kyber.today

June 17, 2026

Microsoft 365 Copilot 'SearchLeak' Enables One-Click Data Theft as Novo Nordisk Loses Internal AI Models to Extortionists

A heavy day for AI-adjacent security: a patched one-click Copilot exfiltration chain, a confirmed breach of Danish pharma giant Novo Nordisk that bled internal AI model checkpoints and training data, and a string of actively exploited enterprise edge bugs (Fortinet, Cisco, Joomla, LiteSpeed, Palo Alto).

AI & Model Security

  • Microsoft 365 Copilot “SearchLeak” chained prompt injection, a race condition, and a CSP bypass into a one-click data-exfiltration path that could pull emails, calendar data, indexed files, and even MFA codes — all via a link pointing at a legitimate microsoft.com domain, defeating URL filtering. Tracked as CVE-2026-42824 and now patched. Varonis Threat Labs, The Hacker News.
  • Novo Nordisk (Danish, maker of Ozempic) confirmed an IT breach; the threat actor claims to have stolen a 16GB trained model checkpoint, a proprietary training dataset, full source code and training pipeline, 113 training-run logs, and internal HPC/Slurm/SSH infrastructure maps. A notable example of an internal AI program becoming the crown-jewel target. SecurityWeek, vx-underground.
  • Google Vertex AI Python SDK flaw (“Pickle in the Middle”) let an attacker with no project access hijack a victim’s model upload via bucket squatting and gain cross-tenant RCE inside Google’s serving infrastructure. Found by Unit 42, fixed via bug bounty, no in-the-wild exploitation observed. Unit 42, The Hacker News.
  • LiteLLM AI gateway can be fully taken over by a default low-privilege account chaining three bugs to admin and RCE — exposing every provider API key the proxy brokers. Disclosed by Obsidian Security. The Hacker News.
  • 15 malicious JetBrains Marketplace plugins, all posing as DeepSeek/LLM-based coding assistants, were published in a coordinated campaign to exfiltrate developers’ AI provider keys. The Hacker News, BleepingComputer.
  • 144 npm packages in the @mastra/ namespace (an AI-app framework) were compromised via a hijacked contributor account in a campaign tracked as “easy-day-js.” The Hacker News.
  • GLM-5.2 dropped open weights with a 1M context window and is benchmarking as a top-3 model across open and proprietary models. The release coincides with the US export-control directive that forced Anthropic to suspend foreign access to Fable 5 and Mythos 5, fueling bets on Chinese model providers. r/LocalLLaMA, Dark Reading.

Vulnerabilities & Exploits (Actively Exploited)

  • Fortinet FortiSandbox: three flaws under active exploitation, including path-traversal CVE-2026-39813 (CVSS 9.1), plus CVE-2026-39808 and CVE-2026-25089; SOCRadar reports ~30,000 exposed/compromised Fortinet firewalls. The Hacker News, SecurityWeek.
  • Joomla JCE plugin CVE-2026-48907 (CVSS 10.0) is being exploited for arbitrary PHP execution; CISA added it to KEV with a Friday patch deadline. BleepingComputer, The Hacker News.
  • Cisco Catalyst SD-WAN Manager zero-day CVE-2026-20262 (CVSS 6.5) — authenticated arbitrary file write enabling privilege escalation — exploited in the wild; CISA mandated remediation by June 29. SecurityWeek, The Hacker News.
  • LiteSpeed cPanel plugin CVE-2026-54420 (CVSS 8.5) exploited for root privilege escalation on shared hosting; CISA gave agencies three days. BleepingComputer.
  • Palo Alto PAN-OS GlobalProtect auth-bypass CVE-2026-0257 (CVSS 7.8) under active exploitation against portals/gateways by an unknown actor. The Hacker News.
  • Microsoft Defender “RoguePlanet” zero-day: public PoC exploits a race condition to spawn a SYSTEM command prompt; Microsoft says a patch is in progress. BleepingComputer, SecurityWeek.
  • OpenBSD patched a 27-year-old remote kernel auth bypass in its PPP/PPPoE stack (a null-auth flaw imported from FreeBSD in 1999), allowing credential-less traffic interception. Argus-Systems, r/netsec.

Threat Activity

  • UNC6508 (China-nexus) lived undetected in North American medical, AI, and defense research networks for over a year (Sep 2023–Nov 2025), exploiting vulnerable REDCap servers to drop custom INFINITERED malware, then exfiltrating by rewiring victims’ own Google Workspace mail-forwarding rules. Google/Mandiant, BleepingComputer.
  • DragonForce ransomware deployed a custom Go backdoor (Backdoor.Turn) that hides C2 traffic inside legitimate Microsoft Teams relay infrastructure to evade network detection. SecurityWeek, BleepingComputer.
  • SprySOCKS (China-linked FishMonger) expanded from Linux to Windows with two new variants — WIN_DRV and WIN_PLUS — featuring kernel-driver rootkit capabilities and possible UEFI bootkit involvement, hitting government targets in Honduras, Taiwan, Thailand, and Pakistan. ESET attributes with high confidence. ESET/WeLiveSecurity, The Hacker News.
  • SHEETCREEP (Pakistan-linked) targeted Indian military and political figures via a malicious .lnk delivering C# code that uses Google Sheets for C2 — but operators hardcoded the Google C2 sheet and embedded the access key in the payload, exposing their full target list (~91 monitored individuals). Securonix.
  • SideCopy / APT36 (Transparent Tribe) targeted Indian defense personnel with a weaponized PowerPoint package and a double-extension .pptx.lnk shortcut launching a .NET CrimsonRAT loader. Nextron Research.
  • ScarCruft (APT37) used spear-phishing impersonating Microsoft account security alerts to deliver NarwhalRAT. The Hacker News.
  • Contagious Interview (Famous Chollima / North Korea) continues weaponizing developer recruitment and code-review themes to deliver malware through dev tools. The Hacker News.
  • Rokarolla Android trojan targets 217 banking and crypto apps with 137 remote commands — overlays, keylogging, SMS interception, clipboard hijacking — spread via fake TikTok and Chrome downloads. The Hacker News, Dark Reading.
  • ClickFix campaigns added three loaders — BabaDeda, Lorem Ipsum (possibly tied to Vice Society), and Potemkin — chaining compromised WordPress sites, EtherHiding blockchain dead-drops, and GULoader. Useful behavioral-detection material for purple teams. The Hacker News, sicuranext.

Offensive Tooling & Techniques

  • DCOMIllusionist released by Synacktiv at x33fcon: new offensive DCOM techniques including a COMouflage variant for arbitrary executable execution and a fileless lateral-movement method based on .NET deserialization. Directly relevant for AD lateral-movement work. Synacktiv.
  • GhostTree abuses recursive NTFS junctions to generate vast numbers of valid file paths, causing Microsoft Defender folder scans to never complete and leaving malware unscanned. BleepingComputer.

Supply Chain

  • Arch Linux AUR suffered an ongoing compromise (“AtomicArch”) with 1,500+ packages backdoored to deploy a Rust infostealer and an eBPF rootkit via malicious PKGBUILD install hooks invoking npm install; a second obfuscated wave hit Node.js, Firefox, LibreWolf, and NeoVim packages. Arch suspended new AUR signups; Nextron published YARA rules. The Register, YARA rules.
  • GitHub dismissed two formal vulnerability reports on design flaws researchers say are now being exploited by variants of the Shai-Hulud supply-chain worm to compromise hundreds of packages and developer accounts. The Record.
  • OptinMonster WordPress plugin (1.2M sites) was hit via compromised CDN credentials, injecting malicious JavaScript that created backdoors and exfiltrated data. CyberInsider.
  • Steam Workshop / Wallpaper Engine abused since late 2025 to distribute malware via wallpaper packages, hijacking accounts and primarily targeting gamers in China and Russia. Securelist, BleepingComputer.
  • PolinRider/DPRK npm typosquats (tailwind-color-shades, twcompose-utils, classbreeze-utils) ship real plugins plus obfuscated droppers fetching OS-specific second stages (Beavertail → InvisibleFerret) from blockchain dead-drops and IP 194.11.226.41. Nextron Research.

Data Breaches & Extortion

  • The Gentleman ransomware passed ~500 claimed victims, adding a European national healthcare org and one of Scandinavia’s most recognized national museums — worth flagging for Nordic exposure tracking. Ido Cohen.
  • Instructure Canvas breach hit 275 million students: ShinyHunters exploited stored XSS in the support-ticket system, enabled by poor content isolation and shared infrastructure. Scott Helme.
  • ShinyHunters added American Tower, JCPenney, Madison Square Garden Sports, Ralph Lauren, and Nexstar to its leak site (claims unverified), and separately claims a PeopleSoft zero-day heist of ~297GB from the Council of Europe. Kodak and Infinite Campus (137K school staff via Salesforce) also confirmed/were named in ShinyHunters incidents. Daily Dark Web, SecurityWeek, BleepingComputer.
  • KRYBIT emerged as a fast-moving ransomware operation — 49 victims across 20+ countries and all sectors since early April. Ido Cohen.
  • iRhythm disclosed a breach of patient personal/health data stored on third-party-hosted apps, with attackers demanding ransom. BleepingComputer.

Industry & Policy

  • The UK will require ID upload or facial age scan to create social media accounts and ban under-16s from spring 2027; reporting flags device-level enforcement that would render VPNs ineffective, plus new data-breach and surveillance risks. BleepingComputer, The Record.
  • OpenAI burned $34 billion in operating costs last year, and Anthropic reversed its planned Claude Agent SDK billing overhaul — both signs of an intensifying model price war. The Decoder.