Listen to this Post

Introduction
The asymmetry between offensive and defensive cybersecurity capabilities has never been more pronounced. This morning’s briefing delivered a cascade of revelations: 119 malicious browser extensions with 2.6 million installs hiding payloads inside image files for four years in the official Microsoft Edge store, a CVSS 10.0 vulnerability in Google’s Gemini CLI enabling full supply chain compromise, CISA-mandated patching for an actively exploited Cisco Unified CM flaw, a new VS Code supply chain attack vector with no script to detect, Russian state hackers stealing Signal Backup Recovery Keys with a $10M U.S. bounty on their heads, and the simultaneous release of GPT-5.6 Sol (restricted to 20 U.S.-approved organizations) and China’s open-weight GLM-5.2—which matches it on vulnerability detection benchmarks and is available for anyone to download.
This is the asymmetry we are living in. The attacker toolkit is open-source and unrestricted. The defender toolkit is locked behind executive orders. Security professionals must understand each of these threats to build resilient defenses.
Learning Objectives
- Objective 1: Understand the StegoAd campaign mechanics, steganographic payload concealment, and browser extension threat vectors.
- Objective 2: Analyze the Gemini CLI CVSS 10.0 vulnerability and its implications for CI/CD supply chain security.
- Objective 3: Identify and mitigate the Cisco Unified CM SSRF-to-RCE flaw (CVE-2026-20230) before the CISA deadline.
- Objective 4: Detect and prevent VS Code `.vscode/tasks.json` supply chain attacks targeting developers.
- Objective 5: Recognize social engineering tactics used to steal Signal Backup Recovery Keys and implement countermeasures.
- Objective 6: Evaluate the geopolitical asymmetry created by restricted U.S. AI models versus open-weight Chinese alternatives.
- StegoAd: Four Years of Malicious Browser Extensions Hiding in Plain Sight
Microsoft’s threat-hunting team dismantled the StegoAd campaign, a sophisticated operation involving 119 malicious Edge extensions with approximately 2.6 million combined installs. The campaign, active since at least 2021, used steganography to hide malicious JavaScript payloads inside PNG icons, WebP images, SVG graphics, and WOFF2 font files.
The extensions masqueraded as legitimate tools—ad blockers, VPNs, translators, video downloaders, calculators, and coupon extensions—and actually delivered basic functionality to build trust. After installation, they remained dormant for three to five days before activating. Critically, some extensions only went rogue in approximately 10% of installs, leaving 90% of victims untouched to evade detection.
What they stole:
- Google credentials and 2FA codes at sign-in
- WordPress admin logins
- Bulk cookies for session hijacking
- Affiliate link manipulation for financial gain
Detection and Mitigation Commands:
Linux/macOS – Check for Suspicious Browser Extensions:
List all Edge extensions with their IDs (Linux - Chromium-based)
ls ~/.config/microsoft-edge/Default/Extensions/
Check extension manifest for suspicious permissions
find ~/.config/microsoft-edge/Default/Extensions/ -1ame "manifest.json" -exec grep -l "\"permissions\".\"cookies\"" {} \;
Monitor for unexpected network connections from browser processes
sudo netstat -tunap | grep -i "edge|chrome|brave"
Windows PowerShell – Extension Audit:
List all Edge extensions
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
Check for recently installed extensions
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions" |
Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) }
Monitor Edge network connections
netstat -ano | findstr "edge"
Step-by-Step Guide:
- Audit all installed browser extensions against Microsoft’s published list of malicious extension IDs.
- Remove extensions with excessive permissions—especially those requesting
cookies,tabs, and `webRequest` permissions unnecessarily. - Implement extension allowlisting using enterprise policies (GPO for Windows, plist for macOS).
- Deploy real-time security solutions that block connections to known malicious domains and C2 servers.
- Educate users that even official stores can harbor malicious extensions—trust is not guaranteed.
Microsoft concluded that static code review alone is no longer sufficient, as extensions can download malicious code long after installation.
- Gemini CLI CVSS 10.0: When AI Agents Become Supply Chain Attack Vectors
Google’s Gemini CLI—an open-source AI assistant with over 101,000 GitHub stars—contained a critical vulnerability that earned a CVSS score of 10.0 (maximum severity). The flaw, assigned GHSA-wpqr-6v78-jr5g, enabled unauthenticated remote code execution in CI/CD environments.
The Attack Chain:
- Attacker creates a public GitHub issue on a repository using the Gemini CLI GitHub Action
- Malicious prompts are hidden in the issue text
- Gemini CLI in `–yolo` mode (which auto-approves all tool calls) processes the issue
- The AI agent extracts internal secrets from the build environment
- Attacker pivots to a token with full write access to the repository
- Full supply chain compromise—attacker pushes arbitrary code to the main branch, shipping to every downstream user
At least eight other Google repositories had the same vulnerable workflow template deployed.
Vulnerable Configuration Example:
.github/workflows/gemini-triage.yml - VULNERABLE name: Gemini Issue Triage on: issues: types: [bash] jobs: triage: runs-on: ubuntu-latest steps: - name: Run Gemini CLI uses: google-github-actions/[email protected] with: mode: yolo DANGEROUS - auto-approves all tool calls prompt: ${{ github.event.issue.body }}
Fixed Configuration:
.github/workflows/gemini-triage.yml - PATCHED steps: - name: Run Gemini CLI uses: google-github-actions/[email protected] Updated version with: mode: interactive Requires approval OR use yolo with allowlist mode: yolo tool-allowlist: "read_file,search_content" Explicit allowlist
Step-by-Step Mitigation:
- Update to Gemini CLI version 0.39.1 or later immediately.
- Never use `–yolo` mode in CI/CD pipelines without explicit tool allowlisting.
- Review all GitHub Actions that use Gemini CLI and verify they reference the updated action version.
- Implement workspace trust controls—the update also fixed a lax trust issue that automatically trusted any workspace folder.
- Rotate all secrets that may have been exposed in CI workflows that used vulnerable versions.
“From those credentials, the attacker pivots to a token with full write access on the repository. Full supply-chain compromise.” — Pillar Security
- Cisco Unified CM: CISA Says Patch by Sunday or You’re Exposed
Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) contain a critical vulnerability tracked as CVE-2026-20230 (CVSS 8.6). The flaw—improper validation of specific HTTP requests—allows unauthenticated, remote attackers to mount Server-Side Request Forgery (SSRF) attacks, write arbitrary files to the underlying operating system, and escalate privileges to root.
Critical Facts:
- PoC exploit code is already public
- Active exploitation has been confirmed in the wild
- CISA set a June 28 remediation deadline for federal agencies
- Only appliances with WebDialer service enabled are vulnerable—but it’s off by default
Vulnerability Check Commands:
Cisco Unified CM CLI – Check WebDialer Status:
SSH to Unified CM publisher admin:show service-status | grep -i webdialer Check if WebDialer is enabled admin:show webdialer config
Network Scanning for Vulnerable Instances (Nmap):
Scan for Unified CM web interfaces nmap -p 443,8443 --script http-title -oG cisco_cm_scan.txt <target_network> Check for specific vulnerable endpoints (SSRF test) curl -k "https://<target>/webdialer/..." -H "Host: <internal_host>"
Patch Commands:
Cisco Unified CM Upgrade:
Check current version admin:show version active Upgrade to fixed versions: 14SU6 or 15SU5 admin:software install /path/to/patch/COP Verify patch installation admin:show version active
Step-by-Step Mitigation:
1. Patch immediately to version 14SU6 or 15SU5.
- If patching is not immediately possible, disable the WebDialer service:
admin:utils service stop Cisco WebDialer admin:utils service disable Cisco WebDialer
- Implement network segmentation—restrict access to Unified CM administrative interfaces to trusted management networks only.
- Monitor logs for suspicious SSRF attempts targeting the WebDialer endpoint.
- Review CISA’s Known Exploited Vulnerabilities (KEV) catalog for additional guidance.
Cisco warned that proof-of-concept code targeting the vulnerability exists, and the first exploitation attempts were observed.
- Supply Chain Attack Hides in VS Code Tasks — No Script to Detect
A new supply chain attack vector weaponizes .vscode/tasks.json—a configuration file that executes automatically when a folder is opened in Visual Studio Code. Security researchers at Jamf uncovered malicious GitHub repositories in January 2026 that leveraged this technique.
How It Works:
1. Developer clones a seemingly legitimate repository
- Upon opening the folder in VS Code, the `.vscode/tasks.json` file executes automatically
- Malicious shell commands run silently in the background
- Attackers gain access to the developer’s environment, credentials, and source code
The technique has been adopted by DPRK-linked threat actors (Lazarus Group, PolinRider) who have compromised over 1,900 GitHub repositories through malicious npm packages and VS Code artifacts.
Detection Commands:
Linux/macOS – Scan for Suspicious VS Code Tasks:
Find all .vscode/tasks.json files
find . -1ame "tasks.json" -path "/.vscode/" 2>/dev/null
Check for suspicious shell commands in tasks
find . -1ame "tasks.json" -exec grep -H -E "(curl|wget|bash -c|sh -c|eval|base64|decrypt)" {} \;
Look for tasks that run on folder open (preLaunchTask, dependsOn)
find . -1ame "tasks.json" -exec grep -H -E "(preLaunchTask|dependsOn|presentation.silent)" {} \;
Windows PowerShell:
Recursively find all .vscode/tasks.json files Get-ChildItem -Recurse -Filter "tasks.json" -Path ".vscode" Check for suspicious commands Get-ChildItem -Recurse -Filter "tasks.json" | Select-String -Pattern "(curl|wget|powershell -|cmd /c|base64)"
Step-by-Step Mitigation:
- Never open untrusted repositories without reviewing `.vscode/` contents first.
- Disable automatic task execution in VS Code settings:
{ "task.autoDetect": "off", "workbench.action.terminal.toggle": false } - Review all `.vscode/tasks.json` files for suspicious commands before opening projects.
- Implement repository scanning in CI/CD pipelines to detect malicious task files.
- Educate developers about this attack vector—security awareness is the first line of defense.
The attack is completely wormable and self-propagating, targeting hidden metadata folders.
- Russia’s Signal Hackers Are Stealing Backup Recovery Keys — Your ENTIRE Message History
The U.S. Department of State is offering up to $10 million for information on UNC5792 (associated with Russian FSB Border Guards) and UNC4221 (working on behalf of Russian military services). These groups are conducting widespread phishing campaigns against Signal and WhatsApp accounts belonging to U.S. government officials, military leaders, journalists, and NGOs supporting Ukraine.
The Attack:
- Attackers impersonate Signal support agents in direct messages
- They claim users must complete mandatory two-factor verification
- Victims are tricked into sharing their Signal Backup Recovery Key
- Attackers gain access to entire message histories—even if victims create new accounts
Thousands of individual accounts have been compromised through these tactics.
Protection Checklist:
- ✅ Signal support teams never ask for verification codes or backup recovery keys
- ✅ Treat unexpected support messages with extreme caution
- ✅ Verify support claims through official websites, not through direct messages
- ✅ Enable registration lock in Signal settings
- ✅ Store backup recovery keys offline—never share them
Security Hardening Commands:
Signal Desktop – Verify Installation Integrity:
Linux - Verify Signal binary signature gpg --verify Signal-linux-x64.deb.sig Signal-linux-x64.deb macOS - Check code signature codesign -dv /Applications/Signal.app Windows - Check file hash Get-FileHash "C:\Users\$env:USERNAME\AppData\Local\Programs\signal-desktop\Signal.exe"
Network Monitoring for Phishing Domains:
Monitor DNS queries for suspicious domains sudo tcpdump -i any -1 port 53 | grep -i "signal|whatsapp" Check for typosquatting domains in logs grep -E "signal[-<em>][a-z]+.com|whatsapp[-</em>][a-z]+.com" /var/log/dns.log
Step-by-Step Protection:
- Enable registration lock in Signal: Settings → Account → Registration Lock
- Store backup recovery keys in a password manager or offline safe—never share them
- Verify sender identity before responding to any support-related messages
- Report suspicious messages to security teams when using messaging apps for work
- Provide targeted training on messaging app phishing to all employees
The platforms themselves were not compromised—attackers are targeting users directly through social engineering.
- GPT-5.6 Sol vs. GLM-5.2: The Asymmetry of AI Access
OpenAI released GPT-5.6 Sol, its most powerful model, to approximately 20 government-approved partners—the first time a frontier model launched under a government-managed access list. Sol excels at coding, biology, and cybersecurity tasks. The release follows a direct request from the Trump administration to stagger access.
Meanwhile, China’s Zhipu AI released GLM-5.2, a 744-billion-parameter open-weight model under a permissive MIT license. Independent testing by Semgrep found GLM-5.2 scored a 39% F1 score on IDOR vulnerability detection—ahead of Claude Code’s 32-37%. The model finds vulnerabilities at approximately $0.17 each, roughly one-sixth the cost of using frontier models.
The Asymmetry:
- Mythos: Lives behind a gated API that Anthropic—or a U.S. regulator—can switch off
- GLM-5.2: Anyone can download and run locally with no vendor oversight, no usage logging, no moderation
“The variable that matters here isn’t raw capability, it’s containment. A frontier-adjacent vulnerability-finding model that nobody can revoke access to is a fundamentally different risk profile.” — Forbes analysis
Step-by-Step AI Security Assessment:
- Inventory all AI tools used in your organization—both sanctioned and unsanctioned.
- Assess data leakage risks—what sensitive data is being sent to AI APIs?
- Implement AI usage policies that distinguish between allowed and prohibited use cases.
- Monitor for open-weight model usage in development environments.
- Build internal AI capabilities to reduce dependency on vendor-controlled models.
What Undercode Say
- Key Takeaway 1: Browser extensions remain a potent and evolving attack surface. Steganographic concealment techniques make static code review obsolete—security teams must adopt dynamic analysis and behavioral monitoring.
-
Key Takeaway 2: The Gemini CLI vulnerability demonstrates that AI agents integrated into CI/CD pipelines introduce unprecedented supply chain risks. Every AI tool must be treated as a potential attack vector with strict permission controls.
The asymmetry between attacker and defender toolkits has never been more stark. Attackers leverage open-source AI models freely available to anyone, while defenders are restricted to government-vetted, gated access to the most capable defensive AI systems. This is not a sustainable equilibrium. Organizations must build internal AI capabilities, invest in open-source security tools, and prepare for a future where the most dangerous threats come from AI systems that no one can control. The StegoAd campaign running for four years in an official store proves that trust in centralized platforms is no longer sufficient. Defense must be proactive, layered, and assume breach.
Prediction
- +1 The democratization of AI-powered vulnerability detection through open-weight models like GLM-5.2 will accelerate security research globally, enabling smaller organizations and independent researchers to find and fix vulnerabilities at scale.
-
-1 The unrestricted availability of advanced open-weight AI models will empower threat actors to automate vulnerability discovery and exploit development, leading to a surge in zero-day exploits and supply chain attacks.
-
-1 Government restrictions on frontier AI models will create a two-tier cybersecurity landscape where only U.S.-approved organizations have access to the most advanced defensive AI, while adversaries freely access comparable capabilities—widening the defensive asymmetry.
-
+1 The StegoAd takedown demonstrates that proactive threat hunting and collaboration between platforms (Microsoft Edge security team) and security vendors can dismantle sophisticated, long-running campaigns.
-
-1 The Signal backup key phishing campaign proves that even end-to-end encrypted platforms are vulnerable when attackers target the human element. Social engineering will remain the most effective attack vector regardless of encryption strength.
-
-1 The VS Code supply chain attack vector—hidden in
.vscode/tasks.json—represents a fundamental flaw in how development tools trust project configurations. Until IDEs implement strict sandboxing for project-level automation, every repository opened is a potential compromise. -
+1 The public disclosure of the Gemini CLI vulnerability and Google’s rapid patch (within days) shows that responsible disclosure and swift vendor response can prevent widespread exploitation—even for CVSS 10.0 flaws.
-
-1 The Cisco Unified CM flaw with public PoC and active exploitation demonstrates that patch cycles are still too slow. Organizations must adopt vulnerability management practices that prioritize CISA KEV catalog entries and assume that public PoC means active exploitation is imminent.
-
-1 The four-year duration of the StegoAd campaign reveals that current store review processes are fundamentally broken. Platform security must evolve beyond initial review to continuous monitoring of extension behavior post-installation.
-
+1 The $10M bounty on Russian hackers signals increased government commitment to disrupting state-sponsored cyber operations, potentially deterring future attacks through financial and operational risk to threat actors.
▶️ Related Video (78% Match):
https://www.youtube.com/watch?v=hQRqYbWrQWk
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Aiwithchastity Cyberaisafe – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


