Security Leftovers
-
SANS ☛ Scans for EncystPHP Webshell, (Mon, Apr 13th)
Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials. But some attackers are paying attention and are deploying webshells with more difficult-to-guess credentials. Today, I noticed some scans for what appears to be the "EncystPHP" web shell. Fortinet wrote about this webshell back in January.
-
Security Week ☛ CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads
Download links were replaced by a Russian-speaking threat actor to distribute a recently emerged malware named STX RAT.
-
Scoop News Group ☛ Here’s how cyber heavyweights in the US and UK are dealing with Claude Mythos [Ed: Mostly hype, marketing pitch]
Two reports from former high-level U.S. cyber officials and the UK government’s top Hey Hi (AI) research institution reveal how top defenders think about the tool’s hacking capabilities.
-
Bruce Schneier ☛ On Anthropic’s Mythos Preview and Project Glasswing
The cybersecurity industry is obsessing over Anthropic’s new model, Claude Mythos Preview, and its effects on cybersecurity.
-
Tom's Hardware ☛ Website backup crippled by 1.6MB Friends GIF that was replicated 246,173 times, breaking Linux's EXT4 filesystem limit — Jennifer Aniston's 'happy dance' animation ate up 377 gigabytes of data due to security policy
A single reaction animation, frequently duplicated in chats by community members, added 377GB to a site's backup quota.
-
Dhole Moments ☛ Hybrid Constructions: The Post-Quantum Safety Blanket
The funny thing about safety blankets is they can double as stage curtains for security theater.
-
Securepairs ☛ Open Letter To Colorado Senators: We’re Cyber Experts: This Bill Is Bad For Security.
Secure Repairs is urging Colorado Senators to oppose SB26-090, a bill that seeks to gut the state's right to repair law under the false pretense that repair poses a cyber risk.
-
HackRead ☛ OpenSSF Flags Malware Campaign on Slack Posing as Linux Foundation Figures
Open Source Security Foundation (OpenSSF), a group of open source software security specialists, is warning about a new phishing scam where hackers are targeting software developers using the Slack chat app.
These scammers pretend to be well-known leaders from the Linux Foundation, with the aim of getting developers to download malware that could give them total control over a computer. Their modus operandi is based on mimicking a legitimate Google Workspace flow, which redirects unsuspecting developers to a malicious page.
-
TechRadar ☛ Proton VPN promises better stability for Linux users with latest app update
Proton VPN has just rolled out a major update for its Linux community, promising significantly improved reliability and performance.
Whether you are trying to bypass censorship or simply want the best VPN to secure your daily browsing, connection drops are a major pain point. To tackle this head-on, Proton VPN has officially moved its command-line interface (CLI) out of beta access.
Releasing version 1.0.0 for Linux, the provider emphasized that the core objective of this milestone was to eliminate bugs and smooth out the user experience.
-
Windows TCO / GitHub TCO
-
Security Week ☛ Fake Claude Website Distributes PlugX RAT
The malware mimics the legitimate Anthropic installation, relies on DLL sideloading, and cleans up after itself.
-
Security Week ☛ OpenAI Impacted by North Korea-Linked Axios Supply Chain Hack
The Hey Hi (AI) giant is taking action after determining that a macOS code signing certificate may have been compromised.
-
Scoop News Group ☛ OpenAI’s Mac apps need updates thanks to the Axios hack
The company said a developer tool automatically retrieved a malicious version of the popular open-source library, but insists the integrity of its systems and software was not impacted.