Summary: Sysdig’s analysis of the Marimo CVE-2026-39987 intrusion is the first publicly documented case of a threat actor using a large language model as the autonomous driver of post-exploitation activity — not as a support tool, but as the decision-making engine. The attacker achieved four sequential pivots in under two minutes: CVE exploitation, cloud credential extraction, AWS Secrets Manager key retrieval, and SSH bastion access followed by full PostgreSQL database exfiltration. Sysdig identified four forensic indicators that defenders can operationalize immediately: schema-agnostic command improvisation, machine-optimized output formatting, value handoffs from prior tool output, and an in-stream planning comment written in Chinese.

Why It Matters: This is the specific LLM-agent post-exploitation threat model the AI security community has theorized about for two years — now confirmed against real enterprise infrastructure. The four forensic indicators constitute a detection signature that does not exist in current SIEM rule libraries. MAESTRO Layer 3 (agentic orchestration) threat surfaces are no longer theoretical.

View Full Research Note

Summary: Permiso Security’s disclosure of ChatGPhish reveals that ChatGPT’s web-summarization feature implicitly trusts all Markdown links and image URLs on any third-party page it processes. Any web page a user asks ChatGPT to summarize — a GitHub README, SaaS documentation, or news article — can silently carry attacker-injected instructions into the model’s response, surfacing tracking pixels, fake security alerts, and phishing links inside the trusted ChatGPT interface. The attack leaks the user’s IP address, User-Agent, and Referer to attacker infrastructure with zero user interaction beyond the summarization request. Permiso reported the vulnerability to OpenAI via Bugcrowd on April 29, 2026; no patch has been issued.

Why It Matters: This confirms that AI assistant UI components must be treated as untrusted rendering environments. The attack surface is every enterprise productivity workflow that uses ChatGPT for research or document summarization — a near-universal use case. The trust-transfer vulnerability class was previously documented against Microsoft Copilot; this confirms it extends to ChatGPT.

Read Full Research Note

Summary: Threat actors are actively exploiting CVE-2026-35616 (CVSS 9.1), a pre-authentication API bypass in FortiClient Endpoint Management Server, to deliver the EKZ credential stealer disguised as a legitimate Fortinet endpoint update. Arctic Wolf’s analysis confirmed that attackers used the trusted EMS update delivery pathway — the exact infrastructure enterprises deploy to enforce endpoint security policy — to simultaneously push malware to every managed endpoint in the environment, requiring no separate intrusion path per device. This mirrors the Palo Alto GlobalProtect CVE-2026-0257 pattern active in the same cycle, indicating systematic threat actor interest in weaponizing trusted administrative planes.

Why It Matters: The attack surface is the security tooling itself. The blast radius scales directly with product deployment coverage — the better-protected the environment, the wider the exposure. This pattern now recurs across Fortinet, Palo Alto, and similar platforms with sufficient frequency to warrant a unified threat model, not just individual CVE response.

View Full Research Note

Summary: Wiz’s May 28, 2026 “State of Post-Quantum Cryptography” report — the first large-scale analysis of PQC deployment status across enterprise cloud environments — confirms a structural gap: most organizations lack a cryptographic asset inventory, have no PQC migration roadmap, and continue to rely on RSA-2048 and ECDH key exchanges already being harvested by nation-state actors. Three research papers published between May 2025 and March 2026 collectively reduced the estimated quantum resource requirement for breaking RSA-2048 from 20 million qubits to fewer than 100,000 — a 200× reduction in 12 months. NIST finalized PQC standards (ML-KEM, ML-DSA, SLH-DSA) in August 2024; Google has set a 2029 internal migration deadline. Enterprise adoption lags badly.

Why It Matters: The “harvest now, decrypt later” threat has moved from theoretical to actively probable. Unlike most security debt, deferral of PQC migration is uniquely irreversible: data harvested today cannot be un-harvested. Every month of deferral extends the window of long-term exposure for currently encrypted sensitive data.

View Full Research Note