Fabius Manzi (@Fabmanz)

93 posts

Cyber Security Analyst

Ottawa, Ontario. Joined July 2010
825 Following, 178 Followers
Fabius Manzi reposted
Ridgeline Cyber (@RidgelineCyber):
Conditional Access policies won’t stop token theft, and standard MFA won't fix it either. When teams roll out Microsoft Authenticator push codes or SMS, some assume the cloud perimeter is safe. But sophisticated actors have moved completely past brute-forcing passwords. They use Adversary-in-the-Middle (AiTM) phishing frameworks like Evilginx.

The attack flow is clean: the proxy site mirrors your Entra ID login page. The user enters credentials and solves the genuine MFA challenge. Once Entra ID validates the session, it issues an ESTSAUTH session cookie. The malicious proxy server snatches that cookie before passing it back to the victim’s browser.

The result: the attacker drops that stolen cookie into their own machine. Because the session has already passed the MFA verification loop, they gain instant access to the mailbox or cloud apps. They bypass standard Conditional Access rules seamlessly.

Advanced features like Continuous Access Evaluation (CAE), Token Protection session controls, or strict device compliance rules can mitigate this. But they are rarely part of an organization’s "default" browser-based setups.

Because a stolen token completely bypasses the sign-in loop, you cannot hunt for it by looking for failed logins. You have to hunt for session anomalies, specifically when an identical session jumps network or device context mid-lifecycle. From Sentinel or Entra ID Advanced Hunting, you can run the attached KQL query to identify active token replays across interactive and non-interactive sign-ins:
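The KQL query Ridgeline Cyber refers to was attached as an image and is not reproduced on this page. The following is an added example, not code from the post or from Ridgeline Cyber, that implements the same hunting logic in plain Python over a handful of constructed sign-in records: group successful sign-ins by session identifier and flag any later sign-in in that session that arrives from a different IP or user agent without a fresh MFA completion. The record layout and field names (session_id, ip, user_agent, mfa) are simplifications of Entra ID sign-in logs, assumed for the example, not the exact schema.

```python
"""Hunt for AiTM session-cookie replay by looking for one session that changes
network or device context mid-lifecycle.

Added example, not code from the original post. The record layout is a
constructed simplification of Entra ID sign-in logs (interactive and
non-interactive); the field names are assumptions, not the exact schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    session_id: str     # same value for every sign-in riding one ESTSAUTH session
    ip: str
    user_agent: str
    interactive: bool
    mfa: str            # "completed": challenge solved in this request;
                        # "claim_in_token": satisfied by the existing session only


@dataclass(frozen=True)
class Finding:
    session_id: str
    user: str
    first_ip: str
    later_ip: str
    first_ua: str
    later_ua: str
    reasons: tuple


# Constructed sample data. The "proxy" and "attacker" addresses are
# documentation-range placeholders, not real infrastructure.
T0 = datetime(2025, 6, 2, 9, 0)
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5) Safari/604.1"

SAMPLE = [
    # alice: normal session, silent token refresh from the same device
    SignIn(T0, "alice@example.com", "S1", "203.0.113.10", WIN_CHROME, True, "completed"),
    SignIn(T0 + timedelta(minutes=5), "alice@example.com", "S1", "203.0.113.10", WIN_CHROME, False, "claim_in_token"),
    # bob: the interactive sign-in arrives via the AiTM proxy (the victim solved
    # MFA there), then the stolen cookie is replayed from the attacker's box
    SignIn(T0 + timedelta(minutes=10), "bob@example.com", "S2", "198.51.100.7", WIN_CHROME, True, "completed"),
    SignIn(T0 + timedelta(minutes=31), "bob@example.com", "S2", "192.0.2.55", LINUX_FF, False, "claim_in_token"),
    # carol: IP and device change (office -> phone) but she solves a fresh MFA
    # challenge, so the context change is not a replay
    SignIn(T0 + timedelta(minutes=15), "carol@example.com", "S3", "203.0.113.10", WIN_CHROME, True, "completed"),
    SignIn(T0 + timedelta(minutes=40), "carol@example.com", "S3", "203.0.113.77", IPHONE, True, "completed"),
]


def hunt_session_anomalies(events, window=timedelta(hours=24)):
    """Return one Finding per later sign-in that reuses a session from a
    different IP or user agent without a fresh MFA completion, inside `window`
    of the session's first sign-in. Failed logins are irrelevant here: every
    event in a replay is a successful sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.time)
        first = evs[0]
        for later in evs[1:]:
            if later.time - first.time > window:
                continue
            reasons = []
            if later.ip != first.ip:
                reasons.append("ip_changed")
            if later.user_agent != first.user_agent:
                reasons.append("user_agent_changed")
            # A fresh MFA completion means the user is really present; a bare
            # claim carried by the token is exactly what a replayed cookie shows.
            if reasons and later.mfa != "completed":
                findings.append(Finding(sid, first.user, first.ip, later.ip,
                                        first.user_agent, later.user_agent,
                                        tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt_session_anomalies(SAMPLE):
        print(f"{f.user} session {f.session_id}: {f.first_ip} -> {f.later_ip} "
              f"({', '.join(f.reasons)})")
```

In Sentinel the equivalent is a union of the interactive and non-interactive sign-in tables, summarised by user and session identifier with distinct counts of IP address and user agent, keeping rows where either count exceeds one. Two caveats the sample data is built to show: an IP change on its own is noisy (mobile carriers, VPN egress), so weigh a user-agent change and the absence of a fresh MFA completion more heavily; and in a real AiTM case the session's first sign-in comes from the proxy's address, so the "first" context is itself suspect and worth comparing against your known egress ranges.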
Fabius Manzi reposted
Steven Lim (@0x534c):
Fresh from the oven 🍞 From what I observed the campaign started ~15 Apr and tapered off 17 May. Check if you are impacted ...

DeviceEvents
| where TimeGenerated > ago(45d)
| where ActionType == "AntivirusDetection"
| where parse_json(AdditionalFields)["ThreatName"] has "Qwexlafiba!rfn"

SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer security.microsoft.com/threatanalytic… #Cybersecurity #DefenderXDR #SEOPoisoning
Fabius Manzi reposted
Evan Luthra (@EvanLuthra):
🚨A HACKER GROUP JUST STOLE 4,000 OF GITHUB'S OWN PRIVATE REPOSITORIES.. PUT THEM UP FOR SALE FOR $50,000.. AND THE WAY THEY GOT IN IS THE SCARIEST PART.. They didn't hack GitHub's servers.. They poisoned a VS Code extension.. One GitHub employee installed it.. And the attackers walked through the front door using the employee's own credentials.. The group calls themselves TeamPCP.. They name their malware after the sandworms from Dune.. And they've been running the most sophisticated supply chain attack campaign in cybersecurity history.. Here's how the whole thing unfolded.. In March.. They poisoned Trivy.. One of the most trusted security scanners in the world.. Used by over 10,000 development workflows globally.. They injected credential-stealing malware into Trivy's official GitHub Action.. The malware ran silently BEFORE the security scan.. So every log showed "scan completed successfully" while the malware was stealing AWS keys, SSH credentials, database passwords, and Kubernetes tokens in the background.. It took Aqua Security 5 days to fully remove them.. Using the stolen credentials.. They breached Cisco Systems.. Cloned over 300 private repositories.. Including source code for unreleased AI products.. And repositories belonging to Cisco's customers.. Major banks.. Government agencies.. BPO firms.. In April.. They hit Checkmarx.. Another security vendor.. Poisoned 5 official Docker images in 83 minutes.. The scanner worked perfectly.. It just silently sent all your secrets to the attackers.. That automatically cascaded into Bitwarden.. The password manager.. Their CI/CD system pulled the poisoned Docker image.. And the attackers injected malware into Bitwarden's official CLI package published on npm.. One compromised security scanner poisoned a password manager.. Automatically.. No human involved.. In May.. They hit TanStack.. Libraries downloaded millions of times per week.. 84 malicious package versions across 42 packages.. 
And here's the terrifying part.. The malware scraped the raw memory of GitHub's build servers.. Extracted authentication tokens.. Used those tokens to bypass two-factor authentication.. And then published the infected packages with completely valid cryptographic signatures.. Every security verification tool on earth said the packages were legitimate.. Because they were signed by the real pipeline.. Using real keys.. The attackers just happened to be inside the pipeline when it signed.. They defeated the entire trust model of modern software supply chains.. The same week they hit the Nx Console VS Code extension.. 2.2 million installations.. The malware specifically targeted Claude Code configurations.. Hunting for AI assistant credentials.. That's a first.. Supply chain malware designed to steal your AI's access keys.. Then on May 19.. They revealed the GitHub breach.. 4,000 internal repositories.. Listed for sale at $50,000.. With a warning.. "If nobody buys it.. We leak everything for free".. Their malware is self-propagating.. Once it infects one package.. It automatically finds every other package that developer maintains.. Steals the publish tokens.. And infects all of them.. Then those packages infect the next developer.. And the next.. It jumps between npm and PyPI automatically.. The group doesn't even do the extortion themselves.. They sell stolen credentials to ransomware gangs.. One gang used TeamPCP's data to threaten Cisco with leaking FBI and NASA personnel records.. And the scariest part of all.. They didn't break any encryption.. They didn't find any zero-days.. They exploited the fact that the entire software industry blindly trusts its own build tools.. Every security scanner.. Every Docker image.. Every VS Code extension.. Every GitHub Action.. Is a potential weapon if someone poisons it upstream.. And right now.. Nobody can tell the difference between a legitimate build and a compromised one.. Because the compromised ones have valid signatures too.
Quoted post from GitHub (@github):

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

Fabius Manzi reposted
Grafana (@grafana):
🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)
Fabius Manzi reposted
ANY.RUN (@anyrun_app):
🚨 #MicroStealer is actively targeting telecom & education in the US and Germany — stealing browser credentials and session tokens before most AV tools even flag it. 🎯 One infected endpoint can expose your entire SaaS stack. How to detect & protect: any.run/malware-trends…
Fabius Manzi reposted
Cyber Security News (@The_Cyber_News):
🛡️ Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware Source: cybersecuritynews.com/defender-flags… Microsoft Defender triggered widespread false positive alerts after a faulty security update caused it to flag two legitimate DigiCert root certificates as malicious, potentially disrupting SSL/TLS validation and code-signing operations across enterprise environments worldwide. On affected systems, Microsoft Defender automatically quarantined the flagged certificate entries as part of its standard remediation workflow, effectively removing them from the Windows trust store. This created a serious downstream risk: without these root certificates in place, systems could fail to validate SSL/TLS connections for websites and break code-signing verification. #cybersecuritynews #Digicert #Microsoft
Fabius Manzi reposted
Kwibuka Rwanda (@KwibukaRwanda):
TODAY IN HISTORY. On 11 April 1994, the UNAMIR contingent abandoned Tutsi who had sought refuge in ETO Kicukiro, leading to a massacre of more than 2,000 Tutsi. These massacres also continued in other prefectures including Byumba, Cyangugu and Kibungo. Remember, unite, renew. #Kwibuka32
Fabius Manzi reposted
Emma Claudine (@EmmaClaudine):
I remember April 1994 as if it were yesterday. This short testimony goes to the youth, but especially to those who dare to speak of a “double genocide.” I was not hunted. But I remember how Tutsis were hunted. I remember conversations with my Tutsi peers. Fear in their eyes. Total despair. Wondering where to hide. I remember Tutsi neighbours trying to return to their places of origin, hoping to find safety, and never making it. Some were killed on the way. Others were killed when they arrived, in places they believed would protect them. I remember churches becoming places of animosity. Places of slaughter. And I remember not understanding how people could suddenly become so cruel.

There was a roadblock near our home. People were stopped and asked to present their IDs. If your ID said Tutsi, you were to die. If you had children, they were to die, no matter their age. If you were pregnant, the unborn child was to die first. The unspeakable had become normal. There was a nearby forest. Killers had given it a name, CND. And we would hear them say they had taken people to CND. That is how death was spoken about. Casually. As if it meant nothing. No one questioned it. Those who could ask were the same ones killing or giving the orders.

At no point during the Genocide against the Tutsi did I hear of Hutus being hunted for being Hutu. Tutsis were hunted. Systematically. Ruthlessly. Yes, some Hutus were killed because they were mistaken for Tutsi. Yes, some Hutus were killed because they refused to kill, or because they chose to hide and protect Tutsis. Yes, many Hutus died on the way to exile, mostly from cholera. But they were never hunted to death for being Hutu. Let us not distort history. Let us not equalise what was never equal.

To the youth, Rwanda was once dead. What you see today did not exist. And yet, we rose. We rebuilt. We chose unity over division. Today, Rwanda stands strong, among the fast-developing nations, guided by visionary leadership under H.E. Paul Kagame. Under Inkotanyi, who stopped the genocide when the international community failed to act. Our dignity was restored. Today, the world respects us. This is not something we can ever take for granted. We must stand together to protect our country and our leadership. We must stand together to fight any harm against Rwanda. We must stand together against any form of genocide ideology. We must stand together against denial, so that “Never Again” becomes a reality. Today and forever. As our President said, Rwanda cannot die twice. #Kwibuka32
Fabius Manzi reposted
Prime Minister of Canada (@CanadianPM):
Today, we remember and reflect on the horrific 1994 genocide against the Tutsi in Rwanda. We honour the victims, survivors, and everyone whose lives were changed forever by the atrocities and commit to building a better world where such horrors are never forgotten or repeated.
Fabius Manzi reposted
Moh (@Thiawjuniorr7):
Wayne Rooney on the AFCON final: "It's crazy. If I were a Moroccan player, I wouldn't accept it." "Senegal beat them fairly." 🇸🇳
Fabius Manzi reposted
Winston Ighodaro (@Officialwhyte22):
Thousands of CCTV cameras are exposed to the internet and hackers know exactly how to find them. In this attack, we use Shodan to locate a vulnerable Hikvision DVR login panel exposed at a public IP. Once we confirm the login page, we attempt brute force using common username/password pairs like admin:12345, admin:root, and root:123456. After successful login, we hijack the feed and identify sensitive video streams. Many CCTV setups are rushed, default credentials left unchanged, web ports exposed, and no IP restrictions. Once inside, attackers can record footage, delete logs, or even pivot further into the internal network if the DVR is not sandboxed.
Fabius Manzi reposted
The Hacker News (@TheHackersNews):
⚡ Security Warning! Attackers can bypass Microsoft Defender for Office 365 by exploiting Teams’ guest access. When users join another organization’s tenant, they lose their home protections — and a malicious tenant can use that gap to deliver phishing or malware. Read ↓ thehackernews.com/2025/11/ms-tea…
Fabius Manzi reposted
The Hacker News (@TheHackersNews):
🚨 Hackers found a new way to phish — through browser notifications. A new tool called Matrix Push C2 lets attackers send fake alerts that look like real ones from PayPal, Netflix, or TikTok. No downloads. No malware file. Just one click — and your data’s theirs. Learn more ↓ thehackernews.com/2025/11/matrix…
Fabius Manzi reposted
NBA (@NBA):
Running it back in Los Angeles 🔥 @CP3 x @LAClippers
Fabius Manzi reposted
SportsCenter (@SportsCenter):
AMERICAN TAYLOR TOWNSEND UPSETS NO. 5 MIRRA ANDREEVA AT THE US OPEN 🇺🇸
Fabius Manzi reposted
Les Misérables (@Dachronica):
"When my mother was killed, I was made to clean her blood. That is not contained in the word 'genocide'", Annick Kayitesi, a survivor of the genocide against the Tutsi, insists that the word 'genocide' reduces what Rwanda went through; it does not express the entirety of the terror and trauma victims endured. #Kwibuka30 via @franceinter

Quoted post from Les Misérables (@Dachronica):

Indescribable painful memories: MARIANNE, a survivor of the 1994 Genocide against the Tutsi, who was 5 yrs old at the time, after having seen her parents being slaughtered before her own eyes. Interahamwe counted her among the dead; she was lying down, soaked in her mother's blood, so they left.
