Save big on gaming laptops, Switch 2 consoles, and more during Best Buy’s Tech Fest sale

Can’t wait until Amazon’s Big Spring Sale to upgrade your gaming setup? Now at Best Buy, you can save hundreds on gaming laptops, consoles, and more.

Latest news – Read More

Oasis Security Raises $120 Million for Agentic Access Management

The company will invest in R&D, product expansion across AI frameworks, and in scaling go-to-market and sales efforts.

SecurityWeek – Read More

Meta’s rogue AI agent passed every identity check — four gaps in enterprise IAM explain why

A rogue AI agent at Meta took action without approval and exposed sensitive company and user data to employees who were not authorized to access it. Meta confirmed the incident to The Information on March 18 but said no user data was ultimately mishandled. The exposure still triggered a major security alert internally.

The available evidence suggests the failure occurred after authentication, not during it. The agent held valid credentials, operated inside authorized boundaries, and passed every identity check.

Summer Yue, director of alignment at Meta Superintelligence Labs, described a different but related failure in a viral post on X last month. She asked an OpenClaw agent to review her email inbox with clear instructions to confirm before acting.

The agent began deleting emails on its own. Yue sent it “Do not do that,” then “Stop don’t do anything,” then “STOP OPENCLAW.” It ignored every command. She had to physically rush to another device to halt the process.

When asked if she had been testing the agent’s guardrails, Yue was blunt. “Rookie mistake tbh,” she replied. “Turns out alignment researchers aren’t immune to misalignment.” (VentureBeat could not independently verify the incident.)

Yue blamed context compaction. The agent’s context window shrank and dropped her safety instructions.

The March 18 Meta exposure hasn’t been publicly explained at a forensic level yet.

Both incidents share the same structural problem for security leaders. An AI agent operated with privileged access, took actions its operator did not approve, and the identity infrastructure had no mechanism to intervene after authentication succeeded.

The agent held valid credentials the entire time. Nothing in the identity stack could distinguish an authorized request from a rogue one after authentication succeeded.

Security researchers call this pattern the confused deputy. An agent with valid credentials executes the wrong instruction, and every identity check says the request is fine. That is one failure class inside a broader problem: post-authentication agent control does not exist in most enterprise stacks.

Four gaps make this possible.

  1. No inventory of which agents are running.

  2. Static credentials with no expiration.

  3. Zero intent validation after authentication succeeds.

  4. Agents delegating to other agents with no mutual verification.

Four vendors shipped controls against these gaps in recent months. The governance matrix below maps all four layers to the five questions a security leader brings to the board before RSAC opens Monday.

Why the Meta incident changes the calculus

The confused deputy, a trusted program with high privileges tricked into misusing its own authority, is the sharpest version of this problem. But the broader failure class includes any scenario where an agent with valid access takes actions that its operator did not authorize. Adversarial manipulation, context loss, and misaligned autonomy all share the same identity gap. Nothing in the stack validates what happens after authentication succeeds.

Elia Zaitsev, CTO of CrowdStrike, described the underlying pattern in an exclusive interview with VentureBeat. Traditional security controls assume trust once access is granted and lack visibility into what happens inside live sessions, Zaitsev said. The identities, roles, and services attackers use are indistinguishable from legitimate activity at the control plane.

The 2026 CISO AI Risk Report from Saviynt (n=235 CISOs) found 47% observed AI agents exhibiting unintended or unauthorized behavior. Only 5% felt confident they could contain a compromised AI agent. Read those two numbers together. AI agents already function as a new class of insider risk, holding persistent credentials and operating at machine scale.

Three findings from a single report — Cloud Security Alliance and Oasis Security’s survey of 383 IT and security professionals — frame the scale of the problem: 79% have moderate or low confidence in preventing NHI-based attacks, 92% lack confidence that their legacy IAM tools can manage AI and NHI risks specifically, and 78% have no documented policies for creating or removing AI identities.

The attack surface is not hypothetical. CVE-2026-27826 and CVE-2026-27825 hit mcp-atlassian in late February with SSRF and arbitrary file write through the trust boundaries the Model Context Protocol (MCP) creates by design. mcp-atlassian has over 4 million downloads, according to Pluto Security’s disclosure. Anyone on the same local network could execute code on the victim’s machine by sending two HTTP requests. No authentication required.

Jake Williams, a faculty member at IANS Research, has been direct about the trajectory. MCP will be the defining AI security issue of 2026, he told the IANS community, warning that developers are building authentication patterns that belong in introductory tutorials, not enterprise applications.

Four vendors shipped AI agent identity controls in recent months. Nobody mapped them into one governance framework. The matrix below does.

The four-layer identity governance matrix

None of these four vendors replaces a security leader’s existing IAM stack. Each closes a specific identity gap that legacy IAM cannot see. Other vendors, including CyberArk, Oasis Security, and Astrix, ship relevant NHI controls; this matrix focuses on the four that most directly map to the post-authentication failure class the Meta incident exposed. [runtime enforcement] means inline controls active during agent execution.

Governance Layer: Agent Discovery
Should Be in Place: Real-time inventory of every agent, its credentials, and its systems.
Risk If Not: Shadow agents with inherited privileges nobody audited. Enterprise shadow AI deployment rates continue to climb as employees adopt agent tools without IT approval.
Who Ships It Now: CrowdStrike Falcon Shield [runtime]: AI agent inventory across SaaS platforms. Palo Alto Networks AI-SPM [runtime]: continuous AI asset discovery. Erik Trexler, Palo Alto Networks SVP: “The collapse between identity and attack surface will define 2026.”
Vendor Question: Which agents are running that we did not provision?

Governance Layer: Credential Lifecycle
Should Be in Place: Ephemeral scoped tokens, automatic rotation, zero standing privileges.
Risk If Not: Static key stolen = permanent access at full permissions. Long-lived API keys give attackers persistent access indefinitely. Non-human identities already outnumber humans by wide margins — Palo Alto Networks cited 82-to-1 in its 2026 predictions, the Cloud Security Alliance 100-to-1 in its March 2026 cloud assessment.
Who Ships It Now: CrowdStrike SGNL [runtime]: zero standing privileges, dynamic authorization across human/NHI/agent. Acquired January 2026 (expected to close FQ1 2027). Danny Brickman, CEO of Oasis Security: “AI turns identity into a high-velocity system where every new agent mints credentials in minutes.”
Vendor Question: Any agent authenticating with a key older than 90 days?

Governance Layer: Post-Auth Intent
Should Be in Place: Behavioral validation that authorized requests match legitimate intent.
Risk If Not: The agent passes every check and executes the wrong instruction through the sanctioned API. The Meta failure pattern. Legacy IAM has no detection category for this.
Who Ships It Now: SentinelOne Singularity Identity [runtime]: identity threat detection and response across human and non-human activity, correlating identity, endpoint, and workload signals to detect misuse inside authorized sessions. Jeff Reed, CTO: “Identity risk no longer begins and ends at authentication.” Launched Feb 25.
Vendor Question: What validates intent between authentication and action?

Governance Layer: Threat Intelligence
Should Be in Place: Agent-specific attack pattern recognition, behavioral baselines for agent sessions.
Risk If Not: Attack inside an authorized session. No signature fires. SOC sees normal traffic. Dwell time extends indefinitely.
Who Ships It Now: Cisco AI Defense [runtime]: agent-specific threat patterns. Lavi Lazarovitz, CyberArk VP of cyber research: “Think of AI agents as a new class of digital coworkers” that “make decisions, learn from their environment, and act autonomously.” Your EDR baselines human behavior. Agent behavior is harder to distinguish from legitimate automation.
Vendor Question: What does a confused deputy look like in our telemetry?

The matrix reveals a progression. Discovery and credential lifecycle are closable now with shipping products. Post-authentication intent validation is partially closable. SentinelOne detects identity threats across human and non-human activity after access is granted, but no vendor fully validates whether the instruction behind an authorized request matches legitimate intent. Cisco provides the threat intelligence layer, but detection signatures for post-authentication agent failures barely exist. SOC teams trained on human behavior baselines face agent traffic that is faster, more uniform, and harder to distinguish from legitimate automation.

The gap that remains architecturally open

No major security vendor ships mutual agent-to-agent authentication as a production product. Protocols, including Google’s A2A and a March 2026 IETF draft, describe how to build it.

When Agent A delegates to Agent B, no identity verification happens between them. A compromised agent inherits the trust of every agent it communicates with. Compromise one through prompt injection, and it issues instructions to the entire chain using the trust of the legitimate agent already built. The MCP specification forbids token passthrough. Developers do it anyway. The OWASP February 2026 Practical Guide for Secure MCP Server Development cataloged the confused deputy as a named threat class. Production-grade controls have not caught up. This is the fifth question a security leader brings to the board.

What to do before your next board meeting

Inventory every AI agent and MCP server connection. Any agent authenticating with a static API key older than 90 days is a post-authentication failure waiting to happen.

Kill static API keys. Move every agent to scoped, ephemeral tokens with automatic rotation.

Deploy runtime discovery. You cannot audit the identity of an agent you do not know exists. Shadow deployment rates are climbing.

Test for confused deputy exposure. For every MCP server connection, check whether the server enforces per-user authorization or grants identical access to every caller. If every agent gets the same permissions regardless of who triggered the request, the confused deputy is already exploitable.

Bring the governance matrix to your next board meeting. Four controls deployed, one architectural gap documented, and procurement timeline attached.
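The checklist above can be turned into a repeatable audit. The following is an added example, not code from the VentureBeat article or from any vendor it names: it walks a constructed inventory of agents and flags, per governance layer, agents that were never provisioned, static API keys with no expiration or older than 90 days, MCP server connections that grant identical access to every caller, and agent-to-agent delegation with no verification step. The agent names, servers, dates, and the record layout (`Credential`, `McpConnection`, `Agent`) are all assumptions made for the example.

```python
"""Agent identity governance audit.

Added example (not from the article or any vendor product). It applies the
pre-board checklist to a constructed inventory: discovery, credential
lifecycle, confused-deputy exposure on MCP connections, and delegation.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

STALE_KEY_DAYS = 90  # threshold from the checklist: keys older than this are flagged


@dataclass
class Credential:
    kind: str                       # "static_api_key" or "ephemeral_token"
    issued: date
    expires: Optional[date] = None  # None means the credential never expires


@dataclass
class McpConnection:
    server: str
    per_user_authz: bool  # True if the server scopes access to the triggering user


@dataclass
class Agent:
    name: str
    provisioned: bool  # True if IT knowingly provisioned this agent
    credential: Credential
    mcp: List[McpConnection] = field(default_factory=list)
    delegates_to: List[str] = field(default_factory=list)
    verifies_delegates: bool = False  # mutual verification before delegating


Finding = Tuple[str, str, str]  # (agent name, governance layer, detail)


def audit(agents: List[Agent], today: date) -> List[Finding]:
    """Return one finding per gap, tagged with the governance layer it belongs to."""
    findings: List[Finding] = []
    for a in agents:
        # Layer 1: discovery. An agent nobody provisioned is a shadow agent.
        if not a.provisioned:
            findings.append((a.name, "discovery", "agent is running but was never provisioned"))
        # Layer 2: credential lifecycle. Static keys must expire and must not be stale.
        c = a.credential
        if c.kind == "static_api_key":
            age = (today - c.issued).days
            if c.expires is None:
                findings.append((a.name, "credential_lifecycle", "static key has no expiration"))
            if age > STALE_KEY_DAYS:
                findings.append((a.name, "credential_lifecycle",
                                 f"static key is {age} days old (>{STALE_KEY_DAYS})"))
        # Confused-deputy exposure: a server that ignores who triggered the request.
        for conn in a.mcp:
            if not conn.per_user_authz:
                findings.append((a.name, "confused_deputy",
                                 f"MCP server {conn.server} grants identical access to every caller"))
        # Fifth gap: delegation with no mutual agent-to-agent verification.
        if a.delegates_to and not a.verifies_delegates:
            findings.append((a.name, "delegation",
                             "delegates to " + ", ".join(a.delegates_to) + " with no mutual verification"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per governance layer, the shape a board-level matrix needs."""
    counts: Dict[str, int] = {}
    for _, layer, _ in findings:
        counts[layer] = counts.get(layer, 0) + 1
    return counts


# Constructed sample inventory; every name and date below is made up for the example.
TODAY = date(2026, 3, 20)
SAMPLE_AGENTS = [
    Agent("ticket-triage", provisioned=True,
          credential=Credential("static_api_key", issued=date(2025, 11, 1)),
          mcp=[McpConnection("example-issue-tracker-mcp", per_user_authz=False)],
          delegates_to=["summarizer"]),
    Agent("inbox-assistant", provisioned=False,
          credential=Credential("ephemeral_token", issued=date(2026, 3, 20),
                                expires=date(2026, 3, 21)),
          mcp=[McpConnection("example-mail-mcp", per_user_authz=True)]),
    Agent("summarizer", provisioned=True,
          credential=Credential("static_api_key", issued=date(2026, 2, 1),
                                expires=date(2026, 5, 1))),
]

if __name__ == "__main__":
    results = audit(SAMPLE_AGENTS, TODAY)
    for name, layer, detail in results:
        print(f"[{layer}] {name}: {detail}")
    print(summarize(results))
```

Feed the audit whatever your real inventory source exports (an IdP export, a secrets manager listing, MCP client configuration); the point of the `summarize` output is that it lines up one count per layer of the matrix, so the board sees which gaps are closed and which are still open.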

The identity stack you built for human employees catches stolen passwords and blocks unauthorized logins. It does not catch an AI agent following a malicious instruction through a legitimate API call with valid credentials.

The Meta incident proved that it is not theoretical. It happened at a company with one of the largest AI safety teams in the world. Four vendors shipped the first controls designed to find it. The fifth layer does not exist yet. Whether that changes your posture depends on whether you treat this matrix as a working audit instrument or skip past it in the vendor deck.

Security | VentureBeat – Read More

SSD prices have gone up, but this 8TB WD-Black option is 67% off at Best Buy right now

The AI industry is driving up prices for RAM and SSDs, but we found a great deal on the WD Black SN850P.

Latest news – Read More

You have to invite them in

Welcome to this week’s edition of the Threat Source newsletter. 

I found myself watching the Oscars ceremony in its entirety for the first time in a few years. I’m in the U.K., so I watched it the following day. With next week’s Year in Review launch looming and several pieces of content still to finalise, two hours of sleep didn’t seem like the best idea. 

My overriding thought from the ceremony was: How much poorer would this have been without “Sinners?” 

A purely original film (deservedly the winner of Best Original Screenplay), “Sinners” is set in 1932 in the Jim Crow-era Mississippi Delta. The storytelling is rooted in survival, connections to the past and the future, and cultural identity. And the music. Oh man, the music. 

It is also (mild spoiler warning) a vampire movie. 

Under the direction and quill of Ryan Coogler, the vampires take on an identity I haven’t seen before — they’re colonists. Some of them belong to the KKK. And they occasionally jig. 

In “Sinners,” they feed on vitality they can’t generate themselves. They circle a juke joint run by twin brothers Smoke and Stack, both played by (now Oscar winner) Michael B. Jordan in performances (emphasis on the plural) so clever and distinct you could almost believe they were played by different actors. 

My husband insists he enjoyed the film right up until the vampires appeared. After that, he says, it became less interesting. 

He is, of course, terribly and demonstrably wrong. 

Vampire stories are awesome. And they come with generally well-agreed rules: 

  • They despise garlic.
  • They’re not keen on fire or stakes through the heart.
  • They have to be invited in.

Cue the perilous segue to a security topic… 

In our upcoming 2025 Talos Year in Review, attacks on identity emerged as the dominant theme across multiple vectors. Attackers are not so much trying to batter down doors with noisy exploits. Increasingly, they’re looking to be invited in as a recognisable user. And once inside, their goal is to operate as if they own the place.  

Most organisations have boundaries. Segmentation. Authentication. But when consent is manipulated (e.g., through social engineering), the system can authorise the intrusion itself. 

One of the most common techniques we see involves attackers persuading victims to read out their multi-factor authentication request code in real time, often over the phone, posing as IT support or a trusted vendor. In other cases, adversary-in-the-middle phishing kits proxy the legitimate login page and capture the one-time code as it’s entered. 

The code is valid. 

The authentication succeeds. 

The session is issued. 

In 2025, nearly a third of MFA spray attacks targeted identity access management (IAM) applications. Add to that a 178% surge in fraudulent device registration events, and the trend is clear: Attackers are targeting the mechanisms that issue invitations in the first place. 

“We talkin’ numbers now. And numbers always gotta be in conversation with each other.” - Smoke

In vampire mythology, the barrier holds until someone inside grants entry. In cybersecurity, the same principle applies. Access is increasingly granted, not forced. 

If you want to understand how measurable that shift has become, our 2025 Year in Review will be available on Monday on the Talos blog.

The one big thing 

Late on Friday, Cisco Talos updated our blog on the developing situation in the Middle East. Talos assesses that the recent cyber attack on the medical equipment manufacturing firm, Stryker, likely represents an opportunistic compromise rather than a systematic shift toward targeting the health care sector specifically. Nevertheless, the broader threat landscape remains elevated due to ongoing military operations in Iran, necessitating that all organizations increase vigilance and strengthen their defensive capabilities against destructive cyber activity. 

Why do I care? 

Destructive malware, often leveraged by Iranian threat actors, can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Disruptive cyber attacks against organizations in a target country may unintentionally spill over to organizations in other countries. The broader threat landscape remains elevated across all sectors amid ongoing military operations in Iran. 

So now what? 

Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response for such an event. Defenders should ensure security fundamentals are being adhered to, such as robust patching for known vulnerabilities, visibility into end-of-sale (EOS)/end-of-life (EOL) devices in your network with a plan to upgrade, and requiring multi-factor authentication (MFA) for remote access and on critical services. Patches for critical vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment should be prioritized. Organizations can also implement a patch management program that enables a timely and thorough patching cycle.  

We will update this blog with further developments accordingly.

Top security headlines of the week 

New .NET AOT malware hides code as a black box to evade detection 
This new Ahead-of-Time (AOT) method strips metadata away, turning the code into a black box, which forces experts to rely on manual, native-level tools to see what is actually happening under the hood. (HackRead)

SideWinder espionage campaign expands across Southeast Asia 
The suspected India-linked threat group targets governments, telecom, and critical infrastructure using spear-phishing, old vulnerabilities, and rapidly rotating infrastructure to maintain persistent access. (Dark Reading)

Threat actor targeting VPN users in new credential theft campaign 
The campaign started in mid-January, luring individuals looking for VPN software into downloading trojans that have been signed with a legitimate digital certificate to evade detection. (SecurityWeek)

Sears AI chatbot chats and audio files found exposed online 
A researcher discovered three publicly exposed, unprotected databases containing a total of 3.7M chat logs, audio recordings, and text transcripts of phone calls from 2024 to 2026. (Mashable)

BeatBanker Android trojan uses silent audio loop to steal crypto 
Most modern phones kill background apps to save battery, but these actors found a clever loophole. The app plays a tiny, five-second audio file on a loop. Your phone thinks it’s an active music player, so it won’t shut the app down. (HackRead)

Can’t get enough Talos? 

Everyday tools, extraordinary crimes: the ransomware exfiltration playbook 
Attackers use trusted tools for data theft, making traditional detection unreliable. The Exfiltration Framework enables defenders to spot exfiltration by focusing on behavioral signals across endpoints, networks, and cloud environments rather than static tool indicators. 

Transparent COM instrumentation for malware analysis 
Cisco Talos presents DispatchLogger, a new open-source tool that delivers high visibility into late-bound IDispatch COM object interactions via transparent proxy interception. 

It’s the B+ Team: Matt Olney returns 
Matt is back to talk with the crew about the most random things, including TikTok diagnosing us with ADHD, K-Pop Demon Hunters, ransomware in hospitals (the serious bit), attacker use of AI, and why 1999-era tricks are still undefeated. 

Modernizing your threat hunt 
David Bianco joins Amy to explore the evolution of the PEAK Threat Hunting framework and talk through how security teams can modernize their approach to identifying risks before they escalate.

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: https_2915b3f8b703eb744fc54c81f4a9c67f.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
MD5: f3e82419a43220a7a222fc01b7607adc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5bb86c1cd08fe5e1516cba35c85fc03e503bd1b5469113ffa1f1b9e10897f811  
Example Filename: Accounts Final-2024 .exe  
Detection Name: Win.Dropper.Suloc::1201** 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg** 

SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
MD5: 41444d7018601b599beac0c60ed1bf83  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 
Example Filename: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55.js  
Detection Name: W32.38D053135D-95.SBX.TG

Cisco Talos Blog – Read More

New Android malware hiding in streaming apps to spy on users’ personal notes

A newly discovered Android malware is masking itself within television streaming apps in order to steal users’ passwords and banking data and spy on their personal notes, researchers have found.

The Record from Recorded Future News – Read More

How to turn your old Android phone or iPhone into a security camera – in 4 easy steps

You can easily use your old phone as a live home security camera and get alerts, two-way audio, and even recordings.

Latest news – Read More

I tested NordVPN’s free scam checker against a real threat in my inbox – here’s how it did

Can an AI tool successfully detect not just standard scams, but those created with the same technology? I put NordVPN’s new offering to the test with advanced recruitment scams filling my inbox.

Latest news – Read More

Security Firm Aura Discloses Data Breach Impacting 900,000 Records

The information was stolen from a marketing tool after an employee fell victim to a targeted phone phishing attack.

SecurityWeek – Read More

ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone

The Hacker News – Read More