
Dissecting a Weaponized Atera Installer: How a Fake Bank Statement Grants Full Remote Access
A trojanized Atera RMM installer disguised as a bank eStatement PDF grants attackers persistent remote access including terminal, remote desktop, and arbitrary code execution — all through legitimately signed, commercially trusted infrastructure. Zero public detections at time of analysis. Likely Luna Moth / Silent Ransom Group campaign.

How TeamPCP Poisoned Security Scanners to Backdoor LiteLLM
On March 24, 2026, threat actor TeamPCP published backdoored versions of the LiteLLM Python package (3.4M daily downloads) after compromising Trivy and Checkmarx security scanners to steal PyPI credentials from CI/CD pipelines. The malware harvested credentials, deployed Kubernetes worms, and established persistent C2 — all triggered by a Python .pth file that fires on every interpreter startup.

Poisoned Packages: How npm Lifecycle Scripts Became a Supply Chain Weapon
Microsoft Threat Intelligence published a technique profile on malicious npm lifecycle scripts — the mechanism behind Shai-Hulud 2.0, Contagious Interview, and multiple North Korean campaigns. This post breaks down how lifecycle scripts work as an attack vector, the real-world campaigns exploiting them, and a layered defense strategy for dev teams and CI/CD pipelines.

SWE-CI: Can AI Agents Actually Maintain Code Long-Term?
The Problem with Current Coding Benchmarks: most benchmarks for LLM coding agents — HumanEval, SWE-bench, Terminal-bench — share a fundamental blind spot: they only test whether an agent can produce a one-shot fix. Pass the test suite once, and you’re done. ...

LeakyLooker: 9 Critical Google Looker Studio Vulnerabilities Exposed
Google Looker Studio, a powerful Business Intelligence platform, connects live to your data sources—BigQuery, PostgreSQL, MySQL, Google Sheets, Cloud Storage—enabling real-time dashboards and reports. But a series of nine critical cross-tenant vulnerabilities (dubbed “LeakyLooker”) turned this strength into a major attack surface. Attackers could execute arbitrary SQL, exfiltrate sensitive data, and modify records without victim interaction or permission. ...

Gemini Embedding 2: What's Changed and Why Security Teams Should Care
If you work in threat detection, malware analysis, or threat intelligence, you’ve likely wrestled with a fundamental problem: how do you find connections between thousands of threats at scale without breaking your budget? This is where embeddings come in. Embeddings—numerical representations of text, code, and other data—let security teams compare and correlate threats efficiently. But previous embedding models had trade-offs. You could get good quality or keep costs reasonable, but rarely both. ...

Quishing in the Wild: Anatomy of a Corporate HR Lure Using QR Codes, AWS S3, and Cloudflare Turnstile
TLP: WHITE — This analysis is cleared for public release. All victim PII has been redacted. No credentials were submitted during analysis. IOCs are provided at the end for detection use. A live QR phishing (“quishing”) campaign was captured in the wild targeting corporate employees via a weaponized PDF disguised as an employee handbook. This isn’t a commodity phish — it’s a toolkit-grade, multi-stage attack built specifically to defeat automated email scanners, security sandboxes, and network proxies. ...

Coruna: The iOS Exploit Kit That Went From Spyware Vendor to Mass Crypto Theft
Google GTIG and iVerify independently disclosed Coruna, an iOS exploit kit containing 23 exploits across 5 full chains targeting iOS 13 through 17.2.1. Originally built for a commercial surveillance vendor, it proliferated to a Russian espionage group (UNC6353) for watering hole attacks against Ukraine, then to a Chinese financially motivated actor (UNC6691) mass-deploying it via fake crypto sites to steal wallet credentials. This post breaks down the exploit chains, payload architecture, detection artifacts, and IOCs.

Dissecting a Real Estate BEC Phishing Chain: From Fake Stewart Title Closing Docs to Multi-Layer Encrypted AiTM Router
A BEC phishing email impersonating a Stewart Title escrow officer sends fake closing documents via a compromised law firm. Five-stage chain abusing Lovable (AI app builder), a CAPTCHA gate, triple-encrypted JavaScript with anti-debug traps and a remote kill switch, a server-side AiTM credential router, and a pixel-perfect Google Sign-In proxy capturing credentials and session tokens in real time.

Dissecting a BEC Phishing Chain: From Fake Payment Advice to Real-Time Google AiTM Credential Harvester
A real-world BEC phishing email impersonating a payment advice notification. Three-stage attack chain abusing systeme.io, a fake CAPTCHA gate, and a real-time Adversary-in-the-Middle Google credential harvester with full 2FA interception.