• John Hammond
  • Posts
  • Cybersecurity Shenanigans #025: Nothing is safe, nobody is fine, and we need to talk (((about how awesome ContinuumCon was)))

Cybersecurity Shenanigans #025: Nothing is safe, nobody is fine, and we need to talk (((about how awesome ContinuumCon was)))

Here's this month's cybersecurity scoop.

👋 Hey friend,

Somehow, it's already mid-June and I feel like I blinked and missed half of it. Anyone else?

From an incredible ContinuumCon this last weekend to some kind of insane cybersecurity news headlines, it’s been a busy one. News-wise, we’ve got hackers weaponizing developer tools, a ransomware group hiding inside Microsoft Teams infrastructure, and AI stuff that has me right back on my soapbox. 😬

Let’s dig in. And as always, thanks for being here! 💙
— JH

ContinuumCon Was Amazing 🥲

Last weekend, I had the honor of co-hosting with my good friend Anthony Bendas of Level Effect. I’m a huge fan of this format for several reasons, mostly because it’s accessible (no travel required for you or me! 😏), and every talk is an actual hands-on workshop available all year ‘round.

It was action-packed. From the unforgettable opening panels (did you catch smelly AKA vxu 🤯) to our incredible speakers talking about everything from Detection Engineering to Threat Hunting and loads of AI… I loved every minute of it!

But it’s not over yet. In fact… It’s NEVER over!
It’s still free to stream and affordable to Hack-Along.

CC 2026 tickets are available until next year, so you didn’t miss the chance to get 30 workshops on JHT. That’s right… the Guardian Ticket gives lifetime access to ALL workshops from this year AND last year! Hurry… the 20% discount ends June 22.

Catch us live this Friday at 1:00 PM ET for ContinuumCon 2026 Redux, where Anthony and I recap highlights, announce CTF winners, share a JHT coupon code, and more.

News & Commentary

Are your developer tools being weaponized? 😱

This one’s for all my developer friends out there because what even is a good night’s sleep? 😅

Picture this: Someone sends you a GitHub repo. You clone it and open it up in VS Code. Annnnnd you’re compromised.

A group of North Korean hackers have figured out that VS Code has a built-in feature called runOn: folderOpen — and would you just like to take a wild guess on what this does? It’s a totally legitimate way to automate tasks when a project loads. But not when threat actors stuff malicious code into repos. 😬

Once this fires, a loader quietly installs a malicious VS Code extension disguised as a Google service. It runs recon on your machine, steals saved passwords, and goes straight for the crypto wallets. And get this: Researchers found three backdoored extensions sitting on the official VS Code marketplace dressed up as productivity tools, using Microsoft's own SharePoint and Graph API as their command-and-control channel so the traffic blends right in with normal Microsoft activity. Sneaky sneaky.

The bigger picture is what's honestly kind of wild to think about. This is an ecosystem, not just some one-off campaign. Fake npm packages, poisoned repos, fake LinkedIn recruiters, AI-generated job listings, and now automated exploitation through developer tooling. One infected machine can get weaponized to infect downstream developers through their own code contributions, turning the whole thing into something that spreads like a worm.

More than 2,700 developers hit and nearly 27,000 crypto wallets stolen just in early 2026. Nation-state level, industrialized, and targeting the people who build the software everyone else uses. So, if you're cloning repos from strangers, go peek at .vscode/tasks.json before you open anything. 😅

Does more AI = more incidents? 🤖

Bear with me — I’m back on my AI soapbox again. 😆

Jamf surveyed nearly 700 IT and security leaders on their use of AI, and the results are pretty telling. More than 1 in 5 organizations have already lost money from an AI-related incident, and 6 in 10 are expecting one soon.

The biggest culprit? (This will shock you. Just kidding.) Shadow AI. Employees spinning up unapproved tools that IT doesn't even know exist. Kinda hard to govern what you can’t see.

What's making this messier is the rise of agentic AI — systems that don't just answer questions but actually take actions on your behalf like writing code, managing files, or sending emails autonomously. Useful stuff, right? But at a cost. And it’s also a nightmare if the permissions aren't dialed in, because a misconfigured AI agent with too much access can cause serious damage before anyone notices.

The part that stings a little? When leaders were asked to rank priorities, AI governance came in third. AI security came in fifth. Meanwhile, the incidents keep stacking up.

The fix is boring but real: Audit which AI tools are being used across your org, lock down data access policies, and build governance in from day one instead of scrambling to retrofit it later. Boring, run-of-the-mill advice for an exciting problem. 😅

Hackers hid ransomware traffic inside Microsoft Teams ☠️

Not a fan of Microsoft Teams? I’m not saying that’s justified

A ransomware group called DragonForce hit a major US services firm and went completely undetected for 2 months — in part because their malware was hiding its command-and-control traffic inside Microsoft Teams.

Symantec's threat hunters found a backdoor called Backdoor.TURN that routes all its malicious traffic through Microsoft's own TURN relay servers. (?!) TURN servers are a totally legit part of how Teams handles real-time communication. Think video calls, voice, those sorts of things. So from a network defender's perspective, the traffic just looks like normal Teams activity. Nothing sus here.

Here’s how it works: The malware grabs an anonymous visitor token from Microsoft's Skype-backed identity services, uses that to authenticate with Teams infrastructure, and then establishes a covert connection back to the real attacker-controlled server hiding behind it. Once inside, the attackers did all the expected things: credential harvesting, lateral movement, Active Directory enumeration, creating new user accounts, and modifying firewall rules to make sure they stayed in.

The defense evasion component is worth a chat. The hackers used a technique called BYOVD (Bring Your Own Vulnerable Driver) which involves loading a known-vulnerable system driver to disable security tools at the kernel level. If you can get code running there, you can basically turn off whatever security software is on the machine. They exploited a Huawei driver to do this, plus a few others tied to known CVEs, and even deployed a custom malicious driver disguised as a legitimate Palo Alto one.

The big takeaway here is the trend we’re seeing. Attackers are increasingly hiding inside trusted infrastructure — Microsoft Teams, SharePoint, Google APIs — because it makes their traffic nearly invisible to defenders who are watching for connections to sketchy unknown domains. Behavioral detection is really the only answer here, because blocking "Microsoft traffic" obviously isn't on the table. 😅

Sponsor

150 hours saved in one month: Inside Jamf's IT Ops automation strategy

With more than 500 SaaS applications, thousands of devices, and a constant flow of support requests to manage, Jamf's 30-person IT team turned to intelligent workflows to scale operations and reduce manual work.

In this live session on July 10th, hear directly from their team on use cases that delivered early results — from responsive phishing reporting and employee alert notifications to on-demand FileVault key recovery.

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-025.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

// …so I’m ~10 months late posting this. 😅 At DEFCON last year, I got the opportunity to hang out with my good friend @flangvik, and we had a little fun watching hAcKiNg clips from movies and talking about how realistic they are.

Just Hacking Training News 🤓

June Course Release
WMD 6 - Building Post-Exploitation Tools
20% Off in June!

20% Launch Discount Expires Midnight ET June 30

The 2nd Trilogy Closes with a Bang

We broke in. Now what? We code custom tools, of course.

Breaking in is just the beginning. The job of an emulated criminal is judged more by ‘how long can I persist’ and ‘what can I get out!’ As with the previous 5 Windows Malware Development (WMD) courses, let’s not just use some off-the-shelf tools or open source options with known signatures and maybe even some bloat. Let’s lay down some custom code! And rightfully so, the 2nd trilogy comes to an end with WMD 6 – Building Post-Exploitation Tools. This marks the completion of the WMD Advanced Path of courses 4 – 6.

See for yourself with Free Previews and a Live Demo by Dahvid Schloss:

📜 Course Introduction and Vitals
👴 Your Grandfather’s Post-Exploit Tooling
📼 The Legacy Pipeline

Save with WMD Bundles

46% Off WMD Intro Path

20% Off WMD Adv Path

OnlyLANS.ai:
Another Free Community Project!

Test Your AI / LLM Ethical Hacking Skills

OnlyLANs is a free educational hacking challenge. Solve Level 1 to enter a monthly drawing for a FREE JHT course! Originally built for the ContinuumCon prompt-injection workshop with Eva Benn and Andrew Bellini, we expanded on the idea and made it publicly available for the world to play!

Our Top Courses

❤️ Red Team

Blue Team 💙

Courses in Production: Home Lab, Coding for Cybersecurity, Networking for Pentesters, Reverse Engineering, MADS Vol 4, Jr Network Pentest, and more!

Additional New Training

With every talk being a hands-on workshop hosted on JHT, we now have 30 Hack-Alongs from last year and this year. Get access to them all at ONE LOW PRICE!

PowerShell has one of the most powerful logging systems of any shell on any OS. And nobody has it turned on much less knows it exists.

Enjoy the 3rd UC by Andrew Pla, MS MVP, on this little known but highly effective feature.

Happy Hacking!