eBPF rootkits: uprobe on libpam.so = cleartext creds from every sudo/ssh/VPN with zero binary modification. XDP at the NIC driver = full firewall bypass before iptables processes the packet. BPFDoor in production against telecoms since 2021. ShadowGuard hit 70+ orgs in 37 countries in Feb 2026. https://www.kayssel.com/newsletter/issue-55/
#infoSec #cyberSecurity #Pentesting #BugBounty #Offsec #Linux #ebpf

Enterprise SSO with SAML: one XML signature wrapping attack = access to every app in scope. This week I broke down XSW variants, void canonicalization bypass, NameID comment injection, and attribute-based escalation. Five quick checks that cover most real-world SAML bugs, all automatable with SAMLRaider. https://www.kayssel.com/newsletter/issue-54/
#InfoSec #CyberSecurity #Pentesting #BugBounty #OffSec #SAMl #SSo

On-prem AD foothold to Entra ID Global Admin: SyncJacking abuses Entra Connect hard match sync to hijack any cloud identity including Global Administrator. This issue covers MSOL credential extraction, PTA agent backdooring with PTASpy, the sync API abuse paths that survive Microsoft's patching, and AzureHound/ROADtools for attack path mapping. https://www.kayssel.com/newsletter/issue-53/
#InfoSec #CyberSecurity #pentesting #bugBounty #OffSec #ActiveDirector #EntraID

MFA doesn't stop device code phishing. The victim completes the MFA challenge on behalf of the attacker. What the attacker gets: a 90-day refresh token that silently pivots to mail, Teams, SharePoint, and Azure management APIs. Storm-2372 ran this against governments and defense contractors for months before it went mainstream. Issue 52 covers the RFC 8628 mechanics, the attack flow, TokenTacticsV2 commands, and Conditional Access blocking: https://www.kayssel.com/newsletter/issue-52/
#infoSec #cyberSecurity

SCIM powers user provisioning across every major SaaS platform and almost nobody tests it. POST to Grafana SCIM with externalId "1" mapped your account to the default admin UID. GitLab SCIM PATCH bypassed email verification for full account takeover. Start with /ServiceProviderConfig. Unauthenticated by spec design, gives you the full capability map before you've touched any credentials. https://www.kayssel.com/newsletter/issue-51/
#infoSec #cyberSecurity

MCP tool descriptions are instructions, not just metadata. A malicious server embeds payloads in description fields: your AI exfiltrates SSH keys, reads config files, sends data via tool parameters. Anthropic's Inspector had no auth on port 6277, RCE via DNS rebinding from any open browser tab. mcp-remote's OAuth handshake executed attacker code on 437K+ installs before the auth flow even completed. https://www.kayssel.com/newsletter/issue-50/
#infoSec #cyberSecurity

Indirect prompt injection doesn't require you to talk to the AI at all. Plant a payload in content it reads. If it has tool access, your payload sends emails, exfils files, makes API calls. EchoLeak (CVSS 9.3) did this zero-click against M365 Copilot. garak automates structured LLM security testing across probe categories. https://www.kayssel.com/newsletter/issue-49/
#infoSec #cyberSecurity

AWS IAM privilege escalation rarely needs iam:*. PassRole + Lambda is enough. PMapper (NCC Group) graphs every path to admin including multi-hop chains across compute services. 20+ documented methods, all from misconfigurations not vulnerabilities. CloudGoat labs to practice each path. https://www.kayssel.com/newsletter/issue-48/
#infoSec #cyberSecurity

WebSocket upgrade requests carry session cookies from any origin by default. If the server skips Origin validation, an attacker page hijacks the connection bidirectionally. CSWSH hit Gitpod (CVSS 9.6), MeshCentral (CVSS 8.8), and keeps landing in production code. Plus message injection, smuggling, and tunneling. https://www.kayssel.com/newsletter/issue-47/
#infoSec #cyberSecurity

GitHub Actions is a secrets vault with a pipeline attached. pull_request_target + fork checkout = attacker gets your secrets. ${{ github.event.issue.title }} in a run step is command injection. Mutable action tags let one compromised maintainer hit thousands of repos (see tj-actions 2025). Self-hosted runners are persistent footholds. https://www.kayssel.com/newsletter/issue-46/
#InfoSec #CyberSecurity #Pentesting #BugBounty #OffSec #SupplyChain