
Runtime Defenses Rise Amid Exploited Bugs and Social Engineering
Coverage: 23 Jan 2026 – 25 Jan 2026 (UTC)
Platform hardening led the day as new runtime controls for AI agents and orchestration updates aimed to tighten guardrails, while defenders also faced confirmed exploitation and social engineering waves. A detailed Defender blog outlines real-time checks that intercept tool use by Copilot Studio agents before execution. On the response side, the CISA KEV catalog expanded with a VMware vCenter flaw under active exploitation, reinforcing the need to prioritize patching and monitoring.
Runtime controls meet workflow governance
To reduce prompt-injection and reprogramming risks, the runtime model described in the Defender research treats every agent tool invocation as a privileged event. Before any topic, tool, or knowledge action runs, the orchestrator sends a webhook to security controls describing the intended action, parameters, and context; the system then permits or blocks the call and records the decision, surfacing alerts for review. Walk-throughs show runtime checks stopping attempted knowledge exfiltration, SharePoint document abuse, and chatbot capability probing. The approach preserves agent flexibility while adding precise oversight at execution time.
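The webhook gate described above, as an added illustration that is not Microsoft's or the Defender blog's code: the payload schema, tool names, allow-listed SharePoint site and probe threshold are all assumed, and the three rules mirror the three walk-through scenarios (knowledge exfiltration, SharePoint document abuse, capability probing).

```python
"""Minimal runtime gate for agent tool invocations (illustrative; schema is assumed)."""
import json
from dataclasses import dataclass, field

# Tools that can move data out of the tenant (assumed names, not a real catalog).
EGRESS_TOOLS = {"send_email", "http_post", "create_share_link"}
ALLOWED_SHAREPOINT_SITES = {"sites/ProjectAlpha"}   # assumed allow-list
MAX_CAPABILITY_PROBES = 3                           # assumed threshold per session

decision_log: list = []   # every verdict is recorded for later review

@dataclass
class Invocation:
    session_id: str
    action_type: str          # "topic" | "tool" | "knowledge"
    name: str
    parameters: dict = field(default_factory=dict)
    context: dict = field(default_factory=dict)   # e.g. {"sources": [...], "probe_count": n}

def evaluate(inv: Invocation) -> dict:
    """Return {"decision": "allow"|"block", "reason": str, "alert": bool} and log it."""
    reason, alert = "policy default allow", False
    # Knowledge exfiltration: content retrieved from knowledge sources leaving via an egress tool.
    if inv.name in EGRESS_TOOLS and inv.context.get("sources"):
        reason, alert = "knowledge content routed to egress tool", True
    # SharePoint abuse: document actions outside the allow-listed sites.
    elif inv.name.startswith("sharepoint.") and inv.parameters.get("site") not in ALLOWED_SHAREPOINT_SITES:
        reason, alert = "SharePoint site not allow-listed", True
    # Capability probing: repeated enumeration of tools/topics within one session.
    elif inv.name == "list_capabilities" and inv.context.get("probe_count", 0) >= MAX_CAPABILITY_PROBES:
        reason, alert = "capability probing threshold exceeded", True
    decision = "block" if alert else "allow"
    record = {"session": inv.session_id, "action": inv.action_type, "name": inv.name,
              "decision": decision, "reason": reason, "alert": alert}
    decision_log.append(record)
    return record

def handle_webhook(body: str) -> str:
    """Parse the orchestrator's JSON payload, decide, and return the JSON verdict."""
    data = json.loads(body)
    inv = Invocation(data["session_id"], data["action_type"], data["name"],
                     data.get("parameters", {}), data.get("context", {}))
    return json.dumps(evaluate(inv))
```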
Orchestration and agent operations also gained governance features. Google Cloud introduced Airflow 3.1 on Cloud Composer with Human‑in‑the‑Loop approvals, Deadline Alerts, UI localization, and a React plugin system for extensibility. In contact centers, Amazon Connect Step‑by‑Step Guides added conditional UI logic and configurable real‑time refresh, helping agents see only relevant fields and current data. For macOS build farms, new EC2 Mac instances on M4 Max target heavy CI/CD and testing with increased CPU/GPU headroom and faster I/O—useful for scaling secure, isolated pipelines.
Advisories and exploited vulnerabilities
Active exploitation continued against Fortinet devices via a FortiCloud SSO authentication bypass that some attackers used even on fully updated systems at the time of compromise. Reporting notes automated creation of VPN‑enabled admin accounts, configuration downloads, and SSO logins tied to cloud‑init@mail.io and an IP address observed across incidents; administrators are advised to restrict internet‑facing management, disable FortiCloud SSO, rotate credentials, and treat affected devices as compromised while a comprehensive fix is developed. Details and indicators are compiled by BleepingComputer.
On federal patch priorities, CISA added a vCenter out‑of‑bounds write to the KEV catalog, signaling confirmed exploitation and urging swift remediation. Separately, the agency also confirmed ongoing exploitation of four other flaws spanning developer and enterprise tooling (Vite, Versa Concerto, a trojanized eslint-config-prettier chain, and Zimbra). Agencies covered by BOD 22‑01 face a February 12, 2026 deadline to remediate those four, with versions and mitigations summarized by BleepingComputer. Why it matters: KEV listings reflect observed in‑the‑wild activity; aligning patching with KEV helps cut risk from broadly targeted attacks.
Social engineering and account takeover playbooks
Extortion group ShinyHunters claimed voice‑phishing campaigns against SSO accounts at major providers, using live kits that coach victims through credential capture and MFA prompts. Once inside an SSO dashboard, operators can pivot to connected services to harvest data at scale. Recommended defenses include phishing‑resistant MFA, tighter conditional access, least‑privileged administration, and targeted vishing awareness. Coverage comes via BleepingComputer.
Relatedly, Microsoft observed a multi‑stage adversary‑in‑the‑middle phishing and BEC campaign against energy firms that abused trusted platforms (SharePoint and other file‑sharing) to mask credential theft. Attackers created inbox rules to hide traces, maintained sessions after credential changes, and expanded phishing from compromised accounts. Microsoft recommends revoking session cookies, removing attacker rules, and deploying phishing‑resistant MFA with continuous access evaluation. Full technical context is summarized by The Hacker News.
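Hunting for the trace-hiding inbox rules mentioned above, as an added example that is not Microsoft's detection logic: the rule dictionary format, the tenant domain and the sample rules are constructed, and the indicators (delete, move to a rarely viewed folder, mark read, external forwarding, keyword filters, one-character names) are generic BEC review heuristics.

```python
"""Flag inbox rules with the hallmarks of BEC-style trace hiding (constructed rule data)."""
import re

# Keywords attackers commonly filter on so the victim never sees security or payment mail.
SUSPICIOUS_KEYWORDS = re.compile(r"password|invoice|payment|wire|security|suspicious|hacked|mfa", re.I)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "archive", "junk email", "conversation history"}
INTERNAL_DOMAINS = {"example-energy.com"}   # assumed tenant domain

def suspicious_rule(rule: dict) -> list:
    """Return the list of triggered indicators for a single inbox rule."""
    hits = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    if actions.get("delete"):
        hits.append("deletes mail")
    if actions.get("move_to", "").lower() in HIDING_FOLDERS:
        hits.append(f"moves to hiding folder {actions['move_to']}")
    if actions.get("mark_read"):
        hits.append("marks as read")
    fwd = actions.get("forward_to", "")
    if fwd and fwd.split("@")[-1].lower() not in INTERNAL_DOMAINS:
        hits.append(f"forwards externally to {fwd}")
    for text in conditions.get("subject_contains", []) + conditions.get("body_contains", []):
        if SUSPICIOUS_KEYWORDS.search(text):
            hits.append(f"filters on keyword {text!r}")
    # Empty or single-character rule names are a common attacker shortcut.
    if len(rule.get("name", "").strip()) <= 1:
        hits.append("minimal rule name")
    return hits

def triage(rules: list) -> list:
    """Return [(rule_name, indicators)] for rules with two or more indicators."""
    flagged = []
    for rule in rules:
        hits = suspicious_rule(rule)
        if len(hits) >= 2:
            flagged.append((rule.get("name", ""), hits))
    return flagged

# Constructed sample: one benign sorting rule and two attacker-style rules.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": ["news@"]}, "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"subject_contains": ["password", "invoice"]},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
    {"name": "Finance", "conditions": {"body_contains": ["wire transfer"]},
     "actions": {"forward_to": "ap-team@mail-drop.example", "delete": True}},
]
```

Feed `triage` the rules exported from the affected mailbox and remove every flagged rule alongside the session revocation the advisory recommends.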
Supply chains and destructive operations
Developer ecosystems saw supply‑chain exposure on the VSCode Marketplace: two popular AI‑themed extensions (“ChatGPT – 中文版” and “ChatMoss”) delivered advertised functionality while covertly exfiltrating editor contents, harvesting up to 50 files on command, and loading analytics SDKs to fingerprint devices. The risk spans private source code, configuration files, and embedded secrets. Researchers advise tightening extension vetting, isolating workspaces, and enforcing secret scanning. Findings are detailed by BleepingComputer.
Separately, an attempted December wiper attack against Polish energy systems was linked by researchers to Sandworm, with a new destructive payload dubbed DynoWiper. Public sources report limited technical details and no accessible sample for verification; key questions around initial access and dwell time remain. The episode underscores the operational stakes for industrial environments and the importance of backup validation and network segmentation. Attribution and impact context are captured by BleepingComputer. In parallel, commentary on recent evaluations highlights AI models' growing ability to chain exploits with minimal supervision, emphasizing the continued value of rapid patching and basic hygiene; see the Schneier blog for examples and mitigations.