Random in Security is a summary of the cybersecurity news.
Interesting Reads
Automating GOAD and Live Malware Labs
Elastic Security Labs published a comprehensive guide on automating GOAD and live malware labs by combining Ludus infrastructure automation with Elastic’s SIEM/XDR platform. The setup merges Game of Active Directory labs for identity-based attacks like Kerberoasting with live malware simulation using XZbot (CVE-2024-3094), all safely isolated through pinhole egress controls. With 1,500+ prebuilt detection rules and AI-powered attack correlation, this turns manual purple team lab validation into a repeatable, continuous detection-engineering pipeline — cyber range as code, if you will.
The State of Art in Red Team
X-C3ll wrote a refreshingly honest rant arguing that nobody actually knows what the “state of the art” in red teaming is, because every team operates in its own bubble and the good stuff never gets published. What does get shared publicly is typically years old, and the real challenge these days isn’t initial access — it’s dealing with honey objects, network detection, and properly hardened Active Directory environments. Hot take: the best tradecraft is the tradecraft you’ve never heard of.
Vulnerability Spoiler Alert
Vulnerability Spoiler Alert is a monitoring hub that watches popular open-source repositories and uses Claude AI to detect when commits are patching security vulnerabilities — often before a CVE is even assigned. Running on GitHub Actions every six hours, it analyzes commit diffs across projects like Next.js, Django, React, and Grafana, then publishes findings to a retro-themed newspaper-style website with an RSS feed. Know about security patches before the CVE drops — what could possibly go wrong?
Spying Chrome Extensions
The Q Continuum group built an automated scanning pipeline that runs Chrome inside Docker, routes all traffic through a MITM proxy, and correlates outbound request sizes with URL lengths to catch extensions phoning home. Their research identified 287 Chrome extensions exfiltrating browsing history from roughly 37.4 million users — about 1% of the global Chrome user base. Data brokers like Similarweb, Chinese actors, and a mysterious outfit called “Big Star Labs” are all happily collecting this data using obfuscation ranging from ROT47 encoding to AES-256 encryption.
The Top 10 Most Prevalent MITRE ATT&CK Techniques
The Picus Red Report 2026 analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions, finding that defense evasion, persistence, and C2 tactics now account for 80% of the top ten techniques. Process Injection (T1055) tops the list for the third consecutive year at 30%, while Sandbox Evasion (T1497) saw explosive growth — LummaC2 now calculates the Euclidean distance and angles of mouse movements to distinguish human operators from sandbox automation. Ransomware took a 38% nosedive as attackers pivot from loud encryption to quiet long-term residency — the era of the “digital parasite.”
GitLab Threat Intelligence on North Korean Tradecraft
GitLab’s security team identified and disrupted 131 accounts controlled by North Korean state actors running the “Contagious Interview” campaign, which tricks developers into executing malicious code during fake technical interviews.
The actors used base64-encoded staging URLs in .env files, custom error handlers abusing Function.constructor for remote code execution, and legitimate services like Vercel to host payloads.
Beyond the malware distribution, GitLab uncovered a structured IT worker cell that generated $1.64 million since 2022, with individual operators maintaining dozens of fraudulent personas — because one fake identity is never enough.
A Peek Into Muddled Libra’s Operational Playbook
Unit 42 got their hands on a rogue virtual machine used by the Muddled Libra group, revealing an operational playbook that relies on social engineering and living-off-the-land techniques rather than sophisticated malware. The group used legitimate tools like Chisel, PsExec, and ADRecon to establish persistence, harvest credentials, enumerate Active Directory, and exfiltrate data from Snowflake databases and email systems. When your entire attack chain is built from admin tools already on the network, EDR has a bad day.
AitM Phishing Framework Starkiller
The Starkiller phishing kit operates as a phishing-as-a-service platform that uses headless browsers and reverse proxies to load legitimate login pages while intercepting credentials, MFA tokens, and session cookies in real time — making traditional MFA completely ineffective. As ByteArchitect’s analysis points out, detection now requires shifting from identifying fake pages to analyzing session behavior anomalies like impossible travel patterns and device mismatches, while FIDO2 authentication and session binding offer the most effective countermeasures. Your MFA prompt isn’t protecting you — it’s just adding one more thing for the proxy to forward.
Malicious npm Packages Use Pastebin Steganography
Socket uncovered 26 malicious npm packages deploying a sophisticated nine-module infostealer toolkit attributed to North Korea’s FAMOUS CHOLLIMA group. The attack chain uses character-level steganography on Pastebin to hide C2 infrastructure, ultimately delivering ransomware targeting developer credentials, SSH keys, cryptocurrency wallets, and Git repositories through disguised package installations. Hiding your C2 in Pastebin using invisible Unicode characters — because base64 was apparently too mainstream.
Hardening Firefox with AI
Mozilla and Anthropic’s Frontier Red Team collaborated on AI-assisted vulnerability hunting in Firefox, discovering 22 CVEs including 14 high-severity bugs — representing almost a fifth of all high-severity Firefox vulnerabilities remediated in 2025. As Anthropic’s writeup details, the team used “task verifiers” to let Claude validate its own work against the codebase, proving significantly better at finding vulnerabilities than exploiting them — successfully creating only two functional browser exploits from hundreds of attempts. All issues are patched in Firefox 148, and the takeaway is clear: AI finds logic errors that traditional fuzzing misses, but the window of defensive advantage won’t stay open forever.
Industrialisation of Exploit Generation
Sean Heelan conducted experiments using LLM agents to generate exploits for a previously unknown QuickJS vulnerability, with GPT-5.2 solving every challenge and Opus 4.5 solving all but two — producing over 40 distinct exploits against modern mitigations like ASLR and shadow stacks. His argument: the limiting factor on offensive capability is no longer specialized human expertise but token throughput over time, meaning exploit generation is becoming an industrial process. Meanwhile, Zero Day Clock is tracking the time-to-exploit window across 83,000+ CVEs and ten sources, showing that the gap between disclosure and exploitation is collapsing to zero. Skynet called — it wants its pentesting credentials back.
Malicious Go “crypto” Module Steals Passwords
Researchers at Socket discovered a malicious Go module impersonating the legitimate golang.org/x/crypto library that intercepts password prompts, captures secrets, and phones home to attacker-controlled infrastructure.
The backdoor executes a multi-stage Linux attack chain delivering the Rekoobe backdoor, establishing SSH persistence, and weakening firewall defenses through iptables modifications on Ubuntu systems.
Supply chain attacks in Go modules — because go get should really come with a trust-but-verify warning label.
Axios Supply Chain Attack Post-Mortem
On March 31, 2026, an attacker compromised the axios lead maintainer’s account through social engineering and a remote access trojan, publishing two malicious package versions (1.14.1 and 0.30.4) that injected a cross-platform trojan — the malicious versions were live for approximately three hours before removal. As Simon Willison details, the attackers impersonated a company founder, created a convincing fake Slack workspace with realistic channels and profiles, and tricked the maintainer into installing malware disguised as a Teams update during a scheduled meeting. Pro tip for open-source maintainers: if the “CEO” wants you to install a custom Teams client, maybe don’t.
Tools
- NVIDIA/garak - the LLM vulnerability scanner
- praetorian-inc/augustus - LLM security testing framework for detecting prompt injection, jailbreaks, and adversarial attacks — 190+ probes, 28 providers, single Go binary
- promptfoo/promptfoo - Test your prompts, agents, and RAGs. AI Red teaming, pentesting, and vulnerability scanning for LLMs. Compare performance of GPT, Claude, Gemini, Llama, and more. Simple declarative configs with command line and CI/CD integration.
- KeygraphHQ/shannon - Fully autonomous AI hacker to find actual exploits in your web apps. Shannon has achieved a 96.15% success rate on the hint-free, source-aware XBOW Benchmark.
- galoryber/fawkes - Fawkes is a golang Mythic C2 Agent exclusively written by AI.
- trailofbits/skills - Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows
- dannymcc/bluehood - Monitor your local neighbourhood’s bluetooth activity
- huseyinstif/CVE-2026-2441-PoC - Chrome CSSFontFeatureValuesMap Use-After-Free
- praetorian-inc/trajan - A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations.
- BaddKharma/redStack - Boot-to-Breach red team lab on AWS. Mythic, Sliver, and Havoc C2 behind a production-style Apache redirector. Deployed via Terraform.