#0252
Recorded Future | 17 days ago | LLM report [low]
This article is an employee spotlight featuring Kyle Kohler, a Senior Product Manager at Recorded Future, discussing his daily responsibilities and the company's broad approach to threat intelligence.
#0251
Akamai | 17 days ago | LLM report [medium]
The U.S. Department of Health and Human Services (HHS) Notice of Proposed Rulemaking (NPRM) emphasizes that healthcare organizations must move beyond basic HIPAA compliance to achieve true cybersecurity resilience. To combat the rising threat of ransomware, organizations are urged to implement continuous asset monitoring and microsegmentation to contain lateral movement, reduce the blast radius of attacks, and protect electronic protected health information (ePHI).
#0250
Socket | 17 days ago | LLM report [critical]
The lead maintainer of the widely used Axios npm package fell victim to a sophisticated social engineering attack. Attackers tricked the maintainer into installing a Remote Access Trojan (RAT) during a fake MS Teams meeting, enabling session hijacking that bypassed 2FA and allowed the unauthorized publication of malicious Axios versions to the npm registry.
#0249
Mandiant | 17 days ago | LLM report [critical]
Threat actors are increasingly targeting VMware vSphere environments, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors, to establish deep persistence and bypass traditional EDR solutions. This defender's guide outlines a comprehensive strategy to secure the virtualization control plane against advanced malware like BRICKSTORM, emphasizing infrastructure hardening, Zero Trust network segmentation, and enhanced OS-level forensic visibility using auditd and AIDE.
#0248
Watchtowr | 17 days ago | LLM report [critical]
Security researchers discovered a pre-authenticated Remote Code Execution (RCE) chain in Progress ShareFile Storage Zone Controller. By chaining an Execution After Redirect (EAR) authentication bypass (CVE-2026-2699) with an arbitrary file upload vulnerability (CVE-2026-2701), attackers can reconfigure the storage repository to the webroot and extract an ASPX webshell, achieving full system compromise.
#0247
Trend Micro | 17 days ago | LLM report [low]
The White House Office of the National Cyber Director (ONCD) has released a new National Cyber Strategy detailing six pillars of focus. The strategy emphasizes modernizing federal networks, securing critical infrastructure, maintaining superiority in emerging technologies like AI, and building cyber talent capacity.
#0246
Socket | 17 days ago | LLM report [high]
A supply chain attack compromised Axios version 1.14.1 on npm by injecting a malicious dependency, plain-crypto-js. The attack's impact was significantly amplified by default semver range resolutions and dynamic execution tools like npx, which bypassed standard lockfile protections during the exposure window.
#0245
Cofense | 17 days ago | LLM report [info]
Organizations face a dual challenge of combating rapidly evolving polymorphic phishing attacks using AI-driven automation while ensuring these opaque security tools comply with strict data governance regulations like GDPR and DORA. Security teams must prioritize transparent, auditable AI solutions to bridge this compliance gap.
#0244
Socket | 17 days ago | LLM report [critical]
A critical supply chain attack compromised the widely used Axios npm package, publishing malicious versions that introduced a trojanized dependency. This dependency executes a multi-stage remote access trojan (RAT) across Windows, macOS, and Linux systems, utilizing obfuscation and anti-forensics to evade detection and establish persistence.
#0243
CrowdStrike | 17 days ago | LLM report [critical]
A DPRK-nexus threat actor, likely STARDUST CHOLLIMA, compromised the widely used Axios npm package using stolen maintainer credentials. The supply chain attack deployed updated, cross-platform variants of the ZshBucket malware capable of arbitrary command execution, payload injection, and file system enumeration, likely targeting the cryptocurrency and fintech sectors for financial gain.
#0242
Elastic Security Labs | 17 days ago | LLM report [info]
Elastic outlines the methodology and operational benefits of Higher-Order Rules (HOR), which correlate atomic security alerts across entities, data sources, and timeframes. By aggregating signals from endpoints, network devices, and observability metrics, HORs significantly reduce alert fatigue and surface high-confidence malicious activity for prioritized SOC triage.
#0241
Socket | 17 days ago | LLM report [info]
The Node.js project has paused its bug bounty program following the suspension of the Internet Bug Bounty (IBB) initiative, which provided its funding. The shift highlights ongoing challenges in open-source security funding and the strain caused by high volumes of low-quality, AI-generated vulnerability reports.
#0240
Recorded Future | 17 days ago | LLM report [high]
In 2025, the Latin America and the Caribbean (LAC) region faced escalating cybercriminal activity driven by rapid digital adoption and economic instability. Threat actors heavily utilized Telegram and dark web forums to distribute ransomware, banking trojans, and infostealers, increasingly targeting the healthcare, manufacturing, and government sectors while adapting to law enforcement disruptions.
#0239
Cisco Talos | 17 days ago | LLM report [high]
Advancements in AI have democratized Business Email Compromise (BEC) attacks, allowing threat actors to efficiently target smaller organizations with tailored social engineering. Concurrently, attackers are exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications to harvest cloud and database credentials, while Qilin ransomware has been observed deploying a sophisticated EDR-killing payload.
#0238
Elastic Security Labs | 17 days ago | LLM report [critical]
Suspected DPRK state actors compromised the highly popular Axios npm package by taking over a maintainer's account and publishing malicious versions that deployed a cross-platform RAT via a phantom dependency. Concurrently, a threat group named TeamPCP conducted a cascading supply chain attack affecting Trivy, LiteLLM, and Telnyx to harvest CI/CD credentials. These incidents underscore the critical need for automated package monitoring, rapid credential rotation, and delayed dependency updates.
#0237
Elastic Security Labs | 17 days ago | LLM report [high]
This article details behavioral detection engineering strategies for Linux rootkits, emphasizing the failure of static signatures against trivial binary modifications. It provides actionable detection logic for userland and kernel-space rootkits, including emerging threats leveraging eBPF and io_uring, alongside common persistence and defense evasion techniques.
#0236
Akamai | 17 days ago | LLM report [low]
This article is a high-level overview of digital transformation trends in Africa, focusing on the need for secure, scalable, and flexible cloud architectures. It highlights Akamai's solutions and upcoming presence at GITEX AFRICA 2026, containing no specific threat intelligence or technical indicators.
The Canadian Centre for Cyber Security issued two security advisories. Apple released extensive updates across its operating systems to mitigate vulnerabilities, specifically targeting web attacks from the DarkSword iOS exploit kit. WatchGuard patched an Arbitrary File Write via Path Traversal vulnerability affecting the Fireware Web UI in multiple versions of Fireware OS.
#0234
CISA | 17 days ago | LLM report [high]
CISA has added CVE-2026-3502, a vulnerability in TrueConf Client involving the download of code without integrity checks, to its Known Exploited Vulnerabilities (KEV) Catalog due to active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to potential cyberattacks.
#0233
Recorded Future | 17 days ago | LLM report [info]
The article introduces the concept of 'Quantum Geopolitics' to describe the current fluid and interconnected state of international relations. It emphasizes that cybersecurity is now a core enterprise risk, requiring organizations to adopt continuous scenario planning, invest in operational resilience, and improve cross-functional communication to navigate geopolitical uncertainties.