SecureNexus GRC
SECURENEXUS
  • Home
  • Blog
  • Case Studies
  • About
Get Started
SecureNexus GRCSECURENEXUS

Empowering digital organizations with unified security — through connected insights, trusted expertise, and end-to-end coverage.

A venture of

X-Biz TechVentureswww.xbizventures.com

Services

  • Regulatory Consulting
  • Red Teaming
  • Cloud Security
  • Security Operations
  • Security Training
  • Product Advisory

Products

  • Perimeter (CTEM)
  • Cloud Security Posture Management
  • Vulnerability Management
  • SOVA (SCA)
  • Third Party Risk Management

Company

  • About Us
  • Contact
  • Blog
  • Case Studies

Resources

  • Security Assessment
  • Breach Probability

Contact

[email protected]
+91 1800-266-8575

Certifications & Compliance

Certifications and Empanelment — D.U.N.S Registered, ISO 9001:2015, BQC, IAF, ISO 27001, Nasscom, ESC, CERT-IN Empanelled
Offices

Mumbai (HQ)

118-120 IJMIMA Complex, Mindspace, Malad West, Mumbai 400064

Pune (GCC)

Unit 2-B, 1st Floor, Cerebrum IT Park, Kalyani Nagar, Pune 411014

Mumbai (Tech & Innovation)

315, 3rd Floor, Lodha Supremus, Andheri East, Mumbai 400069

Dubai

M35, Warba Centre, Al Muraqqabat, Deira, Dubai

X-Biz TechVentures

© 2026 X-Biz TechVentures Pvt. Ltd. All rights reserved.

  1. Home
  2. Blog
  3. Security
Security

Security Articles

Best practices, frameworks, and strategies for building robust security postures and protecting your digital assets.

View All Articles

26 Articles

Stripping Three Layers of Defense Off a React Native Financial App
Security
2026-07-07
8 min read
Stripping Three Layers of Defense Off a React Native Financial App
A React Native financial app stacked three defenses — RASP root/Frida detection, OkHttp SSL public key pinning, and AES-256-CBC application-layer encryption. All three were bypassed with one 90-line Frida script. RASP checks were hooked to return false, traffic was captured at the React Native networking boundary above the TLS layer, and the hardcoded AES key was extracted from the Hermes bytecode bundle. Every defense relied on secrets shipped inside the APK.
frida
reactnative
sslpinningbypass
Vitish Bhardwaj
Read More
RoguePlanet: racing Windows Defender's own cleanup into a SYSTEM shell
Security
2026-06-10
10 min read
RoguePlanet: racing Windows Defender's own cleanup into a SYSTEM shell
RoguePlanet turns Microsoft Defender's own remediation workflow into a local privilege escalation, allowing a standard user to race Defender's privileged file operations and overwrite C:\Windows\System32\wermgr.exe with attacker-controlled code. The exploit chains together legitimate Windows features—including oplocks, NTFS junctions, VSS shadow copies, and Windows Error Reporting—to reliably escalate from an unprivileged account to an interactive SYSTEM shell. Despite requiring local code execution and relying on a race condition, the vulnerability affects fully patched Windows 10 and 11 systems and remains unpatched as of June 2026.
WindowsSecurity
PrivilegeEscalation
WindowsInternals
Vitish Bhardwaj
Read More
Two Attack Vectors, One Publisher: How SecureNexus SOVA Caught a Coordinated npm Typosquat Campaign
Security
2026-05-21
8 min read
Two Attack Vectors, One Publisher: How SecureNexus SOVA Caught a Coordinated npm Typosquat Campaign
A line-by-line analysis of two distinct malware payloads found in four npm typosquat packages: a postinstall dropper with cross-platform RCE, a hidden C2 beacon with TLS-disabled remote execution, and the 14-point sandbox evasion module they share.
Supply Chain Security
npm
Typosquat
Sunil Yadav
Read More
NGINX Rift (CVE-2026-42945): An 18-Year-Old Heap Overflow That Puts a Third of the Internet at Risk
Security
2026-05-14
5 min read
NGINX Rift (CVE-2026-42945): An 18-Year-Old Heap Overflow That Puts a Third of the Internet at Risk
A critical heap buffer overflow (CVSS 9.2) in NGINX's rewrite module — sitting undetected since 2008 — allows an unauthenticated attacker to crash or remotely execute code on any NGINX server using rewrite and set directives, with a single crafted HTTP request. Discovered in six hours by an autonomous AI analysis system, the flaw affects every NGINX Open Source release from 0.6.27 through 1.30.0, NGINX Plus R32–R36, and a wide range of F5 products including Kubernetes Ingress Controllers and Gateway Fabric. This post covers the root cause (a two-pass script engine state mismatch), the full exploit chain, a step-by-step lab reproduction using the public PoC, detection guidance, and a prioritized remediation checklist. Patches are available — upgrade to NGINX 1.30.1 or 1.31.0 now.
CVE-2026-42945
NGINX
NGINX Rift
Fagu Besra
Read More
What Attackers See Before They Ever Walk Through Your Door
Security
2026-05-21
14 min read
What Attackers See Before They Ever Walk Through Your Door
Before physical red team assessors ever set foot on-site, they build a detailed picture of a target facility using nothing but publicly available information. This blog walks through how organisations unknowingly expose their entry points, badge designs, security vendor relationships, and physical blind spots through everyday public sources. The core message is straightforward — the information needed to plan a physical intrusion already exists in public view, and understanding that exposure is the first step toward closing it.
Physical Security
Red Team Assessment
OSINT
Vitish Bhardwaj
Read More
Trust hijacked: how attackers forked legitimate Mini Shai-Hulud detection tools to ship the worm itself
Security
2026-05-03
12 min read
Trust hijacked: how attackers forked legitimate Mini Shai-Hulud detection tools to ship the worm itself
A single operator runs four burner GitHub accounts publishing fake Shai-Hulud detection tools that actually deliver a Windows credential-stealer kit (LuaJIT + obfuscated Lua, Mini Shai-Hulud / Trojan.Lazy family). SecureNexus SOVA detected the cluster on 2026-05-02 via capability-shift scanning. This writeup covers the four trust signals the lure exploits, byte-identical kit binaries across operator accounts, leaked operator emails, the 7-byte PEB-walk shellcode captured by our instrumented sandbox, the 37-victim census, and structural-fingerprint guidance defenders can deploy today.
Supply Chain Attack
Threat Intelligence
Mini Shai-Hulud
Mohit Kumar
Read More
India's Finance Minister Has Flagged Anthropic's Mythos as Unprecedented — Here's the CISO Playbook for AI-Driven Vulnerability Hunting
Security
2026-05-01
10 min read
India's Finance Minister Has Flagged Anthropic's Mythos as Unprecedented — Here's the CISO Playbook for AI-Driven Vulnerability Hunting
India's Finance Minister Nirmala Sitharaman has flagged Anthropic's Claude Mythos as an unprecedented cybersecurity threat to the banking sector and directed IBA-led hardening with CERT-In intelligence sharing. Mythos has already autonomously discovered thousands of zero-days across every major OS and browser at trivial cost. This is the preemptive playbook every CISO needs to run before similar capabilities reach the offensive ecosystem.
AI Security
Frontier AI
Claude Mythos
Sunil Yadav
Read More
A Supply Chain Attack Inside the SAP CAP npm Ecosystem: SOVA's Walkthrough of @cap-js and mbt
Security
2026-04-30
23 min read
A Supply Chain Attack Inside the SAP CAP npm Ecosystem: SOVA's Walkthrough of @cap-js and mbt
On April 29, 2026, four packages in the SAP Cloud Application Programming (CAP) ecosystem — @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, and mbt — were trojanised in a three-hour window via a Shai-Hulud worm variant published through compromised GitHub Actions OIDC. SecureNexus SOVA flagged all four with deterministic BLOCK verdicts on tarball capability shape. This walkthrough covers the surgical drop pattern, deobfuscated payload internals, IMDSv2 credential harvesting, GitHub GraphQL exfiltration, and a capability-based gate policy you can deploy today.
Supply Chain Attack
SBOM
SOVA
Omkar Pote
Read More
TeamPCP Hits Checkmarx: Inside the cx-dev-assist and KICS Supply Chain Compromise
Security
2026-04-23
9 min read
TeamPCP Hits Checkmarx: Inside the cx-dev-assist and KICS Supply Chain Compromise
On April 22, 2026, Checkmarx disclosed a supply chain security incident affecting several of its publicly distributed artifacts. Malicious versions of KICS Docker images, a GitHub Action (ast-github-action 2.3.35), and two VS Code extensions (ast-results 2.63/2.66 and cx-dev-assist 1.17/1.19) were published during a short window. Previously published safe versions were not overwritten, so customers pinned to pre-window versions are not affected. Less than 24 hours later, the same campaign reached Bitwarden with a malicious @bitwarden/[email protected] published via a compromised CI/CD GitHub Action on npm. The authoritative C2 indicators are the typosquat domains checkmarx.cx (91.195.240.123) and audit.checkmarx.cx (94.154.172.43).
Checkmarx
cx-dev-assist
ast-results
Yash Kumar
Read More
The Publish Pipeline Is the New Attack Surface: Lessons from the Bitwarden Workflow Incident
Security
2026-04-23
8 min read
The Publish Pipeline Is the New Attack Surface: Lessons from the Bitwarden Workflow Incident
On April 22, 2026, a malicious version of @bitwarden/[email protected] was published to npm through a compromise of Bitwarden's own publishing workflow. The exposure window was approximately 93 minutes (5:57 PM to 7:30 PM ET). Bitwarden confirmed the compromise was connected to the ongoing Checkmarx supply chain incident disclosed the same day. End-user vault data, production systems, and the legitimate Bitwarden codebase were not impacted; only users who installed @bitwarden/[email protected] from npm during that narrow window were potentially affected. This post covers what Bitwarden has officially confirmed, the response steps for affected teams, and the broader lesson that CI/CD publishing pipelines are themselves the attack surface.
Bitwarden
Supply Chain Attack
npm
Yash Kumar
Read More
Inside forge-jsx: Anatomy of a Multi-Platform npm RAT Masquerading as an Autodesk Forge SDK
Security
2026-04-20
10 min read
Inside forge-jsx: Anatomy of a Multi-Platform npm RAT Masquerading as an Autodesk Forge SDK
npm package [email protected] — marketed as a Node.js integration layer for Autodesk Forge — is a multi-platform RAT and infostealer. This technical breakdown walks through the postinstall kill chain, the LaunchAgent/systemd/Task Scheduler persistence primitives, the .env and shell-history harvesting modules, and the AES-256-GCM-obfuscated C2 blob, with SecureNexus SOVA analysis evidence.
SOVA
SecureNexus SOVA
Supply Chain
Yash Kumar
Read More
The Protocol No One Secured: How Anthropic’s MCP Turns AI Agents into Remote Execution Engines
Security
2026-04-20
5 min read
The Protocol No One Secured: How Anthropic’s MCP Turns AI Agents into Remote Execution Engines
Anthropic’s MCP introduces a critical design flaw where AI agents can execute actions based on untrusted tool responses. This turns AI systems into unintended remote execution engines, exposing risks like RCE, data leaks, and full workflow compromise. The issue isn’t a bug—it’s a broken trust model requiring a shift to secure, zero-trust AI architectures.
Arjun Gupta
Read More
23