Why Organizations Are Still Leaking Data via Amazon S3
If you’ve been keeping up with IT security headlines over the past 5 years, you likely remember seeing hundreds or even thousands of headlines that look something like this: “(Insert Company X) leaks (X records) due to misconfigured Amazon S3 bucket”. In most cases, this misconfiguration is public accessibility, and especially for the larger organizations…
Critical React & Next.js Vulnerability Enables Full Server Takeovers
A newly disclosed flaw in React Server Components (RSC) and the frameworks built upon them—most notably Next.js—has exposed a massive attack surface across the modern web. Tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this vulnerability allows attackers to execute arbitrary code on vulnerable servers without authentication. While the immediate threat is Remote Code Execution (RCE),…
LexisNexis Intrusions
In late 2024, Casmer Labs tracked a breach affecting global legal data company LexisNexis, where information affecting over 360000 people was stolen. Albeit in a different manner, the organization was hit again in early March 2026, with attackers claiming possession of over 4000000 stolen personal information records. While the first incident was a third-party supply…
Attackers Weaponizing Internal OAuth Apps to Persist Past Password Resets
Adversaries are exploiting Microsoft’s OAuth model to maintain persistent access — even after users change passwords or enable MFA. First reported late in October of 2025 by Proofpoint, attackers are utilizing malicious internal OAuth applications within a victim’s tenant to maintain access to systems, including email and files, without detection. Unlike external third-party apps, these in-tenant…
More Prompt Injection and Agentic Browsers
A few months ago, we wrote an article covering Prompt Injection and Agentic Browsers, including how prompt injection attacks work, a real-world example we put together, and the widespread implications of the increasing popularity of their use. More recently, a Calendar Exploit discovered by LayerX has been observed on a small-medium scale, demonstrating that even…
Why “Discord alternatives” Searches Jumped 10,000% Overnight
On February 11, 2026, Discord, one of the largest online communication platforms in the world, announced that it would begin implementing age-verification requirements starting at the end of February. The service, which was originally built for gamers as a more modern replacement for services such as TeamSpeak 3 and Mumble, has over 200 million active…
The Silent Bridge
In the past 24 months, many threat actors have begun to pivot from the saturation of Windows endpoints to a more focused targeting of Linux-based enterprise infrastructure. A recent example of this is the malware family SystemBC, which was originally discovered in 2019 as a Windows proxy bot. Recently, a new Linux variant of SystemBC…
The FortiGate “Phantom Patch”
In December 2025, Casmer Labs observed the disclosure of critical authentication bypass vulnerabilities in Fortinet’s FortiGate firewalls, CVE-2025-59718 and CVE-2025-59719. In late January, however, Casmer Labs began tracking a campaign that bypassed the original patches pushed to remediate the aforementioned vulnerabilities. How It Works: The two vulnerabilities primarily exploit the cryptographic verification process of SAML…
VoidLink: Context-Aware, Modular Malware
Over the past year, Casmer Labs has observed a marked increase in “cloud-aware” malware strains and families. VoidLink, which was discovered by researchers at Check Point in December 2025, is likely the most advanced we have seen so far, demonstrating a refined ability to ingest and recognize contextual details. The Cool (Scary) Parts: Upon infection,…
Supply Chain Persistence and Shai-Hulud
Supply chain-focused malware has become markedly more common in the past 24 months, with Shai-Hulud, aptly named after the giant sandworms in Frank Herbert’s Dune, taking much of the spotlight. First detected in September 2025, Shai-Hulud is a self-propagating worm that targets the npm JavaScript package registry. Now in its third iteration, Shai-Hulud…