#0355
Akamai · 17 days ago · LLM report · severity: high
Security researchers identified a signal-reentrancy weakness in a signed macOS OpenSSL wrapper binary. The vulnerability arises from the intersection of legacy TLS capabilities and async-unsafe POSIX functions, which can be exploited via race conditions and forced TLS downgrades to cause Denial of Service (DoS) or potential memory corruption.
#0354
CISA · 17 days ago · LLM report · severity: critical
A software supply chain compromise impacted the Axios npm package, injecting a malicious dependency (plain-crypto-js@4.2.1) into versions 1.14.1 and 0.30.4. This dependency downloads multi-stage payloads, including a Remote Access Trojan (RAT), which communicates with a known malicious C2 domain.
The Canadian Centre for Cyber Security published a daily digest of six security advisories on April 20, 2026. The advisories cover critical vulnerabilities and updates for various IBM, Dell, Ubuntu, Red Hat, and ICS/SCADA products, including a specific NTP vulnerability (CVE-2020-11868) in Moxa Ethernet switches.
#0352
CISA · 17 days ago · LLM report · severity: high
CISA has added eight actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, affecting various enterprise software including PaperCut, JetBrains TeamCity, Zimbra, and Cisco Catalyst SD-WAN Manager. Organizations are strongly urged to prioritize remediation of these flaws to reduce exposure to cyberattacks.
#0351
Socket · 17 days ago · LLM report · severity: high
NIST has officially shifted the National Vulnerability Database (NVD) to a risk-based enrichment model, ceasing analysis for most new CVEs due to overwhelming submission volumes. This policy change leaves thousands of vulnerabilities without critical CVSS and CPE metadata, forcing organizations to rely on decentralized data sources and CNA-provided scores that often conflict with independent analysis.
#0350
Trail of Bits · 17 days ago · LLM report · severity: high
Trail of Bits researchers successfully forged a zero-knowledge proof for a quantum circuit by exploiting memory safety and logic vulnerabilities in Google's Rust-based zkVM prover. By leveraging unsafe deserialization and register aliasing, they bypassed resource counters and quantum reversibility constraints, demonstrating critical attack surfaces in modern zero-knowledge proof implementations.
#0349
Varonis · 17 days ago · LLM report · severity: high
Varonis Threat Labs discovered a logging evasion vulnerability in AWS where anonymous requests to external S3 buckets via VPC endpoints failed to generate CloudTrail Network Activity events. This flaw allowed attackers to invisibly exfiltrate data or download malware from compromised VPCs, though AWS has since patched the issue to ensure these requests are properly logged.
#0348
Socket · 17 days ago · LLM report · severity: low
Socket has been selected for OpenAI's Cybersecurity Grant Program, gaining API credits and access to frontier models via the Trusted Access for Cyber framework. This partnership enhances Socket's ability to detect malicious packages in open-source registries like npm and PyPI in near real-time, countering the increasing speed and automation of supply chain attacks.
#0347
Sophos · 17 days ago · LLM report · severity: critical
Microsoft's April 2026 Patch Tuesday addresses 163 CVEs across 17 product families, including 8 Critical vulnerabilities and one actively exploited zero-day (CVE-2026-32201 in SharePoint). Organizations should prioritize patching the exploited SharePoint flaw, the publicly disclosed Defender bug (CVE-2026-33825), and a highly critical 9.8 CVSS RCE in Windows IKE (CVE-2026-33824).
The Canadian Centre for Cyber Security released a daily digest highlighting recent security updates for Microsoft Edge, HashiCorp Vault, and JetBrains YouTrack. Organizations are advised to apply the necessary patches to address vulnerabilities including Denial-of-Service and Server-Side Request Forgery.
#0345
Palo Alto Networks · 17 days ago · LLM report · severity: high
Unit 42 observed active, automated exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, to deploy Mirai-like botnet malware. While the observed in-the-wild attacks were flawed and failed, technical analysis confirmed the vulnerability is exploitable if attackers authenticate using default credentials, allowing them to inject shell commands via the ssid1 parameter.
#0344
Huntress · 17 days ago · LLM report · severity: medium
A third-party security researcher discovered a vulnerability in a staging environment via Server-Side Request Forgery (SSRF) probing. The incident underscores the critical importance of applying production-level security monitoring, access controls, and incident response capabilities to non-production environments to prevent them from becoming initial access vectors.
#0343
Huntress · 17 days ago · LLM report · severity: info
A recent Huntress survey reveals that modern security teams struggle primarily with alert fatigue and a shifting threat landscape rather than budget constraints. Organizations are increasingly vulnerable to identity-based attacks such as business email compromise and session hijacking, necessitating a strategic pivot from traditional endpoint-centric prevention to Identity Threat Detection and Response (ITDR) supported by AI.
#0342
Huntress · 17 days ago · LLM report · severity: critical
A potentially unwanted program (PUP) signed by Dragon Boss Solutions LLC utilizes a silent update mechanism to deploy a sophisticated AV-killing PowerShell payload. The updater's primary domain was left unregistered, creating a severe supply chain vulnerability that exposed over 25,000 endpoints to arbitrary code execution before being sinkholed by researchers.
#0341
Sophos · 17 days ago · LLM report · severity: critical
Threat actors are actively abusing the QEMU hardware emulator to create hidden virtual machines on compromised hosts, effectively shielding their attack toolkits from endpoint detection and response (EDR) solutions. Recent campaigns, including those linked to the PayoutsKing ransomware group, leverage this technique alongside vulnerability exploitation and legitimate remote access tools to establish persistence, harvest credentials, and exfiltrate data.
#0340
Zscaler ThreatLabz · 17 days ago · LLM report · severity: critical
Payouts King is a sophisticated ransomware family operated by former BlackBasta affiliates. It gains initial access via social engineering tactics like spam bombing and Quick Assist, then deploys ransomware that utilizes direct system calls, custom API hashing, and robust RSA/AES encryption while actively evading EDR detection.
#0339
Cisco Talos · 17 days ago · LLM report · severity: high
The Q1 2026 vulnerability landscape shows a continued rise in overall CVEs and KEVs, with a significant focus on software supply chain compromises and networking gear. A notable emerging threat is the abuse of the n8n AI workflow automation platform to bypass traditional security filters, alongside the discovery of the PowMix botnet targeting Czech workers and ongoing exploitation of legacy vulnerabilities.
#0338
Recorded Future · 17 days ago · LLM report · severity: medium
Threat actors are increasingly utilizing business impersonation to exploit ecosystem gaps in the financial and retail sectors. By creating copycat corporate entities and AI-generated fake storefronts, fraudsters successfully bypass traditional security controls like Positive Pay and 3D Secure authentication to conduct commercial check fraud and card-not-present scams.
#0337
Sekoia.io · 17 days ago · LLM report · severity: medium
Sekoia TDR details its methodology for automating .NET malware analysis, focusing on an obfuscated Covenant Grunt implant used by APT28. The researchers demonstrate how to programmatically decrypt strings and decompile code using pythonnet and dnlib, culminating in the release of RePythonNET-MCP, a tool that enables AI-assisted reverse engineering and configuration extraction.
#0336
Socket · 17 days ago · LLM report · severity: info
The article highlights a podcast discussion featuring Socket CEO Feross Aboukhadijeh on the escalating threats to the open-source supply chain, including the Axios backdoor attack and nation-state targeting of maintainers. It emphasizes the systemic risks of relying on unreviewed open-source code and the dual role of AI in both exacerbating and defending against these emerging threats.