The Axios npm supply chain incident: fake dependency, real backdoor

On March 31, 2026, two malicious Axios versions (1.14.1 and 0.30.4) were briefly published to npm via a compromised maintainer account. The only change performed was the addition of a trojanized dependency, whose postinstall script deployed a cross‑platform RAT (for macOS, Windows, and Linux). Although the Axios packages were removed within hours, multiple hits were … Continue reading The Axios npm supply chain incident: fake dependency, real backdoor →

Capture the Kerberos Flag: Detecting Kerberos Anomalies

Kerberos is one of the most common protocols in organizations that utilize Windows Active Directory, and an essential part of Windows authentication used to verify the identity of a user or a host [1]. As such, Kerberos is often a target for adversaries trying to either steal or forge Kerberos tickets [2]. In this blog … Continue reading Capture the Kerberos Flag: Detecting Kerberos Anomalies →

ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing

ConsentFix (a.k.a.AuthCodeFix) is the latest variant of the fix-type phishing attacks, initially identified by Push Security. In this technique, the adversary tricks the victim into generating an OAuth authorization code that is part of a localhost URL, by signing in to the Azure CLI instance (or other vulnerable applications). Then, the victim is instructed to copy that URL and paste it into a phishing website, essentially handing over the authorization code to the adversary, who is now able to exchange it for an access token. Using the access token, the adversary gets access to the victim's Microsoft account.

How to hunt & defend against Business Email Compromise (BEC)

Business email compromise (BEC) remains a commonly utilized tactic that serves as leverage for adversaries to gain access to user resources or company information. Depending on the end goals of the adversaries, and on the compromised user’s business role - the potential impact can vary from simply accessing sensitive information (e.g., from emails, files uploaded … Continue reading How to hunt & defend against Business Email Compromise (BEC) →

Hunting Chromium Notifications

Browser notifications provide social-engineering opportunities. In this post we'll cover the associated forensic artifacts, threat hunting possibilities and hardening recommendations.

Hunting for Remote Management Tools

In today's digital landscape, Remote Management and Monitoring (RMM) tools have become indispensable for organizations seeking to streamline IT operations, enhance productivity, and ensure seamless remote support. However, within our threat hunting and incident response engagements we often see that these tools, while beneficial, can also pose significant security risks if not properly managed. This … Continue reading Hunting for Remote Management Tools →