20/06/2026

Nobody Breaks In Anymore

Nobody Breaks In Anymore

// elusive thoughts // appsec // threat intel // 2026

Read enough 2026 breach reports and something gets embarrassing. The intrusion you picture, the hoodie, the zero-day, the frantic keyboard work, almost never happened. The attacker walked in. Sometimes you left the door open. Sometimes someone sold them the key. Sometimes you imported them yourself and ran their code on your build server with a smile.

Three roads, one destination: your environment. None of them look like hacking. All of them work, and the data from the last six months says they work better than ever.

Road one: the door you left open

Cloud misconfiguration is the breach cause that refuses to die. Not nation-state magic. Not a novel exploit chain. A storage bucket set to public. An IAM role with *:* because someone needed it to ship on a Friday. A security group open to 0.0.0.0/0 that was "temporary" in 2024.

~95%of cloud security failures trace to human error / misconfig
~70%of cloud attack vectors lead with identity or credential compromise
277daverage time to detect a cloud breach

The number that should keep you up is the last one. Most of a calendar year, attacker resident in your cloud, undetected. That is not a detection-tooling problem. That is a visibility-and-ownership problem dressed up as one.

And misconfig never stays a single mistake. It chains. A leaked CI/CD token lands on an over-privileged role. That role reads a public store. The store holds another credential. That credential modifies production. Every link in that chain is a config nobody reviewed, because reviewing configs is boring and shipping features is not. Roughly 45% of breaches now touch the cloud, and the average public-cloud incident clears five million dollars. Boring is expensive.

Road two: the key someone sold

You do not need an exploit if you can log in. In 2026 that is the default. The clearest signal in the whole threat landscape: the majority of intrusions involve no malware at the entry point at all.

79%of intrusions are malware-free at initial access (stolen creds, not exploits)
54%of ransomware victims appeared in infostealer logs BEFORE the attack
~30%of incidents start with identity abuse, the top single vector

This is the Initial Access Broker economy, and it has matured into a clean professional supply chain. Infostealer malware harvests credentials and session cookies from some unlucky endpoint. Those logs get parsed, sorted, and sold. A broker packages "VPN access to a UK financial services firm, domain admin adjacent" and lists it. A ransomware affiliate buys it for four figures and is inside before your SOC has finished its morning standup.

The brokers have gone upmarket. Through 2025 and into 2026, researchers tracked IABs shifting toward high-value targets and premium pricing, with elite players retreating from burned public boards like the rebooted BreachForums toward closed, Russian-language platforms after names like IntelBroker got arrested and unmasked. The market did not collapse under law-enforcement pressure. It professionalised and went quieter.

The operational takeaway is brutal and simple. By the time ransomware detonates, the breach is old news. The encryption is the invoice, not the intrusion. Someone bought your access weeks earlier, sat inside, staged exfiltration, and only then pulled the trigger.

Road three: the code you imported

The third road is the one we walk down ourselves, voluntarily, thousands of times a day. Your dependency graph is a trust network you do not monitor and mostly cannot see. npm install is an instruction to download and execute arbitrary code from strangers, and 2026 has been a clinic in what that costs.

The shift started with Shai-Hulud in late 2025: a self-replicating worm that stole npm tokens and GitHub PATs, then used them to automatically republish itself into other packages. That ended the nuisance era. Then the consequences arrived at scale:

  • Axios (March 2026): the most popular HTTP client in the ecosystem, 100M+ weekly downloads. A hijacked maintainer account pushed poisoned versions carrying a phantom dependency that dropped a cross-platform RAT on install. Attributed to a North Korean state actor. Live within 39 minutes of a stolen token being used.
  • node-ipc (May 2026): three malicious versions published across multiple semver lines at once, deliberately maximising blast radius so anyone pinned to ^9, ^12, or a tilde range pulled an 80KB credential stealer on their next lockfile refresh.
  • Miasma / @redhat-cloud-services (June 2026): a Shai-Hulud derivative abusing install-time scripts, compromising a vendor namespace through a hijacked GitHub account.

Notice the pattern. Almost none of these were typosquats you could have avoided by spelling carefully. They were legitimate, trusted, widely-used packages whose publishing identity got stolen. The malicious code arrived through the exact channel you told your build system to trust implicitly. postinstall is remote code execution that you opted into and put in your pipeline.

The throughline

Three roads, one root cause: trust granted without verification. The open cloud role, the stolen credential, the hijacked maintainer token. Same currency, different counter. We spent a decade buying perimeter products while the perimeter quietly redefined itself as "anyone holding a valid token." Identity is the perimeter now. It has been for a while. The breach reports are just catching the rest of us up.

// Opinion: this is good news, if you can stand to hear it

Every one of these is a hygiene failure, not a sophistication failure. Nobody out-galaxy-brained your defences. They used a checkbox, a credential, and an install script. That should be encouraging, because boring problems have boring fixes, and boring fixes are cheap relative to the next platform your vendor wants to sell you.

What actually moves the needle, in priority order:

  • Least privilege, enforced, not aspirational. The CI/CD token that can reach prod is the entire kill chain compressed into one line. Scope it down until it hurts.
  • Pin and verify dependencies. Lockfiles with integrity hashes. No blind caret ranges on anything that runs install scripts. Disable postinstall by default and allowlist the few that need it.
  • Monitor infostealer logs for your own domains. If your credentials are for sale, you want to know before the affiliate does.
  • Phishing-resistant MFA everywhere. When 79% of intrusions are malware-free, credentials are the product. Stop shipping the product.
  • Default-deny cloud, reviewed IaC, CSPM that blocks instead of alerting into a void nobody reads.

None of this is a new product. It is discipline applied to the three roads attackers actually use. The movie hack is a distraction. The real breach is administrative, and so is the defence.

SOURCES // SentinelOne and StationX cloud + breach statistics (2026) // CrowdStrike 2025 (malware-free intrusions) // Verizon DBIR 2025 (infostealer logs, identity vectors) // Rapid7 threat intelligence, Initial Access Broker pricing shift (2026) // IBM X-Force Threat Intelligence Index 2026 // StepSecurity (node-ipc), Trend Micro and Microsoft (Axios / Sapphire Sleet), Wiz and Palo Alto Unit 42 (Miasma / Shai-Hulud). Figures are cross-source and approximate; treat as direction, not decimals.
#AppSec #CloudSecurity #SupplyChain #ThreatIntel #IAB #npm #DevSecOps

14/06/2026

Anthropic, cannot give you anymore access to Mython and Fable, unless you are American military personnel....

There Is No Universal Railguard, And They Shipped It Anyway // Elusive Thoughts

root@elusive:~/posts$ cat no-universal-railguard.md

There Is No Universal Railguard, And They Shipped It Anyway

Filed under: agentic AI security // governance // things that were always going to happen

Anthropic told us the truth and we did not listen. Buried in the Fable 5 launch was one of the most honest sentences a frontier lab has ever published about its own safeguards: perfect jailbreak resistance is not currently possible for any model provider. Read that again. Not "we have not finished hardening." Not "edge cases remain." A flat statement that the unbreakable wall does not exist and will not exist on this architecture.

Then they put the model in front of hundreds of millions of people. Then a researcher beat the layer in under two days. Then the US government pulled the plug. None of these three events contradict the others. That is the whole point, and almost nobody is saying it.

The architecture, because the architecture is the story

Fable 5 and Mythos 5 are the same model. The difference is a classifier layer. When a query trips one of the high-risk buckets (cybersecurity, biology, chemistry, model distillation), Fable does not refuse. It silently downgrades the request to the weaker Opus 4.8 and tells you it did so. Mythos is the same model with the cyber classifiers lifted, handed to a small set of trusted defenders.

If you have ever deployed a WAF in front of an application you already understand the entire security posture here. The classifier is not the model's security. It is a request inspector bolted to the front. It reads what you send, scores it, and decides whether the real engine answers or the understudy does. It does not, and cannot, read your intent.

That is why the published bypass techniques are unremarkable to anyone in this field. Unicode and homoglyph substitution to dodge keyword matching. Long-context framing to dilute intent across a conversation so no single turn looks bad. Decomposition-recomposition, where you split a forbidden task into a dozen individually innocent sub-requests and reassemble the answer yourself. These are not exotic. They are the LLM equivalent of encoding a payload to slip past a signature-based filter. WAF evasion, new substrate.

So when the classifier layer falls, the correct reaction is not shock. The correct reaction is "yes, that is what classifier layers do." Anthropic said so themselves. Out loud. In the launch post.

Reading one: this is bad, and the takedown is the system working

Here is the uncomfortable version.

Anthropic has previously described Mythos-class capability as analogous to a cyberweapon that warrants careful oversight. Fine. Then the same company wrapped that capability in a layer it publicly admitted was defeatable in principle, tuned the layer conservatively, and shipped it to the general public at ten dollars per million input tokens. The safety argument rests entirely on three words: "no universal jailbreak." And the operative word in that phrase is yet.

A non-universal jailbreak is a key that opens one door and has to be re-cut for the next. A universal jailbreak is a master key. Anthropic's bet is that they can keep attackers stuck cutting individual keys, log every attempt, and patch faster than anyone can scale an attack. That is a reasonable bet for a monitored, narrow deployment to vetted defenders. It is a far shakier bet for a public model with hundreds of millions of users and a financial incentive sitting on every successful bypass.

In this reading, a government that recalls the model the moment a credible bypass surfaces is not overreacting. It is enforcing the precautionary principle the lab itself claimed to believe in. If your security control has a known expiry date and you sell it as if it does not, the recall is the smoke alarm doing its job. The fact that it is loud does not make it wrong.

Reading two: this is over-amplified, and partly a control play

Now the other version, which is also supported by the facts.

What did the disclosed bypass actually produce? By Anthropic's own account, the government's evidence was verbal, and the technique essentially amounts to asking the model to read a codebase and fix its flaws. That is not a weapon. That is Tuesday for every defender alive. The lurid screenshots, stack overflow exploit code and a meth synthesis pathway, describe capabilities you can already pull from other public frontier models and from a patient afternoon with a search engine. The leaked 120,000 character system prompt is not a compromise. It is the model's refusal logic and house style. It embarrasses, it does not hand over control, and system prompts get extracted from every frontier model by anyone who tries hard enough.

Then look at the plumbing of the takedown. Reporting points to the bypass being found by Amazon, which happens to be Anthropic's largest investor, a board presence, and its cloud host, then escalated to Treasury, then converted into a Commerce directive that pulled a model overnight. The White House framing is that Amodei was offered a fix-or-pull choice and refused. Anthropic's account differs on essentially every material point and says the letter arrived at 5:21pm with no technical specifics at all.

Strip the national-security wrapper and what is left is this: a model deployed to millions got recalled over a narrow, non-universal, verbally-described filter evasion, through a channel that runs straight through a competitor-and-investor. Apply that standard evenly and you do not have a safer industry. You have no new model releases at all, because every model in existence is vulnerable to non-universal jailbreaks by definition. That is not safety policy. That is a kill switch with a flag painted on it.

The AppSec verdict

Both readings are correct. That is the part that should keep you up at night, not either one alone.

The engineering claim is true. There is no universal railguard. Anybody selling you one is selling you a WAF and calling it a vault.

The product claim is where it breaks. "No universal bypass exists yet" is a dependency note, not a safety guarantee, and shipping it to the entire planet as if it were the latter is the actual unsafe act. Not the jailbreak. The framing.

The governance claim is the one that matters most to anyone who builds. A frontier model vanished for every customer, overnight, on the strength of a verbal, undocumented finding routed through an interested party. If your production workflow is coupled to a single closed API, you just watched a live demonstration of your own supply-chain risk. The model did not fail. The endpoint did not get hacked. It simply stopped existing because of a letter you will never read.

So treat "no universal jailbreak" as exactly what it is: the most honest thing the vendor said, and the one you are least allowed to forget. Build for the day the layer falls, because the people who built it already told you it would. Monitor like the control is temporary, because it is. And never put a production dependency somewhere a single letter can switch off at 5:21 on a Friday.

The railguard was never universal. The only surprise is that anyone is surprised.

// EOF  //  Elusive Thoughts  //  securityhorror.blogspot.com

A Threat Model Developers Will Actually Use

A Threat Model Developers Will Actually Use // appsec // threat modeling // kill the 40-page pdf Somewhere on a shared drive at almos...