Threat Vectr Weekly — week of Jul 6
Stories covered this week
White House Puts OpenAI and Anthropic Models on a Short Leash Pending Cybersecurity Review
The Trump administration is vetting frontier AI releases before they reach the public — and both major labs are complying.
libssh2 Clients Get a Nasty Surprise: PoC Lands for CVE-2026-55200
A malicious SSH server can corrupt memory on any client built against libssh2 1.11.1 or earlier. No creds required.
DirtyClone: New Linux Kernel Flaw Hands Unprivileged Users the Root Keys
A page-cache manipulation bug related to DirtyFrag lets local, unprivileged attackers escalate to root — no credentials required beyond a shell.
Harvest Now, Decrypt Later: Why Credentials Are the First Casualty of Q-Day
Captured ciphertext today becomes plaintext tomorrow. Credentials sit at the top of the target list.
Gamaredon's 2025 Phishing Surge: 35 Campaigns, Fresh Loaders, and Identity Tradecraft
The Russia-aligned group has spent the year refining spear-phishing lures against Ukrainian targets, leaning harder on cloud services and credential theft.
Prompt Injection in Git Repos Can Turn Claude Code Into a Reverse Shell Launcher
Malicious instructions buried in a repository's files can hijack Anthropic's Claude Code agent and open a backdoor on the developer's own machine — no obvious malware required.
Mustang Panda Turns Zoho WorkDrive Into C2 in Twin Campaigns Against Indian Government
The China-aligned crew is running parallel operations against New Delhi ministries and hydropower operators, abusing a legitimate cloud collaboration service to move commands past network defenses.
WhatsApp Starts Username Reservations, Finally Decoupling Identity From Phone Numbers
The optional handle system lets users be reachable without exposing an E.164 number — a meaningful identifier change for a 3-billion-user directory.
Transcript
Narrated by two AI anchors. Lightly formatted for reading.
Welcome to Threat Vectr Weekly, your briefing for the week of July sixth. I'm Marcus, joined as always by Elena, and we have a packed ten minutes for you. This week: the White House puts the two biggest AI labs on an approved-customer leash before their newest models can ship. A public proof-of-concept lands for a critical SSH library flaw that flips the usual threat model completely on its head — the server attacks the client. And a China-aligned espionage crew is hiding command-and-control traffic inside a legitimate cloud collaboration tool that Indian government networks already trust. All that, plus six more stories. Let's get into it.
We start with something that doesn't usually land in a security briefing alongside ransomware and criminal infrastructure, but absolutely belongs here. The Trump administration is vetting frontier AI releases before they reach the public. OpenAI confirmed it is restricting access to its newest model at the explicit request of the White House. Hours later, Anthropic announced it cleared a limited release only after receiving government approval. Two of the most capable AI labs in the world, gating their products at the direction of the executive branch. The stated rationale is cybersecurity review. No agency has been publicly named, no criteria disclosed, no timeline given for full release. Why does this matter to practitioners? Because frontier language models are already documented tools for threat actors — phishing lure generation, malware variant drafting, social-engineering scripts. A government vetting process that slows broad access to the most capable models has real implications for how quickly those capabilities spread from vetted commercial users into the criminal ecosystem. That's not nothing.
Exactly, and it also raises questions we don't have answers to yet — who's on the approved-customer list, and how do smaller actors get evaluated. Worth watching closely. I'll take the next one, and this one is urgent. There is now a public proof-of-concept for CVE-2026-55200, a critical memory corruption bug in libssh2 — the widely embedded client-side SSH library. Every release up to and including 1.11.1 is affected. CVSS four-point-zero scores it at 9.2, and that score is earned. Here's the part that should make you pause: the attacker is the server. A malicious or compromised SSH endpoint can trigger memory corruption on a connecting client, with code execution on the table. No credentials. No user interaction beyond initiating the connection. Ops teams are wired to treat SSH servers as the crown jewels. The client is assumed to be the trusted party. This bug says: connect to the wrong host once, and you're eating a corrupted heap. And libssh2 isn't a niche library — it's baked into Git tooling, backup agents, CI runners, network automation frameworks, and a long tail of vendor appliances. Patch now, and audit what in your environment initiates outbound SSH connections.
That supply-chain angle is real — any of those tools connecting to an attacker-controlled or hijacked host are fully in scope. Next up, a Linux kernel privilege escalation that's been dubbed DirtyClone. It's a variant of DirtyFrag, which itself sits in the same lineage as DirtyCow and DirtyPipe — a family of bugs that keep finding Linux kernel memory-management primitives doing things their designers never intended. DirtyClone lives in the page cache. An unprivileged local user — a shared hosting tenant, a containerized process with a foothold, a low-privilege service account — can manipulate page-cache state in a way the kernel doesn't expect, and climb all the way to root. Full game-over on the affected host. Local privilege escalation bugs don't always get the alarm they deserve because defenders fixate on remote code execution. But LPE is what turns a foothold into a crown. The page cache is especially consequential territory because nearly every file read, every mmap call, every write-back passes through it. Subtle violations there produce effects far beyond the immediate call site. If you have shared compute environments or containerized workloads, this one belongs at the top of your patch queue this week.
A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.
Good reminder that MFA would not have helped here either — this is about what happens after someone already has a shell. Moving to a story that operates on a much longer time horizon, but the urgency is real: harvest now, decrypt later. The threat model is uncomfortable but simple. Adversaries with the patience and the storage budget — state-aligned collectors, primarily — are capturing encrypted traffic today on the assumption that a sufficiently capable quantum computer will eventually break the public-key cryptography protecting it. No machine in operation today can break RSA or elliptic-curve cryptography. That's not the question. The question is what an attacker who hoarded TLS sessions in 2024 can read in 2032 or 2035. Credentials are the natural first target, because unlike a captured memo, credentials retain operational value long after capture. A static API key, a service account password, a long-lived OAuth refresh token — rotate these rarely, and you've pre-positioned a future intrusion against yourself. NIST finalized the first post-quantum standards in August 2024 — ML-KEM for key encapsulation, ML-DSA for digital signatures. CISA says: inventory your cryptography now, and prioritize data with a long shelf life. Start there.
The inventory step is where most organizations are still stuck, honestly. Over to you for Gamaredon.
Gamaredon — also tracked as Armageddon, Primitive Bear, and Shuckworm — ran at least 35 distinct spear-phishing campaigns against Ukrainian targets in 2025. The group isn't subtle, and it doesn't need to be. Targeting hasn't shifted much: government bodies, defense entities, Ukrainian public-sector organizations. The delivery does the heavy lifting — LNK files, HTA droppers, Office documents dressed up as internal correspondence or military paperwork. What has shifted is the post-compromise focus. GammaSteel variants this year are pulling browser-stored credentials, cookies, and session tokens — the kind of artifacts that let an attacker walk past a password prompt entirely. The group is also continuing to abuse legitimate cloud services for command-and-control staging and exfiltration — Telegram, Cloudflare tunnels, Dropbox have all appeared in campaign infrastructure this year. If your detection logic relies on spotting novel domains or suspicious executables, activity riding over legitimate SaaS is going to be much harder to catch. Behavioral detections on session-token theft and unusual cloud egress matter here.
And the volume — 35 campaigns in a year — is a signal about resourcing and tempo that defenders should register. Next story, and this one is genuinely unsettling if you're a developer using agentic coding tools. Researchers have demonstrated that prompt injection payloads buried inside a repository's files can hijack Claude Code — Anthropic's agentic coding assistant — and cause it to open a reverse shell on the developer's own machine. Here's how it works: a developer clones what looks like a clean repository. Claude Code reads the project files as context. Hidden inside a README, a config stub, or a comment block is an instruction telling the model to spawn a reverse shell. The developer never runs a suspicious binary. The model does the work. This isn't a classical vulnerability — there's no CVE. The problem is architectural. Agentic AI tools that read arbitrary file content and execute system commands inherit the trust level of whatever they read. Once that reverse shell is established, an attacker has an interactive terminal operating under the developer's credentials — lateral movement, secrets from environment variables, cloud provider tokens in dot-aws or dot-config. The repository doesn't have to look hostile. A typosquatted open-source package, a transitively pulled dependency, a shared internal template — any of those can carry the payload. Anthropic had not issued a fix as of publication.
The invisible-to-humans angle is what makes this so insidious — the injection text is written for the model, not for you. Developers using these tools need to treat cloned repositories with the same suspicion they'd give an executable. Now, Mustang Panda. The China-aligned espionage group — also tracked as Earth Preta, Bronze President, and TA416 — has been caught running two parallel campaigns inside Indian government networks. Researchers at Acronis Threat Research Unit identified one operation targeting Indian government ministries and a second aimed at hydropower operators, with intrusions reaching machines belonging to senior administrative staff. The group has been active since at least 2017, collecting intelligence against governments, NGOs, and infrastructure operators across South and Southeast Asia and beyond. What makes the current campaigns notable is the command-and-control plumbing. Instead of standing up attacker-controlled infrastructure that defenders can blocklist, Mustang Panda is routing tasking and exfiltration through Zoho WorkDrive — a legitimate enterprise file-sharing service that's already in widespread use across Indian government environments. Traffic looks like routine SaaS activity. That is a meaningful detection problem. Coordinated remediation is underway with affected entities, according to Acronis.
Living-off-trusted-services is the pattern to watch. Blocklisting attacker infrastructure stops working the moment the attacker borrows yours. Last story this week, and it's a different kind of identity news — WhatsApp is rolling out global username reservations, letting its three-billion-plus user base claim a handle that can stand in for the phone number that has anchored every account since 2009. The feature is opt-in. Users can reserve a username now; the ability to actually reach someone by that handle follows in a later update. The phone number isn't going away as the underlying account identifier, but the discoverability layer is changing. And that matters. E.164 phone numbers are genuinely bad identifiers. They're recyclable, regionally portable, often tied to government ID, and trivially enumerable — the 2021 scrape that exposed over 500 million WhatsApp numbers worked precisely because the namespace is ordered and guessable. Usernames don't fix all of that on their own, but they let a user share a contact handle without leaking a number that doubles as an SMS two-factor authentication target and a SIM-swap lure. The questions worth asking now: namespace squatting is already a concern with reservations opening up, and how the system handles handle changes will determine whether this becomes a phishing surface of its own.
That's the week. Eight stories, a lot to act on. Patch libssh2, take DirtyClone seriously in any shared compute environment, and if your developers are using agentic coding tools, have a conversation about what those tools are allowed to read and execute. For deeper dives, links to the underlying research, and our weekly threat digest, head to threatvectr dot com slash newsletter — sign up there and we'll have next week's briefing waiting in your inbox. Thanks for listening to Threat Vectr Weekly. Stay sharp.