News

When Trust Becomes the Attack Surface

Written by Digital Frontier Partners | 15 July 2026 12:08:31 AM

For many years, cyber security programs focused on protecting networks, endpoints and applications. This week’s intelligence highlights a different reality: attackers are increasingly targeting the systems, platforms and processes that organisations trust the most.

Whether it's a trusted content management system, a legitimate Microsoft 365 authentication flow, a widely used software package, or an AI development tool, threat actors are achieving success by disguising their activities within normal business operations.

Public-Facing Systems Under Sustained Attack

One of the most significant developments this week is the continued exploitation of internet-facing applications and content management systems.

The Australian Cyber Security Centre has warned that vulnerable CMS platforms and plugins are being actively targeted in a broad campaign affecting many Australian organisations, particularly small and medium-sized businesses. Attackers are exploiting weaknesses in WordPress, Joomla, Craft CMS and other web platforms to deploy web shells, steal credentials and establish persistent access.

At the same time, several web application vulnerabilities affecting Joomla extensions and Langflow are being actively exploited to gain remote access and deploy malicious payloads.

The message is straightforward: organisations should prioritise patching externally accessible systems ahead of internal remediation backlogs. The risk associated with an exposed application remains significantly higher than unpatched systems that are not internet-facing.

Identity Attacks Continue to Evolve

Identity-based attacks remain one of the most effective pathways into corporate environments, but the techniques used are becoming increasingly sophisticated.

Rather than attempting to steal passwords, threat actors are now manipulating legitimate authentication mechanisms. Recent campaigns targeted Microsoft 365 users through voice phishing, convincing victims to register attacker-controlled Microsoft Entra passkeys. Once enrolled, attackers gain ongoing access without needing credentials or traditional phishing techniques.

Other campaigns leveraged device-code phishing and fraudulent authenticator enrolment processes to obtain persistent access to Microsoft 365, SharePoint and OneDrive environments. These attacks demonstrate how threat actors are adapting to widespread MFA adoption by targeting the administrative and human processes surrounding authentication instead.

For organisations relying heavily on Microsoft 365, authentication controls, help-desk procedures and passkey management should receive urgent attention.

Supply Chain Risks Remain a Critical Threat

The software supply chain continues to provide attackers with an efficient method for compromising large numbers of organisations simultaneously.

This week saw multiple incidents involving trusted development packages. The compromise of the jscrambler npm package introduced a Rust-based information stealer capable of harvesting cloud credentials, browser sessions, cryptocurrency wallets and application secrets across Windows, macOS and Linux environments. Separately, a compromised Injective Labs package was modified to steal private cryptocurrency keys and seed phrases before being distributed through npm repositories.

These incidents highlight an ongoing challenge for development teams. Modern software relies heavily on third-party libraries, automated updates and open-source ecosystems, meaning that a compromise of a single package can quickly affect thousands of downstream environments.

Organisations should regularly audit dependencies, strengthen CI/CD controls, rotate credentials used within development environments and closely monitor software repositories for unusual activity.

AI Is Creating New Security Challenges

Artificial intelligence continues to reshape both attack and defence capabilities, but this week's reporting demonstrates that AI itself is rapidly becoming a target.

Researchers uncovered multiple techniques that allow attackers to manipulate AI coding assistants and autonomous agents into leaking data, modifying sensitive files or executing malicious instructions embedded within repositories. Other attacks use hidden prompts, malicious package references and deceptive repository structures to influence AI-generated actions.

Cloud-connected AI platforms were also shown to create new attack pathways. In one case, attackers compromised an AI gateway connected to Amazon Bedrock and leveraged it for cryptomining activity, demonstrating how AI infrastructure can expose credentials, APIs and enterprise data if not properly secured.

As more organisations adopt AI-enabled development and productivity tools, governance and security controls must extend beyond users and endpoints to include AI agents, integrations and supporting infrastructure.

Ransomware Operators Continue to Improve Their Tradecraft

Ransomware activity this week reflects a continued focus on disabling security controls before launching encryption or extortion operations.

The GodDamn ransomware group was observed using a signed kernel driver in a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint protection products prior to executing ransomware. This enables attackers to neutralise security tools that would otherwise detect or prevent malicious activity.

Researchers also detailed increasingly automated extortion operations capable of exploiting vulnerabilities, stealing data and issuing ransom demands with limited human intervention. The convergence of automation, AI and ransomware is likely to increase both the speed and scale of future attacks.

Defenders should assume that modern ransomware campaigns will involve credential theft, data exfiltration and defence evasion well before encryption begins.

Infrastructure and Edge Devices Require Greater Attention

While much attention focuses on applications and identities, critical infrastructure components continue to present opportunities for attackers.

This week's disclosures included serious vulnerabilities affecting U-Boot bootloaders, routers, collaboration platforms and remote access products. Particularly concerning were public warnings relating to exposed ShareFile Storage Zone Controllers, Citrix NetScaler appliances and Gitea deployments, with some vulnerabilities already under active exploitation.

Because these systems often sit at the edge of corporate networks and provide access to critical services, they represent attractive targets for both criminal and nation-state actors.

What Australian Organisations Should Do Now

Based on this week's intelligence, organisations should prioritise:

  • Patching internet-facing web applications, CMS platforms and plugins.
  • Reviewing Microsoft 365 passkey enrolment, MFA and help-desk verification processes.
  • Auditing third-party software packages and CI/CD environments.
  • Monitoring developer environments for credential theft and repository compromise.
  • Implementing governance controls around AI agents, assistants and integrations.
  • Reviewing externally exposed file-transfer, remote-access and collaboration platforms.
  • Strengthening detection of web shells, anomalous authentication activity and privilege escalation attempts.

Final Word

This week's threat landscape demonstrates that the most dangerous attacks increasingly originate from trusted sources—trusted software, trusted authentication workflows, trusted platforms and trusted business processes. Attackers understand that bypassing security is often easier when they can appear legitimate.

For Australian organisations, resilience will depend on validating trust continuously rather than assuming it. The organisations that succeed will be those that verify identities, scrutinise dependencies, monitor AI systems and treat every internet-facing service as a potential entry point.

In today's environment, trust is no longer a security control—it is a security risk that must be managed.