Kostas

@kostastsale

Running ➡ http://defendpoint.ca | http://edr-telemetry.com | https://edr-comparison.com/ | http://detectionstream.com | 🇬🇷🇨🇦

1,394
Followers
128
Following
450
Posts
19.09.2023
Joined

Latest posts by Kostas @kostastsale

Video thumbnail

Sometimes the call comes a little too late and you gotta do what you gotta do 😂

06.03.2026 13:15 👍 3 🔁 0 💬 0 📌 0
Preview
Bots: An introduction for developers Bots are small applications that run entirely within the Telegram app. Users interact with bots through flexible interfaces…

๐—›๐˜‚๐—ป๐˜ ๐—ณ๐—ผ๐—ฟ ๐˜๐—ต๐—ถ๐˜€ ๐—ฏ๐˜† ๐—น๐—ผ๐—ผ๐—ธ๐—ถ๐—ป๐—ด ๐—ฎ๐˜:

• Chrome/Edge running on servers where they shouldn't be
• Browser profile directory access by non-browser processes
• Outbound HTTPS to api.telegram.org from unexpected executables
• Startup persistence under AppData or ProgramData without operational justification

20.02.2026 01:48 ๐Ÿ‘ 3 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
Preview
TelePeek - Telegram Bot Investigation Professional tool to securely track and analyze bot interactions

I'm using TelePeek.com to monitor the receiving interface (screenshot shows operator's dashboard). The victim profile is concerning with government employees and enterprise users in high-level organizations...

20.02.2026 01:48 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
TelePeek - Telegram Bot Investigation Professional tool to securely track and analyze bot interactions

Exfiltration via Telegram bot API where PhantomStealer packages victim data as JSON and POSTs directly:

• Browser credentials, cookies, saved passwords
• System metadata (OS, username, antivirus status)
• Network reconnaissance (gateway/internal/external IPs)

20.02.2026 01:48 ๐Ÿ‘ 1 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Post image

Phantom Stealer has been prominent across phishing campaigns over the past two weeks. Operationally interesting to me is that it’s not just an infostealer. It also acts as an initial access broker, dropping GuLoader for follow-on activity, and I’ve seen it deploy crypto miners as well.

20.02.2026 01:48 ๐Ÿ‘ 5 ๐Ÿ” 2 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
Unauthorized npm publish of Cline CLI cline@2.3.0 with modified postinstall script to install openclaw ### Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0. The published pac...

Worth reading if you're running AI in CI/CD.

github.com/cline/cline/...

18.02.2026 23:01 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
Preview
Unauthorized npm publish of Cline CLI cline@2.3.0 with modified postinstall script to install openclaw ### Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: cline@2.3.0. The published pac...

Clinejection PoC: researcher proved you can compromise a VS Code extension (700k+ weekly users) via prompt injection in GitHub issues.

He was kind enough to install harmless software as a POC. Real attackers won't...

Vendor ignored him for 47 days, fixed it in 30 min after he went public.

18.02.2026 23:01 ๐Ÿ‘ 1 ๐Ÿ” 1 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
HCSEC-2026-01 - Arbitrary code execution in React server-side rendering of untrusted MDX content Bulletin ID: HCSEC-2026-01 Affected Products / Versions: next-mdx-remote from 4.3.0 up to 5.0.0, fixed in 6.0.0. Publication Date: February 11, 2026 Summary The serialize function used to compile…

Upgrade to 6.0.0 especially if other people can write MDX that your server then compiles and renders for them.

CVE with 8.8 score
- discuss.hashicorp.com/t/hcsec-2026...

13.02.2026 06:26 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
Preview
HCSEC-2026-01 - Arbitrary code execution in React server-side rendering of untrusted MDX content Bulletin ID: HCSEC-2026-01 Affected Products / Versions: next-mdx-remote from 4.3.0 up to 5.0.0, fixed in 6.0.0. Publication Date: February 11, 2026 Summary The serialize function used to compile…

MDX content is awesome, I love it, and I use it whenever I can on my projects. But be careful cause if you’re using next-mdx-remote (4.3.0–5.x) to server-side render untrusted MDX, you’re potentially exposing yourself to RCE via CVE-2026-0969...

13.02.2026 06:26 ๐Ÿ‘ 1 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
Why Your EDR Needs a Partner: The Case for Application Control How threat intelligence-aware application control fills the gaps that EDR leaves open

...the missing layer.

Full write-up: www.edr-telemetry.com/blog/Why-You...

13.01.2026 20:19 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
Preview
Why Your EDR Needs a Partner: The Case for Application Control How threat intelligence-aware application control fills the gaps that EDR leaves open

At EDR Telemetry project, we spend a lot of time measuring what EDRs can see. This article is about what they still cannot safely stop.

From LOLBAS to vulnerable drivers to unauthorized RMMs, I walk through the real-world gaps we keep seeing in telemetry and why application control is...

13.01.2026 20:19 ๐Ÿ‘ 0 ๐Ÿ” 1 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0

In the screenshot below, you can see an example of this Skill in use (I'm using GPT 5.2-low in Codex)

Link to the skill: github.com/tsale/awesom...

08.01.2026 18:16 ๐Ÿ‘ 2 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0

We have added a new analysis Skill thanks to @BlueTeamSteve! This skill can be used to quickly and accurately map the MITRE ATT&CK tactic and technique to threat behaviors and indicators you enter in the prompt, saving you a ton of time!

08.01.2026 18:16 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
EDR Comparison - Compare Endpoint Detection & Response Solutions Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.

We’ve also expanded Enterprise options for organizations that need additional flexibility, scale, and support on top of the Advanced tier.

Check out the new tiers now: www.edr-comparison.com/pricing

07.01.2026 17:02 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
Preview
EDR Comparison - Compare Endpoint Detection & Response Solutions Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.

๐—ช๐—ฎ๐˜๐—ฐ๐—ต๐—š๐˜‚๐—ฎ๐—ฟ๐—ฑ ๐—˜๐——๐—ฅ. Weโ€™ve also introduced ๐—•๐—ฎ๐˜€๐—ถ๐—ฐ ๐—ฎ๐—ป๐—ฑ ๐—”๐—ฑ๐˜ƒ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—ฑ ๐˜๐—ถ๐—ฒ๐—ฟ๐˜€ to better reflect how different users engage with the platform. With the ๐—”๐—ฑ๐˜ƒ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—ฑ ๐˜๐—ถ๐—ฒ๐—ฟ, weโ€™re introducing a deep dive into the technical justification and expert analysis behind every single feature in our comparison.

07.01.2026 17:02 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0

Since launching in November, the platform has already helped hundreds of consultants and enterprises navigate the complexity of EDR selection.

This release pushes things forward with a cleaner comparison UX, deeper evaluation context using MITRE ATT&CK evaluation data, and a new vendor added:

07.01.2026 17:02 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
EDR Comparison - Compare Endpoint Detection & Response Solutions Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.

๐—˜๐——๐—ฅ ๐—–๐—ผ๐—บ๐—ฝ๐—ฎ๐—ฟ๐—ถ๐˜€๐—ผ๐—ป ๐—ฃ๐—น๐—ฎ๐˜๐—ณ๐—ผ๐—ฟ๐—บ ๐—จ๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ: ๐—ก๐—ฒ๐˜„ ๐—œ๐—ป๐˜๐—ฒ๐—ฟ๐—ฎ๐—ฐ๐˜๐—ถ๐˜ƒ๐—ฒ ๐—–๐—ผ๐—บ๐—ฝ๐—ฎ๐—ฟ๐—ถ๐˜€๐—ผ๐—ป ๐—˜๐˜…๐—ฝ๐—ฒ๐—ฟ๐—ถ๐—ฒ๐—ป๐—ฐ๐—ฒ, ๐— ๐—œ๐—ง๐—ฅ๐—˜ ๐—”๐—ง๐—ง&๐—–๐—ž ๐—œ๐—ป๐˜€๐—ถ๐—ด๐—ต๐˜๐˜€, ๐—ฎ๐—ป๐—ฑ ๐—ช๐—ฎ๐˜๐—ฐ๐—ต๐—š๐˜‚๐—ฎ๐—ฟ๐—ฑ ๐—˜๐——๐—ฅ

We want to start by thanking everyone who supported us as early adopters.

07.01.2026 17:02 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
GitHub - tsale/awesome-dfir-skills: A curated collection of DFIR skills and workflows for InfoSec practitioners. A curated collection of DFIR skills and workflows for InfoSec practitioners. - tsale/awesome-dfir-skills

Feel free to contribute and use these skills to save a ton of time, like we already do.

github.com/tsale/awesom...

Learn about skills:
- developers.openai.com/codex/skills/
- support.claude.com/en/articles/...

30.12.2025 21:10 ๐Ÿ‘ 3 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
GitHub - tsale/awesome-dfir-skills: A curated collection of DFIR skills and workflows for InfoSec practitioners. A curated collection of DFIR skills and workflows for InfoSec practitioners. - tsale/awesome-dfir-skills

๐—๐˜‚๐˜€๐˜ ๐—น๐—ฎ๐˜‚๐—ป๐—ฐ๐—ต๐—ฒ๐—ฑ ๐—ฎ๐˜„๐—ฒ๐˜€๐—ผ๐—บ๐—ฒ-๐—ฑ๐—ณ๐—ถ๐—ฟ-๐˜€๐—ธ๐—ถ๐—น๐—น๐˜€ ๐˜„๐—ถ๐˜๐—ต @fr0gger_ !

Designed to save time during investigations and everyday DFIR tasks

Thomas has built an excellent malware triage skill, and I’ve added a couple of timeline analysis skills to help you get started.

30.12.2025 21:10 ๐Ÿ‘ 2 ๐Ÿ” 1 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0

github.com/tsale/EDR-Te...

This is exactly the kind of vendor collaboration the project aims to promote.
PR with full details and artifacts:

github.com/tsale/EDR-Te...

Big thanks to the C-Prot team for setting a strong example for Linux EDR transparency.

29.12.2025 15:00 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0

environment, validated event mappings, and published the raw logs from the evaluation so the community can independently verify everything.

Artifacts included:

• Real production telemetry logs
• Some screenshots from the platform

Validation material to reproduce the results can be found under

29.12.2025 15:00 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
Add C-Prot telemetry coverage to Linux EDR telemetry matrix by tsale · Pull Request #151 · tsale/EDR-Telemetry EDR Telemetry Pull Request Contribution Details Adding comprehensive Linux telemetry support for C-Prot EDR, including detailed event mappings, field explanations, and validation artifacts. This co...

We’ve just added C-Prot EDR to the EDR Telemetry Project and it sets a new bar for Linux telemetry!

C-Prot is currently #1 in the Linux EDR table, with exceptional depth and quality of raw telemetry. What really stands out is the level of transparency: we got direct access to a production...

29.12.2025 15:00 ๐Ÿ‘ 2 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
What are Skills? | Claude Help Center Skills are available as a feature preview for users on Pro, Max, Team, and Enterprise plans. This feature preview requires code execution to be enabled. Skills are also available in beta for Claude…

Be careful what you install and avoid using skills from unknown or unverified libraries.

Read more about skills here:
- support.claude.com/en/articles/...
- developers.openai.com/codex/skills/

27.12.2025 00:18 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 0 ๐Ÿ“Œ 0
Preview
What are Skills? | Claude Help Center Skills are available as a feature preview for users on Pro, Max, Team, and Enterprise plans. This feature preview requires code execution to be enabled. Skills are also available in beta for Claude…

One quick caveat tho, as skills libraries become more popular, where you will be able to search and find the right skill you want to install, we’re likely going to see malicious skills pop up that download and execute malware...

27.12.2025 00:18 ๐Ÿ‘ 0 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 0
Preview
Agent Skills Give Codex new capabilities and expertise

Claude set a strong bar for structured, workflow-driven AI usage, and it’s no surprise we’re now seeing similar ideas across other platforms like OpenAI.

I’ve built DFIR and quick triage workflows that save me hours every time! The time savings really add up, and it’s completely changed how I work.

27.12.2025 00:18 ๐Ÿ‘ 3 ๐Ÿ” 0 ๐Ÿ’ฌ 1 ๐Ÿ“Œ 1

Pretty 😍

25.12.2025 21:22 👍 1 🔁 0 💬 0 📌 0
Post image

Merry Christmas everyone! Hope everyone’s enjoying some downtime 🎄

25.12.2025 19:26 👍 1 🔁 0 💬 1 📌 0

Much of it remains applicable today, along with the threat hunting series, which I’m especially proud of.

23.12.2025 17:10 👍 2 🔁 0 💬 0 📌 0
Preview
Cobalt Strike, a Defender's Guide - Part 2 The second part of the Cobalt Strike defender's guide, focusing on network traffic analysis and practical detection methods to identify Cobalt Strike beacons in your environment.

I’ve moved all of my blog posts from Medium to a new blog section on my personal website.

If you’re looking for a good read, I’d recommend my Cobalt Strike write-ups (Part 1 & Part 2) from 2021–2022.

kostas.page/blog/cobalt-...

23.12.2025 17:06 👍 5 🔁 0 💬 1 📌 0
Post image
20.12.2025 16:40 👍 1 🔁 0 💬 0 📌 0