Triaging the Week 121
The Supply Chain Siege // MFA Bypass & Identity-Based Intrusions // Evading Detection (Fileless, Stealth & Living-off-the-Land) // Critical Vulns & the Vanishing Patch Window // Social Engineering Remains Rampant
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top News Stories
🧩 The Supply Chain Siege
Stories
🗞️ Sophisticated RCE Backdoor Infects 700+ Laravel Lang Package Versions — A compromise of repo credentials or release infrastructure let the actor rapidly republish and tag ~700 infected historical versions. Once active, the backdoor drops a cross-platform infostealer harvesting AWS metadata, Kubernetes tokens, Jenkins build secrets, and local browser data.
🗞️ Mass Automation Fuels Backdoor Exploitation across 5,500+ GitHub Repositories — “Megalodon” used forged Git author identities (build-bot, ci-bot) and throwaway accounts to blend into automation noise, running a dual payload: an aggressive mass variant (SysDiag) firing on every push/PR, and a dormant targeted variant (Optimize-Build) registered as a workflow_dispatch trigger that stays hidden until manually fired via the GitHub API.
🗞️ Cross-Registry ‘Trapdoor’ Crypto Stealer Targets npm, PyPI, and Crates.io — An advanced cross-platform supply chain threat distributing tailored, functionally identical payloads across three separate ecosystems simultaneously to scale the footprint before registry detection triggers.
🗞️ Global Tech Giants Execute Simultaneous Takedown of “Unkillable” Glassworm Botnet — To resist disruption, the botnet used a multi-layered C2 indirection architecture: server addresses encoded in Solana blockchain transactions, the BitTorrent network for distribution, and Google Calendar event titles as covert dead drops.
Recommendations
☑️ Audit lockfiles (composer.lock, package-lock.json, poetry.lock, Cargo.lock) for infected, unvetted, or typosquatted versions — treat any hit as a breach and immediately rotate all credentials and API tokens.
☑️ Audit commit histories for unlinked/forged author identities, enforce branch protection with signed commits and mandatory PR reviews, and default GitHub Actions workflow token permissions to contents: read to shrink the blast radius.
☑️ Integrate Software Composition Analysis and automated OSS security tooling into pipelines to block anomalous dependency behavior pre-build, restrict outbound network traffic from CI/CD runners, and enforce private registry mirrors (Nexus/Artifactory).
☑️ Sweep logs and endpoint telemetry for beacons to the CrowdStrike Glassworm sinkhole 164.92.88[.]210, and treat developer endpoints as tier-0 infrastructure under zero trust.
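The lockfile audit in the first recommendation is easy to script. The block below is an added example (not Kraven Security's tooling, and not tied to any specific advisory): it parses package-lock.json (v1 nested and v2/v3 flat layouts), composer.lock, Cargo.lock and poetry.lock, normalises Composer's `v` prefix, and reports every pinned version that appears on a blocklist. The blocklist entries, package names and sample lockfiles are constructed placeholders; feed BLOCKLIST from the advisory source you actually consume.

```python
"""Scan dependency lockfiles for pinned versions that appear on a blocklist.

Added example, not Kraven Security's tooling. BLOCKLIST and the sample
lockfiles are constructed placeholders, not real advisory data.
"""
import json
import re
from pathlib import Path

# Constructed blocklist: ecosystem -> package name (lowercase) -> bad versions.
BLOCKLIST = {
    "npm": {"example-left-pad": {"1.3.1"}},
    "composer": {"acme/lang-helper": {"2.0.7", "2.0.8"}},
    "cargo": {"example-serde-fast": {"0.4.2"}},
    "pypi": {"example-requests-plus": {"3.1.0"}},
}


def _iter_npm(lock):
    """Yield (name, version) from package-lock.json v1 (nested) and v2/v3 (flat)."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def _iter_composer(lock):
    """Yield (name, version) from composer.lock; Composer tags are often 'vX.Y.Z'."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            yield pkg["name"], pkg.get("version", "").lstrip("v")


# Cargo.lock and poetry.lock are TOML files made of repeated [[package]] tables
# whose first two keys are name and version. This regex is a deliberately
# minimal parser for exactly that layout, so no TOML library is needed.
_TOML_PKG = re.compile(r'^\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"', re.M)


def _iter_toml_packages(text):
    for name, version in _TOML_PKG.findall(text):
        yield name, version


PARSERS = {
    "package-lock.json": ("npm", lambda t: _iter_npm(json.loads(t))),
    "composer.lock": ("composer", lambda t: _iter_composer(json.loads(t))),
    "Cargo.lock": ("cargo", _iter_toml_packages),
    "poetry.lock": ("pypi", _iter_toml_packages),
}


def find_hits(filename, text, blocklist=BLOCKLIST):
    """Return sorted (ecosystem, name, version) tuples matching the blocklist."""
    ecosystem, parse = PARSERS[filename]
    bad = blocklist.get(ecosystem, {})
    hits = set()
    for name, version in parse(text):
        if version in bad.get(name.lower(), ()):
            hits.add((ecosystem, name, version))
    return sorted(hits)


def audit_tree(root, blocklist=BLOCKLIST):
    """Walk a checkout and return {lockfile path: hits} for every known lockfile."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.name in PARSERS and "node_modules" not in path.parts:
            hits = find_hits(path.name, path.read_text(encoding="utf-8"), blocklist)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample lockfiles: one blocklisted version each, plus clean entries.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-left-pad": {"version": "1.3.1"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/express/node_modules/example-left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "acme/lang-helper", "version": "v2.0.8"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.0"}],
})
SAMPLE_CARGO_LOCK = (
    'version = 3\n\n[[package]]\nname = "example-serde-fast"\nversion = "0.4.2"\n\n'
    '[[package]]\nname = "serde"\nversion = "1.0.200"\n'
)

if __name__ == "__main__":
    for fname, text in [("package-lock.json", SAMPLE_PACKAGE_LOCK),
                        ("composer.lock", SAMPLE_COMPOSER_LOCK),
                        ("Cargo.lock", SAMPLE_CARGO_LOCK)]:
        for eco, name, ver in find_hits(fname, text):
            print(f"HIT in {fname}: {eco} {name}=={ver} (treat as breach, rotate secrets)")
```

Run `audit_tree(".")` from the repository root in CI; a non-empty result should fail the build and trigger the credential rotation the recommendation calls for, since the compromised version has already executed on the developer machine that produced the lockfile.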
🔑 MFA Bypass & Identity-Based Intrusions
Stories
🗞️ The Rapid Evolution of Chinese-Language Phishing Services — Actors bypass carrier security by delivering lures over RCS and iMessage, use live admin panels to steal OTPs in real time, and immediately provision victims’ credit cards into digital wallets on attacker-controlled devices.
🗞️ FBI Warns of ‘Kali365’ PhaaS Kit Hijacking Microsoft 365 Access Tokens — Kali365 abuses legitimate device code authentication flows to hijack OAuth tokens, so attackers never need to intercept passwords or defeat traditional MFA prompts — combining Telegram delivery, AI-generated lures, and campaign-tracking dashboards.
🗞️ Charter Communications Extorted by ShinyHunters After Vishing Attack — A vishing campaign compromised an employee’s Microsoft Entra SSO account, turning the identity provider into a direct launchpad to export data from the company’s Salesforce instance.
🗞️ Carnival Cruise Confirms Massive Data Breach Affecting Nearly 6 Million People — No advanced malware or exploits — purely human deception via social engineering to bypass the perimeter and copy millions of sensitive files before containment.
Recommendations
☑️ Transition critical corporate and third-party SSO accounts away from SMS/push approvals toward phishing-resistant MFA (FIDO2/WebAuthn, hardware keys), which defeats real-time OTP relay and session hijacking; pair it with out-of-band verification for help-desk resets so a vishing caller cannot simply talk their way into re-enrolling a new key.
☑️ Block device code flow via a Microsoft Entra ID conditional access policy (exclude only verified emergency-access accounts), audit legacy systems still depending on it, and block authentication-transfer policies to unmanaged devices.
☑️ Enforce risk-based verification, device fingerprinting, and behavioral monitoring during digital wallet provisioning to detect and block unauthorized card tokenization.
☑️ Run continuous SaaS Security Posture Management with DLP. Audit third-party OAuth permissions, alert on uncharacteristic mass queries or bulk exports in cloud CRMs, and segment privileged access.
☑️ Advise affected consumers to monitor financial statements, enroll in offered credit monitoring, and stay alert to follow-on targeted phishing.
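The device code flow block is only as good as its scope: a report-only state, a forgotten group exclusion or an app carve-out leaves the Kali365 path open. The block below is an added example (not Microsoft's code and not Kraven Security's tooling) that checks an exported list of Conditional Access policies for one that is enabled, covers all users and all cloud apps, excludes nothing but the verified break-glass accounts, names `deviceCodeFlow` in its authentication-flows condition and uses Block as its grant control. It assumes the policies were exported from the Microsoft Graph endpoint `/identity/conditionalAccess/policies` and that the break-glass object IDs are known; the IDs and the sample export are constructed.

```python
"""Audit exported Entra ID Conditional Access policies for a complete device
code flow block.

Added example, not Microsoft's code or Kraven Security's tooling. It assumes
the JSON shape returned by Graph /identity/conditionalAccess/policies; the
object IDs and sample policies below are constructed placeholders.
"""

# Placeholder object IDs of the verified emergency-access (break-glass) accounts.
BREAK_GLASS = {"11111111-1111-1111-1111-111111111111"}


def device_code_block_gaps(policy, break_glass=BREAK_GLASS):
    """Return the reasons this policy is NOT a complete device code flow block.

    An empty list means: enabled, all users, all cloud apps, only break-glass
    accounts excluded, deviceCodeFlow in transferMethods, grant control Block.
    """
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r} (report-only or disabled)")

    cond = policy.get("conditions") or {}
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    methods = {m.strip() for m in flows.split(",") if m.strip()}
    if "deviceCodeFlow" not in methods:
        gaps.append("authenticationFlows.transferMethods lacks deviceCodeFlow")

    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        gaps.append("includeUsers is not ['All']")
    for key in ("excludeGroups", "excludeRoles", "excludeGuestsOrExternalUsers"):
        if users.get(key):
            gaps.append(f"{key} carves out more than the break-glass accounts")
    extra = set(users.get("excludeUsers") or []) - break_glass
    if extra:
        gaps.append(f"excludeUsers contains non-break-glass accounts: {sorted(extra)}")

    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        gaps.append("includeApplications is not ['All']")
    if apps.get("excludeApplications"):
        gaps.append("excludeApplications carves out cloud apps")

    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        gaps.append("grantControls.builtInControls does not include 'block'")
    return gaps


def audit(policies, break_glass=BREAK_GLASS):
    """Return (covered, {displayName: gaps}); covered is True if any policy has no gaps."""
    report = {p.get("displayName", p.get("id", "?")): device_code_block_gaps(p, break_glass)
              for p in policies}
    return any(not gaps for gaps in report.values()), report


# Constructed sample export: one correct block, and one report-only policy with
# an extra group exclusion that a phished user could fall into.
SAMPLE_POLICIES = [
    {
        "id": "aaaaaaaa-0000-0000-0000-000000000001",
        "displayName": "CA900 Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "id": "aaaaaaaa-0000-0000-0000-000000000002",
        "displayName": "CA901 Device code pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS),
                      "excludeGroups": ["22222222-2222-2222-2222-222222222222"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    covered, report = audit(SAMPLE_POLICIES)
    print("device code flow blocked tenant-wide:", covered)
    for name, gaps in report.items():
        print(f"{name}: {gaps or 'OK'}")
```

Run the new policy in report-only mode first and review the sign-in logs it tags; that is the cheapest way to find the legacy systems the recommendation says to audit before the state flips to `enabled` and the audit above passes.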
👻 Evading Detection (Fileless, Stealth & Living-off-the-Land)
Stories
🗞️ Lazarus Group Deploying ‘RemotePE’ Memory-Only RAT in Stealthy Cyber Attacks — Lazarus replaced noisy initial tools with a memory-only RAT that uses DPAPI-encrypted loaders to run entirely in volatile memory, avoids the filesystem, and rotates its infrastructure to dodge detection.
🗞️ How the “GreyVibe” Blends Into Critical Infrastructure Networks Undetected — GreyVibe abandons standard malware payloads in favor of abusing native admin tools, routing C2 through heavily obscured WebSockets disguised as legitimate corporate web applications. 🔎 Threat Hunting Package
🗞️ GitHub and SourceForge Abused to Deliver Stealthy Deno RAT — “DinDoor” adopts the alternative JavaScript runtime Deno to evade signature detection, even injecting WebRTC code into a hidden Edge process via the Chrome DevTools Protocol to stream the victim’s screen peer-to-peer and bypass standard C2 network monitoring. 🔎 Threat Hunting Package
🗞️ AI Chatbots and Search Results Poisoned in Sophisticated GPU Cryptojacking Campaign — A precision-targeted operation that extends social engineering beyond search results into AI chatbot recommendations, gaining remote access via ScreenConnect and hiding GPU-mining loaders inside signed Microsoft .NET utilities. 🔎 Threat Hunting Package
Recommendations
☑️ Configure EDR for continuous memory-integrity inspection (unmapped code blocks, hollowed processes); memory-only malware never writes a payload to disk, so disk-based antivirus has nothing to scan.
☑️ Establish behavioral baselines for routine admin activity and tune EDR rules to LotL execution patterns, while restricting native utilities (PowerShell, vssadmin) via application control.
☑️ Audit firewall/proxy logs for persistent outbound WebSocket or peer-to-peer channels to unknown endpoints, and monitor for hidden processes driving Edge over the Chrome DevTools Protocol (CDP), e.g. msedge.exe launched with a --remote-debugging-port or --remote-debugging-pipe flag by a non-interactive parent.
☑️ Audit for unauthorized RMM/ScreenConnect deployments, flag process hollowing inside Microsoft-signed .NET binaries, and alert on unexpected developer runtimes (Deno, Bun) launched by regular user profiles.
☑️ Build SIEM rules for anomalous DPAPI interaction, decrypting from temporary or non-standard directories, and restrict unsanctioned channels (Telegram) and untrusted meeting/scheduling links.
☑️ Mandate downloads only from official vendor sites, train users never to copy-and-run terminal commands from repos (e.g., curl | msiexec), and restrict standalone package managers like Scoop.
🩹 Critical Vulns & the Vanishing Patch Window
Stories
🗞️ Project Glasswing Reveals a New Cybersecurity Bottleneck — Advanced AI has drastically cut the time and cost of uncovering flaws, creating a precarious “patch gap” where the bottleneck shifts from finding bugs to how fast human teams can triage, verify, and patch them.
🗞️ CERT-In Establishes 12-Hour Patching Mandate — The first time a national cyber defense agency has formally tied compliance timelines directly to AI-accelerated exploit capabilities, signaling the death of calendar-based patch cycles in favor of continuous asset defense.
🗞️ Critical Ghost CMS Vulnerability CVE-2026-26980 Fueling ClickFix Attacks — Unauthenticated attackers extract internal DB configs and API secrets via a flaw in the public Content API endpoint; the campaign is now aggressive, with multiple groups competing over the same servers and overwriting each other’s implants. 🔎 Threat Hunting Package
🗞️ Zero-Day ViewState Deserialization Threatens KnowledgeDeliver LMS — Identical hardcoded ASP.NET machine keys across customer environments mean an actor who recovers the keys from a single instance can instantly crack the ViewState integrity controls of any other internet-facing installation globally.
🗞️ Critical Gitea Flaw Exposes “Private” Container Images for 4 Years Without Authentication — The “private” label was only a superficial UI control, not enforced at the OCI registry layer, so anyone on the internet could issue standard registry pull requests (a plain docker pull) and download entire container snapshots full of proprietary code, internal endpoints, and hardcoded secrets.
Recommendations
☑️ Prioritize rapid containment (CERT-In’s 12-hour benchmark) for known exploited vulnerabilities on internet-facing systems, applying interim mitigations like network isolation or WAF updates when patching is delayed.
☑️ Patch now! Ghost CMS to ≥ 6.19.1 and Gitea to ≥ 1.26.2 (or the Forgejo parallel patch); rotate Admin API keys and invalidate sessions, and if a Gitea update isn’t immediate, force [service].REQUIRE_SIGNIN_VIEW = true.
☑️ Replace default/template secrets — overwrite static machineKey settings in web.config with unique, locally generated keys, and treat any exposed instance as breached, rotating embedded credentials, API keys, and TLS certificates.
☑️ Deploy detection at the edge and runtime — WAF rules to block Ghost Content API queries containing slug:[ / slug%3A%5B, plus monitoring of IIS w3wp.exe for anomalous child processes and ASP.NET Application log Event ID 1316 (ViewState verification failed), which fires when a forged ViewState is rejected before a stolen machineKey is in play.
☑️ Accelerate patch cycles with authorized AI triage tooling, and build defense-in-depth (MFA, network hardening, comprehensive logging, SBOMs for provenance) so resilience doesn’t rely solely on instant patch deployment.
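The `slug:[` indicator in the Ghost recommendation is simple to hunt for retroactively, as long as you account for URL encoding (the page lists the single-encoded form; double encoding also appears in scanner traffic). The block below is an added example (not Ghost's code and not Kraven Security's tooling) that scans constructed combined-format access log lines, restricts matches to Content API paths, and URL-decodes every query parameter through up to three layers before testing. One caveat: `slug:[a,b]` is also legitimate Ghost NQL "in" syntax, so run this as an alert and compare hits against your own front-end traffic before turning the same pattern into a WAF block.

```python
"""Flag Ghost Content API requests whose query carries the `slug:[` construct,
through one or more layers of URL encoding.

Added example, not Ghost's code or Kraven Security's tooling. The access-log
lines are constructed in combined log format.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Content API paths look like /ghost/api/content/posts/; older installs carry
# a version segment, e.g. /ghost/api/v3/content/.
CONTENT_API = re.compile(r"^/ghost/api/(?:v\d+/)?content/", re.I)
INDICATOR = re.compile(r"slug\s*:\s*\[", re.I)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_layers(value, max_rounds=3):
    """URL-decode until the string stops changing (bounded) to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return the name of the offending query parameter, or None if the request is clean."""
    parts = urlsplit(target)
    if not CONTENT_API.match(parts.path):
        return None
    # Every parameter is checked, not only `filter`, in case the indicator is
    # smuggled under another key; parse_qs already strips one encoding layer.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if INDICATOR.search(decode_layers(value)):
                return key
    return None


def scan_log(lines):
    """Return (line_number, client_ip, parameter, target) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST.search(line)
        if not m:
            continue
        param = classify_target(m.group("target"))
        if param:
            hits.append((number, line.split(" ", 1)[0], param, m.group("target")))
    return hits


# Constructed sample access log (combined format): clean, single-encoded,
# double-encoded, and an unrelated path that happens to contain the string.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "GET /ghost/api/content/posts/?key=abc&limit=5 HTTP/1.1" 200 812 "-" "curl/8.4"',
    '203.0.113.9 - - [01/May/2026:10:00:02 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%3A%5Bwelcome%5D HTTP/1.1" 200 4120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [01/May/2026:10:00:03 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug%253A%255Bwelcome%255D HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/May/2026:10:00:04 +0000] "GET /blog/?q=slug:[test] HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, ip, param, target in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} matched via {param!r}: {target}")
```

Pipe your real access log through `scan_log` and pivot on the source IPs it returns; the page notes several groups are fighting over the same Ghost servers, so expect more than one client and more than one implant on a confirmed hit.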
🎭 Social Engineering Remains Rampant
Stories
🗞️ Extortion Gang Implements In-Person Social Engineering to Steal Corporate Data — The Silent Ransom Group blends standard vishing with real-world, in-person physical intrusion, extracting files without tripping network alarms or leaving conventional digital footprints.
🗞️ FBI Warns of Spoofed FIFA Websites Targeting Fans Ahead of 2026 World Cup — Actors lean heavily on typo-squatting, minor misspellings (fiffa[.]com) and alternative TLDs (.org, .city), to deceive users making common typing errors and harvest PII through fake ticket, hospitality, and job scams. 🔎 Threat Hunting Package
🗞️ New Threat Actor “JINX-0164” Targets Crypto Developers via LinkedIn & macOS Malware — Rather than pivoting to cloud accounts, JINX-0164 weaponizes internal dev infrastructure, extracting pipeline secrets and pushing code to production branches with stolen GitHub tokens — turning the build process into a self-propagating infection channel. 🔎 Threat Hunting Package
Recommendations
☑️ Mandate strict out-of-band verification for all internal IT support requests, and train front-desk and facilities staff to physically verify credentials before granting unannounced “technicians” access to hardware.
☑️ Lock down the endpoint — block unauthorized USB/external drives and audit or whitelist legitimate RMM utilities to stop both physical and remote data theft.
☑️ Coach users to manually type or bookmark official URLs (www.fifa.com), inspect sites for low-quality artifacts, never share banking or PII on uncertain pages, and report fraudulent domains to the IC3 portal.
☑️ Brief development staff on high-fidelity fake LinkedIn recruiters and fake video-conferencing update prompts, enable GitHub Vigilant Mode with mandatory GPG/SSH commit signing, enforce least-privilege CI/CD tokens, and monitor for unauthorized corporate VPN use.
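The FIFA advisory lists the three lookalike tricks to watch for: misspellings (fiffa[.]com), alternative TLDs (.org, .city) and brand-plus-keyword names. The block below is an added example (not Kraven Security's or the FBI's tooling) that classifies candidate hostnames against a brand into those categories plus homoglyph substitution and brand-in-subdomain abuse, using an edit-distance check after folding confusable characters. It assumes the registrable domain is the last two labels (use the Public Suffix List in production), that `fifa.com` is the only official registrable domain, and the homoglyph table and candidate list are constructed.

```python
"""Classify hostnames as lookalikes of a brand: typosquat, TLD swap, homoglyph,
brand-keyword combo, or brand hidden in a subdomain.

Added example, not Kraven Security's or the FBI's tooling. Assumptions: the
registrable domain is the last two labels, OFFICIAL lists every domain the
brand owns, and CANON/DIGRAPHS are a small constructed confusables table.
"""
import unicodedata

BRAND = "fifa"
OFFICIAL = {"fifa.com"}  # assumption: the only legitimate registrable domain

# Fold confusable characters to one representative of their class so that
# 'f1fa', 'fіfa' (Cyrillic і) and 'fifa' compare equal.
CANON = str.maketrans({
    "1": "i", "l": "i", "|": "i", "0": "o", "3": "e", "5": "s", "4": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i",
})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def canonical(label):
    """Lowercase, decode punycode, NFKC-normalise and fold confusables."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKC", label).translate(CANON)
    for pair, single in DIGRAPHS:
        label = label.replace(pair, single)
    return label


def levenshtein(a, b):
    """Classic edit distance; small strings, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, brand=BRAND, official=OFFICIAL):
    """Return a lookalike category for host, or None if official or unrelated."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in official:
        return None  # official domain and all of its subdomains
    brand_c = canonical(brand)
    sld = labels[-2]
    sld_c = canonical(sld)
    if sld_c == brand_c:
        return "tld-swap" if sld == brand else "homoglyph"
    if levenshtein(sld_c, brand_c) <= 1:
        return "typosquat"
    if brand_c in sld_c:
        return "brand-keyword"
    if any(brand_c in canonical(label) for label in labels[:-2]):
        return "brand-in-subdomain"
    return None


def triage(hosts):
    """Return {host: category} for every host that is flagged."""
    result = {}
    for host in hosts:
        category = classify(host)
        if category:
            result[host] = category
    return result


# Constructed candidate list, e.g. from newly registered domain feeds.
SAMPLE_HOSTS = [
    "fifa.com", "tickets.fifa.com", "fiffa.com", "fifa.city", "f1fa.com",
    "fifa-tickets2026.org", "fifa.com.evil.net", "example.com",
]

if __name__ == "__main__":
    for host, category in triage(SAMPLE_HOSTS).items():
        print(f"{host:28} {category}")
```

Edit distance one against a four-letter brand will also catch ordinary words (fife, fifo), so treat the output as a triage queue for certificate-transparency and new-domain feeds rather than an automatic blocklist.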
Feature Video
Most people use MISP like a personal threat intel notebook.
It was built to be a community.
If you’ve never configured sync between two MISP instances, you’re using only 10% of what’s in front of you, and if you’re part of an ISAC, that gap matters!
In part 3 of our MISP from scratch series, we close that gap by focusing on:
🔵 Distribution levels as concentric circles — five of them, from “your org only” all the way to “all communities.”
⬆️⬇️ Push vs Pull — Pull brings events in, Push sends them out. These are your go-to tools for sharing threat data.
🎛️ Filters that give you precision — use JSON to get granular on what is shared.
🔗 Sharing groups to expand your reach — this is how ISACs run paid tiers, IR working groups, and bilateral trust circles.
Learn how to start sharing threat data with MISP in this full walkthrough!
Feature Course
What Will You Learn?
Fundamental functions from the Python standard library.
How to parse various data formats (CSV, JSON, etc.)
Creating cross-platform executable files.
Building Python packages.
Jupyter notebooks.
Integrating multiple APIs to build powerful automations.
Web scraping.
Taking command line arguments.
Learning Resources
Cyber Training
Zero-Point Security: Advanced training in red team operations, adversary simulation, and offensive development.
TCM Academy: A comprehensive suite of courses with a hands-on, practical approach to training that equips students with the real-world skills needed to succeed in cyber.
Blue Cape Security: A specialist in Digital Forensics and Incident Response (DFIR) training, offering courses to take you from complete beginner to expert.
Tools
Octoparse: A no-code solution that will save you time, energy, and money. Let me show you how to use it to build your own custom cyber threat intelligence web-scraping tool!