Cybersecurity Shenanigans #024: Leaked gov keys, post-Patch-Tuesday zero-days, and a Mac malware wearing three different masks 🎭

Here's this month's cybersecurity scoop.

👋 Hey friend,

Silly me. I thought this was going to be a quieter month. Patch Tuesday came and went without any zero-days. I almost felt…relaxed? And then the cyberverse said, “Now, we can’t have that,” and here we are. 😂

In this edition: a government contractor at CISA published their AWS GovCloud credentials to a public GitHub repo (named Private-CISA 💀), three new Windows zero-days showed up fashionably late to Patch Tuesday, and a macOS infostealer that somehow manages to impersonate Apple, Google, and Microsoft in a single attack chain. We've also got some new videos — including one where I let AI solve cybersecurity war games overnight while I slept like a baby.

As always, thanks for being here! 💙
— JH

I’m hosting ContinuumCon Again June 12-14!

CC 2026 is the cybersecurity conference that never ends, and EVERY talk is a hands-on workshop with online access after the event!

ContinuumCon is a virtual cybersecurity conference that I’ll be hosting along with my good friend Anthony Bendas from Level Effect. It’s built around practical workshops and interactive labs across core blue-team and reverse-engineering domains. We’ll be active on Discord while covering content organized by tracks like DFIR, Detection Engineering, Reverse Engineering, Threat Hunting, Malware Analysis, CTI, SecOps, Tactical GRC, and AI/ML.

If you want the best parts of a con (learning by doing, labs that actually work, and content you can come back to when your brain is ready), that’s the vibe of CC 2026. Show up live for the energy, then keep the workshops for when it’s 2AM, and you’ve decided today is the day you finally learn detection engineering. 😅

News & Commentary

A CISA contractor accidentally left the keys to the kingdom under the doormat ☠️

A government contractor working with CISA — which, I remind you, is the agency literally responsible for securing critical U.S. infrastructure — maintained a public GitHub repository called Private-CISA (again, 💀) that exposed AWS GovCloud credentials, plaintext passwords, cloud tokens, and internal system access to, well, anyone who knew where to look.

The repo was apparently being used as a personal file sync tool between a work laptop and home computer. (…) A file named importantAWStokens held admin keys to three AWS GovCloud servers. Another file was a CSV of plaintext usernames and passwords for dozens of internal CISA systems. And here’s the best part: The contractor had manually disabled GitHub's built-in secret scanning protection to make this all possible. (😅)

Security researcher Philippe Caturegli confirmed the AWS keys were valid and could authenticate at a high privilege level, noting the internal code repository access alone would be a goldmine for an attacker looking to backdoor software packages and hitch a ride through CISA's build pipeline every time they deploy something new. The repo was taken down after Krebs and Seralys notified CISA, but the exposed AWS keys stayed valid for another 48 hours after that. ☠️

Worth noting: CISA has shed nearly a third of its workforce since the start of this year. But even that context doesn't excuse a passwords123-style security failure at a cybersecurity agency. It does, however, paint a picture of an organization under significant strain.

The best thing any of us can take from this one is a reminder to scan your own repos for accidentally committed secrets. Tools like GitGuardian, truffleHog, and git-secrets exist exactly for this purpose.
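As an added example (mine, not code from this newsletter and not the code of GitGuardian, truffleHog or git-secrets), here is a small scanner that does the two things those tools do at their core: match known credential shapes (AWS access key IDs and secret keys, GitHub tokens, private-key blocks) and flag any `something_key = <long random string>` line whose Shannon entropy looks machine-generated. `scan_staged_changes()` runs it over the lines you are about to commit, so it works as a pre-commit hook that refuses the commit before a secret ever reaches GitHub. Pattern names, the entropy threshold and the redaction format are my assumptions.

```python
#!/usr/bin/env python3
"""Minimal committed-secret scanner: credential regexes plus an entropy heuristic.

Hypothetical example code. Not affiliated with truffleHog, git-secrets or
GitGuardian; meant to show the shape of what those tools do, not replace them.
"""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# Credential shapes that commonly end up in repos. Group 1 is the secret value.
SPECIFIC_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws_secret_access_key", re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})\b")),
    ("github_token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]
# Generic "<name containing key/token/secret/password> = <20+ non-space chars>".
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*(?:key|token|secret|passw(?:or)?d)[\w.-]*\s*[:=]\s*['\"]?([^\s'\"]{20,})")
# Bits per character (assumed threshold): random base64 scores ~5, English words ~3.
# This catches machine-generated tokens, not human-chosen passwords.
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    kind: str
    line_no: int
    snippet: str  # redacted: only the first 4 chars of the secret and its length


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the full secret back into a terminal or CI log."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list:
    """Return one Finding per (line, secret value); specific patterns win over the generic one."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in SPECIFIC_PATTERNS:
            for m in pat.finditer(line):
                if (line_no, m.group(1)) not in seen:
                    seen.add((line_no, m.group(1)))
                    findings.append(Finding(kind, line_no, redact(m.group(1))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if (line_no, value) in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            seen.add((line_no, value))
            findings.append(Finding("high_entropy_assignment", line_no, redact(value)))
    return findings


def scan_staged_changes(repo: str = ".") -> list:
    """Scan only the lines being added to the index, i.e. what a pre-commit hook should gate."""
    diff = subprocess.run(["git", "-C", repo, "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)


if __name__ == "__main__":
    hits = scan_staged_changes()
    for f in hits:
        print(f"{f.kind} in staged changes (added line {f.line_no}): {f.snippet}")
    sys.exit(1 if hits else 0)  # non-zero exit aborts the commit
```

Drop the script into `.git/hooks/pre-commit` (executable) and a commit containing an `importantAWStokens`-style file is rejected locally. Two caveats worth knowing: this local hook is a second net, not a replacement for GitHub's push protection, which is exactly the layer the contractor switched off; and the entropy heuristic flags random tokens, so a CSV of human-chosen plaintext passwords only trips it if the column names match the generic pattern, which is why scanning for known file shapes and simply not syncing credential files through git matter as much as any regex.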

The zero-days that didn't get the memo about Patch Tuesday ⚠️

Hey friends, did you have a nice, quiet, relatively relaxed Patch Tuesday this month? Did you? Because that was just the cyberverse lulling you into a false sense of security. 😁

Patch Tuesday came and went, and then just days later, a research group called Nightmare Eclipse dropped three new Windows vulnerabilities. Meet YellowKey, GreenPlasma, and MiniPlasma. Microsoft has so far officially assigned a CVE and released a patch only for one of them: BlueHammer (CVE-2026-33825), which has already landed on CISA's Known Exploited Vulnerabilities (KEV) list. Another, RedSun, appears to have been quietly patched without any CVE or public advisory. The remaining three? Still unpatched as I’m sitting down to write this.

GreenPlasma is a local privilege escalation bug, and researchers note it's the kind of thing that pairs nicely with a social engineering attack: trick someone into installing remote monitoring and management (RMM) software, use the remote access to trigger the exploit, and suddenly you've gone from generic user to SYSTEM. Joy. MiniPlasma, meanwhile, is an exploit for a vulnerability that was reported to Microsoft back in 2020. Six (6) years ago. 🫠

The good news: most of these require some level of user interaction or physical access to pull off. The less-good news: "requires user interaction" has never stopped a determined attacker, and "unpatched" is never a great column to be in. Keep an eye on Microsoft's advisories and patch the moment fixes land.

New macOS infostealer impersonates Apple, Google, and Microsoft in a single attack chain 🍎

Meet Reaper: a new macOS infostealer variant (part of the SHub malware family) that's doing something a little ~extra~. It borrows the identity of three globally trusted tech brands across a single infection chain, and it does it smoothly enough that most users wouldn't notice anything was wrong.

Here's how it plays out. You download what looks like a WeChat or Miro installer from a typosquatted domain impersonating Microsoft infrastructure. The payload executes masqueraded as an Apple security update, routing through Script Editor instead of Terminal specifically to bypass Apple's built-in mitigations. Then, for persistence, it drops a fake Google Software Update LaunchAgent, complete with a realistic directory structure mimicking Google's legitimate Keystone update service, that quietly phones home to the attacker every 60 seconds.

Microsoft lure → Apple disguise → Google persistence. Three brands, one attack. How…innovative.

Once it's in, Reaper does its thing. It scans your Desktop and Documents folders for anything that looks valuable (wallet files, .rdp configs, keys, documents), stages them in /tmp/, chunks them into 10MB pieces, and ships them off via curl. It also goes after Exodus, Ledger Live, Atomic, and Trezor Suite if you have any crypto wallets lying around. And if a researcher opens DevTools to poke around the delivery page, it replaces the content with a Russian-language "access denied" message. (Stay classy, Reaper. 😂)

The guidance is straightforward: Apple will never ask you to open Script Editor and run a command. If a website is prompting you to do that, throw your entire computer out the window…or, you know, just close the tab.
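The persistence step is the part of that chain a defender can actually go looking for. As an added example (my code, not Reaper's and not any vendor's published detection rule), the Python below parses every plist in ~/Library/LaunchAgents and reports the traits the write-up describes: the job is launched through an interpreter (sh, bash, osascript) rather than a signed binary, it references a program under /tmp or another throwaway path, its StartInterval is 60 seconds or shorter, or its label borrows com.google./com.microsoft. without any program path mentioning that vendor, or borrows com.apple. at all, since Apple's own agents are not installed under the user's LaunchAgents folder. The interpreter list, path roots and the 60-second threshold are my assumptions, tuned to the write-up rather than to a vetted ruleset.

```python
#!/usr/bin/env python3
"""Audit user LaunchAgents for the traits of a vendor-impersonating persistence item.

Hypothetical example code; the heuristics below are assumptions for this
example and should be tuned to what legitimately runs on your fleet.
"""
import os
import plistlib
from pathlib import Path

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl", "open"}
THROWAWAY_ROOTS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
VENDOR_PREFIXES = ("com.google.", "com.microsoft.")
BEACON_MAX_SECONDS = 60  # the write-up's 60 s check-in; real updaters poll on the order of hours


def _expand(path: str, home: str) -> str:
    return home + path[1:] if path.startswith("~") else path


def assess_launch_agent(plist: dict, home: str) -> list:
    """Return human-readable reasons this LaunchAgent looks like fake persistence (empty = clean)."""
    reasons = []
    label = plist.get("Label", "")
    args = list(plist.get("ProgramArguments") or [])
    if "Program" in plist:  # Program overrides argv[0] when both are present
        args.insert(0, plist["Program"])
    program = os.path.basename(args[0]) if args else ""

    if program in INTERPRETERS:
        reasons.append(f"runs via interpreter '{program}': {' '.join(args[:4])}")
    for tok in args:
        path = _expand(tok, home)
        if path.startswith(THROWAWAY_ROOTS) or path.startswith(os.path.join(home, "Downloads")):
            reasons.append(f"references a throwaway or user-writable path: {tok}")
            break
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval <= BEACON_MAX_SECONDS:
        reasons.append(f"beacon-like StartInterval of {interval}s")
    if label.startswith("com.apple."):
        reasons.append("claims an Apple label, but Apple's own agents do not live in ~/Library/LaunchAgents")
    if label.startswith(VENDOR_PREFIXES):
        vendor = label.split(".")[1]
        if not any(vendor in _expand(t, home).lower() for t in args):
            reasons.append(f"label claims '{vendor}' but no program path mentions that vendor")
    return reasons


def scan_user_launch_agents(home: str = None) -> dict:
    """Map plist path -> reasons for every suspicious agent in the user's LaunchAgents folder."""
    home = home or str(Path.home())
    results = {}
    for plist_path in sorted(Path(home, "Library", "LaunchAgents").glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            results[str(plist_path)] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_launch_agent(plist, home)
        if reasons:
            results[str(plist_path)] = reasons
    return results


if __name__ == "__main__":
    for path, reasons in scan_user_launch_agents().items():
        print(path)
        for r in reasons:
            print("  -", r)
```

A hit on the interpreter or throwaway-path check is the strongest signal; a 60-second StartInterval alone is unusual but not proof. Pair the script's output with `codesign -v` on the program it points at and with `launchctl list` to confirm the job is actually loaded before you start pulling threads.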

Sponsor

The IT and security field guide to AI adoption

AI is everywhere right now. But for many teams, the reality hasn’t matched the promise.

Tools that look great in demos don’t hold up in real workflows. And instead of reducing workload, AI can introduce new risks and oversight.

So what’s actually working?

Tines just released a guide that takes a more practical look at AI adoption for security and IT teams. Inside, you’ll get:

  • A framework for evaluating tools beyond the demo

  • A step-by-step approach to selecting tools that hold up in production

  • Best practices for keeping humans in the loop

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-024.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// I got a phishing email pretending to be the IRS, sent through actual, legitimate Zoom Docs. The payload? A JScript file that deobfuscates into a ScreenConnect RAT installer. I walk through the full triage process, including where AI actually earns its keep during malware analysis. 🎯

// Hackers are abusing Facebook's own Business Manager partner request emails (sent from a real @facebook.com address) to sneak phishing links directly into your inbox. I dig into the fake Meta agency site, watch it phone home to Telegram in real time, and decrypt the stolen data payload. B+ phish, D- website. 😅

// I set up an AI agent to autonomously solve cybersecurity war games, and then just…went to sleep. By morning it had worked through all of Over the Wire on its own. Here's the full setup: the hardware, the harness, the Obsidian vault, the N8N workflows, and how I wired it all together into something that just keeps going. 🤖

Just Hacking Training News 🤓

May Course Release:
Web App Pentesting - Jr Analyst
Only $80 in May!

Mike Lisi, Founder of Maltek Solutions and President of the Red Team Village, has taken the JHT philosophy of preparing students for the job and did what we only hear about on the interwebs… He created an apprenticeship!

20% Launch Discount Expires Midnight ET May 31

Don’t just hack. Prepare for a career!

You played CTFs, learned some hacking tricks and maybe even dabbled in bug bounty hunting. That’s a great start. But do you use a proper methodology, work on real-world, live web applications, or even know what will be expected of you as a member of a penetration testing team delivering paid services for clients? You will!

See for yourself with Free Previews and a Live Demo:
📖 Course Overview
🔍 Anatomy of a Web Application
💻 1.1 Search Engine Discovery (WSTG-INFO-01)

After completing the material in each lesson, you are assigned actual work tasks by your team! As you complete your “work,” you are reminded of the importance of taking notes. This becomes vastly important, because you are required to “Report to the Team” regularly… just as the job would require!

Our Free Gift to the Community!

CrossWind Systems Corporation is a fictitious tech company created for this training. The learning process is structured like a real pentesting engagement. Their entire online presence, vulnerabilities and all, is available for EVERYONE!

If you would like to play with a live, purposely vulnerable web app, have at it. If you prefer more structured, curriculum-based training, then this course is for you!

JHT Top Courses

❤️ Red Team

Blue Team 💙

Future Courses: WMD 6, Coding for Cybersecurity, Hacking Home Lab & more!

New Free Upskill Challenges

Free Upskill Challenge by NBTV (Naomi Brockwell TV), a project of Ludlow Institute, covers 3 ways to create your own encrypted USB drives.

2nd Free UC in our Maritime Cybersecurity series dives deeper into National Marine Electronics Association 2000 (NMEA 2000).

Save Big with Bundles!

The “Mishaal” Bundle: Get EVERYTHING Mishaal Khan has on JHT for only $345 (25% Off) including 4 courses (3 OSINT, 1 OpSec) & 2 geoINT Hack-Alongs.
Mastering Active Directory Security (MADS) Volumes 1 – 3: (20% Off)
Win MalDev Intro Path includes Courses 1 – 3: (46% Off)
7 CTF Bundle: 50% Off, 7 Hack-Along Bundle: 75% Off
• Get DW1 (Dark Web & Cybercrime Investigations $125) and DW2 (CTI Researcher $175) in my Bundle to Save 25%. Only $225 (was $300)!

Got feedback?

Are you loving this thing? Can it be improved? Either way, I want to know.

Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.

Thank you!