Articles
Long-form writing on tech, culture, and the edges of the internet.
Harvard.edu among 141 hosts serving ClickFix lures
Technical analysis of the campaign that weaponised harvard.edu and 140 other legitimate sites - entry vectors, TDS chain, MITRE mapping, EDR telemetry.
Megalodon hijacked 55,000 GitHub repos via token replay
Megalodon compromised 55,000+ GitHub repositories through PAT harvesting, pull_request_target abuse, and OAuth scope inheritance. Technical breakdown.
The sandbox was never the hard part
CVE-2026-40369 is a 12-byte Mojo IPC overflow in Chromium that converts renderer RCE into browser-process code execution on the host.
Your valid credentials are the breach.
Technical analysis of a coordinated GitHub Actions workflow compromise across 5,561 repositories, with detection guidance for audit log and EDR telemetry.
AI is making attackers worse, not better.
Defender telemetry through 2026 shows model-mediated attackers produce more volume, less variance, weaker adaptation. Substitution is not uplift.
CVSS 5.5 is lying to you
A nine-year-old Linux kernel flaw enables root command execution. CVSS 5.5 understates the outcome. Patch scope and operator action.
GitHub shipped optional hardening as a control
The GitHub breach follows a documented class of failure. The mechanism is identity issuance separated from validation. The industry chose documentation over enforcement.
Malicious commits breached 5,561 repositories
5,561 GitHub repos received malicious CI/CD commits disguised as bot maintenance. The failure was identity enforcement, not exploit complexity.
Microsoft flags password reset exploitation
Microsoft confirms password reset exploitation. The reset endpoint is an authentication surface and must be controlled as one.
Nginx patched. Assume breach.
NGINX issued the nginx-poolslip patch. Operator analysis of what is confirmed, what is not, and what must change at the proxy boundary.
Passkeys authenticate the moment, not the session
MFA, passkeys, and trusted IP authenticate the login moment. They do not extend to the session, the token, or the actions that follow.
Reputation is not a control
Harvard.edu and 140 other domains reported compromised. Why reputation-based controls fail when trusted origins are turned against their consumers.