weekly
SIGNALS WEEKLY: React2Shell in the Wild, BRICKSTORM in the Walls, Predator on the Phone
React2Shell in the wild, BRICKSTORM in the walls, Predator on the phone. Not a dystopian haiku—this week’s risk stack. 🧯🕳️📱
2025
oauth
The Quiet Token Heist: Why 2026’s Biggest SaaS Breaches Won’t Start With Passwords
2026’s nastiest SaaS breaches will ride valid tokens + “trusted” apps. We already got the trailer with the Salesloft/Drift OAuth blast radius. And the browser? Yeah, it’s part of the perimeter now. 😬🔑💬
forecasts
How Close Are We to a Cyber-Driven Citywide Water Outage?
Will hackers actually turn off a city’s water, or is that just conference-slide horror fiction? 💧🤔 We put a number on it...
weekly
SIGNALS WEEKLY: Android Banking Malware & VS Code Worms Go Mainstream
🚨 CodeRED alerts ransomed. 🐛 Shai Hulud 2.0 looting CI/CD secrets. 📱 107 Android bugs + Albiriox on-device fraud. Signals Weekly on what to fix first.
ai
Dark LLMs: When Your AI Traffic Is C2
Your “normal” AI traffic can be stealth C2 now. Dark LLMs are writing per-host pwsh one-liners, self-rewriting droppers, and hiding in model APIs you approved. If you’re not policing AI egress, you’re not doing detection. 😬🤖
weekly
SIGNALS WEEKLY: Wormed Repos, Multi-Vector APTs, KEV Identity RCE
Wormed npm repos. Multi-vector APTs. KEV-listed identity RCE. If your CI/CD + SSO aren’t on the same crisis board this week, you’re already late. 😈🚨
ai
Your AI Agents Are the New C2 — Lock Down Identity & Connectors
Anthropic just showed what happens when your “helpful” AI agents become C2: 80–90% of an espionage op automated, humans just clicking approve. Lock down identity + connectors or you’re renting your SaaS to someone else’s botnet. 🤖🚨
forecasts
Will Akira trigger a week-long hospital disruption by end of 2026?
20% odds Akira triggers a 7-day ambulance diversion at a 10+ hospital system by end of 2026. 🚑 Still feeling “low risk”?
weekly
SIGNALS WEEKLY: The Quiet Shift- When Intrusions Start Thinking for Themselves
A Chinese crew let a jailbroken AI run most of the intrusion while FortiWeb + Firebox burn in KEV and a contractor leak drops the playbook.
cl0p
After LockBit and BlackCat, Is Cl0p Really Next in Line?
LockBit got the Operation Cronos takedown. BlackCat imploded. Cl0p just logged a record leak month—and shows no sign of slowing. By 2026, do we really keep Cl0p dark for 90+ days… or just get Cl0p v2 with a fresh logo?
unc6485
Triofox Exploitation Cluster (UNC6485): Six-Month Outlook, Copycat Risk, and What to Watch
UNC6485 is farming Triofox: Host: localhost → setup → mint admin → AV path = your script → SYSTEM → RMM + reverse RDP/443. Patch to 16.7.10368.56560 now. Copycats next. 🔥🛡️
weekly
SIGNALS WEEKLY: Keys & Gates — Windows kernel EoP; Cisco RA VPN reloads
Keys. Gates. Windows. Actively exploited Win kernel EoP ✅ (CVE-2025-62215). Cisco RA-VPN bugs can reload unpatched edges. LANDFALL used Samsung’s image bug (CVE-2025-21042). Which breaks first in your shop?