forecasts
[FORECAST] Fortune 500s: Will Prompt Injection Trick IDE Agent Mode into Running Commands—or Leaking Secrets—by 2026?
Recent agent-mode rollouts make ‘read files + run tasks’ normal. Prompt injection makes that risky. Here’s the forecast.
weekly
Your firewall isn’t the perimeter. It’s the onboarding portal. 🔥
unc6201
Your backup system isn’t your parachute. It’s a beachhead. 🏖️ Mandiant/GTIG report UNC6201 exploiting Dell RP4VM (CVE-2026-22769, CVSS 10.0). Hardcoded credential → OS-level control + root persistence.
forecasts
Cambodia says it sealed off ~190 scam sites. 🧨 Now the real question: dismantled or displaced? 🧱🚚 Our forecast uses grown-up metrics (convictions + asset denial + independent compound counts).
weekly
Your control plane isn’t infrastructure. It’s leverage. 🔥
identity
Your SOC isn’t understaffed. It’s late. ⏱️😈 Attackers aren’t scaling with malware—they’re scaling with OAuth + tokens + “normal” API exports. Big tech wins by yanking kill-switches fast. Can you revoke an OAuth grant in <30 min?
forecasts
Fake CAPTCHA ➜ “paste this PowerShell.” 🙃 Linked-device pairing ➜ quiet account takeovers. 👻 Device-code phishing ➜ legit login page, attacker gets tokens. 🔑
weekly
Pre-filled AI prompt links: now a delivery vector. Microsoft warns they can poison assistant recommendations + memory. 🧠🧪
uat-8099
*Vendors are naming slices of the same IIS SEO fraud problem differently. This summary aligns those labels into one unified hunt surface and shows how to separate UAT-8099/WEBJACK from other BadIIS-style activity using concrete host and HTTP fingerprints.*
proxy
“Normal traffic” is now an attacker costume. 🥸🏠 Residential proxies borrow real home ISP IPs, making sprays/scrapes/SaaS intrusion blend in. Don’t rage-block—use tiered friction (identity+behavior) w/ proxy intel as a risk multiplier.
weekly
MFA isn’t “done.” It’s now the excuse attackers use on the phone. ☎️😈🔑 Vishing → MFA reset/re-enroll → post-login SaaS data grabs. Plus: selective Notepad++ updater abuse + proxy traffic making IP rep cry.
forecasts
Our new forecast asks: will ShinyHunters make more in 2H 2026 by selling SaaS access/data than by getting paid? Signals say yes. 🕵️‍♂️💸☁️