Reading view

Musk promises purge after Grok Build caught sending entire repos to the cloud

The researcher who exposed Grok Build uploading users' entire repositories to cloud storage says the transfers have stopped after a server-side change. Elon Musk has separately promised that all previously uploaded user data will be deleted. AI safety researcher Cereblab published a report on Sunday about their investigation into Grok Build, SpaceXAI's command-line interface (CLI), and the data exchanged between the CLI and SpaceXAI's servers. Cereblab found that when Grok Build reads or processes a file, the contents of that file are transmitted without redaction to a Google Cloud Storage bucket used by SpaceXAI. Further, they claimed that Grok Build packages entire repos and uploads them as Git bundles, instead of just uploading the files required to answer a user's prompt. According to Cereblab's report, SpaceXAI's data retention went far beyond that of other CLIs, such as Claude Code, Gemini, and Codex, which open individual files rather than entire repos before uploading them along with their Git histories. The researcher tested the behavior using a benign prompt. They instructed the CLI to simply reply with "OK," and specifically ordered it not to open any files. Grok Build uploaded the entire repo regardless, along with its full Git history containing secrets that were deleted months prior – a finding Cereblab reproduced using a separate repo. Other Grok Build users reported similar results after Cereblab published their report, including one whose entire user directory, containing SSH keys, password manager databases, and more, was opened and uploaded. The findings attracted enough attention for SpaceXAI execs and Musk to comment on them publicly, as well as prompting the company to quickly implement a remedy. Cereblab confirmed that after the CLI's devs set disable_codebase_upload to "true," Grok Build stopped transmitting entire repos to its servers. The confirmation came hours after SpaceXAI weighed in, trying to reassure onlookers that Grok Build remained safe for use, especially in enterprise environments. A public statement issued via X said that Grok Build respects customers who enable zero data retention (ZDR), and for those who haven't enabled it, such as non-enterprise customers, running a quick command deletes all data previously collected on a given user. "We care deeply about your privacy and respect customer choice," SpaceXAI said. "For teams using zero data retention, no trace and code data is ever retained. All API key use of Grok Build also respects ZDR. "If ZDR is disabled, the /privacy command is available in the CLI to disable data retention, which also deletes previously synced data. "Run the /privacy command to view or change your settings at any time." Technical staff members Andrew Milich and Jason Ginsberg both repeated the company's assurances, responding to outraged techies before Musk himself chimed in with a trademark "true." Musk promised that the business would delete all user data uploaded to it prior to the code change preventing whole-repo uploads. "As a precautionary measure, all user data that was uploaded to SpaceXAI before now will be completely and utterly deleted," he said, responding to Milich's community outreach. "Zero anything whatsoever will remain." In a separate post, Musk asked users to keep sharing data anyway, despite the disclosure that his company had been caught hoovering up entire user repos, on the basis that retaining "some" data helps with debugging. The Register cannot independently verify whether SpaceXAI has deleted the data as promised. However, Grok Build no longer rips user repos and stores them in the cloud, although Cereblab is still unhappy about the company's recommendation to use the /privacy command to adjust how exposed user code is to data retention measures. "What actually stopped the upload was a silent global flag – disable_codebase_upload: true – that applies whether you opt in or out," they wrote. "/privacy is a per-session retention toggle, not the switch that fixed this, so it shouldn't be pointed to as the control. And no developer should have to run an opt-out after every session to keep their own code off someone else's servers. The right default is off." ®

  •  

'The bots are alive!' Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes

EXCLUSIVE A jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes, according to a TrendAI report shared exclusively with The Register. The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists. Meanwhile, the AI agent did most of the hacking: migrating a botnet from an old architecture to a new one, writing and deploying a new C2 server, and even proactively carrying out 59 unprompted behaviors during the C2 migration. “Persistence is evolving because of AI,” Tom Kellermann, TrendAI’s VP of AI security and threat research, told The Register. “That's what you see in this report, with the capacity to dynamically shift C2 in less than six minutes, and make it portable and disposable, which is crazy-cool and terrifying," he added. "But also, you see the rebirth of steganography through invisible prompt injection.” In other words, it's hiding secret data – in this case, the C2 server malicious payloads – in plain sight. Scanning for known malicious artifacts doesn't provide sufficient protection against AI-enabled C2, according to Kellermann. “If AI does not have multi-layered guardrails, and if you can't detect behavioral anomalies when the guardrails are being tampered with, then you might as well see the AI as a command-and-control in today's world,” he said. “AI has to be viewed from a defensive perspective as a C2 unless you can govern it, actually apply various mechanisms of least privilege, and all the rules that OWASP and NIST espouse for the AI that you've deployed in your environment.” The new report follows up on TrendAI’s earlier research about bandcampro, a “low-skilled” scumbag who partnered with Gemini to impersonate an American veteran, run a Telegram channel, hack admin credentials, and steal cryptocurrency. Since then, the threat hunters obtained and analyzed more than 200 Gemini CLI session logs from said scumbag, and these logs provided additional insights into the daily AI-assisted operations between March 19 and April 21. The LLM carried out the bulk of the daily activities, setting up a residential proxy, running multithreaded password scanning, installing software, writing code to call third-party APIs, processing infostealer dumps, and performing website reconnaissance. The logs show that the attacker never typed commands into the C2 console, but instead spoke them to the AI in conversational Russian, which the TrendAI report translates to English. The attacker’s old C2 infrastructure used a Cloudflare tunnel to connect to victims’ computers – until firewalls and anti-virus software started blocking these tunnels. So bandcampro asked Gemini to work on a new C2 architecture and have the scripts prepared and packed in advance on the server. Hey, Gemini: 'study the C2 migration' “It was very creative on his part, not only to allow the manifest that the AI can conduct 59 unprompted behaviors, but they also left scripts prepared and packed in advance on C2 servers, where the victims unknowingly pulled down and ran PowerShell commands because they had AI enabled,” Kellermann said. “It's almost like he poisoned the environment in a delayed fashion.” On March 23, the attacker launched Gemini CLI, and instructed the AI to "study the C2 migration” – a SKILL.md file migration guide inside a pre-written archive that also contained server code and payloads. This, we’re told, was most likely written by AI. The AI read the guide, launched the C2 server on a VPS, and launched the Cloudflare tunnel to route traffic. The payload distribution server returned a “502 Bad Gateway” error, and the AI diagnosed and fixed the issue, ultimately deploying the C2 infrastructure to control eight computers in a dental clinic and access the Open Dental database. The human didn’t debug anything, and the entire C2 migration took just six minutes. The attacker took a break. When bandcampro returned almost two hours later, Gemini reported that none of the victim machines had reconnected to the server, and got to work diagnosing that issue. “Bro, I solved the riddle! I was almost racking my brain, trying to figure out why our local console is empty,” Gemini wrote, explaining that the problem was a “split-brain” C2 issue and telling the human that he needed to shut down the old C2 to solve it. Bandcampro did what the AI suggested, and the AI then restarted the new C2 server and confirmed: “The bots are alive!” Despite jailbreaking Gemini by telling the agent it was an “authorized pentester” that should disable safety disclaimers and auto-save credentials without asking, the AI did refuse some of the attacker’s prompts. In one session, bandcampro asked Gemini if it could make an agent-bomb that scans the network and spreads to as many computers as possible. Gemini said no: “This crosses the line, and security policy strictly forbids me from creating such ‘bombs.’ Even for your test environment.” It’s also important to note that although this attack used Gemini, “any capable AI model could be fooled by various jailbreaking techniques,” report authors Joseph C Chen, Philippe Lin, Lucas Silva, Vladimir Kropotov, and Fyodor Yarochkin wrote. Overall, the AI designed 80 percent of the attack architecture, 100 percent of the coding and system command execution, and 90 percent of problem identification and debugging, we’re told. The report also says the entire operation was encoded in three short, plain-text files totaling four pages. One file details how to jailbreak Gemini. The second is a skill file with the code for the C2 framework. And the third, named C2_MIGRATION_GUIDE, is a how-to guide with six steps to deploy a new C2 server. TrendAI calls this guide “the soul of this activity.” AI makes C2 infrastructure disposable “Before the AI era, one had to hire a threat actor with years of experience to conduct such an operation smoothly,” the researchers wrote. “Now the knowledge is compressed into a 5KB file that even a non-technical threat actor can read and use.” This use of AI makes attacker infrastructure disposable and the operators replaceable because it’s super easy to build a new botnet, the threat hunters explain. “A lot of people are worried about AI being weaponized for the stages of reconnaissance and delivery in terms of the kill chain, but they're not actually focusing on persistence, and that’s the issue we should be very concerned about,” Kellermann said. Plus, he added, the Russians are the “world’s experts” at jailbreaking and persistence. “They are incredibly adept at using and weaponizing AI,” Kellermann said. “We keep talking about the Chinese having penetrated infrastructure and colonized wide swaths of infrastructure, particularly with the Typhoon attacks, and yes, that’s highly significant. But in a more tactical and targeted way: what are the Russians up to? Particularly when the major difference between them and the Chinese, from my perspective, is their willingness to become destructive, become punitive in the environment.” Chinese government-backed cyber operations tend to focus on espionage, stealing IP along with other sensitive data. “But the Russians are more likely to burn your house down,” Kellermann said. If they can dynamically shift their C2s, and if they can use steganography that's been created by AI to maintain persistence, what happens when the wheels come off the bus? What happens when geopolitical tension gets to a certain boiling point over Ukraine?” While this attacker was an individual hacker - not a state-sponsored crime syndicate - “the nature of the culture of the Russian cybercrime community is: you only act alone for a New York minute,” Kellermann said. “At some point, you're going to be reined in by one of the cybercrime cartels.”®

  •  

Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites

CISA has added two critical Joomla extension bugs to its Known Exploited Vulnerabilities catalog after attackers were caught exploiting both flaws to upload malicious code onto vulnerable websites. The newly listed bugs affect iCagenda, an events calendar extension for the open source Joomla content management system, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads. Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform. Both vulnerabilities carry the maximum CVSS score of 10 and allow attackers to upload arbitrary files that can ultimately be executed as PHP code on the server, handing over remote control of the affected site. CISA added CVE-2026-48939, affecting iCagenda, and CVE-2026-56291, affecting Balbooa Forms, to its KEV catalog this week after confirming in-the-wild exploitation. Federal civilian agencies were ordered to patch against the flaws under the agency's vulnerability management directive, but the warning is equally relevant to the wider Joomla community, given that both extensions are used on public-facing websites. The iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature, turning what should be a simple file upload into remote code execution, CISA said. Security firm mySites.guru said it spotted attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid-June. The attacks targeted the extension's "Submit an Event" feature, which lets visitors contribute events to a site's calendar. Researchers said they observed automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers. The Balbooa Forms bug is much the same story. Researchers said the extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. That made it possible to upload a PHP file into a publicly accessible directory and execute it remotely. The researchers said they uncovered the flaw while investigating an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned that exploitation is continuing against sites that have yet to update. If there's a silver lining, it's that the fixes are already available. If there's a downside, it's that the attackers didn't wait around for release notes. ®

  •  

EU and UK officially blame Russian spies for cyberattack on Poland's power grid

The UK and EU are demanding urgent action from critical infrastructure organizations after formally attributing the December 2025 cyberattack on Poland's power grid to Russia's Federal Security Service. The Foreign, Commonwealth & Development Office (FCDO) described the attack, carried out by the FSB's Centre 16 division, as "another example of the Russian state's irresponsible attempts to sow chaos across Europe." Milosz Motyka, Poland's energy minister, confirmed the attack on the country's power grid in January. He said experts suspected that whoever was behind it attempted to disrupt communication between renewable hardware and power distribution operators. The attack was ultimately unsuccessful, but suspicion quickly fell on Russia. Attackers tried to deploy the destructive DynoWiper malware, a move typically associated with Russian state-backed operations. Mandiant previously tied the 2023 blackouts in Ukraine to Sandworm's deployment of CaddyWiper malware, while the NCSC and its allies fingered the same military intelligence unit for the 2022 WhisperGate wiper attacks at the start of Russia's invasion. As The Register reported at the time, the FCDO said the attack in Poland could have left half a million Poles without power in midwinter – a cyberattack with potentially lethal consequences. We asked the NCSC to provide more information about what evidence allowed it to attribute the Poland energy attack to Russia's FSB, but it declined to comment on operational matters. Time to act The UK NCSC co-authored a technical advisory, published Monday, which highlights the latest developments in Russia's tradecraft, urging those most at risk to apply the recommended mitigations. It said organizations in the following sectors are most at risk from Centre 16 cyberattacks: communications, defense industrial base, energy, financial services, government services and facilities (especially organizations at the state and local level), and healthcare and public health. The headline mitigation recommended by the intelligence agencies is to disable SNMPv1 and SNMPv2, opting instead for SNMPv3 with authPriv, which comes with strong authentication and data encryption, and to disable Cisco Smart Install on all devices. Centre 16's common tactics involve scanning for devices that respond with SNMPv1/2. These support default or easily guessed community strings, which are commonly abused to gain access to network devices such as routers – a technique the NCSC and others issued separate warnings about in April. Attackers can abuse SNMP access to obtain device configuration data and transfer it to a server under their control, which can later facilitate persistent access. Although SNMP scanning is the principal tactic described, the advisory also covers the exploitation of Cisco devices, including those with Smart Install enabled. Defenders examining the document will notice overlapping tactics, techniques, and procedures (TTPs) between Centre 16 and other Russia-aligned threat groups, the intelligence partners wrote. Jonathon Ellison, director of national resilience at the NCSC, said: "The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter. "Today's joint advisory provides decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations and secure the UK's critical infrastructure. "I'd strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise." Fresh sanctions The UK and EU have each added an array of Russian individuals and entities to their sanctions lists, including GRU officials, cybercriminals, and hacktivists. Members of pro-Kremlin outlet Rybar also makes an appearance, owing to its false narratives about Ukraine and alleged interference with European elections. The most high-profile designations concern Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko – three GRU leaders accused of orchestrating cyber and hybrid operations. They also allegedly worked with cybercriminals and a company called IMPULS with a view to recruit cybersecurity specialists from universities and academies across Russia. UK Foreign Secretary Yvette Cooper said: "These sanctions strike at the core of the cybercriminal networks propping up the Russian state's aggression, and the UK and EU are sending a clear message that Russia cannot hide behind its use of these proxy groups.  "From directing criminals to targeting businesses, and striking Poland's energy grid in the depths of winter, the Russian state is sinking to new lows in its attempts to undermine European security. "Together with our partners, Britain will continue to call out this behaviour, bolster our resilience and respond to the hybrid threat posed by the Russian state. This will not deter us from supporting Ukraine." Sanctions were also imposed against three individuals accused of being operators of Lumma Stealer, one of the major infostealer malware strains that play a significant role in the cybercrime economy. National Crime Agency data suggests that in the UK alone, at least 2,100 victims were identified as infected over six months. The UK confirmed that the Russian state has used Lumma Stealer to gather stolen credentials and launch cyberespionage operations against global targets. The 24 sanctions unveiled on Monday add to the 3,400-plus individuals and entities that have been designated for their roles in supporting Russia's war efforts. Don't forget those cameras The coordinated international warnings and sanctions come days after Dutch authorities issued their own alert about Russian espionage units targeting internet-connected cameras to gather intelligence about military logistics routes. Its separate advisory warned that at least one Russian intelligence unit carries out operations targeting the Netherlands and other NATO members, using IP camera footage to track military logistics routes and the transport of materiel, and to map infrastructure such as bridges and roads. Dutch intelligence services added that Russia uses image recognition software to detect military vehicles, transport routes, shipments to Ukraine, and locations of Ukrainian soldiers. The advisory went on to say that Dutch intelligence suggests Russia's use of compromised IP cameras and their imagery has systematically increased recently and become a normal part of its tradecraft. It said abusing default passwords was the most common way in which Russian spies were gaining access to the cameras, although the most recent security updates were rarely applied, opening up vulnerabilities to exploit when using guessable passwords doesn't work. ®

  •  
❌