- Credential theft is an immediate business risk. AI-powered infostealers can move from initial compromise to full credential exfiltration in as little as 72 minutes.
- These attacks bypass perimeter defenses by abusing trusted identities. Stolen credentials blend into normal activity, making breaches difficult to detect until damage is already done.
- The credential risk surface has expanded to SaaS. In the browser, attackers now target SaaS and AI credentials used in everyday workflows.
- One compromised account can lead to organization-wide exposure. Modern attackers routinely target endpoints and SaaS, leveraging one compromised credential to compromise an entire system.
- Endpoint security alone is not sufficient. Once credentials are stolen, prevention must happen at the identity and access layer, not after attackers authenticate as legitimate users.
- LastPass reduces exposure where these attacks succeed. By centralizing credentials, enforcing FIDO2 MFA, monitoring for compromised credentials, and identifying Shadow SaaS and AI usage, LastPass limits blast radius and reduces breach impact.
For years, you focused on keeping attackers out. Now the harder question is, "What do you do if they're already inside and look like legitimate users?" AI-powered infostealers have fundamentally changed the threat landscape. They're evading endpoint detection, adapting in real time, and exfiltrating data faster than ever.
According to Palo Alto's Unit 42 researchers, AI-powered infostealers have compressed the average time from infection to data exfiltration to just 72 minutes.
In that time, they can harvest dozens of logins across SaaS and internal systems ... while your team is still determining which accounts are affected.
The bottom line is: identity has become the perimeter and the first thing attackers are targeting.
If you don't have a dedicated SOC, you aren't alone. Most small and mid-market teams are expected to manage credential risk without the speed and coverage large enterprises take for granted.
And that's exactly why credential-based attacks succeed. Attackers now move faster than your detection tools and blend into normal login activity.
Get the visibility you need now with a free LastPass trial.
What are AI-powered infostealers?
Before we talk about defense, let's start with definitions. AI-powered infostealers are a class of credential-stealing malware that uses large language models (LLMs) to generate code, increasingly for Command & Control-like logic.
This just means the infostealer uses the LLM as a dynamic command layer to direct attacks in real time. An example is 2025's LameHug, the first publicly documented case of malware using an LLM to generate command chains in real time to drive reconnaissance and data theft.
Unlike traditional infostealers that follow fixed scripts, AI-powered variants use LLMs to assess target environments, generate evasion logic, and adapt their behavior to avoid triggering detection.
Unit 42 researchers confirmed two more variants in active circulation as of March 2026:
- The first integrates OpenAI's GPT-3.5 Turbo to generate real-time obfuscation techniques and craft social engineering text.
- The second is written in Golang and uses an LLM to evaluate system telemetry before deciding whether to deploy its payload.
The second variant replaces hardcoded detection logic (e.g. allow lists, deny lists) with LLM-based holistic reasoning. Why? To decide whether an environment is "safe" to proceed with infection.
The result is infostealers that are smarter, stealthier, and significantly harder to catch.
In practical terms, this means attackers are automating their reconnaissance and deciding when and how to act based on LLM signals. If your team relies on alerts that trigger after credentials are stolen or reused, you're already behind the attack timeline.
How do AI-powered infostealers steal your credentials?
The attack chain is deceptively simple and brutally effective.
Stage 1: Delivery via trusted surfaces
Attackers distribute infostealers in a number of ways, including phishing emails, malicious VS Code extensions, malvertising redirect chains, and ClickFix social engineering prompts instructing users to paste commands into their Terminal.
Meanwhile, macOS-targeting variants like Atomic macOS Stealer disguise themselves as legitimate app installers, a distribution method that bypasses IT oversight entirely.
Stage 2: Environment assessment
AI-gated variants like the Golang dropper (described by Unit 42) collect network information and send this telemetry to a cloud-hosted LLM.
The LLM returns a JSON response, telling the malware whether to proceed with the attack. If insufficient telemetry is returned, the payload waits.
Stage 3: Credential harvesting
Once deployed, infostealers extract browser passwords, session cookies, authentication tokens, SSH keys, and AWS credentials.
Infostealers like Vidar now target AI agent configuration files like openclaw.json, device.json and soul.md, along with memory files. These are files that define an AI agent's identity, permissions, behavior, and context.
Stage 4: Exfiltration
Stolen credentials are exfiltrated over HTTPS to attacker-controlled servers.
Files like MEMORY.md give attackers a psychological profile of you, which includes your favorite projects, trusted connections, and private anxieties, providing fodder for social engineering campaigns against you. This is what researchers call Cognitive Context Theft.
Stage 5: Stealer logs packaged and weaponized
Finally, harvested credentials are compiled into stealer logs that contain login credentials, API keys, session cookies, and VPN keys, everything an attacker needs to authenticate as a legitimate user.
At this stage, attackers are logging in with legitimate (stolen) credentials.
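The gating call in Stage 2 and the upload in Stage 4 both leave outbound-traffic evidence on the workstation, and that evidence is available before the stolen logins are reused in Stage 5. The following is an added example, not code from the LastPass article or from Unit 42: it runs two plain rules over constructed per-process network telemetry (the log format, the allow-list of processes expected to call LLM APIs, the byte threshold, the known-hosts list and the sample lines are all assumptions), flagging a non-browser process that contacts a hosted LLM API and a large POST to a host the organization has no history with.

```python
"""Detection rules for Stage 2 (telemetry sent to a hosted LLM) and Stage 4
(exfiltration over HTTPS) observables, run over per-process network telemetry.

Added example, not from the LastPass article or Unit 42. It assumes an EDR or
proxy that records the originating process for each outbound request; the log
format, allow-list, threshold and sample lines are constructed.
"""
from dataclasses import dataclass

# Hosted LLM API endpoints a workstation might legitimately contact from a
# browser or IDE. api.openai.com and api.anthropic.com are real endpoints; the
# set is an assumption to extend for the providers your organization uses.
LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com"}

# Processes expected to call LLM APIs on a managed workstation (assumption).
LLM_ALLOWED_PROCESSES = {"chrome", "firefox", "msedge", "safari", "code", "cursor"}

# Outbound POST size above which a request to a host not on the known-hosts
# list is treated as possible exfiltration (assumption; tune per environment).
EXFIL_BYTES_THRESHOLD = 200_000


@dataclass
class Event:
    ts: str
    workstation: str
    process: str
    dest: str
    method: str
    bytes_out: int


def parse_line(line: str) -> Event:
    """Constructed format: <ts> <workstation> <process> <dest_host> <method> <bytes_out>."""
    ts, ws, process, dest, method, bytes_out = line.split()
    return Event(ts, ws, process, dest, method, int(bytes_out))


def classify(ev: Event, known_hosts: set) -> list:
    """Return the names of the rules this event trips (empty list if none)."""
    reasons = []
    # Stage 2: the gating request to an LLM API comes from something that is
    # neither a browser nor a coding tool.
    if ev.dest in LLM_API_HOSTS and ev.process not in LLM_ALLOWED_PROCESSES:
        reasons.append("llm-api-from-unexpected-process")
    # Stage 4: a large upload to a host the organization has no history with.
    if (ev.method == "POST" and ev.dest not in known_hosts
            and ev.bytes_out >= EXFIL_BYTES_THRESHOLD):
        reasons.append("large-post-to-unknown-host")
    return reasons


def detect(lines, known_hosts):
    """Return [(event, reasons)] for every line that trips at least one rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev, known_hosts)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one workstation, one benign browser call to an
# LLM API, then an unknown binary making the same call and uploading ~400 KB
# to an address in the documentation range 203.0.113.0/24.
SAMPLE_LOG = [
    "2026-03-02T09:14:02Z ws-17 chrome api.openai.com POST 1840",
    "2026-03-02T09:14:09Z ws-17 updater.exe api.openai.com POST 6210",
    "2026-03-02T09:15:31Z ws-17 updater.exe 203.0.113.44 POST 412000",
    "2026-03-02T09:16:00Z ws-17 code github.com GET 512",
    "2026-03-02T09:16:45Z ws-17 outlook login.microsoftonline.com POST 3100",
]

# Hosts with an established history in this (constructed) environment.
KNOWN_HOSTS = LLM_API_HOSTS | {"github.com", "login.microsoftonline.com"}

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"{ev.ts} {ev.workstation} {ev.process} -> {ev.dest} "
              f"({ev.bytes_out} bytes): {', '.join(reasons)}")
```

Tune the allow-list to the browsers, IDEs and agent tools your people legitimately use. The value of the first rule is the pairing of destination with originating process; a URL-only proxy log cannot distinguish the benign browser call on the first sample line from the unknown binary on the second.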
If this happened in your environment today, would you know which browser-saved passwords, API keys, or SaaS credentials were already exposed?
To use dark web scanning to see which business credentials attackers actively trade and reuse, try LastPass for free.
Why are AI-powered infostealers harder to detect than traditional malware?
Three properties make AI-powered infostealers harder to detect than traditional malware:
#1 Adaptive evasion
Traditional malware uses hardcoded allowlists and denylists to avoid detection.
AI-gated variants outsource that logic to external LLMs that evaluate holistically, removing the fixed pattern your EDR needs to trigger an alert.
#2 Forensic noise
Some AI-integrated samples generate fake evasion logs and non-functional obfuscation calls. This creates forensic noise that slows incident response and obscures the actual exfiltration path, buying attackers time to avoid exposure.
#3 Expanding credential surface
Under certain conditions, some deployments of Cursor, GitHub Copilot, and other agentic coding tools can store authentication credentials in plaintext local files.
So, any malware running with user-level permissions can read them without privilege escalation.
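Stage 3 above and property #3 here describe the same exposure from two sides: the files sit on disk in plaintext, and anything running as the user can read them. The first of the three questions at the end of this article (where are your credentials stored right now?) is answerable with an inventory. The following is an added example, not part of the LastPass article or any LastPass product: a Python audit that walks a home directory for the file names the article mentions plus the standard SSH and AWS CLI names (the name list, the skip list and the demo tree it builds are constructed assumptions), reporting only presence and permission bits and never opening the files.

```python
"""Inventory well-known plaintext credential stores under a home directory.

Added example, not from the LastPass article. The basenames combine files the
article names (browser password stores, SSH keys, AWS credentials, AI-agent
files such as openclaw.json and MEMORY.md) with standard locations; the list,
the skip list and the demo tree are constructed. Only metadata is read.
POSIX permission bits are assumed.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Basename -> what it is. Constructed list; extend for your environment.
SENSITIVE_BASENAMES = {
    "Login Data": "browser password store (Chromium)",
    "Cookies": "browser session cookies (Chromium)",
    "logins.json": "browser password store (Firefox)",
    "credentials": "AWS CLI credentials",
    "id_rsa": "SSH private key",
    "id_ed25519": "SSH private key",
    "openclaw.json": "AI agent configuration",
    "device.json": "AI agent configuration",
    "soul.md": "AI agent configuration",
    "MEMORY.md": "AI agent memory",
}
SKIP_DIRS = {".git", "node_modules", ".cache"}


@dataclass
class Finding:
    path: str                    # relative to the audited home
    kind: str
    mode: str                    # e.g. "0644"
    group_or_world_readable: bool


def audit(home: Path) -> list:
    """Walk `home` and report files whose basename is a known credential store."""
    findings = []
    for root, dirs, files in os.walk(home):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            kind = SENSITIVE_BASENAMES.get(name)
            if kind is None:
                continue
            p = Path(root) / name
            if name == "credentials" and p.parent.name != ".aws":
                continue  # a bare "credentials" outside ~/.aws is too noisy to flag
            perms = stat.S_IMODE(p.stat().st_mode)
            findings.append(Finding(
                path=str(p.relative_to(home)),
                kind=kind,
                mode=f"{perms:04o}",
                group_or_world_readable=bool(perms & (stat.S_IRGRP | stat.S_IROTH)),
            ))
    findings.sort(key=lambda f: f.path)
    return findings


def build_demo_home(base: Path) -> Path:
    """Create a constructed home directory with empty placeholder files (no real
    secrets) so the audit can be exercised offline."""
    home = base / "home" / "alice"
    (home / ".aws").mkdir(parents=True)
    (home / ".ssh").mkdir()
    (home / ".config" / "agent").mkdir(parents=True)
    (home / "notes").mkdir()
    samples = {
        ".aws/credentials": 0o644,            # readable by everyone on the box
        ".ssh/id_ed25519": 0o600,             # owner-only
        ".config/agent/openclaw.json": 0o664,
        ".config/agent/MEMORY.md": 0o644,
        "notes/todo.md": 0o644,               # not a credential store; must not be flagged
    }
    for rel, mode in samples.items():
        f = home / rel
        f.write_text("")  # placeholder content only
        os.chmod(f, mode)
    return home


def demo_audit() -> list:
    """Build the demo home in a temporary directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_demo_home(Path(tmp)))


if __name__ == "__main__":
    for f in demo_audit():
        flag = "EXPOSED" if f.group_or_world_readable else "owner"
        print(f"{flag:8} {f.mode} {f.kind:36} {f.path}")
```

Since an infostealer running as the user reads whatever the user can read, a tight mode does not make a hit safe; the remediation for each line is to move the secret into a managed store and rotate it. The mode column only tells you which files other local accounts or services could also read.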
Critical: Endpoint tools are designed to detect files and behavior. But once credentials are stolen, attackers no longer need malware to stay active. They can authenticate as trusted users.
Preventing the damage that follows requires control before credentials are reused: visibility into where credentials live, how they're accessed, and whether they've already been exposed.
Why infostealers make credential hygiene a business decision
The most dangerous aspect of AI-powered infostealers isn't the malware itself but what breaks once credentials are stolen.
When attackers log in using valid credentials, your detection tools assume the activity is legitimate.
Endpoint tools can detect files but can't prevent attackers from reusing stolen credentials that already look authorized. Once credentials leave your environment, the only control that still matters is how identities are stored, monitored, and revoked.
If this attack hit your environment today, would you know which credentials were already exposed?
LastPass helps you identify browser-stored passwords, exposed credentials, and Shadow SaaS and AI tools attackers actively target, before stolen logins are reused.
See which business credentials are already at risk: Run a free Dark Web scan with a LastPass free trial.
Who's being targeted and why does company size not protect you?
The answer is: everyone with credentials worth stealing is a potential target. This means every organization with a SaaS stack, cloud infrastructure, and a remote workforce is at risk.
The data from Unit 42 is stark:
- Identity was implicated in nearly 90% of incidents.
- 65% of initial access is from credential theft, MFA bypass, or misconfigured access controls — not zero-day exploits.
- Attacks by AI-enabled adversaries have increased 89% YoY.
The misconception that size provides protection is costly. Midmarket organizations are often the most prized targets, as they possess valuable data but have fewer dedicated security resources than a Fortune 500 company.
Granular access control (scoping permissions tightly to role and context) is non-negotiable. In this threat environment, it can mean the difference between a contained incident and a systemic breach.
What can attackers do with one stolen credential?
More than most businesses realize.
Consider the Change Healthcare case. The 2024 ransomware attack that resulted in a $22 million payout and nearly $2.9 billion in total costs had one entry point: a single VPN credential stolen from an infostealer-infected machine.
How does LastPass protect against AI-powered credential theft?
LastPass protects against AI-powered credential theft with AES-256 encryption, encrypted vault item URLs, granular access controls that limit the blast radius of any one compromised account, and dark web monitoring.
The gap AI-powered infostealers exploit isn't technical but structural.
Credential theft succeeds because organizations lack real-time visibility into what employees store in browsers, which AI tools they're authenticating with, and whether any of those credentials have already been compromised.
What changes when credential security is enforced at the identity layer
Instead of reacting after accounts are breached, you regain visibility and control before attackers can escalate access or move laterally.
Here's how LastPass helps you close the visibility gap:
- Military-grade encryption: LastPass stores all your credentials in an AES-256 encrypted vault, and all vault item URLs are similarly encrypted. Even on a compromised machine, a directory sweep will return nothing exploitable.
- Dark web monitoring: LastPass continuously monitors dark web forums for stealer logs containing your corporate credentials. When a compromised credential is identified, you receive an immediate alert before an attacker can exploit it.
- Strong access controls: LastPass enables your admins to enforce granular access controls, scoping which credentials each role can access, under what conditions, and from which devices. This directly addresses the visibility gap that makes a single stolen credential so dangerous.
- Centralized credential management: A fragmented credential store, with passwords scattered across browsers, spreadsheets, shared drives, Post-it notes, and config files, is the infostealer's hunting ground. LastPass provides centralized credential management to give you full visibility into credential usage and provisioning.
- SaaS Monitoring & Protect: Shadow AI and SaaS discovery identifies which AI tools your team is already authenticating with, so you know your credential exposure before attackers map it for you.
See how LastPass surfaces exposed credentials, Shadow SaaS, and AI tool usage in your environment. Book a 20-minute demo and get a breach-readiness assessment.
How does LastPass compare to other top identity and access management vendors for infostealer defense?
When evaluating solutions for infostealer-driven threats, features alone aren't enough. The real question is whether a platform helps you identify exposed credentials, enforce access policies, and limit blast radius across SaaS and AI tools, before stolen logins are reused.
With that lens, here's how LastPass compares.
| Capability | LastPass Business Max | 1Password | Keeper | Bitwarden |
|---|---|---|---|---|
| Dark Web Monitoring | Yes | Watchtower | BreachWatch | Data Breach report using the Have I Been Pwned service |
| Admin-enforced MFA policies | Yes | Yes | Yes | Yes, with Bitwarden Enterprise |
| Shadow IT/AI discovery | Yes, browser-level monitoring detects SaaS and AI apps users log into | Yes, but more complex to deploy and less transparent pricing compared to LastPass | No | No |
| Advanced SSO | Yes | Yes | Yes | No |
| Passwordless/passkey support | Yes | Yes | Yes | Yes |
To understand which business accounts are already at risk, run a free Dark Web scan with a free trial of LastPass.
What your team should do in the next 24 hours
The decision criteria for defending against AI-powered infostealers come down to three questions.
- Exposure: Where are your credentials stored right now?
- Detection: How quickly will you know when a credential is compromised?
- Blast radius: If one employee's credentials were stolen, how many systems, SaaS apps, or vendors could an attacker access — before you could stop them?
These questions map directly to the controls LastPass enforces: credential hygiene, real-time exposure detection, and access policies. With LastPass, you can reduce risk immediately without infrastructure changes.
Sources
- ERP Today: AI compressing breach timelines as identity weaknesses drive 90% of incidents (2026)
- Palo Alto Networks: Analyzing the current state of AI use in malware
- AI agents' most downloaded skill is discovered to be an infostealer
- Microsoft: Infostealers without borders: macOS, Python stealers, and platform abuse (2026)
- ClawdBot: The new primary target for infostealers in the AI era (2026)
- CYFIRMA: The convergence of infostealers and ransomware: From credential harvesting to rapid extortion chains
- SC Media: Infostealer exfiltrates sensitive OpenClaw files (2026)
- The Hacker News: Infostealer steals OpenClaw AI agent configuration files and gateway tokens
- Bitwarden: Vault health reports
- Bitwarden: Company enforced MFA policies
- 1Password: Pricing for XAM