Agentic AI assistants in the browser collapse the gap between read access and exfil. Here is what the detection actually looks like in the M365 audit pipeline, where the noise comes from, and which assumptions change the answer.
First VPN — 1vpns.com, twelve years old, 5,000 accounts, the bulletproof VPN that ‘wouldn’t fall under any jurisdiction’ — is offline as of May 20. The story isn’t the seizure. It’s that Europol was already inside the infrastructure before the takedown, walking out with the user database. That changes the threat model for every successor service still running.
The Packagist attack making the rounds isn’t against laravel-lang — it’s against packages cosplaying as Laravel utilities. The RAT inside is conventional. The delivery model — clean decoy packages, a hard dev-master dependency, three years of credibility-building — is the part defenders need to internalize.
FIDO2 rollout doesn’t close the consent surface. A look at illicit OAuth grant tradecraft against Entra ID in 2026, what the detection actually looks like in a real SIEM, and where the first round of tuning breaks.
A Nightwing contractor with CISA access kept a public GitHub repository called Private-CISA from November 13, 2025 to May 15, 2026 — 184 days of admin credentials to three AWS GovCloud accounts, Entra ID SAML certificates, Artifactory tokens, plaintext passwords in CSV, and the Landing Zone DevSecOps configuration for the agency tasked with everyone else’s vulnerability hygiene. The leak is bad. The thing that should worry defenders more is that the AWS keys remained valid for 48 hours after CISA was notified.
A defender-oriented look at detecting indirect prompt injection in MCP-mediated and tool-calling agent stacks: which gateway fields matter, what the first week of alerting looks like, and where most detection programs miss the actual trust boundary.
CVE-2026-42897 is an actively exploited OWA cross-site-scripting flaw in Microsoft Exchange Server 2016, 2019, and Subscription Edition. CVSS 8.1, KEV-listed, federal remediation deadline May 29. A specially crafted email runs JavaScript in the victim’s OWA session — session token theft, mailbox read, send-as, mailbox rules — and the catch buried in Microsoft’s guidance is that a permanent patch is gated behind Period 2 ESU enrollment for everyone still on 2016 or 2019. The EEMS mitigation works, with caveats. Here’s what’s real about it.
A defender’s view of the Famous Chollima / Nickel Tapestry IT worker scheme as it looks in 2026 — the telemetry that actually catches it, the false positives that swamp you in week one, and where it sits in the 800-53 catalog.
TeamPCP — the supply-chain crew behind the Trivy / Checkmarx / KICS / LiteLLM compromises and the Shai-Hulud worm — surfaced a sale listing on May 19, 2026 claiming roughly 4,000 GitHub private repositories of internal source code. The claim is pending verification, the ESIX score is 7.96, and the group’s track record is exactly the mix of ‘demonstrably capable’ and ‘inclined to repackage’ that makes this kind of listing operationally annoying. Here’s the read.
A defender-side look at where PRC pre-positioning campaigns against critical infrastructure stand heading into 2026, what living-off-the-land actually looks like in the SIEM, and which tuning calls separate the teams that catch it from the teams that don’t.
