Security Boulevard

How Secure is Your Organization’s Approach to Non-Human Identities? Have you ever considered the scale of machine identities within your organization? With the expansive growth of digital, Non-Human Identities (NHIs) are becoming crucial in effective data protection strategies. These machine identities are essentially technological constructs that necessitate vigilance, given their pivotal role in accessing sensitive […]

The post How to protect your data with Agentic AI appeared first on Entro.

The post How to protect your data with Agentic AI appeared first on Security Boulevard.

Have You Ever Considered How Securing Non-Human Identities Could Transform Your Organization? Non-Human Identities (NHIs) security is increasingly crucial across various sectors, from financial services to healthcare and beyond. These machine identities are not mere technical entities but fundamental components that define a company’s cybersecurity. By understanding and managing NHIs effectively, organizations can bridge the […]

The post What makes Non-Human Identities safe for companies appeared first on Entro.

The post What makes Non-Human Identities safe for companies appeared first on Security Boulevard.

How Does NHI Management Enhance Security and Efficiency? Is your organization effectively tackling security gaps caused by machine identities? This question becomes critical with Non-Human Identities (NHIs) grows exponentially, driven by cloud adoption and automated systems. In cybersecurity, NHIs are machine identities comprising encrypted credentials—like passwords, tokens, or keys—paired with the permissions assigned by the […]

The post How reliable are NHIs in identity management appeared first on Entro.

The post How reliable are NHIs in identity management appeared first on Security Boulevard.

Author, Creator & Presenter: Shruti Datta Gupta, Product Security Engineer, Adobe & Chandrani Mukherjee, Product Security Engineer, Adobe

Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations') YouTube Channel.

Permalink

The post [un]prompted 2026 – The Hard Part Isn’t Building the Agent: Measuring Effectiveness appeared first on Security Boulevard.

Author, Creator & Presenter: Joshua Saxe, Al Security Technical Lead, Meta

Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations') YouTube Channel.

Permalink

The post [un]prompted 2026 – The Hard Part Isn’t Building The Agent: Measuring Effectiveness appeared first on Security Boulevard.

Recent supply chain attacks have highlighted an urgent need for organizations to shift from a reactive security posture to a preemptive exposure management strategy. Learn why endpoint detection and response tools don’t have you covered when highly privileged developer credentials get exposed.

Key takeaways:

1. Recent supply chain attacks are emblematic of an insidious new trend in cybercrime: Threat actors are increasingly using supply chain attacks to harvest highly privileged developer credentials and create a “Developer Credential Economy,” a lucrative black market for API keys, secrets, and cloud access tokens.
    
2. Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because these tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization actually occur.
    
3. Neutralizing the systemic infrastructure risk created by the Developer Credential Economy requires a continuous threat exposure management (CTEM) approach to proactively identify and eliminate exposure conditions, such as long-lived access tokens, before an attacker can exploit them.

Background

The convergence of the Anthropic Claude Code source leak and the Sapphire Sleet (UNC1069) Axios compromise has collapsed the boundary between traditional malware and systemic infrastructure risk. Our analysis of the exposure intelligence data reveals that the cluster of supply chain attacks observed in March 2026 should not be viewed as disparate incidents; rather, they signify the new operational reality of a high-velocity “Developer Credential Economy,” a black market for highly privileged developer credentials.

In this new reality, attackers are no longer just hacking software supply chains; they’re systematically using supply chain attacks to harvest the very keys to the kingdom from the tools security teams trust most.

The myth of the EDR singularity

Microsoft and Google have independently attributed the recent Axios compromise to a North Korean state actor. Industry narratives have framed the compromise, which backdoored an npm-managed JavaScript library package with 100 million weekly downloads, as a victory for endpoint detection and response (EDR). The logic seems simple: EDR caught and stopped the payload at execution, therefore EDR is the solution.

This is a dangerous miscalculation. The concept of an EDR singularity, where Endpoint Detection and Response (EDR) solutions become so comprehensive, intelligent, and autonomous that they negate the need for virtually all other security tools and human intervention at the endpoint is a powerful and seductive myth dominating the current security landscape. This narrative suggests that, through advancements in machine learning, behavioral analytics, and automated response capabilities, a single, all-encompassing EDR platform will eventually unify and solve the bulk of security challenges.

Relying on EDR to stop a supply chain attack is like relying on a smoke detector while storing open canisters of gasoline in your kitchen. Our analysis shows that by the time an EDR agent fires on the WAVESHAPER.V2 RAT, the true damage — the exposure — has already occurred. This demonstrates the urgent need for organizations to shift from a reactive to a preemptive cybersecurity posture.

• EDR is reactive: It monitors execution, not the conditions that allow it. It cannot see the misconfigured GitHub Action or the over-privileged npm token that enabled the compromise in the first place.
• The coverage gap: EDR has zero visibility into the ephemeral CI/CD runners and build environments where these credentials are stolen. In the Developer Credential Economy, the theft happens where the agents aren't.
• The fail-deadly speed: In the Axios campaign, the malware was designed to exfiltrate secrets and self-destruct within seconds; typically faster than an EDR alert can be triaged by a human analyst.
• EDR evasion is not theoretical: EDR evasion is an active, industrialized capability. Threat actors routinely bypass kernel-level EDR through bring your own vulnerable driver (BYOVD) attacks, where adversaries load legitimately signed but vulnerable kernel drivers to disable or blind EDR agents.

Targeting analysis: Mapping the credential generation layer

Adversaries are increasingly compromising and weaponizing critical chokepoint tools used by developers and security teams, like the Axios npm package and the KICS IaC scanner. This trend, which involves moving upstream in the development lifecycle, reveals a distinct division of labor within this emerging threat economy.

 

Actor / Group Operational focus Primary target Vertical Impact TeamPCP Generation layer: Bulk credential harvesting via tool exploitation Trivy, LiteLLM, KICS (Security/Dev tools) Global SaaS & AI infrastructure Sapphire Sleet Weaponization layer: State-sponsored exfiltration and revenue generation Axios, npm ecosystem Fintech, Crypto, Government GlassWorm Opportunistic layer: High-volume automated theft VSCode extensions, OpenVSX Blockchain & Web3

Actors are successfully exploiting exposures, such as long-lived tokens, overprivileged CI/CD runners, and unpinned dependencies, to force organizations into a reactive posture.

Exposure intelligence: The shift to CTEM

To escape this pattern, defenders must shift from merely reacting to malware to adopting continuous threat exposure management (CTEM) as a preemptive strategy.

While AI companies market their frontier models as security tools, the recent leak of 512,000 lines of Claude source code demonstrates that AI is just another asset with its own massive exposure profile.

A mature CTEM program, powered by exposure intelligence, focuses on the preemptive actions that actually reduce risk:

1. Phase 1: Hardening (The Kill Switch): Organizations must audit lockfiles and kill lifecycle hooks (--ignore-scripts) immediately. This eliminates the postinstall vector that Sapphire Sleet used to deploy WAVESHAPER.V2.
2. Phase 2: Human/Identity defense: We must eliminate long-lived tokens. The Axios compromise succeeded because a single stolen token bypassed every security control. Transitioning to short-lived, OIDC-based automation is an exposure management requirement, not a nice-to-have.
3. Phase 3: Counter-recon: Use Tenable One to map your full attack surface, including the CI/CD pipelines and cloud-native build stages that EDR cannot reach.

The bottom line

The Axios and Anthropic events are a wake-up call for the C-suite. Theoretical severity and reactive detection (EDR) are insufficient against an adversary that has industrialized the theft of developer identities.

Exposure management should be your first and primary line of defense. By identifying and remediating the exposure conditions that supply chain attacks depend on, we can stop the payload before it ever reaches the endpoint.

Get more information

• Read the Tenable Research Special Operations Advisory on the Axios npm Compromise
• Accelerate your preemptive security with Tenable’s agentic engine, Hexa AI
• Explore Tenable One for Exposure Management

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post The developer credential economy: Why exposure data is the new front line in the supply chain war appeared first on Security Boulevard.

I spent the last week

The post Everything I Learned About Harness Engineering and AI Factories in San Francisco (April 2026) appeared first on Security Boulevard.

I spent the last week

The post Everything I Learned About Harness Engineering and AI Factories in San Francisco (April 2026) appeared first on Security Boulevard.

via the comic artistry and dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Amperage’ appeared first on Security Boulevard.

Praetorian is excited to announce the release of Vespasian, a probabilistic API endpoint discovery, enumeration, and analysis tool. Vespasian watches real HTTP traffic from a headless browser or your existing proxy captures and turns it into API specifications (OpenAPI, GraphQL SDL, WSDL). We built it because pentesters spend the first days of every API engagement […]

The post Meet Vespasian. It Sees What Static Analysis Can’t. appeared first on Praetorian.

The post Meet Vespasian. It Sees What Static Analysis Can’t. appeared first on Security Boulevard.

Author, Creator & Presenter: Heather Adkins, VP of Security Engineering, Google & Four Flynn, VP Security and Privacy, Google

Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations') YouTube Channel.

Permalink

The post [un]prompted 2026 – Evaluating Threats & Automating Defense At Google appeared first on Security Boulevard.

Governments are each inventing their own flavor of an age based ban for social media. Is the cure worse than the disease?

The post Blocking children from social media is a badly executed good idea appeared first on Security Boulevard.

Learn how GitGuardian supports NHI governance with a secrets-first model that improves visibility, reduces sprawl, and helps teams manage machine identity risk.

The post NHI Governance Is the Outcome. GitGuardian Is How You Get There appeared first on Security Boulevard.

TL;DR

Board-ready security metrics translate technical capabilities into financial risk and business outcomes. Boards need visibility across three dimensions: risk exposure, incident response capability, and governance compliance. Runtime application security contributes meaningful data points to these broader metrics, helping security leaders present more complete organizational risk assessments.

The post Board-Ready Security Metrics That Actually Matter appeared first on Security Boulevard.

AI is being positioned as the fastest path to efficiency, scale, and smarter decisions. But for most businesses, that promise is not translating into results....Read More

The post How to Prepare Your Business for AI: A Workflow-First Approach appeared first on ISHIR | Custom AI Software Development Dallas Fort-Worth Texas.

The post How to Prepare Your Business for AI: A Workflow-First Approach appeared first on Security Boulevard.

Your banking app knows your face. It reads your fingerprint. It trusts that the person holding the phone is really you. But what if it’s wrong? Mobile-first banking has made financial services more accessible than ever. You can transfer money, pay bills, and apply for loans all from your phone, all in seconds. But this […]

The post AutoSecT Mobile: Automating Android and iOS Security Testing appeared first on Kratikal Blogs.

The post AutoSecT Mobile: Automating Android and iOS Security Testing appeared first on Security Boulevard.

Originally published at The MSP Ultimate Marketing Playbook by EasyDMARC.

The MSP Ultimate Marketing Playbook [2026 Edition] 12 ...

The post The MSP Ultimate Marketing Playbook appeared first on EasyDMARC.

The post The MSP Ultimate Marketing Playbook appeared first on Security Boulevard.

Cyber warfare is no longer an obscure strategy—it's the primary arena of global conflict. Explore how Generative AI, "Living off the Land" techniques, and vendor concentration are creating a new era of systemic risk for enterprises.

The post The Future of Cyber Warfare and its Impact on Global Business Stability  appeared first on Security Boulevard.

Master granular policy enforcement for hybrid classical-quantum AI workflows. Secure your MCP servers with post-quantum encryption and advanced threat detection.

The post Granular Policy Enforcement for Hybrid Classical-Quantum AI Workflows appeared first on Security Boulevard.

TL;DR

Security cameras, IoT, and OT devices that are meant to protect us, are easily compromised and turned against defenders, enabling nation-state reconnaissance (Iranian hacks on Hikvision/Dahua cameras during strikes, Russian webcam abuse in Ukraine), espionage via exposed live feeds, ransomware pivots (Akira group bypassing EDR), massive botnets (Mirai/Eleven11bot), and physical disruption. Structural weaknesses like default credentials, poor patching, internet exposure, supply-chain risks and espionage by design makes them ideal attacker tools, especially since they can’t receive endpoint security agents. Zero Trust Connectivity (ZTc) solves this by enforcing network-level Zero Trust: it blocks unauthorized connections before they form, requires no endpoint agents, prevents lateral movement, and supports decentralized deployment with sovereign data custody — giving defenders a powerful way to secure all devices without traditional detection or centralized decryption. In short, the watcher must be properly isolated at the network layer. In cybersecurity, the watcher must be watched most closely of all.

When Your Own Eyes Turn Against You: How Compromised Security Cameras and IoT/OT Devices Become Tools for Your Attackers

Turning Defense Technology Against the Defenders

We live in an era where security cameras, smart sensors, industrial controllers, other Internet of Things (IoT) and Operational Technology (OT) devices are deployed everywhere—from traffic poles, corporate boardrooms and factory floors to homes and critical infrastructure. They are meant to watch, alert, and protect. Yet when attackers gain control, these very devices become potent weapons in their hands: silent observers feeding real-time intelligence, hidden pivots into protected networks, launchpads for massive distributed denial-of-service (DDoS) attacks, or even tools for physical disruption and espionage.

The problem is structural. Many IoT and OT devices ship with default credentials, receive infrequent (or no) firmware updates, lack proper network segmentation, and are exposed directly to the internet. Even in well managed deployments of IoT and OT, the supply chain threat is an additional attack vector. In cases where defenders patch devices to the latest firmware update, attackers could still be turning their equipment against them by pushing compromised firmware to the devices.

Once breached they grant attackers low-effort footholds. From there, the devices can be repurposed for reconnaissance, lateral movement, data exfiltration, or amplification of larger campaigns. In OT environments, where these devices increasingly converge with IT networks, a single compromised camera or sensor can open the door to industrial control systems (ICS) that manage physical processes. Cyber as a warfare domain could be the area where underfunded or outgunned adversaries can cause the most damage.

Security researchers and government agencies have repeatedly warned against these risks but the threat is no longer theoretical. Adding to the complexity is the problem that no endpoint agent can be deployed on these devices and a single device compromised could be the only potential connection point the attackers need to advance their attack.

In the light of defending against abuse of security cameras, the following are important aspects to consider:

State Actors Weaponize Cameras for Battlefield Intelligence
In March 2026, researchers at Check Point documented hundreds of hacking attempts by Iranian-linked threat actors targeting internet-connected Hikvision and Dahua IP cameras across Israel, Bahrain, Cyprus, Kuwait, Lebanon, Qatar, and the UAE. The attempts were timed to coincide with Iranian missile and drone strikes, suggesting the cameras were being hijacked for real-time reconnaissance—spotting targets, assessing damage, or guiding follow-on kinetic operations. The attackers exploited known vulnerabilities in the cameras’ firmware and used commercial VPNs and VPS infrastructure to scan and compromise devices.

This mirrors earlier Russian tactics. In January 2024, Russian operatives compromised residential webcams in Kyiv, Ukraine, to monitor air-defense systems and critical infrastructure ahead of missile strikes; some feeds were even streamed publicly on YouTube. A May 2025 joint advisory from more than 20 international agencies (including the U.S., UK, Australia, and others) warned of an ongoing Russian GRU campaign that systematically targeted RTSP servers hosting IP cameras at Western logistics and technology firms, primarily to harvest live imagery and metadata from Ukrainian networks.

Exposed Cameras as Everyday Espionage Tools
In June 2025, cybersecurity firm Bitsight identified more than 40,000 security cameras worldwide with live feeds accessible via nothing more than a web browser and an IP address. Many were located in homes, offices, factories, and public spaces; attackers could view interiors, employee movements, or manufacturing processes in real time. Dark-web forums openly discussed tools to locate and abuse these exposures.

Nation State Espionage Interest
Nation States with an interest in espionage are funnelling data in huge quantity to be processed and harvested for information. Especially concerning China, a myriad of reports show concrete evidence of automatic “phoning home” behavior, persistent data exfiltration even when cloud features are disabled, and specific incidents of communication with China-based servers. This aligns with broader concerns under China’s National Intelligence Law, which requires companies to assist state intelligence efforts.

IoT Cameras as Ransomware Springboards
In early 2025, the Akira ransomware group demonstrated a particularly creative pivot. After endpoint detection and response (EDR) tools blocked their Windows-based encryptor, attackers gained remote shell access to an unsecured Linux-based IP webcam on the victim’s network. From the camera they mounted network shares, exfiltrated data, and launched the ransomware payload—bypassing traditional defenses entirely.

Botnet Armies Built from Hijacked Cameras
Compromised IP cameras and network video recorders (NVRs) remain favorite building blocks for massive botnets. In June 2025, the Eleven11bot malware infected roughly 30,000 devices—mostly outdated IP cameras and NVRs—turning them into a coordinated attack infrastructure. Variants of the decade-old Mirai malware continue to evolve, exploiting unpatched flaws such as those in AVTECH cameras as late as 2024–2025.

Critical Infrastructure at Risk
Unpatched vulnerabilities in AVTECH IP cameras—widely used in finance, healthcare, transportation, and other critical sectors—were actively leveraged to spread Mirai-based malware, prompting advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Physical disruption is easily achieved. In July 2025, a cyberattack on the Netherlands’ Public Prosecution Service rendered dozens of speed cameras permanently offline (or at least kept them from being reactivated), demonstrating how compromised camera infrastructure can directly impair law-enforcement capabilities.

What This Means for Organizations and Individuals

These incidents show a clear pattern: attackers no longer need sophisticated zero-days to cause harm. They simply locate the weakest link in the expanding IoT/OT attack surface—often a camera —and repurpose it. The consequences range from privacy violations and espionage to physical-world kinetic support in Cyber War and large-scale service outages.

The good news is that advances in technology does not only provide more leverage to attackers - Defenders also have access to new tools: Enter Zero Trust Connectivity - a new expression of Zero Trust that is implemented on the network level, can disrupt attacks before they could establish a connection. This requires no endpoint agent and does not rely on detecting an attack before the attack could be disrupted. Deployment is decentralized which aids in resilience and facilitates sovereign data custody - meaning there is no centralized data flow or decryption required that has traditionally hindered IoT devices that contain confidential data from being protected by 3rd party security systems.

Defenders must treat every camera, sensor, and OT endpoint with the same rigor as traditional IT assets: enforce strong, unique credentials; implement network segmentation (never expose OT/IoT devices directly to the internet); apply verified patches promptly; monitor for anomalous behavior; and adopt zero-trust principles even for “dumb” devices. The vulnerability protection of ZeroTrust Connectivity without the need to detect intrusions & asset inventory are no longer optional—they are table stakes.

The uncomfortable truth is that the eyes we install to watch over us can just as easily watch for our adversaries. In cybersecurity, the watcher must be watched most closely of all.

Additional Reading:

Purdue 2.0? : Rising to the Challenge to secure OT with Zero Trust Connectivity - The ADAM Blog - ADAMnetworks - Explains the role of Zero Trust Connectivity applied to the protection of OT and Critical Infrastructure

“Wartime Usage of Compromised IP Cameras Highlight Their Danger” – Discusses Iranian, Russian, and other actors exploiting cameras for real-time intelligence in conflicts.

“When Smart Cameras Turn Blind: The Growing Cyber Threat to IoT Security Systems” – Covers vulnerabilities in smart camera infrastructure and attacks like the Netherlands speed camera incident.

“The Hidden Security Crisis: Why Your IoT Devices Are Handing Attackers the Keys to Your Network” – Details the Akira ransomware case using a compromised IP webcam as a pivot.

Healing a Broken Philosophy that Keeps Hurting Healthcare - Explores the vulnerability of IoT technologies and how Zero Trust Connectivity provides a solution for protecting technology debt in IoT-rich environments.

1 post - 1 participant

Read full topic

The post When Your Own Eyes Turn Against You: How Compromised Security Cameras and IoT/OT Devices Become Tools for Your Attackers appeared first on Security Boulevard.