Short-lived OIDC federation from GitHub Actions to cloud IAM roles is the right pattern — and the trust policy condition is exactly where it goes wrong. What the abuse looks like in CloudTrail, why the obvious detection doesn’t fire, and what the first round of tuning has to fix.
Bootc and rpm-ostree turn the root filesystem read-only and push state into a handful of writable paths. That quietly invalidates half your host integrity detections. Here is the new shape of the problem and what to instrument before the first ATO review notices.
CVE-2025-29927 let attackers skip Next.js middleware entirely with a single request header, including the middleware doing your auth. The detection is trivial once you capture the field — and the architecture mistake underneath it is the part worth your attention.
Adversary-in-the-middle kits steal the session token after MFA succeeds, then replay it from somewhere else. Here is how the replay actually looks in your sign-in logs, why token protection only half-closes the gap, and where it maps to 800-53.
A self-propagating npm worm poisoned 32 @redhat-cloud-services packages on June 1, 2026 — and because it published through Red Hat’s own OIDC pipeline, the malicious versions carried legitimate SLSA provenance. Here’s the scope, the mechanism, and the rotation list.
System-preferred authentication is moving to the first factor, the password prompt is about to vanish for passkey holders, and break-glass accounts are not exempt from mandatory MFA. Here’s what that actually changes for Entra defenders and home users.
Chinese state actors have been inside major U.S. carrier networks for months to years. Here is what enterprise defenders should actually do about it — detection logic, SIEM specifics, and the control updates that matter.
Wildcarded sub claims in IAM trust policies for GitHub Actions OIDC are still the most common cloud-CI footgun in 2026. Here’s the detection that actually catches it, and the tuning round that has to happen before the SOC stops ignoring the alert.
Image-mode RHEL moves the host into an ostree-backed, container-built world. The threat model shifts up the stack, and most detection content built for traditional EL hosts quietly stops working.
A defender-oriented look at the SharePoint ToolShell chain (CVE-2025-53770 / 53771) — what the telemetry actually looks like in a real SIEM, where the first round of tuning breaks, and which assumptions about your SharePoint farm change the answer.
