20/06/2026

Nobody Breaks In Anymore

// elusive thoughts // appsec // threat intel // 2026

Read enough 2026 breach reports and something gets embarrassing. The intrusion you picture, the hoodie, the zero-day, the frantic keyboard work, almost never happened. The attacker walked in. Sometimes you left the door open. Sometimes someone sold them the key. Sometimes you imported them yourself and ran their code on your build server with a smile.

Three roads, one destination: your environment. None of them look like hacking. All of them work, and the data from the last six months says they work better than ever.

Road one: the door you left open

Cloud misconfiguration is the breach cause that refuses to die. Not nation-state magic. Not a novel exploit chain. A storage bucket set to public. An IAM role with *:* because someone needed it to ship on a Friday. A security group open to 0.0.0.0/0 that was "temporary" in 2024.
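The two settings named above are easy to lint for mechanically. The following is an added example, not code from the original post: a small Python check that flags an IAM policy statement allowing every action on every resource, and a security-group ingress rule open to 0.0.0.0/0 (or ::/0). The policy documents and ingress rules are constructed samples in the shape AWS uses; the "scoped" policy is one plausible least-privilege replacement and is likewise an assumption, not a recommendation from the post.

```python
"""Lint the two cloud misconfigurations the post names.

Added example; inputs below are constructed samples, not real accounts.
"""
import ipaddress
import json

# Constructed sample: the role someone needed to ship on a Friday.
FRIDAY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: the same role scoped to what the deploy actually does.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"},
    ],
})

# Constructed sample: ingress rules in the shape of EC2 IpPermissions.
TEMPORARY_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary 2024"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalise it."""
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy_json):
    """Return Allow statements that grant every action on every resource."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # "*" is the IAM spelling; "*:*" is accepted for the colloquial form.
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            findings.append(stmt)
    return findings


def find_open_ingress(rules):
    """Return (from_port, to_port, cidr) for rules reachable from any address."""
    findings = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
                findings.append((rule.get("FromPort"), rule.get("ToPort"), str(net)))
    return findings


if __name__ == "__main__":
    print("wildcard statements:", find_wildcard_statements(FRIDAY_POLICY))
    print("scoped policy:", find_wildcard_statements(SCOPED_POLICY))
    print("open ingress:", find_open_ingress(TEMPORARY_RULES))
```

The point of running something this simple in CI rather than in a dashboard is the ownership problem the post describes: a failed pipeline step has an owner, an alert in a console often does not.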

  • ~95% of cloud security failures trace to human error or misconfiguration
  • ~70% of cloud attack vectors lead with identity or credential compromise
  • 277 days: average time to detect a cloud breach

The number that should keep you up is the last one. Most of a calendar year, attacker resident in your cloud, undetected. That is not a detection-tooling problem. That is a visibility-and-ownership problem dressed up as one.

And misconfig never stays a single mistake. It chains. A leaked CI/CD token lands on an over-privileged role. That role reads a public store. The store holds another credential. That credential modifies production. Every link in that chain is a config nobody reviewed, because reviewing configs is boring and shipping features is not. Roughly 45% of breaches now touch the cloud, and the average public-cloud incident clears five million dollars. Boring is expensive.

Road two: the key someone sold

You do not need an exploit if you can log in. In 2026 that is the default. The clearest signal in the whole threat landscape: the majority of intrusions involve no malware at the entry point at all.

  • 79% of intrusions are malware-free at initial access (stolen credentials, not exploits)
  • 54% of ransomware victims appeared in infostealer logs BEFORE the attack
  • ~30% of incidents start with identity abuse, the top single vector

This is the Initial Access Broker economy, and it has matured into a clean professional supply chain. Infostealer malware harvests credentials and session cookies from some unlucky endpoint. Those logs get parsed, sorted, and sold. A broker packages "VPN access to a UK financial services firm, domain admin adjacent" and lists it. A ransomware affiliate buys it for four figures and is inside before your SOC has finished its morning standup.

The brokers have gone upmarket. Through 2025 and into 2026, researchers tracked IABs shifting toward high-value targets and premium pricing, with elite players retreating from burned public boards like the rebooted BreachForums toward closed, Russian-language platforms after names like IntelBroker got arrested and unmasked. The market did not collapse under law-enforcement pressure. It professionalised and went quieter.

The operational takeaway is brutal and simple. By the time ransomware detonates, the breach is old news. The encryption is the invoice, not the intrusion. Someone bought your access weeks earlier, sat inside, staged exfiltration, and only then pulled the trigger.

Road three: the code you imported

The third road is the one we walk down ourselves, voluntarily, thousands of times a day. Your dependency graph is a trust network you do not monitor and mostly cannot see. npm install is an instruction to download and execute arbitrary code from strangers, and 2026 has been a clinic in what that costs.

The shift started with Shai-Hulud in late 2025: a self-replicating worm that stole npm tokens and GitHub PATs, then used them to automatically republish itself into other packages. That ended the nuisance era. Then the consequences arrived at scale:

  • Axios (March 2026): the most popular HTTP client in the ecosystem, 100M+ weekly downloads. A hijacked maintainer account pushed poisoned versions carrying a phantom dependency that dropped a cross-platform RAT on install. Attributed to a North Korean state actor. Live within 39 minutes of a stolen token being used.
  • node-ipc (May 2026): three malicious versions published across multiple semver lines at once, deliberately maximising blast radius so anyone pinned to ^9, ^12, or a tilde range pulled an 80KB credential stealer on their next lockfile refresh.
  • Miasma / @redhat-cloud-services (June 2026): a Shai-Hulud derivative abusing install-time scripts, compromising a vendor namespace through a hijacked GitHub account.

Notice the pattern. Almost none of these were typosquats you could have avoided by spelling carefully. They were legitimate, trusted, widely-used packages whose publishing identity got stolen. The malicious code arrived through the exact channel you told your build system to trust implicitly. postinstall is remote code execution that you opted into and put in your pipeline.

The throughline

Three roads, one root cause: trust granted without verification. The open cloud role, the stolen credential, the hijacked maintainer token. Same currency, different counter. We spent a decade buying perimeter products while the perimeter quietly redefined itself as "anyone holding a valid token." Identity is the perimeter now. It has been for a while. The breach reports are just catching the rest of us up.

// Opinion: this is good news, if you can stand to hear it

Every one of these is a hygiene failure, not a sophistication failure. Nobody out-galaxy-brained your defences. They used a checkbox, a credential, and an install script. That should be encouraging, because boring problems have boring fixes, and boring fixes are cheap relative to the next platform your vendor wants to sell you.

What actually moves the needle, in priority order:

  • Least privilege, enforced, not aspirational. The CI/CD token that can reach prod is the entire kill chain compressed into one line. Scope it down until it hurts.
  • Pin and verify dependencies. Lockfiles with integrity hashes. No blind caret ranges on anything that runs install scripts. Disable postinstall by default and allowlist the few that need it.
  • Monitor infostealer logs for your own domains. If your credentials are for sale, you want to know before the affiliate does.
  • Phishing-resistant MFA everywhere. When 79% of intrusions are malware-free, credentials are the product. Stop shipping the product.
  • Default-deny cloud, reviewed IaC, CSPM that blocks instead of alerting into a void nobody reads.
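The dependency items above (and the postinstall point in road three) can be turned into a check that runs before anything is installed. What follows is an added example, not code from the original post or from npm: it reads a package.json and a package-lock.json in the lockfileVersion 2/3 layout, where npm records "hasInstallScript": true for any package with preinstall/install/postinstall scripts and an "integrity" hash for each resolved tarball, and it flags a missing integrity hash, an install-script package that is not on a reviewed allowlist, and a caret or tilde range on anything that runs install scripts. The package names, versions, registry URL and hashes are constructed samples, not real packages.

```python
"""Audit a lockfile for the three conditions the post calls out.

Added example; all package data below is constructed, not real.
"""
import json
import re

# Constructed sample package.json (only the dependency ranges matter here).
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-widget": "^9.2.1",   # caret range on a package with install scripts
        "safe-util": "1.4.0",      # exact pin, install scripts reviewed
        "fast-parse": "~2.0.3",    # tilde range, no install scripts
    },
})

# Constructed sample package-lock.json (lockfileVersion 3 layout).
PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-widget": {
            "version": "9.2.1",
            "resolved": "https://registry.example.invalid/left-widget-9.2.1.tgz",
            "integrity": "sha512-PLACEHOLDER-HASH-A",
            "hasInstallScript": True,
        },
        "node_modules/safe-util": {
            "version": "1.4.0",
            "resolved": "https://registry.example.invalid/safe-util-1.4.0.tgz",
            "integrity": "sha512-PLACEHOLDER-HASH-B",
            "hasInstallScript": True,
        },
        "node_modules/fast-parse": {
            "version": "2.0.3",
            "resolved": "https://registry.example.invalid/fast-parse-2.0.3.tgz",
            # no "integrity": npm would fetch this without verifying the tarball
        },
    },
})

# Packages whose install scripts have been read and accepted (constructed list).
INSTALL_SCRIPT_ALLOWLIST = {"safe-util"}

FLOATING_RANGE = re.compile(r"^[\^~]")


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped and nested paths)."""
    return lock_path.rsplit("node_modules/", 1)[1]


def audit_lockfile(package_json, package_lock, allowlist):
    """Return sorted (package, finding) pairs; an empty list means clean."""
    deps = json.loads(package_json).get("dependencies", {})
    packages = json.loads(package_lock).get("packages", {})
    findings = []
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue  # the "" entry is the project itself
        name = package_name(path)
        if "integrity" not in meta:
            findings.append((name, "missing-integrity"))
        if meta.get("hasInstallScript"):
            if name not in allowlist:
                findings.append((name, "unreviewed-install-script"))
            spec = deps.get(name, "")
            if FLOATING_RANGE.match(spec):
                findings.append((name, f"floating-range:{spec}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_lockfile(PACKAGE_JSON, PACKAGE_LOCK, INSTALL_SCRIPT_ALLOWLIST):
        print(f"{name}: {finding}")
```

Pair the audit with npm's own `ignore-scripts=true` setting in the project .npmrc so that install scripts do not run at all unless a package is on the allowlist; the audit then tells you which allowlist entries are drifting onto floating ranges.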

None of this is a new product. It is discipline applied to the three roads attackers actually use. The movie hack is a distraction. The real breach is administrative, and so is the defence.

SOURCES // SentinelOne and StationX cloud + breach statistics (2026) // CrowdStrike 2025 (malware-free intrusions) // Verizon DBIR 2025 (infostealer logs, identity vectors) // Rapid7 threat intelligence, Initial Access Broker pricing shift (2026) // IBM X-Force Threat Intelligence Index 2026 // StepSecurity (node-ipc), Trend Micro and Microsoft (Axios / Sapphire Sleet), Wiz and Palo Alto Unit 42 (Miasma / Shai-Hulud). Figures are cross-source and approximate; treat as direction, not decimals.
#AppSec #CloudSecurity #SupplyChain #ThreatIntel #IAB #npm #DevSecOps
