Brief #149: FortiClient EMS Zero-Day, EU Commission 340GB Breach, LinkedIn BrowserGate
Nikoloz Kokhreidze
Fortinet patches second critical zero-day in days, TeamPCP steals 340 GB from the European Commission via Trivy, and LinkedIn secretly scans for 6,000+ browser extensions on every page load.
Happy Sunday!
In this week's brief:
- Supply chain fallout intensifies: TeamPCP's Trivy compromise led to 340 GB stolen from the European Commission, Claude Code's accidental leak became a malware delivery vehicle, and Fortinet is patching its second critical zero-day in days.
- LinkedIn's hidden surveillance: A "BrowserGate" investigation revealed LinkedIn scans for 6,167 browser extensions on every page load, building intelligence profiles tied to real identities, without disclosure.
- AI agent security gaps: Google published its prompt injection defense playbook, Unit 42 exposed multi-agent exploitation paths in Amazon Bedrock, and a new report warns AI agents can cost more than employees without controls.
Threats
Fortinet FortiClient EMS Zero-Day Exploited in the Wild, CVSS 9.1 Emergency Hotfix Released
- Fortinet released an emergency hotfix for CVE-2026-35616, a critical pre-authentication API bypass in FortiClient EMS versions 7.4.5 and 7.4.6 that lets unauthenticated attackers execute arbitrary code without any user interaction or privileges.
- This is the second critical FortiClient EMS flaw exploited in days, following CVE-2026-21643 (also CVSS 9.1). watchTowr recorded exploitation attempts starting March 31, timed to hit during a holiday weekend when security teams run at half capacity.
- Security teams running FortiClient EMS should apply the hotfix immediately, restrict external access to the EMS management interface, and audit logs for anomalous unauthenticated API requests that could indicate prior compromise.
European Commission Breached via Trivy Supply Chain Attack, 340 GB of Data Stolen
- CERT-EU confirmed that threat group TeamPCP breached the European Commission's AWS environment by poisoning Aqua Security's Trivy vulnerability scanner, stealing an API key that gave them control over cloud accounts serving 71 clients across EU institutions.
- The attackers exfiltrated 340 GB of data including personal information, usernames, and email content from the Europa.eu hosting service. ShinyHunters published the stolen dataset on a dark web leak site on March 28, just days after initial compromise.
- Organizations using Trivy should immediately verify they're running a known-safe version, rotate all AWS credentials, pin GitHub Actions to immutable SHA hashes instead of mutable tags, and enable CloudTrail logging to detect anomalous STS calls.
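A check for the pinning advice above, as an added example (not part of the original brief or any vendor's tooling): it flags `uses:` references in GitHub Actions workflows that are not pinned to a full 40-character commit SHA, since a tag or branch can be repointed after a compromise. The sample workflow and the SHA in it are constructed; function names are this example's own.

```python
import re
from pathlib import Path

# Captures the value of a `uses:` key; lines that are commented out do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # action or workflow from the same repository
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    version = ref.partition("@")[2]  # empty when no @ref is given at all
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"

def audit_workflow(text):
    """Return (line number, reference) for every mutable reference in a workflow."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            hits.append((lineno, m.group(1)))
    return hits

def audit_repo(root="."):
    """Audit every workflow file under <root>/.github/workflows."""
    found = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = audit_workflow(path.read_text(encoding="utf-8"))
        if hits:
            found[str(path)] = hits
    return found

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/helper
      - uses: docker://alpine:3.20
      # - uses: example/disabled@v1
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

Run `audit_repo()` from a repository root in CI and fail the job when it returns anything; abbreviated SHAs are reported as mutable because only the full hash is unambiguous.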
Claude Code Source Leak Weaponized to Spread Vidar Stealer and GhostSocks Malware
- After Anthropic accidentally exposed 513,000 lines of Claude Code source via an npm packaging error on March 31, attackers created fake GitHub repositories offering "unlocked enterprise" versions that instead delivered a Rust-based dropper containing Vidar v18.7 infostealer and GhostSocks proxy malware.
- The malicious repos ranked near the top of Google search results for "leaked Claude Code," targeting developers who cloned what appeared to be legitimate forks. Zscaler ThreatLabz identified the campaign as part of a broader operation impersonating 25+ software brands since February 2026.
- Development teams should only use verified binaries from official sources, avoid cloning unverified repositories, and monitor developer workstations for anomalous outbound connections that could indicate credential theft or proxy tunneling.
CISO Lens
LinkedIn Secretly Scans for 6,000+ Browser Extensions, Collects Device Data Without Disclosure
- A Fairlinked e.V. investigation dubbed "BrowserGate" revealed that LinkedIn injects hidden JavaScript that scans Chromium browsers for 6,167 extensions and collects 48 device characteristics on every page load, without any mention in its privacy policy or user consent.
- The scanned extensions include 509 job search tools, religious practice indicators, political orientation markers, neurodivergent support apps, and 200+ competitor products. Since LinkedIn accounts are tied to real identities and employers, this creates detailed intelligence profiles on the professional workforce at scale.
- Security teams should evaluate whether LinkedIn's undisclosed data collection practices conflict with internal privacy policies, consider browser isolation or switching to non-Chromium browsers for sensitive roles, and review third-party platform risk assessments.
GitGuardian Report: 29 Million Secrets Leaked on GitHub in 2025, AI Credentials Up 81%
- GitGuardian's State of Secrets Sprawl 2026 report found 29 million new hardcoded secrets on public GitHub in 2025, a 34% year-over-year increase and the largest single-year jump ever recorded. AI service credential leaks surged 81%, with orchestration tools like Firecrawl (+796%) and Supabase (+992%) leading the growth.
- Analysis of the Shai-Hulud 2 supply chain attack showed each compromised machine contained an average of 8 copies of the same secret spread across .env files, shell history, and build artifacts. 59% of compromised machines were CI/CD runners, not developer laptops, meaning secrets sprawl is now an infrastructure problem.
- Organizations should eliminate long-lived static credentials, adopt short-lived identity-driven access, implement secrets vaulting as the default workflow, and treat every service account, CI job, and AI agent as a governed identity with lifecycle management.
Akira Ransomware Achieves Initial Access to Encryption in Under One Hour
- Researchers documented Akira ransomware operators completing the full attack chain, from initial VPN access to deploying encryption, in under 60 minutes. The group exploited compromised VPN credentials lacking multi-factor authentication to gain entry, then moved laterally using RDP and standard admin tools.
- This speed leaves almost zero window for traditional detection and response. Most SOC teams operate with response times measured in hours, not minutes. Akira's pace means that by the time an alert triggers and an analyst investigates, encryption may already be complete.
- Incident response playbooks need to account for sub-hour ransomware execution. MFA on all remote access is no longer optional, and automated containment actions (network isolation on high-confidence alerts) should replace manual triage for initial response.
AI & Security
Google Details Layered Defense Strategy Against Indirect Prompt Injection in Workspace
- Google's GenAI Security Team published a detailed breakdown of how they defend Gemini in Workspace against indirect prompt injection, combining adversarial model training, proprietary ML-based content classifiers, markdown sanitization, suspicious URL redaction, and human-in-the-loop confirmation for sensitive actions.
- The approach treats prompt injection as a continuous arms race, not a one-time fix. Google uses both human and automated red-teaming plus its AI Vulnerability Reward Program to build one of the most advanced catalogs of generative AI attack patterns, feeding this data back into model hardening.
- As organizations roll out AI assistants that process emails, documents, and calendar data, this defense-in-depth model offers a practical reference architecture for building layered protections into enterprise AI deployments.
Palo Alto Unit 42: Multi-Agent AI Applications in Amazon Bedrock Open to Exploitation
- Palo Alto Networks Unit 42 published research showing how attackers can exploit Amazon Bedrock's multi-agent collaboration framework, where one compromised or poorly configured agent can manipulate other agents in the chain to access sensitive data or perform unauthorized actions.
- The research demonstrated that agentic architectures create new trust boundaries between AI agents that most security teams are not yet monitoring. When agents delegate tasks to other agents, traditional access controls break down because permissions compound across the chain.
- Security teams deploying multi-agent AI systems should enforce strict least-privilege access per agent, implement monitoring at inter-agent communication boundaries, and validate that no single agent can escalate its own permissions through delegation.
AI Agents Can Cost More Than Employees Without Proper Controls, Report Warns
- A new analysis warns that AI agents deployed without spending controls, usage monitoring, or governance frameworks can generate costs that exceed the salary of the employees they were meant to augment, driven by runaway API calls, redundant processing, and uncapped token usage.
- The report highlights cases where autonomous agents running in loops consumed thousands of dollars in compute costs within hours, with no alerting mechanism in place. Most organizations lack the financial visibility to track AI agent spending in real time.
- Before deploying autonomous AI agents, organizations should set hard spending limits per agent, implement real-time cost monitoring dashboards, and define clear escalation paths that require human approval for actions above spending thresholds.
Market Intelligence
Depthfirst Raises $80M Series B for AI-Native Software Security Platform
- Depthfirst, an applied AI lab founded by DeepMind, Databricks, and Faire alumni, raised $80M in Series B led by Meritech Capital, bringing total funding to $120M in under 90 days since emerging from stealth. The speed of back-to-back raises signals strong investor conviction in AI-native security.
- The company launched dfs-mini1, its first in-house security model for smart contract security, and reports 80% of its fix recommendations are accepted and merged by developers. Customers include ClickUp, Supabase, and Moveworks.
- The raise reinforces a broader market thesis: security-specific AI models trained on domain data will outperform general-purpose LLMs applied to security. Founders building in this space should watch how Depthfirst's "own the model" strategy plays out against wrapper-based approaches.
Censys Raises $70M to Expand Internet Intelligence Platform
- Censys closed $70M in strategic funding ($40M Series D + $30M debt), led by Morgan Stanley Expansion Capital, bringing total venture funding to $149M. The capital will fuel AI-driven solutions for attack surface management and threat hunting.
- The company is trusted by 300,000+ security practitioners and organizations representing over 50% of the Fortune 500. As internet infrastructure becomes the top attack vector, demand for real-time intelligence on exposed assets continues to grow.
- For security vendors, Censys's raise highlights how data-centric platforms that own proprietary intelligence are attracting premium valuations. The combination of equity and debt financing also suggests the company is approaching profitability.
Variance Raises $21.5M for AI Agent-Powered Compliance Investigation Platform
- Variance raised $21.5M to build an AI agent-powered platform that automates compliance investigations, targeting the manual, resource-heavy work of sifting through regulatory requirements and incident documentation.
- The funding signals growing investor interest in applying agentic AI to GRC (governance, risk, compliance) workflows, where most organizations still rely on spreadsheets, manual review, and consulting hours to handle investigations.
- Compliance-focused AI tools are an underserved segment with clear enterprise demand. Security founders should watch this space as traditional GRC vendors will likely need to add AI-native capabilities to compete.
Security Stack
GitGuardian Non-Human Identity Security
With 29 million secrets leaked on GitHub in 2025, GitGuardian's NHI security platform detects hardcoded credentials, API keys, and tokens across repositories and CI/CD pipelines. Directly relevant to this week's Secrets Sprawl report findings.
Cycode Secrets Detection and Scanning
Cloud-based secrets detection that scans code repositories for exposed credentials before they reach production. Useful for teams looking to implement the secrets vaulting and governance workflows recommended in this week's CISO Lens coverage.
FullHunt
Free external attack surface management tool for discovering exposed assets and services. Relevant this week given the Censys $70M raise and the growing importance of knowing what's internet-facing before attackers find it first.
Thank you for reading this week's brief.
Talk to you in the next one.
Nikoloz