Newsletter 2026-04-07
Another busy week:
Claude found an RCE in vim and emacs relatively easily.
Another week, another supply chain attack:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/
Right alongside that, TeamPCP is using audio steganography in WAV files to evade EDR and other analysis tools.
I’m an avowed RSS fan, but I didn’t know about XSLT. Too bad I only find out about it now that it’s being discontinued.
In its article, MDSec shows a way to disable pre-boot DMA without triggering the BitLocker recovery key prompt: read out the UEFI, modify it, and write it back.
After the recent iPhone chain, here’s an Android rootkit to add to the list. It apparently infected 2.3 million devices via Google Play apps.
Point Wild dissected the Remcos RAT and broke down how the malware operates.
On the socket.dev blog, Sarah Gooding writes up how threat actors are currently and actively going after Node.js maintainers to obtain their credentials and, through them, access to the repositories.
We recently covered a tool meant to identify known functions during reverse engineering. Quarkslab presents an integration for Ghidra, Binary Ninja, and IDA Pro.
SpecterOps presents another tool, this time for using NTLM relays in the browser via a SOCKS proxy.
Another tool - another emperor - from Praetorian. It discovers APIs from recorded traffic logs (Burp export, mitmproxy dump, HAR files) and generates documentation from them.
See you next week