[SIGNALS WEEKLY] Tokens, Edges, and Exploits: Shifting Paths to Compromise
The token survived. npm packages, CI/CD runners, and edge boxes keep turning “contained” into “still owned.” The boring weakness became the breach path.
TL;DR
- [Supply Chain / CI-CD] Attackers are compromising npm packages and CI/CD runners to steal tokens and secrets, enabling low-noise access to cloud and production environments without traditional malware.
- [Vulnerabilities / Edge] Actively exploited bugs in Drupal, Trend Micro Apex One, Langflow, F5 BIG-IP, Confluence, and ASP.NET ViewState deserialization underline a recurring edge-to-internal pivot pattern and shared-secret misuse.
- [E‑Crime / Phishing] Criminal ecosystems are scaling phishing-as-a-service for real-time OTP/session theft and have lost some VPN infrastructure to law enforcement, but they are likely to reconstitute their anonymization infrastructure and focus further on identity and session abuse.
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe!
Like this? Forward this to a friend!
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Current Stories
TL;DR
- [Supply Chain] Microsoft: compromised @antv npm maintainer pushed malicious versions; targeted GitHub Actions (Linux) to steal CI/CD creds and exfil secrets — who should care: GitHub Actions shops, npm-heavy front-end stacks, self-hosted runner operators.
- [Vulnerabilities] CISA KEV: active exploitation → urgent patching for Drupal Core SQLi (CVE-2026-9082), Trend Micro Apex One (on‑prem) traversal (CVE-2026-34926), and Langflow origin validation bug (CVE-2025-34291) — who should care: orgs running Drupal, Apex One on-prem, Langflow/LLM workflow tooling, and any internet-exposed app teams.
- [Cybercrime] Europol: “First VPN” disruption (33 servers seized; domains taken down) used by ransomware/data-theft actors; expect short-term infrastructure migration — who should care: ransomware-targeted sectors (health, manufacturing, local gov), threat hunting/IR teams tracking e-crime infra.
- [Intrusion Tradecraft] Microsoft: observed edge appliance (F5 BIG-IP) → internal app (Confluence) → identity/credential abuse chain — who should care: orgs with exposed edge appliances, Confluence admins, identity teams (AD/AAD/SSO).
References
- (2026-05-20) Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
- (2026-05-21) Cybercriminal VPN used by ransomware actors dismantled in global crackdown
- (2026-05-22) From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
- (2026-05-21) Operation Saffron: Bitdefender Joins “First VPN” Takedown
- (2026-05-22) CISA Adds One Known Exploited Vulnerability to Catalog
- (2026-05-21) CISA Adds Two Known Exploited Vulnerabilities to Catalog
Emerging Stories
TL;DR
- [Phishing] GTI: Chinese-language PhaaS is scaling real-time OTP/session theft, increasingly delivered via RCS/iMessage with automated localization — who should care: consumer-facing brands, helpdesks, finance/e-commerce, and mobile-security teams.