> deep dives
Long-form breakdowns, incident anatomies, and opinions that don't fit in a news post.
Worms All the Way Down: Why npm and PyPI Will Keep Spawning Self-Propagating Compromises Until We Re-Architect Install-Time Trust
From the original Shai-Hulud in September 2025 through CanisterSprawl, the Bitwarden CLI compromise, and Mini Shai-Hulud, every major npm/PyPI worm of the last eight months has used the same primitive: package lifecycle hooks that run arbitrary code on install. Until the registries change that default, each generation will keep landing.

The OAuth Pivot: How SaaS-to-SaaS Trust Became the 2026 Supply Chain Attack
Salesloft Drift industrialized it. UNC6040 weaponized vishing into it. Vercel and Context.ai proved it pivots through Google Workspace. The pattern is the same: a third-party SaaS gets popped, the attacker inherits its OAuth grants, and your password reset does absolutely nothing.

The Controller Token Leak Epidemic: Kubernetes Has a Confused-Deputy Problem
Six CVEs in three months, four against a single Kyverno feature, plus OpenShift AI and Argo CD: every modern Kubernetes platform is shipping helper code that hands its controller's bearer token to attacker-controlled URLs. The bug class isn't going to fix itself.

The Ransomware Dwell Time Collapse: When the Entire Kill Chain Fits Inside an Hour
Akira is encrypting domains 60 minutes after a VPN login. Storm-1175 is going from zero-day to domain-wide Medusa deployment in under 24 hours. The industry's average detection time is still measured in days. The math no longer works.

Self-Hosted and Unprotected: The AI Workflow Tool Security Crisis
Langflow, Flowise, n8n, ComfyUI — every major self-hosted AI workflow tool has shipped unauthenticated RCE vulnerabilities in 2026. This isn't a coincidence. It's a structural failure baked into how these tools were designed.

Severity Drift: Why Your Vulnerability Triage Process Is Working With Bad Data
From silent reclassifications to incomplete patches to NVD enrichment backlogs, the severity data your vuln management program depends on is wrong more often than you think. Here's the proof — and what to do about it.

Dead Drops on the Chain: Why Blockchain Became the C2 Infrastructure Defenders Can't Take Down
From EtherHiding to CanisterWorm to GlassWorm — attackers spent three years systematically proving that blockchain is the unkillable C2 channel. Here's how each technique works and what you can actually do about it.

Your Firewall Is the Foothold: Q1 2026's Edge Device Exploitation Epidemic
Three months into 2026, edge devices are the dominant entry point for attackers. A deep dive into the FortiGate SSO bypass and Ivanti EPMM RCE chains, and why this pattern shows no signs of stopping.