TRENDING TOPICS SEPT 02, 2025

Update: Palo Alto Networks Confirmed in OAuth Supply-Chain Breach 

Palo Alto Networks has confirmed that it was among the companies affected by the ongoing OAuth supply-chain campaign, which first came to light with the Salesloft Drift breach. Attackers leveraged compromised tokens to infiltrate Palo Alto’s Salesforce environment, exfiltrating business contact information, internal sales data, and support case records. While the company emphasized that no products, systems, or customer-facing services were directly impacted, the exposure is nonetheless significant. Support tickets often contain operationally sensitive details, and in this case, researchers observed attackers scanning the stolen data for credentials, secrets, and keys tied to AWS, Snowflake, VPN access, and single sign-on configurations. The threat group, tracked by Google as UNC6395, used automated tools with distinctive user-agent strings and deleted their queries to obscure activity, blending credential harvesting with anti-forensic measures that make detection and remediation more difficult. The Palo Alto breach underscores how this campaign is expanding beyond earlier ShinyHunters-linked Salesforce compromises and reflects a broader systemic risk in the OAuth trust model. By focusing on CRM support data rather than just customer records, attackers gain a foothold in enterprise cloud ecosystems, with stolen secrets potentially enabling lateral movement into additional platforms. Palo Alto, Salesforce, and Google have responded by revoking the compromised tokens, disabling Drift integrations, and rotating credentials. Still, the impact ripples outward as other victims—including Zscaler, Cisco, and Google itself—face similar fallout. The incident highlights that even cybersecurity leaders can become victims when supply-chain authentication flows are abused, reinforcing the urgent need for stricter OAuth app governance, tighter control over Salesforce data exposure, and continuous monitoring for abnormal API queries.
Organizations relying on Salesforce must assume attackers will attempt to mine support case data for pivot opportunities and respond with both preventive access controls and rapid containment protocols.

TinkyWinkey: Stealthy Windows Keylogger With Advanced Persistence 

A new keylogger known as TinkyWinkey has been uncovered on underground forums, first surfacing in late June 2025. The malware is built to blend into Windows systems using a dual setup that combines a service-based loader with a DLL injected into trusted processes. By registering a service named “Tinky,” it ensures persistence across reboots and then launches the main payload (winkey[.]exe) directly within the user’s session. Once active, it captures every keystroke through low-level hooks, while also monitoring which applications are in use and recording changes in keyboard layouts. This allows attackers to collect not only raw keystrokes but also context about what the victim was doing, making stolen data, such as credentials and messages, more valuable. The malware also performs detailed system profiling, pulling CPU, memory, OS, and network information to enrich logs with environmental details. Together, these features make TinkyWinkey a powerful surveillance tool that is both stealthy and difficult to detect. The malware’s loader goes beyond basic persistence by injecting its DLL into trusted processes like explorer[.]exe, ensuring the payload runs invisibly under legitimate system activity. This approach helps it bypass many endpoint security controls that primarily monitor standalone executables. Once injected, it maintains a continuous message loop to track and log activity, writing results to structured files in the temporary directory. Analysts note that TinkyWinkey’s design demonstrates an apparent effort to maximize stealth and maintain a long-term presence, while providing attackers with complete insight into a victim’s system and activity. Because this level of monitoring poses a significant risk to enterprises and individuals, defenders should focus on detecting unusual service activity, monitoring DLL injection attempts, and reviewing logs for hidden persistence mechanisms. 
Regular endpoint visibility, stronger monitoring of system APIs, and limiting permissions for service creation can reduce the risk of compromise.
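
A sketch of the "unusual service activity" check, added here as an example and not taken from the original analysis: it triages service-install records (Windows System log Event ID 7045) for the service name and payload image named above. The flattened JSON export shape, the host names, and the user-writable-path heuristic are assumptions that go beyond the write-up.

```python
import json
import re

# Indicators named in the write-up above.
SERVICE_NAME = "tinky"
PAYLOAD_IMAGE = "winkey.exe"
# Generic heuristic added here (not from the write-up): binary under a user-writable path.
USER_WRITABLE = re.compile(r"\\(temp|appdata|users\\public)\\", re.I)
IMAGE = re.compile(r'[^\\/"]+\.exe', re.I)  # first executable name in ImagePath

# Constructed sample records, flattened from Service Control Manager events.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "Tinky", "ImagePath": "C:\\Users\\Public\\svc.exe"}
{"EventID": 7045, "Computer": "WS-022", "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\winkey.exe -s"}
{"EventID": 7045, "Computer": "WS-031", "ServiceName": "PrintHelper", "ImagePath": "C:\\Program Files\\Vendor\\printhelper.exe"}
{"EventID": 7036, "Computer": "WS-031", "ServiceName": "Tinky", "ImagePath": ""}
not-json residue from a truncated export
"""

def triage(event):
    """Return the reasons a service-install event deserves review (empty if none)."""
    if event.get("EventID") != 7045:  # only "a service was installed" records
        return []
    path = event.get("ImagePath", "")
    reasons = []
    if event.get("ServiceName", "").lower() == SERVICE_NAME:
        reasons.append("service name matches 'Tinky'")
    image = IMAGE.search(path)
    if image and image.group(0).lower() == PAYLOAD_IMAGE:
        reasons.append("service image is winkey.exe")
    if USER_WRITABLE.search(path):
        reasons.append("binary in user-writable path")
    return reasons

def scan(lines):
    """Parse JSON-lines input, skip unparseable rows, return flagged installs."""
    hits = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = triage(event)
        if reasons:
            hits.append((event["Computer"], event["ServiceName"], reasons))
    return hits
```

A renamed service or payload passes the two name checks, so the path heuristic and any injection telemetry the endpoint tooling provides should be reviewed alongside them.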

Prompt Injection Turns AI Security Agents Into Attack Vectors

Researchers from Alias Robotics and Oracle have demonstrated that large language model–based security agents can be manipulated through advanced prompt injection techniques, exposing a systemic weakness in how these systems process input. AI security frameworks, including open-source projects like Cybersecurity AI (CAI) and commercial platforms like PenTestGPT, are designed to autonomously scan, analyze, and exploit vulnerabilities. However, when these agents retrieve external content from target servers, attackers can embed hidden instructions inside what appears to be harmless data. In tests, payloads masked under banners like “NOTE TO SYSTEM” coerced the agents into launching reverse shells within seconds, granting attackers full system control. Seven categories of attacks were documented, from layered Base64/Base32 encoding and Unicode homographs to dynamic environment variable abuse and deferred script generation, achieving success rates as high as 100% against unprotected deployments. These findings highlight that the vulnerability is not a coding oversight but a fundamental flaw in how transformers blend instructions with data, comparable to the persistent risks posed by cross-site scripting in web applications. To counter this, researchers proposed a four-layer defensive architecture combining sandboxing, HTTP response filters, script-blocking restrictions, and multi-layer validation to detect and neutralize injection attempts. In extensive testing, these safeguards successfully mitigated all 140 exploit attempts across 14 variants, with minimal performance penalty, suggesting that layered controls can effectively reduce the threat. Still, experts caution that each advance in AI capability may create new openings for attackers, making this an ongoing arms race rather than a problem with a permanent fix. 
For organizations, the lesson is clear: while AI security agents promise efficiency, deploying them without isolation, continuous monitoring, and hardened guardrails could lead to catastrophic compromise. Until the technology matures, enterprises should treat these agents as experimental, high-risk tools and avoid placing them at the core of critical defense infrastructure.
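
One possible shape for the HTTP response filter layer, added here as an example and not the researchers' implementation: it folds Unicode look-alikes, then peels Base64/Base32 layers to a bounded depth while looking for instruction-style banners. The function names, the extra marker phrase, and the small homograph table are assumptions.

```python
import base64
import re
import unicodedata

# Illustrative Cyrillic look-alikes folded to Latin; a real deployment needs a fuller table.
CONFUSABLES = str.maketrans(
    "\u0410\u0412\u0415\u041a\u041c\u041d\u041e\u0420\u0421\u0422\u0425"
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445",
    "ABEKMHOPCTXaeopcyx",
)
# "NOTE TO SYSTEM" is the banner named above; the second phrase is an assumption.
MARKERS = re.compile(r"note to system|ignore (all )?previous instructions", re.I)
TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,6}")  # candidate Base64/Base32 runs
MAX_DEPTH = 3                                    # bound on nested decoding
DECODERS = (
    ("base64", lambda t: base64.b64decode(t, validate=True)),
    ("base32", base64.b32decode),
)

def normalize(text):
    """Fold compatibility forms and known look-alikes before matching."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)

def find_injection(text, depth=0):
    """Return the decode chain that exposes a marker, or None if none is found."""
    text = normalize(text)
    if MARKERS.search(text):
        return ["plain"]
    if depth >= MAX_DEPTH:
        return None
    for token in TOKEN.findall(text):
        for name, decode in DECODERS:
            try:
                inner = decode(token).decode("utf-8")
            except ValueError:  # bad alphabet, bad padding, or not UTF-8
                continue
            chain = find_injection(inner, depth + 1)
            if chain is not None:
                return [name] + chain
    return None

def filter_http_response(body):
    """Gate fetched content before it is added to the agent's context."""
    chain = find_injection(body)
    return {"forward_to_agent": chain is None, "decode_chain": chain}

# Constructed sample: the banner wrapped in Base32, then Base64, inside an HTML comment.
_layered = base64.b64encode(base64.b32encode(b"NOTE TO SYSTEM: constructed test")).decode()
SAMPLE_PAGE = "<html><!-- " + _layered + " --><body>Index of /files</body></html>"
```

Pattern matching of this kind is only one layer; it does not replace the sandboxing and script-blocking restrictions described above.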

Android Droppers Evolve to Evade Google Defenses 

Droppers have long been a key delivery method for Android malware, historically used to bypass security checks and sneak banking trojans past them. Their role is changing. ThreatFabric researchers report that droppers are now being used even for relatively simple threats, including SMS stealers and spyware, especially in India and other Asian regions. This shift is tied to Google’s Pilot Program, an extension of Play Protect that blocks risky apps before installation if they request high-risk permissions. To bypass these checks, attackers are building droppers that look harmless at first, showing only an “update” screen and avoiding suspicious permissions. Once installed, the dropper can fetch or unpack the actual malware, which then requests the necessary permissions to steal data. This tactic enables attackers to bypass Google’s front-line protections and adapt their campaigns with minimal modifications. One example is RewardDropMiner, originally a dropper that also hid a Monero miner but was later stripped down to focus on payload delivery after public exposure. Other droppers—SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper—have been observed in recent campaigns, some associated with banking trojans and others with spyware distributed through messaging apps or fake websites. Google confirmed no such apps have been found in the Play Store, but third-party installs remain a risk. Attackers are also using malvertising to push trojans, with Bitdefender linking Facebook ads for fake trading apps to Brokewell malware. Together, these trends show that droppers are no longer a niche tool for advanced malware but a universal method to bypass defenses and deliver almost any payload. Users and organizations should avoid sideloading, monitor for permission abuse, and apply mobile threat defense tools to catch hidden payloads.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.