AI guardrails under fire from researchers and regulators

Scattered Spider suspect extradited to US, House panel accuses Korea of targeting Coupang, cyberattack hits Malaysian parking app, Aflac Japan breach affects 4.4M customers, AI agent carries out extortion attack, Ukraine stops 16K Russian cyberattacks, ChocoPoC RAT hides in GitHub PoCs, much more.


Important Publishing Notice: Metacurity will be on a brief publishing break starting tomorrow, July 3. We resume publication on Monday, July 6.


Metacurity is the cybersecurity industry's daily reality check—independent, agenda-free coverage that cuts through vendor hype, social media noise, and recycled talking points to explain what matters and why.

Trusted by thousands of cybersecurity professionals, including many of the industry's most influential security leaders, Metacurity delivers the context, analysis, and perspective that busy readers don't have time to assemble themselves.

If you find value in that work, please consider becoming a paid subscriber. Metacurity remains independent because its readers choose to support it.


A series of developments this week highlights the increasingly difficult balancing act facing AI companies as governments push for greater oversight of advanced models while researchers continue to probe their cyber capabilities.

The most concrete example came from WIRED, which reported that security researcher Ian Carroll used Anthropic's Claude Opus 4.7 to help identify and exploit a flaw in Front Gate Tickets, a Live Nation subsidiary that handles ticketing for major US music festivals. Carroll said Claude helped him navigate the application, bypass firewall controls, and ultimately reach the point where he could issue high-value festival tickets. He reported the flaw rather than abusing it. Front Gate said it patched the issue within 24 hours and found no evidence of exploitation, customer-data compromise, or ticket impact.

The incident illustrates the dual-use challenge confronting AI developers. Anthropic said Carroll participated in its Cyber Verification Program, which gives vetted security researchers access to advanced model capabilities. Yet the episode also demonstrated how quickly a frontier model can assist a skilled researcher in uncovering and exploiting vulnerabilities.

Questions about model safeguards surfaced elsewhere as well. Check Point researchers reported that DeepSeek-generated code could be adapted into browser-based ransomware. While the code was incomplete, researchers found that it assembled enough components to create a plausible attack chain involving social engineering and abuse of the browser's File System Access API.

Independent researcher Alec Armbruster reported that Anthropic's recently restored Fable 5 model remained willing to assist with cybercrime-related activity despite safety measures introduced before its rerelease. According to Armbruster's testing, relatively minor prompt modifications were sufficient to persuade the model to help plan attacks against internet-connected devices using default credentials.

These reports arrive as the Trump administration is negotiating voluntary standards with leading AI developers. According to the Financial Times, US officials are discussing benchmarks, release procedures, and restrictions governing access to advanced AI models both domestically and internationally. The talks reportedly follow recent government scrutiny of model releases by both Anthropic and OpenAI.

At the same time, the relationship between AI companies and Washington appears to be deepening in other ways. The Financial Times reported that OpenAI has discussed giving the US government a 5 percent ownership stake as part of a broader proposal under which leading AI companies would dedicate a portion of their equity to a public vehicle. According to the report, OpenAI chief executive Sam Altman has argued that Americans should share in the economic gains generated by artificial intelligence, drawing comparisons to mechanisms such as the Alaska Permanent Fund. The discussions were described as preliminary, and any such arrangement would likely require congressional action.

One report circulating this week deserves considerably more skepticism. Possibly citing an inaccessible report from The Information, Semafor reported that Anthropic was rolling back code allegedly used to identify whether Claude Code users were affiliated with Chinese AI organizations.

However, the report relied heavily on claims from International Cyber Digest, a cybersecurity publication with no public masthead and unclear ownership or editorial structure. Until additional evidence emerges from more transparent sources, the allegation should be treated as unverified.

These developments underscore how AI safety debates are increasingly converging with cybersecurity and public policy concerns. Researchers continue to demonstrate ways that advanced models can assist with offensive cyber activity, while policymakers seek greater influence over how those systems are deployed and governed. (Andy Greenberg / Wired, George Hammond / Financial Times, Cristina Criddle and George Hammond / Financial Times, Jessica Lyons / The Register, J.D. Capelouto / Semafor, Alec Armbruster)

Related: The Record, International Cyber Digest, r/ClaudeAI, CheckPoint, Notebookcheck, Ian Carroll, Reuters, The Information, Alec.is

Peter Stokes, a dual citizen of the US and Estonia, who is accused of being a member of the criminal hacking group "Scattered Spider," was extradited to the US from Finland to face federal conspiracy charges in Illinois, the Justice Department said.

Stokes faces conspiracy, computer intrusion and fraud charges, according to a criminal complaint unsealed on Tuesday.

He was arrested by Finnish authorities in April after the issuance of an Interpol Red Notice and extradited to the US last week, the department said. He made an initial appearance on Tuesday in federal court in Chicago and was ordered to remain in custody, it said.

Allison Nixon, the chief research officer with cybersecurity firm Unit 221B, said that Stokes was part of a group of hackers that had threatened her as long ago as 2022. Nixon, who has tangled with other hackers from the Com, said stricter punishments were needed to deter the cybercriminals.

"It is my hope that society can understand the stubbornly malicious nature of people from these online gangs, and how current diversion efforts are insufficient," she said. (Daphne Psaledakis, Christian Martinez, Raphael Satter and AJ Vicens / Reuters)

Related: Justice Department, Security Affairs, The Record, CBS News, Decrypt, BleepingComputer, Infosecurity, ITPro, The Cyber Express, Cyber Security News, BBC News, CNBC, Sky News, The Guardian, Digital Music News, The Verge, PYMNTS, CoinDesk, RTÉ, Engadget, WGN, Business Standard, Bloomberg, Semafor, Reuters, The Decoder, Fortune, Forbes, The Next Web, CNN, Telegraph, Seoul Economic Daily, Neowin, Benzinga, Times of India, Cointelegraph, The Straits Times, The Economic Times, Fortune India, r/politics, r/StockMarket, r/pcmasterrace, r/OpenAI

The US House Judiciary Committee said in an interim report that South Korean authorities have consistently discriminated against US-based Coupang, a campaign that escalated with numerous investigations after a data breach at the e-commerce firm last year.

Those actions were part of long-standing economic discrimination against US and other foreign companies, the report said, adding that such discrimination "directly violates" a recent bilateral trade agreement.

Coupang, the biggest online retailer in South Korea but based in Seattle, became the target of much regulatory scrutiny and public ire last year after news of the breach became known. A former employee was able to access customer information associated with as many as 33.7 million accounts. Coupang later said the person only stored and retained information relating to about 3,000 accounts. (Joyce Lee and Kyu-Seok Shim / Reuters)

Related: House Judiciary Committee, Associated Press, Coupang, CNBC, UPI

Smart Selangor Parking in Malaysia announced on June 30 that a cyberattack had caused a temporary service disruption to its Flexi Parking and Smart Selangor Parking services, leaving users unable to pay for parking digitally.

Services have now been restored. (Fintech Malaysia)

Related: Paul Tan's Automotive News, The Straits Times, Fintech Malaysia

In a filing with the US Securities and Exchange Commission, American insurance giant Aflac has disclosed a new data breach after attackers breached its Japan subsidiary's systems and stole personal and bank account information of 4.38 million customers.

Aflac is now investigating the incident with the help of external cybersecurity experts and has revealed that the threat actors have gained access to some sensitive information stored on the affected systems.

Aflac Japan says it has alerted Japanese authorities to the incident and will notify affected individuals of the data breach.

One year ago, Aflac disclosed another data breach amid a broader campaign targeting insurance companies across the United States, saying that the attackers may have gained access to documents containing sensitive information about customers, beneficiaries, employees, agents, and other individuals.

While Aflac didn't attribute last year's breach to a specific threat group, the incident had all the signs of a Scattered Spider attack. (Sergiu Gatlan / Bleeping Computer)

Related: SEC, BankInfoSecurity, Japan Times, Nikkei Asia, Security Affairs, Security Week, Insurance Business, Infosecurity Magazine, The Record, Nippon.com

Researchers at Sysdig report that they have now documented a case in which the human factor appears to have been replaced by a large language model (LLM) agent, with a full extortion operation carried out from initial access to database destruction.

They named the operator JADEPUFFER and described it as an agentic threat actor, meaning the attack execution came from an AI agent, not a human-controlled toolkit. The company said the campaign began with an exposed Langflow instance and ended with a destructive database extortion attack on a separate production server.

Langflow is an open-source framework for building LLM applications and agent workflows. The entry point was CVE-2025-3248, a missing authentication flaw in Langflow’s code validation endpoint that lets a remote unauthenticated attacker execute arbitrary code on affected hosts, with NVD rating the flaw 9.8 critical under CVSS 3.1.

Once inside, the agent (JADEPUFFER) listed system details, searched for API keys and cloud credentials, dumped Langflow’s Postgres data, checked reachable internal services, and probed MinIO storage using default credentials. The payloads used in the attack were Base64-encoded Python sent through the Langflow remote code execution endpoint. (Waqas / HackRead)
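The two properties that made this intrusion possible (an endpoint that runs submitted code without authentication, and payloads shipped as Base64-encoded Python) are also the two things a defender can watch for. The script below is an added example, not Sysdig's detection content and not Langflow's code: it walks constructed request records, flags unauthenticated calls to the code-validation route, decodes any long Base64 run in the body and checks whether the result is Python that touches the host environment. `CODE_ENDPOINT` is an assumed path for the Langflow validation route and must be confirmed against the actual deployment; `INDICATORS` is a starting list, not a complete signature.

```python
"""Flag suspicious traffic to an LLM-app code-validation endpoint.

Added example (not Sysdig's detection content and not Langflow's code). The
request records are constructed; CODE_ENDPOINT is an assumed path for the
Langflow code-validation route and should be confirmed against the real
deployment; INDICATORS is a starting list, not a complete signature.
"""
import base64
import binascii
import json
import re

CODE_ENDPOINT = "/api/v1/validate/code"  # assumed route; verify on your instance

# Substrings that, in code submitted for "validation", point to host recon or
# credential hunting rather than a flow component being checked.
INDICATORS = ("import os", "import subprocess", "os.environ", "import socket",
              "boto3", "requests.get", "open(")

# A run of base64 alphabet long enough to hold more than a short token.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample payload: recon-style Python, base64-wrapped as the report describes.
_SAMPLE_BLOB = base64.b64encode(
    b"import os\nprint(os.uname())\nprint(os.environ)\n").decode()

# Constructed request records: (client ip, authenticated?, path, JSON body)
SAMPLE_REQUESTS = [
    ("10.0.0.7", True, CODE_ENDPOINT,
     json.dumps({"code": "def add(a, b):\n    return a + b\n"})),
    ("198.51.100.23", False, CODE_ENDPOINT, json.dumps({"code": _SAMPLE_BLOB})),
    ("198.51.100.23", False, "/api/v1/flows", json.dumps({})),
]


def decode_blobs(text):
    """Yield the decoded form of each base64-looking run that is valid UTF-8 text."""
    for match in _B64_RE.finditer(text):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            yield decoded


def scan(records, code_endpoint=CODE_ENDPOINT):
    """Return one alert per request to the code endpoint that lacks auth
    or carries encoded code matching INDICATORS."""
    alerts = []
    for ip, authenticated, path, body in records:
        if path != code_endpoint:
            continue  # other routes are out of scope for this check
        reasons = []
        if not authenticated:
            reasons.append("unauthenticated request to code-validation endpoint")
        hits = sorted({ind for text in decode_blobs(body)
                       for ind in INDICATORS if ind in text})
        if hits:
            reasons.append("base64 payload decodes to Python using " + ", ".join(hits))
        if reasons:
            alerts.append({"ip": ip, "reasons": reasons, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert["ip"], "->", "; ".join(alert["reasons"]))
```

The authenticated request with plain flow code produces nothing, while the unauthenticated one trips both checks; the point of the first check is that, on a patched instance, the endpoint should never be reachable without a session at all, so any such hit is worth an alert on its own.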

Related: Sysdig, CyberPress

The Cyber Security Department of the Security Service of Ukraine (SBU) reports that Ukraine has neutralized more than 16,000 Russian cyberattacks and critical cyber incidents since the beginning of the war.

The SBU announced this, citing the head of its Cyber Security Department, Brigadier General Volodymyr Karasteliov, Ukrinform reports.

According to Karasteliov, a number of Russia's cyberattacks have targeted Ukrainian media outlets. (Ukrinform)

Related: SBU, The New Voice of Ukraine, Liga.net

Researchers at Sekoia and YesWeHack say they found multiple weaponized proof-of-concept (PoC) exploits on GitHub delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.

ChocoPoC stands out for not embedding the malware directly in the exploit file but for adding malicious Python packages to the PoC’s dependency list.

The packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.

Once the victim clones a malicious repository, a trojanized package named ‘frint’ is automatically fetched and installed on their systems.

Researchers warn that the new malware delivery technique allows keeping the exploit intact by assigning the malicious behavior to packages that seem harmless on their own. (Bill Toulas / Bleeping Computer)
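Because the exploit file itself stays clean, the place to catch this is the dependency list, before `pip install -r` runs. The script below is an added example, not Sekoia's, YesWeHack's or any project's code: it parses a requirements file, flags every package that is not on a reviewer's allowlist, and additionally notes when a flagged name closely resembles a familiar one. The only detail taken from the report is the package name `frint`; the allowlist, the familiar-name list, the sample requirements text and the similarity threshold are assumptions for illustration.

```python
"""Audit a cloned PoC repository's Python dependency list before anything installs.

Added example, not Sekoia's, YesWeHack's, or any project's own code. The only
detail taken from the report is the trojanized package name 'frint'; the
allowlist, the familiar-name list, the sample requirements text and the
similarity threshold are assumptions for illustration.
"""
import re
from difflib import SequenceMatcher

# Packages already vetted for PoC work (assumed allowlist; keep your own).
ALLOWLIST = {"requests", "pwntools", "paramiko", "pycryptodome", "scapy", "colorama"}

# Names a developer skims past without a second look (assumed list); a dependency
# that merely resembles one of these deserves review.
FAMILIAR_NAMES = {"requests", "urllib3", "flask", "print", "numpy", "pillow", "colorama"}

# Constructed requirements.txt as it might appear in a cloned exploit PoC.
SAMPLE_REQUIREMENTS = """\
# PoC dependencies
requests==2.31.0
pwntools>=4.9
frint            # extra package the exploit itself never needs
colorama
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text):
    """Return normalized package names, ignoring comments and pip options (-r, -e, ...)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(match.group(1).lower().replace("_", "-"))
    return names


def similarity(a, b):
    """Ratio in [0, 1] from difflib; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def audit(text, allowlist=ALLOWLIST, familiar=FAMILIAR_NAMES, threshold=0.8):
    """Map each dependency outside the allowlist to the reason it needs a human look."""
    findings = {}
    for name in parse_requirements(text):
        if name in allowlist:
            continue
        lookalikes = sorted(f for f in familiar
                            if f != name and similarity(name, f) >= threshold)
        if lookalikes:
            findings[name] = "not on allowlist; resembles " + ", ".join(lookalikes)
        else:
            findings[name] = "not on allowlist"
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_REQUIREMENTS).items():
        print(f"REVIEW {name}: {reason}")
```

Wire this into the checkout step of a research VM (or a pre-commit hook on a shared PoC mirror) so the install is blocked until every finding has been looked at; an allowlist is deliberately stricter than a denylist here, since the packages in this campaign were unknown names chosen precisely because nobody had a reason to block them.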

Related: YesWeHack, CyberPress, GBHackers

ChocoRAT infection chain. Source: Sekoia

Over 900 Oracle E-Business Suite (EBS) instances have been found exposed online amid ongoing attacks exploiting a critical security flaw.

The vulnerability (tracked as CVE-2026-46817) was found in the File Transmission component of EBS's Oracle Payments product and allows malicious actors without privileges and with HTTP network access to take over vulnerable systems through low-complexity attacks.

Oracle has patched this flaw with security updates released as part of its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately. (Sergiu Gatlan / Bleeping Computer)

Related: CyberPress

Japanese industrial manufacturer Kubota North America Corporation disclosed that hackers had access to some of its network systems for more than a month earlier this year.

Its North American division includes facilities that produce tractors, mowers, and utility vehicles.

Following an investigation into the incident, the company determined that between March 16 and April 20, the threat actor accessed files with personal information for employees and their dependents.

At the time of writing, no data extortion groups or ransomware gangs have assumed responsibility for the attack at Kubota. The company did not mention facing any operational or business disruptions as a result of this incident. (Bill Toulas / Bleeping Computer)

Related: Kubota

Researchers at SOCRadar report that the massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions.

They discovered this link after identifying a Windows server used as part of the FortiBleed infrastructure.

"Our threat researchers identified a Windows server belonging to the FortiBleed infrastructure, which provided further insight into the threat actors' modus operandi," SOCRadar told BleepingComputer.

"During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group."

SOCRadar shared screenshots with BleepingComputer showing browser sessions accessing the administration panels for both ransomware groups. The images show negotiation dashboards containing victim chats used during ransomware negotiations.

According to the researchers, this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups' negotiation platforms.

The company also says it identified more than 200 additional operational servers beyond those originally associated with the campaign, discovered victim information harvested during FortiBleed that overlaps with organizations later listed on the INC ransomware leak site, and uncovered evidence suggesting the operation consists of roughly 20 members with defined roles. (Lawrence Abrams / Bleeping Computer)

Related: SOCRadar, CyberPress, Techzine, Tech Times, Security Affairs, Cyber Press, GBHackers, CyberSecurityNews

Chrome just released version 150.0.7871.46/47 for Windows and macOS and 150.0.7871.46 for Linux to the stable channel. With it, the developers have fixed just under 400 security vulnerabilities, some of which are considered critical. According to Google, none of the patched flaws are being exploited in the wild yet.

In the Chrome Releases blog post, Daniel Yip lists 382 security vulnerabilities that have been fixed, stating that Google discovered 358 of these by itself. The remaining flaws were identified and reported by external security researchers. Google has awarded these researchers a total of nearly $90,000 in bounties.

Fifteen of the vulnerabilities are classified as critical: CVE-2026-13774 to CVE-2026-13788. The majority of those critical flaws are use-after-free (UAF) vulnerabilities in various components, such as the Dawn graphics library. Three vulnerabilities can be exploited due to insufficient validation of input data (including user input). (Frank Ziemann / PC World)

Related: Chrome, Heise Online, CyberPress, Forbes

McAfee researchers are warning cryptocurrency users worldwide about a malicious browser extension that hides behind the name “Google Notes” while changing wallet addresses during transactions.

In cybersecurity terms, this is clipper malware, more specifically a crypto clipper delivered through a malicious browser extension.

McAfee says the campaign uses unsigned installers to place a malicious extension inside Chromium-based browsers, including Google Chrome, Brave, and Microsoft Edge.

The extension presents itself as a simple note-taking tool, but its main purpose is to watch for copied cryptocurrency wallet addresses and replace them before the user pastes them into a payment field.

Thereafter, anyone sending crypto by copy and paste could miss the swap unless they check the address closely. Since most cryptocurrency transfers cannot be reversed, one successful swap can mean permanent loss.

Behind the fake notes app, the extension asks for access that does not match its claimed purpose. McAfee found requests for access to all websites, browsing history, and the clipboard, permissions that would be unusual for a basic note-taking extension. (Waqas / HackRead)
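The permission mismatch McAfee describes is something that can be checked mechanically from an extension's `manifest.json` before the extension is allowed onto managed browsers. The script below is an added example, not McAfee's tooling and not the real extension's manifest: the manifest is constructed to mirror the permission set the report lists (all websites, browsing history, clipboard), and the "expected" profile for a note-taking tool is an assumption. It reports every permission outside that profile and rates the clipboard-plus-broad-host combination, which is the clipper pattern, as high.

```python
"""Flag extension permissions that do not fit the extension's stated purpose.

Added example, not McAfee's tooling and not the real extension's manifest. The
manifest below is constructed to mirror the permissions the report describes;
the expected-permission profile for a notes tool is an assumption.
"""
import json

# Constructed Manifest V3 modelled on the report's description of the fake notes extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Google Notes",
    "version": "1.0",
    "description": "Simple note taking.",
    "permissions": ["storage", "clipboardRead", "clipboardWrite", "history", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})

# What a note-taking tool plausibly needs (assumed profile for this category).
EXPECTED_FOR_NOTES = {"storage"}

# Capabilities relevant to clipper behaviour and why a reviewer cares about each.
HIGH_RISK = {
    "clipboardRead": "can read copied wallet addresses",
    "clipboardWrite": "can replace clipboard contents",
    "history": "exposes browsing activity",
    "tabs": "can enumerate open sites",
    "<all_urls>": "can run on every site, including wallets and exchanges",
}


def requested_permissions(manifest):
    """Collect API permissions, host permissions and content-script match patterns."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    return requested


def audit_manifest(manifest_text, expected=EXPECTED_FOR_NOTES):
    """Return {permission: reason} for every request outside the expected profile."""
    manifest = json.loads(manifest_text)
    unexpected = sorted(requested_permissions(manifest) - expected)
    return {p: HIGH_RISK.get(p, "outside the stated purpose") for p in unexpected}


def risk_level(findings):
    """Crude triage: clipboard access plus broad host access is the clipper pattern."""
    clipboard = {"clipboardRead", "clipboardWrite"} & findings.keys()
    broad = "<all_urls>" in findings
    if clipboard and broad:
        return "high"
    if findings:
        return "medium"
    return "low"


if __name__ == "__main__":
    findings = audit_manifest(SAMPLE_MANIFEST)
    print("risk:", risk_level(findings))
    for perm, reason in findings.items():
        print(f"  {perm}: {reason}")
```

The same check works against the enterprise extension policy on managed Chrome and Edge (the permission names are the standard Chromium ones), which is where a blocklist entry for a high-rated extension would go; a sideloaded, unsigned installer, as used in this campaign, bypasses the store review that would otherwise be the first line of defence, so the policy check matters more, not less, in that case.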

Related: McAfee, SC Media

The fake Google Notes browser extension (left) – Threat blocked by McAfee (right) – Image via McAfee

US District Judge David Lawson threw out digital evidence seized from computers in the hacking case against former University of Michigan football co-offensive coordinator Matt Weiss after his attorneys said the material was illegally obtained, but refused to toss evidence FBI agents seized from Weiss' iCloud account.

The mixed ruling came three weeks after he heard oral arguments in Detroit in a case that accused Weiss of hacking into the personal accounts of thousands of female college athletes. Prosecutors said he stole intimate photographs and videos, including some showing students engaged in explicit sexual acts from 2015-23.

Weiss was charged with 24 crimes in March 2025, including 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. (Robert Snell and Angelique S. Chengelis / The Detroit News)

Related: The Detroit Free Press, The Michigan Daily

Cisco Talos reports that it found an operator panel dubbed ARToken that shares infrastructure and other traits with the EvilTokens phishing-as-a-service operation, apparently acting as an affiliate of it. EvilTokens is built to bypass multi-factor authentication and compromise Microsoft 365 accounts.

EvilTokens has reportedly seen a dramatic increase in its phishing attacks — by 1,380% early this year compared to the same period last year — with an assist from artificial intelligence integration.

ARToken is notable, though, for the capabilities that go beyond what’s been made public about EvilTokens so far by companies like Sekoia and Microsoft itself, such as inbox rule manipulation and shared access links. (Greg Otto / CyberScoop)

Related: Cisco Talos

A sample ARToken phishing email. Source: Cisco Talos.

Researchers at Bitdefender uncovered a hacking campaign targeting small businesses, in which the threat actor poses as an Interpol investigator to deliver a ransomware payload.

The unnamed threat actor is contacting its victims via email and warning them that Interpol has observed some kind of suspicious activity on their network.

“Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible,” analyst Alina Bizga said in a blog post.

The email contains a Proton Drive link and a password to open an archived file containing the “evidence”. However, the video file is fake and instead deploys what appears to be a relatively unsophisticated ransomware payload that encrypts files across multiple drives. (David Hollingworth / Cyber Daily)

Related: Bitdefender


AI is not a cybersecurity strategy.

Organizations with strong security programs will use AI to move faster. Organizations with weak security programs will use AI to create bigger, faster failures.

That's why I wrote The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. The book moves beyond compliance checklists and theory to show how real organizations succeed—or fail—when security fundamentals break down.

If you're trying to build a resilient security program in the age of AI, this book provides a practical roadmap grounded in actual incidents and operational experience.

Wiley is offering Metacurity readers a 20% discount with code ENG20. Order your copy today, and contact me about bulk orders or customized editions for your organization.


Researchers at Fortinet's FortiGuard Labs report that a banking trojan long used against victims in Brazil has been retooled to target banking customers in Spain and Portugal, using phishing PDFs, steganography, and geofencing to stay hidden.

They say the malware, known as Ousaban, has been active against the two countries since May 2026.

A banking trojan from the same Latin American family as Casbaneiro, it now comes wrapped in extra layers of evasion designed to keep it in front of intended victims and away from researchers. (Alessandro Mascellino / Infosecurity Magazine)

Related: SC Media, Fortinet

Healthcare device firm Medtronic is notifying affected customers about a data breach that exposed their personal data to an unauthorized third party.

The company previously confirmed that its IT systems were compromised by hackers, and the infamous data extortion group ‘ShinyHunters’ claimed the attack.

The threat actor said that they were holding 9 million Medtronic records with personally identifiable information (PII) and internal corporate data.

ShinyHunters typically publishes stolen data if ransom negotiations with the victim organization fail to secure payment.

The hackers listed Medtronic on their dark web extortion portal on April 18 and threatened to release the stolen data, allegedly over 9 million records, if a ransom payment wasn’t made by April 21.

However, the Medtronic entry was removed from ShinyHunters' listing later the same month. In the notification to customers, Medtronic emphasizes that the stolen data was not exposed online. (Bill Toulas / Bleeping Computer)

Related: Medtronic, TechTarget, BankInfoSecurity

Researchers at Huntress report that an aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period.

The threat actor tried to authenticate via Microsoft's Azure command-line interface (CLI) using still valid username and password combinations that had been exposed in past breaches.

Microsoft's Azure CLI is used for managing Azure cloud resources, enabling administrators to manage virtual machines, deploy applications, manage databases, and automate cloud operations.

Overall, Huntress observed a more than 155-fold increase in password-spraying attacks, with organizations now averaging 1,964 failed login attempts per tenant each month.

It is unclear who is behind the latest campaign, but Huntress notes that the activity originates from an IPv6 range owned by LSHIY LLC (AS32167).

The researchers disclosed their findings to LSHIY through the company's abuse reporting portal, but had not received a response by the time their report was published. (Bill Toulas / Bleeping Computer)
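A spray of this shape (one or two failed attempts against each of many accounts, all arriving from one source range) looks nothing like a user mistyping a password, and the distinction is easy to encode. The script below is an added example, not Huntress's detection logic: it groups sign-in records by source, collapsing IPv6 addresses to their /64 so that rotation inside one prefix still counts as a single actor (the report ties the activity to an IPv6 range, which is why this generalization matters), finds the densest sliding window of failures per source, and alerts when that window spans enough distinct accounts, attaching any successes from the same source. The events, thresholds, addresses (documentation ranges) and the `azure-cli` app label are constructed for illustration and do not describe the real campaign's infrastructure.

```python
"""Password-spray detection over sign-in records, aggregated by source prefix.

Added example, not Huntress's detection logic. The events, thresholds,
addresses (documentation ranges) and the 'azure-cli' app label are constructed
for illustration; none of them describe the real campaign's infrastructure.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_USERS = 5            # distinct accounts failing from one source inside the window
WINDOW = timedelta(minutes=10)

# Constructed events: (timestamp, user, source ip, client app, result)
SAMPLE_EVENTS = [
    ("2026-06-22T10:00:01", "alice@example.com", "2001:db8:1::10", "azure-cli", "failure"),
    ("2026-06-22T10:00:03", "bob@example.com",   "2001:db8:1::11", "azure-cli", "failure"),
    ("2026-06-22T10:00:05", "carol@example.com", "2001:db8:1::12", "azure-cli", "failure"),
    ("2026-06-22T10:00:08", "dave@example.com",  "2001:db8:1::10", "azure-cli", "failure"),
    ("2026-06-22T10:00:10", "erin@example.com",  "2001:db8:1::11", "azure-cli", "failure"),
    ("2026-06-22T10:00:12", "frank@example.com", "2001:db8:1::12", "azure-cli", "failure"),
    ("2026-06-22T10:00:15", "frank@example.com", "2001:db8:1::12", "azure-cli", "success"),
    # One user fumbling a password from a single IPv4 address: not a spray.
    ("2026-06-22T11:30:00", "grace@example.com", "203.0.113.5", "browser", "failure"),
    ("2026-06-22T11:30:20", "grace@example.com", "203.0.113.5", "browser", "failure"),
    ("2026-06-22T11:30:45", "grace@example.com", "203.0.113.5", "browser", "success"),
]


def source_key(ip_text):
    """Collapse IPv6 sources to their /64 so a spray rotating hosts inside one
    prefix is counted as a single actor; IPv4 is kept per address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


def detect_spray(events, threshold_users=THRESHOLD_USERS, window=WINDOW):
    """Return one alert per source whose failures spread across many accounts
    inside a sliding window, with any successes from that same source attached."""
    by_source = defaultdict(list)
    for ts, user, ip, app, result in events:
        by_source[source_key(ip)].append((datetime.fromisoformat(ts), user, app, result))

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        failures = [(t, u) for t, u, _, r in evs if r == "failure"]
        best = None  # (distinct users, failure count) for the densest window seen
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= threshold_users and (best is None or len(users) > best[0]):
                best = (len(users), end - start + 1)
        if best:
            alerts.append({
                "source": src,
                "distinct_users": best[0],
                "failures_in_window": best[1],
                "apps": sorted({a for _, _, a, _ in evs}),
                "successes_from_source": sorted({u for _, u, _, r in evs if r == "success"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

Any account in `successes_from_source` is the one to act on first (revoke sessions, reset the credential, review what the session did), since a credential that still works after being exposed in an earlier breach is exactly what this campaign was testing for; the per-tenant failure counts the report quotes are the same data, just aggregated by tenant instead of by source.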

Related: Huntress, SC Media, Cyber Press, Security Week

Activity peak on June 22. Source: Huntress

Huntress CEO Kyle Hanslovan said he is aware of “questionable, long-term threat actor communications” between a threat hunter who is still employed with the security firm and a cybercriminal, and called this “poor judgment.”

“In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor,” Hanslovan said in a blog post, addressing a former employee’s accusations that the current Huntress analyst is an insider threat to the company. “While this disclosure was not illegal, it reflected poor judgment,” he wrote.

The incident came to light last week when former Huntress security operations analyst Ben Folland, who left the company in February, alleged that “another Huntress employee passed communications from US law enforcement to a cybercriminal, Devman, who is actively and publicly targeting my family and me.”

Devman is a ransomware operator, believed to be located in Russia, who uses modified DragonForce code built on top of the leaked Conti source code.

Folland alleged that this insider, still employed by Huntress, was “caught by the FBI,” and that their involvement with Devman “would cause significant reputational damage to Huntress and, in my view, continues to put clients at risk.” (Jessica Lyons / The Register)

Related: Huntress, SC Media

Best Thing of the Day: Offer to Carry Their Books, and They Will Give You the World

A red-team exercise showed how a simple act of helpfulness—including shoveling snow for a company employee—ultimately helped security testers gain network administrator access.

Bonus Best Thing of the Day: Don't Do More AI, Do Smarter AI

Companies across tech, entertainment, banking, and many other industries are throttling their employees’ use of AI and pleading with workers to use less powerful models to stop AI costs from spiraling out of control.

Worst Thing of the Day: The US Doesn't Need a Functioning Intel Community Anyway

Donald Trump said that acting spy chief Bill Pulte, widely derided for his lack of qualifications, can declassify “whatever” records he wants and can declassify “almost everything,” a sweeping green light that has alarmed former intelligence officials, who warn that careless releases could expose sensitive intelligence capabilities and sidestep standard review processes with other spy agencies.

Bonus Worst Thing of the Day: Ignorance Is Bliss

Office of Management and Budget Director Russell Vought said that the White House is not planning to review the so-called Department of Government Efficiency’s performance as the Elon Musk-launched project that eviscerated large swaths of federal agencies winds down.

Closing Thought