Today Is CISA Deadline Day for the Exact Vulnerability Class That Hit Stryker
The Coincidence That Isn't
Patrick Duggan
Mar 23, 4 min read


The AI Agent Builder Got Owned in 20 Hours
CVE-2026-33017: One HTTP Request. No Auth. Full RCE. And Your AI Pipeline Keys. March 17, 2026. A critical vulnerability is disclosed in Langflow — the open-source visual builder for LangChain AI agents. CVSS 9.3. Twenty hours later, attackers are already inside production instances. No proof-of-concept existed yet. They built working exploits from the advisory text alone. What Langflow Is Langflow is the drag-and-drop interface for building AI agent pipelines. LangChain unde
Patrick Duggan
Mar 21, 4 min read


They Had 36 Days. Cisco Had Zero.
How Interlock Ransomware Owned Enterprise Firewalls Before Anyone Knew January 26, 2026. A ransomware gang called Interlock starts exploiting a vulnerability in Cisco Secure Firewall Management Center. CVSS score: 10.0. The maximum. Unauthenticated. Remote. Root access. Cisco doesn't know yet. Their customers don't know yet. For 36 days, every Cisco FMC instance facing the internet is a door with no lock. What CVE-2026-20131 Actually Does Insecure deserialization of user-supp
Patrick Duggan
Mar 20, 3 min read


Wiz Told Me Visibility Equals Security. They Were Half Right.
Wiz sold "visibility" to Google for $32 billion. They meant inward. We mean outward. Only one stops the bullet. "Visibility equals security." That's the pitch. Wiz, CrowdStrike, Palo Alto, every vendor at RSA for the last five years. If you can see it, you can secure it. Dashboard everything. Alert on everything. Visualize your attack surface and the threats will reveal themselves. They're not wrong. They're just looking the wrong direction. The Inward Gaze Wiz looks inward.
Patrick Duggan
Mar 19, 3 min read


14,220 Repos. Location: USSR. Weaponizing Claude Code for Offensive Security.
We followed the Handala wiper network. It led to 120 offensive AI skills, MANPADS documentation, and the biggest collection node we've ever seen. Two weeks ago we found Iran's Handala wiper masquerading as a CrowdStrike update on GitHub. The repo was published by an account called MrDomainAdmin — 20 repos, zero followers, no bio. A ghost. Today we followed the followers. The Network MrDomainAdmin has 7 followers. One of them is killvxk. killvxk has 14,220 public repositories.
Patrick Duggan
Mar 19, 3 min read


We Open-Sourced Our Edge Security. Deploy 1M+ IOCs to Cloudflare in 30 Seconds.
A single-file Cloudflare Worker that blocks known malicious IPs, trolls scanners, and tells you who's visiting — powered by our STIX feed. We built something for ourselves and decided to give it away. The Problem Your firewall rules are static. Your threat intel updates daily — maybe. And between the moment a new IOC is published and the moment it reaches your infrastructure, attackers have a window. That window is where breaches happen. What Edge Shield Does DugganUSA Edge S
Patrick Duggan
Mar 19, 3 min read


McKinsey Scores 56/95 on AI Presence. Their AI Platform Got Hacked in 2 Hours.
The $100B consulting firm that charges $500K for strategic analysis couldn't parameterize a SQL query. On February 28, 2026, security startup CodeWall deployed an autonomous AI agent against McKinsey's internal AI platform, Lilli. No credentials. No human intervention. Within two hours, the agent had full read-write access to the database. What it found: 46.5 million plaintext chat messages 728,000 files (192K PDFs, 93K spreadsheets) 57,000 employee accounts 384,000 AI assi
Patrick Duggan
Mar 19, 3 min read


The Day After: GlassWorm Returns, AtomSilo Rises, and Your npm install Might Be Compromised
433 compromised packages. A zombie ransomware group. Invisible Unicode malware. Happy March 18th. While half the internet was recovering from St. Patrick's Day, the other half was getting owned. Here's what dropped in the last 72 hours — and what we indexed before your coffee was ready. GlassWorm: The Supply Chain Attack You Can't See GlassWorm is back. And this time, it brought friends. Between March 3rd and 12th, attackers compromised 151+ GitHub repositories, npm packages,
Patrick Duggan
Mar 18, 3 min read


Interlock Ransomware Confirms It: Your Cisco FMC Was a Zero-Day Since January
We Published the Fix Monday. They Named the Attacker Wednesday. On March 17, we published "Your Cisco ASA Is Getting Popped Right Now" — a step-by-step guide to blocking known attacker infrastructure across OPNsense, Zscaler, Splunk ES, Palo Alto, and Cisco ISE. Today, Amazon Threat Intelligence confirmed who's been doing the popping: Interlock, a ransomware operation that's been exploiting CVE-2026-20131 as a zero-day since January 26, 2026. Six weeks before Cisco disclosed
Patrick Duggan
Mar 18, 4 min read


What I Would Do If I Was Stryker
Day Seven. Still Restoring. 200,000 devices wiped. 50TB exfiltrated. 79 countries. A nation-state used Stryker's own Microsoft Intune MDM to do it. I'm not here to pile on. Everyone gets breached. The question is what you do before, during, and after. Here's what I'd do. 1. MDM Is a Weapon. Treat It Like One. The Handala group didn't bring their own tools. They walked in through the front door and used Intune to wipe 200,000 devices simultaneously. That's not a vulnerability
Patrick Duggan
Mar 17, 3 min read


Your AI Assistant Can't See What's Killing It
The Font That Blinds Every Major AI LayerX published research today that should make every organization using AI assistants stop and think. The attack: modify a TrueType font's character-to-glyph mapping. The character "3" displays as "a." The browser sees the glyph. The AI reads the underlying code. They're looking at different things. You embed a malicious prompt in a webpage or PDF. The user sees normal text. Their AI assistant — ChatGPT, Claude, Copilot, Gemini — reads th
Patrick Duggan
Mar 17, 3 min read


BreachForums Is Down, TELUS Lost a Petabyte, and Your Hospital Is Next
The Afternoon Sweep Five things happened today that matter. 1. BreachForums Is Offline The dark web's most popular stolen data marketplace is returning 502 errors. No explanation. No maintenance page. Just down. BreachForums is where stolen databases go to be sold. Credit cards, credentials, PII, corporate data. If your company has been breached in the last two years, your data was probably listed there. When the marketplace goes down, the data doesn't disappear. It moves. Te
Patrick Duggan
Mar 17, 3 min read


GitHub Hunt: A Fake Cisco Exploit, Three Stealers, and a C2 Named PolyAgent
The Monday Hunt We sweep GitHub for malware the way other people check email. Today's hunt found a fake exploit targeting security researchers, three infostealers published in the last 48 hours, and a C2 framework hiding behind 31 junk repos. All reported to GitHub. All indexed in our STIX feed. Here's what's out there. The Fake Cisco POC (Pattern 38) Account: p3Nt3st3r-sTAr Created: March 2, 2026 — 15 days ago Repos: 5, all exploit proof-of-concepts This account exists to ba
Patrick Duggan
Mar 17, 3 min read


Your Cisco ASA Is Getting Popped Right Now. Here's How to Block It in 5 Minutes.
48 Vulnerabilities. 25 Advisories. One Firewall Platform. Cisco dropped ERP-75736 on March 4. 25 advisories. 48 vulnerabilities across ASA, FMC, and FTD. Two of them are CVSS 10.0 — unauthenticated root access to your firewall management console. That's not a security advisory. That's a resignation letter from your perimeter. Meanwhile, UAT4356 — the state-sponsored group behind ArcaneDoor — has been exploiting ASA zero-days since September 2025. CISA issued Emergency Directi
Patrick Duggan
Mar 17, 4 min read


St. Patrick's Day Threat Sweep: One Russian IP, Three Supply Chain Attacks, and a Dead Man's Switch
The Morning Sweep Every day starts the same: check the feeds, check the headlines, check what broke overnight. St. Patrick's Day 2026 brought gifts. One Russian IP Owns 83% of an Ivanti Zero-Day CVE-2026-1281 and CVE-2026-1340. Pre-authentication remote code execution in Ivanti Endpoint Manager Mobile. The kind of vulnerability that makes patch management teams cancel lunch. GreyNoise, Unit 42, and Rapid7 all published within hours of each other. The interesting part isn't th
Patrick Duggan
Mar 17, 3 min read


Your SIEM Can Block Iranian Wipers in 5 Minutes. Here's How.
The Problem Nobody Talks About You bought the SIEM. You hired the analyst. You have the dashboards. But when Iran's Handala wiper hit Stryker last week — 200,000 devices wiped — most security teams found out from the news. Not from their tools. The tools weren't broken. They just weren't fed. A SIEM without threat intelligence is a security camera with no film. It records everything and catches nothing. The fix takes 5 minutes. This post walks you through it. What's a STIX Fe
Patrick Duggan
Mar 16, 5 min read


3I/ATLAS Just Parked at Jupiter's Gas Station. It's Carrying Fusion Fuel.
The Alcoholic Comet Nobody's Thinking About Correctly The headlines are cute. "Interstellar comet is exceptionally alcoholic." Scientific American, Space.com, Phys.org — all running the methanol angle like it's a frat party in the Oort Cloud. They're missing the story. 3I/ATLAS reached closest approach to Jupiter today — March 16, 2026 — at a distance of 53.6 million kilometers. That number matters. Jupiter's Hill radius — the gravitational boundary where Jupiter's pull domin
Patrick Duggan
Mar 16, 4 min read


The Handala Wiper Masquerades as CrowdStrike. We Found It on GitHub.
Author: Patrick Duggan (with Claude Code)
Patrick Duggan
Mar 16, 3 min read


200,000 Devices. Your Own MDM. That's How Iran Did It.
Author: Patrick Duggan (with Claude Code)
Patrick Duggan
Mar 16, 2 min read


The Loudest Signal from Jupiter Was a Deepfake
Author: Patrick Duggan (with Claude Code)
Patrick Duggan
Mar 16, 4 min read