Secnora INC


06/05/2026

Zero Trust sounds simple. 🔐

"Never trust, always verify."

But in real cybersecurity work, it is much more than a slogan.

In the new episode of the Secure by Design Podcast by Secnora, Daniel Kulig hosts cybersecurity expert Adeel Shaikh Muhammad for a practical conversation about the realities, myths, and marketing hype surrounding Zero Trust security. 🎙️

They discussed:

🔹 why Zero Trust matters in modern cybersecurity
🔹 how organizations can implement it effectively
🔹 where the biggest myths and buzzwords show up
🔹 why leadership matters as much as technology
🔹 how AI is changing the Zero Trust journey

One of the strongest takeaways from the episode:

Zero Trust is not just a product you buy. ⚠️

It is a security mindset, operating model, and leadership discipline that needs to be built into the organization over time.

Adeel brings a very practical, no-nonsense perspective to the topic, cutting through the buzzwords and focusing on what actually matters. 💡

Listen to the episode on Spotify here:
👉 https://open.spotify.com/episode/1i79d54ZOKbhrPWVW403tS

Watch, subscribe to Secure by Design, and share it with someone who still thinks Zero Trust is just another vendor buzzword.

Let's make some commotion around better cybersecurity conversations. 🚀

05/27/2026

๐Ÿ›ก๏ธ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—ถ๐—บ๐—ฝ๐—ฟ๐—ผ๐˜ƒ๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐—ถ๐˜€ ๐—ผ๐—ป๐—ฒ ๐—ผ๐—ณ ๐˜๐—ต๐—ฒ ๐—ต๐—ฎ๐—ฟ๐—ฑ๐—ฒ๐˜€๐˜ ๐˜๐—ต๐—ถ๐—ป๐—ด๐˜€ ๐˜๐—ผ ๐—บ๐—ฎ๐—ธ๐—ฒ ๐˜ƒ๐—ถ๐˜€๐—ถ๐—ฏ๐—น๐—ฒ

Not because it is not happening, but because the strongest evidence of progress in security is often the absence of something: the incident that never occurred, the access that was stopped before it was abused, the vulnerability that was remediated before someone else found it.

That makes conversations around security progress genuinely difficult.

Leadership teams want to see progress; security leaders need to demonstrate it. Yet many of the numbers commonly reported in security programmes, such as vulnerabilities identified, patches applied and controls marked compliant, say little about how much harder the organisation is to compromise.

The more important question is: "Is the organisation systematically becoming harder to compromise over time?"

In many organisations, the early warning signs are subtle at first.

Remediation backlogs begin growing faster than teams can close them. Incidents are identified externally before internal teams detect them. Access reviews happen once a year or sometimes less. Incident response plans exist on paper but have never been tested under real pressure. Third-party risk assessments are completed during onboarding and quietly forgotten afterward.

Security reporting continues to flow upward, but very little of it influences operational decisions on the ground. Over time, programmes that begin gaining traction start to look noticeably different.

📈 Mean time to remediate trends downward across consecutive quarters
🔍 Incidents are detected earlier in the attack chain by internal teams
🔄 Access reviews run on a defined cycle with documented outcomes
🧪 Tabletop exercises expose gaps that are actually addressed afterward
🤝 Third-party risk gets reassessed during renewals and scope changes
📊 Security data starts driving decisions instead of simply satisfying reporting requirements

The shift between those two states is rarely dramatic. It does not come from a single engagement, tool deployment or investment. It comes from consistent, structured improvement and from measuring what matters rather than what is easiest to report.

Over time, the real indicator of progress is not the number of findings reported; it is whether attackers have fewer opportunities, less room to move and a harder time succeeding than they did six months earlier.

That kind of improvement is not always obvious while it is happening, but when organisations begin detecting threats earlier, reducing remediation delays and turning security insights into action, the difference becomes visible, not just in reports or audits but in how resilient the environment is under real conditions.

🎯 The gap between security effort and visible progress is often smaller than it seems, but harder to measure clearly.

05/19/2026

๐Ÿšจ ๐—ง๐—ต๐—ฒ "๐— ๐—ถ๐—ป๐—ถ ๐—ฆ๐—ต๐—ฎ๐—ถ-๐—›๐˜‚๐—น๐˜‚๐—ฑ" ๐—ช๐—ผ๐—ฟ๐—บ ๐—ฆ๐˜๐—ฟ๐—ถ๐—ธ๐—ฒ๐˜€ ๐—”๐—ด๐—ฎ๐—ถ๐—ป, ๐—œ๐—บ๐—ฝ๐—ฎ๐—ฐ๐˜๐—ถ๐—ป๐—ด ๐—ง๐—ฎ๐—ป๐—ฆ๐˜๐—ฎ๐—ฐ๐—ธ, ๐—จ๐—ถ๐—ฃ๐—ฎ๐˜๐—ต & ๐— ๐—ถ๐˜€๐˜๐—ฟ๐—ฎ๐—น ๐—”๐—œ ๐—˜๐—ฐ๐—ผ๐˜€๐˜†๐˜€๐˜๐—ฒ๐—บ๐˜€

If your organization relies on TanStack, UiPath or Mistral AI, this incident highlights how modern supply chain attacks can quickly evolve beyond a developer-level issue into a broader enterprise security concern. Recent activity linked to TeamPCP demonstrates how attackers are targeting npm ecosystems and CI/CD infrastructure to distribute self-propagating malicious packages through trusted software pipelines.

๐Ÿ—๏ธ ๐—ง๐—ต๐—ฒ ๐—ข๐—ฟ๐—ด๐—ฎ๐—ป๐—ถ๐˜‡๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐—ฎ๐—น ๐—ง๐—ต๐—ฟ๐—ฒ๐—ฎ๐˜: ๐—–๐—œ/๐—–๐—— ๐—œ๐—ฑ๐—ฒ๐—ป๐˜๐—ถ๐˜๐˜† ๐—ง๐—ต๐—ฒ๐—ณ๐˜
The breach bypassed MFA and traditional password theft by targeting the build environment identity layer. A triple-vulnerability chain in GitHub Actions enabled a malicious pull request, cache poisoning via a compromised pnpm store and OIDC token exposure from runner process memory. Using these tokens, malicious package versions were published to npm without compromising account passwords or additional authentication controls.

๐Ÿ› ๐—ง๐—ต๐—ฒ ๐—ฃ๐—ฎ๐˜†๐—น๐—ผ๐—ฎ๐—ฑ: ๐—˜๐—ฐ๐—ผ๐˜€๐˜†๐˜€๐˜๐—ฒ๐—บ ๐—–๐—ผ๐—ป๐˜๐—ฎ๐—ด๐—ถ๐—ผ๐—ป
โ€ข Credential Siphoning: It targets AWS IMDSv2, GCP, Azure cloud metadata, Kubernetes service accounts, HashiCorp Vault secrets and CI/CD tokens such as GitHub Actions, GitLab or CircleCI.
โ€ข Self-Propagation: It uses stolen corporate tokens to access other writable registries and repositories and automatically publish poisoned updates to spread further.
โ€ข Evasive C2: Exfiltration uses a "Triple C2" setup involving git-tanstack[.]com, Session messenger network getsession[.]org and GitHub API dead drops.

๐Ÿ’ฃ ๐—ง๐—ต๐—ฒ ๐—ฅ๐—ฎ๐—ป๐˜€๐—ผ๐—บ๐˜„๐—ฎ๐—ฟ๐—ฒ-๐—ฆ๐˜๐˜†๐—น๐—ฒ ๐—ฅ๐—ฒ๐˜๐—ฎ๐—น๐—ถ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ง๐—ฟ๐—ถ๐—ด๐—ด๐—ฒ๐—ฟ
The malware establishes persistence on developer endpoints through a hidden gh-token-monitor background service that continuously validates GitHub tokens. Revoking a compromised token before removing the service may trigger a destructive rm -rf ~/ routine capable of wiping the userโ€™s home directory.

๐Ÿ› ๏ธ ๐—ฆ๐˜๐—ฒ๐—ฝ-๐—ฏ๐˜†-๐—ฆ๐˜๐—ฒ๐—ฝ ๐— ๐—ถ๐˜๐—ถ๐—ด๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ฃ๐—ฟ๐—ผ๐˜๐—ผ๐—ฐ๐—ผ๐—น
To help neutralize this threat across the organization, engineering teams should follow these steps:
โ€ข Neutralize Persistence First: Scan systems for the hidden gh-token-monitor background service in macOS LaunchAgents or Linux systemd user services and remove it before revoking GitHub tokens.
โ€ข Audit Lockfiles & IDE Directories: Search lockfiles and CI logs for affected package versions. Inspect .claude/ and .vscode/directories for persistence artifacts like 'router_runtime.js' or 'setup.mjs' which may remain after npm uninstall.
โ€ข Block Network Exfiltration: Block traffic to git-tanstack[.]com and getsession[.]org at corporate DNS/proxy level.
โ€ข Purge & Rotate: Once the local environment is verified clean, revoke and rotate all affected cloud credentials, npm tokens and GitHub secrets.
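The first two steps above can be scripted as a read-only triage scan that a responder runs on a developer endpoint before anyone touches a token. The script below is an added example written for this post; it is not Secnora's tooling and not from the advisory. The indicators it looks for (the gh-token-monitor service name, the .claude/ and .vscode/ directories, router_runtime.js and setup.mjs) are the ones named in the post; the function names, the directory layout of the constructed sample home and the report wording are assumptions. It only reports findings and never deletes anything, so that the removal of the service (and only then token revocation) stays a deliberate human step.

```shell
#!/bin/sh
# Added example (not Secnora's code, not from the advisory): a read-only scan for
# the persistence artifacts named in the post, meant to be run BEFORE any GitHub
# token is revoked. Indicator strings come from the post; function names and
# the constructed sample directory layout are assumptions.

SERVICE_NAME="gh-token-monitor"

# LaunchAgents plists and systemd user units that mention the hidden service,
# either in the file name or in the contents. Prints one path per line.
find_monitor_services() {
    root="$1"
    for d in "$root/Library/LaunchAgents" "$root/.config/systemd/user"; do
        [ -d "$d" ] || continue
        grep -rl "$SERVICE_NAME" "$d" 2>/dev/null || true
        find "$d" -type f -name "*${SERVICE_NAME}*" 2>/dev/null || true
    done | sort -u
}

# IDE-directory artifacts the post says can survive an npm uninstall.
find_ide_artifacts() {
    root="$1"
    for d in "$root/.claude" "$root/.vscode"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -name router_runtime.js -o -name setup.mjs \) 2>/dev/null || true
    done | sort -u
}

# Total number of artifacts found under one home directory (0 = clean).
count_findings() {
    { find_monitor_services "$1"; find_ide_artifacts "$1"; } | wc -l | tr -d ' '
}

# Human-readable report that restates the order of operations from the post.
# Returns 0 when clean, 1 when artifacts were found.
report() {
    root="$1"
    n=$(count_findings "$root")
    if [ "$n" -eq 0 ]; then
        echo "No persistence artifacts under $root; proceed to credential rotation."
        return 0
    fi
    echo "$n artifact(s) under $root. Remove the service BEFORE revoking tokens:"
    find_monitor_services "$root"
    find_ide_artifacts "$root"
    return 1
}

# Constructed sample home for an offline dry run: a fake LaunchAgent, a fake
# systemd user unit, one IDE artifact and one clean IDE directory. Nothing
# here is real malware; the files only contain the indicator strings.
make_sample_home() {
    h=$(mktemp -d) || return 1
    mkdir -p "$h/Library/LaunchAgents" "$h/.config/systemd/user" "$h/.vscode" "$h/.claude"
    printf '<plist><dict><key>Label</key><string>%s</string></dict></plist>\n' \
        "$SERVICE_NAME" > "$h/Library/LaunchAgents/com.example.$SERVICE_NAME.plist"
    printf '[Service]\nExecStart=/bin/sh -c "%s"\n' "$SERVICE_NAME" \
        > "$h/.config/systemd/user/$SERVICE_NAME.service"
    printf '// constructed placeholder for the dry run, not real code\n' \
        > "$h/.vscode/router_runtime.js"
    echo "$h"
}

# "--scan" checks the real home directory; with no argument, run the dry run
# against the constructed sample so the script is demonstrable offline.
if [ "${1:-}" = "--scan" ]; then
    report "${HOME:?}"
else
    sample=$(make_sample_home)
    report "$sample" || true
    [ -n "$sample" ] && rm -rf "$sample"
fi
```

Run it with `--scan` on a developer machine to check the real home directory; without arguments it exercises the constructed sample, which should report three artifacts (two service definitions and one IDE file). A non-zero exit from `report` is the signal to stop and remove the service by hand before the "Purge & Rotate" step, which is exactly the ordering the post warns about.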

Photos from Secnora INC's post 05/18/2026

Four years in a row as a CREST-accredited firm, and for SECNORA that is more than a badge. It means our methodologies, governance, technical capabilities and ethics are independently reviewed and re-validated every year, not claimed once and left unchecked.

Grateful to the team that puts in the work behind the scenes and to the clients who keep pushing us to raise the bar.

SECNORA® continues to maintain CREST accreditation across:
🔐 Penetration Testing
📱 CREST OVS Mobile Applications
🌐 CREST OVS Web Applications
🔎 Vulnerability Assessment

For the organisations we work with, this means engagements backed by independently assessed methodologies, validated technical standards, and consistent delivery quality.

This recognition reflects our long-term focus on practical, high-quality cybersecurity services that help organisations strengthen security, manage risk, and build resilience with confidence.

โžก๏ธ Swipe through to see what CREST accreditation means and why it matters.

*******onTesting

Address
2451 West Grapevine Mills Circle, Suite 211
Grapevine, TX
76051

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm
Saturday 9am - 5pm