Hardening · 2026-06-01 · 15 min read
Vibe Coding Security: Enterprise Defense Against Shadow Builder Exposures [2026]
2,000+ publicly accessible vibe-coded applications holding sensitive corporate data. Shadow Builders are bypassing every security control you've built. This is the enterprise defense playbook for a problem most organizations haven't acknowledged exists yet.
Threat Intelligence · 2026-05-30 · 3 min read
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
A threat actor used an LLM agent to conduct post-exploitation after compromising a Marimo notebook via CVE-2026-39987. The end-to-end attack chain lasted just over an hour, with the attacker exfiltrating a full PostgreSQL database in under two minutes.
Threat Intelligence · 2026-05-29 · 3 min read
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
CVE-2026-35616 in FortiClient EMS is being actively exploited to deploy credential-stealing malware. The attackers abuse the management infrastructure itself to push malware to every managed endpoint.
Threat Intelligence · 2026-05-27 · 3 min read
GlassWorm Botnet Takedown: CrowdStrike Cripples Supply Chain Attack Infrastructure
CrowdStrike, Google, and the Shadowserver Foundation dismantled GlassWorm's C2 infrastructure. The campaign pushed trojanized VS Code extensions and malicious npm packages to harvest developer credentials at scale.
Hardening · 2026-05-23 · 4 min read
Drupal CVE-2026-9082: From Patch to KEV in 48 Hours
CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog 48 hours after Drupal's disclosure. Over 15,000 attack attempts are now targeting Drupal Core's SQL injection flaw.
Threat Intelligence · 2026-05-25 · 2 min read
TrapDoor: A Supply Chain Attack Hitting npm, PyPI, and Cargo at the Same Time
A coordinated supply chain attack codenamed TrapDoor spread credential-stealing malware through 34 malicious packages on npm, PyPI, and Crates.io. The campaign uses postinstall hooks, build scripts, and even AI assistant prompts to steal credentials and maintain persistence on developer machines.