On December 12, 2025, the MongoDB Security Engineering team disclosed a high-severity security flaw in the core MongoDB Server product — a vulnerability that quickly earned the nickname “MongoBleed.” In the weeks that followed, this issue transitioned from academic concern to active exploitation, making it one of the most important database security stories heading into 2026.
Category: Vulnerabilities
The Master Key Vulnerability: How GitHub PATs Became the Crown Jewel of Cloud Compromise
In our recent analysis of the Shai-Hulud worm’s devastating impact on the npm ecosystem, we observed how supply chain attacks have evolved from opportunistic package poisoning to systematic ecosystem compromise. At the heart of that attack, and increasingly at the centre of modern cloud breaches, lies a deceptively simple credential: the GitHub Personal Access Token (PAT).
These tokens, designed to streamline developer workflows and enable seamless automation, have become the skeleton key that unlocks entire organisational infrastructures. From the SolarWinds compromise to recent attacks on major cloud service providers, GitHub PATs consistently appear as both the initial attack vector and the mechanism for persistent access.
This isn’t coincidental. GitHub PATs represent a perfect storm of high privilege, broad scope, and minimal oversight, making them irresistible targets for sophisticated threat actors. To understand why these tokens have become the crown jewel of cloud compromise, we must examine how their design philosophy, which prioritises developer convenience over security boundaries, creates systemic vulnerabilities that extend far beyond GitHub itself.
The Silent Breach: Why Stolen Tokens Are More Dangerous Than Stolen Passwords
In our previous briefings, we dissected the campaigns of UNC6040’s vishing attacks and UNC6395’s supply chain compromise. The common thread weaving through these devastating breaches wasn’t a software zero-day or a brute-forced password; it was the abuse of a legitimate, fundamental component of the modern cloud: the OAuth token.
This isn’t a problem limited to a few threat actors. Throughout 2024 and 2025, a wave of attacks has exploited the core logic of OAuth, allowing adversaries to bypass MFA and breach major corporations like Google, Allianz Life, and Louis Vuitton by tricking users into authorising malicious applications. The attackers don’t need to break in when they can be invited in through a legitimate, token-based handshake.
This is the threat of the OAuth Replay Attack. It’s an attack on the very architecture of trust that connects our cloud applications. To defend against it, you must understand that the target isn’t just your password; it’s the digital key that the password unlocks.