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens.
The supply chain worm has been detected by both Socket and StepSecurity, with the companies tracking the activity under the name CanisterSprawl owing to the use of an ICP canister to exfiltrate the stolen data

The Hacker News – ​Read More

Targeting developers: real-world cases, tactics, and defense strategies | Kaspersky official blog

Lately, hackers have been turning up the heat on software developers. On the surface, this might seem like a puzzling move — why go after someone who’s literally paid to understand tech when there are plenty of less-savvy targets in the office? As it turns out, compromising a developer’s machine offers a much bigger payoff for an attacker.

Why developers are such high-value targets

For starters, compromising a coder’s workstation can give attackers a direct line to source code, credentials, authentication tokens, or even the entire development infrastructure. If the company builds software for others, a hijacked dev environment allows attackers to launch a massive supply chain attack, using the company’s products to infect its customer base. If the developer works on internal services, their machine becomes a perfect beachhead for lateral movement, allowing hackers to spread deeper into the corporate network.

Even when attackers are purely chasing cryptocurrency (and let’s face it, tech pros are much more likely to hold crypto than the average person), the malware used in these hits doesn’t just swap out wallet addresses; it vacuums up every scrap of valuable data it can find — especially those login credentials and session tokens. Even if the original attackers don’t care about corporate access, they can easily flip those credentials to initial access brokers or more specialized threat actors on the dark web.

Why developers are sitting ducks

In practice, developers aren’t nearly as good at understanding cyberthreats and spotting social engineering as they think they are. This misconception is a big reason why they often fall prey to cybercriminals. Professional expertise can often create a false sense of digital invincibility. This often leads technical professionals to cut corners on security protocols, bypass restrictions set by the security team, or even disable security software on their corporate machines when it gets in the way of their workflow. That mindset, combined with a job that requires them to constantly download and run third-party code, makes them sitting ducks for cyberattackers.

Attack vectors targeting developers

Once an attacker sets their sights on a software engineer, their go-to move is usually finding a way to slip malicious code onto the machine. But that’s just the tip of the iceberg — hackers are also masters at rebranding classic, battle-tested tactics.

Compromising open-source packages

One of the most common ways to hit a developer is by poisoning open-source software. We’ve seen a flood of these attacks over the past year. A prime example hit in March 2026, when attackers managed to inject malicious code into LiteLLM, a popular Python library hosted in the PyPI repository. Because this library acts as a versatile gateway for connecting various AI agents, it’s baked into a massive number of projects. These trojanized versions of LiteLLM delivered scripts designed to hunt for credentials across the victim’s system. Once stolen, that data serves as a skeleton key for attackers to infiltrate any company that was unlucky enough to download the infected packages.

Malware hidden in technical assignments

Every so often, attackers post enticing job openings for developers, complete with take-home test assignments that are laced with malicious code. For instance, in late February 2026, malicious actors pushed out web application projects built on Next.js via several malicious repositories, framing them as coding tests. Once a developer cloned the repo and fired up the project locally, a script would trigger automatically to download and install a backdoor. The attackers gained full remote access to the developer’s machine.

Fake development tools

Recently, our experts described an attack where hackers used paid search-engine ads to push malware disguised as popular AI tools. One of the primary baits was Claude Code, an AI coding assistant. This campaign specifically targeted developers looking for a way to use AI-assistants under the radar, without getting the green light from their company’s infosec team. The ads directed users to a malicious site that perfectly mimicked the official Claude Code documentation. It even included “installation instructions”, which prompted the user to copy and run a command. In reality, running that command installed an infostealer that harvested credentials and shuttled them off to a remote server.

Social engineering tactics

That said, attackers often stick to the basics when trying to plant malware. A recent investigation into a compromised npm package — Axios — revealed that hackers had gained access to a maintainer’s system using a shockingly simple “outdated software” ruse. The attackers reached out to the Axios repository maintainer while posing as the founder of a well-known company. After some back-and-forth, they invited him to a video interview. When the developer tried to join the meeting on what looked like Microsoft Teams, he hit a fake notification claiming his software was out of date and needed an immediate update. That “update” was actually a Remote Access Trojan, giving the attackers access to his machine.

Niche spam

Sometimes, even a blast of fake notifications does the trick, especially when it’s tailored to the audience. For example, just recently, attackers were caught posting fake alerts in the Discussions tabs of various GitHub projects, claiming there was a critical vulnerability in Visual Studio Code that required an immediate update. Because developers subscribed to those discussions received these alerts directly via email, the notifications looked like legitimate security warnings. Of course, the link in the message didn’t lead to an official patch; it pointed to a “fixed” version of VS Code that was actually laced with malware.

How to safeguard an organization

To minimize the risk of a breach, companies should lean into the following best practices:

Kaspersky official blog – ​Read More

French police arrest suspected hacker behind dozens of data breaches

French authorities have arrested a suspected hacker believed to be behind dozens of data breaches targeting public institutions, sports federations and private organizations across the country.

The Record from Recorded Future News – ​Read More

Cosmetics giant Rituals confirms data breach of customer membership records

The cosmetics retailer, which counts 41 million customers in its membership data, declined to provide an accurate total number of customers affected.

Security News | TechCrunch – ​Read More

AI Tools Are Helping Mediocre North Korean Hackers Steal Millions

One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months.

Security Latest – ​Read More

An AI app prepares me for my day now – and I’ve never been more organized

The free Huxe app combines your important events and emails with the news to create a personalized morning briefing. I’m finding it seriously useful and addictive.

Latest news – ​Read More

Mustang Panda Hits India and S. Korea with Updated LOTUSLITE Backdoor

Acronis reveals Mustang Panda is using a new LOTUSLITE backdoor to target Indian banks and Korean diplomats. Learn how this DLL sideloading attack works.

Hackread – Cybersecurity News, Data Breaches, AI and More – ​Read More

UK government says 100 countries have spyware that can hack people’s phones

The U.K.’s cybersecurity chief warned that U.K. businesses and critical infrastructure are underestimating the threat from spyware attacks and other cyberthreats, with more governments having access to the powerful surveillance technology than ever.

Security News | TechCrunch – ​Read More

More Attack Context for Faster Triage, Response, and Hunting. Now Available to Every SOC 

ANY.RUN has expanded access to Threat Intelligence capabilities for SOC and MSSP teams, backed by live attack data from 15,000 organizations. 

Here’s how your team can test TI’s impact on triage quality, response speed, and threat hunting workflows. 

See How Threat Intelligence Accelerates Your SOC 

ANY.RUN now offers 20 premium requests in Threat Intelligence Lookup and YARA Search as part of the Free plan.  

You can get immediate threat context for over 40 types of IOCs, IOBs, and IOAs belonging to the latest malware & phishing attacks. All data is sourced from real sandbox investigations by ANY.RUN’s community of 15,000 organizations and 600,000 security analysts and experts. 

AI assistant interprets a lookup request in natural language, helps select sandbox analyses of malware using a TTP

AI-assisted search is available directly in the query flow, allowing analysts to use natural language and move from question to results without manual query building. 

With this expanded access, SOC and MSSP teams can explore Threat Intelligence capabilities in their workflows and see how it affects core SOC processes for faster and more confident operations

  • Reduce triage time: Validate alerts against ANY.RUN’s threat database to get immediate verdicts, full context, and access to related samples and activity. 
  • Improve response accuracy: Pivot from a single indicator to connected infrastructure, artifacts, and behavior to understand how the attack unfolds and what else needs containment. 
  • Run more effective threat hunts: Test hypotheses against live attack data, find related samples with YARA Search, and confirm relevance before expanding the hunt. 
  • Build detections based on real attacks: Use discovered patterns and artifacts to create or refine detections aligned with current malware and phishing activity. 

This directly impacts key SOC metrics, including reduced time per investigation, lower escalation rates, and faster Mean Time to Respond. 

Accelerate security workflows for faster triage & response.
Test Threat Intelligence in your SOC or MSSP.



Contact us


AI Search for Streamlined Investigations 

To speed up investigations and simplify how analysts work with Threat Intelligence, TI Lookup now includes AI-assisted search directly in the search bar.  

AI Search suggesting a lookup parameter

Analysts can use natural language to query data, while the system automatically translates requests into structured queries with the correct parameters and wildcards. 

This removes time spent on query construction and reduces friction in the workflow. Analysts move faster from alert to context, run more queries in less time, and get consistent results without additional steps. 

Fueling Core SOC Workflows 

Threat intelligence becomes truly valuable when it integrates into everyday operations. Here’s how it reinforces the three pillars of any SOC. 

1. Triage: From Guesswork to Confident Decisions 

Alert volume is the defining operational challenge for most SOC teams. The ability to validate an alert quickly and to make a confident decision about whether to close it or escalate directly determines how efficiently a team can operate. 

With ANY.RUN’s threat intelligence, analysts can immediately check an incoming indicator against a broad base of real-world attack data. Known-malicious infrastructure, recognized malware patterns, and previously documented campaigns can be matched in seconds. This means: 

  • Faster, evidence-backed decisions on alert validity; 
  • measurable reduction in the percentage of escalations driven by uncertainty rather than confirmed risk; 
  • Lower analyst cognitive load during high-volume periods. 

destinationIP:”198.37.119.56″ 

Quick verdict on the suspicious IP, campaign relations, infrastructure, and IOCs

Analysts spend less time on inconclusive alerts and more time on confirmed threats. With documented context to support every decision. 

2. Response: Seeing the Bigger Picture 

Once an incident is confirmed, speed and precision matter. The quality of the response depends on how well the team understands the threat: its connections, its infrastructure, its behavioral patterns, and its likely next moves. Two clicks in TI Lookup search results cited above take your analyst to a sandbox session of malware detonation and attack chain exposure:  

Move from TI Lookup results to sandbox analyses exposing malware’s behavior

ANY.RUN’s threat intelligence enables response teams to map the relationships between indicators and the broader campaigns or actor groups behind them. Shared infrastructure, overlapping TTPs, and connected artifacts can be identified quickly, giving responders a structural understanding of what they are dealing with, not just a list of individual indicators. 

This translates into: 

  • More complete scoping of incidents, with fewer blind spots; 
  • Targeted containment and remediation actions grounded in evidence; 
  • Higher confidence in response decisions

Overreaction and underreaction are reduced at the same time. The response becomes targeted, not reactive. 

3. Threat Hunting: Testing Hypotheses Against Reality 

Proactive threat hunting requires the ability to test hypotheses against real-world data. Analysts need to move from a suspicion about adversary behavior to a confirmed or refuted finding with enough evidence to act. 

ANY.RUN’s threat intelligence gives hunters access to a rich, searchable base of behavioral data from real-world malware analysis. Campaign linkages, attacker infrastructure patterns, and behavioral signatures can all be researched in depth.  

YARA Search accumulating artifacts and sandbox analyses

YARA Rules Search adds a further dimension, allowing hunters to build and validate detection logic against current threat data. 

The result is a hunting capability that is grounded in current, real-world evidence rather than theoretical models. It enables teams to find genuine threats and build detection coverage that reflects how adversaries actually behave. Hunting shifts from speculative to evidence-driven. 

How Threat Intelligence Impacts Your Business Outcomes  

Behind every alert, investigation, and response action, there is a business impact quietly accumulating. 

For Security Operations Teams (SOCs & MSSPs):

  • Alert validation accelerates, reducing the time from detection to decision. 
  • Fewer escalations are driven by uncertainty; each escalation carries stronger evidentiary weight. 
  • Investigation time decreases as analysts access contextualized data without pivoting between tools. 
  • Analyst confidence improves, reducing the hesitation that slows response in high-pressure situations 

For the Organization:

  • Incident costs fall when threats are understood accurately and responded to precisely. 
  • Faster response timelines limit attacker dwell time and reduce the scope of potential damage. 
  • The risk of missing significant threats decreases as detection and investigation are backed by broad, current intelligence. 
  • Security investments deliver more measurable returns when team capacity is focused on real, confirmed risk. 

Scale SOC Performance with Full Access to Threat Intelligence from ANY.RUN 

The Free plan is a genuine starting point: a full-capability evaluation that lets teams verify the value of ANY.RUN’s intelligence on real workflows. For organizations ready to operationalize threat intelligence at scale, ANY.RUN offers paid plans designed for different operational needs. 

ANY.RUN’s TI plans & pricing

These include Live, Core, and Complete plans, allowing teams to choose the level of access and integration that fits their workflows and scale.  

Across these plans, organizations can leverage the full set of threat intelligence capabilities, including:  

1. Threat Intelligence Feeds 

Continuous streams of validated indicators enriched with behavioral context from the sandbox analyses, delivered directly into SIEM, EDR, IDS/IPS, and SOAR systems. This enables automated enrichment and faster detection pipelines. 

2. Threat Intelligence Reports: full access 

Structured analyses of active campaigns, malware families, and attacker techniques. These reports provide ready-to-use insights for both operational response and strategic planning.  

TI Reports: most pressing threats, most dangerous APTs

Close blind spots and reduce exposure to critical incidents.
Integrate ANY.RUN’s Threat Intelligence in your SOC.
 



Contact us


What makes them particularly useful in operations: 

  • Clear breakdowns of campaigns, including tactics, techniques, and procedures
  • Context around how attacks unfold in real environments
  • Indicators and infrastructure tied together into meaningful clusters
  • Ready-to-use insights that support both immediate response and long-term defense

Reports act as a bridge between raw telemetry and strategic understanding. They help teams not only react faster, but also recognize patterns before they escalate into incidents. 

3. Threat Landscape 

A contextual layer that maps threats to industries and geographies, helping organizations understand where specific risks are most relevant to their business. 

threatName:”vidar” 

Lookup shows: Vidar trojan now targeting education, government, IT, and telecom in Europe and Americas 

Together, these capabilities support key business objectives: 

  • Reducing mean time to detect and respond (MTTD/MTTR); 
  • Lowering operational costs of incident handling; 
  • Improving analyst efficiency and capacity utilization; 
  • Strengthening risk management and compliance posture. 
ANY.RUN TI plans

The result is a measurable improvement in how security operations contribute to overall business resilience. 

Final Thoughts

The gap between threat detection and effective response is not primarily a technology problem. It is a data problem. When analysts have access to rich, current, contextual intelligence at the moment they need it, decisions improve and outcomes follow. 

ANY.RUN’s unified threat intelligence — TI Lookup, TI Feeds, TI Reports, and YARA Search, all powered by real sandbox data from 15,000 organizations — gives SOC and MSSP teams that foundation. The free plan removes the evaluation barrier: any team can run it through real workflows, on real alerts, before committing to anything. 

For teams that operationalize it, the cumulative effect is a SOC that is measurably faster, more accurate, and more confident — and an organization that is measurably harder to compromise and cheaper to defend. 

About ANY.RUN   

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.   

It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.   

ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls. 

What is included in the expanded entry-level plan?

It includes 20 investigations in Threat Intelligence Lookup with AI-assisted search, access to YARA search, and the free Threat Intelligence Reports to evaluate real workflows.

How is this different from a typical trial?

It is not a limited demo. It allows teams to test threat intelligence directly within their SOC processes, using real alerts and investigations.

What data powers ANY.RUN’s threat intelligence?

It is generated from real-world malware analyses in the ANY.RUN Interactive Sandbox, enriched with behavioral data, infrastructure links, and campaign context.

How does AI search help analysts?

It simplifies query building by translating intent into structured search parameters, reducing time spent on syntax and accelerating investigations.

Can this be integrated into existing security infrastructure?

Yes, paid plans support integration with SIEM, SOAR, and other security systems, enabling automated workflows and enrichment.

Who is this most relevant for?

SOC teams, MSSPs, and security leaders who want to improve decision speed, reduce uncertainty, and lower incident response costs.

The post More Attack Context for Faster Triage, Response, and Hunting. Now Available to Every SOC  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More