Malicious npm packages have been identified distributing malware that steals credentials and attempts to spread across developer ecosystems.

According to new research from Socket, the activity mirrors earlier worm-style supply chain attacks that used blockchain-hosted infrastructure, including Internet Computer Protocol (ICP) canisters, for command and control (C2).

Impacted packages include multiple versions of @automagik/genie and pgserve, both linked to developer tooling workflows. Researchers found the malware executes during installation, harvesting sensitive data and attempting to republish compromised packages using stolen credentials.

Malware Focuses on Sensitive Data

The payload scans infected systems for secrets stored in environment variables and configuration files. Targeted data includes cloud credentials, CI/CD tokens, SSH keys and local developer artifacts such as .npmrc and shell histories.

It also attempts to access browser-stored data and cryptocurrency wallets, including Chrome profiles and extensions like MetaMask and Phantom.

Exfiltration occurs through two channels: a standard HTTPS webhook and an ICP endpoint. Data can be encrypted using AES-256 and RSA methods, though plaintext fallback is possible.

Self-Propagation and Possible Repository Compromise

A key feature of the malware  is its ability to spread. The malware extracts npm tokens, identifies accessible packages, injects malicious code, and republishes them, enabling further compromise across the ecosystem.

It also includes functionality to propagate via Python’s PyPI repository by generating malicious packages using .pth file injection when credentials are present.

Read more on similar threats: Malicious Machine Learning Model Attack Discovered on PyPI

Researchers observed similarities with prior TeamPCP-linked campaigns, including the use of post-install scripts and canister-based infrastructure. However, the exact source of the compromise remains under investigation.

Evidence suggests legitimate projects may have been hijacked. Some affected packages have active usage, with one showing over 6,700 weekly downloads. Inconsistencies between npm releases and Git tags further raise suspicion.

Socket said the situation is still evolving, with additional malicious versions continuing to emerge and the full scope of the attack not yet confirmed.

The risks facing industrial organisations are growing in both scale and variety while many critical national infrastructure operators are being asked to stretch budgets beyond what feels safe.

Organisations responsible for energy, transport, water and manufacturing are tasked with protecting increasingly complex operations from attackers who are using a much wider range of techniques than even a few years ago.

These organisations often find themselves defending essential systems while justifying every item of spend, causing some to cut back on security because the benefits are not always immediately visible.

But consequences of those decisions aren’t always immediate, often occurring when disruption is deeper and recovery slower. Once an industrial environment is interfered with, bringing it back online isn’t always instantaneous, and safety considerations can escalate well beyond what any budget expected.

And with digital transformation, attackers can and now do move laterally from the information technology side of a business or organisation, into planning systems, supplier connections, cloud interfaces and remote access points until they reach the technology that keeps production running.

This is why cyber resilience in critical infrastructure is essential to prevent breakdowns, protect uptime and keep critical services running.

Pressure Points That Attackers Understand

Recent rises in industrial ransomware show how urgently a stronger mindset is needed. According to the Dragos 2026 OT/ICS Cybersecurity Report, ransomware remained the most impactful threat to industrial organisations, with attacks increasing 64 percent year-over-year.

Dragos tracked 119 ransomware groups targeting industrial organisations in 2025, up from 80 the year before, collectively impacting 3,300 organisations. Manufacturing accounted for more than two-thirds of all victims, showing how attackers deliberately focus on sectors where disruption creates immediate pressure and quick leverage.

Most attacks in industrial environments still begin with predictable weaknesses. Exposed remote access tools, forgotten third party accounts and unpatched systems give attackers simple points of entry. Incidents in throughout 2025 showed how quickly these gaps escalate.

For example, in the UK Jaguar Land Rover saw operational disruption because of a ransomware attack, while further afield Asahi’s operations in Japan were also severely impacted by ransomware.

In each case, what started as a technical breach developed into an operational stoppage, then a supply chain delay and finally lost revenue and a hit to the company’s brand and reputation amongst its customers.

Sectors where downtime causes the greatest impact are feeling this pressure most sharply. Manufacturing still sees the highest number of incidents, but key industries ranging from transport and logistics to telecoms and government face significant threats too.

Attackers are also targeting engineering partners and suppliers, knowing that a single compromise further up the supply chain can open the door to many organisations at once.

At the same time, budget constraints are prompting teams to relax vendor checks or ease remote access rules, widening exposure precisely when it needs to be narrowing. Cutting corners may feel practical in the moment, but in today’s environment it is increasingly detrimental.

A Practical Path to Lowering Risk

There are steps that security leaders can take to ensure their organisation is best prepared for whatever threats may be around the corner.

Most crucially, they need to develop a clear understanding of the systems they depend on, who can reach them and which assets they can never afford to lose. This includes engineering workstations, remote access points and the business systems that keep operations moving at all times.

Strengthening access controls, patching exposed systems and tightening privileges removes many attacker entry routes. Network segmentation can limit how far an intruder can move, while reliable backups, tested properly, ensure recovery is possible even when there is a security breach.

Now is also the time for security leaders to increase their organisation’s readiness outside normal working hours and ensure both IT and OT teams work from clear, well-practiced playbooks that reflect current geopolitical threats.

They also need to act on real‑time threat intelligence, vet the resilience of suppliers and apply the SANS ICS Five Critical Controls consistently across all operations to reinforce their overall security.

Across the globe, boards now recognise that ransomware and other threats to industrial operations can have serious consequences for their organisations. Whether it’s grounded fleets, stalled production lines or major delays in services or operations, they can all bring about serious financial costs and reputational damage.

As a result, it’s crucial that leaders, both in security teams and all the way up to board level, understand the fundamentals of OT security. Being aware of which assets or suppliers might be most at risk and having incident response plans set in stone can be critical in getting operations up and running again quickly should they become a target.

Industrial organisations operating critical national infrastructure are facing a period unlike one we have previously seen. Existing cyber threats are evolving and new ones continue to emerge in differing forms, all at the same time as budgets continue to tighten.

However, the most effective defences remain the steady, uncomplicated practices that strengthen visibility, control and recovery. This will be the key to maintaining resilience amid a rising risk landscape in the years ahead.

The UK National Cyber Security Centre (NCSC) has unveiled a new technology designed to protect video connections from cyber-attacks.

The device, dubbed SilentGlass, was launched on April 22 at CYBERUK, the UK government’s flagship annual cybersecurity conference.  

SilentGlass is plug-and-play device designed to actively block anything unexpected or malicious between HDMI or display port connections and monitor screens. It is approved for use in even the most high-threat cybersecurity environments.

The device has already been successfully deployed on government estates, and now SilentGlass has been released for anyone to buy and use. 

The NCSC has partnered with Goldilock Labs and Sony UK to manufacture and sell SilentGlass globally. 

Monitors a Target For Cyber-Attacks

The NCSC has warned that monitors can be a attractive target for malicious threat actors because of how they are used to hold and process valuable, sensitive or personal data.

According to the agency, that means that cyber threat actors are likely to abuse access to monitors to infiltrate networks for malicious activities such as disruption or financial gain, taking advantage of a lack of mitigations in this area.

SilentGlass can been developed to help to shut down this attack vector.

“Display screens and monitors are everywhere in modern business environments, and the SilentGlass device will help protect previously vulnerable IT infrastructure with unprecedented ease,” said Ollie Whitehouse, CTO at NCSC.

“Its development and commercialization shows the impact that the NCSC can have, alongside industry partners, with an affordable and effective product now globally available. By helping to launch a UK company onto the global market with this world-class innovation, we are breaking new ground and helping to strengthen national prosperity,” he added.

Goldilock Labs, a UK-based small business described as experts in cyber security innovation, was awarded the contract license to manufacture SmartGlass, after what the NCSC described as “a competitive process.”

“SilentGlass addresses a gap that has been widely overlooked. The hardware interfaces people rely on every day have rarely been treated as security boundaries, despite being exposed to risk through supply chains, third-party servicing, and direct physical access,” said Stephen Kines, co-founder of Goldilock Labs.

“What was once confined to national security environments is now being applied with a low-cost, easy to deploy solution for CNI and businesses where the same risks exist.”

Goldilock, Sony and the NCSC said they expect rapid global adoption of SilentGlass by governments and risk-conscious organizations. The NCSC pointed to SilentGlass as an example of how government intellectual property can be successfully commercialized.

Now in it’s tenth year, with the 2026 edition hosted in Glasgow, Scotland, CYBERUK 26 kicked off with a speech by Richard Horne, CEO of the NCSC. He warned that a “perfect storm” of new technologies and geopolitical risks have created the risk of unprecedented cyber threats for the UK

“I would be surprised if Anthropic and OpenAI weren’t CVE Numbering Authorities by the end of 2026.”

“We’ve got some absolute geniuses at VulnCon, but we need more of them.”

One of today’s hot topics in infosec is Agentic AI.  For senior leaders it looks like magic – reduce your headcount, be more efficient and move more quickly.  But does the hype match the reality.  And do business leaders understand the security risks?

Agentic AI typically involves one AI system orchestrating multiple other tools or agents to execute a chain of tasks. In more advanced deployments, agents operate autonomously, selecting which tools to use and how to complete an objective without human intervention. While this architecture can drive efficiency, it also introduces a fragmented and dynamic attack surface.   And in some organizations a loss of control.

Without effective governance, visibility and control, risks can escalate rapidly. Until recently, these risks were largely theoretical; however, the OpenClaw investigation shows how quickly those concerns can become real.  And how quickly regulators can get involved too.

The OpenClaw Exposure

OpenClaw was built in late 2025 as a “weekend project” by its author, Peter Steinberger, and quickly gained traction. Steinberger said that his GitHub repository attracted around 2 million visitors in a single week, with many developers incorporating the code into their Agentic AI infrastructure.

However, on 9 February 2026, a report identified significant vulnerabilities. Researchers discovered more than 42,000 unique IP addresses hosting exposed OpenClaw control panels across 82 countries, many with full system access.

The report identified almost 50,000 instances where devices appeared vulnerable to remote code execution (RCE). In practical terms, this could allow an attacker to exploit the OpenClaw gateway to take control of the affected system.

OpenClaw deployments were heavily concentrated across major cloud and hosting providers. Depending on configuration, these vulnerabilities could also allow threat actors to access connected third-party services, including email, calendars, chat applications, social media and browser sessions.

Further concerns emerged when a cybersecurity investigation reportedly identified a misconfigured database exposing approximately 1.5 million authentication tokens, around 35,000 email addresses, and private communications between AI agents. Taken together, these issues point not just to isolated weaknesses, but to broader challenges around access control, credential management and system design.

Regulatory Concerns Are Emerging

Regulators have already begun to respond. On 12 February 2026, the Dutch data protection authority, Autoriteit Persoonsgegevens (AP), warned users and organizations against using OpenClaw and similar experimental systems. They noted that what it called “open-source tools” may not meet basic security requirements and advised against deploying them on systems containing sensitive or confidential data. 

The AP reminded organizations that it had powers under GDPR to get involved: under GDPR regulators can suspend processing, launch dawn raids or levy fines.  We’ve seen all three options used to police AI.

The AP’s warning includes the use of tools like OpenClaw in environments holding access credentials, financial information, employee data, private documents or identity records. The AP also emphasized that local deployment does not guarantee security, a point that remains widely misunderstood in practice.

Why Uninstalling OpenClaw is Not a Solution

For many organizations, fixing risks associated with OpenClaw is not be as simple as uninstalling the software. One challenge is visibility as some companies may not be aware if OpenClaw has been deployed, as the tool may have been adopted by developers or staff experimenting with AI tools without formal approval or oversight.

Shadow AI risk is already significant. A Microsoft study suggested that 71% of UK employees admitted using unapproved AI tools at work. Given the rapid adoption of AI since then, the true figure could now be higher.

OpenClaw also integrates with widely used communication and collaboration platforms, including WhatsApp, Telegram, Discord, Slack and Teams. If OpenClaw has been linked to multiple applications, manually resetting credentials and access tokens across those services could be a substantial task.

Practical Steps Organizations Should Consider

For many organizations, the OpenClaw case is a reminder that AI innovation must be matched with appropriate risk management. Some practical steps include:

• Looking at Technical Settings:  Organizations need to restrict the use of applications like OpenClaw on their networks. There are tools available to look at Shadow AI risk. If the organization has those tools, they need to add OpenClaw on to the list of prohibited applications.  It has been reported that it is currently not possible for humans to delete an account on OpenClaw at least by using common settings.  Organizations that think they have been exposed may want to take specialist advice.
• Check Your Socials:  It has been reported that OpenClaw collects X (formerly Twitter) user names, display names andpasswords.So it might be possible via OpenClaw for a threat actor to gain access to the organization’s social networking output, which again can lead to reputational risks and expose the organization to phishing attacks etc.
• Literacy is Key.  AI literacy has become a regulatory expectation, including under the EU AI Act, and staff need to understand both the opportunities and risks of AI systems.
• Take Measures to Protect Against Shadow AI: Whilst a literacy program will be part of this, organizations may want to include traditional software solutions like data loss prevention (DLP) software, and specialist Shadow AI monitoring and blocking services. 
• Look at Contracts and Developer Due Diligence: For some organizations the issue might stem from sub-contracted developers. Therefore, they need to ensure contractual protections are in place to meet their compliance and regulatory obligations.  This might also include specific insurance policies since developers with just 1 or 10 employees are unlikely to have the financial ability to pay up when things go wrong. 
• Do a Proper Data Protection Impact Assessment: This isn’t just common sense but may well be a legal requirement.  Whilst organizations want to move quickly in the new AI world, sometimes it is necessary to step back and see if an organization’s legal and compliance obligations are being considered.

A Broader Lesson

Agentic AI has the potential to transform the way organizations operate. However, the OpenClaw exposure highlights how quickly innovation can outpace governance. For security professionals, the issue is not just a single vulnerable tool, but a broader shift towards autonomous, highly integrated systems operating with extensive permissions and limited oversight. Without appropriate controls, these systems can introduce significant and systemic risk.

Organizations that improve visibility, strengthen governance and invest in AI literacy will be far better placed to realize the benefits of Agentic AI while managing its risks effectively.

Image credit: Stockinq / Shutterstock.com

Security researchers have warned of a “critical, systemic” vulnerability in the model context protocol (MCP) which could have a significant impact on the AI supply chain.

MCP is a popular open source standard created by Anthropic which allows AI models to connect to external data and systems.

However, in a report published on April 15, researchers at Ox Security claimed that a flaw in the protocol could enable arbitrary command execution on any vulnerable system, handing attackers access to sensitive user data, internal databases, API keys, and chat histories.

“This is not a traditional coding error,” warned the vendor.

“It is an architectural design decision baked into Anthropic’s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust. Any developer building on the Anthropic MCP foundation unknowingly inherits this exposure.”

It said that over 200 open source projects, 150 million downloads, 7000+ publicly accessible servers and up to 200,000 vulnerable instances in total could be exposed by the vulnerability.

Read more on MCP: Hundreds of MCP Servers at Risk of RCE and Data Leaks.

According to Ox Security, the exploit mechanism is fairly straightforward.

“MCP’s STDIO interface was designed to launch a local server process. But the command is executed regardless of whether the process starts successfully,” it explained. “Pass in a malicious command, receive an error – and the command still runs. No sanitization warnings. No red flags in the developer toolchain. Nothing.”

In effect, this could result in complete takeover of a target’s system.

Who’s to Blame?

Ox Security said it has repeatedly tried to persuade Anthropic to patch the vulnerability. However, according to the report, the AI giant said that this was “expected behavior.”

“Anthropic confirmed the behavior is by design and declined to modify the protocol, stating the STDIO execution model represents a secure default and that sanitization is the developer’s responsibility,” Ox Security said.

The company argued that pushing responsibility onto developers for securing their code, instead of securing the infrastructure it runs on, is dangerous given the community’s track record on security.

In the meantime, Ox Security has issued over 30 responsible disclosures and discovered over 10 high or critical-severity CVEs, to help patch individual open source projects.

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, said the research exposed “a shocking gap in the security of foundational AI infrastructure” and that the researchers did the right thing.

“We are trusting these systems with increasingly sensitive data and real-world actions. If the very protocol meant to connect AI agents is this fragile and its creators will not fix it then every company and developer building on top of it needs to treat this as an immediate wake-up call,” he added.

More than 337,000 patients of Cookeville Regional Medical Center (CRMC) in Tennessee have been notified that their personal and medical data was compromised in a July 2025 ransomware attack, the hospital confirmed this week.

The 309-bed facility began mailing breach notification letters on April 14, 2026, roughly nine months after the intrusion was detected.

Files were accessed or acquired by an unathorized party between July 11 and July 14, 2025, according to a filing with the Maine Attorney General’s Office. A total of 337,917 individuals have been affected. 

Inside the Rhysida Attack on CRMC

Rhysida, a ransomware-as-a-service operation linked to Russia and active since May 2023, claimed responsibility on August 2, 2025. The gang demanded a ransom of 10 Bitcoin, worth roughly $1.15m at the time, and posted sample files on its dark web leak site. It is unclear whether any ransom was paid.

Information accessed may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical record numbers, treatment information and health insurance data.

CRMC, which serves around 250,000 patients annually across 14 counties in the Upper Cumberland region, is offering 12 months of free identity theft protection through Experian.

Read more on Rhysida’s healthcare targeting: Rhysida Ransomware Analysis Reveals Vice Society Connection

A Year of Pressure on US Healthcare

The CRMC incident ranks as the eighth-largest US healthcare ransomware breach of 2025 by records compromised, according to Comparitech, which logged 134 confirmed attacks on US healthcare providers last year, exposing 11.7 million records.

Rhysida alone claimed 91 attacks across all sectors in 2025, with 23 confirmed and an average demand of $1.2m.

Other recent Rhysida healthcare victims include:

• Florida Lung, Asthma & Sleep Specialists (FL), May 2025, $639,000 demand
• MedStar Health (MD), September 2025, $3.09m demand
• Spindletop Center (TX), September 2025, $1.65m demand
• MACT Health Board (CA), November 2025, $662,000 demand
• Heart South Cardiovascular Group (AL), November 2025, $630,000 demand

Rebecca Moody, head of data research at Comparitech, said the lengthy investigation timeline reflects the scale of forensic work required after a hospital ransomware hit.

“It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches,” Moody explained.

“While some organizations avoid using the word ‘ransomware’ and don’t issue any form of data breach notification for months,” she added, “this lack of clarity and confirmation can leave those affected open to identity theft and phishing campaigns.”

Ransomware incidents at US hospitals routinely force extended downtime, canceled appointments and patient diversions even where clinical systems hold up. CRMC said it has put additional security measures in place since the attack.

AI companies like OpenAI and Anthropic should play a bigger role in software vulnerability disclosures in the future, according to a leader of the world’s largest vulnerability disclosure scheme.

Speaking at the opening of VulnCon26 in Scottsdale, Arizona, on April 14, Lindsey Cerkovnik said AI companies “should be better represented” in the Common Vulnerabilities and Exposures (CVE) program.

As chief of the Vulnerability Response & Coordination (VRC) Branch at the US Cybersecurity and Infrastructure Security Agency (CISA), sole sponsor of the MITRE-run CVE program, Cerkovnik and her team manage coordinated vulnerabilities disclosures for the CVE program.

She acknowledged that the program has faced a rapid growth of reported vulnerabilities over the past year and that the evolution of AI platforms will likely accelerate that growth.

“With the arrival of new AI tools, some helping discover valid vulnerabilities, others perhaps finding things with less value, we’re at a turning point,” Cerkovnik said.

Anthropic, OpenAI Speed Up on AI-Powered Vulnerability Research

Cerkovnik’s VulnCon speech came just a few days after the launch of Claude Mythos Preview, Anthropic’s new large language model (LLM) that promises to autonomously find and fix cybersecurity vulnerabilities at scale.

Today, Mythos is only available to the 40 members of Project Glasswing. 

In testing, the model allegedly discovered thousands of zero-day vulnerabilities which had not previously been identified.

The model also autonomously found and chained several vulnerabilities in the Linux kernel, software used to run most of the world’s servers, which would allow an attacker to escalate from ordinary user access to complete control of a machine

Upon testing Mythos Preview in a simulation environment, researchers at the UK’s AI Security Institute (AISI) said they “cannot say for sure” whether Mythos Preview would be able to successfully attack “well-defended systems.” 

On April 14, OpenAI launched GPT-5.4-Cyber, a version of GPT-5.4 fine-tuned for cybersecurity use cases and only available to members of its “Trusted Access for Cyber Defense” program.

50,000 to 70,000 Expected CVEs in 2026

Notably, the speed of vulnerability disclosures was already accelerating long before the launch of Mythos and OpenAI’s GPT-5.4-Cyber.

The CVE program counts 327,000 unique CVE records to date. Of those , Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, observed 18,247 were reported in 2026, a 27.9% growth from the same period in 2025.

Additionally, Gamblin calculated average of 174 CVEs reported daily this year, compared to 132 in 2025.

In February 2026, the Forum of Incident Response and Security Teams (FIRST), which co-hosts VulnCon with the CVE program, forecast a record-breaking 50,000 additional CVEs to be reported in 2026.

Gamblin expects an even bigger growth, with a forecast of 70,135 CVEs by the end of this year. This would reflect a 45.6% growth rate compared to 48,171 in 2025.

AI Companies Could Become Official Vulnerability Reporters

Cerkovnik’s call for closer integration of AI companies into the CVE program aligns with the program’s broader diversification strategy.

This strategy was illustrated by the launch of two new forums in July 2025, the CVE Consumer Working Group (CWG) and the CVE Researcher Working Group (RWG).

One of the main objectives is to grow the number of CVE Numbering Authorities (CNAs), organizations that are allowed to publicly disclose a vulnerability and attributed it a CVE identifier.

At the end of March 2026, the CVE program announced it had reached over 500 contributors, with 502 CNAs now registered.

Diversification of the CVE program also means internationalization of the program, with more European-based CNAs to be vetted in the future, commented Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at the European Cybersecurity Agency (ENISA).

Speaking to Infosecurity, his colleague, Johannes Kaspar Clos, a responsible disclosure expert at ENISA, said he would welcome AI companies to also become CNAs.

“We need to include a diverse crowd of cybersecurity practitioners, from product and nationals computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) to researchers and vulnerability finders. Anthropic is one example of a company who identified vulnerabilities and therefore, is of course rightfully mentioned in being a potential CNA,” Clos said.

While he welcomed the launch of Claude Mythos and other AI-powered tools allowing researchers to find more vulnerabilities, Clos added said he would have preferred the capabilities of such models’ capabilities to be disclosed “before the products are pushed to the market.”

“Security testing should be implemented before users are put at risk,” he added.

CVE Program: A “Top Priority” for CISA

Finally, Cerkovnik said the CVE program is “a top priority” for CISA and its parent administration, the US Department of Homeland Security (DHS) and that the security agency will continue funding the program in the future.

Read now: CISA Launches Roadmap for the CVE Program

While she declined to provide any specifics, she said, “Contracts and funding for the CVE program are secure. Funding has never been an issue.”

However, she highlighted that DHS was still technically in a shutdown situation and that it currently complicates decision-making at CISA, including around spending for outreach opportunities like her coming to VulnCon.

Image credits: Koshiro K / gguy /Shutterstock.com

A large-scale campaign involving 108 malicious Chrome extensions has been uncovered, affecting roughly 20,000 users.

The extensions, spread across categories such as gaming, social media tools and translation utilities, appear legitimate but secretly collect sensitive data. All are linked to a single command-and-control (C2) infrastructure to enable operators to aggregate stolen information in one place.

The campaign, identified by security researchers at Socket, stands out for its breadth and coordination. Although published under five separate developer identities, the team found consistent backend systems and shared operational patterns across all extensions.

Several Attack Techniques

The research highlighted several distinct attack techniques deployed simultaneously. Among the most serious is a Telegram-focused extension that captures active web sessions every 15 seconds, allowing full account access without passwords or multi-factor authentication (MFA).

Other extensions harvest Google account details using OAuth2 permissions, inject ads by bypassing browser security protections or open arbitrary web pages through hidden backdoors. Many operate continuously in the background, even if users never actively interact with them.

Key behaviors identified include:

• 54 extensions collecting Google profile data

• 45 extensions containing a persistent backdoor triggered at browser start-up

• Multiple tools injecting scripts or ads into popular platforms like YouTube and TikTok

• One extension acting as a translation proxy through attacker-controlled servers

Dual Behavior Complicates Detection

According to Socket, the extensions often deliver on their advertised functionality, such as games or messaging tools, while masking malicious activity running in the background. This dual behavior makes detection difficult for users.

Read more on browser extension security risks: Experts Sound Alarm Over “Prompt Poaching” Browser Extensions

The infrastructure also supports a Malware-as-a-Service (MaaS) model, where stolen data and active sessions can be accessed by third parties. Researchers linked the entire operation to a single operator through shared cloud resources, reused code and overlapping account identifiers.

All 108 extensions were still available at the time of discovery. The appropriate security teams have been notified, and takedown requests have been submitted.

Infosecurity contacted Google for comment, but has not yet received a response. 

Image credit: Mijansk786 / Shutterstock.com

When something goes wrong in Microsoft 365, it’s rarely a single clean “incident.” It’s a chain: a credential reused, a misconfigured Conditional Access policy, a risky mailbox rule, a guest with too much access. Tenant resilience is about making sure that, even when those chains start forming, you stay in control of identity, configuration and collaboration – and can recover quickly without guesswork.

In this article we’ll look at what actually breaks tenants under pressure and how to harden Microsoft 365 against those failures.

Three Ways Microsoft 365 Fails under pressure

Most Microsoft 365 “bad days” fall into three patterns. Understanding them gives you a concrete blueprint for resilience.

1. Identity Goes Sideways

This is the classic story: a phishing email slips through, a user accepts a fake prompt, or an attacker buys leaked credentials on an underground market. They sign in legitimately, often bypassing poorly enforced policies.

Identity failures typically look like:

• Inconsistent MFA: high‑risk users and admins not fully covered
• Excessive standing privileges: too many global admins, or broad “just in case” admin roles
• Over‑trusted applications: Entra (Azure AD) apps and OAuth grants with powerful permissions no one is actively watching

From there, attackers hunt for:

• Ways to escalate privileges (unused admin roles, poorly scoped permissions)
• Weak Conditional Access coverage they can slip through
• Mailboxes or Teams spaces that give them useful intelligence

A resilient tenant assumes identity will be attacked constantly and designs controls to (a) make successful compromise less likely, and (b) ensure that, if it happens, the blast radius stays small.

Resilience Moves:

• Require MFA for all interactive users and admins, and retire legacy authentication wherever possible.
• Reduce standing admin privileges; move to scoped, task‑based roles and just‑in‑time access where you can.
• Inventory Entra apps and OAuth consents; retire unused apps and trim over‑privileged ones.

2. Configuration Drifts into Dangerous Territory

Microsoft 365 tenants are never static. Admins make changes to fix issues or support projects. Microsoft ships new features and adjusts defaults. Service owners tweak policies under pressure from the business. Over months and years, the environment can drift far from the “standard” that security teams think they’re enforcing.

Configuration failures often look like:

• Conditional Access policies quietly loosened for a specific project – then never tightened again
• Mailbox forwarding rules and transport rules changed, but not logged against a change ticket
• Sharing settings relaxed for one department and unknowingly applied more broadly
• Security features turned off temporarily to troubleshoot, and forgotten in that state

Individually, these changes might seem minor. Cumulatively, they can create:

• Hidden backdoors for attackers
• Unexpected lockouts when a later change interacts badly with an old exception
• Unclear responsibility – no one can say exactly when or why a risky change happened

Resilience moves:

• Define a practical baseline for critical settings (identity, mail, sharing, retention) and treat deviations as risk.
• Implement continuous configuration monitoring so that high‑impact changes trigger alerts, not surprises.
• Tie configuration changes to tickets or documented approvals so you can distinguish legitimate work from tampering.

3. Recovery is Slow, Manual and Uncertain

Many organizations have invested in backing up their Microsoft 365 data – such as mailboxes, SharePoint, OneDrive and Teams. That’s vital, but it addresses only one part of the recovery story.

When an attacker (or an admin mistake) disrupts tenant configuration, the real questions are:

• Can you regain control of admin and identity quickly?
• Can you roll back risky configuration changes without breaking everything else?
• Do you know which policies, rules, and settings changed – and what “good” looked like beforehand?

Without configuration resilience, recovery often comes down to:

• Manually clicking through portals to compare settings
• Trying to reconstruct policies from old screenshots, export files, or documentation
• Accepting “close enough” because no one can be sure what the exact previous state was

That’s slow, stressful, and risky. Especially under regulatory or customer pressure.

Resilience moves:

• Back up tenant configuration, not just data, across Entra ID, Exchange, SharePoint/OneDrive, Teams, and Purview.
• Practice restoring configurations in non‑production tenants so you understand what will happen when you roll back.
• Separate “emergency restore” scenarios (e.g., lockout, mass misconfiguration) from routine drift correction and prepare playbooks for both.

Copilot and AI: Accelerators of Both Value and Risk

Microsoft 365 Copilot changes the resilience equation by making content more discoverable to users – and, by extension, to anyone who compromises those users.

If a user has access to overly broad SharePoint sites, old Teams workspaces, or loosely governed OneDrive content, Copilot simply makes it faster to find and recombine that information. The same is true for compromised accounts: attackers can use AI‑driven search to map your environment far more quickly than before.

To keep Copilot from becoming a force multiplier for exposure:

• Tighten access and sharing before rollout: clean up over‑permissioned sites, groups, and Teams.
• Enforce sensitivity labels and DLP policies so that even discoverable content can’t be automatically exfiltrated.
• Review and govern plugins and connectors; treat them as additional integration points that must be vetted.
• Plan monitoring around Copilot usage to spot unusual patterns and potential misuse.

Resilient tenants treat Copilot as a reason to accelerate least privilege and data governance – not as an add-on feature.

A Practical Roadmap to a More Resilient Tenant

Rather than chasing every new feature or control, focus on a small set of high‑leverage steps:

Clamp down on identity risk

1. Enforce MFA and modern auth widely.
2. Reduce the number and scope of standing admin roles.
3. Review and clean up high‑impact Entra apps and OAuth consents.

Stabilize configuration

1. Decide what “good” looks like for key policies (CA, sharing, retention, DLP, external collaboration).
2. Implement continuous monitoring for changes to those policies.
3. Make sure ownership and approval paths for high‑risk settings are clear.

Add configuration‑level backup and restore

1. Introduce regular, comprehensive backup of tenant configuration.
2. Test “roll back to yesterday’s known‑good” scenarios in lower environments.
3. Clarify who declares a configuration emergency and who executes the restore.

Prepare for AI‑driven exposure

1. Clean up access and sharing; remove stale and excessive permissions.
2. Enforce labels and DLP where sensitive data lives.
3. Build Copilot and AI usage into your monitoring and incident response thinking.

These steps give you a foundation that makes future improvements easier and more reliable.

How CoreView Helps You Reach Your Tenant Resilience Goals

You can build resilience with native tools and custom automation, but it often requires stitching together exports, scripts, logs, and multiple admin portals. CoreView is designed to bring those resilience capabilities into a single operational model for Microsoft 365 teams.

With CoreView, organizations can:

• See and control who really has power in the tenant
  • Analyze admin roles and privileges, then define “just enough” permissions with fine‑grained scope.
  • Segment administration by region, business unit, or function so that no single admin has unnecessary global reach.
• Detect risky configuration changes before they become incidents
  • Continuously monitor changes across Entra ID, Exchange, SharePoint/OneDrive, Teams and Purview.
  • Focus alerts on high‑impact changes – like Conditional Access adjustments, mailbox forwarding rules, or sharing policy updates.
• Back up and restore tenant configuration, not just data
  • Capture configuration state across critical workloads on a regular cadence.
  • Restore configuration to a known‑good state after misconfigurations, attacks, or failed change deployments – without manually rebuilding policies.
• Govern collaboration and external access at scale
  • Get a clear view of guests, external users and high‑risk sharing patterns.
  • Apply consistent controls to keep collaboration productive without losing control of who can see what.
• Stay audit‑ready across multiple frameworks
  • Map real configuration and change history to requirements from NIST, CIS, CMMC, HIPAA and others.
  • Produce evidence of how your tenant is configured today, how it changed over time and how you would restore it after a disruption.

The result is a Microsoft 365 tenant that’s not just secure on paper, but actually resilient in practice: you know who has access, you know when important settings change and you have a reliable way to get back to a trusted state when something goes wrong.