Weekly Threat Intelligence Summary

Top 10 General Cyber Threats

Generated 2026-05-25T05:00:05.153395+00:00

1. Update Chrome now: Critical bugs could let attackers run code (www.malwarebytes.com, 2026-05-22T12:10:36)
   Score: 11.25
   This Chrome update fixes critical flaws attackers could exploit through malicious websites, but not the “Browser Fetch” vulnerability.
2. Microsoft Defender vulnerabilities are being exploited in the wild (www.malwarebytes.com, 2026-05-21T17:36:52)
   Score: 7.621
   CISA added seven known exploited vulnerabilities to its KEV catalog, including two Microsoft Defender flaws.
3. The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. (www.recordedfuture.com, 2026-05-21T00:00:00)
   Score: 7.499
   Boards are asking about AI-driven vulnerability discovery. The leaders who answer that question well will come out with more credibility and more resources. Here's how to be one of them.
4. Fake malware-signing service Fox Tempest dismantled by Microsoft (www.malwarebytes.com, 2026-05-20T15:33:02)
   Score: 7.44
   The service let malware authors sign malicious files with fraudulent Microsoft-issued certificates to bypass security checks.
5. May 2026 Patch Tuesday: no zero-days but plenty to fix (www.malwarebytes.com, 2026-05-13T11:00:45)
   Score: 7.242
   May’s Patch Tuesday may not be the giant release many expected, but there are still plenty of important fixes that shouldn’t be ignored.
6. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 (www.recordedfuture.com, 2026-05-19T00:00:00)
   Score: 7.165
   Frontier AI models like Mythos are making vulnerability discovery fast and cheap. Here's how defenders use threat intelligence and agentic processing to prioritize and act at the same speed.
7. Attackers replaced JDownloader installer downloads with malware (www.malwarebytes.com, 2026-05-15T12:45:47)
   Score: 6.587
   The JDownloader website was compromised and installer download links served malware for several days.
8. Why Malwarebytes blocks some Yahoo Mail redirects (www.malwarebytes.com, 2026-05-14T10:47:52)
   Score: 6.407
   Some Yahoo Mail users may see repeated Malwarebytes alerts caused by background connections to suspicious third-party domains. Here’s why.
9. NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals (www.recordedfuture.com, 2026-05-14T00:00:00)
   Score: 6.332
   NVD enrichment now covers only 15–20% of CVEs. Learn how Recorded Future Vulnerability Intelligence prioritizes risk using real attacker behavior signals.
10. April 2026 CVE Landscape (www.recordedfuture.com, 2026-05-15T00:00:00)
    Score: 6.299
    In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.

Top 10 AI / LLM-Related Threats

Generated 2026-05-25T06:00:19.748741+00:00

1. GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access (cloud.google.com, 2026-05-11T14:00:00)
   Score: 42.746
   Executive Summary Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sop
2. Prompt Overflow: What the Guardrail Inspects Is Not What the Model Infers (arxiv.org, 2026-05-25T04:00:00)
   Score: 21.78
   arXiv:2605.23196v1 Announce Type: new
   Abstract: Guardrail models (a.k.a. safety checkers) are widely deployed to screen user inputs before they reach large language models (LLMs), serving as a primary defense against prompt injection attacks. Due to strict context constraints, these models handle overlength prompts through truncation or segmentation-based inspection. While prior work has focused on semantic adversarial inputs, the security implications of these long-input processing mechanisms
3. AI Security Research Should Better Incentivize Defense Research (arxiv.org, 2026-05-25T04:00:00)
   Score: 20.28
   arXiv:2605.23448v1 Announce Type: new
   Abstract: This work examines an imbalance in artificial intelligence (AI) security research: the field tends to produce more work on attacking AI systems than on defending them. Drawing on related academic papers, we find biased attack-to-defense ratios across subfields, including federated learning, speech recognition, membership inference, large language models, etc. The imbalance possibly means far beyond a simple count: attack papers are routinely evalu
4. PromptCOS: Towards Content-only System Prompt Copyright Auditing for LLMs (arxiv.org, 2026-05-25T04:00:00)
   Score: 17.78
   arXiv:2509.03117v3 Announce Type: replace
   Abstract: System prompts are critical for shaping the behavior and output quality of large language model (LLM)-based applications, driving substantial investment in optimizing high-quality prompts beyond traditional handcrafted designs. However, as system prompts become valuable intellectual property, they are increasingly vulnerable to prompt theft and unauthorized use, highlighting the urgent need for effective copyright auditing, especially watermar
5. Security of LLM-generated Code: A Comparative Analysis (arxiv.org, 2026-05-25T04:00:00)
   Score: 17.28
   arXiv:2605.23091v1 Announce Type: cross
   Abstract: The majority of software developers use or are planning to use Artificial Intelligence (AI) tools in their development processes. Their top reasons include improving productivity and faster learning. In fact, Large Language Model (LLM)-generated code is currently in production, including in major tech companies. However, concerns were raised about the risks associated with the use of AI tools to generate code. In this paper, we focus our attenti
6. Break the context window barrier with Amazon Bedrock AgentCore (aws.amazon.com, 2026-05-21T16:08:54)
   Score: 16.848
   In this post, you will learn how to implement Recursive Language Models (RLM) using Amazon Bedrock AgentCore Code Interpreter and the Strands Agents SDK. By the end, you will know how to process documents of varying lengths, with no upper bound on context size, use Bedrock AgentCore Code Interpreter as persistent working memory for iterative document analysis, and orchestrate sub-large language model (sub-LLM) calls from within a sandboxed Python environment to analyze specific document sections
7. Kernel-Based ReLU Approximation for Homomorphic Encryption-Compatible Privacy-preserving Deep Learning Models (arxiv.org, 2026-05-25T04:00:00)
   Score: 16.78
   arXiv:2605.23641v1 Announce Type: new
   Abstract: As privacy concerns in AI technologies continue to grow, Homomorphic Encryption (HE) offers a way to perform computations on encrypted data without the need of decryption during operations. However, HE is limited to addition and multiplication, making non-linear functions incompatible in their original form. This limitation has become more critical with the widespread use of Large Language Models (LLMs), where the non-linearity of activation funct
8. Build AI agents for business intelligence with Amazon Bedrock AgentCore (aws.amazon.com, 2026-05-21T16:04:17)
   Score: 16.547
   In this post, we show you how OPLOG developed three AI agents using the Strands Agents SDK, deployed them to Amazon Bedrock AgentCore, and integrated Amazon Bedrock with Anthropic’s Claude Sonnet and Amazon Bedrock Knowledge Bases for Retrieval Augmented Generation (RAG).
9. GenAI-Driven Threat Detection with Microsoft Security Copilot (arxiv.org, 2026-05-25T04:00:00)
   Score: 14.88
   arXiv:2605.20896v2 Announce Type: replace
   Abstract: Defending against today's increasingly sophisticated cyberattacks requires security analysts to continuously translate evolving attacker tradecraft into detection logic. This places defenders in a reactive posture, requiring constantly updated expertise across an increasingly fragmented security landscape. We introduce the Dynamic Threat Detection Agent (DTDA), an always-on adaptive agent that continuously investigates security incidents
10. What Does the Server See? Understanding Privacy Leakage from Large Language Models in Split Inference (arxiv.org, 2026-05-25T04:00:00)
    Score: 14.78
    arXiv:2605.23158v1 Announce Type: new
    Abstract: The deployment of large language models (LLMs) on resource-constrained devices remains challenging, spurring interest in split inference, where models are partitioned between client and server to reduce computational burden and enhance privacy by transmitting only intermediate activations. However, the privacy-preserving capabilities of split inference, particularly in the context of LLMs, have not been exhaustively investigated. To fill this gap,
11. Robust LLM Watermarking with Minimal Semantic Distortion for IP Protection (arxiv.org, 2026-05-25T04:00:00)
    Score: 14.78
    arXiv:2605.23175v1 Announce Type: new
    Abstract: Proprietary large language models (LLMs) face risks of intellectual property (IP) violation, as adversaries can replicate an LLM by collecting input-output pairs to train a surrogate model, causing financial setbacks. Watermarks offer a promising defense to verify ownership, but existing methods often struggle with semantic distortion, factual inconsistency, and adversarial attacks. In addition, key-conditioned watermarks for provider-specific det
12. CachePrune: Privacy-Aware and Fine-Grained KV Cache Sharing for Efficient LLM Inference (arxiv.org, 2026-05-25T04:00:00)
    Score: 14.78
    arXiv:2605.23640v1 Announce Type: new
    Abstract: Large Language Models (LLMs) rely on Key-Value (KV) caching to accelerate inference, and many serving systems further share the KV cache across users' requests to reduce redundant computation. While widely adopted, unrestricted cross-user sharing introduces side-channel vulnerabilities, allowing an adversary to infer user inputs by probing for cache reuse. Existing defenses disable sharing entirely to prevent leakage; yet such a coarse-graine
13. Leveraging Large Language Models for Sentiment Analysis: Multi-Modal Analysis of Decentraland's MANA Token (arxiv.org, 2026-05-25T04:00:00)
    Score: 14.78
    arXiv:2605.20192v1 Announce Type: cross
    Abstract: Decentraland, a decentralized virtual reality platform operating within the expanding Metaverse ecosystem, utilizes its native MANA token to facilitate virtual asset transactions and governance. This study investigates the integration of Discord community sentiment with multi-modal financial data to enhance cryptocurrency price prediction within virtual world economies. We address: (1) identifying sentiment patterns within Decentraland's Di
14. GradingAttack: Exposing Security Vulnerabilities in LLM Based Educational Grading Agents (arxiv.org, 2026-05-25T04:00:00)
    Score: 14.78
    arXiv:2602.00979v2 Announce Type: replace
    Abstract: Large language models (LLMs) are increasingly deployed as educational agents for automatic short answer grading (ASAG) in real-world educational environments, significantly boosting assessment efficiency and scalability. However, when these grading agents operate “in the wild'', their vulnerability to adversarial manipulation raises critical concerns about agent security and trustworthiness. In this paper, we introduce GradingAttack
15. Pwn2Own Berlin 2026 – Day One Results (www.thezdi.com, 2026-05-14T08:27:32)
    Score: 13.905
    Welcome to Day One of Pwn2Own Berlin 2026! Today, 22 entries took the Pwn2Own stage to target AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding. After Day One, we awarded $523,000 for 24 unique 0-days! DEVCORE is currently in the lead for Master of Pwn, but a pack of teams are right on their heels. Stay tuned tomorrow for
16. Pwn2Own Berlin 2026: The Full Schedule (www.thezdi.com, 2026-05-13T16:23:07)
    Score: 13.746
    Willkommen! (Welcome!) Pwn2Own Berlin 2026 has arrived at OffensiveCon, and the world’s top security researchers are ready. This year’s enterprise-focused competition features AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products. Earlier today, we held the random draw to determine attempt order. Below is the official schedule. All times are Berlin local time (CET) and may change as the competition progresses. Check back for live updates. In case you missed i
17. Are Frontier LLMs Ready for Cybersecurity? Evidence for Vertical Foundation Models from Dual-Mode Vulnerability Benchmarks (arxiv.org, 2026-05-25T04:00:00)
    Score: 12.48
    arXiv:2605.23243v1 Announce Type: new
    Abstract: We evaluate whether frontier LLMs are ready for cybersecurity through a dual-mode benchmark: white-box function-level vulnerability detection (VulnLLM-R, across C/Java/Python) and black-box web application security testing (five production-style applications with 118 ground-truth vulnerabilities across 20+ CWE families, which we will open-source). We test six frontier models (GPT-5.4, Codex~5.3, Claude Opus~4.6, Sonnet~4.6, Gemini~3.1~Pro and Gemi
18. Validating Threat Modeling Results with the Help of Vulnerable Test Applications (arxiv.org, 2026-05-25T04:00:00)
    Score: 12.48
    arXiv:2605.23695v1 Announce Type: new
    Abstract: Validating threat modeling results remains difficult because completeness is hard to judge without an external oracle. Existing studies often rely on expert-produced reference models and other human baselines, but these can contain omissions or disagreements. This paper evaluates a complementary, vulnerability-grounded validation approach. We apply threat modeling to intentionally vulnerable applications with a known vulnerability set to measure t
19. From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness (arxiv.org, 2026-05-25T04:00:00)
    Score: 12.48
    arXiv:2605.23130v1 Announce Type: cross
    Abstract: AI coding assistants are now central to professional software development, yet their impact on how developers think about and practice security remains poorly understood. While prior work has documented vulnerability rates in AI-generated code, a more fundamental question persists: how do these tools transform security awareness in authentic, ongoing development practice? We conducted semi-structured interviews with 15 professional software engi
20. Through the Stealth Lens: Attention-Aware Defenses Against Poisoning in RAG (arxiv.org, 2026-05-25T04:00:00)
    Score: 12.48
    arXiv:2506.04390v2 Announce Type: replace
    Abstract: Retrieval-augmented generation (RAG) systems are vulnerable to attacks that inject poisoned passages into the retrieved context, even at low corruption rates. We show that existing attacks are not designed to be stealthy, allowing reliable detection and mitigation. We formalize a distinguishability-based security game to quantify stealth for such attacks. If a few poisoned passages control the response, they must bias the inference process mor
21. RAG-Pull: Turning Retrieval into a Code-Injection Channel via Invisible Unicode Perturbations (arxiv.org, 2026-05-25T04:00:00)
    Score: 12.48
    arXiv:2510.11195v2 Announce Type: replace
    Abstract: Retrieval-Augmented Generation (RAG) increases the reliability and trustworthiness of the LLM response and reduces hallucination by eliminating the need for model retraining. It does so by adding external data into the LLM's context. We develop a new class of black-box attack, RAG-Pull, that inserts hidden UTF characters into queries or external code repositories, redirecting retrieval toward malicious code, thereby breaking the models&#x
22. SUDP: Secret-Use Delegation Protocol for Agentic Systems (arxiv.org, 2026-05-25T04:00:00)
    Score: 12.48
    arXiv:2604.24920v3 Announce Type: replace
    Abstract: Agentic systems increasingly act with user secrets for APIs, messaging platforms, and cloud services. Today's agent runtimes typically implement authorization by exposure: enabling action often means placing a reusable secret, or a reusable artifact derived from it, inside the runtime, so a transient prompt-injection or tool-side compromise becomes durable account compromise. Existing defenses cover adjacent pieces such as secret storage,
23. Pwn2Own Berlin 2026 – Day Two Results (www.thezdi.com, 2026-05-15T07:29:43)
    Score: 12.134
    Day Two of Pwn2Own Berlin 2026 and the stakes continue to rise! Security researchers are back on the Pwn2Own stage, pushing enterprise systems to their limits as the competition heats up. More exploits, more surprises, and more standout moments are unfolding, so follow along here for live updates as the race for Master of Pwn intensifies. There were plenty of big targets on the schedule today, including SharePoint, Exchange, and Safari. Following an action-packed Day One where $523,000 was award
24. PoisonForge: Task-Level Targeted Poisoning Benchmark for Instruction-Tuned LLMs (arxiv.org, 2026-05-25T04:00:00)
    Score: 11.48
    arXiv:2605.23168v1 Announce Type: new
    Abstract: When practitioners fine-tune LLMs on unvetted datasets, an adversary can exploit the data supply chain through task-level poisoning: inserting a small number of crafted instruction-response pairs that cause the model to embed attacker-specified entities, such as a country, in outputs for a targeted task family while behaving normally elsewhere. We introduce PoisonForge, a benchmark that parameterizes this threat along four dimensions (bias type, p
25. Content-Aware Attack Detection in LLM Agent Tool-Call Traffic: An Empirical Study of Features, Architectures, and Evaluation Protocols (arxiv.org, 2026-05-25T04:00:00)
    Score: 11.48
    arXiv:2605.11053v3 Announce Type: replace
    Abstract: The Model Context Protocol (MCP) has become a widely adopted interface for LLM agents to invoke external tools, yet learned monitoring of MCP tool-call traffic remains underexplored. In this article, the proposed detector is presented as an attack detection framework for MCP tool-call traffic that encodes each agent session as a graph (tool calls as nodes, sequential and data-flow links as edges), enriches nodes with sentence-embedding feature

Auto-generated 2026-05-25