//nefariousplan

field log · research archive

The gap between what systems claim to do and what they actually do.

Field research on vulnerability classes, broken trust models, supply chain betrayals, and cryptographic assumptions that turned out to be wrong. By Kevlar — in the hash-and-trust business since before most CVE programs existed.

22 entries · 2026 · pgp-signed · rss

2026
  1. CVE-2026-34621 Revisited: The 136-Day Detection Lie (latest)

    On November 28, 2025, someone uploaded a PDF to VirusTotal. The filename was Invoice540.pdf. Thirteen of sixty-four antivirus engines flagged it. The other fifty-one saw a document.

  2. CVE-2026-3891: The Capability Check Is Missing Because the Nonce Check Was Never a Capability Check

    The C6 Bank integration for Pix for WooCommerce 1.5.0 exposes two AJAX endpoints. The first generates a WordPress nonce for the C6 settings context. The second accepts certificate file uploads and verifies that nonce before writing to disk.

  3. CVE-2026-34486: EncryptInterceptor Only Encrypts Messages That Survive Decryption

    The Tomcat cluster port at TCP 4000 has one access control mechanism when EncryptInterceptor is configured: if your message cannot be decrypted with the cluster's AES key, it gets dropped. That is the contract the configuration implies.

  4. CVE-2026-39808: One curl to Root on the Box That's Supposed to Catch Malware

    The device that receives your suspicious files, detonates them in an isolated VM, and tells your SOC whether they're malicious: that device is running an unauthenticated root shell endpoint.

  5. CVE-2026-34621: Adobe Acrobat's Privilege Gate Inherits What It Checks

    The PDF arrives as an invoice. It runs its JavaScript before you see the first page. The first thing it does is tell Object.prototype what to say when asked whether it's trusted.
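
The pattern this entry names, a privilege gate that reads a flag through the prototype chain and so answers for whatever Object.prototype says, shown as an added generic JavaScript illustration. This is not Acrobat's code and not the exploit from the post; the request object, the `trusted` flag and the three gate variants are assumptions chosen to show why an inherited property is not a trust decision and what an own-property or identity-registry check changes.

```javascript
// Added example: a privilege gate that inherits what it checks, beside two
// gates that do not. Generic code, not Acrobat's; the `trusted` flag, the
// request object and the gate names are assumptions for illustration.

// Naive gate: `req.trusted` resolves through the prototype chain, so any
// value planted on Object.prototype is "found" on every plain object.
function naiveGate(req) {
  return req.trusted === true;
}

// Own-property gate: only a flag set on the object itself counts. Calling
// hasOwnProperty through Object.prototype keeps it working even if `req`
// was built with Object.create(null) or has a shadowing property.
function hardenedGate(req) {
  return Object.prototype.hasOwnProperty.call(req, "trusted") && req.trusted === true;
}

// Registry gate: trust is a fact about object identity held outside the
// object graph, so nothing reachable from the request can forge it.
const trustedObjects = new WeakSet();
function grantTrust(obj) {
  trustedObjects.add(obj);
}
function registryGate(req) {
  return trustedObjects.has(req);
}

// Pollute Object.prototype (the attacker's move), probe each gate with a
// request that never had the flag set on itself, then undo the pollution.
function runScenario() {
  const untrusted = { action: "launchURL" };           // constructed request
  const privileged = { action: "launchURL" };
  grantTrust(privileged);

  const before = {
    naive: naiveGate(untrusted),
    hardened: hardenedGate(untrusted),
    registry: registryGate(untrusted),
  };

  Object.prototype.trusted = true;                     // the pollution
  const after = {
    naive: naiveGate(untrusted),
    hardened: hardenedGate(untrusted),
    registry: registryGate(untrusted),
    registryLegit: registryGate(privileged),
  };
  delete Object.prototype.trusted;                     // clean up

  return { before, after };
}
```

Only the naive gate flips from false to true once the prototype is polluted; the own-property gate and the WeakSet registry keep answering false for the untrusted object while the registry still admits the object that was explicitly granted trust. The general lesson is that a check which asks an object about itself inherits every lookup the language performs on that object's behalf.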

  6. BlueHammer: What the Researcher Commented Out

    cfreg.ProviderName = L"IHATEMICROSOFT";

  7. UnDefend: What Chaotic Eclipse Held Back This Time

    Line 209 of UnDefend.cpp, inside WDKillerCallback, reads:

  8. The Trust Inversion

    A researcher called Chaotic Eclipse tried to do the right thing. They found a zero-day in Windows Defender, a SYSTEM write through the antivirus's own remediation engine. They reported it. Someone violated the disclosure agreement. So they published.

  9. RedSun: How Windows Defender's Remediation Became a SYSTEM File Write

    The comment is on the line where the Cloud Files provider name is set.

  10. SAP NetWeaver CVE-2025-31324: When CVSS 10.0 Means What It Says

    CVSS 10.0 is supposed to be a number that appears rarely enough to mean something. The scoring rubric requires everything to go wrong simultaneously: the vulnerability must be network-reachable, require no authentication, require no user interaction, and produ…

  11. Axios, Sapphire Sleet, and 70 Million Weekly Installs

    On March 31, 2026, the axios npm package was compromised. Two malicious versions, 1.14.1 and 0.30.4, were published through the primary maintainer account, "jasonsaayman." Both looked like routine version bumps.

  12. TeamPCP Came for the Scanners

    Your CI pipeline runs Trivy. It scans containers, scans IaC, flags vulnerable dependencies. It's the canary. It's trusted. It runs early in the pipeline with elevated access to secrets because that's what security tooling needs to function.

  13. Oracle Cloud: The Breach They Technically Didn't Deny

    "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

  14. Prompt Injection Is a Supply Chain Attack

    The security community is debating prompt injection as an AI safety problem. Some frame it as an alignment failure: the model is doing something it shouldn't. Neither framing is right, and the wrong frame means the wrong fix.

  15. MCP Servers: The New npm Left-Pad

    In March 2016, Azer Koçulu unpublished 273 npm packages. One of them, left-pad, was eleven lines of string-padding utility. It brought down React, Babel, and the builds of thousands of projects that had never heard of it.

  16. Shai-Hulud: The First npm Worm

    September 14, 2025. Researchers named it Shai-Hulud, after the sandworm in Dune. By the time npm's incident team finished revoking tokens and yanking versions, 500+ package releases had been compromised, some of them carrying millions of weekly downloads.

  17. xrpl.js: The Official Package Was the Threat

    The XRP Ledger's official JavaScript SDK, xrpl on npm, published by the XRPL Foundation, 4.2 million weekly downloads, shipped a backdoor in late April 2025. Versions 4.2.1 through 4.2.4, plus 2.14.2 on the legacy branch.

  18. CLFS: Ransomware's Favorite Kernel Driver

    Five exploited-in-the-wild local privilege escalation vulnerabilities from a single kernel driver in three years. That's not a run of bad luck. That's a structural condition Microsoft keeps patching at the wrong scope.

  19. CrushFTP CVE-2025-31161: MFT Is the Target Now

    CrushFTP just shipped a patch for CVE-2025-31161: authentication bypass in the WebInterface component, CVSS 9.8, unauthenticated, network-accessible, low complexity.

  20. tj-actions: Mutable Tags Were Always a Lie

    When you write uses: tj-actions/changed-files@v45 in a workflow, you're not pinning to a version. You're trusting that a stranger won't move the tag. That's not a pin. That's a prayer.
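
The check a practitioner wants after reading that sentence is a way to find every `uses:` line in a workflow that trusts a movable tag or branch instead of a full commit SHA. The following is an added example, not code from the post or from the tj-actions project; the sample workflow, the placeholder SHA and the helper names are constructed for illustration.

```javascript
// Added example: audit GitHub Actions workflow text for `uses:` references
// that are not pinned to a 40-hex commit SHA. A tag (@v45) or branch (@main)
// can be moved by whoever controls the repository; a SHA cannot.
// Not from the post or tj-actions; sample input and names are constructed.
const SHA_RE = /^[0-9a-f]{40}$/;

// Match "uses: owner/repo[/path]@ref", tolerating list dashes, quotes and
// a trailing "# comment". Returns { line, action, ref, pinned } per hit.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((raw, i) => {
    const m = raw.match(/^\s*-?\s*uses:\s*["']?([^\s"'#@]+)@([^\s"'#]+)/);
    if (!m) return;
    const [, action, ref] = m;
    // Local actions (./path) and docker:// images have no repo SHA to pin.
    if (action.startsWith("./") || action.startsWith("docker://")) return;
    findings.push({ line: i + 1, action, ref, pinned: SHA_RE.test(ref) });
  });
  return findings;
}

// Just the references that a tag move or branch push could silently change.
function unpinned(yamlText) {
  return auditWorkflow(yamlText).filter((f) => !f.pinned);
}

// Constructed sample workflow (not a real file from any repository). The
// SHA on setup-node is a placeholder, not a real commit.
const SAMPLE = `
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder SHA)
      - uses: ./.github/actions/local-thing
`;
```

Run `unpinned(SAMPLE)` and the two tag references come back while the SHA-pinned step and the local action do not. A SHA pin only moves the trust problem to review time: keep the version in a trailing comment so humans can read it, and let a bot propose the SHA bump so the diff is visible rather than silent.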

  21. Bybit: $1.5B via a JavaScript Injection Nobody Was Looking For

    On February 21, 2025, Bybit lost 401,347 ETH, approximately $1.46 billion at execution price, in a single transaction. Not a smart contract exploit. Not a bridge attack. Not a flash loan cascade.

  22. Ivanti: The Vulnerability Subscription

    Ivanti disclosed CVE-2025-0282 on January 8, 2025. Mandiant's retrospective analysis placed active exploitation in December 2024, at least 12 days prior. During that window, organizations running Ivanti Connect Secure had no patch to apply, no advisory to act…