ThreatsDay Bulletin: Shady Browser Add-Ons, AI Chat Abuse, and Memory-Only macOS Attacks Highlight Emerging Cyber Risks

This week’s cybersecurity activity illustrates how attackers utilize legitimate internet mechanisms for malicious purposes. Threats include shady browser add-ons siphoning search queries, AI chat links serving as malware delivery mechanisms, sophisticated macOS attacks running solely in memory, and cloud agents being exploited as open shells.
What happened
Cybercriminals have increasingly employed methods that exploit standard internet technologies and services rather than relying on traditional break-ins. Malicious browser extensions have been used to redirect and siphon user searches, compromising browsing privacy and security. Meanwhile, AI chat services became vectors through which malicious actors distributed malware by embedding harmful links within chat interactions.
On macOS platforms, attackers executed sophisticated in-memory assaults that avoid leaving significant forensic traces, complicating detection and response. In cloud environments, agents typically deployed for legitimate management purposes were manipulated by adversaries as open shells, effectively granting unauthorized control without immediate detection. Additional risks such as exposed edge devices, contaminated software packages, and social engineering scams further contribute to a diverse attack landscape.
Why it matters
These developments underscore a shift from exploiting technical vulnerabilities alone toward leveraging legitimate tools and trusted services as attack vectors. The exploitation of browser add-ons and AI chat links reflects how attackers blend into normal user workflows, making malicious activity harder to differentiate from routine operations.
Memory-only attacks on macOS and misuse of cloud agents highlight challenges for traditional security defenses, which often rely on persistent artifacts and known indicators. This evolving threat environment demands heightened vigilance and adaptive security practices to mitigate risks that arise from normal internet usage patterns being subverted for malicious intent.
What security teams should do
Security teams should conduct thorough reviews of browser add-on installations to ensure only trusted and verified extensions are present. Monitoring AI chat platforms for suspicious links or behavior can help identify potential delivery of malicious payloads.
For macOS environments, implementing advanced endpoint detection tools capable of memory analysis can improve identification of stealthy attacks. In cloud deployments, auditing agents and access logs is essential to detect unauthorized use of cloud components. Ensuring proper configuration and limiting agent permissions will reduce risk exposure.
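For the browser add-on review recommended above, one way to triage installed extensions is to read each `manifest.json` and flag search-provider overrides and request-interception permissions. This is an added example, not code from the bulletin; the permission shortlist, the Chromium-style `Extensions/<id>/<version>/` layout, and the sample manifest are assumptions made for illustration.

```python
import json
from pathlib import Path

# Assumed shortlist: permissions that let an extension observe or rewrite browsing.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "tabs", "webNavigation", "search", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    findings = []
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:
        findings.append(f"overrides default search: {provider.get('search_url', '?')}")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"permission: {p}")
    for h in sorted(hosts & BROAD_HOSTS):
        findings.append(f"broad host access: {h}")
    for script in manifest.get("content_scripts", []):
        for m in sorted(set(script.get("matches", [])) & BROAD_HOSTS):
            findings.append(f"content script on every page: {m}")
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    report = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            report[ext_id] = ["unreadable manifest"]  # e.g. comments in the JSON
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample manifest (not taken from any real extension).
SAMPLE = {
    "name": "Example Search Helper", "manifest_version": 3,
    "permissions": ["tabs", "storage", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "Example", "search_url": "https://search.example.test/?q={searchTerms}"}},
}

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

A finding is a prompt for review, not a verdict: many legitimate extensions request these permissions, so compare flagged IDs against the organization's approved list.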
Key technical details
The attacks leveraged commonplace technologies: browser add-ons that intercepted and rerouted user searches, and AI chat interactions embedding links that led to malware installations. The macOS threats executed entirely in volatile memory, leaving no persistent logs or files on disk.
Cloud agents, typically intended as administrative helpers, were repurposed by attackers as open command shells, allowing remote execution and control without traditional intrusion signatures. The bulletin also referenced other vectors like compromised edge devices, poisoned software packages, and scams employing cash courier methods, illustrating multi-faceted attack methods.
Affected organizations/products
The advisory highlights impacts across multiple platforms including web browsers, AI chat services, macOS endpoints, and cloud infrastructure. While no specific vendor or product names were disclosed, the breadth of affected environments includes end-user devices and cloud agent deployments, suggesting widespread potential exposure.
Source attribution
https://thehackernews.com/2026/06/threatsday-bulletin-claude-chat-abuse.html