HiveSecurity

Malware Analysis

30 articles

Miasma and Mini Shai-Hulud: When npm Malware Learned to Persist in AI Coding Agents

Mini Shai-Hulud and Miasma show how supply chain malware can move from npm install-time execution into Claude Code hooks, VS Code tasks, and CI/CD persistence.

6 June 2026
Supply Chain Malware Analysis AI Security

The AI Evasion Lab

Sophos X-Ops uncovered a threat actor using Claude Opus 4.5 and Cursor IDE to build an automated, modular EDR evasion framework — 80 modules, 70+ techniques, tested against Sophos, CrowdStrike, and Defender.

3 June 2026
Malware Analysis Red Team Blue Team

Poisoned AI: How Hugging Face Became a Malware Distribution Platform

A fake OpenAI repo hit #1 trending on Hugging Face with 244K downloads in 18 hours. Here's every attack vector targeting AI model repositories — and how to defend against them.

29 May 2026
Supply Chain AI Security Malware Analysis

DFIR 2026: Memory Forensics, Windows Artifacts, and Incident Response

Memory forensics, Windows event artifacts, and IR methodology — from initial alert to post-incident report. Tools, commands, and playbooks included.

Updated 18 May 2026
Blue Team Incident Response Digital Forensics

LOLBins in 2026: How Attackers Use Windows Against Itself

79% of attacks in 2024 used no malware. Certutil, mshta, rundll32 — execution, persistence, and evasion via Windows built-ins. Detection rules included.

Updated 18 May 2026
Red Team Blue Team Detection

Windows Attack Techniques 2026: BYOVD, ClickFix, and C2 over Cloud

BYOVD EDR evasion, ClickFix delivery, C2 over cloud services — how modern Windows attackers operate in 2026, and the detection logic to catch them.

Updated 18 May 2026
Red Team Blue Team Malware Analysis

Unmasking TeamPCP: The Supply Chain Saboteurs and the Trails They Left Behind

TeamPCP has compromised hundreds of open-source packages and stolen half a million credentials. But their OPSEC is leaking — and someone is already hunting them.

15 May 2026
Threat Intelligence Supply Chain Attribution

When the Weapon Learns: How Nation-States Weaponized AI Across the Full Attack Chain

Google GTIG's May 2026 report documents a turning point: state actors now use AI to write zero-day exploits, build self-navigating backdoors, and poison the AI supply chain itself.

11 May 2026
Threat Intelligence Malware Analysis Red Team

CallPhantom: How 28 Fake Apps Collected Payments for Data That Never Existed

ESET uncovered CallPhantom — 28 Android apps with 7.3M downloads that sold fabricated call histories. A deep dive into the fraud mechanics, billing bypass, and how to protect yourself.

8 May 2026
Malware Analysis Threat Intelligence Mobile Security

The World's Most Dangerous Hacking Teams: A Guide to Nation-State APT Groups

Meet the elite state-sponsored hacking groups that stole billions, blacked out cities, and infiltrated governments. Who they are, what they want, and how they operate in 2026.

7 May 2026
Threat Intelligence Cybersecurity Malware Analysis

AutoHotkey Malware Loaders: How Attackers Weaponize Automation Scripts

AutoHotkey isn't just for productivity scripts — attackers use it as a stealthy malware loader. Learn how AHK-based campaigns work and how to detect them.

7 May 2026
Malware Analysis Detection Red Team

Browser Vendors Fail Users: Millions Infected, Zero Notifications Sent

840,000 GhostPoster victims, 3.2M+ in GitLab campaign, 4.3M+ in ShadyPanda—browser vendors removed extensions but never told users. Self-regulation failed.

7 May 2026
Cybersecurity Supply Chain Malware Analysis

BYOVD: How Attackers Use Legitimate Drivers to Kill Your Security Tools

BYOVD (Bring Your Own Vulnerable Driver) lets attackers reach the Windows kernel using signed, legitimate drivers — and then silently kill your EDR before ransomware drops.

7 May 2026
Red Team Blue Team Malware Analysis

Cobalt Strike Detection & Hunting: A Defender's Playbook

How to detect Cobalt Strike beacons in your environment — network fingerprints, process injection patterns, Sigma rules, and practical hunting queries for blue teams.

7 May 2026
Blue Team Cobalt Strike Threat Hunting

The Digital Parasite: How Attacker Tradecraft Evolved in 2026

80% of top MITRE ATT&CK techniques now focus on evasion and persistence. Attackers abandoned smash-and-grab for long-term parasitic operations in networks.

7 May 2026
Cybersecurity Lateral Movement MITRE ATT&CK

Invisible Characters as an Attack Vector

Unicode's invisible characters are being weaponized — hiding malicious code in repositories, hijacking AI agents, and bypassing security reviews without leaving a trace visible to human eyes.

7 May 2026
Cybersecurity Web Security Red Team

Kimwolf Botnet: 2 Million Hijacked Devices Reshaping Threat Landscape

The Kimwolf botnet has compromised over 2 million devices worldwide by exploiting residential proxy networks and unsecured Android TV boxes. Here's what threat intelligence reveals about its infrastructure, tactics, and how to defend against it.

7 May 2026
Cybersecurity Malware Analysis Threat Intelligence

Trust Me, I'm a Shortcut: How LNK Files Lie to Windows Explorer

Windows .lnk shortcut files can show one target while silently executing another. Discover five spoofing techniques including CVE-2025-9491, how attackers exploit them, and how to detect them.

7 May 2026
Red Team Blue Team Windows Security

macOS Offensive Security: How Attackers Exploit Apple's Unique Attack Surface

TCC bypass, Keychain theft, Launch Agent persistence, dylib hijacking — how attackers target macOS and how defenders detect them. Attack→Detect with real commands.

7 May 2026
Red Team Blue Team Detection

The Package You Trusted: How the Axios Supply Chain Attack Happened

On March 31, 2026, a trusted npm package with 400 million monthly downloads was backdoored for three hours. Here's how it worked and why it keeps happening.

7 May 2026
Cybersecurity Supply Chain Malware Analysis

NTFS Alternate Data Streams: How Attackers Hide in Plain Sight

NTFS Alternate Data Streams let attackers hide executables inside innocent-looking files. Learn how ADS works, how malware uses it, and how to detect it with PowerShell, Sysinternals, and Sysmon.

7 May 2026
Red Team Blue Team Windows Security

OpenClaw: How the Viral AI Agent Became 2026's First Major Security Crisis

OpenClaw went from 0 to 180,000 GitHub stars in weeks — and then came the RCE, 30,000 exposed instances, and a supply chain attack poisoning its entire skill marketplace.

7 May 2026
Cybersecurity Malware Analysis Supply Chain

State-Sponsored Threat Actors 2026: Who They Are and What They Do

A threat intelligence deep-dive into the world's most dangerous state-sponsored APT groups — their identities, motivations, campaigns, and tradecraft in 2026.

7 May 2026
Threat Intelligence APT Nation-State

UEFI Bootkits: The Malware That Lives Below Your Operating System

UEFI bootkits survive OS reinstalls, hide from every AV and EDR tool, and can bypass Secure Boot on fully-patched systems. Here's how they work and what you can do about it.

7 May 2026
Malware Analysis Firmware Security Threat Intelligence

When Your Defender Becomes the Attacker: How Trusted Windows Processes Get Weaponized

Windows Defender and other high-privilege system processes are increasingly targeted by attackers. Learn how security tools become attack surfaces — and what you can do about it.

7 May 2026
Windows Security Privilege Escalation Cybersecurity

Xanthorox AI: When the Attacker's AI Goes Dark

Xanthorox is an offline, modular AI attack platform with five specialized models — and it needs no cloud, no API, and leaves no traditional IoCs. Here's what defenders need to know.

7 May 2026
Cybersecurity Malware Analysis AI Security

Zombie ZIP: How a Malformed Archive Header Blinds 98% of Antivirus Engines

CVE-2026-0866 — a single two-byte header manipulation causes 50 of 51 AV engines to scan compressed noise instead of the actual payload. Technical breakdown, attack scenarios, and detection.

7 May 2026
Malware Analysis Red Team Detection

Memory Forensics with Volatility 3: What Attackers Leave Behind

How attackers hide in RAM using fileless malware and process injection — and how defenders use Volatility 3 to find them. Practical DFIR workflow with real commands.

30 April 2026
Malware Analysis Blue Team Detection

Cookie-Controlled PHP Webshells: A Stealthy Tradecraft in Linux Hosting Environments

Microsoft's Defender team uncovered a clever attacker technique: PHP webshells that stay completely dormant until activated by a secret HTTP cookie. Here's how it works — and how to catch it.

4 April 2026
Web Security Red Team Blue Team

Telegram as a C2 Server: How It Works and How to Detect It

Attackers use Telegram's Bot API as command-and-control infrastructure — no Telegram install needed on the victim machine. Here's the mechanics, real-world examples, and blue team detection strategies.

23 March 2026
Cybersecurity Blue Team Malware Analysis
© 2026 Hive Security. All rights reserved.