New morning out, it looks pretty darn nice. This morning was about the CISA leak https://lnkd.in/dhXbsBd3
About us
ThreatNoir is a daily-updated cybersecurity intelligence platform for practitioners (and those who want to learn more about day-to-day security). We help SOC analysts, security leaders, and engineers stay ahead of active threats without drowning in noise. Every morning and afternoon, we curate the most relevant security news, score it for impact, extract indicators of compromise, and package it into formats that fit how security teams actually work. The condensed 3 to 5 minute podcast gives everyone the essentials.

What we offer:
- Threat intelligence feed: AI-curated articles from hundreds of trusted sources, scored for relevance
- IOC database: real-time indicators (IPs, domains, hashes, CVEs) with fast lookup and API access
- Daily podcast: 5-minute morning and afternoon briefings on Spotify, YouTube, and RSS
- Weekly roundup: executive briefings for CISOs and security leaders
- Focus alerts: critical vulnerability and incident notifications
- Awareness lessons: root-cause takeaways from real incidents
- Red vs Blue Show: animated red team versus blue team tactical breakdowns
- Developer APIs and MCP server: free tier, OpenAPI spec, Claude-ready

Built for SOC analysts, threat hunters, CISOs, security engineers, and anyone who needs signal over noise. No paywall on core content. threatnoir.com
- Website: https://threatnoir.com (external link for Threatnoir)
- Industry: IT services and IT consulting
- Company size: 1 employee
- Headquarters: Stockholm
- Type: Privately held company
- Founded: 2026
- Specialties: Cyber Security, Information, Information Technology Security, SOC, SOC Engineering and Threat Hunting

Addresses
- Primary: Stockholm, SE

Updates
-
This week was supply chain season, and it got messy fast. TeamPCP weaponized over 400 npm and PyPI packages with a self-propagating worm called Shai-Hulud, the kind of thing that makes you wonder how many of those dependencies you're actually running without knowing it.

Zero-day disclosures came out swinging too. A Windows BitLocker bypass and privilege escalation flaws dropped publicly (not sure how long that "responsible disclosure" window actually was), which means defenders are playing catch-up while attackers already have the blueprints.

Critical infrastructure had a rough go of it. Foxconn got hit with ransomware and a pharmaceutical company took a major breach—when your supply chain or your production line goes down, the math on recovery gets brutal pretty fast.

The vendor patch cycle is in overdrive. Microsoft, Adobe, SAP, and Fortinet pushed out fixes for over 200 vulnerabilities combined (it does feel like Fortinet gets hit a lot?). That's a lot of testing and deployment headaches across most organizations.

On the regulatory side, GM just settled for $12.75M and CISA launched the CI Fortify initiative, which suggests someone finally noticed that critical infrastructure security is maybe worth taking seriously. Fines are starting to move the needle in ways that "best practices" never did.

AI security is becoming an actual problem now, not just a thought experiment. Vulnerabilities showed up in OpenClaw, PraisonAI, and Hugging Face tokenizers—which means the tools everyone's racing to integrate might ship with their own backdoors.

If your risk tolerance includes "hoping nobody notices our dependencies," this was probably not a great week. https://lnkd.in/dxvGzzvX #cybersecurity #supplychain #airisks
-
Another episode of Red vs Blue. "Good luck getting casual users to nuke & pave" https://lnkd.in/dN7eu3i3
-
Week 19 hit the same as usual: hard.
- ShinyHunters breached Canvas LMS during finals season. 9,000+ schools. 275 million users.
- Chinese state actors quietly exploited a Palo Alto PAN-OS zero-day for nearly a month before disclosure.
- AI coding tools (Claude, Gemini CLI, Cursor) found vulnerable to supply chain injection from malicious repositories.
- Polish water treatment compromised by Russian APTs with operational system access.

The pattern: trust relationships and AI tooling are first-class attack surfaces now. Education technology and developer toolchains were the soft targets this week.

Three things to do this week:
- Patch PAN-OS (CVE-2026-0300) and Ivanti EPMM (CVE-2026-6973) immediately
- Audit AI coding tool permissions, restrict execution on untrusted repos
- Review Canvas LMS access logs, rotate credentials for affected institutions

Full roundup with IOCs and sources: https://lnkd.in/g3ZeghZE

Want the next weekly roundup in your e-mail (or Telegram, Discord, etc.; let us know which and we can add an integration, we have webhooks as well)? Go to: https://lnkd.in/gE_-Tm4C #cybersecurity #threatintelligence #weeklyroundup
-
The previous week was a mix of the expected and the genuinely unsettling. cPanel got hit with a critical authentication bypass that's being actively exploited for ransomware.

Supply chain stuff is getting weirder. SAP packages and PyTorch Lightning both took hits, which means if you're pulling dependencies from either ecosystem, you might want to audit what came through. Developer credentials stolen at the source are always a bad sign.

The two US cybersecurity professionals who played both sides just got sentenced to four years for running BlackCat ransomware attacks. It's a reminder that the people doing this aren't anonymous forever, even if it feels that way when you're reading about the attacks.

Facebook had a rough week with 30,000+ accounts compromised through a Google AppSheet phishing operation. Phishing still works and awareness is not dead, especially with all the AI tools that are available to automate campaigns.

Linux got a new privilege escalation added to CISA's known exploited list (CVE-2026-31431), so if you're managing Linux infrastructure, that's worth patching sooner rather than later.

Automation is eating security from both sides. https://lnkd.in/evp-RZTJ #cybersecurity #ransomware #supplychain
-
Last week's supply chain attacks got a lot more creative. Someone found wormable malware living in npm packages that can spread through developer toolchains, so not just infecting one project, but jumping across entire dependency trees. That's the kind of thing that keeps teams from sleeping well.

Cisco firewalls are having a rough go of it right now. Researchers discovered persistent backdoors that survive firmware updates, which is particularly nasty because most teams assume a reboot and firmware patch gets you back to clean. Apparently not this time.

The botnet industrialization story is wild too. Nation-state actors are treating botnets like actual business operations now, and they're weaponizing home routers as entry points into corporate networks. It's a reminder that your ISP-provided router isn't just a convenience problem—it's an infrastructure vulnerability.

Mobile threats are expanding fast (AI-powered fake wallet apps are hitting Android, and prompt injection campaigns are getting more sophisticated), which means the attack surface just got wider for anyone managing bring-your-own-device policies.

And if you're in regulated industries, DORA compliance deadlines are closing in while CISA keeps issuing emergency directives. The breach list this week hit telehealth, insurance, and government agencies across multiple countries. No shortage of targets when you're not picky.

One thing that jumped out from our own research: Amazon Bedrock's AgentCore has an "Agent God Mode" vulnerability hiding in overly broad IAM permissions. The Bitwarden CLI is also compromised as part of an ongoing Checkmarx supply chain campaign. FIRESTARTER backdoor is still making rounds.

Supply chain got weirder. https://lnkd.in/d2nK8ctD #cybersecurity #supplychain #threatintel
-
Today's Red vs Blue is out, title: "Vercel Breach Spreads Beyond Initial Blast Radius." Vendor, token, downstream: the same three ingredients we keep watching show up. At some point you stop treating each incident as its own postmortem and start wondering if rotation hygiene is just a discipline nobody actually owns; maybe it's time to create a job role :D Rotation isn't a quarterly cleanup task, it's how resilient pipelines stay resilient. Watch today's episode at: https://lnkd.in/dg-X5aaY
-
The launch video for ThreatNoir's Company Page was built with Hyperframes in about 15 minutes. I wrote up what the pipeline actually looks like: capture, design brief, script, storyboard, TTS, render. Also the mistake I made on v1 (the default TTS voice read "A I" letter by letter) and the fix that worked.
-
Shadowserver found over 6,400 publicly exposed ActiveMQ servers sitting vulnerable to CVE-2026-34197, a code injection flaw that lets authenticated attackers run arbitrary code. This vulnerability lived in the wild for 13 years before anyone caught it. Makes you wonder what else is hiding in widely-used software right now, waiting for the right person (or tool) to look closely enough.

CISA is already confirming active exploitation, which means this isn't theoretical. Federal agencies have until April 30 to patch, and if you're running ActiveMQ anywhere in your infrastructure—especially if it's internet-facing—treat that deadline like it's your own.

The real lesson here: if a major component can stay broken for over a decade, your asset inventory better be solid. You need to know what you're running and where. https://lnkd.in/dqDUcctC #cybersecurity #vulnerability #patching
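The "know what you're running and where" point above is the part a practitioner can act on today. The script below is an added example, not ThreatNoir's code or Shadowserver's method: it parses nmap greppable (-oG) output and flags hosts that look like ActiveMQ brokers on the default ports (61616 for OpenWire, 8161 for the Jetty web console), plus any port whose service banner mentions ActiveMQ. The scan lines are constructed, not a real scan, and the port assumptions are stated in the comments. It finds candidates for the inventory only; whether a given host is actually affected by CVE-2026-34197 depends on its version and patch status per the vendor advisory, which the post does not quote.

```python
"""Flag ActiveMQ-looking services in nmap -oG output.

Added example, not ThreatNoir's code. Assumptions: the broker still listens on the
ActiveMQ defaults (61616 OpenWire, 8161 web console), and the input follows nmap's
documented greppable layout. SAMPLE below is constructed, not captured from a scan.
"""
from dataclasses import dataclass

# ActiveMQ default ports (assumption: the deployment did not move them).
ACTIVEMQ_PORTS = {61616: "openwire", 8161: "web-console"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    role: str      # "openwire", "web-console", or "non-default-port"
    version: str   # nmap's version column, often empty without -sV


def parse_greppable(text: str) -> list[Finding]:
    """Return ActiveMQ candidates from nmap greppable text.

    A -oG host line is tab-separated: 'Host: <ip> (<name>)\\tPorts: <p1>, <p2>\\t...'
    and each port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/
    """
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comments and 'Status: Up' lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            port_s, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open" or proto != "tcp":
                continue  # closed/filtered ports are not reachable from the scanner
            port = int(port_s)
            role = ACTIVEMQ_PORTS.get(port)
            fingerprint = f"{service} {version}".lower()
            if role is None and "activemq" not in fingerprint:
                continue  # unrelated service on a non-default port
            findings.append(Finding(host, port, role or "non-default-port", version))
    return findings


def exposed_hosts(findings: list[Finding]) -> list[str]:
    """Distinct hosts to reconcile against the asset inventory and patch status."""
    return sorted({f.host for f in findings})


# Constructed sample in nmap -oG layout (RFC 5737 documentation addresses).
SAMPLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -p 22,443,8161,61616 -oG - 203.0.113.0/29\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, "
    "8161/open/tcp//http//Jetty 9.4/, 61616/open/tcp//apachemq?///\tIgnored State: closed (1)\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: closed (3)\n"
    "Host: 203.0.113.12 ()\tPorts: 61616/filtered/tcp//apachemq///\tIgnored State: closed (3)\n"
)

if __name__ == "__main__":
    found = parse_greppable(SAMPLE)
    for f in found:
        print(f"{f.host}:{f.port} {f.role} {f.version or '(no banner)'}")
    print("hosts to check against the vendor advisory:", exposed_hosts(found))
```

Run a real scan with `nmap -sV -p 8161,61616 -oG activemq.gnmap <your ranges>` against ranges you own, then feed the file to `parse_greppable`; the filtered host in the sample shows why state is checked before a port is counted as exposed.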
-
This looks like a really cool project; now the question is when, and between which projects, we would test it :)
I just open-sourced my penetration testing AI. Talon is an MCP server that gives Claude Code secure SSH access to a Kali Linux VM. You describe what you want to test in plain English. The AI runs the tools, interprets the output, and suggests next steps.

What it does:
- Connects Claude Code to your Kali environment via SSH MCP
- AI-directed reconnaissance across 5 automated phases
- Enumeration guides for 13 common services
- OSCP-style report generation
- Obsidian vault integration for engagement notes

The key insight: Claude can execute nmap, gobuster, nikto — interpret the results, correlate findings, and maintain a complete attack narrative. Without leaving your terminal.

This is not a replacement for skilled pentesters. It's a force multiplier. The same way AI coding tools don't replace developers — they make good ones faster.

Built for authorized testing, CTF competitions, and security education only. MIT licensed. 14 files. Works today.

GitHub: https://lnkd.in/g_ZrSSE6
Details: https://lnkd.in/gT9-aeED

First of four open-source releases from CarbeneAI this spring. More coming. #cybersecurity #pentesting #AI #opensource #claudecode #redteam #MCP