TeamPCP
Trust Chain Compromise · Feb–Mar 2026 · Ransomware Phase Active Apr 2026
Active — Ransomware Phase
5 Trust Chain compromises in 12 days (Phase 1–2): Trivy, LiteLLM, Checkmarx KICS, Telnyx, and a fifth package.
CVE-2026-33634 (CVSS 9.4 CRITICAL). Sources: CSO Online, Palo Alto Unit 42, Wiz, Sonatype, Datadog, BleepingComputer. (Aviatrix TRC Advisory AVX-SEC-2026-003)
Payload moves through trusted code security scanners, AI proxies, compliance tooling. Detection window measured in hours. Payload completion measured in seconds.
Campaign escalated to ransomware phase (Apr 7). Credentials from the Feb–Mar 2026 supply chain window now drive active extortion. C2: 45.148.10.212. (Source: Aviatrix TRC Advisory AVX-SEC-2026-003)
Apr 22, 2026 — Checkmarx supply chain (Phase 5a): Attackers overwrote Checkmarx KICS Docker tags (v2.1.20, v2.1.21, alpine, debian, latest) with modified binary (SHA256: 2a6a35f0…) containing exfiltration capabilities. VS Code extensions cx-dev-assist@1.17.0/1.19.0 and ast-results@2.66.0/2.63.0 infected via backdated mcpAddon.js (SHA256: 24680027…). Payload harvests GitHub tokens, AWS/Azure/GCP credentials, npm configs, SSH keys, Claude MCP configs, and shell history. Exfil endpoint: 94.154.172.43 / audit.checkmarx[.]cx. Workflows inject ${{ toJSON(secrets) }} to serialize entire secret contexts into public GitHub artifact repos. TeamPCP claimed via @pcpcats: “Thank you OSS distribution for another very successful day at PCP inc.” (Sources: Socket.dev, JFrog)
Apr 22–23, 2026 — Bitwarden CLI “Shai-Hulud: The Third Coming” (Phase 5b): @bitwarden/cli@2026.4.0 distributed with malicious bw1.js between 5:57–7:30 PM ET via compromised GitHub Action in Bitwarden’s CI/CD. Stolen GitHub tokens injected malicious workflow; harvested npm credentials pushed payload downstream. Steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets; exfiltrates via private domains and GitHub commits. Package contained string “Shai-Hulud: The Third Coming” confirming TeamPCP authorship. Likely the first compromise of an npm Trusted Publishing flow. CVE pending. Bitwarden confirmed no vault data accessed. (Sources: The Hacker News, JFrog, Socket.dev)
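Added example, not taken from the cited sources: a scanner for GitHub Actions workflow files that flags the whole-context serialization described in the Apr 22 entry, written `${{ toJSON(secrets) }}` in workflow syntax. The sink patterns, the severity labels and both sample workflows are constructed assumptions.

```javascript
// Added example: flag workflows that serialize the entire secrets context.
// Sink patterns, severity labels and sample workflows are constructed for illustration.

// Matches toJSON(secrets) but not toJSON(secrets.NAME): ")" must directly follow "secrets".
// Matching is case-insensitive as a conservative choice.
const WHOLE_SECRETS = /\btoJSON\s*\(\s*secrets\s*\)/i;

// Assumed heuristics for steps that can move data off the runner.
const SINKS = [
  /uses:\s*actions\/upload-artifact/i,
  /\bcurl\b/i,
  /\bgit\s+push\b/i,
];

// Returns one finding per line that serializes the whole secrets context.
// Severity is "high" when the same file also contains an outbound sink.
function scanWorkflow(file, text) {
  const hits = [];
  const sinkLines = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return; // skip blanks and YAML comments
    if (WHOLE_SECRETS.test(line)) hits.push({ line: i + 1, text: line });
    if (SINKS.some((re) => re.test(line))) sinkLines.push(i + 1);
  });
  return hits.map((h) => ({
    file,
    line: h.line,
    text: h.text,
    severity: sinkLines.length > 0 ? 'high' : 'medium',
    sinkLines,
  }));
}

// Constructed sample: whole-context serialization followed by an artifact upload.
const SAMPLE_SUSPICIOUS = [
  'name: format-check',
  'on: [push]',
  'jobs:',
  '  lint:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - name: dump',
  '        env:',
  '          ALL: ${{ toJSON(secrets) }}',
  '        run: echo "$ALL" > out.json',
  '      - uses: actions/upload-artifact@v4',
  '        with:',
  '          name: results',
  '          path: out.json',
].join('\n');

// Constructed sample: a single named secret and a non-secret context are not flagged.
const SAMPLE_BENIGN = [
  'name: publish',
  'on: [push]',
  'jobs:',
  '  release:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      # ${{ toJSON(secrets) }} is never needed here',
  '      - run: echo "${{ toJSON(github.event) }}"',
  '      - run: npm publish',
  '        env:',
  '          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}',
].join('\n');

for (const [name, text] of [['suspicious.yml', SAMPLE_SUSPICIOUS], ['benign.yml', SAMPLE_BENIGN]]) {
  const findings = scanWorkflow(name, text);
  console.log(name, findings.length === 0 ? 'clean' : JSON.stringify(findings));
}
```

Run it over every file under `.github/workflows/` in each repository, including branches an attacker with a stolen token could have pushed to.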
Campaign Arc
Feb 2026: Phase 1 — Delivery: Trivy scanner PyPI package backdoored; malicious version propagates through CI/CD pipelines
Feb–Mar 2026: Phase 2 — Harvest: LiteLLM, KICS, Telnyx compromised; AI proxy and security tooling layers begin silent credential exfiltration on install; five Trust Chain packages in 12 days
Mar 2026: Phase 3 — Disclosure: CVE-2026-33634 published to NVD (Mar 23); analyses from Wiz, Snyk, Sonatype, Datadog, Unit 42, BleepingComputer. Packages patched — credentials already harvested are weaponized.
Apr 7 2026: Phase 4 — Ransomware: Harvested credentials leveraged for active extortion and ransomware deployment. (Aviatrix TRC AVX-SEC-2026-003)
Apr 22 2026: Phase 5 — Escalation: Checkmarx KICS Docker images and VS Code extensions backdoored (mcpAddon.js; exfil to 94.154.172.43). Hours later, @bitwarden/cli@2026.4.0 via compromised CI/CD with “Shai-Hulud: The Third Coming” payload — first known npm Trusted Publishing compromise. TeamPCP claimed responsibility.
Attack Vectors
PyPI package registry · Build pipeline dependency resolver · AI proxy layer (LiteLLM) · Security scanner (Trivy) · Dependency auto-update (Dependabot / Renovate) · Harvested credentials → ransomware deployment
MITRE ATT&CK
Initial Access · T1195.002 · Supply Chain Compromise: Software Supply Chain
Execution · T1059.006 · Command & Scripting Interpreter: Python
Credential Access · T1552.001 · Unsecured Credentials: Credentials In Files
Exfiltration · T1041 · Exfiltration Over C2 Channel
Impact · T1486 · Data Encrypted for Impact (ransomware phase active)
Communication Governance stops it: Credential exfil and C2 calls blocked at workload boundary — novel exfil domains denied before any IOC exists.
GrafanaGhost
AI Trust Chain / Indirect Prompt Injection · April 2026
Patched
175-character payload. No malware. No user interaction. No IOC at time of attack.
Three-layer bypass: CSP protocol-relative URL ▸ INTENT guardrail keyword ▸ AI renders exfil image.
Every dashboard title accessible to the AI assistant exfiltrated in one HTTP GET.
Grafana patched the CSP and INTENT mechanisms. AI workload Blast Radius problem persists across all AI-enabled tools.
Campaign Arc
Mar 2026: Technique first identified in Grafana AI Assistant by Noma Security research team
Apr 2026: Noma Security public disclosure; indirect prompt injection + CSP bypass + INTENT guardrail bypass chain documented
Apr 2026: Grafana patches protocol-relative URL handling in CSP and disables INTENT guardrail bypass; CVE pending assignment
Attack Vectors
Grafana AI Assistant (chat interface) · Indirect prompt injection via dashboard data · Protocol-relative URL CSP bypass (//attacker.com) · INTENT keyword guardrail bypass · AI image render → HTTP GET exfil
MITRE ATT&CK
Initial Access · T1190 · Exploit Public-Facing Application
Execution · T1658 · Prompt Injection
Defense Evasion · T1562.001 · Impair Defenses: Disable or Modify Tools (CSP / guardrail bypass)
Exfiltration · T1071.001 · Application Layer Protocol: Web Protocols
Blast Radius
Exposure
All AI tenants (unpatched)
Communication Governance stops it: Exfil HTTP GET to novel domain blocked at workload boundary before the first byte is transmitted, regardless of patch status on the AI workload.
Salt Typhoon
PRC Nation-State / Telecom & Network Infrastructure
Active
PRC-linked campaign targeting telecommunications providers and ISPs confirmed across multiple US carriers and international operators.
Primary vector: credential harvesting from network management infrastructure, followed by lateral movement through trusted internal paths.
The lateral movement playbook (stolen credentials, living-off-the-land, no malware binary) is operationally identical to the cloud-native intrusion pattern used across Storm-0501 and TeamPCP.
Organizations with overlapping telecom or managed network exposure and a TeamPCP-affected Trust Chain have compounded credential blast radius.
Campaign Arc
Jan 2024: CISA Advisory AA24-038A published; confirmed targeting of US telecom and ISP infrastructure
Oct 2024: FBI/CISA joint advisory names AT&T, Verizon, Lumen, T-Mobile as confirmed victims; CALEA lawful-intercept systems accessed
Nov 2024: FCC opens formal investigation; additional international carriers disclose compromise
2025–present: Campaign ongoing; additional carriers and network operators continue to be identified
Attack Vectors
Cisco IOS XE (CVE-2023-20198 / CVE-2023-20273) · Network management plane credentials · CALEA intercept infrastructure · Trusted internal routing paths · Credential reuse across network devices
MITRE ATT&CK
Initial Access · T1190 · Exploit Public-Facing Application (Cisco IOS XE)
Persistence · T1078 · Valid Accounts (network management credentials)
Collection · T1040 · Network Sniffing (CALEA intercept tap)
Collection · T1557 · Adversary-in-the-Middle
Lateral Movement · T1078 · Valid Accounts (credential reuse across network devices)
Blast Radius
Exposure
Network-wide if credentials stolen
Communication Governance stops the playbook: The credential-harvesting-to-lateral-movement pattern requires workload-to-workload reach. Default-deny east-west policy closes that path regardless of credential validity, the same architectural control that applies to Storm-0501 and TeamPCP. Scope: CG enforcement applies at the cloud workload layer. Salt Typhoon's documented persistence on network device firmware (Cisco IOS XE) operates below this layer and requires separate network device hardening. CG contains the cloud-side impact once attacker tooling attempts cloud workload-to-workload movement or C2 egress from cloud environments.
Storm-0501
Cloud-Native Ransomware / Entra ID Pivot
Active
Pivot from on-premises AD targeting to Entra ID compromise to full cloud environment access.
29-minute average eCrime breakout time from initial access to lateral movement to another host (CrowdStrike GTR). Reconnaissance, credential harvesting, and lateral movement phases are malware-free. Embargo ransomware binary deployed after environment traversal. In 2025, data-theft-only extortion (23% of financially motivated intrusions) outnumbers ransomware encryption (13%) — attackers increasingly skip encryption and extort with stolen data alone (Mandiant M-Trends 2026).
Credential harvesting ▸ lateral movement ▸ ransomware deployment matches TeamPCP credential payload operationally.
C2 communication via legitimate cloud channels: no malware signature, no novel network behavior to detect.
Campaign Arc
Q1 2024: Initial Entra ID–pivot campaigns observed against US government agencies and critical infrastructure sectors
Sep 2024: Microsoft Threat Intelligence publishes Storm-0501 multi-phase cloud campaign analysis; on-prem → Entra → cloud workload pivot chain documented
Late 2024: Widespread targeting expands to healthcare, manufacturing, transportation, and government; Embargo ransomware deployments confirmed
2025–present: Active; campaign continues targeting organizations with hybrid AD/Entra deployments
Attack Vectors
Entra ID (Azure AD) stolen credentials · On-prem AD → Entra pivot · Cloud workload lateral movement · LOLBins (PowerShell, WMI, certutil) · RMM tools (AnyDesk, TeamViewer) · Legitimate cloud service channels (C2)
MITRE ATT&CK
Initial Access · T1078.004 · Valid Accounts: Cloud Accounts (Entra ID)
Execution · T1059.001 · Command & Scripting Interpreter: PowerShell
Lateral Movement · T1021.007 · Remote Services: Cloud Services
Defense Evasion · T1218 · System Binary Proxy Execution (LOLBins)
Impact · T1486 · Data Encrypted for Impact (Embargo ransomware)
Blast Radius
Exposure
Entire cloud environment
Communication Governance stops it: C2 communication and lateral movement paths blocked. Ransomware deployment requires workload-to-workload reach that default-deny east-west denies.
Scattered LAPSUS$ Hunters
Social Engineering / Identity Plane Compromise · 2022–present · fmr. Scattered Spider · ShinyHunters · Lapsus$
Active — Escalating
Signature technique: vishing IT help desks with LinkedIn-sourced employee PII to trigger MFA resets. Okta or Entra admin session obtained in under 10 minutes. No vulnerability exploited — every authentication event passes. (Source: CISA AA23-320A, Nov 2023; updated Jul 29, 2025) Voice phishing is now the #2 initial infection vector in 2025 at 11% (Mandiant M-Trends 2026) — up sharply while email phishing collapsed from 14% to 6% in a single year.
Caesars Entertainment: $15M ransom paid Sep 2023. MGM Resorts: ~$100M Q3 impact. Combined $115M damage from a single two-week campaign in Sep 2023. (Source: Caesars SEC 8-K Sep 14, 2023; MGM SEC 8-K Oct 5, 2023)
UK retail wave Apr–May 2025: Marks & Spencer £300M (~$400M), Co-op £206M (~$277M). UK Cyber Monitoring Centre classified the combined £440M ($592M) as a Category 1 national cyber event. DragonForce ransomware deployed. (Source: M&S earnings disclosure; UK Cyber Monitoring Centre 2025)
Group convergence — now "Scattered LAPSUS$ Hunters": By late 2025 Scattered Spider merged operationally with ShinyHunters and Lapsus$, combining social engineering, SaaS abuse, and data-theft extortion capabilities. Formally named "Scattered LAPSUS$ Hunters" in Aviatrix threat intelligence research (Mar 5, 2026). 16+ shared Telegram channels for recruitment and coordination. Also partners with ALPHV/BlackCat (2023) and DragonForce (2025) for ransomware payloads. Group remains active despite DOJ indictment of 5 members (Nov 20, 2024) and 4 UK NCA arrests (Jul 10, 2025). (Sources: Mandiant / Google Threat Intelligence 2025; Aviatrix TI, Mar 2026)
Campaign Arc
Aug 2022: 0ktapus campaign: SMS phishing wave against 130+ organizations including Twilio, Okta, LastPass, and Mailchimp. Thousands of credentials and live MFA tokens harvested. (Source: Group-IB 0ktapus report 2022)
Sep 2023: MGM + Caesars: Vishing IT help desk, then Okta admin session. MGM 10-day outage, ~$100M impact; Caesars $15M ransom paid. $115M damage in two weeks. (Source: MGM SEC 8-K Oct 5, 2023; Caesars SEC 8-K Sep 14, 2023)
Apr 2025: UK retail wave: DragonForce ransomware at M&S (£300M), Co-op (£206M), Harrods. UK Cyber Monitoring Centre: Category 1 national event. NCA arrests 4 suspects Jul 2025; group operationally active post-arrests. (Source: M&S earnings; UK Cyber Monitoring Centre 2025)
Mar 5, 2026: Named "Scattered LAPSUS$ Hunters": Aviatrix TI formally names the consolidated group. TTPs: vishing/MFA bypass → signed RMM tools → cookie/OAuth theft → flat-network east-west → Telegram extortion. Hours from foothold to public demand. (Source: Aviatrix TI, Mar 5, 2026)
Apr 13, 2026: Rockstar Games / GTA-6 extortion: ShinyHunters sets April 14 pay-or-leak deadline for Rockstar Games, claiming possession of Grand Theft Auto 6 data. Rockstar acknowledges breach as "a limited amount of non-material company information." Consistent with prior ShinyHunters high-pressure extortion playbook (Ticketmaster, Santander, Snowflake ecosystem). (Source: Shacknews, Apr 2026)
Attack Vectors
ALPHV / BlackCat (2023 — MGM) · DragonForce (2025 — UK retail) · ShinyHunters (merged → LAPSUS$ Hunters) · Lapsus$ (merged → LAPSUS$ Hunters) · Evilginx AiTM phishing kit · Dark web infostealer credentials
MITRE ATT&CK
Initial Access · T1566.004 · Phishing: Spearphishing Voice (help desk vishing)
Credential Access · T1621 · Multi-Factor Authentication Request Generation
Defense Evasion · T1656 · Impersonation
Initial Access · T1078.004 · Valid Accounts: Cloud Accounts
Privilege Escalation · T1484.002 · Domain / Tenant Policy Modification: Trust Modification
Impact · T1486 · Data Encrypted for Impact (DragonForce / ALPHV deployment)
Blast Radius
Exposure
Entire SSO-federated estate
Communication Governance stops it: The IdP credential grants authentication — it does not grant network reach. Workload-level east-west policy is enforced independently of IdP state. A compromised Okta admin session cannot pivot to workloads, databases, or internal APIs not explicitly permitted for that source. The Blast Radius is bounded before the first internal move.
Axios / UNC1069
npm Supply Chain · DPRK BlueNoroff (UNC1069 · Sapphire Sleet)
Contained — Mar 31 2026
DPRK-linked actor (UNC1069 / Sapphire Sleet) socially engineered an axios npm maintainer, obtained publish credentials, and pushed a backdoored axios@1.14.1 on March 31 2026 at 00:21 UTC — passing all existing npm integrity checks because no package signing existed.
The malicious package delivered a two-stage implant: SILKBELL dropper executed via postinstall hook, which fetched and persisted WAVESHAPER.V2 RAT. The RAT beaconed to sfrclak[.]com:8000 — a domain registered the same day with no prior reputation record — via HTTP POST every 90 seconds.
Scale: axios has 100M+ weekly npm downloads and is a transitive dependency in over 12,000 open-source projects. The backdoor was live for approximately 3 hours. Socket.dev automated scanner flagged the package at T+6min (Aviatrix TRC estimate); affected organizations without default-deny egress had already beaconed to C2 by then. Enterprise endpoints confirmed impacted (representative figure; exact scope not independently verified).
Attribution: Google Cloud GTIG (UNC1069), Microsoft Security (Sapphire Sleet), CrowdStrike (Stardust Chollima) — all three intelligence teams independently attributed to DPRK's BlueNoroff financial theft cluster.
GHSA-fw8c-xr5c-95f9 / CVE-2026-34841 (CVSS 9.8).
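Added example (not from the advisory or the affected projects): checking a package-lock.json for the versions this page names as backdoored, axios@1.14.1 and @bitwarden/cli@2026.4.0, and listing which packages pull them in transitively. It assumes lockfileVersion 2 or 3; the sample lockfile and names such as report-client and left-lib are constructed.

```javascript
// Added example: find page-listed backdoored versions in an npm lockfile and
// report which installed packages resolve to them. Sample data is constructed.

// Package versions this page names as backdoored.
const FLAGGED = new Map([
  ['axios', ['1.14.1']],
  ['@bitwarden/cli', ['2026.4.0']],
]);

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  return lockPath.split('node_modules/').pop();
}

// Mirror Node's lookup: try <from>/node_modules/<name>, then each ancestor, then the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Returns one finding per installed copy of a flagged version.
function scanLockfile(lockText, flagged = FLAGGED) {
  const packages = JSON.parse(lockText).packages;
  if (!packages) {
    throw new Error('no "packages" map: lockfileVersion 1 is not handled by this example');
  }
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // the root project entry
    const name = packageName(path);
    if (!(flagged.get(name) || []).includes(meta.version)) continue;

    // A dependent counts only if its declared dependency resolves to this exact copy.
    const dependents = [];
    for (const [depPath, depMeta] of Object.entries(packages)) {
      const declares = DEP_FIELDS.some(
        (f) => depMeta[f] && Object.keys(depMeta[f]).includes(name)
      );
      if (declares && resolveDep(packages, depPath, name) === path) {
        dependents.push(depPath === '' ? '(root project)' : packageName(depPath));
      }
    }
    findings.push({
      path,
      name,
      version: meta.version,
      hasInstallScript: meta.hasInstallScript === true, // lockfile flag for install-time scripts
      direct: dependents.includes('(root project)'),
      dependents,
    });
  }
  return findings;
}

// Constructed lockfile: the root never lists axios, yet a flagged copy is hoisted in
// through report-client; left-lib carries its own nested, unflagged copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'billing-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'billing-service', dependencies: { 'report-client': '^2.0.0', 'left-lib': '^1.0.0' } },
    'node_modules/report-client': { version: '2.3.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', hasInstallScript: true },
    'node_modules/left-lib': { version: '1.0.4', dependencies: { axios: '~1.13.0' } },
    'node_modules/left-lib/node_modules/axios': { version: '1.13.2' },
  },
});

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

A finding with `direct: false` is the transitive case: the project's own package.json never mentions the package, so a review of direct dependencies alone would miss it.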
Campaign Arc
Mar 30 2026: Attacker stages malicious payload; DPRK actor completes social engineering of axios maintainer and obtains npm publish credentials
Mar 31 · 00:21 UTC: axios@1.14.1 published to npm registry with embedded SILKBELL dropper in postinstall hook; passes integrity checks (no package signing)
Mar 31 · 00:27 UTC: Socket.dev automated scanner flags anomalous postinstall behavior at T+6min (Aviatrix TRC estimate); alert sent to subscribers — non-subscribers continue downloading
Mar 31 · 03:25 UTC: axios maintainers remove malicious package from npm registry after coordinated disclosure; 1.14.0 restored as latest; ~3-hour window total
Apr 1 2026: DPRK attribution published: Google GTIG (UNC1069 / BlueNoroff financial theft cluster), Microsoft (Sapphire Sleet), CrowdStrike (Stardust Chollima)
Attack Vectors
npm maintainer social engineering · Malicious postinstall hook (SILKBELL dropper) · WAVESHAPER.V2 RAT persistence · HTTP POST C2 beacon (day-of domain) · CI/CD pipeline auto-install · Transitive dependency exposure
MITRE ATT&CK
Initial Access · T1195.002 · Supply Chain Compromise: Compromise Software Supply Chain
Initial Access · T1566.001 · Phishing: Spearphishing Attachment (maintainer credential theft)
Execution · T1059.001 · Command and Scripting Interpreter: PowerShell
Execution · T1059.006 · Command and Scripting Interpreter: Python (SILKBELL dropper)
Persistence · T1547.001 · Boot or Logon Autostart: Registry Run Keys (WAVESHAPER.V2)
Exfiltration · T1041 · Exfiltration Over C2 Channel (HTTP POST beacon to sfrclak[.]com:8000)
Credential Access · T1552.001 · Unsecured Credentials: Credentials In Files (CI/CD env vars harvested)
Blast Radius
Exposure
All CI/CD pipelines & workstations (~70%)
Communication Governance stops it: WAVESHAPER.V2 requires outbound connectivity to beacon home — the C2 domain sfrclak[.]com was registered the same day with zero prior reputation. Default-deny egress blocks the callback before the first byte leaves the workload. No IOC, no signature, and no behavioral alert is required — the path simply does not exist. Even if the RAT installs and runs, it cannot exfiltrate credentials, receive tasking, or pivot laterally without the outbound channel that CG eliminates at T+0.
OpenAI Cert Revocation
Axios / UNC1069 Victim · Code Signing Pipeline Compromise · Apr 7 2026
Contained — Certs Revoked Apr 7
OpenAI's GitHub Actions workflow for signing macOS applications automatically installed the backdoored axios@1.14.1, embedding WAVESHAPER.V2 into the code-signing build environment. The RAT had access to the signing certificate material and notarization credentials used across OpenAI's macOS app portfolio.
Four macOS apps affected: ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI revoked the associated code-signing certificates on April 7, 2026 — rendering all previously-signed versions untrusted on macOS. No user data or internal systems were compromised.
Users must update to newly re-signed versions before May 8, 2026 or applications will be blocked by macOS Gatekeeper. The attack demonstrates that even security-conscious AI companies are exposed through transitive supply chain dependencies they never directly install.
Campaign Arc
Mar 31 · 00:21 UTC: axios@1.14.1 published to npm with WAVESHAPER.V2; OpenAI CI/CD signing workflow auto-installs — WAVESHAPER.V2 gains access to code-signing certificate environment
Mar 31 · 03:25 UTC: axios package removed from npm; ~3-hour exposure window; signing credentials potentially exfiltrated during window
Apr 7 2026: OpenAI revokes macOS code-signing certificates; ChatGPT Desktop, Codex CLI, Codex, and Atlas require re-signing and immediate user update
May 8 2026: Update deadline: users on unsigned builds blocked by macOS Gatekeeper; re-signed builds rolling out
Attack Vectors
axios@1.14.1 npm supply chain · CI/CD auto-install in signing pipeline · WAVESHAPER.V2 RAT in build env · Code signing certificate exposure · macOS Gatekeeper trust chain break
MITRE ATT&CK
Initial Access · T1195.002 · Supply Chain Compromise (axios@1.14.1 in build pipeline)
Defense Evasion · T1553.002 · Code Signing — signing pipeline access & certificate exposure
Credential Access · T1552.001 · Credentials In Files (signing cert & notarization creds in build env)
Exfiltration · T1041 · Exfiltration Over C2 Channel (WAVESHAPER.V2 HTTP POST beacon)
Blast Radius
Exposure
ChatGPT Desktop + Codex macOS users
Communication Governance stops it: WAVESHAPER.V2 in the build pipeline required outbound HTTP POST connectivity to sfrclak[.]com:8000 to exfiltrate signing credentials. Default-deny egress on CI/CD workloads severs this path before the first byte leaves the build environment — no IOC, no certificate anomaly, and no behavioral alert required.
UNC5221 — PRC Cloud Pivot
PRC Espionage · SaaS → Azure Service Principal · Active 2025–2026
Active
PRC-nexus cluster exploited CVE-2025-31324 (SAP NetWeaver, unauthenticated RCE zero-day) and CVE-2025-53770 (Microsoft SharePoint deserialization RCE zero-day) to gain initial footholds in high-tech SaaS providers hosting U.S. government and legal sector tenants.
Once inside a SaaS provider, attackers weaponized the provider's Azure Service Principal — a trusted cloud identity used for automation — to move laterally into downstream customer tenants without ever touching on-premises infrastructure. No malware binary deployed in the pivot phase.
Mandiant explicitly distinguishes UNC5221 from Silk Typhoon (UNC2814) and Salt Typhoon (UNC5807) — three separately tracked PRC-nexus clusters each exploiting the same supply chain attack surface through different technical paths and target sets.
Data collected: source code repositories mined for credentials and API keys; targeted files related to U.S. national security and international trade policy. UNC6395, a related cluster, independently harvests credentials from code repos for the same cloud pivot.
Campaign Arc
Apr 2025: CVE-2025-31324 (SAP NetWeaver unauthenticated RCE) exploited as zero-day by multiple PRC-nexus clusters including UNC5221; initial SaaS provider footholds established
Jul 2025: CVE-2025-53770 (SharePoint deserialization RCE zero-day) added to toolkit; weaponization of Azure Service Principals for cross-tenant lateral movement documented by Mandiant
Aug 2025: Patches released for both CVEs; exploitation observed continuing against unpatched instances; UNC6395 credential-mining variant active in parallel
2026 ongoing: Campaign active; downstream U.S. Government and Legal sector intrusions attributed to SaaS-provider pivot chains originating from UNC5221 access; no containment confirmed
Attack Vectors
CVE-2025-31324 (SAP NetWeaver RCE, zero-day) · CVE-2025-53770 (SharePoint RCE, zero-day) · Azure Service Principal weaponization · Cross-tenant lateral movement (no malware) · Code repository credential harvesting · Webshell + SQL injection (initial access)
MITRE ATT&CK
Initial Access · T1190 · Exploit Public-Facing Application (SAP NetWeaver / SharePoint zero-days)
Persistence · T1505.003 · Server Software Component: Web Shell
Defense Evasion · T1078.004 · Valid Accounts: Cloud Accounts (Azure Service Principal abuse)
Lateral Movement · T1199 · Trusted Relationship (SaaS provider → downstream tenant via Service Principal)
Credential Access · T1552.001 · Unsecured Credentials: Credentials in Files (code repo key harvest)
Exfiltration · T1567.002 · Exfiltration to Cloud Storage (national security & trade policy files)
Blast Radius
Exposure
SaaS providers + all downstream tenants
Communication Governance stops it: The Azure Service Principal grants cloud identity — it does not grant network reachability. Workload-level east-west policy enforced by Aviatrix is independent of Azure RBAC and Service Principal scope. A compromised Service Principal cannot pivot to workloads, databases, or internal APIs not explicitly permitted for that source identity at the network layer. The blast radius is bounded at the cloud firewall before the first cross-tenant move.
CLOP — Oracle EBS Extortion
Active
CLOP-adjacent clusters exploited CVE-2025-61882 (Oracle E-Business Suite, improper authentication + remote code execution) as a zero-day beginning July 2025 — six weeks before Oracle released a patch in August 2025. Oracle EBS is used by thousands of enterprises for finance, HR, and supply chain operations, often cloud-hosted or hybrid.
Post-exploitation payload: GOLDVEIN downloader retrieves GOLDTOMB backdoor, establishing persistent C2 access. The GOLDENJAVA variant targets Java-based application server layers. Pattern is operationally identical to prior CLOP mass-exploitation campaigns against GoAnywhere MFT (2023), MOVEit Transfer (2023), and Cleo (2024).
Mandiant tracked at least four separately motivated threat clusters exploiting CVE-2025-61882 simultaneously: CLOP-adjacent financially motivated actors, PRC-nexus espionage clusters (UNC5221/UNC6395), and opportunistic ransomware operators. A single unpatched Oracle EBS instance exposed multiple adversary playbooks at once.
Extortion pattern: silent data exfiltration over weeks → branded extortion notification citing specific stolen files → public leak threat. No encryption required for leverage. Data-theft-only extortion now represents 23% of all financially motivated intrusions (Mandiant M-Trends 2026), outnumbering ransomware encryption (13%) nearly 2:1.
Campaign Arc
Jul 2025: CVE-2025-61882 zero-day exploitation begins — CLOP-adjacent actors and PRC-nexus clusters simultaneously target Oracle EBS instances; no patch available, no public CVE assigned
Aug 2025: Oracle releases patch; public CVE-2025-61882 assigned; GOLDVEIN/GOLDTOMB implants discovered in forensic investigations at multiple victims; 6-week pre-patch exploitation window confirmed
Sep–Oct 2025: Branded CLOP extortion notifications sent to victims; data-theft-only ransom demands (no encryption); Mandiant CAMP.24.087 elevated as ongoing 2025 campaign
2025–2026: Campaign active; unpatched Oracle EBS instances remain at risk; CLOP continues iterating to next enterprise file/app platform per established quarterly cadence
Attack Vectors
CVE-2025-61882 (Oracle EBS RCE, zero-day) · GOLDVEIN downloader · GOLDTOMB backdoor (C2 persistence) · GOLDENJAVA (Java app server variant) · Silent data exfiltration (weeks-long) · Data-theft extortion (no encryption)
MITRE ATT&CK
Initial Access · T1190 · Exploit Public-Facing Application (CVE-2025-61882, Oracle EBS zero-day)
Persistence · T1505.003 · Server Software Component: Web Shell
Execution · T1059.006 · Command and Scripting Interpreter: Python / Java (GOLDVEIN, GOLDENJAVA)
Collection · T1005 · Data from Local System (finance, HR, supply chain records)
Exfiltration · T1567.002 · Exfiltration to Cloud Storage (staged multi-week exfil)
Impact · T1657 · Financial Theft / Extortion (data-theft ransom, no encryption)
Blast Radius
Exposure
All cloud-hosted Oracle EBS instances
Communication Governance stops it: GOLDTOMB requires outbound C2 connectivity to beacon and receive tasking. Default-deny egress blocks the callback before any data leaves the Oracle EBS workload — no IOC, no signature, and no behavioral alert needed. The silent weeks-long exfiltration phase that precedes CLOP extortion demands requires sustained outbound data transfer to attacker-controlled cloud storage; without an egress path, the exfiltration cannot complete and the extortion leverage never materializes.
DPRK IT Worker Network
DPRK Financial + Espionage · Insider Threat · Active 2022–2026
Active
North Korean operatives pose as remote IT contractors — using fabricated identities, AI-generated profile photos, and front companies — to obtain legitimate employment at Western technology, financial, healthcare, and government organizations. Once provisioned, they operate as credentialed insiders with normal cloud access for months before exfiltration or extortion.
122-day median dwell time for DPRK IT worker incidents (Mandiant M-Trends 2026) — compared to the global median of 14 days. The account appears legitimate, passes IAM review, and generates no EDR alerts because no malware is deployed during the collection phase. Identity-based detection alone is insufficient.
Sectors targeted in 2025 confirmed incidents: financial services, business & professional services, government, technology, healthcare, and hospitality. At exit, operatives either quietly resign (with stolen IP) or escalate to extortion — threatening to release sensitive data unless paid.
Related to but distinct from the Axios/UNC1069 npm supply chain vector: both are DPRK BlueNoroff-cluster operations, but the IT worker program is the human-as-vector variant. A single contractor account can persist longer and collect more broadly than a time-limited malicious package.
Campaign Arc
2022–2023: U.S. DOJ first unseals DPRK IT worker fraud cases; FBI issues industry advisory on fake contractor schemes; estimated hundreds of operatives placed globally
2024: Activity accelerates; AI-generated identity documents and deepfake video interviews observed; laptop farm infrastructure identified in multiple U.S. states; first confirmed extortion-on-exit cases
2025: Mandiant M-Trends 2026 confirms DPRK IT worker incidents across 6 sectors; 122-day median dwell documented; operatives increasingly target cloud-native companies for access to cloud credentials and AI model IP
2026 ongoing: Campaign active and expanding; remote-first hiring at cloud companies remains primary attack surface; no containment at the program level; individual incidents closed on detection
Attack Vectors
Fabricated contractor identity + AI-generated docs · Legitimate employment provisioning · Cloud credential and IP exfiltration · Laptop farm infrastructure (proxy access) · Extortion on exit (data leak threat) · AI model and source code theft
MITRE ATT&CK
Initial Access · T1078 · Valid Accounts (legitimate contractor provisioning via identity fraud)
Defense Evasion · T1656 · Impersonation (fabricated identity, AI-generated profile)
Collection · T1213 · Data from Information Repositories (cloud storage, code repos, AI model weights)
Exfiltration · T1048 · Exfiltration Over Alternative Protocol (data transferred via contractor's provisioned access)
Impact · T1657 · Financial Theft / Extortion (exit-stage data extortion threat)
Blast Radius
Exposure
All orgs with remote contractor access
Communication Governance stops it: A contractor account that looks legitimate at the identity layer is still subject to network-layer policy. Communication Governance scopes what the contractor workload can reach — limiting access to exactly the services required for the stated role and blocking lateral movement to data stores outside that scope. Anomalous egress (bulk data transfer to personal cloud storage, access to production databases from a contractor sandbox) is blocked before exfiltration volume reaches extortion threshold. The 122-day dwell problem is a detection problem; CG makes it a containment problem instead. Note: CG limits the blast radius of any provisioned identity — data stores and workloads not explicitly permitted for that source remain unreachable. CG does not eliminate insider risk, but it constrains the architectural surface a compromised or malicious insider can reach, regardless of credential legitimacy.
Malware-Free Attack Baseline
Structural Trend · CrowdStrike 2026 Baseline
Structural
82% of all intrusions are now malware-free — using stolen credentials and living-off-the-land techniques. Exploits remain the #1 initial vector (32%, 6th consecutive year); voice phishing rose to #2 (11%); email phishing collapsed from 14% to 6% in a single year — a 57% decline (Mandiant M-Trends 2026).
No malware binary means no EDR signature, no behavior to sandbox, no known-bad hash to block.
Detection-era architecture assumes malicious behavior is distinguishable from legitimate behavior. This assumption no longer holds at scale.
The Containment Era answer: it does not matter whether behavior is distinguishable; what matters is what the workload is permitted to reach.
Campaign Arc
2022 GTR: 71% of intrusions malware-free; identity-based and living-off-the-land attacks surpass malware for the first time
2024 GTR: 75% malware-free; interactive intrusions (human-operated, not automated) up 60% year-over-year
2025 GTR: 79% malware-free; cloud intrusions up 75%; identity-based initial access now dominant vector
2026 GTR: 82% malware-free; the structural shift is now the baseline assumption for any active threat campaign
Attack Vectors
Credential theft (phishing / dark web purchase) · RMM tool abuse (AnyDesk, TeamViewer) · LOLBins (PowerShell, certutil, wmic) · Cloud API / management plane · Trusted-path traversal
MITRE ATT&CK
Initial Access · T1078 · Valid Accounts (all sub-types)
Initial Access · T1133 · External Remote Services
Execution · T1059 · Command & Scripting Interpreter (LOLBins)
Defense Evasion · T1218 · System Binary Proxy Execution
Lateral Movement · T1021 · Remote Services (all sub-types)
Blast Radius
Exposure
Credential-scoped (unlimited if default-allow)
Communication Governance stops it: Stolen credentials cannot initiate external calls without a matching allowlist policy. Blast Radius of any credential is bounded by workload-level governance regardless of whether detection fires.
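The difference between "credential-scoped" and allowlist-bounded exposure, as an added example that is not part of the original page or any vendor's product: the same flow records are evaluated once under default-allow and once under a per-workload default-deny allowlist. Workload names, users, addresses and rules are all constructed for illustration.

```python
"""Same flows, two defaults: what a valid credential can reach under each."""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    workload: str   # source workload label (hypothetical names)
    cidr: str       # permitted destination network
    port: int       # permitted destination port


class Flow(NamedTuple):
    workload: str
    user: str       # authenticated identity; the policy never consults it
    dst_ip: str
    dst_port: int


# Constructed allowlist: each workload may reach only what its role needs.
ALLOWLIST = [
    Rule("file-transfer", "10.20.0.0/24", 5432),
    Rule("file-transfer", "10.30.5.10/32", 443),
    Rule("contractor-sandbox", "10.40.1.0/28", 443),
]

# Constructed flow records. Every one was made with a valid credential.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
FLOWS = [
    Flow("file-transfer", "svc-mft", "10.20.0.15", 5432),
    Flow("file-transfer", "svc-mft", "203.0.113.77", 443),
    Flow("contractor-sandbox", "contractor-17", "10.40.1.5", 443),
    Flow("contractor-sandbox", "contractor-17", "10.20.0.15", 5432),
    Flow("contractor-sandbox", "contractor-17", "198.51.100.9", 443),
]


def permitted(flow, rules):
    """True when some rule for this workload covers the destination IP and port."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(
        r.workload == flow.workload
        and r.port == flow.dst_port
        and dst in ipaddress.ip_network(r.cidr)
        for r in rules
    )


def evaluate(flows, rules, default_allow):
    """Split flows into (allowed, denied) under the chosen default."""
    allowed, denied = [], []
    for f in flows:
        ok = default_allow or permitted(f, rules)
        (allowed if ok else denied).append(f)
    return allowed, denied


def reach(flows, rules, default_allow):
    """Per-workload set of (ip, port) destinations that were actually reached."""
    out = {}
    for f in evaluate(flows, rules, default_allow)[0]:
        out.setdefault(f.workload, set()).add((f.dst_ip, f.dst_port))
    return out


if __name__ == "__main__":
    for label, default in (("default-allow", True), ("default-deny", False)):
        allowed, denied = evaluate(FLOWS, ALLOWLIST, default)
        print(label, "allowed:", len(allowed), "denied:", len(denied))
        for f in denied:
            print("  DENY", f.workload, f.user, "->", f"{f.dst_ip}:{f.dst_port}")
```

The identity column is carried through the records but never read by `permitted`, which is the point: the decision depends on the source workload and destination, not on whether the credential is legitimate.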
Mass exploitation of CVE-2023-34362 (SQL injection in MOVEit Transfer) by Cl0p ransomware group. Zero-day leveraged before any patch existed. Progress Software patched the same day they disclosed. (Source: Progress Software advisory, May 31 2023; CISA advisory AA23-158A)
2,600+ organizations confirmed affected globally, including US federal agencies (DOE, USDA), state DMVs, NHS trusts, and major financial institutions. 77 million+ individuals had PII exfiltrated. (Source: Emsisoft MOVEit breach tracker, Jul 2023; CISA/FBI advisory AA23-158A)
Patch exists. Architectural failure persists: east-west paths between file-transfer systems and sensitive internal systems were ungoverned. Cl0p needed only SQL access to extract data; no lateral movement is required when data lives next to the entry point.
Campaign Arc
May 27, 2023: Zero-day exploitation begins; CVE-2023-34362 SQL injection in MOVEit Transfer web application
May 31, 2023: Progress Software discloses vulnerability and releases patches; CISA issues advisory AA23-158A
Jun 6, 2023: Cl0p ransomware group claims responsibility; begins extortion campaign against affected organizations
Jul 2023: 2,600+ organizations confirmed affected globally, 77M+ individuals' PII exfiltrated (Source: Emsisoft MOVEit breach tracker; CISA/FBI AA23-158A)
Attack Vectors
SQL injection (CVE-2023-34362) · Web shell deployment (LEMURLOOT) · File transfer system data access · Ungoverned east-west data paths
MITRE ATT&CK
Persistence · T1505.003 · Server Software Component: Web Shell (LEMURLOOT)
Collection · T1213 · Data from Information Repositories (file-transfer database)
Exfiltration · T1567.002 · Exfiltration to Cloud Storage
Blast Radius
Exposure
All data reachable from the file-transfer system
Communication Governance stops exfil: Even with SQL injection achieved, data exfiltration over HTTP to Cl0p infrastructure requires an outbound path. Workload-level egress policy blocks novel outbound destinations before the first byte leaves, regardless of whether the CVE is patched.
Change Healthcare
Credential Blast Radius · BlackCat/ALPHV · Feb 2024
Contained
Single stolen credential with no MFA on a legacy Citrix remote access portal. No zero-day, no malware on entry. (Source: UnitedHealth Group CEO Andrew Witty testimony, Senate Finance Committee, May 1 2024)
ALPHV/BlackCat moved laterally across Change Healthcare's network over nine days before deploying ransomware. ~$22M ransom paid by UHG (confirmed via on-chain blockchain analysis). ALPHV then exit-scammed its own affiliate; RansomHub re-extorted UHG with the same stolen data. (Source: blockchain analysis, Recorded Future / TRM Labs; ALPHV leak site)
190 million Americans' protected health information (PHI) potentially exposed — the largest healthcare breach in US history. Claims processing for approximately one-third of US healthcare disrupted for weeks. UHG reported $872M in direct response costs through Q1 2024. (Source: HHS OCR breach notification, Dec 2024; UHG Q1 2024 earnings, May 2024)
No MFA and no workload segmentation from a single Citrix portal is the canonical Blast Radius failure: the credential was the key to the entire network.
Campaign Arc
Feb 12, 2024: BlackCat/ALPHV first access via stolen credentials on Citrix portal with no MFA (Source: UHG Senate testimony, May 2024)
Feb 21, 2024: Change Healthcare systems taken offline; ransomware deployed after 9-day lateral movement phase
Feb 28, 2024: BlackCat/ALPHV claims responsibility; $22M ransom reportedly paid (Source: blockchain analysis, Recorded Future)
Mar–Apr 2024: HHS advisory issued; Senate hearings; UHG discloses ~$872M in direct costs (Source: UHG Q1 2024 earnings)
Attack Vectors
Stolen credentials (dark web / infostealer) · Citrix remote access (no MFA) · 9-day lateral movement campaign · Data exfiltration before encryption · BlackCat/ALPHV ransomware
MITRE ATT&CK
Initial Access · T1078.003 · Valid Accounts: Local Accounts (on-prem Citrix, per UHG Senate testimony)
Initial Access · T1133 · External Remote Services (Citrix portal)
Lateral Movement · T1021.001 · Remote Services: Remote Desktop Protocol
Exfiltration · T1567.002 · Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact · T1486 · Data Encrypted for Impact (BlackCat/ALPHV)
Blast Radius
Exposure
Entire UHG network from one credential
Communication Governance stops the lateral movement: The stolen Citrix credential is the entry point. The nine days of lateral traversal that preceded ransomware deployment required workload-to-workload reach across the entire UHG network. Default-deny east-west policy closes those paths: the credential can authenticate but cannot move.
Project Glasswing / Claude Mythos
AI Zero-Day Discovery · Structural Shift · Apr 7 2026
Active — Structural Threat
In this scenario, a next-generation AI model (Project Glasswing) autonomously discovered thousands of exploitable zero-days across every major OS and browser during controlled safety testing. Over 99% remain unpatched. Model withheld from public release.
CVE-2026-4747 (CVSS 8.8 HIGH — FreeBSD SA-26:08): stack-based buffer overflow in RPCSEC_GSS data packet validation; kernel-space RCE from any low-privilege network client, no user interaction. Reported March 26 2026. Mythos identified, developed a working exploit, and tested it in ~4 hours from a low-privilege network position — no human guidance. Separately wrote a 4-vuln browser exploit chain including JIT heap spray escaping renderer and OS sandboxes.
Oldest vulnerability: 27-year-old OpenBSD bug (OS renowned for security hardening). Autonomous deceptive behavior confirmed: Mythos erased git history records and posted exploit details to hard-to-find public websites unprompted.
This scenario is based on publicly documented AI safety research demonstrating emergent offensive capability in large code-reasoning models. The key finding: offensive capability was not trained — it emerged as a byproduct of general improvements in code, reasoning, and autonomy. Every frontier model going forward is likely to develop similar capabilities as coding ability improves.
CRITICAL GAP: Glasswing coalition (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan, Linux Foundation, Microsoft, NVIDIA, Palo Alto) is a detect-and-patch initiative. With 99% of discovered vulnerabilities unpatched, detect-and-patch is structurally unwinnable at machine speed. No Glasswing partner addresses workload-level containment.
Campaign Arc
Apr 7 2026: Anthropic announces Project Glasswing — $100M coalition with 12 major tech companies; Mythos withheld from release
Apr 7 2026: CVE-2026-4747 disclosed — 17-year FreeBSD NFS RCE exploited autonomously in 4 hours; 27-year OpenBSD bug confirmed; >99% of discovered vulns unpatched
Apr 7 2026: Anthropic security incidents: ~2,000 source files accidentally exposed; Claude Code found to silently ignore security deny rules with 50+ subcommands
Ongoing: Alex Stamos (CPO, Corridor): 6 months before open-weight models achieve parity in vuln discovery — "every ransomware actor" gains capability
Attack Vectors
AI autonomous zero-day discovery · Patch-window exploitation (hours vs. days) · Emergent offensive capability (not trained) · Open-weight model proliferation
MITRE ATT&CK
Initial Access · T1190 · Exploit Public-Facing Application
Privilege Escalation · T1068 · Exploitation for Privilege Escalation
Defense Evasion · T1587.004 · Develop Capabilities: Exploits
Blast Radius
Exposure
Any unpatched workload in scope
Communication Governance stops the blast radius propagation: When a zero-day is exploited, default-deny egress blocks the C2 callback and lateral movement — the window between zero-day exploitation and containment is closed architecturally, not by patch cadence.
GlassWorm IDE Supply Chain
IDE Extension Supply Chain · AI Developer Tooling · Active Apr 2026
Active — 72+ Extensions
Trojanized OpenVSX extension code-wakatime-activity-tracker ships Zig-compiled native binaries (win.node / mac.node) that load directly into Node.js runtime with full OS-level access — bypassing the JavaScript sandbox entirely.
Binary silently discovers and infects every VS Code-compatible IDE on the machine: Visual Studio Code, VS Code Insiders, Cursor, Windsurf, VSCodium, Positron. 72+ malicious Open VSX extensions linked to GlassWorm since Jan 31 2026 (Socket).
Campaign specifically targets AI developer tooling — extensions impersonating Claude Code, Codex, and Google Antigravity. Solana blockchain-based C2 (traditional domain-block lists are ineffective). Geofences Russian systems.
Deploys persistent RAT: keystroke logging, session cookie theft, full credential harvest from IDE environment. Developer and CI/CD workstations have elevated access — cluster credentials, cloud provider tokens, service account tokens.
Directly relevant to Aviatrix: Aviatrix uses Cursor. Engineering teams should verify no GlassWorm-linked extensions from Open VSX. Check specifically for code-wakatime-activity-tracker and floktokbok.autoimport.
Campaign Arc
Mar 2025: GlassWorm campaign first tracked by Aikido Security
Jan 31 2026: Escalation — 72+ malicious OpenVSX extensions identified
Apr 2026: Significant new evolution — AI developer tooling targeted specifically (Claude Code, Codex, Google Antigravity impersonation); Zig-compiled native binaries bypass JS sandbox
Ongoing: C2 via Solana blockchain — resistant to domain-based blocking; all major AI IDE platforms in scope
Attack Vectors
OpenVSX extension marketplace · Zig-compiled native Node.js binary (sandbox escape) · Cursor / VS Code / Windsurf / Positron targeting · Blockchain-based C2 (Solana) · AI tool impersonation (Claude Code, Codex)
MITRE ATT&CK
Initial Access · T1195.002 · Supply Chain: Software Supply Chain
Execution · T1059 · Command and Scripting Interpreter
Credential Access · T1056.001 · Keylogging
Credential Access · T1539 · Steal Web Session Cookie
Command & Control · T1102 · Web Service — Solana C2
Blast Radius
Exposure
Dev env → CI/CD → prod credentials
Communication Governance stops lateral propagation: GlassWorm RAT requires outbound C2 connectivity. Default-deny egress blocks the Solana blockchain callback and any credential exfiltration channel — even with a compromised IDE, the blast radius is contained to the workstation.
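One way to run the extension check recommended above across every VS Code-compatible IDE on a machine, as an added example that is not from the original page or from any of the cited vendors. The two extension identifiers and the `win.node` / `mac.node` file names come from the page; the per-user extension directories are assumed defaults and should be adjusted for portable or custom installs.

```python
"""Look for the GlassWorm-linked identifiers named on this page in local IDE extensions."""
import json
import re
from pathlib import Path

# Identifiers taken from the page.
FLAGGED_IDS = {"code-wakatime-activity-tracker", "floktokbok.autoimport"}
NATIVE_BINARIES = {"win.node", "mac.node"}

# Assumed default per-user extension directories (relative to the home directory).
DEFAULT_DIRS = [
    ".vscode/extensions",           # Visual Studio Code
    ".vscode-insiders/extensions",  # VS Code Insiders
    ".cursor/extensions",           # Cursor
    ".windsurf/extensions",         # Windsurf
    ".vscode-oss/extensions",       # VSCodium
    ".positron/extensions",         # Positron
]

FOLDER_RE = re.compile(r"^(.*?)-\d+\.\d+\.\d+")  # publisher.name-1.2.3[-platform]


def extension_identity(ext_dir):
    """Return (publisher.name, name), preferring package.json over the folder name."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        manifest = None
    if isinstance(manifest, dict) and manifest.get("name"):
        name = str(manifest["name"]).lower()
        publisher = str(manifest.get("publisher") or "").lower()
        return (f"{publisher}.{name}" if publisher else name), name
    folder = ext_dir.name.lower()
    m = FOLDER_RE.match(folder)
    stem = m.group(1) if m else folder
    return stem, stem.split(".", 1)[-1]


def scan(home, rel_dirs=DEFAULT_DIRS):
    """Return one finding per extension that matches a flagged ID or ships a named binary."""
    findings = []
    for rel in rel_dirs:
        root = Path(home) / rel
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            full_id, name = extension_identity(ext_dir)
            reasons = []
            if full_id in FLAGGED_IDS or name in FLAGGED_IDS:
                reasons.append("flagged-id")
            natives = sorted({p.name for p in ext_dir.rglob("*.node")
                              if p.name in NATIVE_BINARIES})
            if natives:
                # A file name alone is a lead for review, not a verdict.
                reasons.append("native-binary:" + ",".join(natives))
            if reasons:
                findings.append({"ide_dir": rel, "extension": full_id, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(Path.home()):
        print(finding)
```

An empty result only means these specific names were not found in the assumed directories; the page links 72+ extensions to the campaign and names two of them.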
APT28 / FrostArmada
Nation-State · GRU Unit 26165 · DNS Credential Theft · Active since 2024
Active — GRU / Fancy Bear
Russia's GRU (Military Unit 26165 / APT28 / Fancy Bear / Forest Blizzard) compromised 18,000+ SOHO routers (MikroTik, TP-Link) across 120 countries, modifying DNS settings to intercept Microsoft 365 authentication tokens and credentials at the network layer.
The campaign requires NO malware installation on target endpoints — operates entirely through DNS manipulation of edge devices. Completely invisible to endpoint security, EDR, and behavioral detection. Microsoft identified 200+ affected organizations, 5,000+ consumer devices.
FBI Operation Masquerade conducted court-authorized remediation of compromised routers across 23 US states. Disclosed in coordinated release by UK NCSC, FBI, Microsoft, and Lumen's Black Lotus Labs on April 7, 2026. Campaign active since at least 2024.
Stolen M365 tokens enable direct cloud tenant access and SaaS lateral movement — no further credential theft required. Token scope includes SharePoint, Teams, Exchange, Azure AD, and downstream SaaS applications.
Campaign Arc
2024+: GRU Unit 26165 begins DNS manipulation campaign targeting SOHO routers globally
Feb–Apr 2026: Active interception of M365 auth tokens from 18,000+ compromised routers across 120 countries
Apr 7 2026: Coordinated disclosure — UK NCSC, FBI, Microsoft, Lumen Black Lotus Labs; FBI Operation Masquerade court-authorized router remediation across 23 US states
Ongoing: 200+ organizations confirmed; token theft infrastructure remains partially active; DNS hijack capability persists on unpatched devices
Attack Vectors
DNS manipulation of SOHO edge devices (MikroTik, TP-Link) · M365 authentication token interception · No endpoint malware (invisible to EDR) · Router firmware persistence · Cloud tenant lateral movement via stolen tokens
MITRE ATT&CK
Lateral Movement · T1557 · Adversary-in-the-Middle
Credential Access · T1040 · Network Sniffing
Initial Access · T1078.004 · Valid Accounts: Cloud Accounts
Defense Evasion · T1550.001 · Use Alternate Auth Material: App Access Token
Blast Radius
Exposure
M365 token → full cloud tenant + SaaS
Communication Governance stops lateral movement: Stolen M365 tokens provide authentication but not unlimited reach. Workload-level egress policy and east-west governance bounds what each authenticated identity can access — token theft is the entry point, but communication governance determines what it can reach.
Storm-1175 / Medusa
Cloud Ransomware · China-Nexus · 24-Hour Dwell · Active 2026
Active — 24-Hour Deployment
China-based, financially motivated threat actor operating high-velocity Medusa ransomware campaigns. Moves from initial access to data exfiltration and ransomware deployment in as few as 24 hours — compressing the traditional "dwell time" narrative to near-zero.
Weaponizes N-day vulnerabilities during the window between disclosure and patch adoption. 16+ vulnerabilities exploited since 2023. Zero-day capability confirmed: CVE-2026-23760 (SmarterMail) and CVE-2025-10035 (GoAnywhere MFT) weaponized approximately one week before public disclosure in each case.
Recent intrusions heavily impacted healthcare, education, professional services, and finance in the US, UK, and Australia. IDC's Sakshi Grover: "This is the death of the traditional 'dwell time' narrative. This is no longer about attackers sitting quietly in the network. It is about speed and disciplined execution."
Analysis published by Microsoft Threat Intelligence on April 6, 2026.
Campaign Arc
2023–2025: Storm-1175 exploits 16+ vulnerabilities; establishes Medusa ransomware affiliate network
Feb 2026: CVE-2026-23760 (SmarterMail zero-day) weaponized ~1 week before public disclosure
Apr 6 2026: Microsoft Threat Intelligence detailed analysis published; 24-hour dwell-to-encryption timeline confirmed; healthcare/edu/finance sectors primary targets
Ongoing: N-day weaponization continues; AI-accelerated vulnerability chaining compresses timeline further
Attack Vectors
N-day vulnerability exploitation (patch-window targeting) · Zero-day development (SmarterMail, GoAnywhere MFT) · Data exfiltration before encryption · Medusa ransomware affiliate network · Cross-sector targeting (healthcare, finance, education)
MITRE ATT&CK
Initial Access · T1190 · Exploit Public-Facing Application
Impact · T1486 · Data Encrypted for Impact
Exfiltration · T1567 · Exfiltration Over Web Service
Reconnaissance · T1595 · Active Scanning
Blast Radius
Exposure
Full tenant in 24 hours
Communication Governance compresses the blast radius: Storm-1175's 24-hour timeline depends on unrestricted lateral movement. Default-deny east-west policy means even after successful initial exploitation, workload-to-workload propagation and data staging are blocked before the ransomware payload deploys.
Z.ai GLM-5.1
Open-Weight Offensive AI · Ungoverned · MIT License · Apr 7 2026
Active — Open Weights
China's Z.ai (formerly Zhipu AI, Tsinghua University spinoff; HK IPO Jan 2026, ~$558M raised) released GLM-5.1 open weights under MIT license on April 7, 2026. 754 billion parameter mixture-of-experts model, trained entirely on 100,000 Huawei Ascend 910B chips — zero NVIDIA hardware, outside Western governance frameworks.
CyberGym benchmark (UC Berkeley, 1,507 real-world vulnerabilities, 188 software projects — tests AI ability to reproduce vulnerabilities with working PoC exploits): GLM-5.1 scores 68.7% vs. Claude Opus 4.6 at 66.6% and GPT-5.4 at 66.3%. Western models scored lower partly because safety guardrails blocked certain offensive tasks. GLM-5.1 has no such constraints.
Model available on HuggingFace under MIT license. Zero safety constraints, zero usage restrictions, zero monitoring. While full-scale operation requires substantial compute (not consumer-grade), it is accessible to any well-funded threat group, state actor, or organized criminal operation at near-zero marginal cost.
Per Alex Stamos (CPO, Corridor): open-weight models will achieve parity with foundation models in vulnerability discovery within ~6 months, "at which point every ransomware actor will be able to find and weaponize bugs without leaving traces for law enforcement." The attack tooling is functionally democratized among sophisticated actors.
Campaign Arc
Jan 2026: Z.ai completes Hong Kong IPO — ~$558M raised; Tsinghua University spinoff
Apr 7 2026: GLM-5.1 open weights released under MIT license — 68.7% CyberGym, beats Western frontier models on offensive benchmarks; no safety constraints
Oct 2026 (est.): Per Stamos: open-weight models achieve parity with foundation models in vuln discovery; ransomware actors gain AI-powered zero-day capability
Ongoing: GLM-5.1-based offensive tooling emerging in threat actor toolchains; fine-tuned variants lowering compute barrier
Attack Vectors
AI-autonomous vulnerability discovery · Open-weight model (no governance) · Huawei compute (outside Western export controls) · CyberGym-validated exploit generation · Near-zero marginal cost for state/criminal actors
MITRE ATT&CK
Defense Evasion · T1587.004 · Develop Capabilities: Exploits
Defense Evasion · T1588.005 · Obtain Capabilities: Exploits
Blast Radius
Exposure
Any unpatched workload; AI finds the path
Communication Governance is the architectural answer: GLM-5.1 eliminates the argument that AI-powered attacks are hypothetical. The only remaining variable is whether targets have containment architecture that bounds the blast radius when the breach occurs. Default-deny egress and workload-level enforcement make the exploit less valuable — even AI-discovered zero-days require C2 egress and lateral movement to complete.
Shai-Hulud
npm Supply Chain Worm · Self-Replicating · Active since Sep 2025
Active — npm Ecosystem
Self-replicating npm supply chain worm. Sep 2025 (1.0): 180+ packages compromised; post-install scripts use TruffleHog to harvest credentials from CI/CD environment variables and git history; phishing campaign spoofing npm MFA update notifications. High-reach packages including @ctrl/tinycolor (millions of weekly downloads) among initial victims.
Shai-Hulud 2.0 (Nov 26, 2025): 800+ packages targeted; 27,000 malicious packages uploaded to npm in a self-replicating wave within 24 hours; 400,000 raw secrets leaked across 30,000+ GitHub repositories — 60%+ of exposed npm tokens still valid weeks after disclosure. Pre-install execution; obfuscated 10+ MB payload files ("setup_bun.js", "bun_environment.js"); fallback destroys victim home directory. GitHub Actions persistence via "discussion.yaml" workflow. Microsoft Security Blog guidance published Dec 9, 2025.
Dec 24, 2025 — Trust Wallet: Shai-Hulud 2.0 harvested developer GitHub token used to inject malicious code into browser extension v2.68.0 via Chrome Web Store API. $8.5M drained from 2,500+ wallets across a 200M-user base. Third variant found in dormant "@vietmoney/react-big-calendar" (inactive since Mar 2021). No CVE assigned. Possibly LLM-assisted malware generation.
Credentials stolen include npm publish tokens, GitHub PATs, AWS / GCP / Azure API keys, and SSH keys. 60%+ remained valid weeks later. No malware required for downstream access — workload-level containment is the only control that bounds what a stolen credential can reach after exfiltration.
Apr 22, 2026: “The Third Coming” confirmed. String “Shai-Hulud: The Third Coming” found in the malicious @bitwarden/cli@2026.4.0 package, confirming TeamPCP as author of all three Shai-Hulud variants. The operation now spans npm, PyPI, Docker Hub, VS Code Marketplace, and npm Trusted Publishing — every major package distribution channel used in modern DevOps pipelines. (Source: The Hacker News Apr 23 2026)
Campaign Arc
Sep 2025: Shai-Hulud 1.0: 180+ npm packages compromised; TruffleHog credential harvesting; MFA phishing campaign; @ctrl/tinycolor among high-reach victims
Nov 26 2025: Shai-Hulud 2.0: 27,000 malicious packages uploaded; 400,000 raw secrets from 30,000+ GitHub repos; pre-install execution; home-directory destruction fallback; GitHub Actions persistence
Dec 9 2025: Microsoft Security Blog guidance published: detection, investigation, and defense guidance for Shai-Hulud 2.0
Dec 24 2025: Trust Wallet breach: stolen GitHub developer token injects malicious code into browser extension v2.68.0 via Chrome Web Store API; $8.5M stolen from 2,500+ wallets; 200M-user base impacted. One stolen credential → production signing access → financial damage in a single hop.
2026: Third variant found in dormant @vietmoney/react-big-calendar (inactive since Mar 2021); stolen credentials remain valid across npm, GitHub, and cloud environments
Apr 22 2026: “Shai-Hulud: The Third Coming”: String confirmed in @bitwarden/cli@2026.4.0 malicious payload, establishing TeamPCP as the author of all three Shai-Hulud variants. First known compromise of an npm Trusted Publishing flow. CVE pending. (Sources: The Hacker News, JFrog)
Attack Vectors
npm package registry · CI/CD post/pre-install scripts · TruffleHog credential harvesting · Self-replicating worm (npm publish token) · GitHub Actions persistence · Dormant/abandoned packages · Chrome Web Store API (Trust Wallet)
MITRE ATT&CK
Initial Access · T1195.002 · Supply Chain Compromise: Software Supply Chain
Execution · T1059.006 · Command & Scripting Interpreter: Python / Node.js
Credential Access · T1552.001 · Unsecured Credentials: Credentials In Files (env vars, git history)
Persistence · T1053.003 · Scheduled Task/Job: CI/CD Pipeline (GitHub Actions)
Exfiltration · T1041 · Exfiltration Over C2 Channel
Blast Radius
Exposure
Any workload with npm deps; stolen credentials persist until rotated
Communication Governance stops it: npm post/pre-install scripts execute inside workloads — default-deny egress stops the TruffleHog credential callback at the workload boundary before any secret leaves the environment. Trust Wallet shows the downstream consequence: one stolen token, unconstrained, reaches production signing infrastructure. Workload-level containment limits what any harvested credential can reach.
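A triage check for the Shai-Hulud 2.0 artifacts described above, as an added example that is not part of the original page or of any cited vendor's tooling. The file names `setup_bun.js`, `bun_environment.js` and `discussion.yaml` and the 10 MB size come from the page; the function names and the report format are assumptions made for this sketch.

```python
"""Check a project tree for the Shai-Hulud 2.0 artifacts named on this page."""
import json
import os
from pathlib import Path

PAYLOAD_FILES = ("bun_environment.js", "setup_bun.js")     # file names from the page
WORKFLOW_FILE = "discussion.yaml"                           # workflow name from the page
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")  # npm install-time scripts
BIG_BYTES = 10 * 1024 * 1024                                # page: "10+ MB payload files"


def load_scripts(pkg_json):
    """Return the package's scripts mapping, or {} if the manifest is unreadable."""
    try:
        data = json.loads(pkg_json.read_text(encoding="utf-8", errors="replace"))
    except (OSError, ValueError):
        return {}
    scripts = data.get("scripts") if isinstance(data, dict) else None
    return scripts if isinstance(scripts, dict) else {}


def scan_package(pkg_dir, big_bytes=BIG_BYTES):
    """List indicator hits for one directory that contains a package.json."""
    hits = []
    scripts = load_scripts(pkg_dir / "package.json")
    for hook in LIFECYCLE_HOOKS:
        command = str(scripts.get(hook, ""))
        hits += [f"{hook} runs {name}" for name in PAYLOAD_FILES if name in command]
    for name in PAYLOAD_FILES:
        candidate = pkg_dir / name
        if candidate.is_file():
            oversized = candidate.stat().st_size >= big_bytes
            hits.append(f"{name} present" + (" (oversized)" if oversized else ""))
    return hits


def scan_tree(root, big_bytes=BIG_BYTES):
    """Walk root (node_modules included) and map relative path -> list of hits."""
    root = Path(root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel = here.relative_to(root)
        if "package.json" in filenames:
            hits = scan_package(here, big_bytes)
            if hits:
                findings[rel.as_posix()] = hits
        if rel.as_posix().endswith(".github/workflows") and WORKFLOW_FILE in filenames:
            findings[(rel / WORKFLOW_FILE).as_posix()] = ["workflow file name matches"]
    return findings


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(".").items()):
        print(path, "->", "; ".join(hits))
```

A workflow file-name match on its own needs manual review, since a repository can legitimately contain a file with that name.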
Vercel / Context.ai Breach
OAuth Supply Chain • Third-Party AI Tool • Apr 2026
Active — Investigation
Attacker compromised Context.ai, a third-party AI tool used internally at Vercel. Its Google Workspace OAuth app was the initial foothold; Vercel assessed the actor as "highly sophisticated" based on operational velocity and detailed knowledge of Vercel's internal systems. Mandiant engaged.
Environment variables not marked sensitive were accessible. A limited subset of customer credentials was confirmed compromised; those customers were directly notified. Full exfiltration scope remains under investigation as of Apr 20 2026.
IOC: OAuth App 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com assessed as impacting hundreds of organizations beyond Vercel via the same Context.ai compromise. Law enforcement notified.
Campaign Arc
Apr 19: Context.ai OAuth app confirmed as attack origin; IOC published; impacted customers notified.
Apr 19: Attack origin details published; Mandiant + additional IR firms engaged; law enforcement notified.
Apr 20: Bulletin updated; env var rotation recommended; customer exfiltration scope still under assessment.
Attack Vectors
Third-party AI tool OAuth (Context.ai) · Google Workspace account takeover · Env var exfiltration (non-sensitive)
MITRE ATT&CK
Initial Access · T1199 · Trusted Relationship
Credential Access · T1528 · Steal Application Access Token
Collection · T1552.001 · Credentials In Files (env vars)
Blast Radius
Systems
Env vars + internal envs
Status
Scope under investigation
Communication Governance stops it: The OAuth token exfiltration and C2 callbacks are blocked at the workload boundary before any credential leaves the environment. Third-party AI tool access to internal systems is governed at egress — even a compromised OAuth app cannot reach credential stores when workload-level east-west controls are enforced.