Threat Intelligence
How actual threat actors operate right now. Analysis of recent incidents, attack patterns, and defense implications.
61 posts in this cluster
cisco SD-WAN CVE-2026-20182: a missing else-if branch gave UAT-8616 god-mode over the corporate WAN fabric of every Catalyst customer that didn't patch in 3 days
CVE-2026-20182 in Cisco Catalyst SD-WAN Controllers is CVSS 10.0 / pre-auth / unauthenticated / remote. The bug is a missing else-if branch in the vdaemon peering authentication service that handles device_type messages on UDP/12346 (DTLS). The switch statement handles vBond, vSmart, vEdge — but the device_type=2 (vHub) case has no verification branch, so the controller unconditionally flips the authenticated flag for anyone who claims to be a vHub. From there: SSH key injection into /home/vmanage-admin/.ssh/authorized_keys, NETCONF on TCP/830 as the high-priv internal vmanage-admin account, then root. CISA KEV added 2026-05-14 with the tightest federal mitigation window of 2026 (3 days, due May 17, ED 26-03). Attribution: UAT-8616 — the threat cluster that has been camping on Cisco SD-WAN since 2023, previously caught burning CVE-2026-20127 / 20133 / 20128 / 20122. Blast radius is the entire enterprise WAN fabric: OMP route tables, TLOC entries, branch-to-branch segmentation, policy distribution. A single controller pop = god-mode over every cEdge/vEdge in the overlay. This post: full bug walkthrough, affected versions and patches (20.9 → 20.18 and 26.1), hunt indicators across SSH/NETCONF/DTLS/config-plane/webshell layers, pre-patch mitigations (no Cisco workaround so perimeter ACL + management-plane lockdown), the post-patch credential rotation list, and Snort SIDs 66482-66483 for IPS detection.
exchange CVE-2026-42897: every news outlet is calling this "RCE." it isn't. it's OWA XSS — and the threat model is completely different.
CVE-2026-42897 in on-prem Microsoft Exchange Server is being reported as RCE across every major security outlet this week. It is not RCE. CWE-79 — Cross-Site Scripting in Outlook Web Access. The bug fires when a victim opens a crafted email in OWA. JavaScript executes in the victim's authenticated browser session, not on the Exchange server. That distinction completely changes the response playbook: the box is not owned, the user's session is. Patch posture: no permanent fix for Exchange 2016/2019 unless you're enrolled in the Period 2 paid Extended Security Updates program. Exchange SE will receive the public patch. Exchange Online: not affected. This post: why every outlet has the framing wrong, what the post-XSS hunt actually looks like (inbox-rule abuse, EWS post-message-read patterns, MSExchange Management event log), the EEMS M2 mitigation everyone should already have auto-applied, the manual EOMT path for air-gapped boxes, and the PowerShell block to hunt persistence in the last 24 hours. CISA KEV due date for federal mitigation: 2026-05-29.
tanstack npm supply-chain compromise: 84 malicious package versions, a self-spreading worm, and a file-watcher wiper that triggers if you try to revoke your tokens
On May 11 2026 at 19:20 UTC the TanStack ecosystem on npm was compromised. 42 packages, 84 malicious versions, published in a six-minute window with valid Sigstore provenance. The attacker chained three GitHub Actions vulnerabilities — pull_request_target pwn-request, cache poisoning, and runner-process OIDC token extraction — to mint a valid npm publish token and ship malicious releases of @tanstack/react-router, @tanstack/start, @tanstack/solid-router, @tanstack/vue-router and dozens more. The payload harvests AWS / GCP / Kubernetes / Vault / GitHub / npm / SSH credentials and exfils over Session messenger (not HTTP — most egress filters won't catch it). It self-propagates by minting npm tokens for every other package the victim publishes, with forged Sigstore attestations. And it installs a file watcher on the host that detects API-key revocation attempts and triggers a destructive wiper payload — try to clean up from the compromised box and the box gets nuked. This post: full list of 42 affected packages with bad and safe versions, the deobfuscated payload capability matrix, all IOCs (file hashes, persistence locations, network indicators), and the correct air-gap-first remediation order (revoke from a different machine, image before you wipe, block *.getsession.org at the egress). Campaign: Mini Shai-Hulud — same crew that hit Mistral, UiPath, Squawk, Intercom, Lightning AI, SAP CAP. 169+ packages this wave.
ivanti EPMM CVE-2026-6973: the 'RCE' everyone's misreading. it's authenticated admin RCE, and that changes the playbook.
Ivanti disclosed CVE-2026-6973 in Endpoint Manager Mobile (EPMM): an authenticated admin RCE actively exploited in the wild. CVSS 7.2. Patched in 12.6.1.1 / 12.7.0.1 / 12.8.0.1. Most news coverage drops the 'authenticated' qualifier and treats this as a generic 0-day RCE. It's not. The auth requirement means your real threat model is 'attacker who has, or can get, admin creds' (phishing, password spray, breach corpus) not 'any internet scanner.' Different posture, different mitigation, different rotation list. This post: who's actually exposed (internet-facing admin consoles), the post-exploit blast radius (full mobile device control plane — push apps, push certs, push VPN configs to every managed device), the detection commands for admin-session anomalies, the patch order across HA pairs, the post-patch credential rotation list most teams skip, and the medium-term architecture fix (admin console off the public internet, period).
cPanel CVE-2026-29201, 29202, 29203: arbitrary file read, Perl code injection, DoS. three bugs in one disclosure, and the perl one is RCE.
cPanel disclosed and patched three CVEs on May 8, 2026 affecting cPanel & WHM and the WP Squared platform. CVE-2026-29201 is an arbitrary file read in the cPanel daemon (exposes /etc/userdomains, mysql credentials in ~/.my.cnf, api tokens, and the whostmgr admin secret). CVE-2026-29202 is Perl code injection in the handler dispatcher that lands as the cPanel user, chainable with any kernel local-privesc to escape tenant isolation and pivot across every customer on the box. CVE-2026-29203 is a DoS on the WHM daemon that becomes a force multiplier during IR. The detection runbook for cPanel admins: version check, world-writable Perl handler audit, access log grep for pre-disclosure 0day attempts, the patch order, customer communication template, the long-tail problem of customer-installed Perl scripts that aren't covered by the cPanel patch, and the full IR runbook if you find evidence of compromise.
PAN-OS CVE-2026-0300: an unauthenticated root RCE in the firewall you paid $80K for. Patch order, detection, what to do tonight.
Palo Alto Networks confirmed today (May 6, 2026) that CVE-2026-0300 — an unauthenticated buffer overflow in the PAN-OS User-ID Captive Portal yielding full root RCE — is being actively exploited in the wild. CVSS 9.3. Patches stagger to May 13/22/28. This post is the defender's runbook: what the captive portal exposes (your SSL decryption keys, GlobalProtect secrets, syslog forwarding), the post-exploitation pattern observed in early IR, detection commands for the management plane, the patch order across HA pairs, the workaround if you can't patch tonight, and what to do if you find evidence of compromise. If you operate Palo Alto firewalls, read this before lunch.
The new phishing campaign weaponizing Google + Outlook calendar invites — credential theft, OTP interception, and RMM in one click.
GBHackers and a handful of corporate IR teams broke a US-targeting campaign today: fake calendar invites — sent through legitimate Google Calendar / Outlook scheduling APIs — land credential-phishing pages that capture username + password + TOTP, then drop signed RMM agents (ConnectWise, TeamViewer, Atera, Splashtop) for unattended remote access. Calendar invites bypass every gut-check users have been trained on. This post: the exact KQL hunts for unauthorized RMM installs, Exchange Online transport rules to quarantine suspicious invites, OAuth-grant audits in Google Workspace, mandatory hardware-key migration for execs, and the full IR playbook if a workstation has been popped.
Apache HTTP/2 CVE-2026-23918: a double-free in the protocol everyone runs. The patch order, detection, and why CVSS 8.8 understates the risk.
Apache pushed an HTTP Server security release yesterday (May 5, 2026) patching CVE-2026-23918 — a double-free in mod_http2's stream-reset path that the ASF describes as 'double free and possible RCE.' CVSS 8.8. Apache HTTP runs on 22-31% of internet-reachable web servers and HTTP/2 has been the default since 2.4.17. Detection commands for HTTP/2 advertisement across your fleet, container-image rebuild order, the access-log fingerprint of exploitation, and the simple workaround (disable HTTP/2 with one Protocols line) if you can't patch in 48 hours. The patch matrix across Debian, Ubuntu, RHEL, Amazon Linux, and the cloud-managed Apache services is laid out below.
MetInfo CMS CVE-2026-29014: a 9.8 PHP code-injection RCE in a CMS most Western admins have never heard of. The detection runbook for the long tail.
VulnCheck published yesterday on CVE-2026-29014 — an unauthenticated PHP code-injection RCE in MetInfo CMS 7.9, 8.0, 8.1. CVSS 9.8. The campaign has been running since April 5 against the Chinese-language SMB CMS that dominates the Asian-diaspora SMB website market in the US, Canada, Australia, and Europe. If you operate shared hosting, you have MetInfo installs in your customer base you don't know about. The detection runbook: find every MetInfo across customer accounts (one find command), version-scan each install, hunt for the campaign's signature webshells, mod_security rules to block the vuln URL pattern at the host level, and the customer-communication workflow for proprietors who don't speak English.
The NHS just walled off hundreds of GitHub repos because of Anthropic Mythos. The institutional reaction has started.
The Register reports the UK's NHS has ordered tech leaders to wall off hundreds of public GitHub repos over advanced-AI scanning concerns, naming Anthropic's Mythos directly. This is the first major government-scale institutional reaction to Mythos-class capability. Tre called this in March; here's the playbook every defender should run in the next ten business days — repo inventory, gitleaks + trufflehog full-history sweep, the four-question test, default-private new repos, and the OSS hardening checklist for libraries you have to keep public.
Weaver E-cology CVE-2026-22679: a 9.8 RCE actively exploited since mid-March. The patch + IR runbook.
CVSS 9.8 unauthenticated RCE in Weaver E-cology via /papi/esearch/data/devops/ — actively exploited since mid-March 2026, weeks before today's public disclosure. Affects E-cology 10.0 prior to build 20260312. E-cology is the dominant OA platform across China and a hidden footprint in Western multinationals via their Chinese subsidiaries. Owning E-cology = owning every contract, HR record, and approval that flowed through the company. Detection commands, exact patch order, JSP webshell hunting, database compromise audit, PIPL/GDPR/state-law notification obligations, and the Tre-pattern-recognition take on enterprise admin platforms exposed to the public internet.
Itron disclosed an internal network breach via SEC 8-K. The utility you've never heard of runs your power meter.
Itron — the smart-meter and utility-software vendor used by ~8,000 utilities globally — filed an 8-K disclosing internal-network compromise in late April 2026. The disclosure is light on detail. The pattern is heavy. OT vendor breaches inherit the trust relationships the vendor has with hundreds of utility customers simultaneously. This is the Volt Typhoon shape applied to civilian critical infrastructure. What utility CISOs ask Itron, what they audit internally, and why SEC 8-K disclosures are a poor instrument for understanding the actual incident.
cPanel CVE-2026-41940: 40,000 servers hit by "Sorry" ransomware. The exact patch order to run today.
BleepingComputer and SecurityWeek are reporting 40,000+ cPanel servers compromised in an ongoing 'Sorry' ransomware wave exploiting CVE-2026-41940 — an authentication bypass in WHM that hands attackers root-equivalent control of shared-hosting boxes. This is the defender's runbook: detection commands, exact patch order, what to rotate, what to do if Sorry.txt is already in /home/, and what to demand from your hosting provider in the next 48 hours.
Mini Shai-Hulud: the SAP npm worm that runs before `npm install` finishes
Four SAP-published npm packages (mbt, @cap-js/sqlite, @cap-js/postgres, plus a fourth pending disclosure) got poisoned with a worm that runs in the preinstall hook — meaning malicious code fires before npm install even resolves the dependency tree. Steals AWS / GCP / Azure credentials, GitHub tokens, Cursor and Claude Code auth, and every .env in the working directory. Persists in the local npm cache so future installs of unrelated packages re-trigger the payload. Here's how to detect, contain, and finally fix the npm threat model with ignore-scripts=true.
Zero-day discovery at machine speed: what changes when AI does the bug hunting
CybersecurityNews reports threat actors automating zero-day discovery and exploitation at machine speed. From the offensive seat: a working pentester walks through what AI-augmented vuln research actually looks like in production, why short-term offense advantages will flip to long-term defensive economics within 5 years, and the 7-step priority list every defender should run in the next quarter. Includes specifics on Anthropic's Mythos / Glasswing program, GitHub Advanced Security with Copilot Autofix, Snyk DeepCode, Semgrep Pro, and what to do if your CI pipeline still doesn't run AI-driven SAST in 2026.
ADT got popped because someone called the help desk. 5.5 million records out the door.
ADT confirmed a 5.5M-customer data breach in late April 2026. The chain, per ShinyHunters and corroborated by ADT's disclosure: vishing call to the help desk, Okta MFA reset, Salesforce bulk export. Same playbook as MGM, Caesars, Coinbase, M&S, Co-op, Harrods. The help desk is the choke point. Multi-channel verification, SSO reset alerting, and Salesforce Event Monitoring break the chain — none of which most companies have deployed.
CVE-2026-33824: an unauthenticated 9.8 in Windows IKE. The next WannaCry shape, if it gets weaponized.
Microsoft's April 2026 Patch Tuesday shipped a fix for an unauthenticated, network-reachable, no-user-interaction RCE in Windows IKE Service Extensions. CVSS 9.8. UDP 500/4500. Affects Windows Server 2016-2025, all Windows 10/11. Microsoft assessed exploitation 'more likely.' This is the WannaCry shape — wormable, pre-auth, exposed at scale on Always On VPN deployments. Patches landed April 14. The window before public PoC closes is short.
PyTorch Lightning shipped credential-stealing malware to PyPI for 42 minutes. Every AI/ML team is a target.
On April 30, 2026, an attacker pushed malicious lightning 2.6.2 and 2.6.3 to PyPI. Forty-two minutes live before quarantine — long enough to hit any CI run with floating dependencies in the window. The payload steals env vars, cloud credentials, and GitHub tokens, then propagates via cached git creds. Mini Shai-Hulud campaign. AI training infrastructure is the dominant victim profile because CI runners hold the highest-value credentials in the industry.
GitPython's command injection (GHSA-rpm5-65cw-6hj4): the multi-options bypass and what it means for your CI runners.
Two GitPython advisories on April 26 2026 — both command-injection bugs that fire when validation runs before the shlex.split transformation that introduces the injection vector. GitPython is the silent dependency in CI runners, repo-scanning security tools, AI agent frameworks that read repos, and webhook handlers. If user input reaches multi_options, it's RCE. The validate-the-final-form-not-the-input-form pattern, plus a fix-flow audit checklist for every callsite.
OpenAI leaked GPT-5.5, arcanine, and glacier-alpha for a few minutes. Nobody is calling it what it is.
On April 22 2026, OpenAI's Codex model picker briefly surfaced four unreleased models — GPT-5.5, oai-2.1, arcanine, and multiple glacier-alpha checkpoints — to a slice of Pro users before the picker was pulled. The AI press is covering it as a hype story. In product-security terms it is a textbook feature-flag exposure: an internal-only UI leaked across the staff-to-customer tenant boundary. Breakdown of the six failure modes that produce this class of bug, what actually leaked beyond the names, and why AI labs should stop treating release hygiene as a marketing concern.
I built an npm audit tool in one night and ran it on my own site
I shipped npm-postinstall-audit last night. Zero runtime deps, stdlib only Node, parses npm / pnpm / yarn lockfiles, flags lifecycle scripts against ten attack patterns. First thing I did was run it on my own site. It fired three false positives on legitimate es-shims polyfills. Here's what the tool caught, what I tuned in v0.2.0, and why typosquat detection without an allowlist is unusable.
MCP Server Security: The 2026 Attack Surface No One Is Auditing
Every engineering org is deploying MCP servers and almost nobody is auditing them. This post walks the MCP threat model in April 2026: prompt injection into tool arguments, credential theft via exposed resources, supply chain compromise of MCP packages, SSRF via fetch tools, and session hijack on shared servers. Plus a 10-point MCP audit checklist we use on client engagements.
Salesforce Guest User Enumeration: How Attackers Pull 45M Records ShinyHunters-Style
Technical anatomy of the Salesforce Experience Cloud guest user attack behind McGraw-Hill's 45M record breach. Five misconfigurations that enable it (public objects on guest profile, sharing rules rolled up via hierarchy, API access enabled for guests, Apex without sharing, related lists leaking data). Detection signals, audit checklist, and remediation steps. Same pattern hit AT&T, Ticketmaster, Santander.
Vercel April 2026 Security Incident: The Env-Var Rotation Runbook
Vercel disclosed on April 18-19 that a compromised third-party AI tool's Google Workspace OAuth app gave attackers read access to environment variables not marked Sensitive. This is the focused rotation runbook: what to rotate, in what order, how to propagate to systems that share the secret, and a 10-point hardening checklist to reduce blast radius on the next platform incident.
April 2026 Breach Wave: Vercel, McGraw-Hill, Adobe, Rockstar, Drift Protocol
Five high-profile breach disclosures hit in April 2026. Vercel disclosed on April 18-19 that a compromised third-party AI tool's OAuth app gave attackers read access to environment variables not marked Sensitive. McGraw-Hill lost 45M Salesforce records to ShinyHunters. Rockstar Games hit again. Drift Protocol lost $280M after a 6-month recon operation. Adobe leaked 13M support tickets. Walkthrough of each incident and what to do about Vercel's in particular if you run on the platform.
Fake Americans, Real Influence: Inside State-Sponsored Propaganda
Russia's IRA reached 126 million Americans. China's GoLaxy leak revealed 3,692 AI personas targeting US officials. A threat intelligence investigation into foreign state propaganda operations and defensive opsec.
A Hacker Spent Two Years Earning Trust to Backdoor the Internet
The XZ Utils backdoor (CVE-2024-3094) was a near-miss supply chain attack three years in the making. Systemd's liblzma dependency turned into an SSH RCE by nation-state patience. A supply chain security and threat intelligence case study.
Medusa Ransomware in 2026: CISA Advisory Walkthrough + The Defensive Baseline
CISA AA25-071A walked through. What Medusa actually does across initial access, privilege escalation, lateral movement, exfiltration, and encryption. The 11 technical controls that break the chain at multiple stages. Detection indicators mapped to specific TTPs. The incident response playbook for when you get hit.
RansomHub: The Affiliate-Led Operation That Absorbed LockBit Crew
Post-Operation-Cronos, LockBit affiliates migrated. RansomHub became the largest operation by victim count in 2025 with explicit 90% affiliate share recruitment. The affiliate model means the playbook persists across takedowns. Change Healthcare double-extortion, Halliburton, Kawasaki. Defensive priorities that hold regardless of which brand runs the operation next.
Every Person on the Video Call Was Fake: The $25.6 Million Deepfake Heist
In 2024, a Hong Kong finance worker wired $25.6 million after a deepfake video call with his CFO. Social engineering is entering a new era. Incident response and security awareness training for the deepfake threat era.
The Backup Strategy That Actually Survives Ransomware in 2026
Most backup strategies fail against modern ransomware. Attackers encrypt backups before encrypting production. Here is the 3-2-1-1-0 backup architecture that actually works and the specific configurations that prevent the attacker from destroying your recovery path.
Scattered Spider / UNC3944: The English-Speaking Crew Still Running The Casino Playbook
Scattered Spider is the most-discussed threat actor of the last three years. English-speaking, young, affiliate-aligned with ALPHV then RansomHub then DragonForce. The specific help-desk-to-Okta-to-cloud playbook that burned MGM and Caesars. Why social engineering beats technical controls. And the defensive baseline that actually breaks the chain.
Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.
Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.
Your AI Chatbot Is a Fancy Calculator. Here Is Why.
LLMs are next-token prediction engines, not reasoning machines. A technical takedown of AI sentience claims with implications for cybersecurity, social engineering, and threat intelligence.
OWASP Top 10 for LLM Applications: The 2026 Walkthrough
Category-by-category walkthrough of the OWASP Top 10 for LLM Applications (2025 edition). Real attacks per category (Samsung ChatGPT leak, LangChain CVEs, Air Canada chatbot, Microsoft AI training data leak), practical mitigations, and the detection patterns that map to each. A requirements checklist for any product shipping an LLM.
The Claude Code Source Leak: How Anthropic Shipped Their Own Crown Jewels via npm
March 31 2026: Anthropic accidentally published the complete Claude Code source as a 59.8 MB source map bundled into @anthropic-ai/claude-code v2.1.88 on npm. ~513K lines of unobfuscated TypeScript across 1,906 files, including feature flags for unreleased capabilities, mirrored to GitHub within hours. A Bun build default + missing .npmignore did it. What leaked, why it happened, and the pre-publish CI gate every dev team should add today.
Claude Mythos 2 Preview: What Anthropic Just Shipped for Cybersecurity
Anthropic's April 2026 preview of Claude Mythos 2 claims breakthrough autonomous vulnerability research. We dig into what it actually does, what it does not, and what it means for pentest firms, bug bounty programs, and the 0-day market.
Tor Browser Hardening: What the Defaults Don't Protect You From
Tor Browser out of the box is the strongest anonymity tool available to consumers. It's also defeated regularly by users who think downloading it is enough. A practical guide to what Tor actually protects against, the common mistakes that deanonymize users, and the configuration and operational changes that make Tor usable as a real privacy tool.
16 Billion Credentials Leaked in 2025: The Infostealer Epidemic
Infostealer malware like RedLine, Raccoon, and Lumma exfiltrated 3.2 billion credential records in 2025. The silent pipeline between personal device compromise and corporate ransomware attacks. A threat intelligence and incident response analysis.
How to Check if Your Data Is on the Dark Web: The Actually-Useful Guide
Skip the $30/month "dark web scan" services. HIBP, Mozilla Monitor, DeHashed, data broker searches, Google dorking. Class-by-class response for each type of exposure (email + password, phone, home address, full identity, medical). Credit freeze, IP PIN, phone number hardening. The realistic ongoing-hygiene program that works.
Your Phone Got Hacked and You Did Nothing Wrong
Pegasus, Predator, and other nation-state spyware deploy zero-click exploits that require no user interaction. A threat intelligence and mobile security explainer on NSO Group-class surveillance.
Phishing Defense 2026: Why the Old Controls Stopped Working and What Replaces Them
Phishing adapted faster than defenses. Adversary-in-the-middle proxies defeat ordinary MFA. OAuth consent phishing skips MFA entirely. AI-generated personalization at industrial scale. Vendor thread hijacking. This is the complete 2026 phishing defense guide. Every attack variant in current use. Five defense layers. Conditional access. OAuth consent governance. The honest limits of user training. Incident response flow.
How North Korea Stole $6.75 Billion in Cryptocurrency
The Lazarus Group accounted for 60% of all cryptocurrency losses in 2024. $1.34 billion from a single Bybit breach. North Korea's cyber operations directly fund nuclear weapons. A threat intelligence and incident response deep dive.
Ransomware Defense: The Complete Playbook for 2026
Monday 3:47 AM. Your phone rings. Systems are down. A ransom note wallpapered across every server. This is the complete ransomware defense playbook for 2026. Current threat landscape with the modern playbook operators actually run. The ten prevention controls that move the needle. Detection. The six-phase incident response procedure. Pay-or-don't-pay decision framework. Recovery timelines by organization size. Insurance reality. Specific 2026 patterns.
23andMe: Why Genetic Data Breaches Never Heal
Your password can be changed. Your credit card can be reissued. Your genetic code cannot. The 2023 23andMe breach exposed personal and genetic information of nearly 7 million users, data that will be usable against them for the rest of their lives and their children's lives. A deep dive into the breach, the unique permanence of genetic data exposure, and what every consumer DNA test user should understand.
Incident Response Plan: The Complete Template + Implementation Guide for 2026
I've reviewed maybe 60 IR plans in three years. Maybe five would survive first contact with a real incident. The rest are compliance artifacts. This is the complete 2026 IR plan + implementation guide. Three-document structure. Incident Commander role. Severity classification that drives response. Phase framework. Six specific scenario runbooks. Exercise cadence. Reporting obligations across federal, state, international. Insurance + legal coordination.
BCP + DR Complete Guide: Testing, RTO/RPO, and What Breaks in Real Incidents
Most BCPs are paper artifacts produced once, never tested. This is the complete BCP + DR guide. BCP vs DR distinction. Business Impact Analysis. RTO/RPO target setting that isn't aspirational. Testing cadence (tabletop, partial, full DR, scenario-specific). Cloud-native + SaaS-dependent architecture patterns. Backup strategy integration. The 10 failure patterns we see in post-incident BCP reviews. Budget framework.
The Zero-Day Broker Market: How Governments Buy the Exploits That Spy on You
A working iOS zero-click exploit chain costs $10 million. A Chrome sandbox escape goes for $500,000. An Android full-chain is worth $5 million. The zero-day vulnerability brokerage market is a multi-billion-dollar industry that exists to sell exploits to governments. A deep dive into the players, the prices, the ethics, and what this means for the rest of us.
After LockBit: The Ransomware Landscape in 2026
Operation Cronos took down LockBit's infrastructure in February 2024. Two years later, ransomware is up 49%, healthcare is bleeding, and a dozen successor groups (Anubis, Lynx, TridentLocker, Qilin, Akira) have filled the vacuum. What the takedown actually achieved, what it didn't, and what CISOs should expect from the 2026 ransomware landscape.
Volt Typhoon: The Chinese APT Already Inside US Critical Infrastructure
Volt Typhoon is a Chinese state-sponsored APT that has pre-positioned on US critical infrastructure networks (water treatment, electrical grid, telecommunications) for years. Their strategy isn't espionage in the traditional sense. It's preparation to disrupt civilian systems at the moment of a geopolitical crisis. A deep dive into what the group is, what they've achieved, and what defenders should be doing.
Docker Registry Security: Anonymous Pulls, Image Tampering, and the Default Nobody Should Use
Docker Registry is where your container images live. Every production Docker deployment pulls from a registry on every deploy. The default Docker Registry deployment is exposed, unauthenticated, and allows image tampering. A practical walkthrough of the attack surfaces, metadata leakage, and the hardening every self-hosted Docker Registry needs. Plus when to stop self-hosting and use a managed alternative.
China Hacked America's Wiretap System. And They're Probably Still Inside
Chinese state-sponsored Salt Typhoon compromised US telecom carriers including AT&T, Verizon, and T-Mobile. The lawful intercept systems used for surveillance got owned. CISA called it the largest telecom hack in US history. A threat intelligence and nation-state cyber attack investigation.
GitHub Actions: How Pull Requests Exfiltrate Your Production Secrets
GitHub Actions is one of the most over-privileged, under-hardened CI/CD platforms in production. A malicious pull request against a public repo with the wrong workflow configuration can exfiltrate every secret in your GitHub organization. Production AWS keys, Stripe tokens, private repo access, everything. The specific attack patterns, the fix matrix, and the hardening checklist every engineering team should have.
SMS Two-Factor Is a $26 Million Lie
SIM swap attacks have stolen $200+ million in cryptocurrency from SMS-based 2FA users. Passkeys and hardware security keys are the only reliable defense. An authentication security and threat intelligence guide.
Jenkins: From Anonymous Read to Full RCE
Jenkins with anonymous read enabled exposes Groovy Script Console for authenticated remote code execution. Compromise one CI/CD server and you own every credential, every pipeline, every repo, every production deployment. A supply-chain attack and penetration testing walkthrough.
Sentry: Your Error Tracker Is Leaking Secrets
Sentry captures stack traces and error context, which routinely includes API keys, database URLs, and session tokens. Public Sentry orgs leak these during error reporting. A recurring finding in application security penetration tests and vulnerability assessments.
Supabase: When Row-Level Security Isn't Enough
Row-Level Security is Supabase's primary access control mechanism. But RLS only protects PostgREST queries. It doesn't cover service_role keys hardcoded in client bundles, anon key abuse through realtime channels, or storage bucket ACL misconfigurations that lead to data breaches. A penetration testing walkthrough for Supabase security audits.
Cloud Security Incident Response: The Complete Playbook for AWS, Azure, and GCP
It's 2:14 AM. Your phone rings. Unusual outbound data transfer from a production EC2 instance. The cloud IR playbook you didn't write is now mission-critical. This is the complete cloud IR guide. Pre-incident preparation (break-glass, IR roles, logging architecture). Six-phase IR process. AWS / Azure / GCP-specific playbooks. Common attack patterns in 2026. When to bring in external forensics.
Firebase: Anonymous Auth With Open Firestore Rules
Firebase allows anonymous authentication by default. Combined with permissive Firestore security rules, the infamous allow read, write: if true gives any visitor full read/write access to every collection. This is a top source of cloud data breaches we uncover during Firebase penetration testing and security audits.
Elasticsearch: The Open Cluster Epidemic
Elasticsearch ships with no authentication by default. The _search endpoint returns every indexed document, _cat/indices lists every index, and _cluster/settings exposes internal configuration. Thousands of clusters are publicly exposed with customer PII, logs, and credentials. A recurring pattern in data breach forensics and vulnerability assessments.
Redis: CONFIG GET requirepass Returns Empty
Redis deployed without authentication is one of the most exploited misconfigurations on the internet. Attackers use CONFIG SET to write SSH keys, webshells, and cron jobs for persistent remote code execution. A penetration testing reference for Redis security hardening and incident response.
