May 2026

Cyber Tools

TeamPCP Claims a 4,000-Repo GitHub Source Code Sale: What Goes in the Verification Column, and What You Actually Patch Around

TeamPCP — the supply-chain crew behind the Trivy / Checkmarx / KICS / LiteLLM compromises and the Shai-Hulud worm — surfaced a sale listing on May 19, 2026 claiming roughly 4,000 GitHub private repositories of internal source code. The claim is pending verification, the ESIX score is 7.96, and the group’s track record is exactly the mix of ‘demonstrably capable’ and ‘inclined to repackage’ that makes this kind of listing operationally annoying. Here’s the read.

CA

Volt Typhoon at Year Three: Pre-Positioning Detection in 2026

A defender-side look at where PRC pre-positioning campaigns against critical infrastructure stand heading into 2026, what living-off-the-land actually looks like in the SIEM, and which tuning calls separate the teams that catch it from the teams that don’t.

CM

Image-mode Linux and bootc: the hardening you stop doing, and the hardening you have to start

Image-mode RHEL and bootc move /usr to a read-only ostree commit and turn host updates into container pulls. That fixes one class of problem and creates a different one for defenders. Here is what actually changes on disk, what to detect, and where the model breaks.

Cyber Tools

HTTP/2 desync in 2026: parser differentials are still the gift that keeps giving

A defender-oriented look at where HTTP/2-to-HTTP/1.1 request smuggling sits in 2026 — the parser-differential class that keeps finding new homes, what the detection actually looks like in Splunk, and what most teams miss on the first tuning pass.

AC

YellowKey and GreenPlasma: A USB Stick, a Transaction Log, and Why BitLocker on a Stolen Laptop Is Now a Breach Notification

Chaotic Eclipse dropped two unpatched Windows zero-days on May 13, 2026. YellowKey turns an NTFS transaction log on a USB stick into a BitLocker bypass through WinRE — physical access, no recovery key, no PIN required on TPM-only boxes. GreenPlasma is the companion privilege escalation through CTFMON. No CVEs, no patches, and a researcher who has promised more for June’s Patch Tuesday.

AC

Token Theft After DBSC: What Identity Detection Actually Looks Like in 2026

Device Bound Session Credentials are landing in Chrome and Edge, but the gap between the protocol promise and what your SIEM sees is wider than the vendor decks suggest. A defender-oriented look at what detection actually requires right now.

AU

Token theft after AitM phishing in Entra ID: what the SignInLogs actually show in 2026

A defender-oriented walkthrough of investigating adversary-in-the-middle token theft against Entra ID now that token protection, CAE, and device-bound sessions are widely on — what the logs actually contain, what the first detection misses, and where the artifacts live outside Entra.

Cyber Tools

ClickFix Detection Without the Fairy Tale

ClickFix initial access has been pasting PowerShell into RunMRU for two years and most detection content still treats it like a primer. Here is what the telemetry actually looks like, what tunes out, and where teams keep getting it wrong.

Cyber Tools

Mini Shai-Hulud and the Collapse of Software Provenance Trust

The uncomfortable part about Mini Shai-Hulud is not the malware itself. Credential stealers are everywhere. Obfuscated JavaScript loaders in npm packages are not exactly new territory either. The problem is that this thing successfully rode through trusted publishing infrastructure and valid provenance paths, which means a lot of the security plumbing people have been congratulating …

Uncategorized

Intune as a Lateral Movement Plane: Detecting Red Team Abuse of Device Script Deployment

Red teams are pivoting through Intune to get fleet-wide SYSTEM execution after a single privileged Entra account. Here’s what the abuse looks like in the audit log, what tuning the first detection needs, and where most SOCs miss it.