Threat actors are creating OpenAI tenants that impersonate legitimate companies and inviting employees to join them, in what appears to be a ploy to trick targets into submitting sensitive company information in chats and projects.

Push Security discovered what they dub as the “Poisoned Tenant” campaign after multiple employees received invitations to join an OpenAI organization named “Push Security Inc.”  While the invite was legitimate, coming directly from OpenAI, the ChatGPT tenant had been created by an attacker using Gmail addresses rather than by the company.

The invitation emails were sent from OpenAI’s legitimate notification address, noreply@tm.openai.com, passed email authentication checks, and were identical to a normal invitation to join an organization’s ChatGPT workspace.

Push Security told BleepingComputer that other customers have also received similar invitations and that all are in the cybersecurity or technology space.

Attacker-controlled OpenAI organizations

According to a new report by Push Security, the invitations targeted specific employees using their work email addresses, suggesting the attackers had researched the employees who work at the company before launching the campaign.

Although OpenAI includes a warning stating that the inviter’s email domain does not match the recipient’s company domain, the notice appears as a single line within the legitimate invitation email.

To better understand the attack’s goal, Luke Jennings, VP, Research & Development at Push Security, accepted one of the invitations.

After accepting, the researcher was immediately added to the fraudulent organization, which impersonated Push Security and contained a single attacker-controlled account with a Gmail address that posted as the company’s CEO, Adam Bateman.

The invited employees had all been assigned Owner privileges within the organization, giving them administrative permissions over the tenant.

As they had administrative access, they could view other pending invitations and confirm that none of the targeted employees had joined the fake ChatGPT organization. They also found that a Visa credit card had already been attached to the organization’s billing account, adding further legitimacy.

Push Security told BleepingComputer that the project was empty and contained no existing chats or projects, making it unclear what the goal of the attack was.

Push Security believes the attackers’ objective is to convince employees to use the ChatGPT workspace as if it were a legitimate corporate platform, which would then allow the attackers to collect any sensitive information that was submitted.

“An attacker who just wants to spray scam content through a trusted email channel doesn’t name the organization after their target, research individual employees, or attach a credit card,” wrote Push.

“That investment only pays off if employees actually join the organization and start using it. And on an AI platform, the data people put into prompts can be extraordinarily sensitive — source code, internal documents, customer data, security research, strategic plans.”

The company also believes that attaching a payment method removes another potential warning sign, allowing invited users to use premium features without questioning whether the organization is legitimate.

Push Security says the campaign reflects a broader trend of attackers abusing legitimate invitation and notification features built into SaaS platforms.

Unlike normal phishing campaigns, these invitations originate from the platform’s own infrastructure, and because they are legitimate, they are more likely to bypass email security controls.

To reduce the risk of these types of attacks, Push recommends training employees to verify unexpected organization invitations and monitoring SaaS organization memberships.

BleepingComputer contacted OpenAI to ask whether it has received additional reports of similar campaigns, what protections organizations can use against these attacks, and whether it plans to introduce additional safeguards to prevent attackers from creating organizations impersonating legitimate companies. We will update this article if we receive a response.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

what-to-expect-at-the-next-samsung-galaxy-unpacked

A wider Galaxy Z Fold 8

Sam Rutherford for Engadget

Galaxy Z Fold 8 Ultra

Sam Rutherford for Engadget

Galaxy Z Flip 8

Mat Smith for Engadget

Galaxy Watch 9 and Watch Ultra 2

Amy Skorheim for Engadget

Android XR glasses

Google

Polymarket says it will fully reimburse customers who lost an estimated $3 million after hackers injected a malicious script into the platform’s frontend following a breach at a third-party vendor.

The company states in a brief announcement that the hack was the result of a supply-chain attack that impacted a dependency on its website.

Polymarket is one of the world’s largest cryptocurrency-based prediction markets that allows users to trade contracts with prices that reflect the market’s collective estimate of an event’s outcome.

It offers predictions for sports, economic indicators, weather patterns, awards, political and legislative outcomes, and even military conflicts.

Founded in 2020, the platform is currently valued at $9 billion, handles billions of dollars in trading volume, and serves as an influential source of information on market expectations.

During the attack, unsuspecting users were tricked into approving fraudulent transactions on the official Polymarket website after malicious JavaScript was injected through a frontend vendor.

Polymarket’s own servers and backend infrastructure were not impacted by the incident.

The company did not share many details about the event, but independent blockchain intelligence firms estimate the losses at roughly $3 million, stolen from a small number of accounts.

According to blockchain security firm PeckShield, the incident was a phishing campaign that stole approximately $3 million worth of ParyonUSD from users. The stolen funds were later swapped for 1,893 Ether.

“The attacker bridged the stolen funds from #Polygon to #Ethereum and swapped them into ~1,893 $ETH,” PeckShield says.

Based on visual analytics company Bubblemaps, the incident has impacted less than 15 accounts. The company published a list of some of the affected accounts as well as the wallets holding the stolen funds.

BleepingComputer has contacted Polymarket to request more details about the incident, but we have not received a response by publication time.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

security

Researchers warn many AI coding assistants now execute commands from project configurations

A high-severity flaw in Amazon’s AI coding assistant for Visual Studio Code meant that opening the wrong Git repository could allow an attacker to execute code on a developer’s machine and potentially hand them the keys to the dev’s cloud environment.

The bug, tracked as CVE-2026-12957 and assigned a CVSS 4.0 score of 8.5, centers on how Amazon Q handled Model Context Protocol (MCP) server configurations. Wiz found the extension would automatically load a repository’s .amazonq/mcp.json file and execute the commands it contained when a developer opened the project and activated Amazon Q.

“The security model assumes the user explicitly configures these servers. After all, you’re granting an AI assistant permission to run arbitrary commands on your machine. This should require informed consent,” the researchers write. “The vulnerability arose when this assumption was violated: Amazon Q automatically loaded MCP configurations from .amazonq/mcp.json within the workspace – no prompt, no consent, no workspace trust check.”

MCP lets AI assistants launch local processes to carry out tasks. In Amazon Q’s case, those processes inherited the developer’s environment, giving them access to AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets already loaded into the session.

“The combination meant that a single malicious config file could execute arbitrary commands with full access to the developer’s credentials – no user interaction required beyond opening the folder and activating Amazon Q,” Wiz said.

To prove the attack worked, Wiz built a repository with a malicious MCP configuration. Opening the project and activating Amazon Q caused the extension to execute a command against AWS using the developer’s existing credentials.

Amazon fixed the bug in version 1.65.0 of its language server, which powers Amazon Q’s IDE integrations. Existing installations should receive the patched component automatically unless you’ve blocked automatic updates.

“We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0,” Amazon said in an advisory, though it didn’t respond to The Register’s questions. 

Wiz argues the bug is less an Amazon problem than an industry one. More and more AI coding assistants are adopting MCP to connect models to local tools and services, allowing them to execute commands on developers’ machines. 

According to the researchers, similar workspace configuration flaws have recently surfaced in other AI coding tools. It suggests attackers have found a new place to lurk: the hidden files that developers rarely think twice about trusting. ®

Nvidia has dominated the AI chip market for years, but the era of total dependence might be ending.  

OpenAI just shared its plans to spice things up with Jalapeño, its custom inference chip built with Broadcom, joining Google, Apple, and SpaceX in a growing list of companies building their way out of single-supplier risk. The goal is less of a clean break and more of a hedge. Custom silicon means more control, hardware tuned to specific needs, and the kind of performance gains Apple unlocked when it ditched Intel. 

On this episode of TechCrunch’s Equity podcast, hosts Kirsten Korosec, Anthony Ha, and Sean O’Kane dig into what the custom chip trend means for the industry and a few deals of the week worth watching. 

Subscribe to Equity on YouTube, Apple Podcasts, Overcast, Spotify and all the casts. You also can follow Equity on X and Threads, at @EquityPod. 

This will impact Home Assistant users and those who rely on similar third-party tools.

The announcement comes amid a race between organisations to build semiconductors that can handle increasingly demanding AI workloads.

Multinational technology giant IBM has announced the creation of what it claims is the world’s first ​technology capable of producing chips smaller than one nanometre.  

According to IBM, the chip has a transistor architecture of 0.7 nanometres and can hold nearly 100bn transistors on a “fingernail”-sized surface, achieving roughly double the density of its 2-nanometre chip unveiled in ​2021. 

In order to create the chip, IBM reportedly developed a new transistor design called a nanostack, which lays transistors on top of each other in three dimensions, rather than the standard method of laying them flat, effectively fitting more into the same amount of available space.  

Commenting on the achievement, Jay Gambetta, a director of IBM Research, said, “With our new nanostack architecture, we’re not just making smaller transistors, we’re reinventing how chips are built to deliver ​dramatically more power and ​energy efficiency.”

According to IBM, the new nanostack technology will also be capable of shrinking a type of memory circuit called SRAM by 40pc when compared to its previous chip technology. Production is expected to begin within the next five years and the organisation has yet to name a manufacturing partner for this technology, if there is one. 

IBM’s announcement comes at a time when many organisations all over the globe are racing to become the most prominent name in the manufacturing of advanced chip technology and artificial intelligence. 

In late May, leading chipmakers Micron and SK Hynix both surpassed $1trn in market value. Global semiconductor company Infineon Technologies announced earlier in June that it is set to open a new €5bn chip factory in Dresden, Germany, representing Infineon’s single largest investment. Last month, Analog Devices announced it was acquiring AI power delivery provider Empower Semiconductor in a deal valued at $1.5bn.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

from the good-deals-on-cool-stuff dept

flowkey is a fun, interactive piano learning platform that helps anyone go from absolute beginner to confident player — at their own pace. It combines step-by-step courses with thousands of songs you know and love, tailored for every skill level, from first-time learners to advanced pianists. The app listens as you play and gives instant feedback so you can improve faster, practice technique, and master sheet music with confidence. Whether you’re learning scales or your first full song, flowkey makes piano practice easy, fun, and rewarding. A one year subscription is on sale for $40, two years for $60, or five years for $80.

Note: The Techdirt Deals Store is powered and curated by StackSocial. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Filed Under: daily deal