Security professional. Modern-day gentleman. Whiskey neat, handshake firm, intentions clear.

Joined May 2008
A China-linked group spent over a year inside North American medical and military research networks, quietly stealing defense email. The clever part: no exfiltration malware. They used Google Workspace’s own features. #CyberSecurity #ThreatIntel #InfoSec thehackernews.com/2026/06/ch…
The lesson applies to M365 and every SaaS platform too. Built-in admin features need governance. Review mail forwarding and compliance rules for anything BCCing external addresses. Audit when rules changed, not just what they say now. Enforce phishing-resistant MFA on admins.
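One way to do the review the post above asks for, as an added example that is mine and not the original poster's code or any Google API: a pass over an exported list of Gmail content compliance rules that flags any rule adding a recipient outside your own domains and shows who changed it and when. Google has no single export endpoint I would vouch for here, so the JSON shape, field names, rule names, addresses and timestamps below are all constructed; adapt the field names to whatever your export or Admin audit log actually contains.

```powershell
# Added example, not from the original post and not a Google API. The rule export
# below is constructed and its field names are hypothetical.

$OrgDomains = @('example.org', 'research.example.org')   # constructed: domains you own

# Constructed export: the second rule was edited to silently BCC an external Gmail address.
$rulesJson = @'
[
  { "name": "Archive legal holds", "keywords": ["subpoena", "litigation"],
    "actions": { "addRecipients": ["legal-archive@example.org"] },
    "lastModified": "2025-03-02T10:14:00Z", "modifiedBy": "it-admin@example.org" },
  { "name": "Export control review", "keywords": ["ITAR", "export license", "DoD"],
    "actions": { "addRecipients": ["compliance@example.org", "dl.backup.2291@gmail.com"] },
    "lastModified": "2026-04-18T03:41:00Z", "modifiedBy": "it-admin@example.org" },
  { "name": "Spam quarantine", "keywords": ["lottery"],
    "actions": { "quarantine": true },
    "lastModified": "2024-11-20T09:00:00Z", "modifiedBy": "it-admin@example.org" }
]
'@

function Find-ExternalBccRules {
    param([string]$Json, [string[]]$Domains)
    $rules = $Json | ConvertFrom-Json
    foreach ($rule in $rules) {
        # Rules without an "add recipient" action yield $null here and are skipped.
        $recipients = @($rule.actions.addRecipients)
        $external = $recipients | Where-Object {
            $_ -and ($_.Split('@')[-1].ToLowerInvariant() -notin $Domains)
        }
        if (-not $external) { continue }
        $when = [datetime]::Parse($rule.lastModified,
                                  [cultureinfo]::InvariantCulture,
                                  [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        [pscustomobject]@{
            Rule         = $rule.name
            ExternalBcc  = ($external -join ', ')
            KeywordCount = @($rule.keywords).Count
            ModifiedUtc  = $when
            ModifiedBy   = $rule.modifiedBy
            # Crude off-hours flag (20:00-06:00 UTC); tune to your admins' working hours.
            OffHours     = ($when.Hour -lt 6 -or $when.Hour -ge 20)
        }
    }
}

Find-ExternalBccRules -Json $rulesJson -Domains $OrgDomains |
    Sort-Object ModifiedUtc -Descending | Format-Table -AutoSize
```

The same check applies to user-level forwarding addresses and routing rules: the question is always "does this send a copy of mail somewhere I do not own, and when did that line appear?", so feed any change history you have through the same filter rather than only inspecting the current rule set.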
Why it went undetected for over a year: the email copying was done by Google Workspace working exactly as designed. No malware on the mail system. No anomalous network traffic. Nothing for traditional detection to catch. Living off the land at the SaaS layer.
Here is the genius and the danger: to steal email, they did not install a tool. They edited the victims’ own Google Workspace content compliance rules to silently BCC any message matching ~150 keywords to an attacker Gmail account. A legitimate admin feature, weaponized.
The group, tracked by Google as UNC6508, got in through backdoored REDCap servers, the research platform hospitals and universities use for study databases. Custom malware called INFINITERED harvested credentials and survived every software upgrade by reinjecting itself.
Mythos alone has over 10,000 confirmed high or critical severity findings. Only 14% have been patched. The patch wave is not slowing down. If your team’s patching cadence was built for a slower era, it needs to be rebuilt. July 14th is the next stress test.
CVE-2026-49160, the HTTP/2 Bomb DoS, was reported by OpenAI’s Codex. AI is now directly credited on CVEs. Microsoft’s MDASH flagged 16 flaws in May. Anthropic’s Project Glasswing Mythos has identified 23,000 potential vulnerabilities across 1,000 OSS projects.
Nightmare Eclipse has now released 6 Windows zero-days in 6 weeks: BlueHammer, RedSun, UnDefend, MiniPlasma, GreenPlasma, and YellowKey. All timed to drop the day after Patch Tuesday to maximize the unpatched window. July 14th is the next signaled date.
Two of the zero-days, CVE-2026-45586 (SYSTEM via CTFMON) and CVE-2026-50507 (BitLocker bypass), were not responsibly disclosed. They were dropped publicly by Nightmare Eclipse after May Patch Tuesday in retaliation for Microsoft’s handling of its bug bounty program.
Secure Boot certificates protecting Windows PCs since 2011 expire June 24th. 21 days. Your PC keeps booting, but quietly stops receiving boot-level security updates without any warning. #Microsoft #Windows #SecureBoot #InfoSec #CyberSecurity techcommunity.microsoft.com/…
Enterprise teams: check KB5089549 and the Secure Boot playbook at aka.ms/GetSecureBoot. If you manage endpoints with WSUS or SCCM, do not assume this rolled out. Verify it.
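A concrete way to "verify it" on a single endpoint, as an added example that is mine and not the original poster's or Microsoft's script: read the Secure Boot `db` and `KEK` variables and check whether the 2023 certificates are present alongside the expiring 2011 ones. `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` are the built-in cmdlets; the certificate subject strings are the ones Microsoft's guidance uses, but confirm them against the playbook at aka.ms/GetSecureBoot before relying on this at scale. Run from an elevated prompt on a UEFI machine; the `Write-Warning` text is my own.

```powershell
# Added example, not from the original post and not Microsoft's own playbook script.
# Requires an elevated PowerShell session on a UEFI system with Secure Boot support.
#Requires -RunAsAdministrator

function Get-SecureBootCaStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        return [pscustomobject]@{ SecureBoot = $false }
    }
    # Get-SecureBootUEFI returns the raw variable bytes. Certificate subject names are
    # stored as ASCII inside the DER blobs, so a substring match is enough for a check.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    [pscustomobject]@{
        SecureBoot      = $true
        Db_WinPCA2011   = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        Db_WinUEFI2023  = [bool]($db  -match 'Windows UEFI CA 2023')
        Db_MsUEFI2011   = [bool]($db  -match 'Microsoft Corporation UEFI CA 2011')
        Db_MsUEFI2023   = [bool]($db  -match 'Microsoft UEFI CA 2023')
        Kek_2011        = [bool]($kek -match 'Microsoft Corporation KEK CA 2011')
        Kek_2K_2023     = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    }
}

$status = Get-SecureBootCaStatus
$status | Format-List
if ($status.SecureBoot -and -not ($status.Db_WinUEFI2023 -and $status.Kek_2K_2023)) {
    Write-Warning 'The 2023 Secure Boot CAs are not in db/KEK yet. Do not assume the update rolled out.'
}
```

Wrap the function in your endpoint management tool's script runner and collect the objects centrally; a machine that still boots but reports only the 2011 entries is exactly the "quietly degraded" state the thread describes, and it will not tell you on its own.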
For most users, Windows Update handles this automatically. The issue is older hardware where OEMs never released firmware support for the new 2023 certificates. Those machines may never transition cleanly.
What actually happens after expiry: your PC keeps starting normally. But it enters a degraded security state where future boot-level patches and malware blacklist updates stop arriving. Bootkits like BlackLotus become a bigger problem on unpatched machines.
Three certificates are expiring. Microsoft Corporation KEK CA 2011 goes first on June 24th. Microsoft UEFI CA 2011 follows June 27th. Microsoft Windows Production PCA 2011 expires October 19th. Each one is a layer of trust in your boot chain.
Installed any @redhat-cloud-services package since June 1st? Treat it as an active incident. Rotate all CI secrets, cloud credentials, SSH keys, and npm tokens now.
One infected dev environment becomes a launchpad for the next. This is the self-propagating part people need to understand.
Miasma runs on install. No prompt, no warning. It harvests GitHub tokens, npm tokens, and AWS, GCP, and Azure credentials, then queries npm for other packages the identity can publish to and spreads itself there.
This was not typosquatting. A Red Hat employee’s GitHub account was compromised. Malicious commits bypassed code review via GitHub Actions OIDC tokens, publishing backdoored packages with valid provenance. The pipeline looked clean.