SI – Page 5 – Trackr.Live

§ Category

Six Packages, One Backdoor: The Packagist ‘Laravel Utility’ RAT and Why composer.lock Didn’t Save You

The Packagist attack making the rounds isn’t against laravel-lang — it’s against packages cosplaying as Laravel utilities. The RAT inside is conventional. The delivery model — clean decoy packages, a hard dev-master dependency, three years of credibility-building — is the part defenders need to internalize.

OAuth Consent Phishing in Entra ID: The Persistence Layer FIDO2 Doesn’t Touch

FIDO2 rollout doesn’t close the consent surface. A look at illicit OAuth grant tradecraft against Entra ID in 2026, what the detection actually looks like in a real SIEM, and where the first round of tuning breaks.

Artificial Intelligence

Indirect Prompt Injection at the Tool-Response Boundary: What the AI Gateway Actually Sees

A defender-oriented look at detecting indirect prompt injection in MCP-mediated and tool-calling agent stacks: which gateway fields matter, what the first week of alerting looks like, and where most detection programs miss the actual trust boundary.

Cyber Tools

CVE-2026-42897: The Exchange OWA XSS Zero-Day, the EEMS Mitigation, and the Period-2 ESU Patch Cliff Most Coverage Buries

CVE-2026-42897 is an actively exploited OWA cross-site-scripting flaw in Microsoft Exchange Server 2016, 2019, and Subscription Edition. CVSS 8.1, KEV-listed, federal remediation deadline May 29. A specially crafted email runs JavaScript in the victim’s OWA session — session token theft, mailbox read, send-as, mailbox rules — and the catch buried in Microsoft’s guidance is that a permanent patch is gated behind Period 2 ESU enrollment for everyone still on 2016 or 2019. The EEMS mitigation works, with caveats. Here’s what’s real about it.

Cyber Tools

Detecting DPRK IT Worker Infiltration: What the Signal Actually Looks Like

A defender’s view of the Famous Chollima / Nickel Tapestry IT worker scheme as it looks in 2026 — the telemetry that actually catches it, the false positives that swamp you in week one, and where it sits in the 800-53 catalog.

Cyber Tools

TeamPCP Claims a 4,000-Repo GitHub Source Code Sale: What Goes in the Verification Column, and What You Actually Patch Around

TeamPCP — the supply-chain crew behind the Trivy / Checkmarx / KICS / LiteLLM compromises and the Shai-Hulud worm — surfaced a sale listing on May 19, 2026 claiming roughly 4,000 GitHub private repositories of internal source code. The claim is pending verification, the ESIX score is 7.96, and the group’s track record is exactly the mix of ‘demonstrably capable’ and ‘inclined to repackage’ that makes this kind of listing operationally annoying. Here’s the read.

Volt Typhoon at Year Three: Pre-Positioning Detection in 2026

A defender-side look at where PRC pre-positioning campaigns against critical infrastructure stand heading into 2026, what living-off-the-land actually looks like in the SIEM, and which tuning calls separate the teams that catch it from the teams that don’t.

Image-mode Linux and bootc: the hardening you stop doing, and the hardening you have to start

Image-mode RHEL and bootc move /usr to a read-only ostree commit and turn host updates into container pulls. That fixes one class of problem and creates a different one for defenders. Here is what actually changes on disk, what to detect, and where the model breaks.

Cyber Tools

HTTP/2 desync in 2026: parser differentials are still the gift that keeps giving

A defender-oriented look at where HTTP/2-to-HTTP/1.1 request smuggling sits in 2026 — the parser-differential class that keeps finding new homes, what the detection actually looks like in Splunk, and what most teams miss on the first tuning pass.

Token Theft After DBSC: What Identity Detection Actually Looks Like in 2026

Device Bound Session Credentials are landing in Chrome and Edge, but the gap between the protocol promise and what your SIEM sees is wider than the vendor decks suggest. A defender-oriented look at what detection actually requires right now.