Clankerusecase
Windows detection coverage

🪟 Windows detections

Clankerusecase tracks 1434 detection use cases covering the Windows attack surface across 301 MITRE ATT&CK techniques.

Detections targeting Windows endpoints — Sysmon / Security event log / Defender DeviceProcessEvents.

1434 Use cases
301 Techniques
60 Articles
6 Kill-chain phases

Top techniques on Windows (25)

Reconnaissance (14)

- [LLM] Reconnaissance probes to Splunk version/info endpoints | Bespoke recon · hunting | DSΣPDDCS
- [LLM] Bulk Matrix profile/room-member enumeration against Tchap endpoint | Bespoke recon · hunting | DSPDDCS
- [LLM] Defender Offline Scan initiation - GreatXML vulnerability precondition | Bespoke recon · hunting | DSΣPDDCS
- [LLM] Vulnerable meta-ads-mcp installation inventory (CVE-2026-48039) on managed hosts | Bespoke recon · hunting | DSPDDCS
- [LLM] JDY-style outbound recon scanning originating from internal IoT / network appliances | Bespoke recon · hunting | DSPDDCS
- [LLM] Web-facing exposure of dev.env / .env config file (returns 200) | Bespoke recon · alerting | DSΣPDDCSCW
- [LLM] github.com/dhax/go-base supply-chain footprint in go.mod / build artifacts | Bespoke recon · hunting | DSΣPDDCSCW
- [LLM] Internal host clones / curls github.com/dhax/go-base or raw dev.env | Bespoke recon · hunting | DSΣPDDCS
- [LLM] Browser writing oversized OPFS file (potential FROST SSD-timing side-channel) | Bespoke recon · hunting | DSΣPDDCS
- [LLM] Vulnerable vm2 (<= 3.11.3) present on host — CVE-2026-47210 exposure | Bespoke recon · hunting | DSPDDCS
- [LLM] Algernon vulnerable installation discovery (CVE-2026-45721 exposure inventory) | Bespoke recon · hunting | DSPDDCS
- [LLM] Vulnerable utcp-cli package (<= 1.1.1) inventory hunt for CVE-2026-45369 | Bespoke recon · hunting | DSPDD
- [LLM] Vulnerable Marten library (CVE-2026-45288) present on host — proactive exposure hunt | Bespoke recon · hunting | DSPDDCS
- [LLM] n8n host inventory hunt — surface vulnerable instances < 1.123.43 / 2.20.7 / 2.22.1 | Bespoke recon · hunting | DSPDDCS

Delivery (126)

- Email attachment opened from external sender | Internal delivery · hunting | DSP
- Phishing-link click correlated to endpoint execution | Internal delivery · alerting | DSP
- [WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes | Internal delivery · alerting | DSPDD
- [WEEKLY] Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) | Internal delivery · alerting | DSΣPDD
- [LLM] Atomic Arch: makepkg child spawning npm install atomic-lockfile or bun install js-digest | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Internet-facing web service spawning interactive SSH into management subnet | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Raviral.com Sniper Dz kit endpoints accessed (k_fac.php / track.js) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Brand-impersonating phishing pages on abused free-hosting platforms (Sniper Dz pattern) | Bespoke delivery · hunting | DSPDDCS
- [LLM] External / non-internal HTTP access to Ivanti Sentry /mics admin portal | Bespoke delivery · hunting | DSΣPDD
- [LLM] First-seen device/user authenticating to Tchap (tchap.gouv.fr) matrix endpoint | Bespoke delivery · hunting | DSPDDCS
- [LLM] ShinyHunters staging-server IP connections — SimpleHTTP on TCP/8888 | Bespoke delivery · hunting | DSΣPDDCSCW
- [LLM] Talos prevalent malware hash dropped to disk (DeviceFileEvents pivot) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Phantom Gyp: small binding.gyp written into node_modules during npm install | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Editor/AI tool auto-execute config file dropped into project tree by package manager or git | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Unauthenticated POST to /mcp endpoint on TCP 8080 (CVE-2026-48039) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Miasma supply-chain worm leaked repo clone, install or fetch | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] FortiGate SSL-VPN / admin credential brute-force or spray from single source | Bespoke delivery · alerting | DSPDD
- [LLM] FireAnt Metakit.exe spawns unsigned setup.exe from update path (SPECTRALVIPER supply-chain delivery) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] FireAnt Metakit updater spawning unexpected child (supply-chain compromise) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] npm install pointing at non-default registry via --registry or config | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Cargo dependency manifest or download pinned to compromised onering 1.4.1 | Bespoke delivery · hunting | DSPDDCS
- [LLM] ISO File Dropped to Downloads — RoguePlanet Defender Exploit Precursor | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Unauthenticated WebSocket / HTTP 101 upgrade to phoenix_storybook playground routes | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Outlook preview-pane Type Confusion exploit chain (Outlook → Word → LOLBin) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Malicious _hooks.py / _runtime.bin files created in Pythagora gpt-pilot checkout | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] pip / uv install of known-compromised Hades Campaign PyPI package versions | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Miasma/Shai-Hulud typosquat PyPI package installation (rsquests, tlask, langchain-core-mcp, durabletask) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Miasma-tainted package install: binding.gyp dropped into known-compromised npm package paths | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Earth Dahu / Gamaredon HTA-to-VBScript chain (mshta.exe spawning wscript/cscript) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Hades/Miasma PyPI poisoned package installation (26 named packages) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Activity involving ommicrosoft.com Cloaked-Ursa Teams typosquat | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Phar archive or PHPSpreadsheet RCE marker written by web-server process | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Quick Assist launched followed by remote interactive session (UNC3753 vishing pretext) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Privnote[.]com self-destructing-note URL access from corporate endpoint | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] DbGate exploit web request — POST /runners/start or /runners/load-reader with child_process injection | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Bun runtime download to /tmp from a node process during npm install | Bespoke delivery · alerting | DSPDDCS
- [LLM] Nx Console v18.95.0 Malicious Payload Bootstrap via Orphan Commit (npx github:nrwl/nx#558b09d7) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] jqwik-engine 1.10.0 malicious JAR on disk (SHA256 / filename match) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Inbound TCP connection to Vitest UI port 51204 from non-loopback source | Bespoke delivery · hunting | DSΣPDDCSCW
- [LLM] npm install of dependency-confusion scoped packages (moika.tech actor) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Unauthenticated JSON-RPC POST to PraisonAI /a2a endpoint (CVE-2026-47391 exploit) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Public inbound to PraisonAI Flask listener on TCP/8005 (default port, 0.0.0.0 bind) | Bespoke delivery · alerting | DSPDDCSCW
- [LLM] vpmdhaj typosquat npm package install via preinstall hook (node child of npm) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Bun runtime download from github.com/oven-sh during npm install (Gen-2 loader) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] World Cup 2026 themed lookalike / typosquat domain resolution by corporate hosts | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] npm/pnpm install of trojanized codexui-android package on developer endpoint | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] BTMOB Android RAT APK SHA256 sighting in file or email telemetry | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Compromised laravel-lang Composer package: helpers.php in vendor tree | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Composer install of malicious helpers.php in laravel-lang vendor package | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Screening Serpens recruitment lure — Hiring Portal.zip + job requisition PDFs | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Mail-borne click to fake FIFA World Cup 2026 phishing domain | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Endpoint DNS or web traffic to fake FIFA World Cup 2026 typosquat domain | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Compromised Nx Console VS Code extension (nrwl.angular-console v18.94.0/18.95.0/18.100.0) install on endpoint | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Nx Console v18.95.0 compromised extension installed (May 2026 supply-chain attack) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Compromised Microsoft durabletask PyPI Package Install (TeamPCP 1.4.1-1.4.3) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Installation of malicious guardrails-ai==0.10.1 PyPI package (CVE-2026-45758) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] npm install of compromised @opensearch-project/opensearch versions 3.5.3/3.6.2/3.7.0/3.8.0 | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] mistralai 2.4.6 dropper: curl downloading transformers.pyz from 83.142.209.194 | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Malicious node-ipc package landed on disk under node_modules | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Kimsuky JSE dropper: wscript -> powershell hidden + certutil -decode chain | Bespoke delivery · alerting | DSΣPDD
- [LLM] Mini Shai-Hulud npm worm payload dropped under node_modules (router_init.js / tanstack_runner.js / known SHA256) | Bespoke delivery · hunting | DSΣPDD
- [LLM] ScarCruft sqgame supply-chain delivery domain contact (BirdCall/RokRAT) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Install of trojaned elementary-data 0.23.3 via pip / poetry / uv | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Docker / Kubernetes pull of compromised ghcr.io/elementary-data/elementary image | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Bun runtime fetched from github.com/oven-sh/bun during npm install (Bitwarden CLI hijack) | Bespoke delivery · alerting | DSPDDCS
- [LLM] Known-bad tanstack 2.0.4-2.0.7 package tarball SHA256 file hash on disk | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Compromised elementary-data==0.23.3 PyPI install on developer / CI host | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Qinglong cryptominer payload download from file.551911.xyz | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Roblox cheat/exploit download on enterprise endpoint (Lumma Stealer entry vector) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Access to NGate distribution domain protecaocartao[.]online (HandyPay trojan + APK delivery) | Bespoke delivery · hunting | DSΣP
- [LLM] node process spawning bash/curl chain to fetch Velora DEX install.sh dropper | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Malicious axios or plain-crypto-js package files written to node_modules | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Outbound fetch of attacker-controlled autoimport VSIX from ColossusQuailPray GitHub release | Bespoke delivery · alerting | DSΣPDD
- [LLM] IoliteLabs VSCode extension dropper: VS Code child process reaching rraghh.com / oortt.com C2 | Bespoke delivery · alerting | DSΣPDD
- [LLM] pip install of malicious telnyx versions 4.87.1 / 4.87.2 | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] WAV-disguised stager pull from TeamPCP loader 83.142.209.203:8080 | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] npm/node postinstall hook spawning interpreter and reaching new C2 host (Axios-style dropper) | Bespoke delivery · hunting | DSPDDCS
- [LLM] Telnyx PyPI compromise: malicious telnyx 4.87.1 / 4.87.2 hash on disk | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] TeamPCP WAV-stego payload drop (hangup.wav / ringtone.wav) | Bespoke delivery · alerting | DSPDDCS
- [LLM] Compromised bittensor-wallet 4.0.2 source-tarball SHA256 on disk | Bespoke delivery · hunting | DSΣPDD
- [LLM] Compromised react-native-international-phone-number / react-native-country-select files written to node_modules | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Attacker-controlled scoped npm relay packages on disk (@usebioerhold8733 / @agnoliaarisian7180) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Malicious typosquat npm packages installed on disk (ts-bign / big-nunber / levex-refa / lint-builder) | Bespoke delivery · hunting | DSΣPDD
- [LLM] GitHub Actions workflow file referencing compromised xygeni/xygeni-action@v5 or backdoored commit 4bf1d4e | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Malicious litellm 1.82.7/1.82.8 wheel install drops litellm_init.pth in site-packages | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Cloudflare-tunnel curl-piped Python stager (kamikaze.sh / kube.py) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] VSCode/VSCodium spawning shell or curl to raw.githubusercontent.com/BlokTrooper | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] VSCode-family host fetching from raw.githubusercontent.com/BlokTrooper/extension path | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] GlassWorm Mar 2026 wave — compromised npm/VS Code package artifacts on disk | Bespoke delivery · alerting | DSΣPDD
- [LLM] DRILLAPP variant 2 delivery: CPL file executed from user-writable folder spawning Edge | Bespoke delivery · alerting | DSPDDCS
- [LLM] PromptSpy / MorganArg Android banker — distribution domain DNS/proxy hits | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Installation of unauthorized cline@2.3.0 npm package on developer endpoints | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Inventory: @kilocode/cli v1.0.0-v1.0.3 affected-release install on dev workstations | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Scavenger loader/install.js dropped into node_modules (known SHA256 or filename match) | Bespoke delivery · hunting | DSΣPDD
- [LLM] tj-actions/changed-files compromise: self-hosted runner egress to nikitastupin memdump gist (CVE-2025-30066) | Bespoke delivery · hunting | DSΣPDD
- [LLM] Pastebin-piping stager retrieved from rentry.co/openclaw-core (macOS/Linux ClawHub skill) | Bespoke delivery · alerting | DSPDDCS
- [LLM] Download of openclawcore-1.0.3.zip from denboss99 GitHub release (Windows OpenClaw skill payload) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Outbound connection to clawhub.ai or skills.sh from CLI agent (skill marketplace fetch) | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Executable dropped into C:\inetpub\pub\ shared directory | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] VS Code (Code.exe/node) drops payload to %TEMP%\Lightshot staging directory | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] G_Wagon dropper: node.exe spawns system tar.exe extracting from stdin (-x -f - -C) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Aikido npm phishing: DNS / web request to siemens-energy.icu or siemensergy.icu typosquats | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Aikido campaign: jsDelivr CDN fetch of weaponised flockiali/opresc/prndn/oprnm/operni npm package | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Aikido npm phishing: user clicked phishing URL hosting /DIVzTaSF credential capture | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] PyPI install of malicious typosquat spellcheckpy or spellcheckerpy | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Compromised Nx npm package version install on developer or CI host | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Compromised npm package @vietmoney/react-big-calendar@0.26.2 installation (Shai-Hulud 3.0) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] NPM preinstall hook fetching Bun installer from bun.sh (Sha1-Hulud dropper) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] DNS / outbound connection to npnjs[.]com phishing infrastructure | Bespoke delivery · alerting | DSΣPDD
- [LLM] LittleDaemon / DaemonicLogistics update-hijack URL pattern (popup_4.2.0.2246.dll, /update/updateInfo.bzp, /update/file6.bdat, /update/file2. | Bespoke delivery · alerting | DSΣP
- [LLM] IndonesianFoods npm spam package install on developer/CI endpoint | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] ESET-impersonating typosquat domain contact (InedibleOchotense / Kalambur delivery) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] DreamJob trojanized PDF/installer execution from job-lure decoy folder | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Browser/HTTPS traffic to npmjs.help credential-harvesting page | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Compromised tj-actions/changed-files commit SHA referenced on host (CVE-2025-30066 IOC hunt) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] PyPI install footprint of num2words v0.5.15/0.5.16 (Scavenger supply-chain compromise) | Bespoke delivery · alerting | DSΣPDD
- [LLM] npm registry typosquat npnjs.com — DNS / URL click (eslint-config-prettier maintainer phishing kit) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Scavenger Loader DLL (node-gyp.dll) written inside node_modules of CVE-2025-54313 packages | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Solidity Language malicious Cursor/VS Code extension folder created on disk (solidityai.solidity-* and related) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Self-hosted GitHub Action runner downloads memdump.py from compromised gist (CVE-2025-30066) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Go typosquat module reference: github.com/boltdb-go/bolt in process or build telemetry | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Browser/proxy fetch of compromised @lottiefiles/lottie-player from unpkg or jsDelivr CDN | Bespoke delivery · alerting | DSΣP
- [LLM] npm/yarn/pnpm install of himanshutester002 suspicious aliased packages (string-width-cjs et al) | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Inbound UDP/631 (CUPS IPP discovery) from external network | Bespoke delivery · hunting | DSΣPDDCS
- [LLM] Polyfill.io supply-chain compromise: egress to Funnull-controlled CDN cluster | Bespoke delivery · alerting | DSΣPDDCS
- [LLM] Vulnerable Moq 4.20.0 or Devlooped.SponsorLink NuGet package landed on endpoint | Bespoke delivery · alerting | DSΣPDDCS

Exploitation (367)

- Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) | Internal exploit · alerting | DSΣP
- Office app spawning script/LOLBin child process | Internal exploit · alerting | DSΣP
- PowerShell encoded / obfuscated command | Internal exploit · alerting | DSΣP
- Trusted vendor binary / installer launching unusual children | Internal exploit · hunting | DSΣP
- [WEEKLY] Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) | Internal exploit · alerting | DSPDD
- [WEEKLY] Developer/AI tooling runtime spawns shell or egress LOLBin (unauth RCE post-expl) | Internal exploit · alerting | DSPDDCS
- [WEEKLY] Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint | Internal exploit · alerting | DSPDD
- [WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution | Internal exploit · alerting | DSΣPDD
- [WEEKLY] Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain | Internal exploit · alerting | DSPDD
- [WEEKLY] Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition | Internal exploit · alerting | DSPDD
- [WEEKLY] Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress | Internal exploit · alerting | DSΣPDD
- [WEEKLY] Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) | Internal exploit · alerting | DSPDD
- [WEEKLY] Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool | Internal exploit · alerting | DSΣPDD
- [WEEKLY] Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write | Internal exploit · alerting | DSPDD
- [WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain | Internal exploit · alerting | DSΣPDD
- [WEEKLY] Service-process parent spawns subprocess containing CLI-argument-injection tokens | Internal exploit · alerting | DSΣPDD
- [WEEKLY] Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host | Internal exploit · alerting | DSPDD
- [LLM] Unauthenticated POST to Splunk /v1/postgres/recovery/{backup,restore} endpoints | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit | Bespoke exploit · hunting | DSP
- [LLM] Ivanti Sentry CVE-2026-10520 handleMessage exploit attempt (commandexec XML) | Bespoke exploit · alerting | DSΣPDD
- [LLM] Shell or recon binary spawned by Tomcat/Java on Ivanti Sentry (CVE-2026-10520 post-exploitation) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Univ | Bespoke exploit · hunting | DSP
- [LLM] PeopleSoft CVE-2026-35273 exploit — POST to /PSEMHUB/hub or /PSIGW/HttpListeningConnector | Bespoke exploit · hunting | DSΣPDDCS
- Article-specific behavioural hunt — A tale of two eras | Bespoke exploit · hunting | DSP
- [LLM] Webserver / PHP interpreter spawns shell or LOLBin — post-upload RCE indicator | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspi | Bespoke exploit · hunting | DSP
- [LLM] VS Code/Cursor/Claude/Gemini spawns interpreter referencing folderOpen or SessionStart hook script | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — npm v12 delivers one of the biggest security improvements in years | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-48039: Meta Ads MCP: Unauthenticated HTTP MCP Tool Ex | Bespoke exploit · hunting | DSP
- [LLM] CVE-2026-48039 PoC artifact execution (meta-ads-mcp-vuln001 image, FAKE_TOKEN_FOR_POC_DEMO env) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories | Bespoke exploit · hunting | DSP
- [LLM] First successful FortiGate admin/SSL-VPN login from never-seen ASN after failure burst | Bespoke exploit · hunting | DSPDD
- Article-specific behavioural hunt — OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack | Bespoke exploit · hunting | DSP
- [LLM] Public-facing MSSQL sqlservr.exe spawns suspicious child (OceanLotus transport-construction intrusion vector) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — OceanLotus: From external espionage to domestic targeting | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks | Bespoke exploit · hunting | DSP
- [LLM] Ivanti Sentry command injection via /mics/api/v2/sentry/mics-config/handleMessage (CVE-2026-10520) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Fortinet FortiSandbox WEB UI command injection HTTP pattern (CVE-2026-25089) | Bespoke exploit · hunting | DSΣPDDCS
- [LLM] Chrome browser spawning LOLBin children post-V8 sandbox-escape (CVE-2026-11645) | Bespoke exploit · hunting | DSΣPDDCS
- Article-specific behavioural hunt — Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE B | Bespoke exploit · hunting | DSP
- [LLM] DHCP Client svchost anomalous child process (CVE-2026-44815 post-exploit) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] HTTP.sys / IIS w3wp.exe spawning shell or LOLBin (CVE-2026-47291 post-exploit) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] CTFMON spawning elevated child or CTFMON-hosted privilege escalation (CVE-2026-45586 / GreenPlasma) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Defender Component (MsMpEng/NisSrv) Spawns Interactive Shell with SYSTEM Integrity | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-8467: PhoenixStorybook: Unauthenticated remote code e | Bespoke exploit · hunting | DSP
- [LLM] HEEx / Elixir Kernel injection markers in BEAM-spawned process command line (CVE-2026-8467) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilitie | Bespoke exploit · hunting | DSP
- [LLM] mstsc.exe child process after outbound RDP to external server (RDC heap overflow) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] csrss.exe or dwm.exe spawning child process (Win32K-GRFX kernel exploit marker) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] w3wp.exe spawning interpreter or LOLBin (http.sys exploitation / IIS RCE marker) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Hyper-V worker process (vmwp.exe / vmms.exe) spawning unexpected child (guest-to-host escape) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blo | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositori | Bespoke exploit · hunting | DSP
- [LLM] node.exe spawned by Code/Cursor/Claude/Gemini executing .github/setup.js | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Conti | Bespoke exploit · hunting | DSP
- [LLM] Chrome process executing with pre-fix V8 version (149.0.7827.<102) post-disclosure | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Wait, binding.gyp Can Do What? Exploring npm's Weirdest Build System | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via U | Bespoke exploit · hunting | DSP
- [LLM] osascript invoked with AppleScript breakout pattern (mismatched tell blocks + do shell script) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45034: PHPSpreadsheet has a patch bypass for CVE-2026 | Bespoke exploit · hunting | DSP
- [LLM] Web-server process (php-fpm / apache / nginx / w3wp) spawning shell or network tooling | Bespoke exploit · hunting | DSΣPDDCS
- [LLM] Unprivileged user namespace + nf_tables manipulation chain (CVE-2026-23111 exploitation) | Bespoke exploit · alerting | DSPDDCS
- [LLM] nft (nftables) ruleset manipulation by non-root account on Linux endpoints | Bespoke exploit · hunting | DSΣPDDCS
- [LLM] Check Point Remote Access VPN inbound auth from CVE-2026-50751 actor VPS IPs | Bespoke exploit · hunting | DSΣPDDCSCW
- Article-specific behavioural hunt — AI brands as bait: How threat actors are using the AI hype in social engineering | Bespoke exploit · hunting | DSP
- [LLM] HTTP access to Shopper admin team-settings / Livewire endpoints (CVE-2026-47744) | Bespoke exploit · hunting | DSΣPDDCW
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47731: NASA AMMOS Instrument Toolkit: Path traversal | Bespoke exploit · hunting | DSP
- [LLM] Unauthenticated POST to AIT-BSC /<name>/start with path-traversal form fields (CVE-2026-47731) | Bespoke exploit · alerting | DSΣPDD
- [LLM] Claude Code Action Read tool exfil: node opens /proc/<pid>/environ on Linux CI runner | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Claude Code Read tool steered to cloud-credential files on GitHub Actions runner | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47670: Authenticated Remote Code Execution via loadRe | Bespoke exploit · hunting | DSP
- [LLM] DbGate loadReader functionName code injection (CVE-2026-47670) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47668: DbGate: Unauthenticated Remote Code Execution | Bespoke exploit · hunting | DSP
- [LLM] DbGate CVE-2026-47668 — Node.js runner spawning shell/LOLBin children for egress | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Stata binary spawning OS shell (CVE-2026-47708 stata-mcp log_file_name injection) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Stata-authored log file written with shell metacharacters or path traversal in filename (CVE-2026-47708) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] GHSA-8whc-2wmv-ww35: WWBN AVideo: Unauthenticated Stored DOM C | Bespoke exploit · hunting | DSP
- [LLM] AVideo YPTSocket plugin XSS injection via webSocketSelfURI/page_title query strings | Bespoke exploit · alerting | DSΣPDD
- Article-specific behavioural hunt — Reporting from Vegas: Networking, AI, and good boys | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in bind | Bespoke exploit · hunting | DSP
- [LLM] mcp-remote OAuth authorization_endpoint RCE (CVE-2025-6514) — node spawning shell | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44182: Jupyter Enterprise Gateway: Kubernetes Manifes | Bespoke exploit · hunting | DSP
- [LLM] Jupyter Enterprise Gateway /api/kernels POST with KERNEL_* YAML-injection payload | Bespoke exploit · hunting | DSPDD
- Article-specific behavioural hunt — Argamal: Malware hidden in hentai games | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing cam | Bespoke exploit · hunting | DSP
- [LLM] Passwordless sudo rule dropped into /etc/sudoers.d (Miasma privilege escalation) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Security vendor domain blackhole written to /etc/hosts from non-admin process | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Why EDR and proxy won’t save you from supply chain malware | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Multiple redhat-cloud-services npm Packages compromised | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Nx Console VS Code Extension Compromised | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47413: praisonai-platform: Any workspace member can a | Bespoke exploit · hunting | DSP
- [LLM] Path-traversal exploit hitting Vitest /__vitest_attachment__ endpoint (CVE-2026-47429 PoC) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Post-exploit shell spawned by Vitest node.exe via rerun / saveTestFile (CVE-2026-47429) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Privileged container launch — docker run --privileged from non-CI parent | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Container escape via cgroups release_agent write (CVE-2022-0492) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Miasma supply chain attack: malicious code found in @redhat-cloud-services npm p | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Malicious npm packages abuse dependency confusion to profile developer environme | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can p | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47410: praisonai-platform: JWT signing key defaults t | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47407: PraisonAI Platform has a cross-workspace IDOR | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47391: PraisonAI's unauthenticated A2A official examp | Bespoke exploit · hunting | DSP
- [LLM] Suspicious child process spawned by PraisonAI uvicorn/python A2A server (eval() RCE evidence) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `pr | Bespoke exploit · hunting | DSP
- [LLM] PraisonAI Python subprocess spawns OS shell with discovery / credential-reading commands | Bespoke exploit · alerting | DSPDDCS
- [LLM] Literal PraisonAI sandbox-escape signature: `print.__self__` + builtins dict access | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47393: PraisonAI `deploy --type api` emits a Flask se | Bespoke exploit · hunting | DSP
- [LLM] Unauthenticated POST to PraisonAI `/chat` or `/agents` endpoint (incl. CVE-Detector scanner) | Bespoke exploit · alerting | DSΣPDDCW
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47140: NodeVM builtin denylist bypass via process and | Bespoke exploit · hunting | DSP
- [LLM] Node.js process spawning native shell / interpreter — post-vm2-escape host execution | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] vm2 NodeVM denylist bypass PoC strings — getBuiltinModule + inspector/promises | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47210: vm2 sandbox escape via JSPI-backed Promise `.f | Bespoke exploit · hunting | DSP
- [LLM] Node.js process spawns shell or LOLBin — vm2 sandbox escape post-exploitation (CVE-2026-47210) | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47137: vm2 has a CVE-2023-37903 patch bypass: nesting | Bespoke exploit · hunting | DSP
- [LLM] Node.js process spawning OS shell with enumeration commands — vm2 sandbox escape (CVE-2026-47137) | Bespoke exploit · hunting | DSΣPDDCS
- [LLM] node.exe spawning child_process targets — vm2 Promise species sandbox escape post-exploitation | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47131: vm2 has a Sandbox Escape issue | Bespoke exploit · hunting | DSP
- [LLM] vm2 sandbox-escape PoC strings observed in inbound HTTP request body / WAF | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Web service in container spawning interactive shell (Redis/nginx RCE) | Bespoke exploit · alerting | DSΣPDDCS
- [LLM] Container privilege escalation via Looney Tunables, PwnKit, sudo chroot | Bespoke exploit · alerting | DSΣPDDCS
- Article-specific behavioural hunt — Typosquatted npm packages used to steal cloud and CI/CD secrets | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Less panic patching, more precision | Bespoke exploit · hunting | DSP
- Article-specific behavioural hunt — Pirates in the crosshairs: how one cybercrime gang has been infecting book, movi | Bespoke exploit
· hunting DSP Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code Bespoke exploit · hunting DSP [LLM] Yamcs MDB algorithm PATCH with embedded Jython java.lang.Runtime payload (CVE-2026-46621) Bespoke exploit · alerting DSΣPDDCS [LLM] Yamcs MdbOverrideApi algorithm PATCH carrying Nashorn Java.type RCE payload Bespoke exploit · alerting DSΣPDD [LLM] Hazy Scorpius (CL0P) Oracle EBS exploitation via CVE-2025-61882 — concurrent processing spawns shell/wget Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens Bespoke exploit · hunting DSP [LLM] LiquidJS SSTI gadget tokens in inbound HTTP (CVE-2026-45618) Bespoke exploit · alerting DSΣPDDCS [LLM] Node.js web process spawning shell (LiquidJS RCE post-exploit) Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44632: Yamcs Vulnerable to Server-Side Code Injection Bespoke exploit · hunting DSP [LLM] Yamcs JVM spawning OS shell/interpreter (Janino RCE via CVE-2026-44632) Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — Laravel Lang Supply Chain Advisory Bespoke exploit · hunting DSP Article-specific behavioural hunt — Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer Bespoke exploit · hunting DSP Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46670: YesWiki: Unauthenticated SQL Injection Bespoke exploit · hunting DSP Article-specific behavioural hunt — Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns Bespoke exploit · hunting DSP Article-specific behavioural hunt — Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a Bespoke exploit · hunting DSP Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46703: Boxlite: Path Traversal Vulnerability Leads to Bespoke exploit · hunting DSP [LLM] OCI image extraction creates 
symlink with absolute path target (CWE-61 primitive) Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — The art of being ungovernable Bespoke exploit · hunting DSP Article-specific behavioural hunt — The Wild West of VS Code extensions and how a poisoned extension breached GitHub Bespoke exploit · hunting DSP Article-specific behavioural hunt — Tracking TamperedChef Clusters via Certificate and Code Reuse Bespoke exploit · hunting DSP Article-specific behavioural hunt — GitHub breached via a malicious VS Code extension: why developer devices are the Bespoke exploit · hunting DSP Article-specific behavioural hunt — Webworm: New burrowing techniques Bespoke exploit · hunting DSP Article-specific behavioural hunt — CISA KEV: CVE-2009-1537 — Microsoft DirectX NULL Byte Overwrite Vulnerability Bespoke exploit · hunting DSP Article-specific behavioural hunt — The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package C Bespoke exploit · hunting DSP Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46339: 9router: Unauthenticated Remote Code Execution Bespoke exploit · hunting DSP [LLM] Kopia process spawns ssh with -oProxyCommand= argument (CVE-2026-45695) Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — Microsoft's durabletask package on PyPi Compromised. 
Mini Shai Hulud attacks aga Bespoke exploit · hunting DSP [LLM] GlassFish java process spawning command shell (CVE-2026-2587 RCE) Bespoke exploit · alerting DSΣPDDCS [LLM] GlassFish java process outbound HTTP fetch to external host (gadget XML callback) Bespoke exploit · hunting DSPDDCS [LLM] Inbound HTTP request with Camel-internal header or query param to CXF/Knative endpoint (CVE-2026-47323) Bespoke exploit · alerting DSΣPDDCS [LLM] zrok ProxyShare SSRF — request path begins with absolute URL (CVE-2026-45568) Bespoke exploit · hunting DSΣPDDCS Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46395: HAXcms: Private Key Disclosure via Broken HMAC Bespoke exploit · hunting DSP [LLM] Algernon web server spawning shell child process (CVE-2026-45721 handler.lua RCE) Bespoke exploit · alerting DSΣPDDCS [LLM] MLflow server process spawning Claude Code CLI or shell — CVE-2026-2611 RCE chain Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese- Bespoke exploit · hunting DSP Article-specific behavioural hunt — Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages Bespoke exploit · hunting DSP Article-specific behavioural hunt — actions-cool/issues-helper GitHub Action Compromised: All Tags Point to Imposter Bespoke exploit · hunting DSP Article-specific behavioural hunt — Active Supply Chain Attack: Malicious node-ipc Versions Published to npm Bespoke exploit · hunting DSP Article-specific behavioural hunt — Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Bespoke exploit · hunting DSP Article-specific behavioural hunt — [GHSA / CRITICAL] GHSA-wx9m-wx4f-4cmg: Malicious dropper in mistralai 2.4.6 PyPI Bespoke exploit · hunting DSP [LLM] Web-server process (w3wp/php/nginx) spawns shell or LOLBin (post-SSTI RCE chain) Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — Malicious node-ipc 
versions published to npm in suspected maintainer account com Bespoke exploit · hunting DSP [LLM] Node.js process spawning shell or system utility — likely vm2 sandbox escape Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via U Bespoke exploit · hunting DSP [LLM] utcp-cli command injection via UTCP_ARG substitution in python→bash -c CMD_N_OUTPUT script Bespoke exploit · alerting DSΣPDD [LLM] DeepSeek-TUI sub-agent shell execution via AGENTS.md prompt injection (CVE-2026-45374) Bespoke exploit · alerting DSΣPDD [LLM] DeepSeek-TUI spawning 'cargo test' — CVE-2026-45311 auto-approved run_tests pathway Bespoke exploit · hunting DSΣPDD [LLM] Rust cargo-test binary in target/debug/deps spawning shell or network tool (CVE-2026-45311 exploitation) Bespoke exploit · alerting DSΣPDD Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-44990: Apostrophe has default XSS via `xmp` raw-text Bespoke exploit · hunting DSP [LLM] sanitize-html xmp-tag XSS payload (CVE-2026-44990) in inbound HTTP request Bespoke exploit · alerting DSΣPDD Article-specific behavioural hunt — The time of much patching is coming Bespoke exploit · hunting DSP [LLM] Portainer Swarm service create/update API access (CVE-2026-44849 exploitation path) Bespoke exploit · hunting DSΣPDDCS [LLM] Portainer Swarm service spec with elevated Linux capabilities or unconfined Seccomp Bespoke exploit · alerting DSΣPDDCS [LLM] Container start with docker.sock or sensitive host-path bind mount Bespoke exploit · alerting DSΣPDDCS [LLM] Docker local-driver volume created with type=none and o=bind (CVE-2026-44849 volume variant) Bespoke exploit · alerting DSΣPDDCS [LLM] n8n Node.js parent spawning OS shell — post-exploit RCE indicator for CVE-2026-44791 Bespoke exploit · alerting DSΣPDDCS [LLM] n8n workflow API request body containing JS prototype pollution tokens (CVE-2026-44789) Bespoke exploit · alerting DSΣPDDCS 
Article-specific behavioural hunt — Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities Bespoke exploit · hunting DSP [LLM] Inbound exploit attempt to Cisco Catalyst SD-WAN Manager from known UAT-8616 / Cluster IPs Bespoke exploit · hunting DSΣPDDCS Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46442: FlowiseAI: Authenticated Host RCE via POST /ap Bespoke exploit · hunting DSP [LLM] Flowise node.exe Spawning OS Shell or Command-Line Utility - Post-Exploit RCE (CVE-2026-46442) Bespoke exploit · alerting DSΣPDDCS [LLM] CVE-2026-8178 exploit attempt: Redshift JDBC URL with class-loading parameter (socketFactory/sslfactory/sslhostnameverifier/sslpasswordcallb Bespoke exploit · alerting DSΣPDD Article-specific behavioural hunt — Kimsuky targets organizations with PebbleDash-based tools Bespoke exploit · hunting DSP Article-specific behavioural hunt — FrostyNeighbor: Fresh mischief and digital shenanigans Bespoke exploit · hunting DSP [LLM] FrostyNeighbor JS dropper self-relaunch with --update flag Bespoke exploit · alerting DSΣPDDCS Article-specific behavioural hunt — TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromi Bespoke exploit · hunting DSP Article-specific behavioural hunt — Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Bespoke exploit · hunting DSP Article-specific behavioural hunt — Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Bespoke exploit · hunting DSP [LLM] CVE-2022-26923 exploitation via update6.exe binary execution Bespoke exploit · alerting DSΣPDDCS [LLM] AD CS certificate request with ENROLLEE_SUPPLIES_SUBJECT flag (ESC1) Bespoke exploit · hunting DSPDDCS Article-specific behavioural hunt — TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack Bespoke exploit · hunting DSP Article-specific behavioural hunt — PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale Bespoke exploit · hunting DSP 
[LLM] Malformed CL-STA-1132 attacker User-Agent (Mozilla/5.5 + Safari/532.31) Bespoke exploit · alerting DSΣPDD

Installation (375)

Suspicious browser extension installation Internal install · hunting DSΣP
File hash IOCs — endpoint file/process match Internal install · alerting DSΣP
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal install · hunting DSΣP
Scheduled task created with suspicious image / encoded args Internal install · hunting DSΣP
Service install for persistence — sc.exe / new service registry write Internal install · hunting DSΣP
[WEEKLY] Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains Internal install · alerting DSPDDCSCW
[WEEKLY] Developer package install spawning script-host with non-registry C2 within 5 minutes Internal install · alerting DSPDD
[WEEKLY] Internet-facing server process spawns interpreter then beacons to first-seen external host within 5 minutes Internal install · alerting DSPDD
[WEEKLY] Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) Internal install · alerting DSΣPDD
[WEEKLY] npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern) Internal install · alerting DSPDD
[WEEKLY] npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules Internal install · alerting DSΣPDD
[WEEKLY] Package install lifecycle hook spawns interpreter that reads developer credential stores Internal install · alerting DSPDDCS
[WEEKLY] Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain Internal install · alerting DSPDD
[WEEKLY] Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) Internal install · alerting DSPDD
[WEEKLY] Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access Internal install · alerting DSPDD
[WEEKLY] Package-manager install hook spawns interpreter that beacons to non-registry host within 120s Internal install · alerting DSPDD
[WEEKLY] Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry Internal install · alerting DSPDD
[WEEKLY] Package-Manager Install -> Interpreter Child -> Non-Registry Egress Within 5 Minutes Internal install · alerting DSPDD
[WEEKLY] Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes Internal install · alerting DSPDD
[WEEKLY] Package-manager install-time interpreter spawn with credential-file read and outbound egress within 120s Internal install · alerting DSPDD
[WEEKLY] Package manager lifecycle hook spawns network-fetching shell or runtime Internal install · alerting DSΣPDD
[WEEKLY] Package manager lifecycle hook spawns runtime with outbound egress to non-registry host within 5 minutes Internal install · alerting DSPDD
[WEEKLY] Package manager spawns network-fetching child to public code-hosting within minutes of install Internal install · alerting DSPDD
[WEEKLY] Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop Internal install · alerting DSΣPDD
[LLM] Velvet Ant PAM backdoor — unauthorized pam_unix.so / PAM module modification on Linux Bespoke install · alerting DSΣPDDCS
[LLM] Velvet Ant trojanized OpenSSH — unauthorized sshd/ssh/scp binary replacement Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Bespoke install · hunting DSP
[LLM] splunkd spawning shell interpreters (CVE-2026-20253 post-exploit RCE) Bespoke install · alerting DSΣPDDCS
[LLM] Write to Splunk .pgpass or ssg_enable_modular_input.py from unexpected process Bespoke install · alerting DSΣPDDCS
[LLM] AUR helper or makepkg spawning npm/node to install atomic-lockfile or js-digest Bespoke install · alerting DSΣPDDCS
[LLM] eBPF program load or pinned object created from non-system parent on Arch host Bespoke install · hunting DSΣPDDCS
[LLM] Persistence written to user shell init or systemd user units from AUR build/install scriptlet Bespoke install · hunting DSΣPDDCS
[LLM] Atomic Arch: deps ELF execution by SHA256/MD5 or src/hooks/deps path Bespoke install · hunting DSΣPDDCS
[LLM] Atomic Arch: systemd unit with Restart=always dropped by non-package-manager process Bespoke install · hunting DSΣPDDCS
[LLM] Atomic Arch: eBPF rootkit pinned maps hidden_pids/hidden_names/hidden_inodes in /sys/fs/bpf/ Bespoke install · alerting DSΣPDDCS
[LLM] Unauthorized write to Linux PAM authentication module (pam_unix.so swap) Bespoke install · alerting DSΣPDDCS
[LLM] Unauthorized modification of OpenSSH sshd or ssh client binary Bespoke install · alerting DSΣPDDCS
[LLM] First-seen pam_unix.so / sshd / ssh binary hash in Linux fleet Bespoke install · hunting DSPDDCS
[LLM] Atomic Arch — pacman/makepkg post-install spawning npm install of atomic-lockfile Bespoke install · alerting DSΣPDDCS
[LLM] Atomic Arch — ELF payload 'deps' written or executed under build/cache directories after AUR install Bespoke install · alerting DSΣPDDCS
[LLM] Atomic Arch rootkit — eBPF program load by AUR-build-chain descendant Bespoke install · hunting DSPDD
[LLM] Shai-Hulud npm worm — shai-hulud-workflow.yml dropped into .github/workflows/ Bespoke install · alerting DSΣPDDCS
[LLM] Shai-Hulud bundle.js — known-bad SHA256 written to disk Bespoke install · hunting DSΣPDDCS
[LLM] AI coding agent (Claude Code / Cursor / Codex) spawning shell that fetch-and-executes remote payload Bespoke install · alerting DSΣPDDCS
[LLM] Shell/LOLBin spawned by LangGraph Python or Node runtime Bespoke install · alerting DSΣPDDCS
[LLM] Unexpected .jsp files written under PSEMHUB.war web application Bespoke install · alerting DSΣPDDCS
[LLM] PeopleSoft XMLDecoder persistence — XML file changes under envmetadata/data/environment Bespoke install · alerting DSΣPDDCS
[LLM] Talos weekly prevalent malware hash execution (Coinminer/Injector/Dropper.Miner) Bespoke install · alerting DSΣPDDCS
[LLM] Talos prevalent malware filename pattern — VID001.exe and d4aa3e70..._N_Exe.exe Bespoke install · hunting DSΣPDDCS
[LLM] Self-hosted AI agent process spawns shell/curl/wget then executes the fetched payload Bespoke install · alerting DSΣPDDCS
[LLM] reagentc.exe invocation enabling or remounting WinRE before reboot (GreatXML precondition) Bespoke install · alerting DSΣPDDCS
[LLM] bcdedit recovery-sequence modification consistent with GreatXML WinRE pivot Bespoke install · alerting DSΣPDDCS
[LLM] Webserver process writes PHP-executable file to public web-root or upload directory (CVE-2026-48062) Bespoke install · alerting DSΣPDDCS
[LLM] Miasma/Hades known-bad SHA256 execution on developer endpoint Bespoke install · hunting DSΣPDDCS
[LLM] Hades on-import payload: python interpreter spawns Bun runtime download Bespoke install · alerting DSΣPDDCS
[LLM] npm/node install-time spawn downloads Bun runtime (Shai-Hulud worm pattern) Bespoke install · alerting DSΣPDDCS
[LLM] Implicit node-gyp rebuild from binding.gyp spawns suspicious build child Bespoke install · hunting DSΣPDDCS
[LLM] Machine-cadence post-auth FortiGate CLI/API calls in single session (MCP-orchestrated) Bespoke install · hunting DSPDD
[LLM] DtlCrashCatch.dll image-load by legitimate signed binary (OceanLotus DLL side-load) Bespoke install · alerting DSΣPDDCS
[LLM] OneDrive.Sync.Service.exe spawned/injected outside legitimate OneDrive chain (SPECTRALVIPER injection target) Bespoke install · hunting DSPDDCS
[LLM] SPECTRALVIPER known-bad SHA1 observed on disk or in process Bespoke install · alerting DSΣPDDCS
[LLM] Registry Run-key persistence written by SPECTRALVIPER side-load chain Bespoke install · hunting DSΣPDDCS
[LLM] SPECTRALVIPER known SHA1 sample sighting (ESET 2024-2026 IOC bundle) Bespoke install · hunting DSΣPDDCS
[LLM] npm install lifecycle script spawns interpreter or network-fetcher child Bespoke install · alerting DSΣPDDCS
[LLM] npm/yarn/pnpm install or upgrade of Baileys package Bespoke install · hunting DSΣPDDCS
[LLM] MIPS shell-script dropper on Linux edge device — JDY architecture-aware payload fetch Bespoke install · hunting DSΣPDDCS
[LLM] Ivanti Sentry unauthenticated admin account creation (CVE-2026-10523) Bespoke install · alerting DSPDDCS
[LLM] PoC artefact drop — Chaotic Eclipse named exploits (YellowKey, GreenPlasma, MiniPlasma, RoguePlanet, bitskrieg) Bespoke install · hunting DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-48030: Pheditor: OS Command Injection in terminal han Bespoke install · hunting DSP
[LLM] Pheditor CVE-2026-48030 — web server spawning shell interpreter from terminal handler RCE Bespoke install · alerting DSΣPDDCS
[LLM] Pheditor CVE-2026-48030 — webshell drop: PHP / web account writing .php to webroot Bespoke install · alerting DSΣPDDCS
[LLM] BEAM / Erlang VM spawns shell or interpreter child (post-RCE — CVE-2026-8467) Bespoke install · alerting DSΣPDDCS
[LLM] Erlang .beam compiled module dropped to /tmp, /dev/shm, or %TEMP% by BEAM runtime Bespoke install · alerting DSΣPDDCS
[LLM] Python interpreter downloads oven-sh Bun runtime v1.3.14 from GitHub releases at import time Bespoke install · alerting DSΣPDDCS
[LLM] Bun runtime executed from temp directory by Python interpreter (Hades vF203 loader) Bespoke install · alerting DSΣPDDCS
[LLM] Malicious AI coding-agent hook configs written to repo (.claude/.gemini/.cursor/.vscode) Bespoke install · alerting DSΣPDDCS
[LLM] Miasma loader artifact written to Python site-packages: .pth, _index.js, .abi3.so Bespoke install · alerting DSΣPDDCS
[LLM] Bun or Node runtime spawned by Python package manager (Miasma stealer bootstrap) Bespoke install · alerting DSΣPDDCS
[LLM] Miasma stealer payload SHA256 match on disk or in execution Bespoke install · hunting DSΣPDDCS
[LLM] Miasma Phantom Gyp: python.exe (gyp parser) spawning node index.js during npm install Bespoke install · alerting DSΣPDDCS
[LLM] Miasma payload SHA256 hash hit (published Phantom Gyp IOCs) Bespoke install · hunting DSΣPDDCS
[LLM] WinRAR CVE-2025-8088 — archive tool writes payload to user Startup folder Bespoke install · alerting DSΣPDDCS
[LLM] Startup LNK spawns cmd.exe → PowerShell in-memory DLL loader (GIFTEDCROOK chain) Bespoke install · alerting DSPDDCS
[LLM] Python interpreter downloading Bun runtime ZIP from oven-sh GitHub release Bespoke install · alerting DSPDDCS
[LLM] Hades persistence: *-setup.pth file written into Python site-packages Bespoke install · alerting DSΣPDDCS
[LLM] LiteLLM proxy (uvicorn/python) spawning shell or LOLBin — CVE-2026-42271 post-exploit Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public Bespoke install · hunting DSP
[LLM] Qilin Linux ransomware ELF payload (CVE-2026-50751 campaign) — known MD5 file event Bespoke install · hunting DSΣPDDCS
[LLM] Execution or drop of fake AI-platform installer (DeepSeek/Manus/Seedance/GPT-5.5/Kimi) Bespoke install · alerting DSΣPDDCS
[LLM] VerdantBamboo BRICKSTORM / PLENET / AGENTPSD file-hash IOCs Bespoke install · hunting DSΣPDDCS
[LLM] AGENTPSD-style Python reverse shell spawned by sshd on Linux / NAS Bespoke install · hunting DSΣPDDCS
[LLM] AnyDesk, Bomgar, SuperOps or Zoho Assist installer execution (UNC3753 RMM foothold) Bespoke install · hunting DSΣPDDCS
[LLM] Bright Data partner-app or brdsdk.framework present on managed iOS / mobile inventory Bespoke install · hunting DSP
[LLM] DbGate node process spawning shell child (post-exploit RCE) Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47669: DbGate: Zip Slip in archive/unzip allows arbit Bespoke install · hunting DSP
[LLM] DbGate Zip Slip (CVE-2026-47669): node process writes outside archive dir to OS-sensitive paths Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47708: MCP-for-Stata: Command injection via log_file_ Bespoke install · hunting DSP
[LLM] Bun runtime spawned by npm/node preinstall hook (TeamPCP setup.mjs loader) Bespoke install · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud payload SHA256 on disk (7c24b4d9...e627144e8b) Bespoke install · hunting DSΣPDDCS
[LLM] Talos weekly prevalent malware SHA256 IOC sweep (Coinminer / Procpatcher / KMS activator) Bespoke install · alerting DSΣPDDCS
[LLM] PowerShell Invoke-WebRequest dropping script.ps1 to user AppData (KongTuke stage-2) Bespoke install · alerting DSΣPDDCS
[LLM] Enterprise Gateway python container spawns shell or reads K8s service-account token (CVE-2026-44181 RCE) Bespoke install · alerting DSΣPDDCS
[LLM] Cron/persistence file written on Kubernetes worker node from container runtime context Bespoke install · alerting DSΣPDDCS
[LLM] Argamal COM Hijack of Windows Color System Calibration Loader CLSID Bespoke install · alerting DSΣPDDCS
[LLM] Argamal MI_V / MI_V2 Environment Variable Stage Handoff Bespoke install · alerting DSΣPDDCS
[LLM] Argamal Scheduled Task Pointing at AppData\Local DLL via Color System Calibration Loader Bespoke install · alerting DSΣPDDCS
[LLM] Argamal Loader Artifacts — natives2_blob.bin / Modified ffmpeg.dll IOC Sweep Bespoke install · hunting DSΣPDDCS
[LLM] Bun runtime spawned via node→shell→bun chain from npm install (Miasma dropper) Bespoke install · alerting DSΣPDDCS
[LLM] Downloader or shell child of npm/pip install (postinstall RAT loader) Bespoke install · alerting DSΣPDDCS
[LLM] npm/node lifecycle script fetching Bun runtime from github.com/oven-sh/bun Bespoke install · alerting DSΣPDDCS
[LLM] Malicious @bitwarden/cli payload artifacts on disk (bw_setup.js, bw1.js, Shai-Hulud markers) Bespoke install · alerting DSΣPDDCS
[LLM] npm preinstall hook executing oversized node index.js from @redhat-cloud-services package Bespoke install · alerting DSΣPDDCS
[LLM] Bun spawned from npm install context executing /tmp/p*.js implant Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — Laravel-Lang Supply Chain Attack: Every Tag Across Multiple Composer Packages Re Bespoke install · hunting DSP
[LLM] PHP CLI drops hidden /tmp dropper artefacts (Laravel-Lang autoload payload) Bespoke install · alerting DSΣPDDCS
[LLM] Nx Console v18.95.0 Compromised VSIX / main.js / payload SHA-256 Hash Match Bespoke install · hunting DSΣPDDCS
[LLM] macOS LaunchAgent Persistence — com.user.kitty-monitor.plist (Nx Console Compromise) Bespoke install · alerting DSΣPDDCS
[LLM] Kitty cat.py Python Backdoor File Drop / Execution (Nx Console Compromise) Bespoke install · alerting DSΣPDDCS
[LLM] FlutterShell macOS payload SHA256 IOC match Bespoke install · hunting DSΣPCS
[LLM] Maven/Gradle build log file containing jqwik prompt-injection directive Bespoke install · hunting DSPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47429: When Vitest UI server is listening, arbitrary Bespoke install · hunting DSP
Article-specific behavioural hunt — Containers on fire: from container escapes to supply chain attacks Bespoke install · hunting DSP
[LLM] runC binary modified outside package manager (CVE-2019-5736 / CVE-2024-21626) Bespoke install · alerting DSΣPDDCS
[LLM] Malicious postinstall.js dropped under node_modules for actor scopes Bespoke install · hunting DSΣPDDCS
[LLM] node.exe spawns detached child from tmpdir after npm install (moika.tech dropper) Bespoke install · hunting DSPDDCS
[LLM] Vulnerable praisonai-platform deployment hunt (uvicorn launching praisonai_platform.api.app) Bespoke install · hunting DSΣPDDCS
[LLM] PraisonAI A2A example server started with vulnerable 0.0.0.0 bind and no auth_token Bespoke install · hunting DSΣPDDCS
[LLM] PraisonAI `deploy --type api` command execution — vulnerable server provisioned Bespoke install · hunting DSΣPDDCS
[LLM] Node.exe spawning OS shell after vm2 sandbox exploitation Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — What’s in the container? Analyzing vulnerabilities, risks and protection with Ka Bespoke install · hunting DSP
[LLM] perfctl rootkit — /etc/ld.so.preload write or LD_PRELOAD on root daemon Bespoke install · alerting DSΣPDDCS
[LLM] payload.bin written under node_modules by node process Bespoke install · alerting DSΣPDDCS
[LLM] __DAEMONIZED=1 environment marker on spawned process Bespoke install · alerting DSΣPDDCS
[LLM] Shai-Hulud worm GitHub Action workflow file dropped under .github/workflows Bespoke install · alerting DSΣPDDCS
[LLM] npm/yarn/pnpm postinstall hook spawning credential-harvest tooling Bespoke install · hunting DSΣPDDCS
[LLM] Trojanized axios npm package postinstall: node.exe spawned from plain-crypto-js dependency Bespoke install · alerting DSΣPDDCS
[LLM] axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging Bespoke install · alerting DSΣPDDCS
[LLM] HLS Installer.874.exe DLL side-load from pirate-streaming ZIP lure Bespoke install · alerting DSΣPDDCS
[LLM] SilentCryptoMiner-fork: Defender exclusions added for %USERPROFILE%, %PROGRAMDATA%, %WINDIR%, .exe, .dll Bespoke install · alerting DSPDDCS
[LLM] MSRT tampering: HKLM\Software\Policies\Microsoft\MRT DontOfferThroughWUAU = 1 Bespoke install · alerting DSΣPDDCS
[LLM] powercfg sleep/hibernate disable burst (4-command sequence) Bespoke install · alerting DSPDDCS
[LLM] Yamcs JVM spawns shell or network utility (CVE-2026-46621 post-exploitation) Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via Bespoke install · hunting DSP
[LLM] Yamcs JVM spawning a POSIX shell — Nashorn Runtime.exec post-exploitation Bespoke install · alerting DSΣPDDCS
[LLM] Shai-Hulud npm postinstall reads cloud credential files (~/.aws, ~/.ssh, ~/.kube, gcloud ADC) Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45618: LiquidJS is Vulnerable to Remote Code Executio Bespoke install · hunting DSP
[LLM] Mini Shai-Hulud 'gh-token-monitor' persistence daemon (LaunchAgent / systemd) Bespoke install · alerting DSΣPDDCS
[LLM] Laravel-Lang stealer file drop in .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS
[LLM] DebugChromium.exe execution (Laravel-Lang stealer Windows artifact) Bespoke install · alerting DSΣPDDCS
[LLM] cscript/wscript executing a script from .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS
[LLM] cscript.exe launching .vbs from .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS
[LLM] Stealer or VBS launcher dropped into .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on Bespoke install · hunting DSP
Article-specific behavioural hunt — Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Reposito Bespoke install · hunting DSP
[LLM] Megalodon backdoor workflow file (SysDiag.yml / Optimize-Build.yml) written to .github/workflows/ Bespoke install · alerting DSΣPDDCS
[LLM] MiniUpdate UpdateChecker.dll sideload via legitimate signed .NET host Bespoke install · alerting DSΣPDDCS
[LLM] Screening Serpens AppDomainManager hijack via .NET app .config tampering Bespoke install · alerting DSPDDCS
[LLM] PowerShell-parented taskkill of winrar.exe (Cloud Atlas LNK anti-forensic cleanup) Bespoke install · alerting DSΣPDDCS
[LLM] PowerShower dropped to user Pictures folder as googleearth.ps1 Bespoke install · alerting DSΣPDDCS
[LLM] termsrv.dll patched (multi-RDP enabling) - takeown + binary write + TermService restart Bespoke install · alerting DSΣPDDCS
[LLM] Boxlite sandbox writes to SSH authorized_keys (post-exploit RCE pivot) Bespoke install · alerting DSΣPDDCS
[LLM] BadIIS rogue native module drop in IIS folders (demo.pdb / Chinese path heuristic) Bespoke install · hunting DSΣPDDCS
[LLM] Talos weekly prevalent-malware hash hit (Coinminer worm / TunMirror / SECOH-QAD / KMS-Loader) Bespoke install · alerting DSPDDCS
[LLM] Known Shai-Hulud / Nx Console implant hash match (SHA256/SHA1) Bespoke install · hunting DSΣPDDCS
[LLM] macOS LaunchAgent/LaunchDaemon plist persistence pointing at Python interpreter Bespoke install · hunting DSΣPDDCS
Article-specific behavioural hunt — Dev Machine Guard Now Supports Linux Bespoke install · hunting DSP
[LLM] Compromised @cap-js stealer artefact hash present on disk or in execution Bespoke install · hunting DSΣPDDCS
[LLM] VS Code/Cursor extension host fetches dropper from nrwl/nx orphan commit on GitHub Bespoke install · hunting DSΣPDDCS
[LLM] macOS Python backdoor persistence via kitty-monitor LaunchAgent and cat.py drop Bespoke install · alerting DSΣPDDCS
[LLM] Python backdoor self-daemonisation via __DAEMONIZED=1 spawned by VS Code helper or node Bespoke install · hunting DSΣPDDCS
[LLM] TamperedChef shell-company code-signing certificate execution (CL-UNK-1090) Bespoke install · alerting DSΣPDDCS
[LLM] TamperedChef trojanized-app activation via --cm / --enableupdate / --fullupdate flags Bespoke install · alerting DSΣPDDCS
[LLM] TamperedChef scheduled-task persistence via task.xml + obfuscated JS (appsuite-print.js) Bespoke install · alerting DSPDDCS
[LLM] TeamPCP Nx Console payload SHA256 hash match on developer endpoints Bespoke install · hunting DSΣPDDCS
[LLM] VS Code child process fetching payload from nrwl/nx orphan commit (Nx Console v18.95.0 dropper) Bespoke install · alerting DSΣPDDCS
[LLM] TeamPCP rope.pyz Dropper Infection Markers on Linux Bespoke install · alerting DSΣPDDCS
[LLM] 9router Node.js process spawning shell binary (CVE-2026-46339 post-exploit) Bespoke install · alerting DSΣPDDCS
[LLM] SSH process spawned by Kopia invokes a shell child (ProxyCommand execution) Bespoke install · alerting DSPDDCS
[LLM] Python process executing transformers.pyz dropped from git-tanstack.com (TeamPCP) Bespoke install · alerting DSΣPDDCS
[LLM] Apache Camel JVM spawning shell or command interpreter via camel-exec (CVE-2026-47323 post-exploit) Bespoke install · alerting DSΣPDDCS
[LLM] Apache Camel JVM writing files to sensitive paths via camel-file (CVE-2026-47323 arbitrary file write) Bespoke install · hunting DSPDDCS
Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45721: Algernon: handler.lua discovery walks parent d Bespoke install · hunting DSP
[LLM] handler.lua dropped outside Algernon's configured web root (CVE-2026-45721 backdoor stage) Bespoke install · alerting DSΣPDDCS
[LLM] On-disk presence of malicious @opensearch-project/opensearch payload SHA256 Bespoke install · hunting DSΣPDDCS
[LLM] Postinstall script execution from compromised @opensearch-project/opensearch package Bespoke install · hunting DSΣPDDCS
[LLM] BadIIS demo.pdb variant known SHA256 file/process hashes Bespoke install · alerting DSΣPDDCS
[LLM] IIS native module DLL drop or applicationHost.config modification by non-IIS process Bespoke install · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud npm worm payload by SHA256 Bespoke install · hunting DSΣPDDCS
[LLM] Mini Shai-Hulud persistence hooks written into .vscode/ and .claude/ configs Bespoke install · hunting DSΣPDDCS
[LLM] bun runtime executed on CI runner spawning python3 with sudo escalation Bespoke install · alerting DSΣPDDCS
[LLM] Compromised node-ipc.cjs bundle write (~117KB) under node_modules Bespoke install · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud npm preinstall hook spawning bun runtime Bespoke install · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud Claude Code SessionStart hook injection via npm install Bespoke install · alerting DSΣPDDCS
[LLM] VS Code tasks.json folderOpen persistence written by npm install chain Bespoke install · hunting DSΣPDDCS
[LLM] Mini Shai-Hulud Linux daemon persistence: kitty/cat.py and systemd user service Bespoke install · alerting DSΣPDDCS
[LLM] mistralai 2.4.6 dropper: Python interpreter executing /tmp/transformers.pyz as detached session Bespoke install · alerting DSΣPDDCS
[LLM] Drop of /tmp/transformers.pyz on Linux endpoint Bespoke install · alerting DSΣPDDCS
[LLM] PHP / IIS web-server writes .php/.phtml/.phar to webroot (post-SSTI webshell drop) Bespoke install · alerting DSΣPDDCS
[LLM] Gremlin Stealer packed sample SHA256 execution (2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) Bespoke install · alerting DSΣPDDCS
[LLM] node-ipc stealer __ntw=1 environment marker in process command line Bespoke install · alerting DSΣPDDCS

Command & Control (178)

Beaconing — periodic outbound to small set of destinations Internal c2 · alerting DSP
DNS tunneling / TXT-heavy domain queries Internal c2 · hunting DSP
Network connections to article IPs / domains Internal c2 · alerting DSΣP
[WEEKLY] Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start Internal c2 · alerting DSΣPDD
[LLM] SOCKS5 proxy masquerading as 'smbd -D' from non-Samba install path Bespoke c2 · alerting DSΣPDDCS
[LLM] GS-Netcat reverse shell — host beacons to gs.thc.org Global Socket relay Bespoke c2 · alerting DSΣPDDCS
[LLM] Splunk Enterprise host initiating outbound PostgreSQL (TCP/5432) to public IP Bespoke c2 · alerting DSΣPDDCS
[LLM] AUR build process egress to temp.sh or github.com/fardewoak/nodejs-argo Bespoke c2 · alerting DSΣPDDCS
[LLM] Atomic Arch: non-Tor-aware process connecting to local SOCKS proxy on 9050/9150 Bespoke c2 · hunting DSΣPDDCS
[LLM] Atomic Arch — DNS resolution and HTTP POST to temp.sh from non-browser developer workstation process Bespoke c2 · alerting DSΣPDDCS
[LLM] Atomic Arch — Tor client spawn or .onion endpoint contact from AUR-installing developer host Bespoke c2 · alerting DSΣPDDCS
[LLM] Shai-Hulud worm exfil — outbound to webhook.site/bb8ca5f6 from developer or CI process Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound public network from LangGraph runtime to non-allowlisted destination Bespoke c2 · hunting DSΣPDDCS
[LLM] Sniper Dz seized phishing infrastructure callback (post-takedown beacons) Bespoke c2 · alerting DSΣPDDCS
[LLM] DNS/network contact with AudiA6 money-mule registration domains Bespoke c2 · alerting DSΣPDDCS
[LLM] MeshCentral agent disguised as Microsoft Azure binary calling azurenetfiles.net Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound connection or DNS resolution to imperva_artifactory.com (OpenClaw PoC C2) Bespoke c2 · alerting DSΣPDDCS
[LLM] Bun runtime egress to npm/PyPI publish endpoints or attacker-controlled GitHub repos Bespoke c2 · hunting DSΣPDDCS
[LLM] npm/node install-time process beaconing to webhook.site, sfrclak.com or 142.11.206.73 Bespoke c2 · alerting DSΣPDDCS
[LLM] Meta Graph API request with access_token in URL query string (CVE-2026-48039 leak signature) Bespoke c2 · alerting DSΣPDDCS
[LLM] Miasma worm GitHub commit-search C2 magic strings on command line or script Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound JSON-RPC or LLM-API egress from network appliance / edge device Bespoke c2 · alerting DSΣPDD
[LLM] SPECTRALVIPER C2 callout to OceanLotus FireAnt infrastructure Bespoke c2 · hunting DSΣPDDCS
[LLM] Network egress to OceanLotus SPECTRALVIPER C2 IPs (2024-2026 campaigns) Bespoke c2 · hunting DSΣPDDCS
[LLM] DNS resolution for OceanLotus SPECTRALVIPER C2 domains Bespoke c2 · alerting DSΣPDDCS
[LLM] Sustained low-volume beaconing to OceanLotus SPECTRALVIPER C2 (long-tail persistence) Bespoke c2 · hunting DSPDDCS
[LLM] Outbound Tor (9001/9030/9050) from network appliance / IoT subnet — JDY C2 beaconing Bespoke c2 · alerting DSΣPDDCS
[LLM] Network egress to onering Sentry exfil ingest domain or project envelope path Bespoke c2 · alerting DSΣPDDCS
[LLM] Connection to RoguePlanet PoC C2 Domain projectnightcrawler.dev Bespoke c2 · alerting DSΣPDDCS
[LLM] BEAM process outbound to new public destination or non-standard port (post-RCE C2) Bespoke c2 · hunting DSPDDCS
[LLM] Outbound DNS / HTTP to Miasma C2 (git-service.com / m-kosche.com) Bespoke c2 · alerting DSΣPDDCS
[LLM] Miasma C2 / IOC domain resolution: check.git-service.com, t.m-kosche.com, git-service.com Bespoke c2 · alerting DSΣPDDCS
[LLM] GIFTEDCROOK / Gamaredon C2 callback to article IOCs (IPs + workers.dev / trycloudflare / .ru domains) Bespoke c2 · hunting DSΣPDDCS
[LLM] Hades C2: GitHub commit search for campaign markers TheBeautifulSnadsOfTime / firedalazer Bespoke c2 · alerting DSΣPDDCS
[LLM] Internal host outbound to CVE-2026-50751 Qilin actor IPs (post-bypass C2 / staging) Bespoke c2 · alerting DSΣPDDCSCW
[LLM] Connection to AI-brand phishing / installer C2 infrastructure (MSTI June 2026 IOCs) Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound endpoint connections to BRICKSTORM C2 IP 149.248.11.71 Bespoke c2 · hunting DSΣPDDCSCW
[LLM] Outbound connection to UNC3753 (Luna Moth) infrastructure IPs Bespoke c2 · hunting DSΣPDDCSCW
[LLM] Outbound mail to or domain lookup of business-data-leaks[.]com (UNC3753 extortion infrastructure) Bespoke c2 · alerting DSΣPDDCS
[LLM] Bright Data SDK control-plane beacon to proxyjs/clientsdk endpoints Bespoke c2 · alerting DSΣPDDCS
[LLM] ait-bsc outbound TCP to public/non-baseline destination (attacker-supplied loc port) Bespoke c2 · alerting DSPDDCS
[LLM] GitHub Actions runner: node from Claude Code Action egresses to non-Anthropic/non-GitHub endpoint Bespoke c2 · hunting DSPDDCS
[LLM] KongTuke TDS C2 callout to 144.31.221.82:6060 with /capcha URL path Bespoke c2 · alerting DSΣPDDCS
[LLM] Same host calling KongTuke C2 from both powershell.exe and curl.exe within short window Bespoke c2 · alerting DSPDDCS
[LLM] Argamal Stage2 BITSAdmin Pull of zaesdl.dat from GitHub Bespoke c2 · alerting DSΣPDDCS
[LLM] Argamal RAT C2 Beacon — 186.158.223.35 / freeddns / kozow / ignorelist / UDP-57441 / TCP-3747 Bespoke c2 · alerting DSΣPDDCS
[LLM] Package manager runtime connecting to durabletask/axios supply-chain C2 IOCs Bespoke c2 · alerting DSΣPDDCS
[LLM] C2 beacon to audit.checkmarx[.]cx /v1/telemetry (TeamPCP Shai-Hulud Third Coming) Bespoke c2 · alerting DSΣPDDCS
[LLM] Egress to typosquatted C2 flipboxstudio.info (Laravel-Lang Composer SC) Bespoke c2 · alerting DSΣPDDCS
[LLM] FlutterShell macOS C2 contact (atsheisdomestic / etoftheappyrince / healightejustb) Bespoke c2 · alerting DSΣPCS
[LLM] TeamPCP Checkmarx KICS supply-chain stealer C2 callback (audit.checkmarx.cx / 94.154.172.43) Bespoke c2 · hunting DSΣPDDCS
[LLM] C2 callback to moika.tech payload distribution infrastructure Bespoke c2 · alerting DSΣPDDCS
[LLM] Container egress to cryptominer pool / Kinsing C2 Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound HTTP beacon to vpmdhaj C2 (aab.sportsontheweb.net) Bespoke c2 · alerting DSΣPDDCS
[LLM] Cyberhaven trojanized Chrome extension C2 callback to cyberhavenext.pro Bespoke c2 · alerting DSΣPDDCS
[LLM] NoName057(16) DDoSia client check-in (/client/login, /client/get_targets) Bespoke c2 · alerting DSΣPCS
[LLM] axios RAT C2 callout to sfrclak.com / 142.11.206.73:8000 Bespoke c2 · alerting DSΣPDDCS
[LLM] SilentCryptoMiner DNS tunneling to *.microsoft.com lookalike and known C2 .space domains Bespoke c2 · alerting DSΣPDDCS
[LLM] Yamcs Java process beacons to webhook / interact / tunneling service (CVE-2026-46621 C2) Bespoke c2 · alerting DSΣPDDCS
[LLM] Reverse-shell /dev/tcp file descriptor from Yamcs java process tree Bespoke c2 · alerting DSΣPDDCS
[LLM] DNS/HTTPS exfil to sentry.anyclaw.store (Codex token C2 masquerading as Sentry) Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound recon callback from Yamcs host (curl/shell child of JVM to public IP) Bespoke c2 · alerting DSPCS
[LLM] BTMOB C2/phishing domain contact — arbsniper.com Bespoke c2 · alerting DSΣPDDCS
[LLM] Egress to BTMOB hosted C2 cluster (LATAM/Hetzner IPs, Google CDN excluded) Bespoke c2 · hunting DSPDDCS
[LLM] Laravel-Lang supply chain C2/exfil to flipboxstudio.info Bespoke c2 · alerting DSΣPDDCS
[LLM] C2 egress to flipboxstudio.info from Laravel-Lang composer dropper Bespoke c2 · alerting DSΣPDDCS
[LLM] Megalodon CI/CD exfil: outbound HTTPS to C2 216.126.225.129:8443 Bespoke c2 · hunting DSΣPDDCS
[LLM] Screening Serpens C2 — DNS/network to UNC1549 infrastructure (Feb-Apr 2026) Bespoke c2 · alerting DSΣPDDCS
[LLM] OpenSSH reverse port-forward (-R) launched on a workstation - Cloud Atlas backup C2 Bespoke c2 · alerting DSΣPDDCS
[LLM] Nx Console / Shai-Hulud C2 connection (t.m-kosche.com, check.git-service.com, filev2.getsession.org, api.masscan.cloud, 83.142.209.194) Bespoke c2 · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud C2 callback to zero.masscan.cloud / 94.154.172.43 Bespoke c2 · alerting DSΣPDDCS
[LLM] TamperedChef C2 / distribution callback to appsuites.ai and sibling domains Bespoke c2 · alerting DSΣPDDCS
[LLM] DNS / Network egress to TeamPCP Nx Console C2 domain check.git-service.com Bespoke c2 · alerting DSΣPDDCS
[LLM] EchoCreep Discord API beacon from non-browser process (Webworm 2025) Bespoke c2 · hunting DSΣPDDCS
[LLM] GraphWorm OneDrive /createUploadSession C2 from non-Office process Bespoke c2 · hunting DSΣPDDCS
[LLM] Webworm 2025 IOC match — known C2 IPs (Vultr/IT7) and file hashes Bespoke c2 · hunting DSΣPDDCS
[LLM] TeamPCP rope.pyz Dropper Fetch from check.git-service.com C2 Bespoke c2 · hunting DSΣPDDCS
[LLM] Reverse shell from 9router-spawned shell — outbound TCP from node-child bash Bespoke c2 · hunting DSPDDCS
[LLM] DNS lookup for git-tanstack.com TeamPCP C2 staging domain Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound connection to TeamPCP C2 IP 83.142.209.194 Bespoke c2 · hunting DSΣPDDCS
[LLM] Mini Shai-Hulud / TeamPCP C2 beacon to api.masscan.cloud / git-tanstack.com / *.getsession.org Bespoke c2 · alerting DSPDDCS
[LLM] BadIIS C2 IP / domain beacon (lee.6686ty.vip, iis.01nmwe.xyz) Bespoke c2 · hunting DSΣPDDCS
[LLM] IIS worker (w3wp.exe) initiating outbound connection to public IP Bespoke c2 · hunting DSPDDCS
[LLM] Mini Shai-Hulud C2 exfil to t.m-kosche.com disguised as OpenTelemetry collector Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound C2 to t.m-kosche.com from CI/CD runner or any endpoint Bespoke c2 · alerting DSΣPDDCS
[LLM] node-ipc C2 callback to sh.azurestaticprovider.net (May 2026 npm supply-chain) Bespoke c2 · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud C2 backchannel: python polling GitHub commit search for 'firedalazer' Bespoke c2 · alerting DSPDDCS
[LLM] Outbound network connection to mistralai 2.4.6 dropper C2 (83.142.209.194) Bespoke c2 · alerting DSΣPDDCS
[LLM] Arcane backend host outbound Git/HTTPS to non-allowlisted host on port 22/443 (CVE-2026-45625 credential sink) Bespoke c2 · hunting DSPDDCS
[LLM] DNS lookup for azurestaticprovider[.]net node-ipc exfil domain Bespoke c2 · alerting DSΣPDDCS
[LLM] AdaptixC2 'shadowcore' / Mythic C2 traffic to UAT-8616 infrastructure 194.163.175.135 Bespoke c2 · hunting DSΣPDDCS
[LLM] FrostyNeighbor C2 callout to needbinding/nebao/algsat/sardk/alexavegas/lavanille Bespoke c2 · alerting DSΣPDDCS
[LLM] Mini Shai-Hulud npm Worm C2 callback to Session Protocol CDN and masscan.cloud Bespoke c2 · alerting DSΣPDDCS
[LLM] Session/Oxen P2P exfil DNS or TCP to getsession.org from build/CI host Bespoke c2 · alerting DSΣPDD
[LLM] CL-STA-1132 EarthWorm staging download from 146.70.100.69:8000/php_sess Bespoke c2 · hunting DSΣPDD
[LLM] BirdCall RokRAT cloud-storage C2 beacon (Dropbox/pCloud) from non-browser process Bespoke c2 · hunting DSPDDCS
[LLM] Outbound to elementary-data exfil C2 igotnofriendsonlineorirl-imgonnakmslmao.sky Bespoke c2 · alerting DSΣPDDCS
[LLM] TeamPCP @bitwarden/cli stealer exfil to audit.checkmarx.cx (94.154.172.43) Bespoke c2 · hunting DSΣPDDCS
[LLM] Mini Shai-Hulud 'OhNoWhatsGoingOnWithGitHub' dead-drop keyword in outbound URL Bespoke c2 · alerting DSΣPDD
[LLM] Exfil to skyhanni.cloud C2 with X-Rise-To-The-Trinny header Bespoke c2 · alerting DSΣPDDCS
[LLM] Cyberhaven compromised Chrome extension C2 callback (cyberhavenext.pro) Bespoke c2 · hunting DSΣPDDCS
[LLM] Non-browser process posting to Slack Web API (LaxGopher C2) Bespoke c2 · hunting DSPDDCS
[LLM] Non-browser process posting to Discord API (RatGopher C2) Bespoke c2 · hunting DSPDDCS
[LLM] Beaconing to GopherWhisper C2 IP 43.231.113.50 (incl. SSLORDoor raw TLS/443) Bespoke c2 · alerting DSΣPDDCS
[LLM] Suspicious draft email manipulation against barrantaya.1010@outlook.com (BoxOfFriends Graph API C2) Bespoke c2 · hunting DSPDDCS
[LLM] GPT-Proxy backdoor C2 / Stage-2 download (sync.geeker.indevs.in, gibunxi4201/kube-node-diag) Bespoke c2 · alerting DSΣPDD
[LLM] Trust Wallet Shai-Hulud C2 callback to metrics-trustwallet.com / 138.124.70.40 Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound connection to Velora DEX npm supply-chain C2 89.36.224.5 Bespoke c2 · alerting DSΣPDDCS
[LLM] TeamPCP Trivy/KICS C2 callback to scan.aquasecurtiy.org / 45.148.10.212 Bespoke c2 · hunting DSΣPDD
[LLM] axios Supply Chain RAT C2 Callback to sfrclak.com (Port 8000) Bespoke c2 · alerting DSΣPDDCS
[LLM] hackerbot-claw payload host: DNS/HTTP egress to hackmoltrepeat.com (C2 + exfil) Bespoke c2 · alerting DSΣPDDCS
[LLM] OpenClaw Gateway WebSocket listener / loopback connection on TCP 18789 Bespoke c2 · hunting DSΣPDDCS
[LLM] IoliteLabs IOC sweep: rraghh.com / oortt.com hostnames + campaign file hashes Bespoke c2 · hunting DSΣPDD
[LLM] Outbound connection to TeamPCP C2 83.142.209.203 / ringtone.wav stego payload fetch Bespoke c2 · alerting DSΣPDDCS
[LLM] TeamPCP C2 / exfil egress to models.litellm.cloud, checkmarx.zone and AS205759 nodes Bespoke c2 · hunting DSΣPDDCS
[LLM] Outbound C2 to sfrclak.com / 142.11.206.73:8000 (Axios npm RAT beacon) Bespoke c2 · alerting DSΣPDDCS
[LLM] axios npm RAT C2 beacon to sfrclak.com / 142.11.206.73:8000 Bespoke c2 · hunting DSΣPDD
[LLM] Outbound DNS/HTTPS to TeamPCP exfil domain models.litellm.cloud (litellm PyPI compromise) Bespoke c2 · alerting DSΣPDDCS
[LLM] TeamPCP C2 egress to 83.142.209.203:8080 (telnyx WAV-stego dropper) Bespoke c2 · hunting DSΣPDDCS
[LLM] TeamPCP supply-chain C2 — outbound to checkmarx[.]zone / 83.142.209.11 Bespoke c2 · hunting DSΣPDD
[LLM] Trivy supply-chain C2 beacon to typosquat domain scan.aquasecurtiy.org Bespoke c2 · alerting DSΣPDD
[LLM] bittensor-wallet 4.0.2 backdoor C2 domain contact (opentensor-* lookalikes) Bespoke c2 · alerting DSΣPDD
[LLM] DNS tunneling exfiltration pattern to *.t.opentensor-cdn.com (hex chunk/index/total/session) Bespoke c2 · alerting DSΣPDD
[LLM] node.exe contacting Solana JSON-RPC endpoints (suspected blockchain dead-drop C2) Bespoke c2 · hunting DSPDDCS
[LLM] C2 beaconing to Vercel-hosted Cloudflare-impersonating domains (cloudflareguard / cloudflareinsights) Bespoke c2 · alerting DSΣPDD
[LLM] ForceMemo: Python process queries Solana mainnet RPC endpoint (blockchain dead-drop C2) Bespoke c2 · alerting DSΣPDD
[LLM] Outbound C2 callback to xygeni-action backdoor IP 91.214.78.178 from CI runner Bespoke c2 · hunting DSΣPDDCS
[LLM] Bash-spawned curl to xygeni-action C2 nip.io endpoint with /b/in /b/q /b/r path on CI runner Bespoke c2 · alerting DSΣPDDCS
[LLM] DNS / HTTPS egress to TeamPCP exfil infra (models.litellm.cloud, checkmarx.zone) Bespoke c2 · hunting DSΣPDDCS
[LLM] DNS/HTTP egress to CanisterWorm ICP canister C2 (tdtqy-oyaaa-aaaae-af2dq-cai) Bespoke c2 · alerting DSΣPDDCS
[LLM] GlassWorm hardcoded C2 IP egress (45.32.150.251 / 217.69.3.152) for Stage-2 fetch and exfil Bespoke c2 · hunting DSΣPDDCS
[LLM] GlassWorm Solana blockchain dead-drop C2 lookup via public RPC endpoints from Node Bespoke c2 · hunting DSΣPDDCS
[LLM] Outbound TCP beacon to BlokTrooper Socket.IO C2 195.201.104.53:6931/6936/6939 Bespoke c2 · alerting DSΣPDDCS
[LLM] Glassworm stage-2/stage-3 C2 callback to 45.32.150.251 or 217.69.3.152 Bespoke c2 · hunting DSΣPDD
[LLM] DRILLAPP variant 2: Edge launched with --remote-debugging-port=9222 for CDP-based file download Bespoke c2 · alerting DSΣPDDCS
[LLM] DRILLAPP C2 staging: msedge.exe contacting pastefy.app Bespoke c2 · alerting DSΣPDDCS
[LLM] DRILLAPP C2: msedge.exe egress to known DRILLAPP IPs or WebSocket to localhost:8000 Bespoke c2 · hunting DSΣPDDCS
[LLM] Exfiltration to kubernetes-el attacker webhook.site UUIDs (Pwn Request payload) Bespoke c2 · alerting DSΣPDD
[LLM] BeardShell C2: outbound to Icedrive cloud-storage API as non-browser process Bespoke c2 · alerting DSΣPDDCS
[LLM] Covenant C2: outbound to Filen cloud-storage API as non-browser process Bespoke c2 · alerting DSΣPDDCS
[LLM] PlugX C2 egress — connections to decoraat.net / decoorat.net / gesecole.net Bespoke c2 · alerting DSΣPDDCS
[LLM] PromptSpy VNC C2 egress to 54.67.2.84 Bespoke c2 · hunting DSΣPDDCS
[LLM] Egress to sidoraress json-bigint-extend gambling backdoor C2 infrastructure Bespoke c2 · alerting DSΣPDD
[LLM] CI runner anomalous outbound to raw.githubusercontent.com / gist.githubusercontent.com Bespoke c2 · alerting DSPDDCS
[LLM] Egress to Qix npm phishing/exfil infrastructure (npmjs.help, publicvm.com, BunnyCDN buckets) Bespoke c2 · hunting DSΣPDDCS
[LLM] APT28 MacroMaze: Edge launched off-screen or headless to webhook.site by non-browser parent Bespoke c2 · alerting DSΣP
[LLM] APT28 MacroMaze: Office or Edge HTTP traffic to webhook.site (INCLUDEPICTURE tracker + exfil) Bespoke c2 · hunting DSP
[LLM] npm/yarn/pnpm postinstall: Node child egressing to non-registry public host Bespoke c2 · hunting DSPDDCS
[LLM] Scavenger npm malware C2 beacon to firebase.su / dieorsuffer.com / smartscreen-api.com Bespoke c2 · alerting DSΣPDD
[LLM] Endpoint contact with attacker C2 setup-service.com (OpenClaw skill stager) Bespoke c2 · alerting DSΣPDDCS
[LLM] Sandworm SOCKS5 C2 egress to 31.172.71[.]5 (Fornex) or progamevl.ru Bespoke c2 · hunting DSΣPDDCS
[LLM] GhostChat C2/staging infrastructure contact (hitpak.org, buildthenations.info, fkclb.com) Bespoke c2 · alerting DSΣPDDCS
[LLM] ScreenConnect client beaconing to ClawdBot attacker relay (meeting.bulletmailer.net:8041) Bespoke c2 · hunting DSΣPDDCS
[LLM] rsocx SOCKS5 reverse proxy beacon to 31.172.71.5:8008 (Sandworm Poland C2) Bespoke c2 · alerting DSΣP
[LLM] G_Wagon C2 beacon: node.exe or python.exe egress to Appwrite storage buckets Bespoke c2 · alerting DSΣPDDCS
[LLM] Aikido npm phishing: direct outbound connection to RackGenius C2 (163.123.236.118) Bespoke c2 · hunting DSΣPDDCS
[LLM] C2 beacon or stage-2 fetch to updatenet[.]work / 172.86.73.139 / dothebest[.]store Bespoke c2 · hunting DSΣPDDCS
[LLM] MuddyViper C2 fingerprint: 'A WinHTTP Example Program/1.0' UA + distinctive URI paths Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound exfiltration to webhook.site from npm / node / bun process tree Bespoke c2 · alerting DSΣPDDCS
[LLM] Outbound exfiltration to Shai-Hulud webhook.site/bb8ca5f6 C2 endpoint Bespoke c2 · alerting DSΣPDD
[LLM] PlushDaemon EdgeStepper hijacking infrastructure (wcsset.com / 47.242.198.250 / 8.212.132.120) contact Bespoke c2 · hunting DSΣP
[LLM] TEA Protocol (tea.xyz) DNS resolution from developer or build endpoint Bespoke c2 · hunting DSΣPDDCS
[LLM] ScoringMathTea C2 beacon to compromised WordPress hosts (Lazarus DreamJob IOCs) Bespoke c2 · hunting DSΣPDDCS
[LLM] SnakeStealer Telegram Bot Exfiltration via api.telegram.org from Non-Telegram Process Bespoke c2 · alerting DSΣPDDCS
[LLM] Beamglea mad-* dead-drop fetch from raw.githubusercontent.com/Abassdos2992 Bespoke c2 · alerting DSΣPDDCS
[LLM] DNS or HTTP egress to giftshop.club exfil domain Bespoke c2 · alerting DSΣPDDCS
[LLM] GhostAction C2 egress to Plesk-hosted exfiltration infrastructure Bespoke c2 · hunting DSΣPDDCS
[LLM] Shai-Hulud worm C2 exfiltration to webhook.site UUID bb8ca5f6 Bespoke c2 · alerting DSΣPDDCS
[LLM] Egress to websocket-api2.publicvm.com (Qix campaign credential exfil C2) Bespoke c2 · alerting DSΣPDDCS
[LLM] CI/CD Linux build host outbound to gist.githubusercontent.com (tj-actions IOC pattern) Bespoke c2 · alerting DSΣPDD
[LLM] CI/CD runner outbound to gist.githubusercontent.com (tj-actions CVE-2025-30066 staging fetch) Bespoke c2 · alerting DSΣPDDCS
[LLM] Scavenger C2 callback: ifyouseethisyouareultragay[.]com / pokerainteasy[.]su Bespoke c2 · alerting DSΣPDD
[LLM] Scavenger Stealer C2 beacon to corroborated infrastructure (datahog.su / datalytica.su / smartscreen-api.com) Bespoke c2 · alerting DSΣPDDCS
[LLM] Egress to Solidity Language Cursor extension C2 infrastructure (angelic.su / lmfao.su / staketree.net / ab498.pythonanywhere.com / 144.172.1 Bespoke c2 · hunting DSΣPDDCS
[LLM] BoltDB Go backdoor C2 callback to 49.12.198.231:20022 Bespoke c2 · hunting DSΣPDDCS
[LLM] Outbound fetch of file.sh via attacker-controlled commit d8daa0b... on raw.githubusercontent.com Bespoke c2 · alerting DSΣPDDCS
[LLM] Polyfill malware C2: contact with googie-anaiytics homograph or kuurza redirect Bespoke c2 · alerting DSΣPDDCS
[LLM] Moq SponsorLink email exfil egress to cdn.devlooped.com / SponsorLink blob Bespoke c2 · hunting DSΣPDDCS

Actions on Objectives (374)

Infostealer — non-browser process accessing browser cookie/login DBs Internal actions · alerting DSΣP
Crypto-wallet file/keystore access by non-wallet process Internal actions · alerting DSΣP
Remote service execution — PsExec / SMB lateral movement Internal actions · alerting DSΣP
LSASS process access / dump (credential theft) Internal actions · alerting DSΣP
Ransomware-style mass file rename / extension change Internal actions · alerting DSP
[WEEKLY] Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN Internal actions · alerting DSPDD
[WEEKLY] Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request Internal actions · alerting DSPDD
[WEEKLY] Install-Triggered Registry Publish or Git Push (Supply-Chain Worm Self-Propagation) Internal actions · alerting DSPDDCSCW
[WEEKLY] Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes Internal actions · alerting DSPDD
[WEEKLY] npm-install spawned process performing cred-file fan-out plus IMDS reach Internal actions · alerting DSPDDCSCW
[WEEKLY] Supply-chain repo credential theft → outbound exfil to attacker infra Internal actions · alerting DSPDD
Access LSASS Memory for Dump Creation ESCU actions · alerting P
Anomalous usage of 7zip ESCU actions · hunting P
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI ESCU actions · hunting P
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download ESCU actions · hunting P
Cisco NVM - Suspicious Download From File Sharing Website ESCU actions · hunting P
Cisco NVM - Suspicious Network Connection From Process With No Args ESCU actions · hunting P
Clop Ransomware Known Service Name ESCU actions · alerting P
Create Remote Thread In Shell Application ESCU actions · alerting P
Creation of lsass Dump with Taskmgr ESCU actions · alerting P
Creation of Shadow Copy ESCU actions · alerting P
Deleting Shadow Copies ESCU actions · alerting P
Detect Credential Dumping through LSASS access ESCU actions · alerting P
Detect New Local Admin account ESCU actions · alerting P
Detect Prohibited Applications Spawning cmd exe ESCU actions · hunting P
Detect Regasm with Network Connection ESCU actions · alerting P
Detect Regsvcs with Network Connection ESCU actions · alerting P
Detect Use of cmd exe to Launch Script Interpreters ESCU actions · hunting P
Domain Account Discovery with Wmic ESCU actions · alerting P
Domain Controller Discovery with Wmic ESCU actions · hunting P
Drop IcedID License dat ESCU actions · hunting P
Elevated Group Discovery With Wmic ESCU actions · alerting P
Executable File Written in Administrative SMB Share ESCU actions · alerting P
Get ADUser with PowerShell ESCU actions · hunting P
Get ADUserResultantPasswordPolicy with Powershell ESCU actions · alerting P
Get DomainPolicy with Powershell ESCU actions · alerting P
Get DomainUser with PowerShell ESCU actions · alerting P
Get-ForestTrust with PowerShell ESCU actions · alerting P
Get WMIObject Group Discovery ESCU actions · hunting P
GetAdComputer with PowerShell ESCU actions · hunting P
GetAdGroup with PowerShell ESCU actions · hunting P
GetCurrent User with PowerShell ESCU actions · hunting P
GetDomainComputer with PowerShell ESCU actions · alerting P
GetDomainController with PowerShell ESCU actions · hunting P
GetDomainGroup with PowerShell ESCU actions · alerting P
GetLocalUser with PowerShell ESCU actions · hunting P
GetNetTcpconnection with PowerShell ESCU actions · hunting P
GetWmiObject User Account with PowerShell ESCU actions · hunting P
High Frequency Copy Of Files In Network Share ESCU actions · hunting P
Impacket Lateral Movement Commandline Parameters ESCU actions · alerting P
Impacket Lateral Movement smbexec CommandLine Parameters ESCU actions · alerting P
Kerberoasting spn request with RC4 encryption ESCU actions · alerting P
Kerberos Service Ticket Request Using RC4 Encryption ESCU actions · alerting P
Kerberos TGT Request Using RC4 Encryption ESCU actions · alerting P
Kerberos User Enumeration ESCU actions · hunting P
LOLBAS With Network Traffic ESCU actions · alerting P
Malicious Powershell Executed As A Service ESCU actions · alerting P
Network Share Discovery Via Dir Command ESCU actions · hunting P
PetitPotam Network Share Access Request ESCU actions · alerting P
PetitPotam Suspicious Kerberos TGT Request ESCU actions · alerting P
Possible Lateral Movement PowerShell Spawn ESCU actions · hunting P
PowerShell Get LocalGroup Discovery ESCU actions · hunting P
Powershell Remote Thread To Known Windows Process ESCU actions · alerting P
Process Deleting Its Process File Path ESCU actions · alerting P
Randomly Generated Windows Service Name ESCU actions · hunting P
Ransomware Notes bulk creation ESCU actions · hunting P
Remote System Discovery with Wmic ESCU actions · alerting P
Resize ShadowStorage volume ESCU actions · alerting P
Rubeus Kerberos Ticket Exports Through Winlogon Access ESCU actions · alerting P
Rundll32 Create Remote Thread To A Process ESCU actions · alerting P
Rundll32 CreateRemoteThread In Browser ESCU actions · alerting P
Rundll32 LockWorkStation ESCU actions · hunting P
Rundll32 Process Creating Exe Dll Files ESCU actions · alerting P
Rundll32 with no Command Line Arguments with Network ESCU actions · alerting P
SchCache Change By App Connect And Create ADSI Object ESCU actions · hunting P
Scheduled Task Deleted Or Created via CMD ESCU actions · hunting P
Spoolsv Suspicious Process Access ESCU actions · alerting P
Spoolsv Writing a DLL - Sysmon ESCU actions · alerting P
Sqlite Module In Temp Folder ESCU actions · alerting P
Suspicious Copy on System32 ESCU actions · hunting P
Suspicious Kerberos Service Ticket Request ESCU actions · alerting P
Suspicious mshta child process ESCU actions · alerting P
Suspicious Reg exe Process ESCU actions · hunting P
Suspicious Rundll32 no Command Line Arguments ESCU actions · alerting P
Suspicious Ticket Granting Ticket Request ESCU actions · hunting P
Suspicious wevtutil Usage ESCU actions · alerting P
Unusual Number of Computer Service Tickets Requested ESCU actions · hunting P
Unusual Number of Kerberos Service Tickets Requested ESCU actions · hunting P
Unusual Number of Remote Endpoint Authentication Events ESCU actions · hunting P
User Discovery With Env Vars PowerShell ESCU actions · hunting P
Wermgr Process Create Executable File ESCU actions · alerting P
Windows Access Token Manipulation Winlogon Duplicate Token Handle ESCU actions · hunting P
Windows Access Token Winlogon Duplicate Handle In Uncommon Path ESCU actions · hunting P
Windows Account Access Removal via Logoff Exec ESCU actions · hunting P
Windows AD Domain Controller Promotion ESCU actions · alerting P
Windows AD Replication Request Initiated by User Account ESCU actions · alerting P
Windows AD Replication Request Initiated from Unsanctioned Location ESCU actions · alerting P
Windows AD Short Lived Domain Controller SPN Attribute ESCU actions · alerting P
Windows AD Suspicious Attribute Modification ESCU actions · alerting P
Windows Administrative Shares Accessed On Multiple Hosts ESCU actions · alerting P
Windows Alternate DataStream - Process Execution ESCU actions · alerting P
Windows Bluetooth Service Installed From Uncommon Location ESCU actions · hunting P
Windows Cmdline Tool Execution From Non-Shell Process ESCU actions · hunting P
Windows Command Shell DCRat ForkBomb Payload ESCU actions · alerting P
Windows Computer Account Requesting Kerberos Ticket ESCU actions · alerting P
Windows Crowdstrike RTR Script Execution ESCU actions · hunting P
Windows Detect Network Scanner Behavior ESCU actions · hunting P
Windows DnsAdmins New Member Added ESCU actions · alerting P
Windows EventLog Recon Activity Using Log Query Utilities ESCU actions · hunting P
Windows Explorer LNK Exploit Process Launch With Padding ESCU actions · alerting P
Windows File Transfer Protocol In Non-Common Process Path ESCU actions · hunting P
Windows Handle Duplication in Known UAC-Bypass Binaries ESCU actions · hunting P
Windows Hunting System Account Targeting Lsass ESCU actions · hunting P
Windows Identify PowerShell Web Access IIS Pool ESCU actions · hunting P
Windows Kerberos Local Successful Logon ESCU actions · alerting P
Windows KrbRelayUp Service Creation ESCU actions · alerting P
Windows Large Number of Computer Service Tickets Requested ESCU actions · hunting P
Windows List ENV Variables Via SET Command From Uncommon Parent ESCU actions · hunting P
Windows Local Administrator Credential Stuffing ESCU actions · alerting P
Windows Mail Protocol In Non-Common Process Path ESCU actions · hunting P
Windows Masquerading Explorer As Child Process ESCU actions · alerting P
Windows MOF Event Triggered Execution via WMI ESCU actions · alerting P
Windows MSHTA Writing to World Writable Path ESCU actions · alerting P
Windows MSIExec Spawn Discovery Command ESCU actions · hunting P
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos ESCU actions · alerting P
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos ESCU actions · alerting P
Windows Multiple Invalid Users Failed To Authenticate Using NTLM ESCU actions · alerting P
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials ESCU actions · alerting P
Windows Multiple Users Failed To Authenticate From Host Using NTLM ESCU actions · alerting P
Windows Multiple Users Failed To Authenticate From Process ESCU actions · alerting P
Windows Multiple Users Remotely Failed To Authenticate From Host ESCU actions · alerting P
Windows Non-System Account Targeting Lsass ESCU actions · alerting P
Windows Obfuscated Files or Information via RAR SFX ESCU actions · hunting P
Windows Office Product Spawned Uncommon Process ESCU actions · alerting P
Windows Possible Credential Dumping ESCU actions · alerting P
Windows PowGoop Beacon Decoding ESCU actions · alerting P
Windows Process Executed From Removable Media ESCU actions · hunting P
Windows Process Injection into Commonly Abused Processes ESCU actions · hunting P
Windows Process Injection into Notepad ESCU actions · hunting P
Windows Process Injection Remote Thread ESCU actions · alerting P
Windows Rapid Authentication On Multiple Hosts ESCU actions · alerting P
Windows RDP Login Session Was Established ESCU actions · hunting P
Windows Remote Management Execute Shell ESCU actions · hunting P
Windows Renamed Powershell Execution ESCU actions · alerting P
Windows Rundll32 WebDAV Request ESCU actions · hunting P
Windows Rundll32 with Non-Standard File Extension ESCU actions · hunting P
Windows Scheduled Task Created in a Group Policy Object ESCU actions · alerting P
Windows Scheduled Task Service Spawned Shell ESCU actions · alerting P
Windows Sensitive Registry Hive Dump Via CommandLine ESCU actions · alerting P
Windows Service Create RemComSvc ESCU actions · hunting P
Windows Service Create SliverC2 ESCU actions · alerting P
Windows Service Created with Suspicious Service Name ESCU actions · hunting P
Windows Service Created with Suspicious Service Path ESCU actions · alerting P
Windows Shell or Script Execution From IIS Directory ESCU actions · hunting P
Windows Snake Malware Service Create ESCU actions · alerting P
Windows Special Privileged Logon On Multiple Hosts ESCU actions · alerting P
Windows SpeechRuntime Suspicious Child Process ESCU actions · alerting P
Windows Steal Authentication Certificates - ESC1 Authentication ESCU actions · alerting P
Windows Steal or Forge Kerberos Tickets Klist ESCU actions · hunting P
Windows Suspicious Child Process Spawned From WebServer ESCU actions · hunting P
Windows Suspicious React or Next.js Child Process ESCU actions · alerting P
Windows Suspicious VMWare Tools Child Process ESCU actions · alerting P
Windows Terminating Lsass Process ESCU actions · hunting P
Windows UAC Bypass Suspicious Child Process ESCU actions · alerting P
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos ESCU actions · hunting P
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos ESCU actions · hunting P
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM ESCU actions · hunting P
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials ESCU actions · hunting P
Windows Unusual Count Of Users Failed To Authenticate From Process ESCU actions · hunting P
Windows Unusual Count Of Users Failed To Authenticate Using NTLM ESCU actions · hunting P
Windows Unusual Count Of Users Remotely Failed To Auth From Host ESCU actions · hunting P
Windows USBSTOR Registry Key Modification ESCU actions · hunting P
Windows Vulnerable Driver Installed ESCU actions · alerting P
Windows WMI Impersonate Token ESCU actions · hunting P
Windows WMI Reconnaissance Class Query ESCU actions · hunting P
Windows WMIC Shadowcopy Delete ESCU actions · hunting P
Windows WPDBusEnum Registry Key Modification ESCU actions · hunting P
WinEvent Scheduled Task Created to Spawn Shell ESCU actions · alerting P
WinRM Spawning a Process ESCU actions · alerting P
Wmic Group Discovery ESCU actions · hunting P
Wmic NonInteractive App Uninstallation ESCU actions · hunting P
Wscript Or Cscript Suspicious Child Process ESCU actions · hunting P
Rundll32 DNSQuery ESCU actions · alerting P
Suspicious Process DNS Query Known Abuse Web Services ESCU actions · alerting P
Attempted Credential Dump From Registry via Reg exe ESCU actions · alerting P
Cmdline Tool Not Executed In CMD Shell ESCU actions · alerting P
Detect Activity Related to Pass the Hash Attacks ESCU actions · hunting P
Detect Mimikatz Via PowerShell And EventCode 4703 ESCU actions · alerting P
Detect Webshell Exploit Behavior ESCU actions · alerting P
First time seen command line argument ESCU actions · hunting P
Suspicious Powershell Command-Line Arguments ESCU actions · alerting P
Suspicious Rundll32 Rename ESCU actions · hunting P
Suspicious writes to System 
Volume Information ESCU actions · hunting P Windows AD Suspicious GPO Modification ESCU actions · alerting P Windows Command Shell Fetch Env Variables ESCU actions · alerting P Windows Service Created Within Public Path ESCU actions · alerting P [LLM] Velvet Ant air-gap bridge — fcgiwrap/uptime spawning SSH from HTTP-driven FastCGI Bespoke actions · alerting DSΣPDDCS [LLM] Non-browser process fan-out reading SSH/npm/Docker/AWS/browser credential stores on Arch host Bespoke actions · hunting DSPDDCS [LLM] Anti-forensic deletion/tampering of macOS Tahoe 26 App.MenuItem Biome stream Bespoke actions · alerting DSΣPDDCS [LLM] Non-forensic process bulk-reading the App.MenuItem Biome stream Bespoke actions · hunting DSΣPDDCS

Recent articles citing Windows-targeted detections