šŸŽ“ļø Vulnerable U | #169

Github hack, npm madness, Cloudflare's experience with Mythos, CISA embarrassing data leak, and much more!

Read Time: 8 minutes


Howdy friends!

I’m officially scuba certified! Fun stumbling into a new hobby. I’m going to get my advanced certification this week so I can use enriched oxygen and go deeper on my trip. Hoping that keeps me fresh for my keynote. I’ve been working on the slides this week and I’m excited for the talk, I’ll try to do a recap at some other conferences so those of you not going to Descent Cyber can watch. But if you’re into diving and infosec, this is a good group of people putting on this con and I’d get it on your radar.

ICYMI

šŸ–Šļø Something I wrote: This thread filled with good advice on how to not pull npm or PyPi malware with your ai agents

šŸŽ§ļø Something I heard: Inside the Secret Luxury Market For Crypto Thieves

🎤 Something I said: I talked to the hackers that found a nation state iOS 0day

🔖 Something I read: Push published a blog of lessons learned from a webinar we did recently. Some good quotes in here from yours truly.

Vulnerable News

Something’s got to give with this supply chain malware because now the latest victim is GitHub itself. The irony is brutal because GitHub owns NPM, which sits right at the center of the exact malware campaigns we’ve been screaming about for weeks now.

BleepingComputer’s report on the GitHub breach lines up almost perfectly with the same Team PCP playbook we keep seeing over and over again with these “Mini Shai-Hulud” worms. At this point there’s nothing “mini” about it anymore. Threat actors reportedly used a poisoned VS Code extension, which ultimately led to GitHub confirming roughly 3,800 repositories were stolen.

The scary part is how little user error it actually took. The malicious extension was reportedly available for about 11 minutes, but the extension developers estimate more than 6,000 installs happened during that window. That means one GitHub developer likely just had auto-update enabled on what appeared to be a legitimate extension and suddenly malware landed directly inside their development environment. Nobody manually downloaded sketchy files. Nobody disabled antivirus. This is exactly why I keep saying browser extensions, IDE extensions, NPM packages, PyPI packages, and software supply chains are inching toward tied-for-first as the biggest security priority alongside help desk phishing. The attackers are openly telegraphing their playbook now. (read more here and here)

AI agents don't follow the rules traditional SASE was built for. Legacy architectures inspect connections but they cannot interpret intent. Island's Perfect Packet architecture enforces security where work actually happens: at the point of interaction, inside the browser.

Backhaul becomes the fallback, not the default, so up to 90% of sessions go direct with no forced TLS inspection or traffic rerouting. Across user and AI agent sessions alike, Island governs what's sent, to where, and by whom, with a full audit trail and no blind spots.

*Sponsored

This is a top 5 blog of the year for me. Cloudflare’s writeup of their experience with Mythos. The first parts of it are more of what we already knew, Mythos is better at writing exploits than the average AI model. The real magic in this post is when they start to talk about the harness and then the last few paragraphs.

The people having the most success with Mythos aren’t just throwing source code at the model and saying “go find vulns.” They’re building advanced harnesses around it. Mozilla talked about it. The Cloudflare write-up talks about it. That seems to be where the magic actually happens: not just the model, but the surrounding tooling and workflows that let the model iterate toward a working exploit chain.

When the author starts to talk about how just fixing vulns faster is the wrong goal, I start to levitate off my seat. Music to my ears. Direct quote I love: “Patching faster does not change the shape of the pipeline that produces the patch.” Read it twice. Then read it again. Fast whack-a-mole is still whack-a-mole. Vulnerabilities are just one way in; the layers you build around them are where security programs really earn their paycheck. (read more)

This CISA GovCloud leak story from Brian Krebs is insane. It was plaintext passwords, exposed AWS GovCloud credentials, public GitHub repos, and apparently very basic security hygiene failures. One of the exposed files literally contained admin creds for GovCloud systems. Another was apparently just a CSV full of usernames and passwords. Then you read the official response saying there’s “no indication sensitive data was compromised” while staring directly at screenshots of plaintext credentials. Shot. Chaser. Oh my god.

The thing that really bothers me here is this clearly goes beyond “one contractor made a mistake.” There were supposed to be guardrails everywhere that should have caught this. GitGuardian reportedly flagged the exposed secrets. The repo was public. The passwords in some cases were apparently predictable formats like platform name plus current year. This would be embarrassing for any company. The fact that it’s tied to CISA-adjacent infrastructure and GovCloud makes it way worse. (read more)

Microsoft finally assigned a CVE to the YellowKey BitLocker bypass after the researcher behind it basically said, “Fine, if coordinated disclosure isn’t working, I’m just going public.” This is the same researcher behind Blue Hammer, Red Sun, and Green Plasma. I get why this whole thing has turned messy. Microsoft’s response literally says the proof-of-concept was released “violating coordinated vulnerability disclosure best practices,” but you don’t really get to say that after frustrating somebody through the disclosure process so badly they just start dropping everything publicly. That’s the whole point of the protest.

The really wild part is how easy YellowKey apparently is to use. This is a BitLocker bypass that has people legitimately asking out loud whether this feels “too convenient” to be accidental. Microsoft’s mitigation guidance right now is basically “mount WinRE images manually, modify registry hives, disable recovery utilities,” which is honestly a disaster-tier mitigation for most organizations. The entire situation feels like Microsoft scrambling because they wanted time for a clean fix, but instead got forced into publishing ugly interim guidance after the exploit already hit GitHub. (read more)

You've spent hours digging into a "critical" CVE only to realize one config setting makes it impossible to exploit in your environment.

You should never have had to look at it. That's not an exploitable finding, and reachability alone won't catch that. Maze AI agents determine exploitability like your best security engineer would, with context from your environment and business, before noise hits your backlog. (read more)

*Sponsored

Meet BlackFile (UNC6671), a threat group that Google just profiled who specializes in voice phishing. These guys call victims pretending to be IT support, claiming there's some urgent MFA update or passkey migration needed. While they've got you on the phone walking through their fake portal, they're using your real credentials and MFA tokens in real-time to register their own devices on your accounts. Pretty slick adversary-in-the-middle setup that bypasses most traditional security controls.

Once they're in your Microsoft 365 or Okta environment, they go full automation mode with Python and PowerShell scripts to hoover up massive amounts of data - millions of files in some cases. They're using direct HTTP requests that show up as "FileAccessed" events instead of "FileDownloaded" to stay under the radar. After stealing everything from SharePoint to Salesforce, they hit you with extortion demands starting in the millions but often settling for low six-figures. Their data leak site shut down in May 2026 with a cryptic "shutting down under this name" message, suggesting they're probably just rebranding for round two. (read more)
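The FileAccessed-versus-FileDownloaded detail above is the kind of thing a detection can key on: a scripted exfil shows up as a burst of FileAccessed events from one identity, usually with an odd user agent and no matching FileDownloaded records. The script below is an added example, not code from Google's report or from the newsletter. It runs over constructed audit records whose field names (CreationTime, Operation, UserId, ObjectId, UserAgent) are assumed to match the shape of Microsoft 365 unified audit log entries; it finds each user's busiest sliding window of FileAccessed events and reports anyone whose peak exceeds a threshold.

```python
"""Detect bulk SharePoint/OneDrive reads that surface only as FileAccessed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"


def _rec(ts, op, user, obj, ua):
    # Field names follow Microsoft 365 unified audit log records (assumed here).
    return json.dumps({"CreationTime": ts.strftime(TS_FMT), "Operation": op,
                       "UserId": user, "ObjectId": obj, "UserAgent": ua})


# Constructed sample: alice reads 120 distinct files in two minutes through a
# scripted client; bob opens three files over fourteen minutes in a browser.
_BASE = datetime(2026, 5, 1, 10, 0, 0)
SAMPLE_LINES = [
    _rec(_BASE + timedelta(seconds=i), "FileAccessed", "alice@example.com",
         f"https://example.sharepoint.com/sites/hr/doc{i}.docx", "python-requests/2.31")
    for i in range(120)
] + [
    _rec(_BASE + timedelta(minutes=7 * i), "FileAccessed", "bob@example.com",
         f"https://example.sharepoint.com/sites/hr/slides{i}.pptx", "Mozilla/5.0")
    for i in range(3)
]


def parse_records(lines):
    """Parse one JSON record per line and attach a datetime for sorting."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        r["_ts"] = datetime.strptime(r["CreationTime"], TS_FMT)
        out.append(r)
    return out


def find_bulk_readers(records, window=timedelta(minutes=10), threshold=100):
    """Per user, find the busiest `window` of FileAccessed events. Report users
    whose peak count reaches `threshold`, with distinct files touched, the user
    agents involved and how many FileDownloaded events they logged (often zero
    in the scripted-read pattern, which is the whole point)."""
    accessed = defaultdict(list)
    downloaded = defaultdict(int)
    for r in records:
        if r["Operation"] == "FileAccessed":
            accessed[r["UserId"]].append(r)
        elif r["Operation"] == "FileDownloaded":
            downloaded[r["UserId"]] += 1

    findings = {}
    for user, evs in accessed.items():
        evs.sort(key=lambda r: r["_ts"])
        best, start = (0, 0, 0), 0            # (count, start_idx, end_idx)
        for end in range(len(evs)):           # two-pointer sliding window
            while evs[end]["_ts"] - evs[start]["_ts"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            win = evs[s:e + 1]
            findings[user] = {
                "peak_count": count,
                "distinct_files": len({r["ObjectId"] for r in win}),
                "user_agents": sorted({r.get("UserAgent", "") for r in win}),
                "downloaded": downloaded[user],
            }
    return findings


if __name__ == "__main__":
    for user, finding in find_bulk_readers(parse_records(SAMPLE_LINES)).items():
        print(user, finding)
```

The threshold and window are tuning knobs: a real deployment would baseline per-tenant read rates first, and the user-agent set is usually the fastest triage signal once a burst fires.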

This 1Password and OpenAI partnership might actually be one of the smarter AI security ideas I’ve seen lately. The core idea is to stop stuffing secrets into environment variables, dotfiles, prompts, repos, and MCP configs where AI coding agents can accidentally expose them. That’s exactly how a lot of developers are working right now. People are using Codex, MCP servers, and other AI coding tools, and the workflow often becomes, “Yeah, just stick the API key into the ENV variable and let the agent use it.” Then suddenly your coding agent has long-lived access to sensitive credentials sitting directly inside the model workflow.

What 1Password is proposing here is a just-in-time credential model where the secrets stay vaulted and only get issued temporarily for the specific task the agent is performing. In theory, I actually really like this idea. Keeping secrets out of prompts, repos, and model context windows is absolutely the right direction. The part I’d want to test hard is the enforcement side. It’s easy to say “credentials are scoped to the task,” but how do you actually guarantee that? You can’t just ask the AI agent nicely not to misuse the creds. Still, if this works the way they’re describing, it could genuinely reduce a lot of the secret leakage mess we’re seeing right now across AI-assisted development environments. (read more)

My ears perked up when I read this headline as I just did a whole video about Coruna and its sister exploit DarkSword. This is also a bit different than the other npm stuff we’ve covered lately as it’s not targeting the developer pulling the npm malware, it’s targeting iOS devices of users who happen upon websites using the pwned packages.

Socket's threat research team caught this in the popular art-template npm package. Someone managed to take over maintenance from the original author, then immediately started pushing weaponized versions. The compromised packages (4.13.5 and 4.13.6) inject a sophisticated iOS Safari exploit framework that's basically a respawned version of the Coruna exploit kit - the same commercial toolkit that Google documented earlier with 5 full exploit chains targeting iOS 13-17.2.

The technical sophistication is impressive in a terrifying way - multiple obfuscation layers, content-addressed module loading, and even CPU architecture discrimination between regular iPhones and Apple Silicon Macs. If your app bundled those bad art-template versions, every user visiting your site got served this exploit framework automatically. (read more)
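Because the bad versions can arrive transitively (some CMS or template dependency pins art-template for you), "I don't depend on it directly" is not enough; you have to check the lockfile. The checker below is an added example, not Socket's tooling or anything from the newsletter. It walks both lockfile layouts npm produces: the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1. The two bad art-template versions come from the report above; the sample lockfiles and the `some-cms` package are constructed.

```python
"""Flag known-bad npm package versions anywhere in a package-lock.json."""
import json

# Versions named in the Socket report above. The dict shape is this example's own.
DENYLIST = {
    "art-template": {"4.13.5", "4.13.6"},
}

# Constructed lockfiles. In both, the clean top-level copy is not the problem;
# the copy nested under a constructed "some-cms" dependency is.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-site", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-site", "version": "1.0.0"},
        "node_modules/art-template": {"version": "4.13.2"},
        "node_modules/some-cms": {"version": "2.0.0"},
        "node_modules/some-cms/node_modules/art-template": {"version": "4.13.6"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-site", "lockfileVersion": 1,
    "dependencies": {
        "art-template": {"version": "4.13.2"},
        "some-cms": {"version": "2.0.0",
                     "dependencies": {"art-template": {"version": "4.13.5"}}},
    },
})


def _walk_v1(deps, prefix, denylist, out):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, info in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        ver = info.get("version")
        if ver in denylist.get(name, ()):
            out.append((path, name, ver))
        _walk_v1(info.get("dependencies"), path + "/", denylist, out)


def find_bad_packages(lock_text, denylist=DENYLIST):
    """Return sorted (install_path, name, version) tuples for every denylisted
    package anywhere in the tree, direct or transitive."""
    lock = json.loads(lock_text)
    out = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, info in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            # Scoped packages keep their "@scope/" because we split on the last
            # "node_modules/" segment, e.g. "node_modules/@scope/name".
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            ver = info.get("version")
            if ver in denylist.get(name, ()):
                out.append((path, name, ver))
    else:  # lockfileVersion 1: recursive tree
        _walk_v1(lock.get("dependencies"), "", denylist, out)
    return sorted(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for hit in find_bad_packages(text):
        print("BAD:", *hit)
```

Run it against a real package-lock.json by passing the path as the first argument; the install path in each hit tells you which parent dependency pulled the bad version in.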


Varonis just dropped details on a clever new evasion technique called GhostTree that's bound to give some EDR vendors headaches. The idea is to use NTFS junctions to create recursive directory loops that generate infinite file paths. Any user can pull this off with just write permissions and a couple mklink commands, no admin rights needed. Point a child folder back to its parent, and suddenly you've got unlimited valid paths to the same file that can stretch all the way to Windows' 260-character limit.

The nastier variant creates multiple junction branches, turning your directory structure into a binary tree nightmare that can theoretically generate 2^126 unique paths (that's more paths than there are atoms in your body, for perspective). When EDR tools try to recursively scan these folders, they get stuck in the loop and hang, leaving your actual malware sitting pretty and unscanned. Microsoft initially brushed this off saying "bypassing Defender isn't crossing a security boundary," but then quietly patched it anyway. (read more)
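The fix on the scanner side is old-fashioned cycle detection: key visited directories on their resolved (device, inode) identity rather than on the path string, so a junction pointing back at an ancestor is recognised the second time it resolves, no matter how many distinct path strings lead there. The walker below is an added example, not Varonis's or Microsoft's code. It does not descend into reparse points by default, detects loops by inode when it does, and keeps a depth cap as a backstop. The test tree uses a symlink as a stand-in for the NTFS junction the post describes, so it runs on any platform; `is_junction` exists on `os.DirEntry` only from Python 3.12, hence the guarded lookup.

```python
"""Directory walker that survives junction/symlink loops of the GhostTree kind."""
import os
import tempfile


def _is_reparse_point(entry):
    # Symlinks everywhere; NTFS junctions via DirEntry.is_junction (Python 3.12+).
    # On older Pythons a junction looks like a plain directory, which is exactly
    # why the inode check in safe_walk exists as a second line of defence.
    return entry.is_symlink() or getattr(entry, "is_junction", lambda: False)()


def safe_walk(root, follow_links=False, max_depth=64):
    """Yield (path, kind) for everything under root, visiting each real directory
    once. kind is 'file', 'link' (reparse point not followed), 'loop' (a link that
    resolved to a directory already visited) or 'depth-limit'."""
    seen = set()
    stack = [(root, 0)]
    while stack:
        d, depth = stack.pop()
        st = os.stat(d)                      # follows links: a loop resolves to a seen inode
        key = (st.st_dev, st.st_ino)
        if key in seen:
            yield d, "loop"
            continue
        seen.add(key)
        if depth > max_depth:                # backstop in case identity tracking is fooled
            yield d, "depth-limit"
            continue
        with os.scandir(d) as it:
            for entry in it:
                if _is_reparse_point(entry):
                    if follow_links and entry.is_dir():   # is_dir() follows the link
                        stack.append((entry.path, depth + 1))
                    else:
                        yield entry.path, "link"
                elif entry.is_dir(follow_symlinks=False):
                    stack.append((entry.path, depth + 1))
                else:
                    yield entry.path, "file"


def build_loop_tree():
    """Constructed test tree: root/payload.txt plus root/child/back -> root.
    A symlink stands in for the junction; a junction loop resolves the same way."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "payload.txt"), "w") as f:
        f.write("scan me")
    child = os.path.join(root, "child")
    os.mkdir(child)
    os.symlink(root, os.path.join(child, "back"), target_is_directory=True)
    return root


def scan_summary(root, follow_links):
    """Count what the walker reports; a naive walker never returns from this tree."""
    counts = {"file": 0, "link": 0, "loop": 0, "depth-limit": 0}
    for _, kind in safe_walk(root, follow_links=follow_links):
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    tree = build_loop_tree()
    print("not following links:", scan_summary(tree, follow_links=False))
    print("following links:    ", scan_summary(tree, follow_links=True))
```

With links followed, the planted file is found exactly once and the back-reference is reported as a single loop instead of an endless run of ever-longer paths; the depth cap only fires if something defeats the identity check.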

Grafana is another ripple effect of the npm worms. Their CI/CD pipeline consumed one of those malicious npm packages and the credential-stealing malware did its thing and stole some GitHub workflow tokens from their environment. Grafana's incident response team jumped on it and started rotating tokens, but they missed one.

That lone forgotten token was all the attackers needed to get into Grafana's private GitHub repos and make off with source code plus some business operational data (think contact names and emails, nothing too spicy). No customer production data got touched, and they didn't mess with the actual codebase, so if you've been downloading Grafana recently, you're fine. But this, hand in hand with the lead story on GitHub, is a second-order hack of the npm worm worth watching. (read more)

European cops just took a wrecking ball to First VPN, the go-to service for cybercriminals looking to hide their dirty work. This coordinated takedown between France, Netherlands, and Ukraine happened this week and targeted a service that had been advertising itself on Russian-speaking crime forums for years. They grabbed 33 servers and, more importantly, the entire user database - which is basically a Christmas list of cybercriminals who thought they were untouchable.

First VPN wasn't just some regular VPN that happened to have bad actors as customers. This thing was specifically marketed to criminals, promising they'd never cooperate with law enforcement and would keep users "beyond the reach" of authorities. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay