AI Security Threats Shift: MFA Bypass, Crypto Malware, and Shadow AI Access Risks Dominate
A surge in AI-powered threats, including Device Code phishing, crypto-stealing malware on GitHub and YouTube, and shadow AI access control issues, challenges traditional security defenses.
Attackers are rapidly evolving their tactics beyond password theft, exploiting multi-factor authentication (MFA) workflows and trusted platforms like GitHub and YouTube to deploy malware and compromise accounts, according to recent research and upcoming industry briefings. A live webinar scheduled for July 8, 2026, will examine how Device Code phishing bypasses MFA entirely, while separate reports detail a crypto-stealing malware campaign that uses fake social engagement to appear legitimate.
Device Code phishing, a technique that tricks users into authorizing access through legitimate Microsoft authentication pages, allows attackers to obtain persistent access tokens without ever stealing credentials. This method undermines the effectiveness of MFA because the user completes a real login and MFA challenge themselves.
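Because the victim of Device Code phishing completes a real login and MFA challenge, credential and MFA telemetry look clean; what stays unusual is the authentication protocol itself and where the resulting session comes from. The script below is an added, defender-side example written for this page (it is not code from the article or from any of the cited reports). It scans constructed sign-in records for device-code sign-ins and rates each one against the user's earlier sign-ins, the kind of behavioural baseline the article recommends over credential-only monitoring. The field names (authenticationProtocol, ipAddress, location.countryOrRegion) follow the Microsoft Graph signIn resource, but treat the exact schema as an assumption and map it to your own SIEM's columns; the sample records and user names are constructed.

```python
"""Flag OAuth device-code sign-ins and rate them against each user's history.

Most tenants see few or no device-code sign-ins, so every one deserves a look;
one whose country or IP differs from the user's previous sign-ins is a strong
account-takeover signal. Log records below are CONSTRUCTED for this example;
the field layout follows the Microsoft Graph ``signIn`` resource (an assumption
for your environment, adjust the keys if your SIEM names them differently).
"""
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_SIGNINS: List[dict] = [
    # alice: habitual browser sign-ins from the US (constructed)
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-07-01T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-07-02T08:05:40Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}},
    # alice approved a device code she was tricked into entering; the token is
    # minted for a session originating somewhere she has never signed in from
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-07-03T14:21:09Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"}},
    # svc-kiosk: a headless device that legitimately uses the device-code flow
    {"userPrincipalName": "svc-kiosk@example.com", "createdDateTime": "2026-07-01T06:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5",
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "svc-kiosk@example.com", "createdDateTime": "2026-07-02T06:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5",
     "location": {"countryOrRegion": "US"}},
]


def flag_device_code_signins(records: List[dict]) -> List[dict]:
    """Return one finding per device-code sign-in, rated against the user's
    earlier sign-ins of any protocol.

    Timestamps must be ISO-8601 UTC strings of identical format so that
    string order equals chronological order (true for Graph sign-in logs).
    """
    seen_countries: Dict[str, Set[str]] = defaultdict(set)
    seen_ips: Dict[str, Set[str]] = defaultdict(set)
    findings: List[dict] = []

    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion", "unknown")
        ip = rec.get("ipAddress", "unknown")

        if rec.get("authenticationProtocol") == "deviceCode":
            if not seen_countries[user]:
                severity, reason = "medium", "device-code flow with no prior sign-in history"
            elif country not in seen_countries[user]:
                severity, reason = "high", f"device-code flow from new country {country}"
            elif ip not in seen_ips[user]:
                severity, reason = "medium", f"device-code flow from new IP {ip}"
            else:
                severity, reason = "low", "device-code flow from a previously seen IP"
            findings.append({"user": user, "time": rec["createdDateTime"],
                             "severity": severity, "reason": reason})

        # Every sign-in, flagged or not, extends the user's baseline.
        seen_countries[user].add(country)
        seen_ips[user].add(ip)

    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['time']} {f['user']}: {f['reason']}")
```

On the constructed sample the kiosk account's first device-code sign-in is rated medium (no history yet), its second low (same IP as before), and alice's is rated high because it arrives from a country she has never signed in from. Detection like this belongs alongside prevention: Microsoft Entra Conditional Access has an "Authentication flows" condition that can block the device code flow for users and groups that have no need for it, which removes the technique's foothold for most of the workforce.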
Cryptocurrency Malware Campaign Abuses GitHub and YouTube
Researchers at Check Point have identified an active campaign distributing cryptocurrency-stealing malware through inflated GitHub activity, fake software reviews, and YouTube tutorials. The malicious tools are packaged as cryptocurrency sniper bots and gambling predictors, promising users quick profits but instead stealing digital assets.
- The attackers used fake GitHub stars and favorable VirusTotal comments to build trust in the malicious repositories.
- YouTube tutorials were created to demonstrate the supposed functionality of the tools, driving downloads from unsuspecting users.
- The malware targets both individual investors and traders looking for automated trading solutions.
Shadow AI Threat Shifts from Data Leakage to Access Control
Security experts note that the primary risk of Shadow AI, the use of unsanctioned AI tools by employees, has moved from data leakage to access control. The average enterprise security team now manages 40 or more security tools, often generating siloed alerts that leave analysts overwhelmed and breach dwell times averaging around 43 days.
Behavioral AI is emerging as a countermeasure, helping security operations centers (SOCs) detect compromised accounts faster by analyzing unusual activity patterns rather than relying solely on traditional email defenses, credential monitoring, or MFA. The July 8 webinar, presented by Dan Nickolaisen of Abnormal AI and Eric Danneker of Novant Health, will explore practical approaches for automating detection and response to account takeover (ATO) and business email compromise (BEC) attacks.
Industry observers argue that organizations must move beyond simple usage policies and domain blocks to address the access control risks posed by shadow AI, as attackers increasingly target identity and authentication workflows rather than just passwords. The convergence of these threats points to a need for more adaptive, behavior-based security architectures.
Fact check
- Device Code phishing tricks users into authorizing access through legitimate Microsoft authentication pages. (reported)
- A crypto-stealing malware campaign uses fake GitHub stars, YouTube tutorials, and VirusTotal comments to appear trustworthy. (reported)
- The average enterprise security team has 40 or more security tools, with breach dwell times averaging 43 days. (reported)
- Shadow AI's primary threat has shifted from data leakage to access control. (reported)
Source reporting (4)
- BleepingComputer · Webinar: How attackers bypass MFA and how defenders can respond
- Help Net Security · Cybercriminals abused GitHub, YouTube and VirusTotal to push crypto-stealing malware
- The Hacker News · From Assistive to Agentic: The AI Shift That's Redefining Threat Management
- The Hacker News · Forget Data Leakage: Shadow AI's Real Threat Is Access Control