Kyle - chaoticflaws.bsky.social 🇺🇦

IRFlow Timeline v1.0.7 is live. This one focuses on a problem I think DFIR teams will see more often: AI assistant usage becoming part of the investigation surface. You can now collect and normalize local AI usage history from tools like Claude Code, ChatGPT Desktop, Cursor, GitHub Copilot, OpenAI Codex, Gemini CLI, Continue, Windsurf, and Claude Desktop into a unified timeline view. Also added AI Secret Hunt, which helps identify secrets, tokens, API keys, private keys, and credentials that may have been pasted into AI assistants during real investigations or day-to-day engineering work. The goal is simple: make AI app activity easier to preserve, search, tag, and correlate during incident response. AI usage is becoming part of the forensic record. We need tooling that treats it that way. Link in the comment ⬇️ #DFIR #IncidentResponse

Microsoft has identified an active supply chain attack using typosquatted npm packages to steal cloud and CI/CD secrets. On May 28, 2026, a single threat actor operating under newly created maintainer alias vpmdhaj published 14 malicious packages within a 4-hour window. https://t.co/jC3f2m6EBp The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment. Read the blog from the Microsoft Defender Research team to an in-depth analysis, as well as mitigation, detection, and hunting guidance.

CVE MCP Server — Turn Claude Into a Full Security Analyst 💀🔥 27 security tools • 21 threat intelligence sources • One MCP protocol 🔥 Analyze CVEs, check KEV status, calculate exploit risk, investigate malicious IPs, scan dependencies, search PoCs, map MITRE ATT&CK techniques, query VirusTotal, Shodan, GreyNoise & more — directly inside Claude. ⚡ Automated vulnerability triage ⚡ Composite risk scoring ⚡ Threat intelligence correlation ⚡ AI-powered security workflows ⚡ MCP-ready security automation Perfect for SOC analysts, threat hunters, vulnerability management teams & security researchers. 🔗 https://t.co/1upveIkkJV #CyberSecurity #ThreatIntel #CVE #ThreatHunting #SOC #BlueTeam #MCP #ClaudeAI

One host touching 50+ internal IPs across 5+ ports in under 5 minutes is not “normal admin activity.” That is how ransomware operators map your network before encryption. 👀 The best part? This detection still works when the tool is renamed, packed, or stripped of metadata. Fully tool-agnostic. I shared both the KQL and ESQL versions in the article. More discovery-phase detections soon.

𝗦𝗺𝗮𝗹𝗹 𝗘𝗗𝗥 𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗨𝗽𝗱𝗮𝘁𝗲: We have not posted much about the project lately, but the matrix has not been sitting still. 𝗢𝘃𝗲𝗿 𝗔𝗽𝗿𝗶𝗹 𝗮𝗻𝗱 𝗠𝗮𝘆: ✅ 5 PRs merged 🧩 4 vendors added or updated 💻 Windows, macOS, and Linux coverage touched 🤝 24 community submissions reviewed, merged, or consolidated 𝗧𝗵𝗲 𝗺𝗮𝗶𝗻 𝘂𝗽𝗱𝗮𝘁𝗲𝘀: - 𝗖-𝗣𝗿𝗼𝘁 was added across Windows and macOS and took the place in the EDR Telemetry scoreboard. - 𝗨𝗽𝘁𝘆𝗰𝘀 macOS coverage landed across 55 subcategories. - 𝗘𝗹𝗮𝘀𝘁𝗶𝗰 𝗗𝗲𝗳𝗲𝗻𝗱 macOS got 6 corrections backed by evidence. - 𝗖𝗼𝗿𝘁𝗲𝘅 𝗫𝗗𝗥 Linux now has an initial profile. Most of the work is exactly what this project needs: adding coverage, checking evidence, fixing incorrect statuses, and keeping notes clear when explicit telemetry needs to be enabled or needs further confirmation. We have been quiet publicly, but the data has kept improving. Check out the updates on our website https://t.co/sVXZplFuKq

I spent the last weeks building LLM benchmarks for a very specific reason: We want to use AI in RuneAI to help with THOR finding triage, and I needed a better baseline for model selection than generic LLM leaderboards. Security-event triage is its own thing. A model can be great at coding, reasoning or vulnerability writeups and still be a bad fit for deciding whether a messy endpoint finding should be suppressed, reviewed or escalated. In real deployments this will likely happen inside agentic workflows with tools, memory, context handling and feedback loops. But before testing the whole system, I wanted a clean baseline: How does the model behave when it only gets the enriched finding itself? Blog post with the reasoning and methodology: https://t.co/KQPOPDWP1B Interactive benchmark results: https://t.co/pvVhTBJsz0 Repo: https://t.co/Fw3uW9nu2a Maybe useful for others building SOC / security-event triage benchmarks.

🐝 Bumblebee — A Read-Only Supply Chain Exposure Scanner for Developer Machines SBOMs show what shipped. EDRs show what executed. Bumblebee answers the missing question: 👉 Which developer endpoints currently contain the vulnerable package, extension, lockfile or MCP config? Built by Perplexity AI: • Single static Go binary • Zero external dependencies • No telemetry • No package-manager execution • No source-code parsing Scans: npm, pnpm, Yarn, Bun, PyPI, Go, Ruby, Composer, VSCode/Cursor extensions, browser extensions & MCP configs. Perfect for fast DFIR-style exposure checks during supply-chain incidents. https://t.co/O1mlJVoqKo #CyberSecurity #DFIR #SupplyChainSecurity #DevSecOps

I’ve always claimed that ETW is very fast. I’ve been writing and teaching about it for years (for example, my talk “The Good, the Bad and the ETW” at x33fcon 2020 https://t.co/mRjLi3Jr2D), but I never actually measured its speed - until today. I needed an exact figure, so I wrote a small C app that logs 1 million events and measures the elapsed time. Here’s the code along with the complete test procedure. Enjoy! 🚀 https://t.co/Ow75wzaIHz

Cursor is FREE Windsurf is FREE Trae is FREE Claude is FREE ChatGPT is FREE Gemini is FREE Perplexity is FREE Bolt is FREE v0 by Vercel is FREE GitHub Copilot is FREE Supabase is FREE Cloudflare is FREE Docker is FREE Hugging Face is FREE Railway is FREE https://t.co/05hozFFhlv Who is stopping you from building and learning?