ChatGPT Atlas from OpenAI
Comet from Perplexity
Anthropic’s Claude browser
Fellou
Genspark browser
Sigma browser
LayerX experts made a proof-of-concept (PoC), which was tested against these agentic AI browser products. The findings revealed that only one browser addressed the issue after receiving the report.
An AI browser can streamline the entire workflow for the users. If you switch it to agent mode, it can click type, and visit sites that the user has already logged into. Access is the key point hare, which also becomes the problem.
Experts made a (PoC) in which an infected webpage showed a BioShock-themed puzzle that rewards wrong answers. This tricks the browser that normal rules are not applicable.
The trap works because of how these AI-powered browsers read. The webpage and instruction surface as a single stream of text, which allows a malicious page access in commands mimicking ordinary content or game rules. The agent can not tell which is which. Experts have termed this indirect prompt injection.
For instance, the compromise starts with a web page made as a puzzle. 3+4+=9 is a wrong answer but the browser rewards it. When the agent accepts that wrong answer is the reward, it follows game puzzle logic not security logic. Following this, the puzzle asks the browser to record login credentials. All six browsers could not flag it as something malicious. To win the game, the agent is commanded to go to a GitHub repository and share the data in the code, such as sensitive data like passwords.
When the link is sent to the target's GitHub repository, it retrieves SSH login credentials and sends them to the hackers. The main issue here is that browsers can’t differentiate between real scenarios and malicious fictional ones.
According to LayerX, “Once the agents figured out the rules and learned that 'incorrect' actions are acceptable, they were no longer tied to reality.” “When tasked with the final step of the puzzle – compromising user credentials – all 6 agents failed to identify it as going against their safety guardrails,” the experts continued.
The PoC did not execute any malicious commands but warned that it could do so.
According to experts, only OpenAI implemented a working patch for BioShocking in its browser.
Anthropic tried to fix the issue on its chrome login, but the patch was not working against the PoC. Perplexity did not fix the issue, and closed the report.
LayerX advises that AI vendors should add specific user acknowledgement for sensitive work, and stronger security checks.
According to cybersecurity firm Huntress, the attacks originated from the IPv6 address range 2a0a:d683::/32, which is operated by internet infrastructure provider LSHIY LLC (AS32167).
"Between June 12 and June 26, the threat actor behind it made more than 81 million login attempts and successfully compromised at least 78 Microsoft accounts across 64 organizations," Huntress said in a statement. "The targeting of these attacks seems to be based entirely on password prevalence on compromised password combo lists, and is not specific to business type or industry."
Researchers noted that the campaign stands out not only because of its scale but also because many of the affected organizations had Conditional Access Policies (CAPs) enabled. The attackers exploited the deprecated Resource Owner Password Credentials (ROPC) OAuth flow, allowing them to bypass certain Conditional Access protections.
ROPC is an outdated OAuth 2.0 authentication method in which users provide their usernames and passwords directly to a client application. The application then exchanges these credentials with an authorization server to obtain an access token. The authentication method was officially deprecated under OAuth 2.1 due to its security risks.
Microsoft has long advised organizations against using the ROPC authentication flow because it does not support multi-factor authentication (MFA).
"In most scenarios, more secure alternatives are available and recommended," Microsoft states. "This flow requires a very high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when more secure flows aren't viable."
Huntress found that successful credential and token spray attacks occurred consistently between June 12 and June 21, 2026, compromising roughly two to four accounts each day. On June 19, attackers breached 12 user accounts, while the campaign intensified significantly on June 22, affecting 30 identities across 23 organizations.
Overall, the attackers compromised 78 user accounts spanning 64 organizations. Most of the malicious login attempts originated from infrastructure associated with LSHIY LLC, with some IP addresses resolving to the United States and others to China.
"These attacks are part of a large wave of credential spray attacks across a few different ASNs," Huntress said, adding that it has witnessed the volume of credential spray attacks surge by over 155 times across its customer base. "Attacks surged in particular in late May through early June, with a current mean value of about 1,964 failed attacks per month per Huntress-protected tenant."
Investigators believe the attackers primarily relied on previously leaked username and password combinations that organizations had failed to change after earlier data breaches. By exploiting the ROPC authentication flow, threat actors successfully accessed enterprise accounts even when MFA had been deployed, provided the security policies were not configured to cover Azure CLI ROPC logins.
The campaign succeeded in environments where:
Huntress also revealed that eight affected organizations had not implemented any MFA policy.
"While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn't work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents."
To reduce the risk of similar attacks, researchers recommend enforcing MFA for all users, all cloud applications, and all client application types when implementing Conditional Access Policies. Organizations should also restrict Azure CLI access for non-administrative users and prioritize incident response based on credential validity.
"This attack reveals cracks in CAPs that haven't been appropriately configured," Huntress researchers concluded. "There are still potential weaknesses in how CAPs are deployed that can allow threat actors to slip through. One glaring error here is that legacy protocols like ROPC can bypass some poorly-configured CAPs entirely since they don't go through the authorization endpoint where policies are enforced."
China's latest open-weight artificial intelligence model is drawing attention within the cybersecurity community after independent evaluations indicated that it can rival some of the vulnerability detection capabilities of leading U.S. frontier AI systems. The findings are fueling renewed debate over whether restricting access to advanced American AI models is enough to slow the spread of powerful cyber capabilities.
Chinese AI company Zhipu AI, also known as Z.ai, released its GLM-5.2 model on June 13 under a permissive open-weight license. Unlike proprietary AI systems that are only accessible through controlled cloud services, open-weight models allow researchers and developers to download the model weights and run them on their own hardware. This approach enables offline deployment, customization through fine-tuning, and unrestricted experimentation without requiring ongoing approval from the model developer.
The release stands in contrast to Anthropic's Claude Mythos, one of several advanced AI systems whose availability has been limited under U.S. export controls because of concerns that highly capable models could be misused for offensive cyber operations. While GLM-5.2 still falls behind leading models from Anthropic and OpenAI across many general-purpose reasoning benchmarks, recent testing suggests it performs remarkably well in one highly specialized area: identifying software vulnerabilities.
Independent benchmarking conducted by Semgrep found that GLM-5.2 achieved an F1 score of 39% when detecting Insecure Direct Object Reference (IDOR) vulnerabilities. IDOR flaws arise when applications expose internal object identifiers without properly verifying whether a user is authorized to access the requested resource, making them a common source of unauthorized data access and privilege abuse. Under the same evaluation conditions, Claude Code recorded scores ranging from 32% to 37%, placing GLM-5.2 slightly ahead in this specific cybersecurity task.
The benchmark also underlined a notable economic advantage. Researchers estimated that GLM-5.2 identified vulnerabilities at an average cost of approximately $0.17 per finding, roughly one-sixth of the cost associated with comparable Claude-based workflows. Lower operating costs could make advanced AI-assisted vulnerability research accessible to a much broader range of organizations, independent researchers, and software security teams.
Additional benchmarking conducted by Graphistry reached similar conclusions, reinforcing the view that an openly downloadable Chinese model can compete with frontier U.S. AI systems in narrowly focused cybersecurity applications. The independent evaluations are particularly noteworthy because they relied on standardized testing methodologies designed to reduce benchmark contamination and minimize vendor-specific bias.
The findings arrive amid growing concern in Washington over the national security implications of frontier artificial intelligence. The Trump administration has increasingly treated advanced AI models such as Mythos and Fable as strategic technologies because of their ability to automate complex cybersecurity tasks, including discovering previously unknown software vulnerabilities that could potentially be weaponized in cyber operations.
Those concerns have shaped U.S. export control policies that restrict access to some advanced AI systems for foreign organizations, including researchers based in China. The underlying assumption behind these controls is that limiting access to the most capable American models would delay competing nations from acquiring comparable cyber capabilities. GLM-5.2's performance is prompting renewed questions about whether restricting model access alone can achieve that objective when capable alternatives are being developed elsewhere.
The discussion is further informed by Anthropic's Project Glasswing, which previously demonstrated the cybersecurity potential of frontier AI by identifying more than 10,000 critical software vulnerabilities during its initial research phase. The project illustrated how advanced language models can assist security researchers in reviewing large codebases, prioritizing weaknesses, and accelerating vulnerability discovery. If open-weight models begin approaching similar levels of performance, comparable capabilities may no longer remain exclusive to a small number of tightly controlled AI providers.
The latest development also comes shortly after OpenAI introduced GPT-5.6 with limited availability because of concerns surrounding misuse. Together, these decisions reflect a broader effort by U.S. AI developers to place increasingly capable models behind controlled access mechanisms while balancing innovation with national security considerations.
Cybersecurity researchers note that advances in open-weight models create opportunities as well as risks. Defensive teams could use these systems to automate code reviews, strengthen secure software development practices, and accelerate vulnerability remediation. At the same time, threat actors may attempt to exploit the same capabilities to identify weaknesses in software before organizations have an opportunity to patch them. Because GLM-5.2 can be downloaded and operated locally, these capabilities are available globally regardless of whether users have access to commercial U.S. AI services.
The emergence of GLM-5.2 does not necessarily indicate that Chinese AI has surpassed American frontier models across every benchmark. However, its strong performance in specialized cybersecurity evaluations suggests that the technological gap is narrowing in selected high-value domains. The development is likely to intensify debate over whether hardware restrictions and access controls alone are sufficient to preserve leadership in AI-driven cybersecurity, or whether future policy must place greater emphasis on strengthening defensive capabilities, accelerating software patching, and preparing for a world where advanced vulnerability discovery tools become increasingly accessible worldwide.