#0312
Cofense | 17 days ago | LLM report | high
A recently discovered phishing campaign targets Interactive Brokers users by sending fake IRS Form W-8BEN renewal notices. The emails contain malicious links that direct victims to a spoofed login page designed to harvest their credentials and potentially compromise their financial investments.
#0311
Varonis | 17 days ago | LLM report | high
Agentic LLM browsers introduce novel architectural vulnerabilities by bridging traditional web sandboxes with highly privileged AI agents. Attackers can exploit trusted origin models via XSS or prompt injection to hijack these agents, enabling unauthorized browser control, data exfiltration, and local file access.
#0310
Canadian Centre for Cyber Security | 17 days ago | LLM report | critical
The Canadian Centre for Cyber Security released a daily digest of five security advisories. The most critical update addresses CVE-2026-34621 in Adobe Acrobat, which is currently being exploited in the wild, alongside various updates for Linux kernels, ICS systems, and IBM enterprise products.
#0309
CISA | 17 days ago | LLM report | high
CISA has added seven actively exploited vulnerabilities affecting Microsoft, Adobe, and Fortinet products to its Known Exploited Vulnerabilities (KEV) Catalog, urging immediate remediation across all organizations to reduce exposure to cyberattacks.
#0308
Socket | 17 days ago | LLM report | high
A supply chain attack involving a compromised version of the Axios library (1.14.1) impacted OpenAI's macOS app signing workflow. The malicious package was executed in a GitHub Actions CI pipeline with access to sensitive code signing certificates, prompting OpenAI to revoke the certificates, rebuild applications, and force user updates, though no downstream compromise or data exfiltration was observed.
#0307
Akamai | 17 days ago | LLM report | info
Anthropic's new AI capabilities, Project Glasswing and Claude Mythos Preview, are accelerating the discovery of zero-day vulnerabilities across major software platforms. Akamai asserts that this rapid discovery will widen the gap between vulnerability identification and patching, thereby increasing the critical need for robust runtime protection and edge security solutions to defend against potential exploits before patches are available.
#0306
Socket | 17 days ago | LLM report | high
Recent supply chain attacks in March 2026, including the compromise of the widely used Axios npm package by North Korean actors and CI/CD targeting by TeamPCP, highlight the increasing threat to the open-source ecosystem. These incidents underscore the necessity of supporting and securing open-source maintainers against sophisticated nation-state social engineering and credential theft campaigns, rather than abandoning open-source architecture.
#0305
Recorded Future | 17 days ago | LLM report | high
Credential abuse via infostealer malware remains a primary initial access vector, with threat actors specifically targeting the accounts of executives and privileged users. By capturing authorization URLs alongside credentials, attackers can quickly identify and weaponize high-value access points, necessitating rapid detection and continuous monitoring of both corporate and personal VIP accounts.
#0304
Cisco Talos | 17 days ago | LLM report | high
The window for patching vulnerabilities has drastically collapsed, with threat actors leveraging automation, AI, and readily available PoC code to weaponize flaws like React2Shell within hours of disclosure. Organizations must prioritize risk management and rapid response as attackers industrialize exploitation against both new and legacy unpatched systems.
#0303
Akamai | 17 days ago | LLM report | low
The article outlines how government agencies can leverage microsegmentation to achieve and maintain Criminal Justice Information Services (CJIS) compliance. By implementing software-defined, device-level security boundaries, organizations can enforce Zero Trust principles, restrict lateral movement, and secure legacy and hybrid environments effectively.
#0302
Socket | 17 days ago | LLM report | high
North Korean state actors compromised the lead maintainer of the popular Axios npm package through a highly targeted social engineering campaign. By establishing credibility via fake corporate personas and communication channels, the attackers tricked the developer into executing malware disguised as a software update, ultimately gaining unauthorized publish access to the npm registry.
The Canadian Centre for Cyber Security issued an advisory regarding vulnerabilities in Google Chrome for Desktop. Organizations must update Chrome to version 147.0.7727.55/56 for Windows/Mac and 147.0.7727.55 for Linux to mitigate potential security risks.
#0300
Sophos | 17 days ago | LLM report | medium
Sophos researchers successfully deployed the OpenClaw AI agent in a controlled red team engagement against a legacy on-prem network. By implementing strict safety guardrails and custom-built skills, the agent autonomously conducted Active Directory reconnaissance and exploitation, significantly reducing operational time while identifying 23 actionable security findings.
#0299
Recorded Future | 17 days ago | LLM report | info
The article advocates for an intelligence-driven approach to third-party risk management, arguing that static security ratings are insufficient against modern supply chain threats. It highlights the necessity of integrating external hygiene data with real-time threat intelligence to proactively detect vendor compromises such as ransomware extortion and credential leaks.
#0298
Infoblox | 17 days ago | LLM report | high
An Android banking trojan is being distributed globally as a Malware-as-a-Service (MaaS) from scam centers in Cambodia, utilizing forced labor to conduct social engineering campaigns. The malware features extensive surveillance capabilities, including SMS interception and biometric capture, allowing attackers to bypass KYC and OTP protections to commit direct financial fraud.
#0297
Socket | 17 days ago | LLM report | high
North Korea's Contagious Interview campaign has launched a coordinated supply chain attack across five major open-source ecosystems. The threat actors published malicious packages masquerading as legitimate developer tools that act as staged loaders to deliver remote access trojans (RATs) and infostealers to developer workstations.
#0296
Trail of Bits | 17 days ago | LLM report | info
Trail of Bits has published a new C/C++ security checklist in their Testing Handbook, detailing common bug classes, API gotchas, and environment-specific vulnerabilities across Linux and Windows. The guide serves as a foundation for manual code review and highlights specific issues like libc quirks, Windows driver registry flaws, and seccomp/BPF sandbox bypasses.
#0295
Microsoft | 17 days ago | LLM report | high
Storm-2755 is a financially motivated threat actor targeting Canadian organizations with 'payroll pirate' attacks. By leveraging SEO poisoning and Adversary-in-the-Middle (AiTM) techniques, the actor steals session tokens to bypass legacy MFA, maintains persistence using the Axios HTTP client, and alters direct deposit information to steal employee salaries.
#0294
Cisco Talos | 17 days ago | LLM report | high
This threat intelligence newsletter highlights the emerging 'Platform-as-a-Proxy' (PaaP) technique, where attackers abuse legitimate SaaS notifications to bypass traditional email security. It also covers active campaigns, including Storm-1175 deploying Medusa ransomware via CVE-2026-1731, and UAT-10362 targeting Taiwanese organizations with a novel Lua-based malware called LucidRook.
#0293
Zscaler ThreatLabz | 17 days ago | LLM report | high
Attackers are utilizing a fake Adobe Acrobat Reader lure to deploy a highly obfuscated VBScript loader that executes a .NET payload entirely in-memory. The attack chain leverages PEB manipulation for process masquerading and abuses auto-elevated COM objects to bypass UAC, ultimately installing the legitimate ScreenConnect remote access tool for malicious purposes.