Bohan Zhang

⚠️ New "IronWorm" supply-chain attack: 30+ npm packages from @ asteroiddao shipped a malicious Rust binary firing on preinstall. It sweeps 86 env vars + 20 credential files (AWS, GCP, Vault, npm, plus AI keys like Anthropic & OpenAI), hits Exodus wallets, hides behind an eBPF rootkit, and beacons over Tor. Self-propagates via npm Trusted Publishing OIDC, with backdated commits faked as claude/dependabot/renovate.

As I'm sure you've all seen by now, nerds have been exploiting Meta's AI agent goop to steal Instagram accounts. The Instagram AI agent for support could be convinced to reset the credentials to other users accounts by asking nicely and do a super gnarly kickflip on a skateboard, or something, I don't know. Everyone on social media was freaking out. The trending posts on Xitter was people being all like ERRMERGERD ME INSTAGRAM ACCNT WAS STOLEN. It also resulted in some celebrities having their accounts stolen. One stolen account showed some rapper named Lil Tracy (?) messaging 14 year olds, or something, despite being 18 at the time. All the big cybersecurity nerds were discussing it, yelling about AI, taking the opportunity to meme Zuckerberg (as is tradition). The AI exploit thingy has apparently existed for awhile, a few months apparently, but that is kind of just gossip. I haven't seen any solid proof of that. Meta supposedly fixed the issue, but some people are saying you can still ask nicely and do a super gnarly heelflip and Instagram goop gives you account resets. Cool stuff bro, it's AI, it's lit pic unrelated

🖥️ High Precision Teams Impersonation Detection A high precision KQL detection crafted to detect Teams impersonation involving IT support based on eSentire TRU dataset statistics. 🫡 https://t.co/8PQYF8lnC8 let LookBack = 1h; CloudAppEvents | where Timestamp > ago(LookBack) | where ActionType == "TeamsImpersonationDetected" | extend ImpersonationDisplayName = tostring(parse_json(tostring(RawEventData.Sender)).DisplayName) | extend ImpersonationUPN = tostring(parse_json(tostring(RawEventData.Sender)).UPN) | extend ImpactedUserUPN = tostring(RawEventData.UserId) | where (tolower(ImpersonationDisplayName) matches regex @"(compliance|security|secops|help|desk|support|^tech|tech$|tech\s|assistance|troubleshoot|admin|^it|it$|it\s)" or tolower(ImpersonationUPN) matches regex @"(compliance|security|secops|help|desk|support|^tech|tech$|tech\s|assistance|troubleshoot|admin|^it|it$|it\s)") | where ImpersonationUPN endswith ".onmicrosoft.com" | project Timestamp, ImpactedUserUPN, ImpersonationDisplayName, ImpersonationUPN https://t.co/bqxbMqVZke #Cybersecurity #TeamsImpersonation #ThreatDetection

Microsoft has identified a npm supply chain compromise impacting 90+ redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes. Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader. If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.

A long long time ago, when I first got into malware, I met a kid who was a little older than me who, by all standards of measurement, was significantly more intelligent and gifted than me. He made me feel like a moron. Very quickly he established a reputation on IRC for being "the guy", despite being like, 16. His parents were financially well off and extremely supportive and sent him to DEFCON. He had a really great PC setup. He had it all lined up. He was destined for an amazing and strong career in information security. I was extremely envious of him because he also had a super pretty girlfriend while somehow being a massive nerd. His parents bought him a car. In my eyes he had it all. On my side, I had some old piece of crap computer. I didn't even have a computer chair, I used some ghetto dining room table chair made from janky wood. It was all beat up and yucky. I struggled learning C. On IRC I was basically the village idiot and memed all the time (although in good jest). My friend would become frustrated with me because of how slow I learned. I was a poor kid. I wasn't like, poor-poor like, homeless or whatever, but his parents has significantly more money than mine and were capable for providing for their son in ways my family could not. I'm not entirely sure what happened because, despite him learning faster, retaining more information, having more resources, having amazing opportunities, ... he threw it away. I have no idea why. He lost his focus somehow and ended up working at a restaurant for a little bit as a server. He later worked at a mall kiosk. I ended up being the successful one. I ended up having an amazing career in cybersecurity. I ended up knowing far more than him. Sometimes I reflect on it and it blows my mind. I only surpassed him because I had endurance and was willing to continue the grind. He had everything on a silver platter. He had so many amazing opportunities. He could have gone so far, he was so incredibly gifted and smart. I have no idea what he was thinking to make him squander it all. I guess the moral of the story is that turtle and the rabbit thingy has truth to it.

🚨 CVE-2026-0257, a PAN-OS and Prisma Access authentication bypass flaw, is under active exploitation. The CVSS 7.8 bug can enable unauthorized VPN access and, in some observed cases, access to internal networks. Patch immediately or apply mitigations. Details: https://t.co/BlECtBGWR1

The researcher (Nightmare-Eclipse / Chaotic Eclipse) claims Microsoft ignored their reports and deleted their MSRC reporting account. The researcher has now threatened to release more exploits on July 14. This ongoing dispute is raising bigger questions about trust in the vulnerability reporting process.

One host touching 50+ internal IPs across 5+ ports in under 5 minutes is not “normal admin activity.” That is how ransomware operators map your network before encryption. 👀 The best part? This detection still works when the tool is renamed, packed, or stripped of metadata. Fully tool-agnostic. I shared both the KQL and ESQL versions in the article. More discovery-phase detections soon.

I think AI coding hype follows roughly four stages: 1. Amazement You try it and can’t believe how much code it generates from a few prompts. 2. Expansion You start more and more projects because shipping suddenly feels cheap and fast. This is also the phase where people start convincing everyone around them: - coworkers - management - friends in other companies because nobody wants to “fall behind” in 6–12 months. That creates a massive snowball/FOMO effect. 3. The grind phase You realize the generated code has architectural issues, sloppy mistakes, weird abstractions, duplicated logic, broken edge cases, etc. So you start: - re-prompting - switching models - increasing reasoning effort - reviewing fixes - generating fixes for previous fixes And suddenly you spend your days reviewing AI-generated pull requests instead of building software. 4. Realization You realize AI coding increases output much faster than it increases certainty. The code still needs: - review - testing - ownership - architectural understanding - long-term maintenance Usually by expensive senior engineers. And the interesting thing is: this whole cycle can take many months or even more than a year because people become socially and professionally invested in the narrative themselves. Once teams, managers, and entire companies have been convinced that this is the future, it becomes psychologically and politically very hard to later say: “Actually, the ROI is much lower than we expected.”