Wes - AlphaHunt Newsletter

forecasts

Will UNC5221 pop a fresh zero-day before Dec 31? Final Forecast!

BRICKSTORM intel just landed: PRC actors camping in vCenter/ESXi + Windows. 🧱🕵️‍♂️ F5 source-code drama raises the long-run 0-day odds, but the calendar + attribution lag are savage. Our final call: 11% UNC5221 gets publicly tied to a new 0-day before Dec 31. 🎯

weekly

SIGNALS WEEKLY: React2Shell in the Wild, BRICKSTORM in the Walls, Predator on the Phone

React2Shell in the wild, BRICKSTORM in the walls, Predator on the phone. Not a dystopian haiku—this week’s risk stack. 🧯🕳️📱

oauth

The Quiet Token Heist: Why 2026’s Biggest SaaS Breaches Won’t Start With Passwords

2026’s nastiest SaaS breaches will ride valid tokens + “trusted” apps. We already got the trailer with the Salesloft/Drift OAuth blast radius. And the browser? Yeah, it’s part of the perimeter now. 😬🔑💬

forecasts

How Close Are We to a Cyber-Driven Citywide Water Outage?

Will hackers actually turn off a city’s water, or is that just conference-slide horror fiction? 💧🤔 We put a number on it...

weekly

SIGNALS WEEKLY: Android Banking Malware & VS Code Worms Go Mainstream

🚨 CodeRED alerts ransomed. 🐛 Shai Hulud 2.0 looting CI/CD secrets. 📱 107 Android bugs + Albiriox on-device fraud. Signals Weekly on what to fix first.

ai

Dark LLMs: When Your AI Traffic Is C2

Your “normal” AI traffic can be stealth C2 now. Dark LLMs are writing per-host pwsh one-liners, self-rewriting droppers, and hiding in model APIs you approved. If you’re not policing AI egress, you’re not doing detection. 😬🤖

forecasts

AI Agents as Regulated C2: Will Anyone Be Forced to Act?

AI just ran most of an espionage op, and regulators are still in “interesting case study” mode. 😏 We’re forecasting: 55% odds that by 2026, someone will force signed AI connectors + agent logs by default.

weekly

SIGNALS WEEKLY: Wormed Repos, Multi-Vector APTs, KEV Identity RCE

Wormed npm repos. Multi-vector APTs. KEV-listed identity RCE. If your CI/CD + SSO aren’t on the same crisis board this week, you’re already late. 😈🚨

ai

Your AI Agents Are the New C2 — Lock Down Identity & Connectors

Anthropic just showed what happens when your “helpful” AI agents become C2: 80–90% of an espionage op automated, humans just clicking approve. Lock down identity + connectors or you’re renting your SaaS to someone else’s botnet. 🤖🚨

forecasts

Will Akira trigger a week-long hospital disruption by end of 2026?

20% odds Akira triggers a 7-day ambulance diversion at a 10+ hospital system by end of 2026. 🚑 Still feeling “low risk”?

weekly

SIGNALS WEEKLY: The Quiet Shift- When Intrusions Start Thinking for Themselves

A Chinese crew let a jailbroken AI run most of the intrusion while FortiWeb + Firebox burn in KEV and a contractor leak drops the playbook.

cl0p

After LockBit and BlackCat, Is Cl0p Really Next in Line?

LockBit got the Operation Cronos takedown. BlackCat imploded. Cl0p just logged a record leak month—and shows no sign of slowing. By 2026, do we really keep Cl0p dark for 90+ days… or just get Cl0p v2 with a fresh logo?