Starkiller AitM Kits Turn MFA Bypass Into a Commodity

◆ DEEP DIVES

1. 01

   Starkiller + OAuth Weaponization: Your Authentication Architecture Needs Emergency Surgery

   <h3>The Convergence That Breaks Your Auth Stack</h3><p>Three distinct authentication attack vectors landed simultaneously, each targeting a different trust assumption your security program relies on. Together, they represent the most significant erosion of enterprise authentication controls in a single intelligence cycle.</p><h4>Starkiller: MFA Bypass as a Commodity Service</h4><p><strong>Starkiller</strong> is a new phishing-as-a-service platform using an Adversary-in-the-Middle reverse proxy to sit between victims and legitimate login pages. The victim sees the real login page, enters credentials and MFA codes, and the proxy captures the <strong>authenticated session cookie</strong>. The attacker replays that cookie — MFA is never bypassed, it's rendered irrelevant. This technique existed in tools like Evilginx and Modlishka, but Starkiller's commercialization makes it accessible to anyone willing to pay.</p><blockquote>MFA isn't being defeated — it's being made irrelevant. The attacker gets the post-authentication session, and your MFA event log shows a successful, legitimate login.</blockquote><h4>OAuth Redirect Abuse: Weaponizing Protocol-by-Design Behavior</h4><p>Microsoft's Defender Security Research Team identified campaigns using <strong>intentionally invalid OAuth scopes</strong> to force error redirects and re-authentication events. The technique delivers malicious ZIP payloads without stealing OAuth tokens — it exploits the trust that security tools place in OAuth redirect URLs because they <em>are</em> legitimate OAuth infrastructure. Current targets are government entities, but the technique is universally applicable. Microsoft removed several malicious OAuth apps but warns activity persists.</p><h4>Chrome/Gemini Privilege Escalation (CVE-2026-0628)</h4><p>Unit 42 disclosed <strong>CVE-2026-0628 (CVSS 8.8)</strong> — a Chrome extension with only basic <strong>declarativeNetRequests permissions</strong> could hijack Gemini Live, escalating to camera, microphone, screenshots, and local file system access. Patched in Chrome 143.0.7499.192 on January 5, 2026, but any unpatched instance remains vulnerable. This demonstrates that <strong>AI integrations in browsers create new privilege escalation classes</strong> that traditional extension permission models don't account for.</p><table><thead><tr><th>Attack Vector</th><th>What It Bypasses</th><th>Patch/Fix Status</th><th>Your Priority</th></tr></thead><tbody><tr><td>Starkiller AitM</td><td>TOTP, SMS, push MFA</td><td>No patch — architectural defense required</td><td>FIDO2 acceleration this week</td></tr><tr><td>OAuth redirect abuse</td><td>Email gateways + browser phishing protection</td><td>Partial — app removal ongoing</td><td>OAuth consent lockdown + detection rules</td></tr><tr><td>CVE-2026-0628 (Chrome/Gemini)</td><td>Chrome extension sandboxing</td><td>Patched in Chrome 143.0.7499.192</td><td>Verify fleet Chrome versions within 48 hours</td></tr></tbody></table><hr><h3>Detection Engineering for AitM</h3><p>Deploy detection rules targeting: authenticated sessions appearing from new IPs/devices <strong>without corresponding MFA challenge events</strong>, session tokens originating from known proxy infrastructure, and impossible travel patterns on authenticated sessions. Your XDR/SIEM should correlate authentication events with network telemetry to catch post-AitM session replay. Additionally, implement conditional access policies that flag proxy-based authentication anomalies.</p>

   Action items

   • Begin FIDO2/passkey enrollment for all privileged accounts (IT admins, finance, executives) this week; set org-wide migration timeline by end of month
   • Restrict OAuth app consent in Entra ID to admin-approved, verified publishers only; audit existing OAuth grants for excessive permissions (Mail.Read, Files.ReadWrite.All) by Friday
   • Verify Chrome auto-update across fleet to confirm version 143.0.7499.192+; audit extensions using declarativeNetRequests API against Google domains
   • Deploy AitM-specific SIEM detection rules correlating authentication events with network telemetry for session cookie replay indicators

   Sources:Android 0-Day, Chrome Exploit, Phishing Kit Bypasses MFA, Microsoft Flags OAuth Threats · SANS NewsBites Vol. 28 Num. 16 · Quantum Decryption of RSA is Much Closer than Expected

2. 02

   hackerbot-claw Compromised Trivy, DataDog & Microsoft — Plus a Node.js Flaw Nobody Will Fix

   <h3>AI-Automated Supply Chain Exploitation Is Now Real</h3><p>StepSecurity researchers uncovered <strong>hackerbot-claw</strong>, an automated bot that scanned <strong>47,000+ repositories</strong> for vulnerabilities and then <em>actually exploited</em> what it found — compromising 6 popular open-source projects including repos from <strong>DataDog, Microsoft, and Aqua Security</strong>. Trivy, one of the most widely-used container security scanners, was fully compromised, forcing Aqua Security to rename and privatize the repository.</p><blockquote>This isn't a scanner that filed bug reports. It weaponized its findings against the repos it scanned — automating the entire kill chain from reconnaissance through exploitation.</blockquote><p>The MITRE ATT&CK mapping spans <strong>T1195.001 (Supply Chain Compromise: Compromise Software Dependencies)</strong> and <strong>T1059 (Command and Scripting Interpreter)</strong>. If Trivy, DataDog open-source components, or Microsoft open-source repos are in your dependency tree, treat this as a potential supply chain incident requiring immediate SBOM analysis and artifact hash verification.</p><hr><h3>Node.js TOCTOU: The Vulnerability Nobody Will Fix</h3><p>A long-standing <strong>TOCTOU (Time-of-Check-Time-of-Use) race condition</strong> in Node.js <code>ClientRequest.path</code> allows attackers to bypass CRLF validation by mutating the path after construction but before header serialization. This enables <strong>header injection, body injection, and full HTTP request splitting</strong> across popular proxy and HTTP client libraries with roughly <strong>160M+ weekly downloads</strong>.</p><p>The critical detail: <strong>Node.js considers this out of scope for its threat model</strong>, explicitly shifting responsibility to library authors and application developers. No CVE will be issued. No upstream patch is coming. Your AppSec team owns this entirely.</p><table><thead><tr><th>Supply Chain Threat</th><th>Scope</th><th>Upstream Fix</th><th>Your Action</th></tr></thead><tbody><tr><td>hackerbot-claw</td><td>6 major OSS projects (Trivy, DataDog, Microsoft)</td><td>Repos remediated/privatized</td><td>SBOM audit + artifact verification today</td></tr><tr><td>Node.js TOCTOU</td><td>160M+ weekly downloads</td><td><strong>None — declared out of scope</strong></td><td>Application-layer audit and mitigation this week</td></tr></tbody></table><hr><h3>The Broader Pattern</h3><p>Three separate supply chain stories this cycle reinforce that <strong>third-party risk is your primary attack surface</strong>: hackerbot-claw demonstrates automated exploitation at scale, the Node.js refusal to fix shows upstream won't always save you, and the DHS/ICE vendor data leak (6,000+ vendor contracts exposed by hacktivist group "Department of Peace") provides a reconnaissance goldmine for targeting the federal supply chain. The traditional model of trusting popular, well-maintained repos is breaking down when AI bots can find and exploit vulnerabilities faster than maintainers can patch them.</p>

   Action items

   • Run SBOM analysis against hackerbot-claw compromised repos (Trivy, DataDog, Microsoft OSS) today; verify artifact hashes against known-good versions and check for unexpected commits
   • Audit all Node.js HTTP client and proxy library usage for TOCTOU path mutation vulnerability this week; implement path immutability at application layer
   • Determine if your organization appears in the leaked DHS/ICE vendor dataset; brief SOC to watch for spear-phishing referencing specific contract details
   • Deploy Kerberos TGT anomaly detection using Windows Event ID 4768 flag analysis to identify Metasploit and similar tooling in AD environments

   Sources:Qualcomm Zero Day Patch, Detecting Kerberos Anomalies, Hackerbot-Claw Exploits Repos · SANS NewsBites Vol. 28 Num. 16 · Quantum Decryption of RSA is Much Closer than Expected

3. 03

   Wi-Fi Client Isolation Is Universally Broken — And RESURGE Is Sleeping in Your Ivanti Appliances

   <h3>AirSnitch: Every Tested Router Vendor Fails</h3><p>UC Riverside researchers demonstrated that <strong>every tested router vendor</strong> — Netgear, Cisco, Ubiquiti, ASUS, TP-Link, and more — is vulnerable to at least one AirSnitch attack technique. The attacks bypass client isolation through GTK abuse, gateway bouncing, and port stealing to achieve <strong>full bidirectional MitM</strong>. In enterprise environments, this enables stealing uplink RADIUS packets and deploying rogue RADIUS servers.</p><p>This is an <strong>architectural flaw, not a patchable vulnerability</strong>. No CVE exists because the problem is in the design of Wi-Fi client isolation itself. If your guest networks, conference rooms, or branch offices use client isolation as the sole barrier between wireless clients, you have a segmentation gap that compensating controls must address.</p><blockquote>Wi-Fi client isolation is no longer a security control — it's a speed bump. Remove it from your risk register as 'mitigated' and deploy actual segmentation.</blockquote><h4>Compensating Controls Required</h4><ul><li><strong>VLAN segmentation</strong> on all Wi-Fi networks — the only reliable isolation mechanism</li><li><strong>802.1X authentication</strong> with per-user VLAN assignment</li><li><strong>IP spoofing prevention</strong> at the AP layer</li><li>Request <strong>per-client GTK randomization</strong> from your AP vendor</li><li>For critical wireless segments, begin <strong>MACsec evaluation</strong></li></ul><hr><h3>RESURGE: The Sleeper in Your Ivanti Perimeter</h3><p>CISA updated malware analysis report <strong>AR25-087A</strong> with new IoCs for RESURGE, exploiting <strong>CVE-2025-0282</strong> (critical stack-based buffer overflow) in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The key finding that distinguishes this from previous Ivanti advisories: RESURGE can <strong>remain dormant indefinitely</strong>, hooking the web process and waiting for a specific remote connection to activate. It uses a fake Ivanti certificate — transmitted unencrypted — to authenticate with its operator.</p><p>This means a compromised appliance looks completely normal until the attacker decides to wake it up. <strong>Standard vulnerability scanning and even patching won't detect an already-implanted RESURGE instance.</strong> You need to actively hunt using CISA's updated IoCs, specifically looking for fake Ivanti certificates transmitted unencrypted and anomalous web process hooking behavior.</p><table><thead><tr><th>Threat</th><th>Type</th><th>Detection Method</th><th>Urgency</th></tr></thead><tbody><tr><td>AirSnitch Wi-Fi bypass</td><td>Architectural flaw — no CVE</td><td>Cannot detect; must deploy compensating controls</td><td>Deploy VLANs this sprint</td></tr><tr><td>RESURGE on Ivanti</td><td>Dormant implant — CVE-2025-0282</td><td>CISA AR25-087A IoCs; hunt for fake certs</td><td>Hunt on all Ivanti appliances today</td></tr></tbody></table>

   Action items

   • Initiate threat hunt on all Ivanti Connect Secure, Policy Secure, and Neurons for ZTA appliances using CISA's updated AR25-087A IoCs today; invoke full IR if indicators found
   • Deploy VLAN segmentation on all Wi-Fi networks this sprint; remove client isolation from security control documentation
   • Request per-client GTK randomization support timeline from your AP vendor; begin MACsec evaluation for critical wireless segments

   Sources:SANS NewsBites Vol. 28 Num. 16 · Quantum Decryption of RSA is Much Closer than Expected · 7 factors impacting the cyber skills gap

4. 04

   AI-Generated Code Ships Vulnerabilities 45% of the Time — While Your Engineers Use 3 AI Tools You Haven't Vetted

   <h3>The Numbers Are In: AI Code Is a Systemic AppSec Liability</h3><p>Veracode's testing found that <strong>AI-generated code introduced security flaws in 45% of tests</strong>. A Stanford study compounds this: developers using AI assistants wrote <em>less secure</em> code while being <em>more confident</em> it was safe. This is the textbook definition of a false sense of security — your developers are shipping more vulnerabilities faster and trusting them more.</p><p>Now layer on the adoption data from a survey of <strong>906 experienced software engineers</strong> (median 11-15 years experience): <strong>95% use AI tools weekly</strong>, 70% use 2-4 tools simultaneously, and 55% regularly use autonomous AI agents. Claude Code — a terminal-first agent with direct filesystem access that didn't exist before May 2025 — is now the #1 tool, overtaking GitHub Copilot. Cursor hit <strong>$2B ARR with 60% enterprise revenue</strong>.</p><table><thead><tr><th>Tool Category</th><th>Examples</th><th>DLP Visibility</th><th>Security Gap</th></tr></thead><tbody><tr><td>IDE Plugins</td><td>GitHub Copilot, Cursor</td><td>Partial (browser-based IDEs)</td><td>Medium</td></tr><tr><td>Terminal Agents</td><td>Claude Code, Gemini CLI</td><td><strong>None — invisible to network monitoring</strong></td><td>Critical</td></tr><tr><td>Autonomous Agents</td><td>Codex, Factory, SWE-AF</td><td>None</td><td>Critical</td></tr></tbody></table><h4>The Shadow AI Dimension</h4><p>Claude Code is 9 months old. At companies with bureaucratic tool approval processes, it may not be on the approved list — yet it's the most-used tool in the survey. The gap between what's approved and what's preferred virtually guarantees shadow usage. Additionally, Chinese-origin models (<strong>DeepSeek, Alibaba Qwen, Moonshot Kimi</strong>) are in active use by some engineers, routing proprietary code through jurisdictions with mandatory data sharing laws.</p><hr><h3>LLM-Powered Deanonymization: $4 Per Target</h3><p>A separate but related finding: researchers demonstrated a four-stage LLM pipeline called <strong>ESRC</strong> that can deanonymize pseudonymous accounts at scale for <strong>$1-4 per person</strong>. It extracts identity features from unstructured text and matches profiles across platforms. This breaks pseudonymity as a privacy control for threat intel personas, whistleblower channels, and security researcher accounts.</p><blockquote>Pseudonymity is no longer a privacy control — it's a speed bump that costs an attacker $4 to bypass.</blockquote>

   Action items

   • Conduct an AI tool inventory across engineering teams this week — survey actual usage (not just approved tools) and map data flows for each, including terminal-based agents invisible to CASB
   • Ensure SAST/DAST/SCA runs on 100% of PRs with specific rules for AI-generated vulnerability patterns (hardcoded secrets, missing input validation, insecure deserialization)
   • Audit all pseudonymous accounts operated by your organization — threat intel personas, researcher accounts, whistleblower channels — and implement stylometric countermeasures
   • Establish pre-commit secrets scanning as a tool-agnostic safety net across all repositories; deploy detection for AI tool API endpoints in network traffic

   Sources:AI News Weekly - Issue #468 · AI Tooling for Software Engineers in 2026 · TLDR Dev · The Neuron · Qualcomm Zero Day Patch, Detecting Kerberos Anomalies, Hackerbot-Claw Exploits Repos