
Commit 320cb98

chore: update feed state [2026-04-18]
1 parent 26f0818 commit 320cb98

9 files changed

Lines changed: 110 additions & 2 deletions

logs/urls.txt

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,3 +136,15 @@
136136
[2026-04-17] https://www.datadoghq.com/blog/github-actions-iac-security/
137137
[2026-04-17] https://www.datadoghq.com/blog/otel-ai-observability-pipelines-clickhouse/
138138
[2026-04-17] https://www.datadoghq.com/blog/single-step-instrumentation-rules/
139+
[2026-04-18] https://blog.cryptographyengineering.com/2026/04/17/anonymous-credentials-an-illustrated-primer-part-2/
140+
[2026-04-18] https://labs.cognisys.group/posts/Beyond-the-Perimeter-How-an-On-Premises-Domain-Admin-Compromise-Unlocked-the-Cloud/
141+
[2026-04-18] https://shellsharks.com/scrolls/scroll/2026-04-17
142+
[2026-04-18] https://projectdiscovery.io/blog/neo-vs-diy
143+
[2026-04-18] https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
144+
[2026-04-18] https://trustedsec.com/blog/mythos-memory-loss-and-the-part-infosec-keeps-missing
145+
[2026-04-18] https://www.sygnia.co/threat-reports-and-advisories/mythos-effect-ai-accelerated-exploitation-vulnerability-management/
146+
[2026-04-18] https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/
147+
[2026-04-18] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-16-7/
148+
[2026-04-18] https://www.wiz.io/blog/wiz-iac-inventory
149+
[2026-04-18] https://www.datadoghq.com/blog/governance-console/
150+
[2026-04-18] https://falconforce.nl/northsec-may-2026/
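Review bot: the bracketed date on each line added in this hunk is the ingestion date, not the article's publication date, and nothing in logs/urls.txt says which one it is; the Cryptography Engineering and Trail of Bits URLs carry 2026/04/17 in their paths yet are logged as [2026-04-18]. Either add a one-line header comment to the log stating that the bracket is the fetch date, or record both dates so a reader consulting the log later is not misled about when a piece appeared.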
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "Anonymous credentials: an illustrated primer (Part 2)"
4+
date: 2026-04-18 03:10:45 +0300
5+
categories: [RSS]
6+
tags: [privacy, cryptography, anonymous-credentials, blind-signatures, privacypass]
7+
toc: true
8+
---
9+
10+
This post examines how real anonymous credential systems are built and deployed, focusing on Privacy Pass as a concrete implementation of Chaum-style blind-signature credentials. It walks through the issuance flow where a user chooses a token type, optional metadata, and a random serial number, then obtains a blind signature so the issuer signs the credential without learning its contents. The verifier later checks the issuer signature and enforces single use by storing previously seen serial numbers, while the metadata field can bind a token to a specific site, date, or session challenge without exposing that binding to the issuer. The article frames these design choices as practical defenses against credential cloning and cross-site reuse, and uses Privacy Pass deployment by Cloudflare, Apple, Google, and others to show that anonymous authentication is now operational at Internet scale.
11+
12+
[Read original article](https://blog.cryptographyengineering.com/2026/04/17/anonymous-credentials-an-illustrated-primer-part-2/){: .btn .btn-primary }
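Review bot: the front-matter `date: 2026-04-18 03:10:45 +0300` in this hunk does not agree with the same run's `last_updated` in state/processed_urls.json, which is `2026-04-18T03:10:53.358550+00:00`; read literally, the post is stamped 00:10:45 UTC, three hours before the run that produced it finished eight seconds later. The wall-clock time was almost certainly read in UTC and then labelled with a +0300 offset. Emit the post date in UTC (`+0000`) or convert the timestamp properly, since Jekyll uses this field for post ordering and, with the default permalink, for the URL path. The same value appears in every post file in this commit.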
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "Beyond the Perimeter How an On-Premises Domain Admin Compromise Unlocked the Cloud"
4+
date: 2026-04-18 03:10:45 +0300
5+
categories: [RSS]
6+
tags: [entra-id, active-directory, token-theft, hybrid-identity, m365]
7+
toc: true
8+
---
9+
10+
This write-up shows how an attacker who already reached on-premises Active Directory Domain Admin can pivot into Microsoft 365 by stealing Entra ID session tokens from a privileged user's workstation, effectively bypassing MFA and Conditional Access. The operators first enumerated cloud directory roles with ROADrecon using compromised credentials, identified a Global Administrator, then used Domain Admin access and SMB/WinRM to locate that user's active workstation and inspect logged-in sessions. After confirming Outlook and Teams were running under the target context, they dumped those Office processes and extracted bearer and refresh tokens from memory using simple string matching on the dump, allowing reuse against Microsoft Graph and other cloud resources. The practical impact is that hybrid identity environments can collapse from an on-prem compromise into full cloud tenant compromise when privileged admins use ordinary domain-joined workstations for Entra administration.
11+
12+
[Read original article](https://labs.cognisys.group/posts/Beyond-the-Perimeter-How-an-On-Premises-Domain-Admin-Compromise-Unlocked-the-Cloud/){: .btn .btn-primary }
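Review bot: the `title:` in this hunk has lost the separator between the two halves of the headline and now reads as one run-on clause; the source slug keeps them as distinct segments, so it should be `title: "Beyond the Perimeter: How an On-Premises Domain Admin Compromise Unlocked the Cloud"`, and the title-extraction step should be checked, because it probably strips colons from every feed item. On the body, "effectively bypassing MFA and Conditional Access" is slightly too strong: a replayed access or refresh token was issued after MFA and Conditional Access had already been satisfied, so the attacker inherits those decisions rather than defeating them. "Sidestepping re-evaluation" is the more precise wording and points at the mitigations that actually help (device-bound tokens, short token lifetimes, dedicated admin workstations).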
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "Mythos, Memory Loss, and the Part InfoSec Keeps Missing"
4+
date: 2026-04-18 03:10:49 +0300
5+
categories: [RSS]
6+
tags: [ai, exploit-development, vulnerability-research, ransomware, identity]
7+
toc: true
8+
---
9+
10+
TrustedSec argues that Mythos is a real capability jump for vulnerability research because it can identify promising bug candidates, reason about exploitability, and help produce exploit paths faster than previous tooling, but that this does not suddenly make autonomous zero-day discovery the primary risk for most defenders. The article frames Mythos as an accelerator for an existing trend: shrinking time from disclosure to usable exploitation driven by public PoCs, exploit frameworks, cheaper reverse engineering, and bug bounty incentives, rather than a totally new attack model. Its technical substance is in the historical comparison: exposed services in inetd-era Unix systems, Metasploit-era browser exploits, Blackhole and Angler exploit kits, and POS memory-scraping campaigns all became less dominant only after architectural shifts such as host firewalls, browser hardening, exploit mitigations like ASLR/DEP/CFG, chip-and-PIN, and point-to-point encryption changed attacker economics. The practical takeaway is that defenders should still prioritize the attack paths the article says dominate real intrusions today—phishing, stolen credentials, exposed edge devices, known vulnerabilities, weak identity controls, and poor segmentation—because AI-assisted exploit development lands on top of those long-standing weaknesses rather than replacing them.
11+
12+
[Read original article](https://trustedsec.com/blog/mythos-memory-loss-and-the-part-infosec-keeps-missing){: .btn .btn-primary }
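Review bot: `toc: true` in this hunk's front matter is set on a post whose body is a single paragraph with no headings, so a theme that honours the flag renders an empty table of contents; every other post in this commit has the same combination. Either drop the flag from the generator template for these RSS summaries or set it only when the body contains headings.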
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "The Good, the Bad and the Ugly in Cybersecurity – Week 16"
4+
date: 2026-04-18 03:10:51 +0300
5+
categories: [RSS]
6+
tags: [phishing, dprk, malware, nginx, auth-bypass]
7+
toc: true
8+
---
9+
10+
This weekly roundup aggregates three technically relevant stories: the FBI and Indonesian authorities dismantled the W3LL phishing ecosystem, a phishing-as-a-service platform that cloned login portals and used adversary-in-the-middle techniques to bypass MFA and support large-scale business email compromise. It also covers CERT-UA's report on the AgingFly campaign against Ukrainian government and healthcare targets, where phishing-delivered LNK files launch a script chain that installs a C# backdoor capable of command execution, file theft, screenshots, keylogging, Telegram-based C2 updates, and even on-host compilation of downloaded handler source code to reduce static detection. The article further summarizes active exploitation of CVE-2026-33032 in Nginx UI, where an exposed `/mcp_message` endpoint in MCP-enabled deployments allows unauthenticated attackers to establish a session, reuse a session ID, invoke privileged MCP functions, alter configuration, and restart services for full server takeover. While it is a news-style digest rather than an original deep dive, it points readers to concrete attack mechanics, affected software, and operational impact across phishing, state-backed intrusion support, commodity malware tradecraft, and exposed management-plane vulnerabilities.
11+
12+
[Read original article](https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-16-7/){: .btn .btn-primary }
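Review bot: the tag `nginx` in this hunk is misleading: the body attributes CVE-2026-33032 to Nginx UI, a separate management front end, not to the nginx web server itself, and anyone filtering the site by `nginx` for server advisories will get a false hit. Suggest `nginx-ui` instead, and, since the body describes active exploitation of a specific CVE, a `cve` tag as well so the item is findable alongside other vulnerability write-ups.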
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "The Mythos Effect: Preparing for AI-Accelerated Exploitation"
4+
date: 2026-04-18 03:10:50 +0300
5+
categories: [RSS]
6+
tags: [ai, vulnerability-management, exposure-management, exploit-chaining]
7+
toc: true
8+
---
9+
10+
Sygnia frames Anthropic's Mythos Preview and Project Glasswing as evidence that exploit development timelines may compress sharply, with claimed capabilities including zero-day discovery in major operating systems and browsers, autonomous chaining of multiple bugs, and faster N-day weaponization. The advisory's core point is that many vulnerability management programs still rely on assumptions that exploitation is slow and skill-intensive, using CVSS scores, backlog aging, and ticket throughput as primary decision signals. It argues defenders instead need "exposure readiness": tighter asset-to-business-service mapping, clear ownership for findings, contextual prioritization based on operational dependency and adversarial relevance, and faster cross-team remediation workflows. The practical guidance emphasizes compensating controls such as segmentation, identity hardening, automation, and incident readiness for cases where patch windows are too slow for AI-assisted attacker timelines.
11+
12+
[Read original article](https://www.sygnia.co/threat-reports-and-advisories/mythos-effect-ai-accelerated-exploitation-vulnerability-management/){: .btn .btn-primary }
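Review bot: this post and the TrustedSec post added in the same commit both discuss Mythos, but the only tag they share is the generic `ai`, so the site cannot relate the two; suggest adding a `mythos` tag to both (`tags: [ai, mythos, vulnerability-management, exposure-management, exploit-chaining]` here) so readers who land on one see the counter-argument in the other.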
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)"
4+
date: 2026-04-18 03:10:48 +0300
5+
categories: [RSS]
6+
tags: [iran, ics, ot, phishing, threat-intelligence]
7+
toc: true
8+
---
9+
10+
Unit 42’s updated threat brief tracks multiple Iran-linked campaigns tied to the 2026 regional conflict, including renewed OT/ICS targeting by CL-STA-1128 (Cyber Av3ngers/Storm-0784) against Rockwell Automation and Allen-Bradley environments. The report says the actor appears to have installed Rockwell FactoryTalk on VPS infrastructure to support exploitation, an assessment based on distinctive port combinations that matched FactoryTalk’s static service mappings, and notes internet-exposed Rockwell or Allen-Bradley SCADA/PLC assets on roughly 5,600 IPs globally. It also documents a separate March phishing cluster with 7,381 URLs across 1,881 hostnames using conflict-themed lures, telecom and airline impersonation, top-level-domain rotation, subdomain chaining, and fake payment or donation workflows for credential theft and fraud. While much of the piece is operational threat-intel rather than vulnerability research, it provides useful technical signal on current Iranian operator infrastructure, ICS targeting trends, and phishing tradecraft relevant to defenders monitoring critical infrastructure and regional targeting.
11+
12+
[Read original article](https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/){: .btn .btn-primary }
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
layout: post
3+
title: "We beat Google’s zero-knowledge proof of quantum cryptanalysis"
4+
date: 2026-04-18 03:10:50 +0300
5+
categories: [RSS]
6+
tags: [zero-knowledge, zkvm, rust, cryptography, memory-safety]
7+
toc: true
8+
---
9+
10+
Trail of Bits shows that Google’s published zero-knowledge proof for optimized quantum cryptanalysis was forgeable because the Rust-based zkVM prover pipeline contained multiple memory-safety and logic bugs, not because the underlying quantum circuit improved. Google’s setup used Succinct Labs’ SP1 zkVM to verify a private kickmix quantum circuit by deserializing the circuit, simulating elliptic-curve point addition over 9,024 sampled inputs, and committing public bounds for total operations, qubits, and Toffoli gates. By crafting malicious private input that exploits flaws in the simulator and circuit-handling logic, Trail of Bits produced a proof accepted by Google’s original unpatched verifier with the same verification key while falsely claiming dramatically better metrics, including zero Toffoli gates and fewer qubits. The practical takeaway is that zk proofs inherit a real application-security attack surface: bugs in guest code, parsing, or metric accounting can make cryptographically valid proofs attest to false performance claims even when the math of the proving system itself remains sound.
11+
12+
[Read original article](https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/){: .btn .btn-primary }

state/processed_urls.json

Lines changed: 14 additions & 2 deletions
@@ -1335,7 +1335,19 @@
13351335
"http://blog.quarkslab.com/obfuscation-vs-the-optimizer-an-llvm-middle-end-arms-race.html": "2026-04-17",
13361336
"https://www.datadoghq.com/blog/github-actions-iac-security/": "2026-04-17",
13371337
"https://www.datadoghq.com/blog/otel-ai-observability-pipelines-clickhouse/": "2026-04-17",
1338-
"https://www.datadoghq.com/blog/single-step-instrumentation-rules/": "2026-04-17"
1338+
"https://www.datadoghq.com/blog/single-step-instrumentation-rules/": "2026-04-17",
1339+
"https://blog.cryptographyengineering.com/2026/04/17/anonymous-credentials-an-illustrated-primer-part-2/": "2026-04-18",
1340+
"https://labs.cognisys.group/posts/Beyond-the-Perimeter-How-an-On-Premises-Domain-Admin-Compromise-Unlocked-the-Cloud/": "2026-04-18",
1341+
"https://shellsharks.com/scrolls/scroll/2026-04-17": "2026-04-18",
1342+
"https://projectdiscovery.io/blog/neo-vs-diy": "2026-04-18",
1343+
"https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/": "2026-04-18",
1344+
"https://trustedsec.com/blog/mythos-memory-loss-and-the-part-infosec-keeps-missing": "2026-04-18",
1345+
"https://www.sygnia.co/threat-reports-and-advisories/mythos-effect-ai-accelerated-exploitation-vulnerability-management/": "2026-04-18",
1346+
"https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/": "2026-04-18",
1347+
"https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-16-7/": "2026-04-18",
1348+
"https://www.wiz.io/blog/wiz-iac-inventory": "2026-04-18",
1349+
"https://www.datadoghq.com/blog/governance-console/": "2026-04-18",
1350+
"https://falconforce.nl/northsec-may-2026/": "2026-04-18"
13391351
},
1340-
"last_updated": "2026-04-17T03:12:33.861618+00:00"
1352+
"last_updated": "2026-04-18T03:10:53.358550+00:00"
13411353
}
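Review bot: this hunk marks twelve URLs as processed on 2026-04-18, but the commit adds only seven post files; the shellsharks, projectdiscovery, wiz, datadoghq governance-console and falconforce entries are recorded as done with no corresponding post, so whatever dropped them (fetch failure, relevance filter, summarizer error) will never be retried because the dedup check on this file will skip them next run. Record an entry only after the post file has been written, or store a status next to the date (`{"date": "2026-04-18", "status": "skipped"}`) so failures are distinguishable from deliberate skips. Related: entries are keyed by URL alone, and the Unit 42 item added here is titled "(Updated April 17)", i.e. a living document; once its URL is in this map it will not be re-fetched when the brief changes, so consider keying on URL plus a content hash or `Last-Modified` value.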
