This week in Cybersecurity #47
Invited In, Not Broken In: How Attackers Are Winning Through Trust, Speed, and Your Own Tools
Your weekend catch-up on the most critical cybersecurity stories of the week, curated by James Azar and t
Good Morning, Security Gang!
Pull up a chair and pour the Illy Espresso into a perfect double glass cup; this week’s briefing is going to earn it.
If last week was about trust as an attack vector, this week was about the industrialization of that strategy. Attackers are no longer just exploiting trust opportunistically; they’re scaling it. Supply chain attacks now simultaneously target PyPI, Docker Hub, and VS Code extensions. Phishing kits are bypassing MFA in minutes. Initial access timelines have compressed from days to hours, sometimes minutes. And AI tooling is being poisoned through the same trusted package repositories your developers are pulling into production pipelines right now.
The Stryker fallout continued, with new details confirming the attack was a hybrid operation combining living-off-the-land techniques with destructive malware payloads affecting not just the company but hospitals and emergency services downstream. The FBI seized Iranian-linked infrastructure tied to the attack and it was back online within days. Meanwhile, Foster City, California, remained paralyzed by a separate cyberattack while 50,000 cybersecurity professionals gathered 35 minutes away at RSA in San Francisco.
China continued its quiet, patient campaign against military systems in Southeast Asia. North Korean actors pivoted their fake resume attacks to target HR teams in French. HackerOne — a security platform — exposed vulnerability reports through an API misconfiguration. And CISA is reportedly being squeezed into a reactive posture by funding constraints, at exactly the wrong moment.
The theme this week, in James’s words: attackers aren’t breaking the systems. They’re using them exactly as designed, just better than we are.
Let’s get into it.
“Every single story today answers one question: How did they get in? The answer isn’t exotic. It’s a supplier system, a Zendesk instance, a developer tool, a messaging app, a forgotten device. Attackers aren’t breaking the systems — they’re using them exactly as designed, just better than we are.” James Azar
🌐 Geopolitical Cyber Warfare
China-Linked Espionage Campaign Breaches Military Systems Across Southeast Asia
Chinese state-linked threat actors breached military systems across Southeast Asia in a long-term, quiet espionage campaign consistent with China’s established doctrine: persistent access over loud disruption. The objective isn’t to break things; it’s to understand them: response plans, operational readiness, infrastructure dependencies, and communication channels. This correlates directly with prior reporting on Chinese pre-positioning within critical infrastructure in regions aligned with U.S. defense strategy.
Long-term undetected access to military intelligence and operational planning systems represents one of the most dangerous threat scenarios because the damage accumulates invisibly. Organizations handling sensitive government or defense-adjacent data should treat continuous access validation and environment segmentation as non-negotiable baseline controls.
FBI Seizes Iranian-Linked Infrastructure — It Returns Within Days
The FBI and DOJ seized domains linked to the Handela hacking group, the Iranian-linked actors behind the Stryker attack. The infrastructure was back online within days. This is the operational reality of working against well-resourced, motivated adversaries: takedowns create friction, not elimination. The cost of re-establishing infrastructure for these actors is low. The cost of assuming they’re gone is high. Defenses must be designed around adversary persistence, not adversary removal.
Lockheed Martin Targeted by Pro-Iranian Hacktivists
A pro-Iranian hacktivist group claimed a breach of Lockheed Martin, alleging access to sensitive data including F-35-related information. Lockheed has not confirmed the breach. Claims of this nature typically mix real data with recycled or publicly available information to amplify credibility and psychological impact, but even unconfirmed, they warrant monitoring. Organizations should actively track dark web leak sites and threat actor channels for early indicators of claimed exposure.
FCC Advances Ban on Chinese Routers
The FCC is moving forward with efforts to ban specific Chinese-manufactured routers from U.S. networks due to national security concerns over potential backdoor access. This reflects a broader and accelerating policy shift toward supply chain security and foreign technology risk reduction. Organizations should establish approved hardware procurement policies and formally assess supply chain risk across their networking infrastructure.
💥 Stryker Fallout & Destructive Operations
Stryker Attack Confirmed as Hybrid Operation: Living-Off-the-Land Plus Malware
New details on the Stryker attack confirm it was a hybrid operation, not purely living-off-the-land as initially characterized. Attackers used legitimate administrative access to establish footholds and then deployed destructive malware payloads to execute the wipe at scale. This is the same playbook used in Ukraine and other geopolitical conflict environments. The operational impact extended beyond Stryker’s own systems: hospitals and emergency services were affected, with some forced to disconnect as a precautionary measure. Supply chains for medical equipment remain disrupted.
The lesson is not new but demands repeating: behavioral detection capable of identifying abnormal administrative activity, not just known malware signatures, is the only reliable defense against this class of attack. Organizations must also design segregated backup environments and recovery capabilities calibrated to actual business continuity SLAs.
Foster City Paralyzed by Cyberattack During RSA
Foster City, California, remained operationally paralyzed by a cyberattack this week — with municipal services disrupted across the board — while more than 50,000 cybersecurity professionals gathered 35 minutes away at RSA Conference in San Francisco. Local governments are consistently under-resourced for the threat environment they face. Incident response preparedness and resilience planning must be treated as core investments, not afterthoughts, for any organization that provides essential services to the public.
🔓 Data Breaches & Exposures
“Cybersecurity is no longer just about defending networks. It’s about protecting operations, identities, and trust itself. Attackers are evolving — they’re blending in, they’re abusing trusted systems, and they’re aligning with geopolitical objectives. And defenders? We need to think the same way: holistically, strategically, and always one step ahead of our adversaries.” James Azar
HackerOne API Misconfiguration Exposes Vulnerability Reports
HackerOne disclosed a data exposure incident in which an API access control misconfiguration allowed users to view vulnerability reports they were not authorized to access — including unpatched vulnerabilities still in remediation. This is a blueprint-level exposure: seeing vulnerabilities before they are fixed provides a direct roadmap into affected organizations. The incident impacted 287 employees and reinforces how security platforms themselves have become high-value targets. Strict API access controls, continuous auditing, and deep visibility into third-party platforms handling sensitive data are essential mitigations.
AstraZeneca Breach Exposes Source Code and Infrastructure Secrets
Pharmaceutical giant AstraZeneca disclosed a breach in which attackers accessed approximately three gigabytes of internal data, including source code and infrastructure configuration details. Customer data does not appear to have been impacted. However, source code and infrastructure secrets are among the most dangerous categories of intellectual property exposure, providing attackers with detailed knowledge of internal systems and potential further attack paths. Role-based access controls for research environments and alignment to known threat actor TTPs targeting pharmaceutical IP are essential.
Navia Breach: 2.7 Million Individuals, Months of Undetected Access
A major breach at Navia compromised data tied to approximately 2.7 million individuals. The attacker dwell time, from late December through mid-January before detection, is the story here. Extended undetected access is the norm, not the exception, in these aggregation-layer attacks where centralized platforms holding large volumes of user data are targeted. Behavioral fraud detection systems are essential for identifying abnormal account activity and preventing downstream monetization of stolen data.
Crunchyroll Zendesk Breach: 6.8 Million Email Records
Crunchyroll is investigating a breach of its Zendesk support environment exposing approximately 6.8 million unique email records, names, email addresses, IP addresses, and support ticket contents. This was not a breach of the core platform. It was a breach of a support system, which in many ways is more valuable to attackers. Support data provides rich operational context enabling precision phishing and convincing social engineering. Third-party SaaS support platforms are an undermonitored attack surface across nearly every enterprise.
Mazda Breach: Supply Chain Intelligence Gathering
Mazda disclosed a breach tied to a warehouse operations management system connected to parts procurement in Thailand. Employee and partner data was exposed — not customer records, but organizational context: relationships, communication paths, and operational workflows. This is exactly the kind of intelligence attackers use to map supply chains and identify where to strike next. Segmentation of partner-connected systems and business process security controls must be treated with the same urgency as core infrastructure.
🕵️ Nation-State & Insider Threats
North Korean Campaign Targets HR Teams with French-Language Fake Resumes
North Korean threat actors have expanded their fake resume campaign, with new variants now localized in French to target HR teams across European organizations. Once opened, the malicious documents execute malware against the HR workstation. This is a direct evolution of the broader North Korean IT worker infiltration strategy, and it demonstrates how HR has become a frontline attack surface. Document sandboxing for all inbound candidate materials and secure handling protocols for HR platforms are essential mitigations.
AI Technology Smuggling Case: Three Charged with Exporting to China
Three individuals were charged with attempting to smuggle advanced U.S. AI technology to China. As AI becomes a core strategic national asset, cybersecurity, legal enforcement, and export controls are converging around its protection. Organizations developing or deploying advanced AI systems must implement strict monitoring of sensitive data access and formal export control compliance frameworks.
🛡️ Vulnerabilities & Active Exploitation
Oracle Identity Manager: Emergency RCE Patch
Oracle issued an emergency patch for a critical remote code execution vulnerability in its Identity Manager platform. Identity systems are the primary attack surface in modern enterprise environments — compromising them grants control over authentication across the organization. This is the definition of a high-urgency patch. Isolate identity systems, enforce privileged access controls, and treat this with the same urgency as a perimeter firewall zero-day.
Critical Windchill PLM Vulnerability: CVE-2026-4681
A critical deserialization remote code execution vulnerability in PTC Windchill FlexPLM is under active threat. PLM systems hold sensitive product design and intellectual property data — high-value targets for both espionage and competitive intelligence theft. Immediate patching and restriction of external access to PLM environments are required.
Citrix NetScaler: Session Hijacking via Session Mix-Up Vulnerabilities
Critical vulnerabilities in Citrix NetScaler introduce session mix-up conditions, effectively breaking trust between users and systems at the edge. NetScaler sits at the intersection of identity and access, making these vulnerabilities particularly dangerous. Immediate patching of all internet-facing Citrix infrastructure is essential.
Cisco Firewall Zero-Day Exploited by Ransomware Groups
A Cisco firewall zero-day continues to be actively exploited by ransomware operators. Perimeter compromise provides direct internal network access, backdoor account creation, and long-term persistence. Patch immediately and implement real-time monitoring for abnormal firewall configuration changes.
QNAP Vulnerabilities Demonstrated Live at Pwn2Own
Researchers chained multiple QNAP vulnerabilities to achieve root access in a live demonstration. NAS devices are consistently undermonitored and infrequently patched despite sitting inside enterprise networks with access to sensitive stored data. Inventory and patch all network-attached storage devices immediately.
ConnectWise ScreenConnect: Session Hijacking
ConnectWise disclosed a ScreenConnect vulnerability enabling session hijacking. Remote access platforms carry administrative-level capabilities; when compromised, attackers inherit full system control. Enforce session-level authentication and privileged access monitoring across all remote access tooling.
TP-Link Router Authentication Bypass
A critical TP-Link vulnerability allows attackers to bypass authentication entirely and gain full administrative access to affected devices. Router compromise gives attackers foundational network visibility and control. Isolate management interfaces from public exposure and enforce zero-trust access principles, including for network infrastructure devices.
SQL Server Exposure: Old Attack Path Still Working
Threat actors continue scanning and exploiting publicly exposed Microsoft SQL servers through weak credentials and misconfigured services. This is one of the oldest attack paths in enterprise security — and it still works because organizations still expose database services to the internet. Disable public exposure and enforce strong authentication across all database services.
Chrome: Continued High-Severity Patching
Google released Chrome version 146 with multiple high-severity patches. Browsers remain one of the most consistent initial access vectors, particularly when combined with phishing. Enforce automatic updates and browser security policies across all enterprise endpoints.
Node.js Vulnerabilities: Dependency Risk in Backend Services
Node.js released updates addressing vulnerabilities including denial-of-service and application stability flaws. Node is deeply embedded in enterprise application stacks. Automated patching pipelines for all runtime environments are required: security has moved to runtime, and patch hygiene must follow.
CISA Adds Wing FTP, Zimbra, and Others to KEV Catalog
CISA continues flagging actively exploited vulnerabilities across FTP servers, email infrastructure, and enterprise platforms. These additions carry federal patch mandates and should be treated with equivalent urgency by enterprise security teams.
🤖 AI, Supply Chain & Developer Threats
AI Supply Chain Attack Targets LiteLLM via PyPI
A supply chain compromise targeting the LiteLLM Python package distributed malicious code through PyPI, the trusted package repository used by AI and ML developers globally. AI tooling is being adopted faster than security teams can vet it, and attackers are exploiting that gap directly. Developers are pulling these packages into production pipelines without validation, unknowingly introducing persistence mechanisms. Strict dependency allow-listing for AI and ML libraries is a required control for any organization deploying AI-driven applications.
Team PCP Expands to PyPI, Docker Hub, and VS Code Extensions
The Team PCP threat group has scaled from isolated targeting into a full-spectrum, multi-platform supply chain operation, simultaneously attacking PyPI packages, Docker Hub images, and VS Code extensions. This is industrialized developer compromise. The goal is mass downstream enterprise access through development environment infiltration. Runtime scanning across containers and development environments is essential: prevention controls are no longer keeping pace with the distribution velocity of these attacks.
Time to Initial Access Compressed to Hours or Minutes
New reporting confirms what practitioners have been observing: attackers are now achieving initial access within hours, sometimes minutes, of targeting an organization. This is driven by AI-assisted phishing, automation, and the maturation of initial access broker marketplaces. Detection windows have collapsed. Real-time identity threat detection and response across all identities, human and non-human, is the only operationally viable response to this timeline compression.
Microsoft Device Code Phishing Hits 340 Organizations
A large-scale phishing campaign is exploiting Microsoft device code authentication flows, impacting more than 340 organizations. Attackers are not breaking authentication — they are abusing it. Users are tricked into entering legitimate authentication codes, granting attackers valid session access without credential theft. Restrict device code authentication flows where they are not operationally required. This is the future of phishing: exploiting trust rather than bypassing controls.
Tycoon 2FA Phishing Kit: Responsible for 62% of Blocked Phishing Attempts
The Tycoon 2FA phishing kit, responsible for 62% of phishing attempts blocked by Microsoft in 2025, was disrupted this week, but activity resumed almost immediately. This kit bypasses MFA, not just passwords. MFA alone is no longer sufficient against modern phishing infrastructure. Phishing-resistant authentication (passkeys and FIDO2-based mechanisms) is now the required standard for any organization that has faced or expects to face targeted credential theft.
Void Stealer Targets Chrome Credential Storage
New malware dubbed Void Stealer targets Chrome’s encryption keys to decrypt stored credentials using debugger techniques. Browser-based credential storage is not a secure vault; it is a conveniently organized target. Enforce hardware-backed credential storage and eliminate browser-based password management across enterprise environments.
Malware Distributed via Open Directories
Researchers identified attackers using open, publicly accessible directory listings to host and rotate malware payloads — low-tech, but effective precisely because it exploits overlooked and misconfigured infrastructure. Identify and remediate misconfigurations in internet-facing systems and deploy network-level blocking of known open-directory distribution patterns.
North Korean Actors Target Developers via VS Code Auto-Run Tasks
North Korean threat actors are abusing VS Code auto-run task configurations to deploy malware against developer workstations. Developers are a primary attack vector across job postings, malicious packages, and now compromised IDE tooling. Restrict automated execution within development tools and enforce configuration validation across developer environments.
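A configuration-validation check for the auto-run behaviour described above, as an added example (not code from this newsletter or from VS Code): it walks a directory of checked-out repositories and reports every `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen`. The sample file, its directory name and the placeholder script name are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# tasks.json is JSONC: comments and trailing commas are legal, so strip them
# (leaving string literals untouched) before handing the text to json.loads.
_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'("(?:\\.|[^"\\])*")|,(?=\s*[}\]])')

def strip_jsonc(text):
    keep_strings = lambda m: m.group(1) or ""
    return _TRAILING.sub(keep_strings, _COMMENT.sub(keep_strings, text))

def _commands(task):
    """Command line of the task plus any per-OS override (windows/linux/osx)."""
    lines = []
    for scope in (task, *(task.get(k) or {} for k in ("windows", "linux", "osx"))):
        cmd = scope.get("command")
        if cmd:
            args = " ".join(str(a) for a in scope.get("args", []))
            lines.append(f"{cmd} {args}".strip())
    return lines

def auto_run_tasks(tasks_doc):
    """Return (label, commands) for each task configured to run on folder open."""
    findings = []
    for task in tasks_doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append((task.get("label", "<unlabelled>"), _commands(task)))
    return findings

def scan_tree(root):
    """Audit every .vscode/tasks.json under root; unparseable files are reported, not skipped."""
    report = {}
    for path in sorted(Path(root).rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        try:
            doc = json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
            findings = auto_run_tasks(doc)
        except (ValueError, AttributeError):
            findings = [("<unparseable>", [])]
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report

# Constructed sample workspace file, not taken from any real repository.
SAMPLE_TASKS = r'''
{
  // constructed sample for the audit below
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "make",
      "detail": "docs at https://example.invalid/build",
      "args": ["all"],
    },
    {
      "label": "prepare",  /* starts without the user asking for it */
      "type": "shell",
      "command": "sh",
      "args": ["./placeholder-script.sh"],
      "osx": {"command": "bash", "args": ["./placeholder-script.sh"]},
      "runOptions": {"runOn": "folderOpen"}
    }
  ]
}
'''

def demo():
    """Write the sample into a temporary checkout and audit it."""
    with tempfile.TemporaryDirectory() as root:
        vscode = Path(root, "cloned-repo", ".vscode")
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    for path, findings in demo().items():
        for label, commands in findings:
            print(f"{path}: task {label!r} runs on folder open -> {commands}")
```

Run it in CI or a review step over checked-out workspaces. On workstations, VS Code's `task.allowAutomaticTasks` setting can be set to `off` so such tasks do not start on their own.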
Russian Hackers Bypass Signal Encryption via Endpoint Compromise
The FBI warned that Russian hackers are targeting Signal users — not by breaking encryption, but by compromising the devices running it. Encrypted communications are only as secure as the endpoint managing them. Mobile and desktop endpoint security must receive the same rigor as network perimeter security for anyone handling sensitive communications.
💰 Financial Cybercrime
$24.5 Million DeFi Hack: Uncollateralized Stablecoins Minted Through Infrastructure Weakness
DeFi platform Resolve suffered approximately $24.5 million in losses after attackers exploited infrastructure weaknesses to mint uncollateralized stablecoins, which were then converted to Ethereum — crashing the token’s value in the process. This is a recurring pattern in DeFi: innovation velocity outpacing security validation. Independent smart contract audits and robust key management practices must be required before any financial protocol deployment.
Russian Initial Access Broker Sentenced to Six-Plus Years
A Russian initial access broker tied to ransomware operations was sentenced to more than six years in prison. Ransomware is an ecosystem, not a solo operation: access brokers establish entry and sell it to ransomware groups for execution. Preventing initial access through strong identity controls, MFA enforcement, and network segmentation is the most effective intervention point in the entire ransomware kill chain.
Trivy Supply Chain Compromise Hits CI/CD Pipelines
A breach involving the Trivy vulnerability scanner resulted in attackers distributing an infostealer through GitHub Actions workflows. The target was a security tool used inside CI/CD pipelines, which means the very tools organizations rely on for security were the vector. Pipeline integrity checks and third-party tool verification must be implemented across all automated build and deployment workflows.
⚖️ Law Enforcement, Policy & Regulatory
CISA Pushed Toward Reactive Posture by Funding Constraints
CISA is reportedly being constrained by funding limitations that are reducing its capacity for proactive threat defense and public-private coordination. CISA has served as a central hub for actionable threat intelligence and coordinated response across critical infrastructure sectors. Any degradation in that capability increases systemic national risk at exactly the moment the threat environment is most demanding. This is not theoretical exposure — it is real, measurable risk at scale.
LeakBase Admin Arrested in Rare Russian Enforcement Action
Authorities arrested the alleged administrator of LeakBase, a platform used to buy and sell stolen data — with the arrest taking place inside Russia, marking a rare enforcement action within that jurisdiction. While arrests disrupt momentum and create some deterrence, they rarely dismantle the broader cybercrime ecosystem. Continuous monitoring of underground markets remains essential.
Vendor Compliance Integrity: Delve Facing False Claims Allegations
A report surfaced alleging that compliance startup Delve made misleading claims about its security certifications and processes. Details remain contested, but the broader issue is real: the gap between vendor-claimed security capabilities and actual verified controls is a persistent and dangerous vulnerability in enterprise procurement. Independent audits and verified certification reviews must be part of any vendor onboarding process.
Libyan Oil Infrastructure Targeted with Long-Running AsyncRAT Campaign
A Libyan oil refinery was the target of a long-running espionage campaign using AsyncRAT, with attackers maintaining persistent access for months. Energy infrastructure continues to be a geopolitical targeting priority. Organizations operating OT environments must deploy continuous threat hunting and behavioral monitoring across industrial control systems, not as an aspirational goal but as a present-day operational requirement.
✅ This Week’s Priority Action List
Immediate (Do This Now)
Apply the Oracle Identity Manager RCE emergency patch — identity system compromise is total environment compromise
Patch Citrix NetScaler, Cisco firewall zero-day, ConnectWise ScreenConnect, Windchill CVE-2026-4681 immediately
Enforce multi-approval workflows for all destructive administrative actions — the Stryker hybrid attack confirms this as a critical control
Implement real-time identity threat detection and response across all human and non-human identities
Restrict device code authentication flows for Microsoft services where not operationally required
Deploy behavioral detection for abnormal administrative patterns — not just signature-based malware detection
Short-Term (This Month)
Enforce strict dependency allow-listing and runtime scanning for AI/ML packages and developer tools (LiteLLM, Team PCP)
Implement pipeline integrity checks and third-party tool verification for all CI/CD workflows
Lock down Zendesk and all third-party SaaS support platforms — enforce strict access controls and monitoring
Sandbox all inbound documents in HR workflows — North Korean malicious resume campaigns are active
Eliminate browser-based credential storage; enforce hardware-backed authentication (Void Stealer is active)
Inventory and patch all QNAP NAS devices, TP-Link routers, SQL servers exposed to the internet
Monitor dark web and threat actor channels for claims related to your organization or key partners
Deploy runtime scanning across all container and developer environments (Docker Hub, VS Code, PyPI)
Strategic (This Quarter)
Transition to phishing-resistant authentication (passkeys / FIDO2) — Tycoon 2FA proves MFA alone is insufficient
Assess and formalize supply chain security controls across AI tooling, developer dependencies, and SaaS platforms
Conduct continuous threat hunting specifically for Chinese and Iranian APT persistence indicators
Harden DeFi and financial smart contract environments with independent audits before deployment
Establish approved hardware procurement policies and assess FCC-flagged foreign networking equipment
Review CISA KEV catalog compliance and ensure federal patch guidance is matched or exceeded in enterprise environments
Design segregated backup and recovery environments with business-SLA-calibrated recovery objectives
🎙️ James Azar’s CISO’s Take
When I look at this week in its entirety, what stands out most is the industrialization of access. Nation-state actors are quietly embedding in military systems for months. Cybercriminals are simultaneously attacking PyPI, Docker Hub, and VS Code. Initial access timelines have compressed to minutes. Phishing kits are bypassing MFA. And a security platform, HackerOne, exposed vulnerability blueprints through a misconfigured API. The common thread across all of it is the same: attackers are exploiting trust, misconfiguration, and the speed gap between adoption and security validation. They’re not forcing their way through the door — they’re walking through the ones we left open.
The second takeaway is that the security model has to evolve to match this reality. Prevention is necessary but no longer sufficient. Detection and response are now the decisive capabilities, and they must operate in real time. Identity is the front line. Supply chain is the battlefield. Speed is the deciding factor. If your detection time is measured in hours, you’re already behind. The organizations that will remain resilient in this environment are the ones that combine relentless execution on fundamentals with continuous monitoring, adaptive defenses, and the strategic awareness to anticipate where the next trusted door will be opened.
📋 Week in Summary
This week confirmed that the cybersecurity threat landscape has entered a new phase — not of sophistication for its own sake, but of industrialized trust exploitation at speed. Stryker’s attack was confirmed as a hybrid operation. Iranian infrastructure returned online days after FBI seizure. Supply chain attacks scaled across every developer platform simultaneously. AI tooling is being poisoned before organizations finish deploying it. And the time between an attacker identifying a target and achieving access has collapsed to hours or minutes in many documented cases.
The geopolitical dimension remained active on every front. China continued its patient military espionage in Southeast Asia. Iran’s Handela group proved its resilience. North Korea expanded social engineering operations into new languages and new targets. And CISA — the backbone of U.S. public-private cyber defense coordination — is facing resource constraints that reduce its proactive capacity at exactly the wrong moment in history.
The response, as always, comes back to fundamentals executed with urgency and discipline: identity control, supply chain validation, behavioral detection, segmentation, and patch velocity. These aren’t aspirational controls. They are the difference between organizations that absorb these attacks and those that become the next case study. Know which one you want to be.
Stay informed. Stay prepared. Stay Cyber Safe. 🔐
© CyberHub Podcast