How the Threat is Introduced (Initial Access) Official Store Publishing or Impersonation Attackers publish extensions that appear legitimate or impersonate popular tools, relying on storefront trust signals and user intent. Developer Account Compromise (Supply Chain) Phishing and permission abuse against extension developers enables attackers to upload a malicious version of
Citrix ADC
TRENDING TOPICS FEB 04, 2026 Dual-Mode Citrix Gateway Recon Campaign: Residential Proxies and Version Enumeration Between January 28 and February 2, 2026, GreyNoise observed a coordinated reconnaissance effort targeting Citrix ADC and NetScaler Gateway environments, with activity peaking just before February 1. The campaign totaled 111,834 sessions and used
GlassWorm
TRENDING TOPICS FEB 03, 2026 GlassWorm Supply Chain Attack Abuses Trusted Open VSX Extensions to Steal Developer Secrets A supply chain attack tracked as GlassWorm compromised the Open VSX Registry after threat actors gained unauthorized access to the publishing credentials of a legitimate developer account, oorzc. On January 30, 2026,
MONTHLY WRAP MONTHLY WRAP Overview January 2026 reinforced a clear reality: attackers are gaining leverage by abusing trust and identity far more often than by inventing new exploits. This month featured sustained identity-driven intrusions (vishing, adversary-in-the-middle, OAuth abuse, Browser-in-the-Browser phishing
ShinyHunters
TRENDING TOPICS FEB 02, 2026 Update: Google Findings on ShinyHunters SSO-Driven SaaS Intrusions Recent intrusions tied to ShinyHunters, Scattered Spider, and the Scattered LAPSUS$ Hunters label reinforce the idea that identity has become the primary entry point into SaaS environments. Instead of exploiting software flaws, operators impersonate IT or support
Android
CVE-2026-24858 Critical Fortinet FortiCloud SSO AUTHENTICATION BYPASS CROSS-ACCOUNT ACCESS Authentication bypass vulnerability in Fortinet products that allows an attacker with a FortiCloud account and a registered device to log into other Fortinet devices owned by different accounts when FortiCloud SSO is enabled, enabling unauthorized cross-tenant access. Urgent Action: Immediately apply
TA584
TRENDING TOPICS JAN 29, 2026 Update: TA584 Accelerates Initial Access Innovation with ClickFix and Tsundere Bot MaaS TA584 is a highly active and adaptive initial access broker that significantly increased its operational tempo throughout 2025, tripling monthly campaign volume while continuously rotating infrastructure, lures, and delivery techniques. The actor demonstrated
ShinyHunters (UNC6040) Emergence Date: 2020 Attribution Financially motivated extortion group; pivoted from mass data theft to SaaS targeting Recent Activities Claimed responsibility for vishing campaigns against Okta, Microsoft Entra, and Google SSO; identified Salesforce as a primary target Targets Salesforce; SaaS platforms reachable via SSO ShinyHunters UNC6040 Financially Motivated Vishing
GitHub
TRENDING TOPICS JAN 28, 2026 GitHub Repository Abuse Enables Malware Delivery Through Trusted Installer Paths GMO Researchers have identified a malware campaign that exploits GitHub's repository-forking mechanism to distribute trojanized installers under the guise of official projects. Attackers fork the legitimate GitHub Desktop repository, alter download links in
DPRK
TRENDING TOPICS JAN 27, 2026 Update: DPRK “Fake Font” Contagious Interview Campaign Abuses VS Code Tasks to Deploy InvisibleFerret North Korean Lazarus Group operators have launched a new evolution of the long-running “Contagious Interview” campaign that abuses Microsoft VS Code’s task automation feature to execute malware disguised as web
PackageGate
TRENDING TOPICS JAN 26, 2026 Update: PackageGate Highlights New Ways to Slip Past NPM Supply-Chain Safeguards Security researchers at Koi, are using the name “PackageGate” to describe six newly reported weaknesses in JavaScript package managers that can undermine two defenses many teams rely on after the 2025 npm supply-chain incidents:
1 Initial Access Through Trusted Web Content Step Description Victims are directed to a malicious or attacker-injected page hosted on a legitimate, high-reputation website, often discovered via search results. This avoids email-based phishing detection and leverages normal browsing behavior. Legitimate Website High-Reputation Attacker-Injected Page Search Results Avoids Email Security Normal