No malware required: device-code phishing + Teams as the intrusion surface

No malware. Still owned. 🧾🔑💬 Device-code phishing + Teams as the “lobby” + stolen OAuth tokens = API-speed SaaS exfil. If you’re hunting binaries, you’re late.

SIGNALS WEEKLY: When Management Planes Become the Battlefield

🛫 Your “management plane” is now the battlefield. Cisco Secure Email + HPE OneView are seeing active exploitation, and UAT-8837 is chasing CI targets. Patch like it’s a fire drill. 🔥🧯

[FORECAST] Integrator CI/CD Compromise by End-2026?

OWASP Top 10:2025 put Software Supply Chain Failures front-and-center. 🧩⚙️ Now the fun question: by end-2026, do we get public root-cause confirmation that an industrial integrator’s CI/CD/build/signing or update channel led to 2+ critical-infra intrusions? 😬

Iran’s Internet Went to Zero on Jan 8—Will Account Takeovers Spike in the Next 2–3 Weeks?

Iran’s internet goes dark → attackers don’t stop. They speed-run creds and hit post-auth collection the moment connectivity blips back. ⏱️🔑👀

SIGNALS WEEKLY: Taiwan Critical Infrastructure: Reports of China-Linked Probing and Prepositioning

🧭 Taiwan CI pressure looks like recon + access maintenance, not a one-off headline. 🩹 Patch Tuesday + KEV = attacker shopping list. ☁️ And Salesforce Aura/Experience Cloud exposure? No patch… just “surprise, it’s public.”

Deepfake BEC & Payment Diversion: The Q1 2026 Fraud PIR You Can’t Defer

Deepfake BEC = the same old fraud… with a way better script. 🎭💸 If payroll/AP changes can happen on “sounds right,” you’re funding someone’s Q1 bonus.

[FORECAST] CoPhish: The Microsoft Copilot Link That Hands Over Your OAuth Tokens

Will at least one publicly disclosed enterprise breach be confirmed where attackers used a Microsoft Copilot Studio..

SIGNALS WEEKLY: MongoBleed (CVE-2025-14847) Is in KEV: The Unauth MongoDB Leak You Need to Patch

MongoBleed is in KEV: unauth MongoDB memory leak = creds/tokens. Patch + find exposed hosts. Dolby fix + poisoned dev tools too. 🧯🧬👇

[DEEP RESEARCH] Token Factory: The 5 Costliest US Breaches of 2025

2025’s costliest US breaches: identity, outage math, outcomes Identity-led intrusions at distributors, govtech, healthcare, and an appliance vendor drove nine-figure losses. Outage duration and revocation speed determined the spread between disruption and recovery.

Geopatriation Is Coming: Sovereign Clouds Will Break Your Telemetry First

2026 prediction: “sovereign cloud” becomes the #1 way to accidentally create telemetry refugees 🛂☁️ Meanwhile: DPRK “IT workers” in the supply chain + OAuth consent hijacks that laugh at MFA 🔑🎭 What’s your log-clears-customs plan?

SIGNALS WEEKLY: Poisoned DNS Updates + Aflac’s 22.65M Aftershock (and MongoBleed)

This week’s vibe: MongoBleed → KEV, BitLocker ransomware in critical infra, poisoned DNS “updates” for MgBot, and Aflac’s ~22.65M aftershock. 🔥🧨🦠

Token Factory: The 5 Costliest US Breaches of 2025

2025’s priciest breaches weren’t “elite malware.” They were tokens + SaaS + downtime 🪙⏱️🔥 If your revoke MTTR is measured in days, the attackers already won.

edr

CrowdStrike vs Microsoft Defender: Who Leads EDR/XDR Into 2026?

EDR “leader” in 2026 = who contains fastest at scale + doesn’t implode during updates. 🎄🧯 Our model: CrowdStrike 50% (±8), Microsoft Defender 35% (±7), SentinelOne 15% (±5).

weekly

SIGNALS WEEKLY: Holiday Patch Panic: Cisco AsyncOS Zero-Day + KEV Edge Rush

🎄 Zero-day season: Cisco AsyncOS exploited + KEV edge scramble. 🧯 VNC-to-HMI + cloud C2 (Drive/Telegram) keep paying rent.

scam

Holiday Scam Survival Kit (2025): Delivery Texts, ‘Family Emergency’ Calls, Gift Card Traps

Holiday scammers are running peak-season ops 📦🎄 “Delivery problem” texts, AI “family emergency” calls, and “pay via gift card/Zelle” pressure. Rule: don’t click, hang up + call back, never gift cards/crypto/wires.

sass

[DEEP RESEARCH] Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth

Most downtime and spend stemmed from OAuth/SaaS abuse and edge appliances—not catastrophic zero-days. Here’s what drove real operating impact and the fastest ways to shrink it.

weekly

SIGNALS WEEKLY: Chrome 0-Day in the Wild + December Patch Tuesday Priv-Esc

Chrome 0-day in the wild + Windows priv-esc getting abused + OT VNC still exposed like it’s 2009. 😬🔥

oauth

Zero-Days Are a Distraction: 2025’s Biggest Losses Were Stolen Tokens + OAuth

Zero-days get the headlines. Stolen tokens + OAuth consent abuse get the invoices. 🧾🔑😈 2025 pain = AiTM/device-code phishing + token replay + KEV-speed edge fires.

forecasts

Will UNC5221 pop a fresh zero-day before Dec 31? Final Forecast!

BRICKSTORM intel just landed: PRC actors camping in vCenter/ESXi + Windows. 🧱🕵️‍♂️ F5 source-code drama raises the long-run 0-day odds, but the calendar + attribution lag are savage. Our final call: 11% UNC5221 gets publicly tied to a new 0-day before Dec 31. 🎯

weekly

SIGNALS WEEKLY: React2Shell in the Wild, BRICKSTORM in the Walls, Predator on the Phone

React2Shell in the wild, BRICKSTORM in the walls, Predator on the phone. Not a dystopian haiku—this week’s risk stack. 🧯🕳️📱

oauth

The Quiet Token Heist: Why 2026’s Biggest SaaS Breaches Won’t Start With Passwords

2026’s nastiest SaaS breaches will ride valid tokens + “trusted” apps. We already got the trailer with the Salesloft/Drift OAuth blast radius. And the browser? Yeah, it’s part of the perimeter now. 😬🔑💬

forecasts

How Close Are We to a Cyber-Driven Citywide Water Outage?

Will hackers actually turn off a city’s water, or is that just conference-slide horror fiction? 💧🤔 We put a number on it...

weekly

SIGNALS WEEKLY: Android Banking Malware & VS Code Worms Go Mainstream

🚨 CodeRED alerts ransomed. 🐛 Shai Hulud 2.0 looting CI/CD secrets. 📱 107 Android bugs + Albiriox on-device fraud. Signals Weekly on what to fix first.

ai

Dark LLMs: When Your AI Traffic Is C2

Your “normal” AI traffic can be stealth C2 now. Dark LLMs are writing per-host pwsh one-liners, self-rewriting droppers, and hiding in model APIs you approved. If you’re not policing AI egress, you’re not doing detection. 😬🤖