Trackr.Live – The landing site for Trackr Services

§ Trackr.Live

Agent Memory Poisoning Survives the Session. The Detection Lives in the Write Path Nobody Logs

Single-turn prompt injection usually dies when the context window clears. Memory poisoning persists, fires weeks later, and hides in a memory-write event your platform was never built to emit as security telemetry. Here is what to instrument, what to detect, and what the first round of tuning gets wrong.

AppDomainManager Hijacking Hides in a Signed Binary. The Tell Is One Line of XML That Kills ETW

AppDomainManager hijacking loads attacker code into a Microsoft-signed .NET process before the app runs — and the same config file that does it can switch off the ETW telemetry your EDR depends on. The cleanest detection isn’t the dropped DLL. It’s the XML.

The DPRK Worker’s KVM Is Plugged Into Your Laptop, Not the Internet. Hunt the Sign-In Log Instead

North Korean IT workers don’t breach you — they get hired. The device fingerprint everyone reaches for is spoofable and behind home NAT. The detection that survives contact with production lives in your identity provider’s sign-in logs.

Cyber Tools

GitHub Logs the Workflow Run, Not the Cache Write. That’s the Gap Cache Poisoning Lives In

The 2026 TanStack compromise (CVE-2026-45321) turned a bundle-size workflow into an npm publishing channel by poisoning a repo-scoped cache. The cache write left almost no runtime telemetry, which makes this a config audit before it’s ever a detection.

Cyber Tools

RC4 Is About to Go Extinct in Kerberos. So Is Your Kerberoasting Detection

Microsoft’s three-phase RC4 disablement for Kerberos closes a real attack surface and quietly breaks the most common Kerberoasting detection rule in the process. The signal you keyed on is about to disappear, and the attack isn’t going with it.

CVE-2026-20253 Runs as the splunk User — and That’s the Index You’d Hunt It In

An unauthenticated file-write in Splunk Enterprise’s bundled Postgres sidecar chains to code execution as the splunk service account — the same account that owns your _audit and _internal indexes. The detection problem is mostly a log-forwarding hygiene problem you either solved last year or didn’t.

Token Protection Binds the PRT, Not the Browser Session AiTM Actually Steals

Conditional Access Token Protection is the control everyone cites as the answer to adversary-in-the-middle phishing. It binds the PRT for native apps on Windows and skips browsers entirely — which is exactly where the stolen cookie lands. Detection, not the control, is still your line.

Bring Your Own Installer: When the EDR Bypass Ships Inside the EDR

Attackers don’t need a vulnerable driver to blind an EDR — they need the agent’s own installer and a window. The durable detection isn’t the kill command, it’s the silence that follows. Here is what that detection looks like the first time you deploy it, and why it floods the SOC before it works.

ClickFix’s Cleanest Artifact Is RunMRU. The 2026 Variants Walked Away From It

RunMRU is the tidiest endpoint signal for ClickFix, which is exactly why it’s the first thing attackers stopped touching. A look at what the registry detection catches, why it’s already half-blind, and the process-ancestry signal that actually survives.

Artificial Intelligence

Unicode Tag Smuggling Is Prompt Injection With a Byte Signature

Most prompt injection is semantic and resists signature detection. Invisible Unicode tag smuggling is the exception: it leaves a deterministic byte range you can match at the gateway. Here’s the detection, the tuning, and why most teams instrument the wrong path.