<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: nithiya-rajesh</title>
    <description>The latest articles on DEV Community by nithiya-rajesh (@nithiyarajesh).</description>
    <link>https://dev.to/nithiyarajesh</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4015073%2F75d373d9-03ab-4505-8933-f1e12eca5095.png</url>
      <title>DEV Community: nithiya-rajesh</title>
      <link>https://dev.to/nithiyarajesh</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/nithiyarajesh"/>
    <language>en</language>
    <item>
      <title>The First Ransomware Attack With No Humans in the Loop Just Happened — and Your Playbook Isn’t Ready</title>
      <dc:creator>nithiya-rajesh</dc:creator>
      <pubDate>Sun, 12 Jul 2026 07:34:28 +0000</pubDate>
      <link>https://dev.to/nithiyarajesh/the-first-ransomware-attack-with-no-humans-in-the-loop-just-happened-and-your-playbook-isnt-ready-2ph5</link>
      <guid>https://dev.to/nithiyarajesh/the-first-ransomware-attack-with-no-humans-in-the-loop-just-happened-and-your-playbook-isnt-ready-2ph5</guid>
      <description>&lt;p&gt;Three weeks ago, security researchers watched something they’ve been warning about for a year actually happen: an AI agent ran a complete ransomware attack by itself. No human attacker typing commands. No delays waiting for approval. Start to finish — reconnaissance, exploitation, lateral movement, data exfiltration, and the extortion demand — all orchestrated by software.&lt;/p&gt;

&lt;p&gt;The attack is called JADEPUFFER. It’s the first confirmed case of end-to-end autonomous ransomware. And it means your incident response playbook, which is built around the assumption that humans are doing the attacking, is already obsolete.&lt;/p&gt;

&lt;p&gt;What JADEPUFFER actually did&lt;br&gt;
On July 7, 2026, Sysdig (a container security firm) published the technical details. JADEPUFFER isn’t a new piece of malware — it’s a proof of concept showing how an agentic AI can automate every stage of a ransomware intrusion without a human operator stopping to check in, approve, or adjust course.&lt;/p&gt;

&lt;p&gt;The kill chain it executed:&lt;/p&gt;

&lt;p&gt;Reconnaissance — the agent mapped the target network, identified high-value systems, and located backup infrastructure&lt;br&gt;
Initial access — exploited a known vulnerability to get a foothold&lt;br&gt;
Privilege escalation — moved from user-level to admin access&lt;br&gt;
Lateral movement — spread across the network to reach other systems&lt;br&gt;
Data exfiltration — identified and copied sensitive files to staging areas&lt;br&gt;
Encryption — deployed ransomware to lock files across the environment&lt;br&gt;
Extortion — crafted and delivered the ransom demand with proof of stolen data&lt;br&gt;
Every step. No operator. No waiting for a human to decide what to do next.&lt;/p&gt;

&lt;p&gt;If you’ve been in security long enough, you know what makes this different from ransomware as it’s existed for the past five years. Ransomware attacks have always been authored by humans — a team of specialists sitting at keyboards, making decisions, checking in on progress. An intrusion that takes hours or days to unfold is slow enough for a skilled defender to spot, interrupt, or at least slow down. The human operators’ need to sleep, coordinate, and think things through created natural choke points.&lt;/p&gt;

&lt;p&gt;JADEPUFFER removes that. An AI doesn’t sleep. It doesn’t second-guess. It doesn’t need to wait for approval to move to the next step. It moves at CPU speed.&lt;/p&gt;

&lt;p&gt;Why this is the story of the month&lt;br&gt;
The cybersecurity industry has spent the last year talking about agentic AI as a threat. Researchers have published white papers. Conferences have panels. Security vendors have released products claiming to defend against it.&lt;/p&gt;

&lt;p&gt;But JADEPUFFER is different. It’s not a theory anymore. It’s not a “we ran a simulation and here’s how bad it could be.” It’s a real attack, against a real target, documented and analyzed.&lt;/p&gt;

&lt;p&gt;That pivot from “this might happen” to “this is happening” changes everything about how you should think about your defenses. And most organizations haven’t caught up yet.&lt;/p&gt;

&lt;p&gt;Why your current playbook doesn’t work against this&lt;br&gt;
Every incident response plan ever written assumes something that’s no longer true: that the attacker is human and is therefore subject to human constraints.&lt;/p&gt;

&lt;p&gt;Your playbook probably says things like:&lt;/p&gt;

&lt;p&gt;“Monitor for unusual administrative login patterns”&lt;br&gt;
“Alert if someone accesses the backup infrastructure outside normal hours”&lt;br&gt;
“Catch lateral movement by tracking network traffic spikes”&lt;br&gt;
Those work great when an attacker has to be awake, has to coordinate with team members, and has to fit their attack into hours of elapsed time. An AI doesn’t care about “normal hours.” It doesn’t get tired and make mistakes. It doesn’t need to wait for a partner to respond on Slack.&lt;/p&gt;

&lt;p&gt;A machine-speed attack can cross your entire network and encrypt your most critical systems in minutes — faster than a human operator can even detect something’s wrong, let alone respond. Your SIEM is still indexing the first log when the attack is already over.&lt;/p&gt;

&lt;p&gt;The uncomfortable truth: detection now requires a different model&lt;br&gt;
Here’s what keeps security leaders up at night about JADEPUFFER: traditional threat detection is built around finding patterns of human behavior. An attacker who’s unusual or slow or hesitant triggers alarms. But an AI that’s perfectly normal, fast, and methodical might not.&lt;/p&gt;

&lt;p&gt;Think about it. What does an AI-driven reconnaissance look like? It looks like thorough documentation of network architecture. What does lateral movement look like? It looks like legitimate network administration. The AI isn’t trying to be sneaky in the way a human would be — it’s just executing the most efficient path to its goal, which happens to look like normal business operations if you’re only looking at individual events.&lt;/p&gt;

&lt;p&gt;The countermove isn’t to get smarter at detecting humans who pretend to be machines — it’s to shift your entire defensive model.&lt;/p&gt;

&lt;p&gt;What your organization should do starting today&lt;br&gt;
I know that’s a terrifying framing. Here’s the practical side: you don’t need to rebuild your entire security infrastructure overnight. But you do need to change how you think about detection and response.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Assume breach, accept speed. Your old playbook said “detect, contain, eradicate.” That takes days or weeks. Against JADEPUFFER-class attacks, the timeline is minutes. You need to shift from “detect and investigate” to “assume it’s happening and verify containment.” That means:&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Your backups aren’t just backed up — they’re tested to restore quickly. Can you recover your most critical systems in under an hour?&lt;br&gt;
Your disaster recovery plan isn’t a theoretical document — it’s exercised monthly.&lt;br&gt;
You know exactly which data is most critical and where it lives.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Network segmentation isn’t optional anymore. If an AI can move laterally at machine speed, the only real defense is making it impossible to reach crown jewels from infected systems. Segment your network so that a breach in one area doesn’t automatically grant access to everywhere else. Backup infrastructure especially: it should be on a separate network, with separate credentials, and never reachable from user-facing systems.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Continuous verification of access. Your current access controls probably work on an annual cycle — hire someone, they get access, leave the company, access gets revoked eventually. A machine-speed attack exploits the gaps: stale credentials, over-privileged service accounts, unused admin rights that never got cleaned up. You need:&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Monthly review of who has what access (not annual)&lt;br&gt;
Zero-trust principles: don’t assume a logged-in session is legitimate just because it has valid credentials MFA on everything, especially backup access and sensitive systems&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Immutable backups. If your backups can be deleted or encrypted, they’re not backups — they’re targets. JADEPUFFER’s attack chain specifically includes identifying and compromising backup infrastructure. Your backups need to be:&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Stored offline or in immutable storage that can’t be modified, even by a system administrator Tested regularly (not just assumed to work)&lt;br&gt;
Kept separate from your production systems and network&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Rethink your incident response timeline. Your playbook probably says “Alert → Investigate → Contain → Eradicate.” That assumes hours. For AI-driven attacks, you need a different sequence:&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Alert (seconds): Automated response triggers&lt;br&gt;
Contain (minutes): Isolate affected systems before the attack spreads&lt;br&gt;
Verify (minutes): Confirm what happened&lt;br&gt;
Recover (hours): Restore from backups&lt;br&gt;
Investigate (days): Figure out how it happened after you’re back online&lt;br&gt;
The hard conversation with your leadership&lt;br&gt;
Here’s what you need to say to your board or executive team: the ransomware threat changed on July 7, 2026. Not in degree, but in kind. An attacker that moves at machine speed doesn’t just need better defenses — it needs a different strategy.&lt;/p&gt;

&lt;p&gt;Enterprise security used to be built on prevention and detection. “Stop the bad thing from happening, and if it does, catch it before it causes damage.” That model relied on the attacker being slower than your response. JADEPUFFER proves that assumption is broken.&lt;/p&gt;

&lt;p&gt;The new model is: recovery by design. You assume the attack will succeed. You focus on making sure that when it does, you can get back online faster than the attacker can extract value or destroy systems. That changes where your security budget goes. It’s less “fancy detection tools” and more “immutable backups, network segmentation, and recovery drills.”&lt;/p&gt;

&lt;p&gt;It’s also less comfortable. Nobody likes admitting that the attacker might win the initial engagement. But it’s the only model that works when the attacker doesn’t need a human to coordinate the attack.&lt;/p&gt;

&lt;p&gt;What happens next&lt;br&gt;
JADEPUFFER was a proof of concept, not a widespread campaign — yet. But the playbook is published. Other threat actors will study it. The techniques will spread. Within months, expect to see AI-driven ransomware attempts against real targets from real adversaries, not just security researchers.&lt;/p&gt;

&lt;p&gt;The organizations that survive those attacks will be the ones that started planning now, not the ones that wait for the first breach to rewrite their playbook.&lt;/p&gt;

&lt;p&gt;Here’s my question for you: If an AI agent could cross your entire network in 10 minutes, could you restore from backups and be back online in an hour? If the answer is “I’m not sure,” that’s your starting point. What’s the first step you’d take this week?&lt;/p&gt;

&lt;p&gt;Drop it in the comments — or better yet, talk to your team about it this week.&lt;/p&gt;

&lt;p&gt;Publisher’s note: JADEPUFFER was disclosed by Sysdig on July 7, 2026. At time of writing, there was no evidence of widespread exploitation — this is a warning signal, not an active campaign.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>devops</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Stop Running GitHub PoCs on Your Workstation. You’re Being Hunted.</title>
      <dc:creator>nithiya-rajesh</dc:creator>
      <pubDate>Sat, 04 Jul 2026 14:30:30 +0000</pubDate>
      <link>https://dev.to/nithiyarajesh/stop-running-github-pocs-on-your-workstation-youre-being-hunted-3igc</link>
      <guid>https://dev.to/nithiyarajesh/stop-running-github-pocs-on-your-workstation-youre-being-hunted-3igc</guid>
      <description>&lt;p&gt;When a new critical CVE drops, we race to be the first to verify it. Fueled by caffeine and the pressure of a ticking clock, we scour GitHub for a Proof of Concept (PoC) to see how the exploit works. We find a repo with a few stars, skim the Python script, see nothing "obvious," and hit run.&lt;/p&gt;

&lt;p&gt;In 2026, that speed is exactly what is going to get your entire enterprise compromised.&lt;/p&gt;

&lt;p&gt;The recent "ChocoPoC" campaign isn't just another malware report; it is a professional wake-up call. It proves that attackers have stopped targeting the software—they are now targeting the defender’s process.&lt;/p&gt;

&lt;p&gt;The Death of the "Quick Code Review"&lt;/p&gt;

&lt;p&gt;The old-school way of staying safe was to "read the code before you run it." But the ChocoPoC campaign has officially made the "eye-ball test" obsolete.&lt;/p&gt;

&lt;p&gt;Researchers from &lt;strong&gt;YesWeHack and Sekoia&lt;/strong&gt; recently deconstructed a series of repositories claiming to exploit fresh CVEs. To the naked eye, the exploit script looked perfectly legitimate.&lt;/p&gt;

&lt;p&gt;The malware wasn't in the script. It was in the dependencies.&lt;br&gt;
By hiding malicious code (nicknamed ChocoPoC) inside a Python package listed in the requirements.txt, the attackers bypassed the human reviewer. The moment you ran the script, the dependency executed quietly in the background, exfiltrating your saved passwords, browser cookies, and session tokens before handing the attacker a shell on your machine.&lt;/p&gt;

&lt;p&gt;If you are only reviewing the .py file and not the entire supply chain of the repository, you aren't doing a security review. You’re just gambling.&lt;/p&gt;

&lt;p&gt;Why Researchers are the "Golden Ticket"&lt;/p&gt;

&lt;p&gt;Why would an attacker spend time building fake exploits instead of just phishing a CEO? Because a security researcher's laptop is a Golden Ticket.&lt;/p&gt;

&lt;p&gt;A single infected workstation in a SOC or DevSecOps team provides:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Privileged Access: You likely have active session cookies for cloud consoles (AWS/Azure) or internal GitLab instances.&lt;/li&gt;
&lt;li&gt;Source Code: Access to the "crown jewels" of your organization.&lt;/li&gt;
&lt;li&gt;The Ultimate Cloak: Traffic coming from a security pro’s machine is rarely questioned by automated alerts.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Attackers aren't looking for random victims anymore. They are looking for the keys to the castle, and we are handing them over in our rush to be "first."&lt;/p&gt;

&lt;p&gt;The Professional Standard: Building a "Zero-Trust" Workflow&lt;/p&gt;

&lt;p&gt;If you are still running untrusted code on your bare-metal workstation because you "don't have time" to spin up a VM, you are a liability to your team.&lt;/p&gt;

&lt;p&gt;Here is the 2026 baseline for running any community PoC:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Containment is the only Control: Assume "eyeballing" code will fail. Use a disposable, air-gapped Virtual Machine or a strictly isolated sandbox (like Tenzir or a dedicated lab VPC).&lt;/li&gt;
&lt;li&gt;Audit the Supply Chain: Before running pip install -r requirements.txt, verify every package on PyPI. Look for typosquatted names (e.g., requests-auth-lib vs request-auth-lib).&lt;/li&gt;
&lt;li&gt;The 72-Hour Rule: The window immediately following a CVE disclosure is the "Danger Zone." This is when fake PoCs are seeded. If a repo is less than 3 days old and has 100+ stars, it’s a red flag. Stars are cheap; reputation is earned.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The Hard Truth&lt;/p&gt;

&lt;p&gt;This campaign is a neat illustration of a trend that will define this decade: attackers weaponizing the "defender's rush."&lt;/p&gt;

&lt;p&gt;We need to stop rewarding "fast and loud" research and start rewarding "contained and verified" research. The fix isn't paranoia—it’s building a workflow where running malicious code is cheap and inconsequential because it’s trapped in a sandbox.&lt;/p&gt;

&lt;p&gt;The Question for the Community:&lt;/p&gt;

&lt;p&gt;How many of you can honestly say you haven't run a PoC on your host machine in the last 30 days? Are we actually sandboxing our research, or are we just hoping the "Star" count on GitHub means the code is safe?&lt;/p&gt;

&lt;p&gt;Let’s be honest in the comments—how does your team handle the "rush" of a new CVE?&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>beginners</category>
      <category>security</category>
      <category>infosec</category>
    </item>
  </channel>
</rss>
