top of page
ALL POSTS
Phishing Attacks Surge Across Fortune 100: Employee Data Exposed at 86% of Companies
Key Findings 86% of Fortune 100 companies had employee data exposed through phishing attacks in the past 12 months 78% of large organizations experienced increased phishing volume over the past year 84% report AI-generated phishing attacks are becoming more prevalent or harder to defend against Phishing attacks now target enterprise users five times more frequently than malware infections Only 38% of organizations can confidently detect and respond to credential theft within
Jun 172 min read
Developer Laptops Emerge as Prime Target for Credential Theft in 2026, GitGuardian Reports
Key Findings Developer laptops have become the primary attack vector for supply-chain compromises, with attackers harvesting plaintext credentials to move laterally into production systems and cloud infrastructure GitGuardian launched Developer Endpoint Protection to address a critical gap where existing endpoint detection and identity tools miss secrets stored at rest on developer workstations Beta testing revealed an average of 150 secrets per developer laptop, with private
Jun 163 min read
Fileless Infostealer Attacks Target Claude Code Users Through Counterfeit Anthropic Platforms
Key Findings Active credential theft campaign targeting Claude Code users exploiting rapid AI tool adoption Attack chain begins with SEO poisoning directing victims to spoofed Anthropic installation pages Fileless infostealer uses MP3/HTA polyglot payload and in-memory execution to evade detection Command and control infrastructure routes through Russian IP infrastructure at 185.177.239.255 Anthropic's systems have not been compromised; attack targets individual users lacking
May 313 min read
PCPJack Cloud Worm: Exploiting 5 CVEs to Steal Credentials and Spread Across Systems
Key Findings PCPJack is a credential theft framework targeting exposed cloud infrastructure across Docker, Kubernetes, Redis, MongoDB, and RayML The malware exploits five CVEs (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703) to spread worm-like across networks PCPJack actively removes TeamPCP artifacts from compromised systems, suggesting possible connection to former TeamPCP members Stolen credentials are exfiltrated via Telegram and include acc
May 73 min read
Microsoft Exposes Large-Scale Phishing Campaign Targeting 35,000 Users in 26 Countries
Key Findings Large-scale credential theft campaign targeted over 35,000 users across 26 countries between April 14-16, 2026 92% of targets were located in the U.S. across 13,000 organizations Healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology sectors (11%) were primary targets Attackers used legitimate email delivery services to distribute phishing messages disguised as internal code of conduct reviews Campaign employed..
May 54 min read
Bitwarden CLI Compromised in Supply Chain Attack Through Checkmarx
Key Findings Bitwarden CLI version 2026.4.0 was compromised through a malicious GitHub Action in the project's CI/CD pipeline, affecting the npm distribution mechanism The attack was part of the ongoing Checkmarx supply chain campaign, likely orchestrated by threat actor TeamPCP Malicious code in bw1.js executed a preinstall hook that stole GitHub tokens, npm credentials, SSH keys, cloud secrets, and shell history Stolen data was exfiltrated to a fake Checkmarx domain (audit.
Apr 243 min read
Hidden Passenger: Taboola's Routing of Authenticated Banking Sessions to Temu Exposed
Key Findings A European bank's approved Taboola pixel silently redirected authenticated users to a Temu tracking endpoint without bank knowledge or user consent The redirect chain exploited "first-hop bias" — security tools validate the declared origin domain but not the runtime destination of 302 redirects Temu's tracking pixel included Access-Control-Allow-Credentials headers, enabling cross-origin cookie access to the banking session Standard security controls including WA
Apr 173 min read
Marimo RCE Vulnerability CVE-2026-39987 Under Active Exploitation Since Disclosure
Key Findings Critical RCE vulnerability CVE-2026-39987 in Marimo (CVSS 9.3) exploited within 9 hours 41 minutes of disclosure Unauthenticated attackers can obtain full interactive shell access on exposed instances through /terminal/ws WebSocket endpoint Affects all Marimo versions up to 0.20.4; patched in version 0.23.0 Unknown threat actor built working exploit from advisory alone, with no public PoC available Attacker conducted credential theft operation and reconnaissance,
Apr 102 min read
Massive CVE-2025-55182 Exploit Campaign Compromises 766 Next.js Servers in Credential Theft Attack
Key Findings At least 766 Next.js hosts across multiple geographic regions and cloud providers compromised through CVE-2025-55182 exploitation Threat cluster UAT-10608 attributed to the campaign by Cisco Talos Critical vulnerability (CVSS 10.0) in React Server Components and Next.js App Router enables remote code execution NEXUS Listener framework deployed post-compromise to harvest and exfiltrate credentials via web-based GUI Stolen data includes database credentials, SSH ke
Apr 32 min read
Fake Resumes and Malicious npm Packages: New Attack Vector Targeting Enterprise Credentials and Crypto Assets
Key Findings Campaign named FAUX#ELEVATE targets French-speaking corporate environments using fake resume documents delivered via phishing emails Heavily obfuscated VBScript files contain only 266 lines of executable code out of 224,471 total lines, with the rest being junk comments to evade detection Attack completes full infection chain in approximately 25 seconds, from initial execution through credential exfiltration Malware exclusively targets domain-joined enterprise ma
Mar 243 min read
bottom of page
