ALL POSTS

Key Findings Vulnerability in Anthropic's Claude Chrome extension allowed zero-click prompt injection from any website without user interaction or permission prompts Attack chains two flaws: overly permissive origin allowlist and DOM-based XSS in Arkose Labs CAPTCHA component Successful exploitation could enable data theft, access token compromise, conversation history access, and account takeover Patch deployed December 27, 2025 (version 1.0.41); Arkose Labs fixed XSS compon

Key Findings Coruna iOS exploit kit uses an updated version of the kernel exploit from Operation Triangulation, a sophisticated 2023 iOS APT campaign The exploit kit includes five full exploit chains and 23 total exploits, targeting iOS 13.0 through 17.2.1 Coruna contains four additional kernel exploits not seen in Triangulation, two developed after the original campaign's discovery Code analysis reveals Coruna was designed with unified architecture rather than patchworked co

Key Findings Russian authorities arrested the alleged administrator of LeakBase, a major cybercrime marketplace operating since 2021 The suspect, a resident of Taganrog, is accused of running a platform with over 147,000 users trading stolen data and credentials LeakBase was dismantled in early March 2024 through "Operation Leak," a coordinated international effort involving 14 countries The forum hosted hundreds of millions of compromised account credentials, financial infor

Key Findings In September 2025, a state-sponsored threat actor deployed an AI coding agent that autonomously targeted 30 global organizations, handling 80-90% of tactical operations without human intervention AI agents operating inside corporate environments bypass traditional kill chain detection by leveraging legitimate access, permissions, and data workflows they were granted at deployment The OpenClaw crisis revealed that 12% of marketplace skills were malicious, with com

Key Findings GlassWorm campaign evolved to deliver multi-stage malware framework with data theft and remote access capabilities Operators use Solana blockchain transactions as dead drop resolvers to hide command-and-control infrastructure Malware includes hardware wallet phishing targeting Ledger and Trezor devices with fake recovery phrase prompts Chrome extension masquerading as "Google Docs Offline" steals browser data, cookies, and monitors cryptocurrency exchange session

Key Findings FCC bans all new foreign-made consumer routers from U.S. market effective immediately unless granted Conditional Approval by DoD or DHS Foreign routers pose unacceptable supply chain vulnerabilities and severe cybersecurity risks to critical infrastructure and American citizens Chinese state-sponsored actors including Volt Typhoon, Flax Typhoon, and Salt Typhoon have exploited compromised foreign routers to target U.S. critical infrastructure Ban applies only to

Key Findings Seven malicious npm packages tracked as "Ghost campaign" designed to steal cryptocurrency wallets and credentials Packages use sophisticated social engineering tactics including fake installation logs and sudo password phishing Attack chain culminates in remote access trojan capable of harvesting sensitive data and awaiting attacker commands Activity shares overlap with GhostClaw campaign, suggesting possible connection between threat actors Packages published un

Key Findings Campaign named FAUX#ELEVATE targets French-speaking corporate environments using fake resume documents delivered via phishing emails Heavily obfuscated VBScript files contain only 266 lines of executable code out of 224,471 total lines, with the rest being junk comments to evade detection Attack completes full infection chain in approximately 25 seconds, from initial execution through credential exfiltration Malware exclusively targets domain-joined enterprise ma

Key Findings Citrix released patches for two critical NetScaler vulnerabilities affecting ADC and Gateway products CVE-2026-3055 (CVSS 9.3) is a memory overread flaw allowing unauthenticated attackers to leak sensitive data from appliance memory Vulnerability only affects systems configured as SAML Identity Providers, not default configurations CVE-2026-4368 (CVSS 7.7) is a race condition causing session mix-ups in gateway and AAA server deployments No public exploits current

Key Findings 26-year-old Russian citizen Aleksei Olegovich Volkov sentenced to 81 months in prison for ransomware facilitation Volkov operated as initial access broker, providing unauthorized network access to ransomware groups including Yanluowang Facilitated dozens of attacks causing over $9 million in confirmed losses and $24 million in intended losses Arrested in Italy January 2024, extradited to U.S., pleaded guilty November 2025 Must pay $9.1 million in restitution to v

Key Findings Hundreds of organizations compromised through AI-generated phishing campaign leveraging Railway cloud platform Attackers achieved massive scale increase starting March 3, with 50+ new compromises daily as of late March Campaign exploits Microsoft device authentication flow, granting 90-day OAuth tokens without passwords or MFA Affected sectors include construction, law, nonprofits, real estate, manufacturing, finance, healthcare, and government Huntress identifie

Key Findings Eight validated attack vectors discovered across AWS Bedrock environments, spanning log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning Attack chains begin with low-level permissions and escalate to reach critical enterprise assets including Salesforce, SharePoint, Active Directory, and databases Knowledge bases and agents represent the highest-value targets due to their direct connectivity to

Key Findings North Korean threat actors tracked as WaterPlum are distributing StoatWaffle malware through malicious VS Code projects using the "tasks.json" auto-run feature The malware automatically executes when any file in a project folder is opened, with downloads occurring regardless of operating system StoatWaffle includes a credential stealer targeting browsers and a remote access trojan for command execution Attackers are targeting senior engineers, CTOs, and founders

Key Findings Single operator in China ran 373,000 fraudulent dark web sites offering CSAM and cybercrime services Operation Alice, led by German authorities with support from 23 countries, dismantled the network from March 9-19, 2026 Law enforcement seized 105 servers, identified 440 customers worldwide, and issued international arrest warrant for 35-year-old suspect Operator earned over €345,000 from roughly 10,000 customers through fake "packages" priced between €17 and €21

Key Findings Exploitation velocity doubled in 2025, with new vulnerabilities weaponized within days while decade-old CVEs remain reliably exploited Identity systems became the primary attack surface, with compromised credentials enabling stealthy lateral movement and environment-wide control Approximately 25% of top exploited vulnerabilities targeted shared frameworks and libraries, amplifying blast radius across industries APT investigations and ransomware operations increas

Key Findings CISA added five critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including three Apple flaws, one Craft CMS code injection, and one Laravel Livewire vulnerability Three Apple vulnerabilities are linked to active exploitation by the DarkSword iOS exploit kit Craft CMS flaws have been actively exploited in the wild to breach servers and steal data Laravel Livewire vulnerability is associated with Iran-nexus APT group MuddyWater Federal agenc

Key Findings Russian Intelligence Services-linked actors are conducting phishing campaigns targeting Signal and WhatsApp accounts of high-value targets including U.S. government officials, military personnel, politicians, and journalists Thousands of accounts have already been compromised worldwide through these operations Attackers bypass encryption by hijacking accounts rather than breaking encryption itself, using phishing to trick users into sharing verification codes or

Key Findings Oracle released an emergency patch for CVE-2026-21992, a critical remote code execution vulnerability in Identity Manager and Web Services Manager The flaw has a CVSS score of 9.8 and requires no authentication, allowing attackers to execute code over HTTP Affected versions are Identity Manager 12.2.1.4.0 and 14.1.2.1.0, plus Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0 Oracle classified the vulnerability as "easily exploitable" with low complexity No

Key Findings * Russian-aligned hackers targeting commercial messaging apps * Phishing campaigns compromising thousands of high-value accounts * Attacks do not break encryption, but exploit social engineering * Targets include government officials, military personnel, journalists * Methods involve tricking users into sharing verification codes or clicking malicious links Background Russian state-affiliated threat actors are conducting sophisticated phishing campaigns against p

Key Findings * TeamPCP cybercriminal group suspected behind supply chain attack * 47 npm packages compromised across multiple scopes * Self-propagating CanisterWorm uses ICP blockchain canister as command-and-control infrastructure * Attack leverages npm package postinstall hooks to execute malware * Worm can automatically spread using stolen npm authentication tokens * Decentralized C2 infrastructure makes takedown efforts difficult Background The supply chain attack targets