{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/genai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint Security"],"_cs_severities":["high"],"_cs_tags":["genai","credential-access","persistence","collection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging GenAI agents to automate the discovery and exfiltration of sensitive information, including credentials, API keys, and tokens stored within files on compromised systems. The observed activity involves GenAI tools accessing critical files such as cloud credentials, SSH keys, browser password databases, and shell configuration files. Successful exploitation allows attackers to harvest credentials, gain unauthorized access to systems, and establish persistence mechanisms for continued access. The GenAI tools mentioned include ollama, textgen, lmstudio, claude, cursor, copilot, codex, jan, gpt4all, gemini-cli, genaiscript, grok, qwen, koboldcpp, llama-server, windsurf, zed, opencode, and goose. This activity highlights the emerging threat landscape of AI-assisted attacks and the need for robust detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system through an unrelated vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eInstallation or execution of a GenAI tool (e.g., ollama, lmstudio) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool is configured or instructed to scan the file system for sensitive files.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool accesses files containing credentials, such as \u003ccode\u003e.aws/credentials\u003c/code\u003e, browser password databases (\u003ccode\u003eLogin Data\u003c/code\u003e, \u003ccode\u003ekey3.db\u003c/code\u003e), or SSH keys (\u003ccode\u003e.ssh/id_*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe GenAI tool exfiltrates the harvested credentials and API keys to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to cloud resources, internal systems, or other sensitive accounts.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool attempts to modify shell configuration files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e) to establish persistence.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user login, the modified shell configuration executes malicious commands, granting the attacker persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this threat can lead to significant data breaches, unauthorized access to critical systems, and persistent compromise of affected environments. Attackers can leverage stolen credentials to escalate privileges, move laterally within the network, and exfiltrate sensitive data. The number of victims and sectors targeted is currently unknown, but the potential impact is widespread given the increasing adoption of GenAI tools in various industries. Credential theft leads to financial loss, intellectual property theft, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Accessing Sensitive Files\u0026rdquo; to your SIEM to detect GenAI tools accessing sensitive files on endpoints.\u003c/li\u003e\n\u003cli\u003eEnable file access monitoring on systems where GenAI tools are used to capture access events for analysis.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of GenAI tools within the environment, especially concerning access to sensitive file paths.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to shell configuration files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e) as an indicator of persistence attempts.\u003c/li\u003e\n\u003cli\u003eImplement regular credential rotation policies to minimize the impact of stolen credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T22:46:51Z","date_published":"2026-05-01T22:46:51Z","id":"/briefs/2024-12-15-genai-sensitive-file-access/","summary":"This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.","title":"GenAI Tools Accessing Sensitive Files for Credential Access and Persistence","url":"https://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","genai","file-access","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers are increasingly exploiting GenAI tools to automate the discovery and exfiltration of sensitive information from compromised systems. This involves using GenAI agents to systematically scan file systems for credentials, API keys, tokens, and other secrets. Access to credential stores (.aws/credentials, .ssh/id_*) indicates credential harvesting, while modifications to shell configuration files (.bashrc, .zshrc) point to persistence attempts. The observed activity leverages legitimate GenAI tool functionality, making it difficult to distinguish between benign use and malicious intent. This technique has become more prevalent since late 2025, with attackers refining methods to instruct GenAI agents to specifically target and exfiltrate sensitive files. Defenders must monitor for unusual file access patterns by GenAI processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system via phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker installs or deploys a GenAI tool (e.g., LM Studio, Claude, Copilot) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the GenAI tool to scan the file system for specific file names and patterns associated with sensitive data (credentials, keys, cookies).\u003c/li\u003e\n\u003cli\u003eThe GenAI tool accesses files such as \u003ccode\u003e.aws/credentials\u003c/code\u003e, \u003ccode\u003e.ssh/id_rsa\u003c/code\u003e, browser login databases (e.g., \u003ccode\u003eLogin Data\u003c/code\u003e, \u003ccode\u003elogins.json\u003c/code\u003e, \u003ccode\u003eCookies\u003c/code\u003e), and other credential stores.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool may modify shell configuration files (\u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e) to establish persistence.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool stages the collected data for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the harvested credentials and data to an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to other systems or cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread credential compromise, allowing attackers to move laterally within a network, access sensitive data, and potentially disrupt critical business operations. A single compromised developer workstation could expose cloud infrastructure credentials, impacting hundreds of systems and services. The use of GenAI tools allows for rapid and automated credential harvesting, significantly increasing the scale and speed of potential breaches. Sectors at high risk include software development, cloud computing, and any organization that relies heavily on API keys and secrets for authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGenAI Process Accessing Sensitive Files\u003c/code\u003e to your SIEM to detect GenAI tools accessing sensitive files. Tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor file access events, specifically looking for GenAI processes (ollama, lmstudio, claude) accessing files with names like \u003ccode\u003ecredentials\u003c/code\u003e, \u003ccode\u003eid_rsa\u003c/code\u003e, \u003ccode\u003elogins.json\u003c/code\u003e, and \u003ccode\u003e.bashrc\u003c/code\u003e, as outlined in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and monitoring for sensitive directories like \u003ccode\u003e.aws\u003c/code\u003e, \u003ccode\u003e.ssh\u003c/code\u003e, and browser profile directories.\u003c/li\u003e\n\u003cli\u003eRegularly audit and rotate credentials, API keys, and tokens, especially those stored in files.\u003c/li\u003e\n\u003cli\u003eEducate developers and users about the risks of using GenAI tools to handle sensitive data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T16:34:10Z","date_published":"2026-04-22T16:34:10Z","id":"/briefs/2024-01-genai-sensitive-file-access/","summary":"This brief outlines the threat of attackers leveraging GenAI tools to access sensitive files containing credentials, SSH keys, browser data, and shell configurations for credential access and persistence.","title":"GenAI Tool Access to Sensitive Files for Credential Harvesting and Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-genai-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Copilot","Cursor","GPT4All","Jan","LM Studio","Ollama","Windsurf","bunx","codex","claude","deno","gemini-cli","genaiscript","grok","koboldcpp","llama-cli","llama-server","npx","pnpm","qwen","textgen","yarn","Confluence Data Center"],"_cs_severities":["medium"],"_cs_tags":["genai","command and control","macos","network connection"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Atlassian","GitHub"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule \u003ccode\u003e9050506c-df6d-4bdf-bc82-fcad0ef1e8c1\u003c/code\u003e focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.\u003c/li\u003e\n\u003cli\u003eThe compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.\u003c/li\u003e\n\u003cli\u003eThe GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).\u003c/li\u003e\n\u003cli\u003eThe macOS system\u0026rsquo;s network stack resolves the attacker\u0026rsquo;s domain to its corresponding IP address.\u003c/li\u003e\n\u003cli\u003eThe GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised GenAI tool.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization\u0026rsquo;s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Connecting to Unusual Domain\u0026rdquo; to your SIEM and tune for your environment (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eBlock any identified malicious domains at the network level (see query in the provided source).\u003c/li\u003e\n\u003cli\u003eReview the GenAI tool\u0026rsquo;s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.\u003c/li\u003e\n\u003cli\u003eRegularly update the list of allowed domains in the Sigma rule\u0026rsquo;s filter to account for legitimate updates to GenAI tool infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:30Z","date_published":"2024-05-02T14:22:30Z","id":"/briefs/2024-05-genai-unusual-domain/","summary":"This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.","title":"GenAI Process Connection to Unusual Domain on macOS","url":"https://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/"}],"language":"en","title":"CraftedSignal Threat Feed — Genai","version":"https://jsonfeed.org/version/1.1"}