DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
A ClickFix social engineering campaign tricks users into executing a malicious command via a fake CAPTCHA on fraudulent background removal websites. This command uses the legacy finger.exe utility to download CastleLoader, an advanced Python-based loader that employs reflective PE loading and API evasion (such as ReplaceTextW hooking) to deploy NetSupport RAT and a custom .NET stealer (CastleStealer) for credential and data exfiltration.
CISA has added CVE-2026-31431, an 'Incorrect Resource Transfer Between Spheres' vulnerability affecting the Linux Kernel, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize the timely remediation of this vulnerability to reduce their exposure to cyberattacks.
The popular PyPI package 'lightning' was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3. The malicious package executes an obfuscated JavaScript payload via the Bun runtime to harvest cloud and developer credentials, poison GitHub repositories by impersonating Anthropic's Claude Code, and infect local npm packages.
A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations.
The Silver Fox threat group is conducting a phishing campaign targeting organizations in Russia and India with tax-themed lures. The attack chain utilizes a modified RustSL loader featuring geofencing and Phantom Persistence to deploy ValleyRAT. ValleyRAT subsequently downloads a novel Python-based backdoor called ABCDoor, which masquerades as a Tailscale VPN client and provides remote control and screen broadcasting capabilities.
CVE-2026-31431, dubbed 'Copy Fail', is a CVSS 7.8 local privilege escalation vulnerability in the Linux kernel's algifaead module affecting kernels built since 2017. By chaining an AFALG socket operation with splice(), an unprivileged local user can overwrite page-cache-backed pages, such as setuid binaries, to obtain root privileges. With a public PoC available and vendor patches pending, immediate mitigation via module disabling or seccomp filtering is critical.
Recorded Future analyzes the cyber and geopolitical risks associated with the US strategic pivot toward the Western Hemisphere. The shift, characterized by increased military intervention against transnational criminal organizations, presents three potential scenarios that elevate risks of state-sponsored espionage, industrialized cybercrime, and the proliferation of commercial spyware and surveillance infrastructure.
A supply-chain attack was identified involving the unscoped npm package 'tanstack', which brand-squats the legitimate '@tanstack/*' organization. Versions 2.0.4 through 2.0.7 contain malicious postinstall scripts designed to silently exfiltrate environment variables and markdown files to an attacker-controlled Svix endpoint.
SHADOW-EARTH-053 is a China-aligned cyberespionage campaign exploiting legacy N-day vulnerabilities in Microsoft Exchange and IIS servers to target government and defense sectors primarily in Asia. The threat actors utilize GODZILLA web shells for persistence and deploy ShadowPad implants via DLL sideloading, sharing significant operational overlaps with another intrusion set tracked as SHADOW-EARTH-054.
The emergence of frontier AI models like Claude Mythos enables autonomous, machine-speed vulnerability discovery and exploit generation, rendering traditional patch-management cycles obsolete. Security leaders must adopt converged exposure management, automated response playbooks, and Zero Trust architectures to contextualize risk and reduce the reachable attack surface.
In Q1 2026, Microsoft observed 8.3 billion email-based phishing threats, characterized by a 146% surge in QR code phishing and rapid evolution in CAPTCHA-gated payload delivery. Despite disruption efforts against the Tycoon2FA adversary-in-the-middle (AiTM) platform, threat actors quickly adapted their infrastructure, while Business Email Compromise (BEC) remained highly prevalent using conversational social engineering.
The Canadian Centre for Cyber Security issued a daily digest highlighting recent security advisories for GitLab and GNU InetUtils. Critical vulnerabilities were addressed in GitLab CE/EE (patched in 18.11.2 and 18.10.5) and GNU InetUtils (patched in version 2.8, fixing two CVEs), requiring immediate patching by administrators.
CISA has added CVE-2026-41940, a missing authentication vulnerability affecting WebPros cPanel, WHM, and WP2, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The flaw allows malicious actors to access critical functions without authentication, posing a significant risk to affected enterprises.
cPanel and WHM are vulnerable to a critical authentication bypass (CVE-2026-41940) that allows unauthenticated attackers to gain root-level access. The flaw stems from a CRLF injection vulnerability in session file handling, enabling attackers to forge session attributes and bypass password validation mechanisms by manipulating the whostmgrsession cookie and Basic Authentication headers.
The 'mini Shai-Hulud' campaign is a software supply chain attack involving compromised npm packages associated with SAP's Cloud Application Programming Model (CAP). The malicious packages execute upon installation or runtime to harvest sensitive credentials, encrypt the stolen data, and exfiltrate it via public GitHub repositories. Package maintainers have released patched versions to mitigate the threat.
Varonis Threat Labs analyzed Bluekit, a comprehensive Phishing-as-a-Service platform that consolidates domain management, site creation, credential harvesting, and session token theft into a single dashboard. Notably, the kit integrates an AI Assistant powered by uncensored LLMs to draft phishing lures and features advanced post-login session hijacking capabilities, including automated cookie dumping and live target monitoring to bypass standard MFA controls.
Threat actors are leveraging Vendor Email Compromise (VEC) to distribute phishing links hosted on the legitimate AI platform Kuse.ai. By utilizing Markdown (.md) files containing blurred document lures, attackers successfully bypass traditional email filtering to redirect victims to credential harvesting pages masquerading as Microsoft logins.
Generative AI enables defenders to rapidly deploy highly adaptive honeypots that simulate complex environments like Linux shells or IoT devices. By leveraging LLMs to generate plausible responses to attacker inputs, organizations can deceive automated AI-driven attacks, shifting the defensive strategy from passive detection to active manipulation and intelligence gathering.
Trail of Bits detailed the technical process of integrating the LibAFL fuzzing engine into Ruzzy, their coverage-guided fuzzer for Ruby. The integration required resolving ELF linker constraints with .preinit_array sections and adjusting shared object loading to satisfy LibAFL's strict coverage map initialization requirements.
The Canadian Centre for Cyber Security issued an advisory highlighting unspecified vulnerabilities in Google Chrome for Desktop. Administrators are urged to update Windows, Mac, and Linux clients to the latest stable channel releases to mitigate potential exploitation.
