Blog

Short updates, summaries, and notable threat writeups.

Recent posts

• Crypto supply-chain path to transaction authority
• watchTowr cPanel CVE-2026-41940 session-forgery analysis
• Outsider Enterprise smishing PhaaS
• Hunt.io payload analysis update for Operation DangerousPassword / axios npm compromise
• Splunk Enterprise CVE-2026-20253 pre-auth file write / RCE
• Operation Highland Velvet Ant authentication-stack backdoors
• Velvet Ant
• Chrome live-wallpaper extension ad-fraud network
• Atomic Arch AUR package hijack
• Arctic Wolf follow-up: PAN-OS GlobalProtect CVE-2026-0257 VPN sessions with Impacket-style SMB / NTLM reconnaissance
• Astro config blockchain C2 PR injection
• Void Dokkaebi Cython-compiled InvisibleFerret update
• Sentry MCP Agentjacking
• LangGraph checkpointer injection and unsafe deserialization
• Solana FakeFix npm / PyPI developer stealer
• Oracle PeopleSoft CVE-2026-35273 ShinyHunters exploitation
• ShinyHunters
• Ivanti Sentry CVE-2026-10520 exploitation
• GitHub Actions OIDC subject-claim collisions
• OceanLotus FireAnt MetaKit / SPECTRALVIPER domestic espionage update
• JDY SOHO / IoT reconnaissance botnet
• Unit 42 PAN-OS GlobalProtect CVE-2026-0257 exploitation pivots
• SHADOW-AETHER AI-augmented Latin America intrusions
• ServiceNow instance unauthenticated table-query exploitation
• Cloud logging control-plane tampering
• Arista EOS CVE-2026-7473 tunnel decapsulation exploitation
• Chrome V8 CVE-2026-11645 exploitation
• UAC-0226 / SHADOW-EARTH-066
• Trend Micro WinRAR CVE-2025-8088 follow-up on Gamaredon and UAC-0226
• AI-brand impersonation phishing and malvertising
• Linux nftables CVE-2026-23111 public LPE exploits
• Microsoft Teams external-chat phishing
• gpt-pilot force-push attempt in the Miasma / Mini Shai-Hulud campaign
• LiteLLM CVE-2026-42271 MCP stdio command injection
• Quest KACE SMA CVE-2025-32975 exploitation
• Check Point VPN CVE-2026-50751 exploitation
• UNK_DeadDrop developer repository phishing
• VerdantBamboo appliance BRICKSTORM operation
• VerdantBamboo
• Hades graph-ML PyPI import-hook wave in the Miasma / Mini Shai-Hulud campaign
• Hades PyPI wheel wave in the Miasma / Mini Shai-Hulud campaign
• Hunt.io global smishing infrastructure campaign
• Oman government Iranian-nexus webshell C2
• MiniPlasma Windows Cloud Filter LPE exploitation
• Telnyx PyPI TeamPCP compromise
• Developer-tool config auto-execution
• SafeDep documents Miasma source-repository auto-execution arm
• UNC3753 law-firm vishing extortion campaign
• TeamPCP Python toolkit / FIRESCALE fallback analysis
• Cisco Catalyst SD-WAN Manager CVE-2026-20245 exploitation
• SolarWinds Serv-U CVE-2026-28318 exploitation
• Microsoft Claude Code Action runner-environment exposure case
• Azure/durabletask repository reinfection in the Miasma / Phantom Gyp wave
• OP-512
• Everest Forms Pro CVE-2026-3300 exploitation
• PCPJack cloud SMTP relay network
• Kali365 device-code phishing expansion
• TA4922
• Stock exchange executive mailbox espionage
• Operation GriefLure Southeast Asia LNK dropper
• binding.gyp npm CI/CD worm
• UNC6692 SNOW malware social-engineering campaign
• faster-axios / turbo-axios Epsilon Stealer npm campaign
• IronWorm npm Rust infostealer campaign
• Mirasvit Cache Warmer CVE-2026-45247 exploitation
• Browser-based developer IDE OAuth token theft
• Agent skill marketplace poisoning
• jqwik maintainer prompt-injection supply-chain pattern
• MCP stdio command-execution boundary
• Gamaredon GammaPhish / GammaWorm / GammaSteel chain
• Android Framework CVE-2025-48595 exploitation
• Linux Kernel CVE-2022-0492 cgroup release_agent exploitation
• Operation XENOFISCAL SideCopy XenoRAT campaign
• Operation FlutterBridge FlutterShell macOS malvertising
• WP Maps Pro CVE-2026-8732 exploitation
• Oracle WebLogic CVE-2024-21182 exploitation
• Operation Dragon Weave Azure Blob C2 campaign
• Miasma RedHat Cloud Services npm wave
• Cloud Atlas PowerCloud / reverse-tunnel campaign
• Ghostwriter / FrostyNeighbor JavaScript PicassoLoader chain
• Famous Chollima Packagist dev-branch loader
• Dutch Police / NCSC 17-million-device botnet disruption
• OX details Shai-Hulud copycat npm packages
• NATS-as-C2 KeyHunter credential-harvesting operation
• Microsoft details oob.moika.tech reconnaissance-first dependency-confusion cluster
• Pirated media SilentCryptoMiner RAT campaign
• Permiso ChatGPhish AI-summary phishing surface
• Marimo CVE-2026-39987 LLM-agent post-exploitation
• PraisonAI CVE-2026-44338 rapid exploitation
• GREYVIBE Russia-nexus AI-assisted Ukraine operations
• Socket details axios / plain-crypto-js RAT chain
• Kimsuky / Emerald Sleet / TA427
• The Gentlemen ransomware
• StegaBin Pastebin-steganography npm campaign
• BlackFile / UNC6671 vishing extortion operation
• Sicoob.Sdk NuGet banking certificate stealer
• Operation DangerousPassword axios npm compromise
• FortiClient EMS CVE-2026-35616 EKZ Infostealer campaign
• codexui-android OpenAI token stealer
• vpmdhaj OpenSearch npm cloud-secret stealer
• oob.moika.tech dependency-confusion environment stealer
• SafeDep live update on MicrosoftSystem64 / js-logger-pack
• TeamPCP extortion ecosystem update
• DAEMON Tools Lite supply-chain compromise
• Grandoreiro and BTMOB Latin America / Europe malware campaigns
• CISA adds Nx Console and TanStack supply-chain incidents to KEV
• Malware-Slop Claude user-data npm infostealer
• JINX-0164 crypto developer infrastructure campaign
• JINX-0164 actor profile
• Glassworm developer supply-chain botnet
• AI chatbot and SEO poisoning GPU-cryptojacking campaign
• Seedworm Dindoor / Fakeset U.S. network intrusions
• Chinese-language PhaaS wallet-tokenization ecosystem
• Fast16 nuclear-simulation sabotage framework
• forge-jsxy npm RAT
• Seedworm / MuddyWater signed-binary sideloading campaign
• Ababil of Minab MOIS-linked recovery-destruction campaign
• SafeDep details AntV / atool Mini Shai-Hulud indicators
• AI-augmented adversary operations
• KnowledgeDeliver CVE-2026-5426 ViewState exploitation
• Wiz details TeamPCP post-compromise cloud and GitHub abuse
• Funnull RingH23 and MacCMS supply-chain attacks
• Mr_Rot13 cPanel CVE-2026-41940 backdoor campaign
• Polymarket npm wallet-drainer packages
• Ghost CMS CVE-2026-26980 ClickFix poisoning
• RemotePE memory-only Lazarus RAT
• Socket details SAP CAP / Cloud MTA Mini Shai-Hulud compromise
• TrapDoor crypto-stealer cross-ecosystem campaign
• js-logger-pack Hugging Face exfiltration campaign
• ScarCruft Yanbian game-platform supply-chain attack
• APT28 LNK SmartScreen bypass and CVE-2026-32202 coercion chain
• Microsoft Defender CVE-2026-41091 / CVE-2026-45498 exploitation
• Trend Micro Apex One CVE-2026-34926 exploitation
• Xinference PyPI compromise
• Laravel-Lang Composer tag-rewrite compromise
• LiteSpeed cPanel CVE-2026-48172 active exploitation
• Ollama P2P cryptominer RAT campaign
• BufferZoneCorp RubyGems / Go module CI poisoning
• GitHub / Packagist postinstall hook campaign
• Drupal Core CVE-2026-9082 active exploitation
• First VPN criminal infrastructure takedown
• Ghostwriter UAC-0057 Prometheus-themed phishing
• Langflow CVE-2025-34291 exploitation
• Megalodon GitHub Actions workflow backdooring
• Screening Serpens 2026 espionage campaigns
• ROADtools Entra ID cloud-intrusion toolkit
• LiteLLM compromise
• Mini Shai-Hulud npm/PyPI worm campaign
• TeamPCP group profile
• Nx Console VS Code extension compromise
• Showboat Linux post-exploitation framework
• GitHub Actions deployment poisoning
• node-ipc 2026 npm maintainer-account compromise
• Bitwarden / Checkmarx Shai-Hulud Third Coming campaign
• Mini Shai-Hulud npm/PyPI worm campaign
• SANDWORM_MODE AI-toolchain npm worm
• art-template Coruna-style iOS watering-hole compromise
• shopsprint/decimal Go typosquat DNS backdoor
• actions-cool GitHub Actions tag compromise
• Webworm
• Fox Tempest
• TamperedChef-style productivity malware clusters
• Handala group profile
• ConnectWise ScreenConnect exploitation wave
• Codecov Bash Uploader compromise
• Okta support-system compromise
• CitrixBleed session-hijack wave
• CircleCI 2023 customer secret exposure incident
• CCleaner signed-update compromise
• Barracuda ESG zero-day backdoor campaign
• Accellion FTA exploitation campaign
• 3CX desktop app compromise
• 0ktapus phishing campaign
• JiaT75
• XZ Utils backdoor
• tj-actions and reviewdog compromise
• Trivy compromise