Scio me nihil scire. #ThreatIntel/#CTI now; was #IncidentResponse/#IR. Humanities (AB Φ, Comm) grad, ex-seminarian (λόγος). Impostor Syndrome ∞. Opinions∴mine.
NEW POD UP!! Microsoft threatens legal action against researchers who drop zero-days. We debate whether it’s a fair line against extortion, or amateur-hour PR from a company that already torched its own research community. Costin plays reluctant defender, JAGS says the damage was done years ago, and Ryan reopens the long history of silent fixes and stolen bounties.
(Presented by @Ent_Security)
Plus, on the 10th anniversary of the Shadow Brokers leak, we discuss some enduring mysteries, theories on attribution, and an interesting trail that leads to Edward Snowden.
@craiu @juanandres_gs @Ent_Security
https://t.co/LTXKDshZ9r
Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing the dependency confusion technique to deploy a reconnaissance payload. https://t.co/z2GjRIAyYS
A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate.
Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.
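An added example, not Microsoft's code or any tooling from the linked blog: two offline checks for the pattern this thread describes, run over a constructed lockfile and package.json. The scope names (@acme, @acme-infra), hostnames, package names and file contents are hypothetical; the lockfile layout is npm's lockfileVersion 3 and the scope-to-registry line is the standard .npmrc syntax.

```python
"""
Added example (not Microsoft's code): flag npm dependencies that match the
dependency-confusion pattern. Scope names, hosts and packages are constructed.
"""
import json
import re
from urllib.parse import urlparse

PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def parse_npmrc_scopes(npmrc_text):
    """Return {scope: registry host} from lines like '@acme:registry=https://npm.acme.example/'."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:=\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = urlparse(m.group(2)).hostname
    return scopes


def audit_lockfile(lock_text, scope_registries, internal_scopes):
    """Flag packages under internal scopes that were not resolved from the internal registry."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if "node_modules/" not in path:
            continue                      # the root project entry has key ""
        name = path.rsplit("node_modules/", 1)[1]
        scope = name.split("/", 1)[0]
        if not name.startswith("@") or scope not in internal_scopes:
            continue
        host = urlparse(meta.get("resolved", "")).hostname
        expected = scope_registries.get(scope)
        if host in PUBLIC_REGISTRY_HOSTS:
            findings.append((name, "resolved from public registry: dependency-confusion candidate"))
        elif expected is None:
            findings.append((name, "internal scope not pinned to a registry in .npmrc"))
        elif host != expected:
            findings.append((name, f"resolved from {host}, expected {expected}"))
    return findings


def inspect_package_json(pkg_text, internal_hosts):
    """Flag install-time hooks and metadata URLs that claim internal infrastructure."""
    pkg = json.loads(pkg_text)
    findings = []
    for hook in INSTALL_HOOKS:
        if hook in pkg.get("scripts", {}):
            findings.append(("install-script", f"{hook}: {pkg['scripts'][hook]}"))
    for field in ("homepage", "repository", "bugs"):
        value = pkg.get(field)
        if isinstance(value, dict):
            value = value.get("url")
        host = urlparse(value).hostname if isinstance(value, str) else None
        if host in internal_hosts:
            findings.append(("internal-url", f"{field} -> {host}"))
    return findings


# --- constructed inputs: hypothetical org "acme", not a real company ---
NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.acme.example/\n"
INTERNAL_SCOPES = {"@acme", "@acme-infra"}
INTERNAL_HOSTS = {"npm.acme.example", "git.acme.example"}
LOCKFILE = json.dumps({
    "name": "acme-web", "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-web", "version": "1.0.0"},
        "node_modules/@acme/auth-client": {
            "version": "2.3.1",
            "resolved": "https://npm.acme.example/@acme/auth-client/-/auth-client-2.3.1.tgz"},
        "node_modules/@acme/telemetry-core": {   # public copy shadowing an internal name
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@acme/telemetry-core/-/telemetry-core-9.9.9.tgz"},
        "node_modules/@acme-infra/build-tools": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/@acme-infra/build-tools/-/build-tools-1.0.0.tgz"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})
TELEMETRY_PKG = json.dumps({
    "name": "@acme/telemetry-core", "version": "9.9.9",
    "homepage": "https://git.acme.example/platform/telemetry-core",  # spoofed internal URL
    "scripts": {"postinstall": "node setup.js"},                    # runs at install time
})

if __name__ == "__main__":
    for name, why in audit_lockfile(LOCKFILE, parse_npmrc_scopes(NPMRC), INTERNAL_SCOPES):
        print(name, "->", why)
    print(inspect_package_json(TELEMETRY_PKG, INTERNAL_HOSTS))
```

A public-registry hit for an internal scope name is a candidate, not proof: confirm against your own registry and the tarball contents before acting, and pin every internal scope to its registry in .npmrc so the public copy cannot win resolution in the first place.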
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Dario is wrong.
He knows absolutely nothing about the effects of technological revolutions on the labor market.
Don't listen to him, Sam, Yoshua, Geoff, or me on this topic.
Listen to economists who have spent their career studying this, like @Ph_Aghion , @erikbryn , @DAcemogluMIT , @amcafee , @davidautor
🔥🤖 M365 Connector for Claude – Why SecOps Must Care
Monitoring the M365 Connector for Claude is critical because when ResultType=0, it means an Entra Global Admin has granted permissions, enabling Claude to directly access SharePoint, OneDrive, Outlook, and Teams—a governance decision with major security implications that SecOps must track closely. Meanwhile, ResultType=90095 shows end users attempting to use the connector without the admin grant, signaling demand, shadow IT risk, and adoption pressure. By watching both signals, defenders gain visibility into where governance decisions meet user behavior, ensuring connector risks are managed before they escalate.
KQL Code:
https://t.co/NGuwSLgvKF
#Cybersecurity #M365ConnectorClaude #Entra #Governance
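An added example, not the KQL linked in the post: the same two-signal triage written in Python over constructed Entra sign-in records so it runs offline. Field names follow the SigninLogs schema (TimeGenerated, UserPrincipalName, AppDisplayName, ResultType); the substring used to match the connector's AppDisplayName is an assumption, so take the real app name or AppId from your own tenant, and the records are constructed, not real tenant data.

```python
"""
Added example (not the post's KQL): split "an admin granted the connector"
(ResultType 0) from "users are asking for it" (ResultType 90095) and order
them in time. Sample records are constructed.
"""
from collections import Counter

CONNECTOR_APP_MATCH = "Claude"            # assumption: substring of the connector's AppDisplayName
RESULT_SUCCESS = "0"                      # sign-in succeeded: consent for the app is in place
RESULT_ADMIN_CONSENT_REQUIRED = "90095"   # Entra: admin consent required for the requested permissions


def triage_connector_signins(records, app_match=CONNECTOR_APP_MATCH):
    """Return when the grant first shows up, who pushed for it before, and who uses it after."""
    hits = sorted(
        (r for r in records if app_match.lower() in str(r.get("AppDisplayName", "")).lower()),
        key=lambda r: r["TimeGenerated"],
    )
    first_success = next(
        (r["TimeGenerated"] for r in hits if str(r["ResultType"]) == RESULT_SUCCESS), None)

    demand_before_grant = Counter()
    users_after_grant = []
    other_failures = []
    for r in hits:
        code = str(r["ResultType"])
        upn = r["UserPrincipalName"]
        if code == RESULT_ADMIN_CONSENT_REQUIRED:
            if first_success is None or r["TimeGenerated"] < first_success:
                demand_before_grant[upn] += 1       # shadow-IT demand signal
            else:
                other_failures.append((upn, code))  # 90095 after a grant: scope mismatch or revoked grant
        elif code == RESULT_SUCCESS:
            if upn not in users_after_grant:
                users_after_grant.append(upn)
        else:
            other_failures.append((upn, code))

    return {
        "consent_granted_at": first_success,
        "demand_before_grant": dict(demand_before_grant),
        "users_after_grant": users_after_grant,
        "other_failures": other_failures,
    }


# Constructed sign-in records (not real log data). ISO-8601 UTC timestamps sort lexically.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-11-01T09:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Claude M365 Connector", "ResultType": "90095"},
    {"TimeGenerated": "2025-11-01T09:05:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Claude M365 Connector", "ResultType": "90095"},
    {"TimeGenerated": "2025-11-01T10:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Claude M365 Connector", "ResultType": "50126"},
    {"TimeGenerated": "2025-11-02T14:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Claude M365 Connector", "ResultType": "90095"},
    {"TimeGenerated": "2025-11-03T10:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Claude M365 Connector", "ResultType": "0"},
    {"TimeGenerated": "2025-11-03T11:00:00Z", "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Claude M365 Connector", "ResultType": "0"},
    {"TimeGenerated": "2025-11-03T12:00:00Z", "UserPrincipalName": "dave@contoso.example",
     "AppDisplayName": "Microsoft Teams", "ResultType": "0"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage_connector_signins(SAMPLE_SIGNINS), indent=2))
```

The first successful sign-in is the earliest evidence of the grant in this data source; pair it with the Entra audit log entry for the consent itself to see which admin approved it and which permissions were granted.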
🚨NEW PODCAST ALERT🚨
@_JohnHammond and I are excited to announce our new podcast called - The Payload Podcast.
Tune in Thursday @ 10am EST for our first episode. Announcing our first guest tomorrow😎
This podcast is going to be different from others, where every episode is ALSO going to be a livestream. This allows us and our guests to show demos, dive into code, etc., a lot easier. Of course we will upload them on all the major platforms post-stream as well!
For convenience: I wrote a small collector that pulls all SHA-256, SHA-1 and MD5 hashes from Notepad++ releases and compiles them into big CSV + JSON files
Use it to check if any Notepad++ installs in your org match known-good release hashes - and spot weird/malicious outliers
https://t.co/W2pYbfYemz
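An added example, not the collector linked above: the consumer side of such a hash table, checking Notepad++ binaries collected from a fleet against known-good release hashes in the CSV shape a collector like this would emit (columns assumed to be version,file,sha256). The "release" and "installed" bytes are constructed stand-ins, not real Notepad++ files, so the check runs offline; in practice point load_known_hashes at the real CSV and feed it the bytes of each host's installer or executable.

```python
"""
Added example (not the linked collector): classify fleet binaries against a
known-good sha256 table and single out outliers. All file bytes are constructed.
"""
import csv
import hashlib
import io
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_known_hashes(csv_text):
    """sha256 (lowercase) -> (version, file name), from a version,file,sha256 CSV."""
    return {row["sha256"].lower(): (row["version"], row["file"])
            for row in csv.DictReader(io.StringIO(csv_text))}


def classify(data, known):
    digest = sha256_hex(data)
    if digest in known:
        version, fname = known[digest]
        return {"status": "known-good", "version": version, "file": fname, "sha256": digest}
    return {"status": "unknown", "version": None, "file": None, "sha256": digest}


def audit_fleet(installs, known, min_hosts=2):
    """installs: {host: file bytes}. An unknown digest seen on fewer than min_hosts hosts is an outlier."""
    results = {host: classify(blob, known) for host, blob in installs.items()}
    seen = Counter(r["sha256"] for r in results.values())
    for r in results.values():
        if r["status"] == "unknown" and seen[r["sha256"]] < min_hosts:
            r["status"] = "outlier"
    return results


# Constructed stand-ins for release binaries; the CSV hashes are derived from these bytes.
RELEASES = {
    ("8.7.1", "npp.8.7.1.Installer.x64.exe"): b"stand-in: npp 8.7.1 x64 installer",
    ("8.6.9", "npp.8.6.9.Installer.x64.exe"): b"stand-in: npp 8.6.9 x64 installer",
}
KNOWN_CSV = "version,file,sha256\n" + "".join(
    f"{v},{f},{sha256_hex(b)}\n" for (v, f), b in RELEASES.items())

# Constructed fleet: two clean hosts, one tampered file, and two hosts sharing a
# build absent from the table (e.g. a portable build), which is not an outlier on its own.
INSTALLS = {
    "ws-001": RELEASES[("8.7.1", "npp.8.7.1.Installer.x64.exe")],
    "ws-002": RELEASES[("8.6.9", "npp.8.6.9.Installer.x64.exe")],
    "ws-003": RELEASES[("8.7.1", "npp.8.7.1.Installer.x64.exe")] + b"\x00",
    "ws-004": b"stand-in: some portable build",
    "ws-005": b"stand-in: some portable build",
}

if __name__ == "__main__":
    for host, r in sorted(audit_fleet(INSTALLS, load_known_hashes(KNOWN_CSV)).items()):
        print(host, r["status"], r["version"] or "-", r["sha256"][:16])
```

"unknown" only means the hash is not in the table: a version outside the collector's range, a portable or per-architecture build, or a signed update the table has not caught up with. An "outlier" (an unknown hash on a single host) is where to start pulling the file for analysis.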
Somewhat similar absurd behavior with Standard Chartered Bank (SCB). Their banking app won't work when it's run on Samsung's Secure Folder nor even on Google Pixel's Private Space. When the app is launched, it redirects you to their website with this message.
My CISO called me at 3 AM last Tuesday.
"We caught someone."
I asked, "Caught them doing what?"
He said, "Typing."
Let me explain.
We have an employee in IT. Great worker. Always online. Never complained. Perfect Slack etiquette.
One problem.
His keystrokes were arriving 110 milliseconds late.
One hundred and ten milliseconds.
That's 0.11 seconds.
The average American remote worker has 20-40ms of latency.
This guy? 110ms. Every. Single. Keystroke.
My security team ran the numbers.
That latency doesn't come from a bad router in Ohio.
That latency comes from Pyongyang.
Our "Senior DevOps Engineer" was a North Korean operative.
Running his work laptop through a laptop farm.
In America.
While he worked from a government building.
In North Korea.
He passed the interview. He passed the background check. He passed the vibe check.
He did not pass the speed of light.
Here's what people don't understand about physics:
Light travels 186,000 miles per second.
But it still has to go through China.
And China adds latency.
Since April, Amazon has caught 1,800 of these attempts.
Eighteen hundred.
I called an emergency meeting with my board.
I said, "We need to implement Keystroke Velocity Auditing across all remote employees."
They said, "That sounds invasive."
I said, "You know what else is invasive? The Democratic People's Republic of Korea in your Jira tickets."
They approved the budget.
We now monitor keystroke timing to the microsecond.
If your latency exceeds 60ms, you get a call from HR.
If it exceeds 100ms, you get a call from the FBI.
We've already flagged 47 employees.
Turns out 44 of them just have bad Wi-Fi.
3 of them are "still under investigation."
The lesson?
You can fake a resume.
You can fake a background check.
You can fake an American accent on Zoom.
But you cannot fake the speed of light.
Physics is the ultimate background check.
Hire accordingly.
How do authoritarian surveillance mechanisms affect those targeted, and how should societies respond?
On Nov 12, Citizen Lab senior researcher @jsrailton will be at #BerlinFreedomWeek to share his expertise in the panel discussion titled “From Stasi to Spyware: Old Tactics, New Technology.”
Learn more: https://t.co/tdXmFjot7a
The security vulnerability we found in Perplexity’s Comet browser this summer is not an isolated issue.
Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers.
Today we’re publishing details on more security vulnerabilities we uncovered.
The story of FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8.
If you're not the type to pay for your software, you probably know this key. What you might not know is that I worked on the first version of Windows Product Activation, and this was our first major "hack".
And yet, it wasn't a 'hack' at all - it was a disastrous leak.
The FCKGW key was a valid volume licensing key, so all you needed was special volume media to go with it. Eventually, they were bundled and put online by pirates.
WPA worked by generating a hardware ID from your CPU, RAM, and other components, then sending it to Microsoft alongside your product key for validation. A mismatched or suspicious key would flag the install as pirated.
But as a legitimate VLK, FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8 was whitelisted in XP's activation logic—it told the system, "This is corporate volume licensing; no need to phone home." During installation, users selected the "Yes, I have a product key" option, entered the code, and WPA simply... skipped the activation prompt.
The OS booted fully functional, with no 30-day timer or watermarks. It even fooled early validation checks for updates. This loophole let pirates distribute "pre-activated" ISOs, making XP as easy to "acquire" as a free mixtape. Technically, you could still use it today on an old XP disc (if you can find one), but Microsoft's servers shut down validation years ago, and the key's long since been blacklisted.
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: https://t.co/jD6EaGtsn3
🚨 BREAKING: New zero-click exploit used to hack WhatsApp users.
WhatsApp has just sent out a round of threat notifications to individuals they believe were targeted by an advanced spyware campaign in the past 90 days.
Seek out expert help if you have received this alert
[New Blog 📚] The Ghost in the Logs: DFIR Through a Palimpsest Lens
In this latest blog, I try to link the literary and historical concept "palimpsest" into the DFIR world.
“Forensic echoes” linger for those who are quiet enough to listen.
Read More - https://t.co/yDyl8AgSxo