Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in macOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows BitLocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (Palo Alto Networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
THE SILENT WITNESS ON YOUR COMPUTER WAITING FOR YOU TO GET INTO TROUBLE.
Most people believe that deleting a folder, clearing recent files, or wiping their history is enough to hide their tracks on a computer. What they don’t realize is that Windows quietly keeps a hidden record of the folders they open, even after those folders are deleted or the drive is removed. These records are called Shellbags, and they are one of the most powerful and incriminating artifacts available to forensic investigators.
Shellbags appear inside two registry hives, NTUSER.DAT and USRCLASS.DAT, and they store detailed information about a user’s folder-browsing activity. This includes local folders, USB drives, external hard drives, network shares, and even directories that no longer exist. Each time a user opens a folder in Windows Explorer, the system automatically creates or updates a Shellbag entry. These entries contain timestamps, folder paths, the hierarchy of subfolders, the order in which a folder was accessed, and even the specific view settings used by the user. Because of this, Shellbags reconstruct a user’s exact navigation trail long after the person believes the evidence is gone. What makes Shellbags truly dangerous is the fact that they survive actions that users typically rely on to cover their tracks.
Deleting a folder does not delete the Shellbag. Formatting a drive does not delete it. Even privacy tools and cleaners like CCleaner or BleachBit cannot reliably erase Shellbag data, because the information is deeply embedded within registry hives that standard cleaning utilities do not touch. The only way to remove Shellbags is through advanced forensic wiping, and attempting such wiping is, in itself, a sign of suspicious behavior.
Forensic examiners rely heavily on Shellbags because they expose the truth even when a suspect tries to lie.
If a person denies ever accessing a directory, the Shellbags can show when that folder was opened, how many times it was accessed, and whether it was located on an internal drive, an external USB, or a deleted partition. This makes Shellbags extremely valuable in investigations involving insider threats, data theft, fraud, child exploitation, unauthorized data access, and corporate disputes. In many cases, Shellbags become the deciding factor that disproves a suspect’s story. In the screenshot, the highlighted red section shows three important keys inside the registry.
When all of this information is combined, Shellbags become a silent witness that never forgets. They reconstruct a hidden story of user activity that the person cannot deny, overwrite, or talk their way out of. This is why Shellbags remain one of the most feared artifacts for anyone attempting to conceal their actions on a Windows computer.
You can delete the folder… but Shellbags still show it existed.
Even if you format a drive or delete the directory, Windows has already logged:
1. The folder name
2. Its full path
3. When it was opened
4. How many times it was opened
5. The view settings (icon mode, window size)
6. The order in which folders were browsed
This means forensic investigators can prove someone accessed:
- “Secret” directories
- Hidden folder structures
- USB drives or removable media
- Folder paths used for storage of illicit or suspicious data, even if the folders are long gone.
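As an added illustration (not code from the original post), the sketch below walks a constructed in-memory copy of a BagMRU tree, the registry structure under `Software\Microsoft\Windows\Shell` in NTUSER.DAT and `Local Settings\Software\Microsoft\Windows\Shell` in USRCLASS.DAT that holds Shellbag entries, and rebuilds folder paths and browse order. It assumes the commonly documented layout (numbered shell-item values, an `MRUListEx` value, ASCII names only); the dict shape, function names and sample folders are constructed for the example.

```python
import struct
from datetime import datetime

def parse_item(blob):
    """Return (name, folder_mtime) for a volume (0x2x) or directory (0x3x) shell item."""
    size, kind = struct.unpack_from("<HB", blob, 0)
    if not 4 <= size <= len(blob):
        raise ValueError("truncated shell item")
    if (kind & 0x70) == 0x20:                    # volume item: name at offset 3
        return blob[3:size].split(b"\0", 1)[0].decode("ascii", "replace"), None
    if (kind & 0x70) != 0x30:
        raise ValueError(f"unhandled shell item type {kind:#x}")
    date, time = struct.unpack_from("<HH", blob, 8)  # FAT mtime of the folder itself
    mtime = datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                     time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    return blob[14:size].split(b"\0", 1)[0].decode("ascii", "replace"), mtime

def mru_order(blob):
    """MRUListEx: uint32 slot numbers, most recently browsed first, 0xFFFFFFFF ends."""
    slots = [s for (s,) in struct.iter_unpack("<I", blob[:len(blob) // 4 * 4])]
    return slots[:slots.index(0xFFFFFFFF)] if 0xFFFFFFFF in slots else slots

def walk(key, parent=""):
    """Yield (path, folder_mtime, mru_rank) for each folder recorded under a key."""
    for rank, slot in enumerate(mru_order(key["MRUListEx"])):
        name, mtime = parse_item(key["values"][slot])
        path = parent.rstrip("\\") + "\\" + name if parent else name
        yield path, mtime, rank
        yield from walk(key["subkeys"][slot], path)

# --- constructed sample data (not from a real hive) ---
def _dir(name, y, mo, d, h, mi):
    body = struct.pack("<BBIHHH", 0x31, 0, 0, (y - 1980) << 9 | mo << 5 | d,
                       h << 11 | mi << 5, 0x10) + name.encode() + b"\0"
    return struct.pack("<H", len(body) + 2) + body
_LEAF = {"MRUListEx": struct.pack("<I", 0xFFFFFFFF), "values": {}, "subkeys": {}}
SAMPLE = {
    "MRUListEx": struct.pack("<II", 0, 0xFFFFFFFF),
    "values": {0: struct.pack("<HB", 25, 0x2F) + b"E:\\".ljust(22, b"\0")},
    "subkeys": {0: {
        "MRUListEx": struct.pack("<III", 1, 0, 0xFFFFFFFF),
        "values": {0: _dir("PAYROLL", 2024, 3, 1, 9, 30),
                   1: _dir("EXPORT", 2024, 3, 4, 17, 12)},
        "subkeys": {0: _LEAF, 1: _LEAF}}},
}

if __name__ == "__main__":
    for path, mtime, rank in walk(SAMPLE):
        print(rank, path, mtime)
```

The timestamp decoded from the shell item is the folder's own modification time; in a real hive, the time a folder was browsed is inferred from the registry key's last-write time, which this in-memory sample does not model.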
All the ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
Five hacker groups have joined together to create an organization called "The Five Families," similar to the intelligence alliance known as "Five Eyes."
The hacker groups within this organization are "ThreatSec," "GhostSec," "Stormous," "Blackforums," and "SiegedSec."