#0575
Socket · 11 days ago · LLM report · critical
A large-scale npm supply chain attack compromised hundreds of packages, notably within the @antv ecosystem, using a malware variant known as Mini Shai-Hulud. The malware executes upon installation to harvest sensitive developer and CI/CD secrets, exfiltrating them to a hardcoded C2 server or via a GitHub repository fallback, and leverages stolen npm tokens to propagate itself to other packages.
#0574
Cisco Talos · 11 days ago · LLM report · high
Cisco Talos disclosed a series of vulnerabilities affecting TP-Link routers, Adobe Photoshop, OpenVPN, and Norton VPN. Notably, a privilege escalation flaw in Norton VPN (CVE-2025-58074) was exploited in the wild before a patch was available, while the TP-Link flaws allow for remote code execution via command injection and buffer overflows.
#0573
Microsoft · 11 days ago · LLM report · high
Fox Tempest is a financially motivated threat actor providing malware-signing-as-a-service (MSaaS) to the cybercrime ecosystem. By abusing Microsoft Artifact Signing via stolen identities, they generate short-lived, fraudulent code-signing certificates that allow threat actors like Vanilla Tempest to bypass security controls and deploy payloads such as the Oyster backdoor and Rhysida ransomware.
The Canadian Centre for Cyber Security (CCCS) released a daily digest highlighting recent security advisories for various Industrial Control Systems (ICS) and Microsoft Edge. Organizations are advised to review the specific CISA ICS advisories for products from ABB, Siemens, and others, and to update Microsoft Edge to version 148.0.3967.70 or later.
#0571
Trend Micro · 11 days ago · LLM report · high
Trend Micro MDR analyzed Banana RAT, a sophisticated banking trojan operated by SHADOW-WATER-063 targeting Brazilian financial institutions. The malware utilizes a server-side polymorphic build pipeline to deliver unique, AES-encrypted PowerShell payloads that execute filelessly in memory. Once active, it enables operator-driven fraud through remote input control, keylogging, deceptive banking overlays, and a specialized Pix QR code interception subsystem.
#0570
Cisco Talos · 11 days ago · LLM report · high
Cisco Talos has identified a commodity BadIIS malware ecosystem operating under a Malware-as-a-Service (MaaS) model, primarily used by Chinese-speaking threat actors for SEO fraud and traffic manipulation. The developer, known as 'lwxat', provides a dedicated builder and sophisticated service-based installers that ensure persistence on compromised Windows IIS servers while evading detection through custom Base64 encoding and service impersonation.
#0569
Sophos · 11 days ago · LLM report · high
WantToCry is a remote ransomware operation that targets internet-exposed SMB services using brute-force authentication. Instead of deploying local malware, attackers exfiltrate files, encrypt them on their own infrastructure, and write the encrypted versions back to the victim's network via authenticated SMB sessions, effectively bypassing traditional process-based EDR detections.
#0568
Zscaler ThreatLabz · 11 days ago · LLM report · info
The emergence of advanced AI models capable of rapid vulnerability discovery and exploit prototyping has rendered traditional reactive patching cycles obsolete. Organizations must transition to a Modern Defensible Architecture (MDA) utilizing Zero Trust, active deception, and automated containment to defend against machine-speed threats.
#0567
Zscaler ThreatLabz · 11 days ago · LLM report · info
The article highlights the critical need for foundational security architecture before deploying AI at scale, emphasizing that AI amplifies risks associated with exposed attack surfaces and lateral movement. It advocates for Zero Trust principles to make AI models invisible to the internet and restrict unauthorized access paths, preventing minor compromises from becoming systemic breaches.
#0566
Socket · 11 days ago · LLM report · critical
Recent versions of the popular npm package node-ipc (9.1.6, 9.2.3, 12.0.1) were compromised to include an obfuscated credential stealer. The malware executes upon CommonJS module load, harvests sensitive developer and cloud credentials, and exfiltrates the compressed data via DNS TXT queries to attacker-controlled infrastructure.
#0565
Akamai · 11 days ago · LLM report · critical
CVE-2026-42945, dubbed 'NGINX Rift', is a critical heap buffer overflow vulnerability in the NGINX HTTP rewrite module (ngx_http_rewrite_module). It allows unauthenticated attackers to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE) by sending crafted HTTP requests to servers configured with specific rewrite directives containing unnamed PCRE captures and a question mark.
#0564
Huntress · 12 days ago · LLM report · medium
This article highlights the severe security risks associated with using common, easily guessable passwords. It details how threat actors leverage weak credentials through brute force, password spraying, and credential stuffing attacks to gain unauthorized access to systems, emphasizing the need for robust identity protection and password management.
#0563
Huntress · 12 days ago · LLM report · medium
The article outlines 19 critical cloud security challenges facing organizations, emphasizing that misconfigurations, weak identity and access management (IAM), and human error are the primary drivers of cloud compromise. It highlights emerging threats such as AI-powered deepfake social engineering, MFA fatigue, and cloud-targeted extortion, underscoring the need for unified visibility and robust configuration management.
#0562
Huntress · 12 days ago · LLM report · high
Threat actors are increasingly employing defense evasion techniques to actively disable or blind endpoint security controls like AV and EDR. Common methods include manipulating Windows Firewall rules to block telemetry, uninstalling agents via rogue RMMs, and leveraging Bring Your Own Vulnerable Driver (BYOVD) attacks to terminate protected security processes from the kernel.
#0561
Cofense · 12 days ago · LLM report · high
A recent phishing campaign impersonates Zoom meeting invitations to trick users into downloading a malicious VBS script disguised as a software update. This script silently installs ConnectWise ScreenConnect, a legitimate RMM tool, granting attackers persistent remote access to the compromised system for potential follow-on attacks such as credential theft, lateral movement, or ransomware deployment.
#0560
Trend Micro · 12 days ago · LLM report · medium
Autonomous AI agents introduce significant security risks by operating within trust boundaries using delegated credentials, effectively bypassing traditional perimeter defenses. Effective security requires "agentic governance," focusing on strict identity management, granular action-level permissions, approval gates for high-risk operations, and comprehensive logging to mitigate threats like prompt injection and scope creep.
#0559
Kaspersky · 12 days ago · LLM report · high
Kaspersky's Q1 2026 threat report highlights significant law enforcement actions against major ransomware operators, alongside the emergence of new ransomware groups like The Gentlemen. The quarter also saw active zero-day exploitation of Cisco Secure FMC (CVE-2026-20131) by the Interlock group, a rise in macOS-targeted crypto stealers and supply chain attacks via the Axios npm package, and persistent IoT botnet activity dominated by Mirai variants.
#0558
Kaspersky · 12 days ago · LLM report · high
In Q1 2026, mobile banking Trojans saw a significant surge, with Mamont variants driving a 50% increase in malicious installation packages. Additionally, a sophisticated new variant of the SparkCat crypto stealer was identified in official app stores, employing custom virtual machines and OCR techniques to compromise both Android and iOS users.
#0557
12 days ago · Recap · May 11 – May 18
Developer Supply Chains Under Siege as Edge Device Exploits Surge
The dominant narrative this week is the coordinated weaponization of the software supply chain, as threat actors like TeamPCP and Mini Shai-Hulud aggressively target developer tools to steal cloud credentials. Because these attackers compromise trusted build systems like GitHub Actions, a single malicious package—such as the compromised TanStack libraries—can cascade into massive downstream breaches, allowing criminals to hold development environments hostage and even deploy destructive dead-man switches if their access is cut off.
In parallel, attackers are bypassing traditional network defenses by exploiting internet-facing edge devices and logging in with stolen credentials. Threat clusters are actively exploiting critical flaws in Cisco Catalyst SD-WAN and Microsoft Exchange, while ransomware groups like The Gentlemen and state-sponsored actors like Secret Blizzard use these footholds to live off the land, hijacking legitimate IT tools to stay hidden for months.
These trends together suggest that perimeter-focused defenses and basic patching are no longer sufficient. Organizations must immediately isolate their CI/CD pipelines from cloud credentials, enforce phishing-resistant multi-factor authentication on all internet-facing systems, and assume that trusted vendor tools may already be compromised.
#0556
14 days ago · By me
Some honeypots don't exist to catch attackers. They exist to make the environment around them convincing enough that sophisticated actors commit real tooling to the traps that do.