SecureNexus GRC

Empowering digital organizations with unified security — through connected insights, trusted expertise, and end-to-end coverage.

A venture of

X-Biz TechVentures (www.xbizventures.com)

Contact

[email protected]
+91 1800-266-8575

Certifications & Compliance

Certifications and Empanelment — D.U.N.S Registered, ISO 9001:2015, BQC, IAF, ISO 27001, Nasscom, ESC, CERT-IN Empanelled
Offices

Mumbai (HQ)

118-120 IJMIMA Complex, Mindspace, Malad West, Mumbai 400064

Pune (GCC)

Unit 2-B, 1st Floor, Cerebrum IT Park, Kalyani Nagar, Pune 411014

Mumbai (Tech & Innovation)

315, 3rd Floor, Lodha Supremus, Andheri East, Mumbai 400069

Dubai

M35, Warba Centre, Al Muraqqabat, Deira, Dubai

X-Biz TechVentures

© 2026 X-Biz TechVentures Pvt. Ltd. All rights reserved.

SecureNexus

Security Intelligence

Expert analysis on threats, compliance, and the evolving security landscape.

India's Finance Minister Has Flagged Anthropic's Mythos as Unprecedented — Here's the CISO Playbook for AI-Driven Vulnerability Hunting
Security · 2026-05-01 · 10 min read · By Sunil Yadav

India's Finance Minister Nirmala Sitharaman has flagged Anthropic's Claude Mythos as an unprecedented cybersecurity threat to the banking sector and directed IBA-led hardening with CERT-In intelligence sharing. Mythos has already autonomously discovered thousands of zero-days across every major OS and browser at trivial cost. This is the preemptive playbook every CISO needs to run before similar capabilities reach the offensive ecosystem.

25 articles

RoguePlanet: racing Windows Defender's own cleanup into a SYSTEM shell
Security · 2026-06-10 · 10 min read

RoguePlanet turns Microsoft Defender's own remediation workflow into a local privilege escalation, allowing a standard user to race Defender's privileged file operations and overwrite C:\Windows\System32\wermgr.exe with attacker-controlled code. The exploit chains together legitimate Windows features—including oplocks, NTFS junctions, VSS shadow copies, and Windows Error Reporting—to reliably escalate from an unprivileged account to an interactive SYSTEM shell. Despite requiring local code execution and relying on a race condition, the vulnerability affects fully patched Windows 10 and 11 systems and remains unpatched as of June 2026.

By Vitish Bhardwaj

Two Attack Vectors, One Publisher: How SecureNexus SOVA Caught a Coordinated npm Typosquat Campaign
Security · 2026-05-21 · 8 min read

A line-by-line analysis of two distinct malware payloads found in four npm typosquat packages: a postinstall dropper with cross-platform RCE, a hidden C2 beacon with TLS-disabled remote execution, and the 14-point sandbox evasion module they share.

By Sunil Yadav

NGINX Rift (CVE-2026-42945): An 18-Year-Old Heap Overflow That Puts a Third of the Internet at Risk
Security · 2026-05-14 · 5 min read

A critical heap buffer overflow (CVSS 9.2) in NGINX's rewrite module — sitting undetected since 2008 — allows an unauthenticated attacker to crash or remotely execute code on any NGINX server using rewrite and set directives, with a single crafted HTTP request. Discovered in six hours by an autonomous AI analysis system, the flaw affects every NGINX Open Source release from 0.6.27 through 1.30.0, NGINX Plus R32–R36, and a wide range of F5 products including Kubernetes Ingress Controllers and Gateway Fabric. This post covers the root cause (a two-pass script engine state mismatch), the full exploit chain, a step-by-step lab reproduction using the public PoC, detection guidance, and a prioritized remediation checklist. Patches are available — upgrade to NGINX 1.30.1 or 1.31.0 now.

By Fagu Besra

What Attackers See Before They Ever Walk Through Your Door
Security · 2026-05-21 · 14 min read

Before physical red team assessors ever set foot on-site, they build a detailed picture of a target facility using nothing but publicly available information. This blog walks through how organisations unknowingly expose their entry points, badge designs, security vendor relationships, and physical blind spots through everyday public sources. The core message is straightforward — the information needed to plan a physical intrusion already exists in public view, and understanding that exposure is the first step toward closing it.

By Vitish Bhardwaj

Trust hijacked: how attackers forked legitimate Mini Shai-Hulud detection tools to ship the worm itself
Security · 2026-05-03 · 12 min read

A single operator runs four burner GitHub accounts publishing fake Shai-Hulud detection tools that actually deliver a Windows credential-stealer kit (LuaJIT + obfuscated Lua, Mini Shai-Hulud / Trojan.Lazy family). SecureNexus SOVA detected the cluster on 2026-05-02 via capability-shift scanning. This writeup covers the four trust signals the lure exploits, byte-identical kit binaries across operator accounts, leaked operator emails, the 7-byte PEB-walk shellcode captured by our instrumented sandbox, the 37-victim census, and structural-fingerprint guidance defenders can deploy today.

By Mohit Kumar

A Supply Chain Attack Inside the SAP CAP npm Ecosystem: SOVA's Walkthrough of @cap-js and mbt
Security · 2026-04-30 · 23 min read

On April 29, 2026, four packages in the SAP Cloud Application Programming (CAP) ecosystem — @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, and mbt — were trojanised in a three-hour window via a Shai-Hulud worm variant published through compromised GitHub Actions OIDC. SecureNexus SOVA flagged all four with deterministic BLOCK verdicts on tarball capability shape. This walkthrough covers the surgical drop pattern, deobfuscated payload internals, IMDSv2 credential harvesting, GitHub GraphQL exfiltration, and a capability-based gate policy you can deploy today.

By Omkar Pote

TeamPCP Hits Checkmarx: Inside the cx-dev-assist and KICS Supply Chain Compromise
Security · 2026-04-23 · 9 min read

On April 22, 2026, Checkmarx disclosed a supply chain security incident affecting several of its publicly distributed artifacts. Malicious versions of KICS Docker images, a GitHub Action (ast-github-action 2.3.35), and two VS Code extensions (ast-results 2.63/2.66 and cx-dev-assist 1.17/1.19) were published during a short window. Previously published safe versions were not overwritten, so customers pinned to pre-window versions are not affected. Less than 24 hours later, the same campaign reached Bitwarden with a malicious @bitwarden/[email protected] published via a compromised CI/CD GitHub Action on npm. The authoritative C2 indicators are the typosquat domains checkmarx.cx (91.195.240.123) and audit.checkmarx.cx (94.154.172.43).

By Yash Kumar

The Publish Pipeline Is the New Attack Surface: Lessons from the Bitwarden Workflow Incident
Security · 2026-04-23 · 8 min read

On April 22, 2026, a malicious version of @bitwarden/[email protected] was published to npm through a compromise of Bitwarden's own publishing workflow. The exposure window was approximately 93 minutes (5:57 PM to 7:30 PM ET). Bitwarden confirmed the compromise was connected to the ongoing Checkmarx supply chain incident disclosed the same day. End-user vault data, production systems, and the legitimate Bitwarden codebase were not impacted; only users who installed @bitwarden/[email protected] from npm during that narrow window were potentially affected. This post covers what Bitwarden has officially confirmed, the response steps for affected teams, and the broader lesson that CI/CD publishing pipelines are themselves the attack surface.

By Yash Kumar

Page 1 of 3