
cyfar.ca

DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.

Recorded Future · 17 days ago · LLM report · severity: high

The Fraud Ecosystem Has Industrialized. That's Good News for Defenders Who Know Where to Look.

The payment fraud ecosystem has industrialized through Malware-as-a-Service e-skimmer kits, automated card testing, and scalable purchase scams. This standardization allows defenders to proactively detect and map fraudulent infrastructure upstream before monetization occurs, rather than relying solely on reactive transaction monitoring.

Trail of Bits · 17 days ago · LLM report · severity: low

Mutation testing for the agentic era

Trail of Bits has introduced MuTON and mewt, advanced mutation testing tools designed to identify untested code paths in smart contracts and blockchain applications. These tools leverage Tree-sitter for accurate syntax parsing and integrate with AI agents to optimize testing configurations and triage results, addressing the historical performance limitations of mutation testing.

Microsoft · 17 days ago · LLM report · severity: critical

Mitigating the Axios npm supply chain compromise

On March 31, 2026, the popular Axios npm package was compromised in a supply chain attack attributed to North Korean threat actor Sapphire Sleet. Malicious versions 1.14.1 and 0.30.4 included a fake dependency that silently executed a post-install script to download and install OS-specific Remote Access Trojans (RATs) on Windows, macOS, and Linux systems.

ANY.RUN · 17 days ago · LLM report · severity: high

Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More

March 2026 saw a surge in sophisticated, multi-stage cyber attacks designed to evade early detection. Key threats included OAuth device code phishing (EvilTokens) for M365 account takeover, registry-hidden RAT staging (RUTSSTAGER), macOS backdoors delivered via ClickFix lures, and resilient botnets utilizing Dead Drop Resolvers.

Elastic Security Labs · 17 days ago · LLM report · severity: critical

Inside the Axios supply chain compromise - one RAT to rule them all

A compromised maintainer account for the widely used axios npm package published backdoored versions that deliver a cross-platform Remote Access Trojan (RAT). The malicious payload, triggered via a postinstall hook in a decoy dependency, deploys identical C2 frameworks across Windows, macOS, and Linux systems while employing anti-forensic techniques to hide its tracks.

Elastic Security Labs · 17 days ago · LLM report · severity: critical

Elastic releases detections for the Axios supply chain compromise

A critical supply chain attack compromised the popular Axios npm package, utilizing a malicious transitive dependency to execute cross-platform payloads during installation. The attack targets Linux, Windows, and macOS systems, deploying OS-specific Remote Access Trojans (RATs) capable of host profiling, command execution, and follow-on payload delivery. Detection engineering efforts should focus on anomalous process ancestry, such as Node.js spawning native OS shells to retrieve and background remote payloads.

Varonis · 17 days ago · LLM report · severity: high

A Quiet "Storm": Infostealer Hijacks Sessions, Decrypts Server-Side

Storm is a new Windows-based infostealer that evades endpoint detection by offloading browser credential decryption to attacker-controlled servers. It features an automated session hijacking capability that restores stolen cookies via SOCKS5 proxies, granting attackers immediate authenticated access to enterprise SaaS and cloud environments while bypassing MFA.

Trend Micro · 17 days ago · LLM report · severity: info

TrendAI™ Research at RSAC 2026: Advancing Defense Across AI‑Driven and Cyber‑Physical Threats

TrendAI presented research at RSAC 2026 highlighting the dual emergence of autonomous, agentic AI-driven cybercrime and systemic vulnerabilities in cyber-physical systems like EV charging infrastructure. The findings emphasize the necessity for organizations to adopt machine-speed, AI-driven defenses and comprehensive frameworks like NIST IR 8473 to mitigate these rapidly evolving threats.

Socket · 17 days ago · LLM report · severity: critical

TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware

The official Telnyx Python SDK on PyPI was compromised by the threat actor TeamPCP, who published malicious versions (4.87.1 and 4.87.2) containing credential-harvesting malware. The malware executes upon module import, utilizing audio steganography to deliver OS-specific payloads: a fileless in-memory harvester for Linux/macOS and a persistent binary for Windows, with exfiltrated data secured via hybrid encryption.

Infoblox · 17 days ago · LLM report · severity: high

Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro

Cybercriminals are widely abusing the Keitaro ad tracking software as a Traffic Distribution System (TDS) to route victims to malware, crypto drainers, and scams. By utilizing cracked licenses, advanced traffic filtering, and third-party cloaking integrations, threat actors effectively evade detection while precisely targeting users based on device and geolocation.

Check Point · 17 days ago · LLM report · severity: critical

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

Check Point Research discovered a zero-day vulnerability (CVE-2026-3502) in the TrueConf client update mechanism, exploited in 'Operation TrueChaos' against Southeast Asian governments. Attackers compromised on-premises TrueConf servers to distribute malicious updates, utilizing DLL sideloading and UAC bypass techniques to deploy the Havoc C2 framework.

Mandiant · 17 days ago · LLM report · severity: critical

North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

A North Korea-nexus threat actor, UNC1069, executed a software supply chain attack by compromising the maintainer account of the widely used 'axios' NPM package. They introduced a malicious dependency that uses a postinstall hook to silently deploy the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux environments, enabling remote command execution and data theft.

NCSC · 17 days ago · LLM report · severity: high

NCSC warns of messaging app targeting

The NCSC and international partners have issued an alert regarding increased targeting of high-risk individuals by state-sponsored threat actors via messaging apps like WhatsApp and Signal. Attackers utilize social engineering, phishing links, and malicious QR codes to steal account recovery codes, link unauthorized devices, and intercept sensitive communications.

Cisco Talos · 17 days ago · LLM report · severity: high

Intelligence Center

Ransomware tactics in 2025 have shifted heavily toward 'Living off the Land' (LotL) techniques, with threat actors leveraging valid accounts and built-in administrative tools like RDP, PowerShell, and PsExec to evade detection. Qilin has emerged as the most prolific ransomware group, utilizing double-extortion tactics, while manufacturing remains the most targeted industry.

Elastic Security Labs · 17 days ago · LLM report · severity: high

Fake Installers to Monero: A Multi-Tool Mining Operation

Elastic Security Labs identified a financially motivated operation dubbed REF1695 that distributes RATs and cryptominers via fake installer ISOs. The threat actor monetizes infections through Monero mining and CPA fraud, utilizing advanced evasion techniques like Themida packing, dynamic analysis tool detection, and a novel .NET implant named CNB Bot.