OAuth Consent Phishing in 2026: MFA Stops Password Theft, Not Bad App Grants
Attackers do not always need your password. A single OAuth consent grant can give a malicious or compromised app durable access to mail, files, calendars, and SaaS data.
In-depth red team research, blue team strategy — and privacy-first security tools that run entirely in your browser. No accounts. No telemetry. No data leaves your machine.
Mozilla used Claude Mythos Preview to identify and fix 271 Firefox security bugs, while Chrome shipped a separate 151-fix security update. The lesson is not that AI replaces security teams. It is that patching, triage, and verification are becoming the bottleneck.
A fake OpenAI repo hit #1 trending on Hugging Face with 244K downloads in 18 hours. Here's every attack vector targeting AI model repositories — and how to defend against them.
Physical social engineering is back — and the attacker doesn't have to be an IT guy. Learn how anyone with the right uniform and pretext can walk through your front door, and how organizations can fight back.
Trend Micro documented QLNX, a Linux RAT that combines credential harvesting, LD_PRELOAD persistence, PAM backdoors, and rootkit behavior. The real risk is not one infected host - it is the supply chain access behind it.
npm packages no longer publish instantly. GitHub's staged publishing forces a 2FA-gated human approval before any version hits the registry — here's what it means and how to enable it.
Dutch investigators seized more than 800 servers in a sanctions case tied to Stark Industries. The lesson for defenders is simple: attacker infrastructure is a business ecosystem.