CISA Orders EOS Removals; Cloud Telemetry Grows; AI Tooling Risks

Coverage: 09 Feb 2026 (UTC)

Cloud observability and policy moved forward while attackers probed weak edges and fast‑evolving AI tooling. Google Cloud added OTLP metrics ingestion to Cloud Monitoring, and Infosecurity reports that CISA issued a binding directive pushing U.S. civilian agencies to remove end‑of‑support (EOS) devices from the network edge. At the same time, a report on Claude Desktop Extensions detailed a zero‑click path to remote code execution via Model Context Protocol connectors, as covered by Infosecurity, underscoring design risks as agentic integrations spread.

Platform telemetry and agentic workflows progress

Google Cloud expanded OpenTelemetry adoption by supporting OTLP metrics in Cloud Monitoring alongside earlier trace support. Teams can generate metrics with the OpenTelemetry SDK, route them via the Collector, and store them like Managed Service for Prometheus data, with DELTA metrics to reduce memory, dynamic histograms, and flexible naming. For scale‑sensitive sources, exports can go directly to the Telemetry API, and a managed OpenTelemetry pipeline for GKE offers one‑click in‑cluster collection in preview. The move enables provider‑agnostic pipelines while reducing operational friction for Kubernetes users.

AWS introduced Kiro integration for HealthOmics, combining a Kiro IDE extension with a HealthOmics Kiro Power so an AI agent can help author, debug, and optimize Nextflow and WDL workflows. AWS says the integration adds syntax assistance, engine checks, automated run analysis, and performance recommendations, all packaged around Model Context Protocol components. Because HealthOmics targets regulated workloads, the guidance stresses access controls, model‑context configuration, and monitoring before production adoption. Why it matters: observability standardization and agent‑assisted development can shorten feedback loops, but they expand the surface area where permissions, context handling, and cost controls must be precise.

Directives and critical patches on the edge

To counter active exploitation of unsupported appliances, CISA’s Binding Operational Directive 26‑02 requires U.S. civilian agencies to inventory public‑facing EOS devices, decommission those at or near EOS on defined timelines, and establish continuous discovery within two years. The Infosecurity report notes an EOS Edge Device List and staged deadlines: identify and remediate quickly, remove all identified EOS edge devices within 18 months, and keep rolling inventories to prevent recurrence. The directive raises lifecycle accountability and procurement pressure but directly targets a class of assets repeatedly abused in recent campaigns.

BeyondTrust shipped fixes for a critical pre‑auth OS command injection (CVE‑2026‑1731) in Remote Support and certain Privileged Remote Access releases. According to The Hacker News, the flaw (CVSS 9.9) allows unauthenticated command execution via crafted requests; patches land in RS 25.3.2+ and PRA 25.1.1+, with older deployments needing interim upgrades. Researchers estimated roughly 11,000 internet‑exposed instances, about 8,500 on‑prem. Organizations should prioritize upgrades, verify versions, review logs, and apply network mitigations while patching. Why it matters: internet‑reachable remote support tools are high‑leverage targets, and pre‑auth RCE turns them into rapid entry points.

AI tooling and model safety under strain

LayerX researchers detailed an architectural, zero‑click path to full code execution in Claude Desktop Extensions by triggering the Model Context Protocol to chain connectors and local executors after ingesting a crafted calendar event. As reported by Infosecurity, DXT bundles instantiate local MCP servers with user‑level privileges, and Anthropic declined to fix the behavior, citing the current threat model for locally enabled MCP servers. The authors recommend strict input validation, granular prompts, sandboxing, and clearer shared‑responsibility guidance. The takeaway: dynamic connector composition can implicitly trust low‑risk inputs for high‑risk actions unless guardrails are enforced.

Microsoft researchers showed that altering a GRPO‑style reward signal can rapidly erode safety alignment with a single unlabeled prompt, a process they dub GRP‑Obliteration. Their experiments increased harmful output permissiveness across 15 language models and extended to diffusion models, highlighting how small downstream updates can broadly shift policy. Microsoft advises continuous safety evaluation alongside capability testing, hardening reward/judge models, and constraining fine‑tuning levers to reduce policy drift.

Separately, early evaluations of Claude Opus 4.6 indicate the model can locate high‑severity vulnerabilities in mature codebases by reasoning over source, surfacing bugs fuzzers missed. Schneier notes this dual‑use shift compresses time‑to‑find for both defenders and adversaries, pressing teams to integrate model‑aided reviews, strengthen runtime mitigations, and accelerate patch workflows.

Operational exposure in agentic systems is also rising: Infosecurity cites SecurityScorecard’s finding of 40,214 publicly exposed OpenClaw instances, 63% with weaknesses and over 12,000 susceptible to remote code execution. Reported leaks of API keys and susceptibility to indirect prompt injection compound risk. Recommended steps include limiting permissions, isolating agents, defending against prompt injection, and treating agents as privileged identities.

Intrusions leverage helpdesk, gateways, and social lures

SolarWinds Web Help Desk servers have been exploited in multi‑stage intrusions. The Hacker News relays Microsoft’s observations of unauthenticated RCE via multiple CVEs (including a KEV‑listed issue), followed by PowerShell, BITS‑delivered payloads, installation of legitimate Zoho ManageEngine components for persistence, attempts to boot a hidden QEMU VM for SSH backdoor access, DLL side‑loading, and credential theft up to DCSync. Microsoft recommends prompt patching, removing unauthorized RMM tools, rotating sensitive accounts, and behavior‑based detection across identity, endpoint, and network layers.

Singapore’s Cyber Security Agency disclosed an espionage campaign against major telcos, assessed to be linked to UNC3886. The Hacker News summarizes that actors used a zero‑day to bypass a perimeter firewall, deployed rootkits for stealth, and accessed critical network areas without disrupting services or exfiltrating customer data. CSA’s operation closed access points and expanded monitoring and threat hunting. The case underscores persistent focus on virtualization stacks and network appliances.

Cisco Talos detailed a long‑running adversary‑in‑the‑middle framework named DKnife that implants on gateways and edge devices for DPI, credential theft, and payload injection. CSO Online reports selective redirection of software updates and Android app requests to deliver families like ShadowPad and DarkNimbus, DNS manipulation, and modules that degrade security tooling. Talos released IoCs and signatures to aid detection.

Cloud‑focused opportunism continues: The Hacker News describes TeamPCP’s worm using exposed Docker/Kubernetes APIs, Ray dashboards, Redis, and React/Next.js flaws to monetize compromised resources via crypto‑mining, data hosting, and proxying, with Sliver in post‑exploitation. Automation and hybrid monetization, rather than novel exploits, drive the campaign’s impact.

Vendor and administrative platforms remain attractive targets. BleepingComputer reports the Warlock ransomware group breached SmarterTools via an authentication‑bypass in SmarterMail (CVE‑2026‑23760), resetting admin credentials and moving laterally before encryption was blocked; upgrades to Build 9511+ are advised. The BleepingComputer coverage of the European Commission incident points to Ivanti EPMM zero‑days (CVE‑2026‑1281/1340) used in similar attacks across Europe that exposed staff names and phone numbers; containment occurred within hours, but phishing risk increases.

Mandiant analyzed a cryptocurrency‑sector intrusion attributed to UNC1069 that blended a hijacked Telegram account, a Calendly‑scheduled meeting resolving to a spoofed Zoom, and a paste‑and‑execute page to infect a macOS host. Mandiant details a toolchain including WAVESHAPER, HYPERCALL, HIDDENCALL, SUGARLOADER, and data‑harvesting components like DEEPBREATH and CHROMEPUSH, with persistence via LaunchDaemons. Recommendations include out‑of‑band participant validation and hunts for TCC.db modifications, suspicious native messaging hosts, and the published IOCs.