Blog
Short updates, summaries, and notable threat writeups.
Recent posts
- DEBULL device-code phishing and GraphSpy post-exploitation
- GraphSpy
- Kali365 device-code phishing expansion: ZeroBEC DEBULL / GraphSpy chain
- Agentic workflow trust-boundary failures: GitLost and WriteOut
- UNK_MassTraction Roundcube university mailserver campaign
- Tenda firmware CVE-2026-11405 hidden authentication backdoor
- BeyondTrust RS / PRA CVE-2026-40138 / CVE-2026-40139 authentication bypass
- Cavern
- Cavern Manticore
- Januscape KVM CVE-2026-53359 guest-to-host escape
- Gitea Docker CVE-2026-20896 probing
- Kali365 device-code phishing expansion: Kaspersky legal-portal / Microsoft Identity Platform chain
- QuimaRAT
- Agent skill marketplace poisoning: SkillCloak scanner evasion and SkillDetonate runtime auditing
- ScreenConnect freeware / AsyncRAT SEO campaign
- FatFs CVE-2026-6682 to CVE-2026-6688 embedded-filesystem bug cluster
- Kairos data-extortion government payment
@marketfront/@tqm-mfedependency-confusion stealer- Linux Bad Epoll CVE-2026-46242 local privilege escalation
- Avalon / CrownX malware framework
- CrownX
- Citrix NetScaler CVE-2026-8451 memory overread
- Armored Likho BusySnake campaign
- BusySnake Stealer
- Armored Likho
- PamStealer
- NetNut / Popa residential proxy network disruption
- ToddyCat Umbrij Gmail OAuth operation
- Umbrij
- ToddyCat
- JADEPUFFER Langflow agentic ransomware
- Adobe ColdFusion APSB26-68 CVE bonanza
- ChocoPoC fake PoC supply-chain campaign
- ChocoPoC
- Anubis ransomware CitrixBleed 2 / RMM / cloudflared intrusions
- Argo CD repo-server unauthenticated RCE
- PolinRider cross-ecosystem supply-chain campaign
- VEIL#DROP Blogger-hosted PureLogs stealer chain
- Microsoft SharePoint CVE-2026-45659 RCE exploitation
- Progress Kemp LoadMaster CVE-2026-8037 active exploitation attempts
- ClickFix CPaaS API-driven payload delivery
- Azure CLI LSHIY password-spray campaign
- Lazarus-linked Rollup polyfill npm malware
- Phantom squatting: AI-hallucinated domains
- Silent Swap Google Notes crypto clipper
- RustDuck
- MCP tool-description poisoning
- GuardFall AI-agent shell-guard bypass
- AI-augmented adversary operations: BioShocking AI-browser context manipulation
- SimpleHelp CVE-2026-48558: TaskWeaver and Djinn Stealer exploitation chain
- TaskWeaver
- Djinn Stealer
- Oracle E-Business Suite CVE-2026-46817 exploitation
- VPN Go browser-extension clipboard stealer
- Mustang Panda ZOHOMURK / MINIRECON India campaigns
- Mustang Panda
- SimpleHelp CVE-2026-48558 authentication-bypass exploitation
- Perplexity AI-spoofing Chromium extension search hijacker
- DCloud Uni-App scam infrastructure ecosystem
- StegoAd Edge extension steganography campaign
- Gamaredon 2025 tunnels, workers, dead drops, and cloud exfiltration
- Gamaredon
- Turla
- Operation DragonReturn India tax-season DcRAT campaign
- Banana RAT / SHADOW-WATER-063 Brazilian banking fraud
- Leo Platform npm Miasma-style compromise: JFrog Hades marker / SEED_PAT follow-up
- Russian intelligence Signal backup-key phishing
- Immobiliare Labs Backstage plugins npm compromise
- Amazon Q CVE-2026-12957 MCP auto-execution
- Linux pedit COW CVE-2026-46331 local privilege escalation
- Linux DirtyClone CVE-2026-43503 local privilege escalation
- Turla STOCKSTAY backdoor operations
- Turla
- STOCKSTAY
- Photo ZIP hospitality Node.js implant campaign
- Malicious infrastructure provider concentration: Hunt.io Eastern Europe C2 sprawl update
- CL-STA-1062 Southeast Asia government and energy intrusions
- Leo Platform npm Miasma-style compromise: Sonatype affected-package clarification
- PTC Windchill / FlexPLM CVE-2026-12569 exploitation
- Leo Platform npm Miasma-style compromise: Socket Go/source-repository expansion
- Adblock for YouTube BadBlocker remote-script injection risk
- Backdoor.Mistic / KongTuke ModeloRAT activity
- macOS.Gaslight Rust backdoor
- Leo Platform npm Miasma-style compromise
- simonecorsi/mawesome GitHub Action compromise
- StrikeShark SharkLoader / Cobalt Strike campaign
- GitHub Actions deployment poisoning: Cordyceps CI/CD composition flaws
- codfish semantic-release-action tag compromise
- html-to-gutenberg / fetch-page-assets VS Code blockchain stealer
- StealC / Amadey infrastructure disruption
- Thailand healthcare RAR / Python stealer campaign
- xlabs_v1 DDoS-for-hire IoT botnet
- WhatsApp VBScript ManageEngine RMM campaign
- Agent skill marketplace poisoning: Unit 42 OpenClaw marketplace follow-up
- Ubiquiti UniFi OS CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 exploitation
- Lantronix EDS5000 CVE-2025-67038 exploitation
- Agent skill marketplace poisoning: AIR external-document skill swap
- wshu.net npm credential-stealer campaign
- Agent skill marketplace poisoning: Snyk / JFrog developer-environment update
- Langflow CVE-2026-33017 cryptominer SSH worm
- Fake-reputation crypto clipboard hijacker
- Cloud bucket namespace hijacking
- AI-agent memory poisoning
- Storm-2603 parallel SharePoint ransomware intrusion
- postcss-minify-selector-parser npm RAT
- FFmpeg PixelSmash CVE-2026-8461 media-file RCE
- AryStinger legacy-router recon proxy network
- MYRA RAT
- Oracle PeopleSoft CVE-2026-35273: PSIGW / PSEMHUB chain analysis
- UNC6508
- SprySOCKS Windows backdoor variants
- FishMonger
- ClickOnce COM hijacking abuse
- Agent localhost control-plane RCE: AutoJack PyPI pre-release caveat
@withgoogle/stitch-sdkscope squat- Malicious infrastructure provider concentration
- Gravity SMTP CVE-2026-4020 exploitation
- Operation Endgame SocGholish disruption
- FortiBleed Fortinet credential exposure: Arctic Wolf impact-count update
- The Gentlemen ransomware: GentleKiller EDR-killer framework update
- JetBrains AI plugin API-key theft
- Ababil of Minab MOIS-linked recovery-destruction campaign: Hunt.io exposed-staging follow-up
- Klue Salesforce OAuth token abuse
- npm install explicit-trust controls: developer package-config drift update
- Agent localhost control-plane RCE
- GHOST STADIUM FIFA World Cup ticket phishing
- procwire / routecraft npm Windows dropper
- Splunk Enterprise CVE-2026-20253 KEV exploitation update
- AI scanner anti-analysis
- Vertex AI staging-bucket squatting
- Microsoft follow-up: Mastra
easy-day-jspostinstall payload details - LiteSpeed cPanel Plugin CVE-2026-54420 exploitation
- Cisco Catalyst SD-WAN Manager CVE-2026-20262 arbitrary file write update
- Joomla JCE CVE-2026-48907 exploitation
- Glassworm / GlassWASM Open VSX extension wave
- Crypto Clipper Tor / USB worm
- Mastra
easy-day-jsnpm scope compromise - Crypto supply-chain path to transaction authority
- watchTowr cPanel CVE-2026-41940 session-forgery analysis
- Outsider Enterprise smishing PhaaS
- Hunt.io payload analysis update for Operation DangerousPassword / axios npm compromise
- Splunk Enterprise CVE-2026-20253 pre-auth file write / RCE
- Operation Highland Velvet Ant authentication-stack backdoors
- Velvet Ant
- Chrome live-wallpaper extension ad-fraud network
- Atomic Arch AUR package hijack
- Arctic Wolf follow-up: PAN-OS GlobalProtect CVE-2026-0257 VPN sessions with Impacket-style SMB / NTLM reconnaissance
- Astro config blockchain C2 PR injection
- Void Dokkaebi Cython-compiled InvisibleFerret update
- Sentry MCP Agentjacking
- LangGraph checkpointer injection and unsafe deserialization
- Solana FakeFix npm / PyPI developer stealer
- Oracle PeopleSoft CVE-2026-35273 ShinyHunters exploitation
- ShinyHunters
- Ivanti Sentry CVE-2026-10520 exploitation
- GitHub Actions OIDC subject-claim collisions
- OceanLotus FireAnt MetaKit / SPECTRALVIPER domestic espionage update
- JDY SOHO / IoT reconnaissance botnet
- Unit 42 PAN-OS GlobalProtect CVE-2026-0257 exploitation pivots
- SHADOW-AETHER AI-augmented Latin America intrusions
- ServiceNow instance unauthenticated table-query exploitation
- Cloud logging control-plane tampering
- Arista EOS CVE-2026-7473 tunnel decapsulation exploitation
- Chrome V8 CVE-2026-11645 exploitation
- UAC-0226 / SHADOW-EARTH-066
- Trend Micro WinRAR CVE-2025-8088 follow-up on Gamaredon and UAC-0226
- AI-brand impersonation phishing and malvertising
- Linux nftables CVE-2026-23111 public LPE exploits
- Microsoft Teams external-chat phishing
gpt-pilotforce-push attempt in the Miasma / Mini Shai-Hulud campaign- LiteLLM CVE-2026-42271 MCP stdio command injection
- Quest KACE SMA CVE-2025-32975 exploitation
- Check Point VPN CVE-2026-50751 exploitation
- UNK_DeadDrop developer repository phishing
- VerdantBamboo appliance BRICKSTORM operation
- VerdantBamboo
- Hades graph-ML PyPI import-hook wave in the Miasma / Mini Shai-Hulud campaign
- Hades PyPI wheel wave in the Miasma / Mini Shai-Hulud campaign
- Hunt.io global smishing infrastructure campaign
- Oman government Iranian-nexus webshell C2
- MiniPlasma Windows Cloud Filter LPE exploitation
- Telnyx PyPI TeamPCP compromise
- Developer-tool config auto-execution
- SafeDep documents Miasma source-repository auto-execution arm
- UNC3753 law-firm vishing extortion campaign
- TeamPCP Python toolkit / FIRESCALE fallback analysis
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 exploitation
- SolarWinds Serv-U CVE-2026-28318 exploitation
- Microsoft Claude Code Action runner-environment exposure case
- Azure/durabletask repository reinfection in the Miasma / Phantom Gyp wave
- OP-512
- Everest Forms Pro CVE-2026-3300 exploitation
- PCPJack cloud SMTP relay network
- Kali365 device-code phishing expansion
- TA4922
- Stock exchange executive mailbox espionage
- Operation GriefLure Southeast Asia LNK dropper
- binding.gyp npm CI/CD worm
- UNC6692 SNOW malware social-engineering campaign
- faster-axios / turbo-axios Epsilon Stealer npm campaign
- IronWorm npm Rust infostealer campaign
- Mirasvit Cache Warmer CVE-2026-45247 exploitation
- Browser-based developer IDE OAuth token theft
- Agent skill marketplace poisoning
- jqwik maintainer prompt-injection supply-chain pattern
- MCP stdio command-execution boundary
- Gamaredon GammaPhish / GammaWorm / GammaSteel chain
- Android Framework CVE-2025-48595 exploitation
- Linux Kernel CVE-2022-0492 cgroup release_agent exploitation
- Operation XENOFISCAL SideCopy XenoRAT campaign
- Operation FlutterBridge FlutterShell macOS malvertising
- WP Maps Pro CVE-2026-8732 exploitation
- Oracle WebLogic CVE-2024-21182 exploitation
- Operation Dragon Weave Azure Blob C2 campaign
- Miasma RedHat Cloud Services npm wave
- Cloud Atlas PowerCloud / reverse-tunnel campaign
- Ghostwriter / FrostyNeighbor JavaScript PicassoLoader chain
- Famous Chollima Packagist dev-branch loader
- Dutch Police / NCSC 17-million-device botnet disruption
- OX details Shai-Hulud copycat npm packages
- NATS-as-C2 KeyHunter credential-harvesting operation
- Microsoft details oob.moika.tech reconnaissance-first dependency-confusion cluster
- Pirated media SilentCryptoMiner RAT campaign
- Permiso ChatGPhish AI-summary phishing surface
- Marimo CVE-2026-39987 LLM-agent post-exploitation
- PraisonAI CVE-2026-44338 rapid exploitation
- GREYVIBE Russia-nexus AI-assisted Ukraine operations
- Socket details axios / plain-crypto-js RAT chain
- Kimsuky / Emerald Sleet / TA427
- The Gentlemen ransomware
- StegaBin Pastebin-steganography npm campaign
- BlackFile / UNC6671 vishing extortion operation
- Sicoob.Sdk NuGet banking certificate stealer
- Operation DangerousPassword axios npm compromise
- FortiClient EMS CVE-2026-35616 EKZ Infostealer campaign
- codexui-android OpenAI token stealer
- vpmdhaj OpenSearch npm cloud-secret stealer
- oob.moika.tech dependency-confusion environment stealer
- SafeDep live update on MicrosoftSystem64 / js-logger-pack
- TeamPCP extortion ecosystem update
- DAEMON Tools Lite supply-chain compromise
- Grandoreiro and BTMOB Latin America / Europe malware campaigns
- CISA adds Nx Console and TanStack supply-chain incidents to KEV
- Malware-Slop Claude user-data npm infostealer
- JINX-0164 crypto developer infrastructure campaign
- JINX-0164 actor profile
- Glassworm developer supply-chain botnet
- AI chatbot and SEO poisoning GPU-cryptojacking campaign
- Seedworm Dindoor / Fakeset U.S. network intrusions
- Chinese-language PhaaS wallet-tokenization ecosystem
- Fast16 nuclear-simulation sabotage framework
- forge-jsxy npm RAT
- Seedworm / MuddyWater signed-binary sideloading campaign
- Ababil of Minab MOIS-linked recovery-destruction campaign
- SafeDep details AntV / atool Mini Shai-Hulud indicators
- AI-augmented adversary operations
- KnowledgeDeliver CVE-2026-5426 ViewState exploitation
- Wiz details TeamPCP post-compromise cloud and GitHub abuse
- Funnull RingH23 and MacCMS supply-chain attacks
- Mr_Rot13 cPanel CVE-2026-41940 backdoor campaign
- Polymarket npm wallet-drainer packages
- Ghost CMS CVE-2026-26980 ClickFix poisoning
- RemotePE memory-only Lazarus RAT
- Socket details SAP CAP / Cloud MTA Mini Shai-Hulud compromise
- TrapDoor crypto-stealer cross-ecosystem campaign
- js-logger-pack Hugging Face exfiltration campaign
- ScarCruft Yanbian game-platform supply-chain attack
- APT28 LNK SmartScreen bypass and CVE-2026-32202 coercion chain
- Microsoft Defender CVE-2026-41091 / CVE-2026-45498 exploitation
- Trend Micro Apex One CVE-2026-34926 exploitation
- Xinference PyPI compromise
- Laravel-Lang Composer tag-rewrite compromise
- LiteSpeed cPanel CVE-2026-48172 active exploitation
- Ollama P2P cryptominer RAT campaign
- BufferZoneCorp RubyGems / Go module CI poisoning
- GitHub / Packagist postinstall hook campaign
- Drupal Core CVE-2026-9082 active exploitation
- First VPN criminal infrastructure takedown
- Ghostwriter UAC-0057 Prometheus-themed phishing
- Langflow CVE-2025-34291 exploitation
- Megalodon GitHub Actions workflow backdooring
- Screening Serpens 2026 espionage campaigns
- ROADtools Entra ID cloud-intrusion toolkit
- LiteLLM compromise
- Mini Shai-Hulud npm/PyPI worm campaign
- TeamPCP group profile
- Nx Console VS Code extension compromise
- Showboat Linux post-exploitation framework
- GitHub Actions deployment poisoning
- node-ipc 2026 npm maintainer-account compromise
- Bitwarden / Checkmarx Shai-Hulud Third Coming campaign
- Mini Shai-Hulud npm/PyPI worm campaign
- SANDWORM_MODE AI-toolchain npm worm
- art-template Coruna-style iOS watering-hole compromise
- shopsprint/decimal Go typosquat DNS backdoor
- actions-cool GitHub Actions tag compromise
- Webworm
- Fox Tempest
- TamperedChef-style productivity malware clusters
- Handala group profile
- ConnectWise ScreenConnect exploitation wave
- Codecov Bash Uploader compromise
- Okta support-system compromise
- CitrixBleed session-hijack wave
- CircleCI 2023 customer secret exposure incident
- CCleaner signed-update compromise
- Barracuda ESG zero-day backdoor campaign
- Accellion FTA exploitation campaign
- 3CX desktop app compromise
- 0ktapus phishing campaign
- JiaT75
- XZ Utils backdoor
- tj-actions and reviewdog compromise
- Trivy compromise