ctipilot.ch

Malicious 'Perplexity AI' Chrome extension intercepts address-bar keystrokes

campaign · item:malicious-perplexity-ai-chrome-extension-keystroke-intercept

Coverage timeline: 1 (first 2026-06-30 → last 2026-06-30)
Briefs: 1 (1 distinct)
Sources cited: 299 (117 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8

Story timeline

  1. 2026-06-30 · CTI Daily Brief — 2026-06-30
    research: First coverage. Abuses the Chrome search suggest_url override plus a declarativeNetRequest two-hop redirect to exfiltrate live keystrokes; part of the AI-brand impersonation trend.

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 44 (15%)
  • thehackernews.com: 39 (13%)
  • bleepingcomputer.com: 15 (5%)
  • socket.dev: 9 (3%)
  • github.com: 9 (3%)
  • helpnetsecurity.com: 8 (3%)
  • microsoft.com: 8 (3%)
  • isc.sans.edu: 6 (2%)
  • other: 161 (54%)

Items in briefs about Malicious 'Perplexity AI' Chrome extension intercepts address-bar keystrokes (9)

A malicious "Perplexity AI" Chrome extension intercepted every address-bar keystroke via a search-suggest override

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

Microsoft Defender researchers found a malicious Chrome extension ("Search for perplexity ai") that abused Chrome's search-settings override API — specifically the suggest_url parameter — to exfiltrate every character typed into the address bar in real time before redirecting to legitimate results (Microsoft Security Blog, 2026-06-29 · The Hacker News, 2026-06-30). It used declarativeNetRequest rules for a two-hop redirect: the first hop shipped the query plus live autocomplete keystrokes to attacker infrastructure (server-side Node.js logging full headers, UA, and source IP), the second returned real results so the user noticed nothing. Google pulled the extension after disclosure. It is part of a broader AI-brand-impersonation trend Microsoft is tracking.

Why it matters to us: AI-brand impersonation is an easy lure for staff reaching for popular assistant tools. Enforce an enterprise extension allowlist via Group Policy / Intune, and monitor Chromium policy for unexpected changes to DefaultSearchProviderSuggestURL on endpoints with access to sensitive systems.
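One way to triage installed extensions for the combination described above, as an added example (not code from the Microsoft report or from the extension): it flags manifests that set `chrome_settings_overrides.search_provider.suggest_url` and also request `declarativeNetRequest`. The allowlisted hosts and both sample manifests are constructed assumptions.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: suggest endpoints your organisation accepts; adjust to policy.
ALLOWED_SUGGEST_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed extension manifest.json."""
    findings = []
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    suggest_url = provider.get("suggest_url")
    if not suggest_url:
        return findings  # no address-bar suggest override, nothing to flag
    suggest_host = urlsplit(suggest_url).hostname or ""
    search_host = urlsplit(provider.get("search_url", "")).hostname or ""
    if suggest_host not in ALLOWED_SUGGEST_HOSTS:
        findings.append(f"suggest_url points at unapproved host {suggest_host}")
    if search_host and search_host != suggest_host:
        findings.append(f"suggest_url host differs from search_url host {search_host}")
    if DNR_PERMISSIONS & set(manifest.get("permissions", [])):
        findings.append("suggest override combined with declarativeNetRequest")
    return findings


def scan_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit <profile>/Extensions/<id>/<version>/manifest.json files."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if findings:
            report[path.parent.parent.name] = findings  # keyed by extension ID
    return report


# Constructed manifests for illustration; hosts are placeholders.
SUSPICIOUS = {
    "name": "Search helper (constructed)", "manifest_version": 3,
    "permissions": ["declarativeNetRequest"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "Example", "keyword": "ex", "is_default": True,
        "search_url": "https://www.google.com/search?q={searchTerms}",
        "suggest_url": "https://collector.example.test/s?q={searchTerms}",
    }},
}
BENIGN = {"name": "Content blocker (constructed)", "manifest_version": 3,
          "permissions": ["declarativeNetRequest"]}
```

A content blocker that only holds `declarativeNetRequest` produces no finding; the signal is the permission appearing alongside a suggest override.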

Unit 42: malicious skills on the OpenClaw "ClawHub" agent marketplace deliver macOS infostealers and weaponise AI agents for financial fraud

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

Palo Alto Networks Unit 42 (2026-06-23) documented five malicious skills published to ClawHub, the third-party skill marketplace for the OpenClaw AI-agent platform, active February–May 2026 (Unit 42, 2026-06-23; corroborated by Trend Micro). Two skills delivered the cluw macOS infostealer (an Atomic macOS Stealer / AMOS variant) by redirecting the agent to paste-site URLs (rentry.co, glot.io) carrying Base64-encoded curl | bash droppers. A third, omnicogg, padded its README to 22 MB to exceed the file-size threshold of both ClawScan and VirusTotal, slipping its payload past automated scanning. The most novel two cross a line into agentic abuse: money-radar fetches an attacker-controlled referrals.json at runtime to silently rewrite the financial referral links the agent recommends (revenue redirection with no re-publish), and letssendit coordinates a pool of agents to accumulate Solana ahead of operator-timed token launches — Unit 42's described first weaponisation of an AI-agent botnet for pump-and-dump fraud.

Why it matters to us: The skill-marketplace attack surface behaves like a package registry but is barely covered by existing supply-chain tooling, and "installation results in complete control over the agent's identity." For any organisation piloting agentic AI, treat skills as untrusted code: review them line-by-line before install, validate publisher provenance, and watch for agent processes spawning curl/shell, reaching paste sites, or creating cron persistence (T1195.001 supply-chain compromise, T1204.003/T1202 indirect execution, T1053.003 cron, T1555 credential access). The file-padding evasion is a reminder that a scanner with a content-size cutoff is a control with a documented bypass.

macOS ClickFix evolves: `hdiutil attach -nobrowse` mounts the malicious DMG invisibly before dropping AMOS `[SINGLE-SOURCE]`

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

A new macOS ClickFix variant (Palo Alto Unit 42, via BleepingComputer 2026-06-23) drops the visible-DMG step: the fake-CAPTCHA Terminal lure now has the user paste a curl command that uses hdiutil attach -nobrowse to mount the disk image without it appearing in Finder or on the desktop, then launches a self-signed app via open (BleepingComputer, 2026-06-23). The payload is Atomic macOS Stealer (AMOS): it presents a fake System Preferences authentication prompt to capture the local password, then steals browser credentials across numerous Chromium- and Firefox-derived browsers, cryptocurrency-wallet data, and Keychain contents. [SINGLE-SOURCE] — BleepingComputer attributes to Unit 42 but a separate primary Unit 42 article for this specific technique was not located this run (see § 7).

Detection on macOS: hdiutil attach -nobrowse invoked by a shell parented by Terminal; Terminal executing pasted commands referencing external download URLs; apps launched from /Volumes/ mounts; user awareness that legitimate CAPTCHAs never require Terminal input (T1204.001, T1105, T1555).

15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys on "Apply"

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Aikido Security documented a coordinated campaign of at least 15 IDE plugins published under seven vendor accounts on the JetBrains Marketplace between October 2025 and June 2026, posing as AI coding assistants (built on DeepSeek, OpenAI, SiliconFlow) with roughly 70,000 combined installs (Aikido Security, 2026-06-16). The plugins function as advertised but hook the plugin settings-save handler so that the moment a user enters an AI provider API key and clicks Apply, the credential is exfiltrated to an attacker-controlled server; stolen keys are then resold as discounted "paid-tier" access while the legitimate owner pays the bill (Infosecurity Magazine, 2026-06-17). The two largest plugins (CodeGPT AI Assistant, DeepSeek AI Assist) account for most of the ~70,000 installs. Maps to T1195.001 and T1552.001 (credentials in IDE storage). Defenders should not assume the plugins have been removed from the Marketplace — inventory JetBrains plugin installs across developer fleets, rotate any AI provider keys entered into an AI-assistant plugin since October 2025, and move to IDE plugin allowlisting where possible.

UPDATE: Shai-Hulud/Miasma supply-chain worm jumps to PyPI as "Hades" — 37 malicious wheels across 19 packages

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

UPDATE (originally covered 2026-06-06): The Miasma/Mini-Shai-Hulud supply-chain lineage previously tracked across npm and GitHub has opened a PyPI front dubbed "Hades": Socket and others identified 37 malicious wheel artifacts across 19 packages abusing Python's .pth site-module startup mechanism to auto-execute on interpreter start without an import (The Hacker News, 2026-06-09). The payload downloads the Bun runtime from GitHub and runs triple-encrypted JavaScript that sweeps GitHub/CI tokens, npm/PyPI/cloud (AWS/GCP/Azure) keys, Kubernetes and Vault configs, SSH keys and AI-tool configs, and plants backdoor config in AI coding-assistant workspaces so future agent sessions execute attacker instructions (Socket, 2026-06-07).

Affected packages spanned developer tooling and a bioinformatics cluster (relevant to university/research compute), all since removed. Hunt for *-setup.pth creation under site-packages, Bun binary downloads from github.com/oven-sh/bun, and the $TMPDIR/.bun_ran sentinel via Sysmon EID 1 with parent python/pip (T1547.013, T1059.007, T1555). Pin dependencies and install with --ignore-scripts; audit recently-installed PyPI packages on research endpoints.
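The `.pth` hunt above, sketched as an added example (not code from Socket or from the brief): Python's `site` module executes any `.pth` line that begins with `import` followed by a space or tab, so the scan reports every file carrying such a line and marks those matching the `*-setup.pth` name from the brief. The directory contents built in `demo()` are constructed and inert.

```python
import fnmatch
import tempfile
from pathlib import Path


def executable_pth_lines(pth_file: Path) -> list[str]:
    """Lines Python's site module would exec(): 'import' followed by space or tab."""
    text = pth_file.read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def hunt_pth(site_packages: Path) -> list[dict]:
    """Report every .pth file in a site-packages directory that carries code."""
    hits = []
    for pth in sorted(site_packages.glob("*.pth")):
        lines = executable_pth_lines(pth)
        if lines:
            hits.append({
                "file": pth.name,
                # Naming pattern given in the brief; other names still need review.
                "brief_pattern": fnmatch.fnmatch(pth.name, "*-setup.pth"),
                "exec_lines": lines,
            })
    return hits


def demo() -> list[dict]:
    """Run the hunt over a constructed, inert site-packages directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp)
        (sp / "paths-only.pth").write_text("../vendor/lib\n# plain path entry\n")
        (sp / "distutils-precedence.pth").write_text(
            "import os; os.environ.get('SETUPTOOLS_USE_DISTUTILS')\n")
        (sp / "demo-setup.pth").write_text(
            "import sys; sys.stderr.write('constructed sample')\n")
        return hunt_pth(sp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Legitimate tooling also ships executable `.pth` files, so treat hits outside the brief's naming pattern as items to baseline rather than as detections.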

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: attackers with netadmin access to your Catalyst SD-WAN Manager can execute arbitrary commands as root and, per NCSC-CH's 5 June advisory update, push malicious configurations to every downstream edge device. No patch exists.

CVE-2026-20245 is a command injection in SD-WAN Manager's CLI file-upload handler (Cisco PSIRT; daily 2026-06-06). An authenticated attacker with netadmin privileges injects arbitrary OS commands that execute as root (T1059.004). In observed limited incidents, exploitation of CVE-2026-20245 resulted in malicious configurations pushed to downstream edge devices — extending attacker control from the management plane into the forwarding plane (NCSC-CH advisory 12579, updated 2026-06-05). The realistic attack path is a three-CVE chain: CVE-2026-20182 provides unauthenticated management-interface access (T1190), CVE-2026-20127 escalates to netadmin (T1078), and CVE-2026-20245 executes OS commands as root. The first two CVEs are patched in post-14-May SD-WAN Manager builds; CVE-2026-20245 has no fix — Cisco's only guidance is management-plane access restriction.

The forwarding-plane impact is the operationally critical new fact from this week: in transit-mode SD-WAN deployments, attacker-controlled edge-device configurations can cascade into routing-table manipulation, traffic interception, and service disruption across every site managed from the compromised Manager instance. Defender actions: apply the post-14-May SD-WAN Manager builds (patches chain entry points CVE-2026-20182/20127); ACL the management interface to a dedicated management VLAN; enforce MFA for netadmin and rotate Manager credentials; hunt the CLI audit log for anomalous file-upload events; and treat any unscheduled edge-device config-push as a hunting trigger.

ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app via counterfeit "Download for Windows" pages, promoted through malicious search ads hosted on sites.google.com, ultimately dropping ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell; the infection chain also involves a JPEG image whose precise role the SANS ISC analyst could not characterise (no embedded data was identified in it), and ends in execution of the commodity infostealer ACR Stealer, which harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE] — reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item above — attackers monetising trust in AI tooling, here against ordinary employees searching for an AI client rather than developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring; hunt for powershell.exe spawned from browser-download or archive-extraction paths (Sysmon EID 1 / Windows 4688, especially with -nop/-w hidden/-enc), PowerShell reading image files as code, and outbound connections from powershell.exe to newly-registered domains.

`node-ipc` npm package backdoored via expired-domain account takeover — 90+ credential categories exfiltrated, three malicious versions, ~3-minute window to detection

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

On 2026-05-14, three malicious versions of the node-ipc npm package (versions 9.1.6, 9.2.3, and 12.0.1 — node-ipc is a widely-used Node.js IPC library, with CSO Online reporting approximately 700 K weekly downloads and inclusion as a transitive dependency in hundreds of projects including Vue CLI and various webpack tooling) were published simultaneously by the long-dormant maintainer account atiertant, whose registered email domain atlantis-software.net had expired in January 2025 and was re-registered by an attacker via Namecheap on 2026-05-07 (Socket Security, 2026-05-14 · StepSecurity, 2026-05-14 · The Hacker News, 2026-05-14 · CSO Online, 2026-05-14). The attacker used the recovered domain to receive an npm password-reset email and then published the backdoored versions. The malicious payload is an 80 KB obfuscated Immediately-Invoked Function Expression appended to node-ipc.cjs (the CommonJS bundle); it fires unconditionally on every require('node-ipc') via setImmediate(), and notably does not use an npm lifecycle hook (preinstall, postinstall), which lets it bypass npm audit and conventional install-time scanning that only inspects lifecycle-script execution. Four-layer obfuscation (string-array shuffling, control-flow flattening, dead-code injection, custom reversed-nibble base-16 encoding) defeats static signature analysis. The collector enumerates approximately 90 file-path patterns covering AWS / Azure / GCP / OCI / DigitalOcean / Hetzner / Fly / Vercel credentials and configs, SSH private keys, Kubernetes service-account tokens, GitHub CLI configurations, npm and Git tokens, Terraform state, .env files, shell history, and macOS Keychain databases; data is GZIP-compressed then exfiltrated over two simultaneous channels — DNS TXT queries to the bt.node.js suffix and HTTPS POST to sh.azurestaticprovider[.]net:443. Version 12.0.1 carries an additional SHA-256 fingerprint check targeting specific high-value projects; the 9.x versions fire universally. 
The ESM entry point is unaffected. Socket's AI scanner flagged the publish within ~3 minutes; the malicious versions were removed from the registry shortly thereafter. MITRE ATT&CK: T1195.002 Compromise Software Supply Chain, T1555 Credentials from Password Stores, T1048.003 Exfiltration Over Alternative Protocol (DNS), T1083 File and Directory Discovery. Defender action: enumerate node-ipc installs (npm ls node-ipc across the build graph, including transitive); on any workstation or CI runner that installed one of the three flagged versions between 2026-05-14 publish time and registry removal, treat every secret available in the environment (cloud SDK profiles, SSH keys, npm / Git tokens, Kubernetes contexts) as compromised and rotate. Enforce npm ci --ignore-scripts in CI, pin via lockfile, and monitor for outbound DNS queries to *.bt.node.js.
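To complement `npm ls node-ipc` where only lockfiles are available (archived builds, CI artifacts), this added example (not code from Socket, StepSecurity or the brief) walks a parsed `package-lock.json` in either the flat `packages` layout or the older nested `dependencies` layout and marks the three versions named above. The sample lockfiles and the `build-tool` package name are constructed.

```python
import json
import sys

FLAGGED_VERSIONS = {"9.1.6", "9.2.3", "12.0.1"}  # versions named in the brief


def find_node_ipc(lock: dict) -> list[tuple[str, str, bool]]:
    """Return (location, version, flagged) for each node-ipc entry in a lockfile."""
    found = []
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in packages.items():
            if path.rsplit("node_modules/", 1)[-1] == "node-ipc":
                version = meta.get("version", "")
                found.append((path, version, version in FLAGGED_VERSIONS))
        return found

    def walk(deps: dict, trail: str) -> None:  # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            here = f"{trail}/{name}" if trail else name
            if name == "node-ipc":
                version = meta.get("version", "")
                found.append((here, version, version in FLAGGED_VERSIONS))
            walk(meta.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), "")
    return found


# Constructed lockfile fragments for illustration.
LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/node-ipc": {"version": "9.2.3"},
    "node_modules/build-tool/node_modules/node-ipc": {"version": "9.2.1"},
}}
LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "build-tool": {"version": "1.0.0",
                   "dependencies": {"node-ipc": {"version": "12.0.1"}}},
}}

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8") as fh:
        for location, version, flagged in find_node_ipc(json.load(fh)):
            print(("FLAGGED " if flagged else "ok      ") + f"{version:8} {location}")
```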

PamDOORa — malicious PAM module with credential interception, magic-password SSH access, and anti-forensic log manipulation, sold on Rehub cybercrime forum

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

Flare researcher Assaf Morag documented PamDOORa, a Linux post-exploitation backdoor implemented as a malicious Pluggable Authentication Module targeting x86_64 systems, offered for sale on the Rehub Russian-language cybercrime forum (Flare.io, 2026-05-07 · The Hacker News, 2026-05-08). Rather than replacing pam_unix.so (which would be immediately visible in lsmod output and PAM stack configuration), PamDOORa installs a separate pam_linux.so module, gaining privileged insertion into the authentication pipeline without triggering obvious tampering indicators. Capabilities: (1) SSH access via a magic-password and specific TCP port combination, bypassing standard credential validation; (2) credential harvesting — all cleartext passwords submitted by legitimate users authenticating through the system are XOR-encrypted and written to a dynamically-named file in /tmp; (3) anti-forensic log manipulation — lastlog, btmp, utmp, and wtmp are scrubbed to remove the attacker's authentication events. The vendor ("darkworm") listed it at $1,600 USD for source code, later reduced to $900, suggesting limited uptake. A prior PAM backdoor family (Plague, 2025) is the only other public comparator. Flare rates the seller's technical credibility as medium-to-high based on cross-forum persona analysis.

Detection concepts: diff /etc/pam.d/sshd (and all files under /etc/pam.d/) against a known-good baseline; audit for unexpected .so files in /lib/security/ or /usr/lib64/security/; monitor for SSH logins that produce no corresponding pam_unix syslog entries; alert on /tmp files with high-entropy filenames created at authentication time. The Sysmon Linux equivalent (auditd rules) should cover openat syscalls on PAM configuration files and write syscalls to /lib*/security/.
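The first two detection concepts, sketched as an added example (not code from Flare or the brief): it parses a PAM stack file into its module references and reports any module, in the stack or on disk, that is missing from a known-good baseline. The baseline set and the sample `sshd` stack are constructed assumptions; a real baseline comes from a trusted image or package manifest.

```python
import re
from pathlib import Path, PurePosixPath

RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)


def modules_in_stack(config_text: str) -> list[tuple[str, str]]:
    """Return (type, module file name) for each rule in one /etc/pam.d file."""
    rules = []
    for raw in config_text.splitlines():
        match = RULE_RE.match(raw.split("#", 1)[0].strip())
        # 'include' and 'substack' name another config file, not a module
        if match and match["control"] not in ("include", "substack"):
            rules.append((match["type"], PurePosixPath(match["module"]).name))
    return rules


def unexpected_rules(config_text: str, baseline: set[str]) -> list[tuple[str, str]]:
    """Rules whose module is absent from the known-good baseline."""
    return [r for r in modules_in_stack(config_text) if r[1] not in baseline]


def unexpected_files(security_dir: Path, baseline: set[str]) -> list[str]:
    """Shared objects present in a PAM module directory but not in the baseline."""
    return sorted(p.name for p in security_dir.glob("*.so") if p.name not in baseline)


# Constructed baseline and sshd stack for illustration only.
BASELINE = {"pam_unix.so", "pam_nologin.so", "pam_selinux.so", "pam_systemd.so"}
SAMPLE_SSHD = """\
# constructed /etc/pam.d/sshd
@include common-auth
auth       sufficient   pam_linux.so
auth       required     /lib/security/pam_unix.so nullok
account    required     pam_nologin.so
session    [success=ok ignore=ignore default=bad] pam_selinux.so close
-session   optional     pam_systemd.so
password   include      system-auth
"""
```

Files pulled in through `@include`, `include` or `substack` are not followed here, so run the check over every file under /etc/pam.d/ rather than over `sshd` alone.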