Threat Intelligence
How actual threat actors operate right now. Analysis of recent incidents, attack patterns, and defense implications.
32 posts in this cluster
Node.js April 2026 Security Release: Every CVE Explained, What to Patch First
Node.js shipped v24.14.1 LTS and v25.9.0 on March 30, 2026 with seven security fixes. Fastify followed with three patches. Next.js dropped v16.1.7 and v15.5.13 with five fixes. Here is the technical breakdown of every CVE and the priority order for patching.
Fake Americans, Real Influence: Inside State-Sponsored Propaganda
Russia's IRA reached 126 million Americans. China's GoLaxy leak revealed 3,692 AI personas targeting US officials. A threat intelligence investigation into foreign state propaganda operations and defensive opsec.
A Hacker Spent Two Years Earning Trust to Backdoor the Internet
The XZ Utils backdoor (CVE-2024-3094) was a near-miss supply chain attack more than two years in the making. On distributions that patch OpenSSH to link libsystemd, sshd pulls in liblzma, and the trojaned library hooked sshd's RSA key handling to hand the attacker pre-authentication remote code execution. A supply chain security and threat intelligence case study in nation-state patience.
Every Person on the Video Call Was Fake: The $25.6 Million Deepfake Heist
In 2024, a Hong Kong finance worker wired $25.6 million after a video call in which the CFO and every other participant was a deepfake. Social engineering is entering a new era; this is incident response and security awareness training for it.
The Backup Strategy That Actually Survives Ransomware in 2026
Most backup strategies fail against modern ransomware. Attackers encrypt backups before encrypting production. Here is the 3-2-1-1-0 backup architecture that actually works and the specific configurations that prevent the attacker from destroying your recovery path.
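The 3-2-1-1-0 rule is easy to recite and easy to satisfy on paper while still leaving a backup that the same domain admin account which runs production can delete. The checker below is an added example for this post, not the post's own code: the BackupCopy inventory format is an assumption made for illustration, and the extra twist it encodes is that the "1 immutable/offline" copy only counts if it lives in a credential domain separate from production.

```python
"""Checker for the 3-2-1-1-0 backup rule (added example, not the post's code).

The inventory format is assumed for illustration; the key idea is that an
offsite or immutable copy only counts when production credentials cannot delete it.
"""
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str            # "ssd", "nas-disk", "object-storage", "tape", ...
    auth_domain: str      # identity realm that can delete this copy, e.g. "corp-ad"
    offsite: bool
    immutable: bool       # object lock / WORM retention, or physically offline
    restore_errors: int   # errors in the last restore test; -1 means never tested
    is_primary: bool = False


def evaluate_3_2_1_1_0(copies: list[BackupCopy]) -> dict[str, bool]:
    """Return each 3-2-1-1-0 requirement and whether the inventory meets it."""
    primaries = [c for c in copies if c.is_primary]
    backups = [c for c in copies if not c.is_primary]
    primary_domains = {c.auth_domain for c in primaries}
    return {
        # 3 copies of the data, counting production
        "3_copies": len(copies) >= 3,
        # on 2 different media types
        "2_media": len({c.media for c in copies}) >= 2,
        # 1 copy offsite
        "1_offsite": any(c.offsite for c in backups),
        # 1 copy immutable or offline, AND not deletable with production credentials
        "1_immutable_isolated": any(
            c.immutable and c.auth_domain not in primary_domains for c in backups
        ),
        # 0 errors in the most recent restore test of every backup copy
        "0_errors": bool(backups) and all(c.restore_errors == 0 for c in backups),
    }


def survives_ransomware(copies: list[BackupCopy]) -> bool:
    return all(evaluate_3_2_1_1_0(copies).values())


# Constructed inventories for illustration.
TYPICAL = [
    BackupCopy("prod-db", "ssd", "corp-ad", offsite=False, immutable=False,
               restore_errors=0, is_primary=True),
    BackupCopy("nas-nightly", "nas-disk", "corp-ad", offsite=False, immutable=False,
               restore_errors=0),
    # Offsite, but the same domain admin who runs production can delete it,
    # and nobody has ever restored from it.
    BackupCopy("s3-weekly", "object-storage", "corp-ad", offsite=True, immutable=False,
               restore_errors=-1),
]

HARDENED = [
    TYPICAL[0],
    TYPICAL[1],
    # Object Lock in a separate account with its own credentials, restore-tested.
    BackupCopy("s3-weekly-locked", "object-storage", "aws-backup-account", offsite=True,
               immutable=True, restore_errors=0),
]

if __name__ == "__main__":
    for label, inventory in (("typical", TYPICAL), ("hardened", HARDENED)):
        print(label, evaluate_3_2_1_1_0(inventory), survives_ransomware(inventory))
```

The TYPICAL inventory passes the textbook "3-2-1" count and still fails, because its only offsite copy is deletable with the compromised admin's credentials and has never been restore-tested; that is the gap the article's configurations are meant to close.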
Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.
Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.
Your AI Chatbot Is a Fancy Calculator. Here Is Why.
LLMs are next-token prediction engines, not reasoning machines. A technical takedown of AI sentience claims with implications for cybersecurity, social engineering, and threat intelligence.
Supply Chain Attacks in Early 2026: The Pattern Across Four Major Incidents
Q1 2026 saw four major software supply chain incidents: a targeted npm package takeover, a compromised GitHub Actions marketplace action, an IDE extension that dropped malicious code, and a container image registry that served backdoored images. The pattern tells us what defenders need to prioritize.
Claude Mythos 2 Preview: What Anthropic Just Shipped for Cybersecurity
Anthropic's April 2026 preview of Claude Mythos 2 claims breakthrough autonomous vulnerability research. We dig into what it actually does, what it does not, and what it means for pentest firms, bug bounty programs, and the 0-day market.
Okta Rate Limit Abuse in 2026: What Scattered Spider Is Doing Now
Scattered Spider has evolved its Okta-targeted attacks since the 2023-2024 MGM and Caesars incidents. April 2026 intelligence shows the group hitting Okta tenants through a narrow rate-limit bypass combined with social engineering of help desk staff. Here is what we are seeing and the detection rules that work.
Tor Browser Hardening: What the Defaults Don't Protect You From
Tor Browser out of the box is the strongest anonymity tool available to consumers. It's also defeated regularly by users who think downloading it is enough. A practical guide to what Tor actually protects against, the common mistakes that deanonymize users, and the configuration and operational changes that make Tor usable as a real privacy tool.
16 Billion Credentials Leaked in 2025: The Infostealer Epidemic
Infostealer malware like RedLine, Raccoon, and Lumma exfiltrated 3.2 billion credential records in 2025. The silent pipeline between personal device compromise and corporate ransomware attacks. A threat intelligence and incident response analysis.
Your Phone Got Hacked and You Did Nothing Wrong
Pegasus, Predator, and other nation-state spyware deploy zero-click exploits that require no user interaction. A threat intelligence and mobile security explainer on NSO Group-class surveillance.
How North Korea Stole $6.75 Billion in Cryptocurrency
The Lazarus Group accounted for roughly 60% of all cryptocurrency stolen in 2024, about $1.34 billion, and then took roughly $1.5 billion in the single Bybit breach of February 2025. North Korea's cyber operations directly fund its nuclear weapons program. A threat intelligence and incident response deep dive.
23andMe: Why Genetic Data Breaches Never Heal
Your password can be changed. Your credit card can be reissued. Your genetic code cannot. The 2023 23andMe breach exposed personal and genetic information of nearly 7 million users, data that will be usable against them for the rest of their lives and their children's lives. A deep dive into the breach, the unique permanence of genetic data exposure, and what every consumer DNA test user should understand.
Microsoft April 2026 Patch Tuesday: SharePoint Zero-Day Exploited + Wormable TCP/IP RCE
Microsoft's April 2026 Patch Tuesday closed 167 flaws including an actively exploited SharePoint spoofing zero-day (CVE-2026-32201), a publicly known Defender privilege escalation, and a potentially wormable Windows TCP/IP RCE. Adobe patched a Reader zero-day that had been exploited for four months. A prioritized patching guide for every IT team.
The Zero-Day Broker Market: How Governments Buy the Exploits That Spy on You
A working iOS zero-click exploit chain costs $10 million. A Chrome sandbox escape goes for $500,000. An Android full-chain is worth $5 million. The zero-day vulnerability brokerage market is a multi-billion-dollar industry that exists to sell exploits to governments. A deep dive into the players, the prices, the ethics, and what this means for the rest of us.
The 12-Minute Heist: Inside the Drift Protocol $285M Exploit
Drift Protocol lost $285M in under 12 minutes on April 1, 2026, when North Korean attackers weaponized a fake token with $5,000 in seeded liquidity to manipulate oracles and drain the treasury. A deep dive into durable nonces, oracle hardening, and the smart contract audit checklist that would have caught every step.
Mr. Racoon and Adobe: Why a Leaked Bug Bounty Queue Is Worse Than the 13M Tickets
A threat actor calling themselves 'Mr. Racoon' breached Adobe in April 2026, dumping 13 million customer support tickets, 15,000 employee records, and, uniquely destructive, Adobe's entire bug bounty program submission queue. The first two categories are a standard bad day. The third is a vulnerability roadmap for every Adobe product.
Axios npm Backdoor: How 70 Million Weekly Downloads Got a North Korean RAT
On March 31, 2026, a social engineering attack on Axios maintainer jasonsaayman led to two backdoored npm releases, axios@1.14.1 and axios@0.30.4, that dropped the WAVESHAPER RAT on Windows, macOS, and Linux across an ecosystem that pulls Axios 70 million times a week. A post-mortem and the supply chain hardening checklist every engineering team needs.
After LockBit: The Ransomware Landscape in 2026
Operation Cronos took down LockBit's infrastructure in February 2024. Two years later, ransomware is up 49%, healthcare is bleeding, and a dozen successor groups (Anubis, Lynx, TridentLocker, Qilin, Akira) have filled the vacuum. What the takedown actually achieved, what it didn't, and what CISOs should expect from the 2026 ransomware landscape.
Volt Typhoon: The Chinese APT Already Inside US Critical Infrastructure
Volt Typhoon is a Chinese state-sponsored APT that has spent years pre-positioned on US critical infrastructure networks: water treatment, the electrical grid, telecommunications. Their strategy isn't espionage in the traditional sense. It's preparation to disrupt civilian systems at the moment of a geopolitical crisis. A deep dive into what the group is, what they've achieved, and what defenders should be doing.
Docker Registry Security: Anonymous Pulls, Image Tampering, and the Default Nobody Should Use
Docker Registry is where your container images live. Every production Docker deployment pulls from a registry on every deploy. The default Docker Registry deployment is exposed, unauthenticated, and allows image tampering. A practical walkthrough of the attack surfaces, metadata leakage, and the hardening every self-hosted Docker Registry needs. Plus when to stop self-hosting and use a managed alternative.
China Hacked America's Wiretap System. And They're Probably Still Inside
Chinese state-sponsored Salt Typhoon compromised US telecom carriers including AT&T, Verizon, and T-Mobile, and with them the lawful intercept systems used for court-authorized surveillance. Senator Mark Warner called it the worst telecom hack in US history. A threat intelligence and nation-state cyber attack investigation.
GitHub Actions: How Pull Requests Exfiltrate Your Production Secrets
GitHub Actions is one of the most over-privileged, under-hardened CI/CD platforms in production. A malicious pull request against a public repo with the wrong workflow configuration can exfiltrate every secret in your GitHub organization. Production AWS keys, Stripe tokens, private repo access, everything. The specific attack patterns, the fix matrix, and the hardening checklist every engineering team should have.
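The "wrong workflow configuration" is usually one of three things: a privileged trigger (pull_request_target or workflow_run) that checks out and runs the PR head, an attacker-controlled field such as the PR title interpolated straight into a run: line, and no permissions block so GITHUB_TOKEN gets the repository default. The scanner below is an added example for this post, not the post's own code or anything GitHub ships; it is a line-oriented heuristic over workflow text (no YAML library), and both sample workflows are constructed for illustration.

```python
"""Static check for pull_request_target footguns in a GitHub Actions workflow.

Added example, not the post's code. Heuristic, line-oriented scan; sample
workflows are constructed for illustration.
"""
import re

# Triggers that run in the base repo's context (secrets, writable GITHUB_TOKEN by
# default) even when the event originated from a fork.
PRIVILEGED_TRIGGER = re.compile(r"\b(?:pull_request_target|workflow_run)\b")
# actions/checkout pointed at the PR head: fork-controlled code gets executed.
CHECKOUT_PR_HEAD = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\b"
)
# Attacker-controlled fields that must never be interpolated into a shell line.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(?:event\.pull_request\.(?:title|body|head\.ref)"
    r"|event\.issue\.(?:title|body)|event\.comment\.body|head_ref)\s*\}\}"
)


def run_blocks(text: str) -> list[str]:
    """Return the body of every `run:` step, including `run: |` continuation lines."""
    lines, blocks, i = text.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"^(\s*-?\s*)run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, body = len(m.group(1)), [m.group(2)]
        i += 1
        # Continuation lines are indented deeper than the `run` key; a sibling key
        # such as `env:` sits at the same indent and ends the block.
        while i < len(lines) and (
            not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
        ):
            body.append(lines[i])
            i += 1
        blocks.append("\n".join(body))
    return blocks


def audit_workflow(text: str) -> list[str]:
    findings = []
    runs = run_blocks(text)
    if PRIVILEGED_TRIGGER.search(text) and CHECKOUT_PR_HEAD.search(text) and runs:
        findings.append("CRITICAL: privileged trigger checks out the PR head and runs it; "
                        "every secret the job can read is exposed to the PR author")
    for body in runs:
        for m in UNTRUSTED_EXPR.finditer(body):
            findings.append(f"HIGH: {m.group(0)} interpolated into a run step (script "
                            "injection); pass it through env: and quote it in the shell")
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append("MEDIUM: no permissions block; GITHUB_TOKEN falls back to the "
                        "repository default")
    return findings


# Constructed samples: the footgun and the corrected workflow.
VULNERABLE_WORKFLOW = """\
name: PR CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - run: echo "Testing ${{ github.event.pull_request.title }}"
"""

SAFE_WORKFLOW = """\
name: PR CI
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: echo "Testing $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, audit_workflow(wf) or ["no findings"])
```

The safe workflow shows the two cheap fixes: use the plain pull_request trigger (fork PRs then get no secrets and a read-only token) and move untrusted fields into env: so they reach the shell as data rather than as part of the script.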
SMS Two-Factor Is a $26 Million Lie
SIM swap attacks have stolen $200+ million in cryptocurrency from SMS-based 2FA users. Passkeys and hardware security keys are the only reliable defense. An authentication security and threat intelligence guide.
Jenkins: From Anonymous Read to Full RCE
Jenkins with anonymous read enabled hands an unauthenticated visitor job configurations, build logs, and credential IDs; once that leaks enough to obtain an administrator session, the Groovy Script Console gives remote code execution on the controller. Compromise one CI/CD server and you own every credential, every pipeline, every repo, every production deployment. A supply-chain attack and penetration testing walkthrough.
Sentry: Your Error Tracker Is Leaking Secrets
Sentry captures stack traces and error context, which routinely includes API keys, database URLs, and session tokens. Public Sentry orgs leak these during error reporting. A recurring finding in application security penetration tests and vulnerability assessments.
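The fix on the application side is to scrub events before the SDK ships them, which sentry_sdk supports through the before_send callback passed to sentry_sdk.init. The hook below is an added example for this post, not the post's own code or Sentry's: the callback signature (event, hint) is the real one, but the secret patterns, sensitive key names and the sample event are constructed for illustration, and the event dict is walked without importing sentry_sdk so it runs stand-alone.

```python
"""A before_send hook that scrubs secrets out of a Sentry event in-process.

Added example, not the post's code or Sentry's. Patterns and sample event are
constructed; register with sentry_sdk.init(dsn=..., before_send=before_send).
"""
import re

# Value patterns: credential-shaped strings wherever they appear (messages,
# breadcrumbs, frame locals, headers).
SECRET_PATTERNS = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[aws-access-key-id]"),
    (re.compile(r"\b[sr]k_(?:live|test)_[0-9A-Za-z]{10,}\b"), "[stripe-key]"),
    (re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^\s'\"]+"),
     "[database-url]"),
    (re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"), "[jwt]"),
    (re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.I), "Bearer [token]"),
]
# Key patterns: anything stored under a name like this is dropped outright.
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|authorization|cookie|session", re.I
)


def scrub(value):
    """Recursively scrub dicts, lists and strings; other scalars pass through."""
    if isinstance(value, dict):
        return {
            k: "[filtered]" if SENSITIVE_KEY.search(str(k)) else scrub(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        for pattern, replacement in SECRET_PATTERNS:
            value = pattern.sub(replacement, value)
        return value
    return value


def before_send(event, hint):
    """sentry_sdk calls this with the event dict; returning None would drop it."""
    return scrub(event)


# Constructed event resembling what the SDK captures on a DB connection failure.
SAMPLE_EVENT = {
    "message": "boto3 call failed with key AKIAIOSFODNN7EXAMPLE",
    "request": {
        "url": "https://api.example.com/v1/charge",
        "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln",
                    "User-Agent": "curl/8.0"},
    },
    "exception": {"values": [{
        "type": "OperationalError",
        "stacktrace": {"frames": [{
            "function": "connect",
            "vars": {"dsn": "postgres://app:hunter2@db.internal:5432/prod", "retries": 3},
        }]},
    }]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(before_send(SAMPLE_EVENT, {}), indent=2))
```

Scrubbing in the SDK complements, rather than replaces, Sentry's server-side data scrubbing: once a value has reached a third party it is already a disclosure, which is why the hook runs in the process that produced the error.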
Supabase: When Row-Level Security Isn't Enough
Row-Level Security is Supabase's primary access control mechanism, but RLS only constrains the roles it applies to. It does nothing about service_role keys hardcoded in client bundles (service_role bypasses RLS entirely), about anon key abuse through realtime channels, or about storage bucket policy misconfigurations that lead to data breaches. A penetration testing walkthrough for Supabase security audits.
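Telling a service_role key apart from the anon key in a shipped bundle needs no secret: Supabase's legacy API keys are HS256 JWTs whose payload carries iss="supabase", the project ref and a role claim, so the role is readable by anyone holding the token. The scanner below is an added example for this post, not the post's own code or Supabase's: it decodes every JWT-shaped string without verifying the signature and flags role == "service_role". The two sample keys are generated in the block with a throwaway secret, the sample bundle is constructed, and the sb_secret_ prefix check covers the newer non-JWT secret key format.

```python
"""Find Supabase service_role keys shipped in a client bundle.

Added example, not the post's code or Supabase's. Sample keys are signed here
with a throwaway secret; the scanner itself never needs the secret.
"""
import base64
import hashlib
import hmac
import json
import re


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: str) -> str:
    """HS256-sign a JWT; used only to build realistic sample keys."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying the signature (we only need to read it)."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(body))


JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SB_SECRET_RE = re.compile(r"\bsb_secret_[A-Za-z0-9_-]{10,}")  # newer non-JWT secret keys


def find_supabase_keys(bundle: str) -> list[dict]:
    """Return every Supabase key in the text with its role and whether it is server-side."""
    found = []
    for m in JWT_RE.finditer(bundle):
        try:
            claims = jwt_claims(m.group(0))
        except (ValueError, IndexError):
            continue  # JWT-shaped but not decodable
        if not isinstance(claims, dict) or claims.get("iss") != "supabase":
            continue
        role = claims.get("role")
        found.append({"offset": m.start(), "ref": claims.get("ref"), "role": role,
                      "dangerous": role == "service_role"})
    for m in SB_SECRET_RE.finditer(bundle):
        found.append({"offset": m.start(), "ref": None, "role": "sb_secret", "dangerous": True})
    return sorted(found, key=lambda f: f["offset"])


# Constructed sample bundle carrying both keys for the same project.
_SECRET = "demo-jwt-secret-not-a-real-one"
_PROJECT = "abcdefghijklmnopqrst"
ANON_KEY = make_jwt({"iss": "supabase", "ref": _PROJECT, "role": "anon",
                     "iat": 1700000000, "exp": 2000000000}, _SECRET)
SERVICE_KEY = make_jwt({"iss": "supabase", "ref": _PROJECT, "role": "service_role",
                        "iat": 1700000000, "exp": 2000000000}, _SECRET)
SAMPLE_BUNDLE = (
    f'const supabase=createClient("https://{_PROJECT}.supabase.co","{ANON_KEY}");\n'
    f'const admin=createClient("https://{_PROJECT}.supabase.co","{SERVICE_KEY}");\n'
)

if __name__ == "__main__":
    for hit in find_supabase_keys(SAMPLE_BUNDLE):
        print(hit)
```

Run it over the built JavaScript artifacts rather than the source tree: the key usually arrives through an environment variable that the bundler inlines at build time, so the source looks clean and the bundle does not.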
Firebase: Anonymous Auth With Open Firestore Rules
Firebase anonymous authentication is one click to enable, and many projects leave it on. Combined with permissive Firestore security rules, the infamous allow read, write: if true gives any visitor full read/write access to every collection. This is a top source of cloud data breaches we uncover during Firebase penetration testing and security audits.
Elasticsearch: The Open Cluster Epidemic
Elasticsearch before 8.0 shipped with security disabled, and a large population of clusters still runs that way. The _search endpoint returns every indexed document, _cat/indices lists every index, and _cluster/settings exposes internal configuration. Thousands of clusters are publicly exposed with customer PII, logs, and credentials. A recurring pattern in data breach forensics and vulnerability assessments.
Redis: CONFIG GET requirepass Returns Empty
Redis deployed without authentication is one of the most exploited misconfigurations on the internet. Attackers use CONFIG SET to write SSH keys, webshells, and cron jobs for persistent remote code execution. A penetration testing reference for Redis security hardening and incident response.
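The SSH-key, webshell and cron variants all use the same primitive: point the RDB dump at a directory the attacker cares about with CONFIG SET dir, name the file with CONFIG SET dbfilename, and force a dump with SAVE so the attacker's payload (stored as a value) lands on disk. Because MONITOR shows every command with its client, that sequence is easy to detect per client. The detector below is an added example for this post, not the post's own code or Redis's; the MONITOR lines are constructed for illustration but follow the format redis-cli MONITOR prints (timestamp, [db client], quoted arguments).

```python
"""Detect the CONFIG SET dir/dbfilename + SAVE write primitive in Redis MONITOR output.

Added example, not the post's code. Sample MONITOR lines are constructed.
"""
import re
from collections import defaultdict

MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Where an attacker-controlled RDB file turns into credentials or code.
SENSITIVE_DIRS = ("/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron",
                  "/var/www", "/usr/share/nginx")
SENSITIVE_NAMES = ("authorized_keys", ".php", ".jsp", ".aspx")


def parse_monitor_line(line: str):
    """Return (timestamp, client, args) or None for a non-MONITOR line."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    args = [a.encode("utf-8").decode("unicode_escape") for a in QUOTED_ARG.findall(m["args"])]
    return m["ts"], m["client"], args


def detect_rdb_write_chain(lines) -> list[dict]:
    """Alert when one client stages dir and dbfilename and then forces a dump."""
    staged_by_client = defaultdict(dict)
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key = args[2].lower()
            if key in ("dir", "dbfilename"):
                staged_by_client[client][key] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            staged = staged_by_client.get(client, {})
            if "dir" in staged and "dbfilename" in staged:
                alerts.append({
                    "ts": ts,
                    "client": client,
                    "path": staged["dir"].rstrip("/") + "/" + staged["dbfilename"],
                    "sensitive": staged["dir"].startswith(SENSITIVE_DIRS)
                    or staged["dbfilename"].endswith(SENSITIVE_NAMES),
                })
    return alerts


# Constructed MONITOR capture: benign traffic, a legitimate BGSAVE, and the
# classic authorized_keys write from 203.0.113.7.
SAMPLE_MONITOR = r'''
1712000001.000100 [0 10.0.0.5:51234] "GET" "session:8f3a"
1712000002.000200 [0 10.0.0.9:40001] "BGSAVE"
1712000003.000300 [0 203.0.113.7:40123] "FLUSHALL"
1712000003.100400 [0 203.0.113.7:40123] "SET" "crackit" "\n\nssh-rsa AAAAB3NzaC1yc2E-constructed attacker@evil\n\n"
1712000003.200500 [0 203.0.113.7:40123] "CONFIG" "SET" "dir" "/root/.ssh"
1712000003.300600 [0 203.0.113.7:40123] "CONFIG" "SET" "dbfilename" "authorized_keys"
1712000003.400700 [0 203.0.113.7:40123] "SAVE"
1712000004.000800 [0 10.0.0.5:51234] "CONFIG" "SET" "maxmemory" "2gb"
'''.strip().splitlines()

if __name__ == "__main__":
    for alert in detect_rdb_write_chain(SAMPLE_MONITOR):
        print(alert)
```

Detection is the fallback; the primitive disappears when the instance has requirepass (or ACL users) set, binds only where it is needed with protected-mode left on, and CONFIG is renamed or disabled with rename-command CONFIG "" for anything reachable from an application network.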
Apply this research to your environment
Our engagements apply the same research methodology surfaced in these posts to your specific stack. Start with a free security check.
