Dossier
cloud credentials
Coverage of cloud credentials in the Nexus archive.
- Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
An unknown threat actor used an LLM agent for post-compromise actions after exploiting a publicly-accessible Marimo network via CVE-2026-39987, extracting cloud credentials from the compromised system.
- New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials
A new Python-based backdoor framework called DEEP#DOOR uses tunneling services to establish persistent access and steal browser and cloud credentials from compromised hosts. The attack begins with a batch script ('install_obf.bat') that disables Windows security controls and dynamically extracts sensitive data.