Episode 20  •  Jun 5, 2026  •  48 Min

Forged VPN Sessions, Autonomous AI Worm, and Hotel Reservation Hijacking

Six stories, one thread: at scale, systems are trading "is this true?" for "is this probably true?" Attackers live in that gap. Here's what stood out from the operator chair.

Nobody cracked the login; they forged the token that skips it. This was never an attack on authentication; it was an attack on the feature built to make authentication less painful, which is a much softer target. Palo Alto disclosed a GlobalProtect bypass (CVE-2026-0257) where, in vulnerable configurations, a forged authentication-override cookie is accepted with no signature check, and Rapid7 saw it exploited four days later. To an operator, a convenience layer that stands in for re-authentication is exactly where you go looking: trusted by design and rarely watched. Read the four-day window less as a nudge to patch faster and more as confirmation that disclosure-to-exploitation is now short enough that the attacker is usually moving before you are. And the gateway is only the doorway. A state-linked crew isn't collecting VPN boxes; they're collecting whoever sits behind them.
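The defect described above is a convenience token that the gateway trusts without verifying. The following is an added example, not code from the podcast, from Palo Alto, or from GlobalProtect: it shows, in generic terms, a weak validator that trusts whatever user an override cookie names beside a hardened one that verifies an HMAC signature in constant time and enforces expiry before trusting anything in the payload. The secret, cookie format and function names are constructed for illustration and say nothing about how any real product implements this.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example only; a real deployment loads it from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_override_cookie(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a signed, expiring 'skip re-authentication' cookie as payload.signature."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": int(now + ttl_seconds)}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def weak_validate(cookie: str) -> Optional[str]:
    """Weak pattern: decode the payload and trust the user it names; the signature is never checked."""
    try:
        payload = json.loads(_unb64(cookie.split(".")[0]))
        return payload["user"]
    except (ValueError, KeyError, IndexError, TypeError):
        return None


def strict_validate(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened pattern: verify the HMAC in constant time, then check expiry, only then trust the user."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking how many signature bytes matched through timing.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or not isinstance(data.get("exp"), int) or data["exp"] < now:
        return None
    user = data.get("user")
    return user if isinstance(user, str) else None


def unsigned_cookie_for_test(user: str) -> str:
    """Constructed test input: a payload naming any user, paired with a signature that is not valid."""
    payload = json.dumps({"user": user, "exp": 2**31}, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_b64(b'not-a-real-signature')}"


if __name__ == "__main__":
    good = issue_override_cookie("alice", 3600)
    bogus = unsigned_cookie_for_test("admin")
    print("weak validator accepts unsigned cookie as:", weak_validate(bogus))
    print("strict validator accepts unsigned cookie as:", strict_validate(bogus))
    print("strict validator accepts issued cookie as:", strict_validate(good))
```

The detection angle follows from the same design: a gateway that verifies the signature can log every rejected override cookie, which turns forgery attempts into an observable event rather than a silent login.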

What stops an autonomous worm is a network too messy to predict. Read past the nightmare headlines and the shift underneath is small but real: this worm doesn't act like malware, it behaves like a tireless junior pen tester — one that read every doc, never gets bored, and reasons its way to a fresh exploit on each box it lands on. University of Toronto researchers let it loose in a simulated network, and it took three-quarters of the machines with no human in the loop. The one thing it can't do is tell when it's being lied to, and a real network is built out of exactly that friction. Honeypots, name resolution that half-works, the legacy box where the password fails for no reason, a Jackie in accounting who notices her machine acting strange and calls it in. That's what derails a script that's certain it's right. So the takeaway isn't a CVE to patch. It's that the messiness defenders usually apologize for is, this once, the control that's working.

They talked the support bot into helping. Strip the AI framing and nothing here was hacked. Somebody social-engineered a robot that happened to be holding the keys. Attackers talked Meta's AI support assistant into binding a new email to a target account and firing off the reset code, taking over high-value Instagram handles with no exploit involved. The real lesson is about agents: the more human an assistant acts, the more it can be conned like a human, and this one had write access to account recovery while judging identity on soft tells like location instead of proof. That's the same lapse a green help-desk rep makes, except agents scale and never get suspicious. The only thing that actually held was 2FA, the unglamorous control everyone treats as optional right up until it's the last one standing.

A single RCE gets you a box; one help-desk call gets you everything. The blunt takeaway: you can't patch people, and an attacker will keep dialing until a persona lands. ShinyHunters turned one voice-phishing call into one employee's Microsoft Entra account at Charter, pivoted into Salesforce, and left with 4.9 million customer records. An RCE buys you one box and a long climb. One trusted IT login buys the support panels, the CRMs, and everything those roles touch with no climb required. That asymmetry is why crews keep running the same Salesforce play target after target: it isn't clever, it's just the highest-leverage move on the board. The exposure was never the phone call. It's how much access organizations quietly stack behind a single login.

Every phishing tell we taught people disappeared. The whole security-awareness playbook — check the sender, check the URL, watch for the detail that's off — just stopped working. In the "reservation hijacking" campaign, attackers phish into a hotel's booking system and then message guests through the real platform, citing the real reservation, dates, and amount due, so there's nothing wrong left to catch. One guest approved a €1,000-plus charge with a legitimate one-time code, and because every signal was authentic the bank wouldn't reverse it. Everyone in the chain was just following the rules. The question this leaves defenders with is what you even tell a user when the malicious message genuinely comes from the channel you told them to trust. The honest answer is that you stop putting the last line of defense on the user at all.

Distributed C2 beats a single takedown. The headline is a takedown; the lesson is that resilient infrastructure now loses only to equally resilient cooperation. GlassWorm deliberately scattered its command-and-control across Google Calendar titles, Solana memos, and BitTorrent, so killing one channel left the others to rebuild it, which is why CrowdStrike, Google, and Shadowserver had to take all of them down in the same instant. It worked, and it burned those hiding spots for good. The part worth sitting with is what it reveals about the other side: these operators run a business, with bulletproof-hosting bills, tiered burned-versus-fresh tooling, and campaigns tracked like a sales pipeline. Even threat actors have a risk appetite, so the real win isn't the outage, it's making the next rebuild expensive enough to give them pause.

Security Headlines:



Sean McMillan

Community Manager

Sean McMillan is Community Manager at Bishop Fox, focused on making complex security topics easier to understand and more interesting to follow. He holds a bachelor’s degree in Mass Communication and Media Studies from Arizona State University and brings over a decade of experience in podcasting, live hosting, and audience engagement. As host of Initial Access, he works with practitioners to explore how real-world attacks actually happen.



Shad Malloy

Managing Senior Consultant II

Shad Malloy is a Managing Senior Consultant II at Bishop Fox focused on network penetration testing, vulnerability risk management, and application security. He has advised multiple industries including health care, financial services, energy, and technology, and has also spent time working in and managing security for education, health care, and national government agencies. Shad holds a Bachelor of Science in Computer Information Systems as well as industry certifications like the CISSP.



Sergio Villegas

Senior Analyst II

Sergio Villegas is a Senior Analyst II in the Attack Surface Intelligence team at Bishop Fox where he is one of the lead researchers. His main areas of focus are emerging threats, attack surface mapping, and tactical lead generation. Sergio has over 11 years of experience in cybersecurity during which he has worked as a researcher and consultant to help companies improve their procedures, technologies, and techniques around threat intelligence and threat hunting.

