CISO Brief
Cloud Controls, AI Security Workflows, and Active Exploitation Roundup

Coverage: 29 Jun 2026 (UTC)

Major cloud and AI platforms advanced security and observability features while investigators detailed active exploitation, supply chain abuse, and high‑impact breaches. New controls from hyperscalers focus on agentic AI gateways, hotpatching, and log analytics. In parallel, researchers flagged a critical client‑side SSH flaw with a public proof‑of‑concept, malicious developer packages and extensions, and data theft tied to a third‑party enterprise platform.

Cloud Controls and Logging Move Closer to the Edge

AWS WAF protection is now available for Amazon Bedrock AgentCore Gateway in all Regions where both services run, letting teams apply consistent web protections at the Gateway layer as agentic AI workloads move into production. Administrators can attach a protection pack that enforces IP‑based access controls, rate‑based throttling, and AWS Managed Rule Groups covering common attack patterns, known‑bad inputs, and Bot Control. Because the pack is configured once at the Gateway and enforced across downstream tools, agents, and integrations, it simplifies policy management and reduces misconfiguration risk while addressing threats specific to agentic architectures.

Amazon S3 server access logs can now be delivered directly to Amazon CloudWatch Logs, with an option to mirror into Amazon S3 Tables in Apache Iceberg format. CloudWatch delivery enables immediate querying, alarms on error rates, cross‑account and cross‑Region aggregation, and encryption with AWS KMS; the Iceberg tables can be queried with standard SQL from Amazon Athena, Amazon Redshift, and other compatible engines. Available today in all AWS Regions except AWS China and AWS GovCloud (US), these options complement the existing free delivery to S3 buckets, improving near‑real‑time incident investigation while preserving long‑term analytics choices.

The AWS Customer Incident Response Team detailed new and refreshed techniques in its catalog in a June 2026 update, highlighting repeat patterns seen in investigations. Focus areas include risks in Amazon EKS where attackers who gain credentials can modify running workloads or inject sidecars, the exposure risk of public Kubernetes APIs and misconfigured ingress controllers, and organization‑level trust abuse such as calling sts:AssumeRoot from a compromised management account. Compute hijacking across EKS remains common, often for crypto‑mining where resource quotas are absent. The update refines S3 object collection methods, ECS compute hijacking, and role assumption variations, and stresses detection using contextual signals in CloudTrail and Kubernetes audit logs, least privilege, admission controllers and image signing, SCPs, quotas, and GuardDuty EKS Protection.
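A detection pass over CloudTrail for the sts:AssumeRoot pattern the catalog calls out, written here as an added example rather than anything from the AWS catalog; the sample records, the break-glass role ARN prefix and the corporate CIDR are constructed assumptions, and the AssumeRoot request-field layout should be confirmed against a real trail.

```python
import ipaddress
import json
# Constructed CloudTrail records, not real data. The AssumeRoot request fields
# (targetPrincipal, taskPolicyArn) follow the API parameter names; confirm the
# exact layout against your own trail before depending on it.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-06-28T01:12:04Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/BreakGlassRootTasks/alice"},
     "requestParameters": {"targetPrincipal": "222222222222",
                           "taskPolicyArn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}},
    {"eventTime": "2026-06-28T03:40:51Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"targetPrincipal": "333333333333",
                           "taskPolicyArn": "arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword"}},
    {"eventTime": "2026-06-28T03:41:10Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoot",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"targetPrincipal": "444444444444"}, "errorCode": "AccessDenied"},
    {"eventTime": "2026-06-28T04:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"}},
]})

# Assumed for this example: the one role allowed to run root tasks and the
# network ranges its break-glass sessions should originate from.
EXPECTED_ROOT_TASK_CALLERS = ("arn:aws:sts::111111111111:assumed-role/BreakGlassRootTasks/",)
CORPORATE_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

def find_assume_root(trail_json, expected_callers, corporate_cidrs):
    """One finding per AssumeRoot call, scored by the contextual signals around it."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRoot":
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        reasons = []
        if not caller.startswith(expected_callers):
            reasons.append("caller is not the break-glass role")
        try:  # sourceIPAddress may be a service name rather than an address
            src = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
            if not any(src in net for net in corporate_cidrs):
                reasons.append("source IP outside corporate ranges")
        except ValueError:
            reasons.append("non-IP source (service principal or unknown origin)")
        if rec.get("errorCode"):
            reasons.append(f"failed attempt ({rec['errorCode']})")
        findings.append({"time": rec["eventTime"], "caller": caller, "target": params.get("targetPrincipal"),
                         "task": params.get("taskPolicyArn"), "severity": "high" if reasons else "info",
                         "reasons": reasons})
    return findings
```

Failed attempts are kept on purpose: a denied AssumeRoot from an unexpected principal is often the earliest signal of trust abuse from a compromised management account.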

Patching and Uptime: Hotpatching Extends Coverage

Microsoft extended hotpatch support for Windows Server 2022 Datacenter: Azure Edition through October 2027, as reported by BleepingComputer. The extension applies to devices enrolled in Hotpatch and preserves the current cadence, enabling security fixes to be applied in memory and reducing or eliminating restarts after monthly security updates. Other Windows Server 2022 SKUs are not covered, and restarts remain required for updates delivered via the regular (non‑Hotpatch) channel, including non‑Windows components. Microsoft has been expanding hotpatch capabilities across products, and plans to enable hotpatch security updates by default for eligible devices managed via Microsoft Graph API and Intune beginning with the May 2026 update cycle.

AI in Security Operations and Data Analytics

Google introduced the preview of the BigQuery AI.AGG() managed SQL function to synthesize insights across large volumes of unstructured or multimodal data using natural‑language instructions. The post explains a hierarchical aggregation scheme that splits inputs into batches, aggregates intermediate results, and produces a final synthesis, alleviating manual context‑window management. Practical notes include potential token increases with hierarchical aggregation, guidance to pre‑filter or LIMIT inputs, default model behavior unless a specific endpoint (e.g., gemini‑2.5‑flash) is provided, and output that is always a string even if JSON is requested. The function skips NULL rows automatically; the post cautions that concatenating STRUCT fields may yield NULLs unless fallbacks are supplied, and that the function returns partial results when some rows fail, with job statistics reporting those failures as other managed AI functions do.

Google Cloud’s security leadership outlined an internal move toward an autonomous, agent‑driven SDLC in Cloud CISO Perspectives. Launches are routed through agent‑based review against more than 200 security requirements, while a multi‑agent orchestration framework, Mantis, builds hierarchical security summaries to cut token use by over 85% and coordinates specialized agents for research, deduplication, review, critique, and reproduction. Dynamic coverage is provided by an autonomous fuzzing pipeline whose agents author harnesses, execute builds and tests, and drive inputs into stateful APIs, with a Hallucination Cleaner repairing build issues. Discovered vulnerabilities feed an autonomous patching pipeline that reproduces issues, constructs fixes, and validates them before human review. Post‑deployment posture is managed by an ASPM system encoding standards as programmable skills, and a reflection agent consolidates execution logs and feedback into a knowledge store to improve future performance.

OpenAI’s flagship cybersecurity‑focused model entered limited preview as GPT‑5.6 Sol, with access restricted to vetted partners after consultations with U.S. officials. The GPT‑5.6 family introduces a three‑tier naming scheme (Sol, Terra, Luna), with broader availability promised within weeks as stakeholders align on a cyber executive order framework. OpenAI positions Sol as effective for long‑horizon tasks such as vulnerability research and exploit building blocks, noting that it did not cross its Cyber Critical threshold and did not autonomously produce complete working exploits in internal tests. The company cited extensive safety investments, built‑in refusals, and real‑time classifiers, and disclosed pricing of $5 per million input tokens and $30 per million output tokens, with lower‑cost tiers and a planned Cerebras launch.

Exploitation, Supply Chain Risks, and Breach Updates

A public proof‑of‑concept was released for CVE‑2026‑55200, a critical integer overflow in the libssh2 client library that can allow a malicious or compromised SSH server to trigger pre‑auth memory corruption and potentially code execution on connecting clients. The flaw, in ssh2_transport_read() (transport.c), affects releases up to and including 1.11.1 (CVSS 9.2). Maintainers merged a patch on June 12, and downstream projects are backporting while a tagged release is pending. Recommended actions include inventorying all software that links libssh2 (including statically bundled copies), applying patched builds or vendor backports, restricting outbound SSH to trusted hosts with verified host keys, monitoring for oversized‑packet anomalies and unexplained client crashes, and addressing related issues in the same batch.

Researchers exposed a supply‑chain campaign abusing two npm packages and 16 Go packages to deploy a multi‑stage loader and a Python infostealer, as detailed by The Hacker News. The malicious npm packages used a hidden VS Code task ("eslint‑check") configured with runOn: 'folderOpen' to execute when a developer opens a trusted workspace. JavaScript disguised as a font file fetched encrypted payloads from blockchain transactions (TronGrid, Aptos) and set up a socket.io backdoor, while a Python loader installed the InvisibleFerret stealer capable of extracting browser credentials, cryptocurrency wallets, password managers, OS stores, and developer artifacts. The technique aligns with prior activity that abuses auto‑running VS Code tasks; recommended mitigations include removing the packages, scanning for hidden .vscode folder‑open tasks, and rotating credentials and tokens.
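To scan a workspace for the auto-running task described above, an added example (not from the researchers' report) that parses a constructed tasks.json, including the comments and trailing commas VS Code allows, and reports tasks with runOn: folderOpen together with the other signals that make them stand out.

```python
import json
import re
# Constructed .vscode/tasks.json, not a real package's file. VS Code accepts comments
# and trailing commas in this file, so plain json.loads would reject it as written.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",  // comments and trailing commas are legal here
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "eslint-check", "type": "shell", "hide": true,
     "command": "node", "args": [".vscode/assets/icon.ttf"],  /* not a font */
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ],
}'''

def strip_jsonc(text):
    """Drop // and /* */ comments outside strings and trailing commas, leaving strict JSON."""
    out, buf, i, n = [], [], 0, len(text)
    def flush():  # trailing-comma removal only ever sees non-string segments
        out.append(re.sub(r",(\s*[}\]])", r"\1", "".join(buf))); buf.clear()
    while i < n:
        c = text[i]
        if c == '"':  # copy string literals verbatim, honouring backslash escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            flush(); out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("//", i):
            i = text.find("\n", i); i = n if i < 0 else i
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            buf.append(c); i += 1
    flush()
    return "".join(out)
def suspicious_tasks(tasks_json_text):
    """Return tasks that auto-run on folder open plus the signals that make them stand out."""
    hits = []
    for task in json.loads(strip_jsonc(tasks_json_text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        signals = ["runs automatically on folderOpen"]
        if task.get("hide"):
            signals.append("hidden from the Run Task list")
        if (task.get("presentation") or {}).get("reveal") == "never":
            signals.append("terminal output never revealed")
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if re.search(r"\.(ttf|woff2?|otf|png|jpe?g|ico)\b", cmd, re.I):
            signals.append("executes a file with a non-code extension")
        hits.append({"label": task.get("label"), "command": cmd, "signals": signals})
    return hits
```

Point suspicious_tasks at every .vscode/tasks.json under a checkout, including those inside node_modules, since the campaign shipped the file inside the package rather than in the developer's own project.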

Microsoft Threat Intelligence analyzed a malicious Chromium extension impersonating Perplexity that intercepted search queries and Omnibox keystrokes, routing them through an attacker‑controlled domain via Manifest V3 DNR rules. The extension, which declared itself a default search provider, logged incoming requests server‑side before redirecting users to legitimate results and was removed after disclosure. Indicators and hunting guidance are provided in Microsoft’s report, which recommends enforcing approved extension policies, verifying default search settings, monitoring for altered configurations and unusual domains, and treating AI‑branded tools with increased scrutiny.

Nissan disclosed an employee data breach linked to exploitation of an Oracle PeopleSoft zero‑day, part of a broader campaign previously associated with the ShinyHunters group, according to BleepingComputer. Exposed data may include contact details, banking and direct deposit information, Social Security and national IDs, tax and financial records, and dependent/beneficiary information affecting personnel in the U.S., Canada, Mexico, and Brazil. Nissan has engaged incident response, restricted payroll functions to company network computers and secured VPNs, added identity verification steps, and plans notifications and monitoring services where available. The disclosure references exploitation of CVE‑2026‑35273 and follows Oracle’s warning of widespread PeopleSoft breaches.

The U.S. National Association of Insurance Commissioners confirmed a breach via exploitation of an Oracle PeopleSoft zero‑day, noting that some accessed data was published, as reported by Infosecurity Magazine. The published material included statutory reporting information available through state sources, certain credit rating agency data, and potentially routine technical files; however, the association said personal data, payment details, and several regulatory systems were not compromised. NAIC contained the intrusion, engaged specialists, and is coordinating with the FBI; most operations have resumed, though PeopleSoft online invoice payments remain unavailable.

Acronis researchers attributed targeted intrusions against Indian government and hydropower‑related entities to Mustang Panda, documenting spear‑phishing with ZIP lures, DLL sideloading, and three tools—SHARDLOADER, MINIRECON, and ZOHOMURK—that leveraged a Zoho WorkDrive account as a dead‑drop for commands and exfiltration. The campaign’s use of typical cloud traffic to mask C2 and data theft, along with reused chains and code overlaps, aided attribution. Indicators and hunting guidance are provided in the report, which advises monitoring for persistence artifacts, suspicious domains, and non‑browser processes calling cloud APIs.

The U.S. Department of State announced a Rewards for Justice bounty of up to $10 million for information on UNC5792 and UNC4221, groups linked to Russian intelligence and military services, following campaigns that phished for Backup Recovery Keys on secure messaging platforms. The update, covered by BleepingComputer, states thousands of accounts were compromised via social engineering while reiterating that platform encryption remains intact. Authorities seek details on personnel, infrastructure, funding, and cryptocurrency transactions, and emphasize that legitimate support will not request verification codes or recovery keys within apps.