[SIGNALS WEEKLY] Perimeter Pressure, Supply Chain Drift, and Identity Theft
The perimeter blinked. VPN portals and CI tokens are still doing incident cosplay.
![[SIGNALS WEEKLY] Perimeter Pressure, Supply Chain Drift, and Identity Theft](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w1200/2026/06/z-1.png)
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe!
Like this? Forward this to a friend!
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
TL;DR
-
[Perimeter/Vulnerabilities] Active exploitation of VPN/edge auth (incl. PAN-OS CVE-2026-0257) and new CISA KEV entries underscores that internet-facing portals/gateways remain primary initial-access points, requiring prioritized patching plus high-fidelity auth/admin telemetry.
-
[Supply Chain/CI-CD] The npm “Miasma” incident and emerging “agentic” GitHub workflows show that compromised publishers, CI identities, and untrusted text-driven automation are now central supply-chain attack surfaces, breaking the “signed = safe” assumption.
-
[Identity/Infostealers] Threat actors are weaponizing AI-themed lures and infostealers to capture credentials and cloud/SSO session tokens at scale, enabling rapid post-login pivots and reinforcing the need for tighter session controls, conditional access, and anomaly-based detection.
Current Stories
TL;DR
-
[Edge/VPN Exploitation] Perimeter auth remains a primary initial-access target (CISA KEV + PAN-OS GlobalProtect CVE-2026-0257) — so what this week: treat exposed portals/VPNs as “under active testing,” and prioritize patch/mitigation plus auth telemetry.
-
[Supply Chain] npm “Miasma” campaign trojanized Red Hat’s @redhat-cloud-services packages via a hijacked trusted publisher pipeline — so what this week: signed packages aren’t safety; CI/CD tokens and publisher permissions are the blast-radius multipliers.
-
[Social Engineering/Identity] AI-brand lures are being used to drive infostealers and steal session tokens — so what this week: expect user-initiated installs to translate quickly into cloud/SSO session hijack and rapid follow-on access.
-
[Sanctions/Finance] U.S. Treasury sanctioned Iran’s Nobitex and related entities tied to sanctions evasion and IRGC-linked activity — so what this week: anticipate shifting crypto rails and increased compliance scrutiny around exposure and tracing.
References
-
(2026-06-08) CISA Adds Two Known Exploited Vulnerabilities to Catalog
-
(2026-06-05) CISA Adds One Known Exploited Vulnerability to Catalog
-
(2026-06-05) Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
-
(2026-06-02) Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
-
(2026-06-08) AI brands as bait: How threat actors are using the AI hype in social engineering
-
(2026-06-02) Economic Fury Targets Iran’s Largest Digital Asset Exchange for Terror Finance and Sanctions Evasion
Emerging Stories
TL;DR
- [AI Security/CI-CD] Agentic GitHub workflows can turn untrusted text into tool actions — so what this week: treat issues/PRs as untrusted input, and keep secrets out of jobs that can be influenced by repo content.
![[FORECAST] Fake Hires, Real Access](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/ChatGPT-Image-Jun-4--2026--12_49_37-PM.png)
![[GAME THEORY] Your AI Agent Remembered the Secret. So Did the Attacker.](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/z.png)
![[SIGNALS WEEKLY] Shifting Extortion Tactics and Fragile Software Supply Chains](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/06/zzzz.png)
![[FORECAST] The next secret-stealing campaign may start with a tool you trusted](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z-10.png)