Mike Saurbaugh

16.4K posts

@MikeSaurbaugh

Proud Dad. Lucky Husband. @IANS_Security Faculty. Cybersecurity Leader & Consultant. Weightlifting. Cooking.

Waxhaw, NC Joined September 2008
4.7K Following 1.4K Followers
Mike Saurbaugh reposted
Richard Seroter @rseroter
"For the first time since we began publishing the CTHR in 2021, we observed a tactical pivot by threat actors. They’re now targeting third-party software vulnerabilities more than weak or missing credentials as the primary initial access vector." cloud.google.com/blog/products/…
Mike Saurbaugh reposted
Dave Kennedy @HackingDave
Simple analogy on AI and cybersecurity. Security has never been solely a technology problem - it's largely a people problem. Complexity of business integration, misconfigurations, legacy systems, business transformations, M&As, etc. are all part of this industry we call cybersecurity. I can't remember the last time I've used a zero day on a customer before. Claude security scan is awesome - augment and make code better. All for it. Security will continue to evolve with AI and integrate with it making us better and faster. Doesn't replace - will never replace. FWIW we've had source code analyzers since I joined this industry - they've gotten better over time and will continue to get better with AI. If I ask claude to do a FULL COMPREHENSIVE code analysis and find every single security bug and don't stop until you do. It will find some, fix them, and say it's good. If I run the same exact prompt, it will find a whole new set of issues. Now, what's today isn't what's tomorrow - but code analysis is only a small portion of an entire security program and it hasn't nailed that yet, and I don't see it nailing that in the future especially with complex systems and business process integration. I'm excited about today, and the future tomorrow in cybersecurity - it'll continue to evolve and honestly, we haven't had any real major breakthroughs in protecting aside from "the basics" in really 20 years. One of our biggest complaints in cybersecurity is we never have enough funding and people. This should help augment and alleviate some of that burden in the future, but doesn't replace and hits at the core of what our challenges have always been. AI is a great thing for the cybersecurity industry both for offense and defense.
Mike Saurbaugh reposted
TrustedSec @TrustedSec
Authorities are using a "bluetooth sniffer," a tool created by @HackingDave, to try to catch a signal from Nancy Guthrie's pacemaker. He joins CNN to discuss how the tool works, the possibility of using drones, and how it could help locate Guthrie's whereabouts. Watch now!
Mike Saurbaugh reposted
Ed Elson @edels0n
Less than a third of Americans trust AI. Less than half of Americans like AI. More than three quarters say it's a threat to humanity. In this article I investigate the biggest AI question nobody's talking about: What if no one wants this?

x.com/i/article/2023…

Mike Saurbaugh reposted
Meredith Whittaker @mer__edith
This cannot be repeated enough. Not just because it’s true, but because when people believe the lie that Telegram is private and secure, they can put themselves and the people they communicate with in danger.
Sabrina Halper@SabrinaHalper

Founder of @signalapp, @moxie Marlinspike on Telegram: "Telegram's not a private messenger. There's nothing private about it. It's the opposite. It's a cloud messenger where every message you've ever sent or received is in plain text in a database that Telegram the organization controls and has access to it" "It's like 'Russian oligarch starts unencrypted version of WhatsApp', a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. And somehow, they've done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives there, and their families are there." "What happened in France is they just chose not to respond to the subpoena. And so that's in violation of the law. And, he gets arrested in France, right? And everyone's like, oh, France, but I think the key point is they have the data, like they can respond to the subpoenas whereas Signal, for instance, doesn't have access to the data and couldn't respond to that same request. To me it's very obvious that Russia would've had a much less polite version of that conversation with Pavel Durov and the Telegram team before this moment."

Mike Saurbaugh reposted
Brad Stulberg @BStulberg
The book is currently 23 percent off on Amazon and I just got word from my publisher stock will be back in a few hours. My guess is the price will go back up then, so if you’re on the edge, lock it in now. (And your copy will be first to ship!)
Brad Stulberg@BStulberg

The ultimate practice-what-you-preach moment: Today, I launched my book "The Way of Excellence." It was the result of thousands of hours and five years of dedicated work. Along the way, I’ve controlled every variable I could, plotted countless contingency plans, and have left no stone unturned to give this book the best chance of success. And yet, due to this crazy winter storm AND the fact that the book is on pace to sell over 1000 hardcovers just today, the world’s largest bookseller is showing a message that says “temporarily out of stock.” (Not ideal. Kind of a nightmare.) -Respond not react -Play the game in front of you -Next play mentality -Lean on community Here are some unedited, real-time lessons: When I first got news that this was happening, I was incredibly frustrated, even angry. How could there not be enough stock? How come this isn’t happening to other books that were released today? But I quickly realized (with a reminder from my wife) that all those things were out of my control. I let myself feel the freak out, anxiety, and anger, and then made a conscious choice to respond not react. What does that mean? I took a walk. (Truly.) On that walk, I realized this is actually a great position to be in. Yes, the storm and warehouse hiccup utterly stink, but part of why this is happening is because so many people bought the book in the last 24 hours. Next, I had to refocus on the game in front of me. Not the game I planned for. Not the game I hoped for. But the game I was dealt. I got in touch with all the publicity that had yet to go out and asked them to hold until tomorrow or Thursday. Unfortunately, some major hits were already sent. It is what it is. Nothing I can do about it. I gave myself a few minutes to complain, but complaining is not a plan. I had to shift into a next-play mentality. And that’s what brings us to this post. 
The “next play” is actually quite simple: To let all of you—my readers, community, and fans—know this is happening, what to expect, and how to support me. My publisher told me Amazon has 3000 more copies in their warehouse; they just couldn’t transfer them to distribution due to the storm. This issue should be resolved by tomorrow afternoon at the latest, and books will resume shipping then (that lovely “out of stock message” will go away, too). The bummer is that the book is currently ranked 348th of ALL BOOKS and in the top 75 for non-fiction. If things had run smoothly, there’s a real shot major publicity would have taken this thing to #1—but what really matters is these lists help the book reach more readers, and I believe in this book deeply. But alas... So I need your help. It’s going to be a ground game, and I have to lean on you all — my online community. If you were on the edge, please get your copy now! If you already purchased one but want to further support both my work and this page, please consider purchasing another to gift. As I said, they are scheduled to ship tomorrow at the latest. This page and readership are truly incredible. It’s like a bastion of goodness on the internet. I hate asking for help, but the book could use it now. Let’s take this thing to #1, hiccups and storms (in this case, literal) included. Note: the book is available (but selling out fast) at other retailers too!

Mike Saurbaugh reposted
Itamar Golan 🤓 @ItakGol
Disaster is coming. Thousands of ClawdBots are live right now on VPSs… with open ports to the internet… and zero authentication. This is going to get ugly.

If your agent can:
- browse the web
- call tools
- access files/secrets
- hit internal endpoints

…then an unauthenticated public endpoint is basically “please take over my bot”. This isn’t theoretical. The internet is a nonstop scanner.

Fix it today:
1) close the port / firewall to VPN or IP allowlist
2) add auth (JWT/OAuth, at least a strong secret) + TLS
3) rotate keys (assume compromise)
4) rate limit + logs + alerts

Agents are powerful. Demo-grade deployments on the open internet are not.
Mike Saurbaugh reposted
Brad Stulberg @BStulberg
Different kind of book “launch” than I expected. Bummer so much is being cancelled. Please support and get your copy today.
Mike Saurbaugh reposted
Trail of Bits @trailofbits
These skills are experimental and don't replace security engineers. Help us improve them, and if you find a bug using a skill, join the trophy case. github.com/trailofbits/sk…
Mike Saurbaugh reposted
Ed Elson @edels0n
One of my new year's resolutions is to write more, so naturally I started a Substack. My first post, "Company of the Year," is out now. Read it here: edwardelson.substack.com/p/company-of-t…
Mike Saurbaugh reposted
Mike Brown @mbrown_co
This book made me $13 million. 🙋‍♂️Because I was dumb enough to try something crazy. I'm not a tech guy. I was a political science major who got Ds in my mandatory engineering classes. I had never written a line of code in my life. I had never even downloaded Access. I started my company with my best friend in May of 2013. By Thanksgiving, I was down to my last $2000. Not even enough to cover rent. Our business sent letters to property owners that said, "Call us for your personalized offer." The problem was that everyone else was doing the same thing. Our letters were getting lost in a sea of competitors. We survived those scrappy years, but we were still fighting tooth and nail for every deal. Then, in 2016, I had an idea to stand out. What if our letters contained real offers? Not lowballs or estimates. Verified, actual numbers. The challenge was scale. We had hundreds of thousands of property owners in our database. Some owned one property, but others might own more than a hundred. Each property had different acreage, ownership percentage, and values per acre. We had to account for millions of variables. Doing it by hand would be impossible. I started researching and learned that Microsoft Access could theoretically handle the logic. So I hired an Access programmer, then another. Both failed. They were trying to build enterprise-grade solutions. They didn't have the industry-specific expertise to understand the real-world use case I was solving for. So I decided to build it myself. I bought the book and started on page one. I literally had to learn what a table was. Then I learned about queries, how relationships work, and eventually, nested queries and if-then logic. I spent an entire year teaching myself from the ground up. I didn't know if it would work. I didn't know if I was wasting my time. I just knew I had nothing to lose. I was not obsessed with work. I was obsessed with the problem. Eventually, I built a system that could generate real offers at scale. 
The first time we mailed them, our phones started ringing nonstop. Within the next ten months, we went from low seven figures to multi-eight figures in transactions. The trajectory of my life was forever changed by our "overnight success." Here's the thing: - I had no prior skill - Zero qualifications - No idea what I was doing I literally bought a book called For Dummies because that is exactly what I was when it came to SQL. The key was having a beginner's mind. Because I actually was one, my ego never got the chance to take over and complicate things. I had zero self-judgment because I was supposed to be bad. And I committed to working on the problem until I had solved it. Tomorrow is January 1st. You are one year of unhinged commitment away from changing the trajectory of your life. All it takes is the willingness to keep showing up and to stay with something long enough for it to compound.