Wildcarded sub claims in IAM trust policies for GitHub Actions OIDC are still the most common cloud-CI footgun in 2026. Here’s the detection that actually catches it, and the tuning round that has to happen before the SOC stops ignoring the alert.
Continuous Access Evaluation and Device Bound Session Credentials closed some of the AitM gap, but session token theft against Entra ID is still the dominant identity attack and most of the detection burden still falls on the SOC. Here is the shape of the problem and where the first round of tuning has to land.
The Packagist attack making the rounds isn’t against laravel-lang — it’s against packages cosplaying as Laravel utilities. The RAT inside is conventional. The delivery model — clean decoy packages, a hard dev-master dependency, three years of credibility-building — is the part defenders need to internalize.
FIDO2 rollout doesn’t close the consent surface. A look at illicit OAuth grant tradecraft against Entra ID in 2026, what the detection actually looks like in a real SIEM, and where the first round of tuning breaks.
A Nightwing contractor with CISA access kept a public GitHub repository called Private-CISA from November 13, 2025 to May 15, 2026 — 184 days of admin credentials to three AWS GovCloud accounts, Entra ID SAML certificates, Artifactory tokens, plaintext passwords in CSV, and the Landing Zone DevSecOps configuration for the agency tasked with everyone else’s vulnerability hygiene. The leak is bad. The thing that should worry defenders more is that the AWS keys remained valid for 48 hours after CISA was notified.
Chaotic Eclipse dropped two unpatched Windows zero-days on May 13, 2026. YellowKey turns an NTFS transaction log on a USB stick into a BitLocker bypass through WinRE — physical access, no recovery key, no PIN required on TPM-only boxes. GreenPlasma is the companion privilege escalation through CTFMON. No CVEs, no patches, and a researcher who has promised more for June’s Patch Tuesday.
Device Bound Session Credentials are landing in Chrome and Edge, but the gap between the protocol promise and what your SIEM sees is wider than the vendor decks suggest. A defender-oriented look at what detection actually requires right now.
A defender-oriented analysis of indirect prompt injection in tool-calling agents: where the signal actually lives in the trace pipeline, what the first week of tuning has to fix, and which 800-53 controls the implementation maps to.
A defender-focused analysis of how APT29-aligned and Storm-2372-style intrusion sets are abusing device authorization grants and long-lived OAuth consent in Entra ID through 2026 — what to detect, what to revoke, and where it maps to 800-53.
Model Context Protocol gives agents a clean way to call tools, but it also gives every piece of retrieved content a direct line to those tools. The classic confused deputy problem is back, and most deployments are not handling it.
