Research
Threats move fast, so we build in the open. This is the engineering behind rfxn's detection updates: scan engine internals, signature design, and the analysis that drives them. When a new threat lands, the write-up ships with the code.
Field Notes: CVE-2026-41940 Exploitation in the Wild
Active-incident battle journal for CVE-2026-41940. Chronology of exploitation from the first probe forward: a 17-day quiet zero-day arc, a single-host kill chain walked end-to-end from sessionscribe-ioc-scan output, three operator profiles distinguished by WebSocket shell terminal dimensions, a catalog of exploitation patterns A through I, the operator-toolkit usage cards, the Tier-1 attacker IP block list, and a flagged piece of pre-disclosure evidence still under corroboration. The campaign is still active; we update this page as we identify additional patterns, attacker IPs, and IOCs.
Portable Bash for 20 Years of Unix Fragmentation
rfxn's Bash tooling ships to CentOS 6, Rocky 9, Ubuntu 24.04, Gentoo, Slackware, and FreeBSD. Every red cell in the portability matrix has produced a production bug. A reference on the usr-merge cliff, the /sbin split, the Bash 4.1 floor, init-system detection, and the grep patterns that enforce the rules.
Closing the AF_ALG Window: Userspace Mitigation for CVE-2026-31431 ("Copy Fail")
CVE-2026-31431 ("Copy Fail") is an algif_aead AEAD scratch-write bug that gives any unprivileged tenant a 4-byte page-cache write to any readable file at an attacker-chosen offset. On RHEL-family kernels the modules are built in, so modprobe blacklists are no-ops and userspace cuts are the only defense that bites the running kernel. We dissect the primitive, lay out the five-rung defense ladder, and ship a signed RPM family (afalg-defense) that pairs a single-file LD_PRELOAD shim with a read-only host posture auditor.
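As an added example, not the afalg-defense auditor itself: a read-only posture check in POSIX sh that answers the two questions the write-up turns on, whether algif_aead is compiled in (so a modprobe blacklist is a no-op) or merely loadable, and whether a userspace shim is actually registered system-wide. The ROOT and KVER parameters, the shim library name libafalg_shim.so, and the module metadata used to exercise it are assumptions for the example.

```sh
#!/bin/sh
# Added example, not the afalg-defense auditor. Read-only checks only: nothing
# here creates an AF_ALG socket or touches the kernel. ROOT and KVER are
# assumed parameters so the checks run against a constructed tree; the shim
# library name is an assumption too.

# afalg_kernel_state ROOT KVER -> builtin | module-loaded | module-available | absent | unknown
afalg_kernel_state() {
    root=${1:-}; kver=${2:-$(uname -r)}
    moddir="$root/lib/modules/$kver"
    if [ ! -d "$moddir" ] && [ ! -r "$root/proc/modules" ]; then echo unknown; return 0; fi
    # modules.builtin lists every object compiled into vmlinux; a module that
    # appears here cannot be unloaded or blacklisted.
    if [ -r "$moddir/modules.builtin" ] && grep -q '/algif_aead\.ko' "$moddir/modules.builtin"; then
        echo builtin; return 0
    fi
    if [ -r "$root/proc/modules" ] && grep -q '^algif_aead ' "$root/proc/modules"; then
        echo module-loaded; return 0
    fi
    if [ -r "$moddir/modules.dep" ] && grep -q '/algif_aead\.ko' "$moddir/modules.dep"; then
        echo module-available; return 0
    fi
    echo absent
}

# afalg_modprobe_rule ROOT -> 0 if any modprobe.d file carries a blacklist or install rule
afalg_modprobe_rule() {
    grep -qsE '^[[:space:]]*(blacklist|install)[[:space:]]+algif_aead([[:space:]]|$)' \
        "${1:-}"/etc/modprobe.d/*.conf
}

# shim_registered ROOT LIB -> 0 if LIB is named in /etc/ld.so.preload (system-wide LD_PRELOAD)
shim_registered() { grep -qs "$2" "${1:-}/etc/ld.so.preload"; }

# afalg_posture ROOT KVER LIB -> one-line verdict
afalg_posture() {
    root=${1:-}; kver=${2:-$(uname -r)}; lib=$3
    state=$(afalg_kernel_state "$root" "$kver")
    rule=no; afalg_modprobe_rule "$root" && rule=yes
    shim=no; shim_registered "$root" "$lib" && shim=yes
    case "$state:$rule:$shim" in
        *:*:yes)                echo "MITIGATED-USERSPACE: $lib in ld.so.preload (kernel state: $state)" ;;
        builtin:yes:*)          echo "EXPOSED: algif_aead is builtin, so the modprobe rule is a no-op; no shim registered" ;;
        builtin:no:*)           echo "EXPOSED: algif_aead is builtin; no shim registered" ;;
        module-loaded:*:*)      echo "EXPOSED: algif_aead is loaded; no shim registered" ;;
        module-available:yes:*) echo "MITIGATED-KERNEL: not loaded and a modprobe rule exists (an install rule blocks request_module by name; blacklist alone does not)" ;;
        module-available:no:*)  echo "EXPOSED: algif_aead autoloads on the first AF_ALG bind for an aead socket; add an install rule or the shim" ;;
        absent:*:*)             echo "NOT-APPLICABLE: algif_aead not present for kernel $kver" ;;
        *)                      echo "REVIEW: no module metadata for kernel $kver under '$root'" ;;
    esac
}

afalg_posture "" "" libafalg_shim.so
```

The verdict ordering encodes the ladder: a registered shim wins regardless of kernel state, because it is the only rung that applies to a builtin module without a reboot.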
Reverse-Engineering CVE-2026-41940 (SessionScribe): cPanel/WHM Session Forgery
CVE-2026-41940 is an unauthenticated session forgery in cPanel/WHM that composes two asymmetric defects in the session-write path into root RCE. We dissect the patch via snapshot-driven binary diff, derive the primitive mechanically, document an adjacent pre-validation identity-commit issue, publish a five-rule ModSecurity pack with a non-destructive probe and on-host IOC scanner, and standardize on proxy-endpoint enforcement as the forward posture for cPanel/WHM.
Composer Supply Chain: What PHP Didn't Learn From npm
npm supply chain attacks get the coverage, but Composer has the same RCE primitives, mutable Git tags instead of immutable registry hashes, and composer-plugin packages that activate transitively on every invocation. We map the trust chain, translate the npm attack classes, and put maldet on vendor/.
AI-Generated Webshells: Why Pattern-Based Detection Still Wins
LLMs generate novel PHP webshells on demand, and every sample is lexically unique. But a webshell must still read input, decode it, and hand it to an exec primitive. maldet's compound signature engine matches on that semantic skeleton, and the paraphrase problem collapses back into a known one.
WebRTC Skimmers: How Payment Thieves Bypass Content Security Policy
The first documented payment skimmer using WebRTC DataChannels for both payload delivery and data exfiltration. CSP connect-src cannot block RTCPeerConnection. DTLS-encrypted UDP is invisible to HTTP security tools. We break down the technique and connect it to the ongoing Magento PolyShell mass exploitation.
The MU-Plugin Menace: Five Malware Families Hiding in Plain Sight
WordPress must-use plugins auto-execute on every page load, are not listed alongside regular plugins in the admin panel, and can't be deactivated from it. Five distinct malware families, from simple redirectors to a 7-layer persistence fortress, have independently converged on this vector. We document them all and publish detection signatures.
Structured Audit Logging for Bash Applications
Most bash tools log unstructured text. We built elog_lib.sh, a shared event logging library that emits 23 typed events to multiple formats simultaneously: JSONL, CEF, syslog, GELF, and Elasticsearch ECS. One function call, zero-code SIEM integration, no compiled dependencies.
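As an added example, not elog_lib.sh itself: the shape of a one-call typed event emitter in POSIX sh that fans the same event out to two of the formats named above (JSONL and CEF) with format-correct escaping. The vendor and product strings, the event list, the sink paths and the ELOG_TS override are assumptions for the example.

```sh
#!/bin/sh
# Added example, not elog_lib.sh. One call, elog_event, fans a typed event out
# to JSONL and CEF sinks. Vendor/product strings, the event list and the sink
# paths are assumptions for the example.

ELOG_VENDOR=rfxn; ELOG_PRODUCT=maldet; ELOG_VERSION=2.0
ELOG_HOST=${ELOG_HOST:-$(uname -n)}
ELOG_JSONL=${ELOG_JSONL:-/dev/stdout}
ELOG_CEF=${ELOG_CEF:-/dev/stdout}
# Typed events: anything not in this list is rejected before it reaches a sink.
ELOG_EVENTS="scan.start scan.hit scan.quarantine scan.end sig.update"

# json_escape STR -> STR safe inside a JSON string (newline/tab flattened to space)
json_escape() {
    printf '%s' "$1" | tr '\n\t' '  ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}
# cef_hdr STR -> CEF header field: backslash and pipe are escaped
cef_hdr() { printf '%s' "$1" | tr '\n' ' ' | sed -e 's/\\/\\\\/g' -e 's/|/\\|/g'; }
# cef_ext STR -> CEF extension value: backslash and equals are escaped
cef_ext() { printf '%s' "$1" | tr '\n' ' ' | sed -e 's/\\/\\\\/g' -e 's/=/\\=/g'; }

# elog_check EVENT SEVERITY -> 0 if EVENT is typed and SEVERITY is on the CEF 0..10 scale
elog_check() {
    case " $ELOG_EVENTS " in *" $1 "*) ;; *) echo "elog: unknown event '$1'" >&2; return 2 ;; esac
    case $2 in [0-9]|10) ;; *) echo "elog: severity must be 0-10, got '$2'" >&2; return 2 ;; esac
}

# elog_jsonl EVENT SEVERITY MESSAGE [key=value ...] -> one JSON object per line
elog_jsonl() {
    ev=$1; sev=$2; msg=$3; shift 3
    ts=${ELOG_TS:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}   # ELOG_TS: assumed override for reproducible output
    out="{\"ts\":\"$ts\",\"event\":\"$(json_escape "$ev")\",\"severity\":$sev"
    out="$out,\"host\":\"$(json_escape "$ELOG_HOST")\",\"msg\":\"$(json_escape "$msg")\""
    for kv in "$@"; do
        out="$out,\"$(json_escape "${kv%%=*}")\":\"$(json_escape "${kv#*=}")\""
    done
    printf '%s}\n' "$out"
}

# elog_cef EVENT SEVERITY MESSAGE [key=value ...] -> ArcSight CEF:0 line
# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
elog_cef() {
    ev=$1; sev=$2; msg=$3; shift 3
    out="CEF:0|$ELOG_VENDOR|$ELOG_PRODUCT|$ELOG_VERSION|$(cef_hdr "$ev")|$(cef_hdr "$msg")|$sev|"
    sep=""
    for kv in "$@"; do
        out="$out$sep${kv%%=*}=$(cef_ext "${kv#*=}")"; sep=" "
    done
    printf '%s\n' "$out"
}

# elog_event EVENT SEVERITY MESSAGE [key=value ...] -> validate once, write every sink
elog_event() {
    elog_check "$1" "$2" || return $?
    elog_jsonl "$@" >> "$ELOG_JSONL"
    elog_cef "$@" >> "$ELOG_CEF"
}

elog_event scan.hit 8 'webshell in /var/www/a.php' file=/var/www/a.php sig=php.webshell.eval
```

Escaping is per format, not shared: JSON needs `"` and `\` escaped, CEF headers need `|` and `\`, CEF extensions need `=` and `\`. Getting one of those wrong is how a filename with a pipe in it corrupts an entire SIEM ingest line.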
Axios npm Compromise: Lazarus Group Deploys Cross-Platform RAT
The axios npm package (50M+ weekly downloads) was compromised via maintainer account hijack. Malicious versions 1.14.1 and 0.30.4 inject a postinstall dropper that delivers a cross-platform RAT attributed to Lazarus Group (DPRK/APT38). We publish 33 maldet signatures covering the dropper, all platform payloads, and C2 infrastructure.
WordPress Supply Chain Attacks: BuddyBoss, Gravity Forms, and the Trust Problem
Three premium plugin supply chain compromises in 12 months (BuddyBoss, Gravity Forms, and Groundhogg) show attackers systematically targeting vendor update infrastructure. We publish 10 new maldet signatures including generic detection rules that catch future supply chain backdoors in any WordPress plugin.
Magento PolyShell: Detection, Mitigation, and maldet Signatures
A critical unauthenticated file upload vulnerability in Magento's REST API allows attackers to plant PHP webshells disguised as GIF images. We break down the attack, publish 7 ModSecurity rules, Apache hardening guidance, and four new maldet signatures.
Compound Signatures: Building a Boolean Detection Language in Bash
ClamAV's plain hex and hash signature formats cannot express boolean logic. We built a compound signature engine that evaluates AND/OR/threshold rules using shell-native primitives (grep, awk, sort) with 22x less memory and 2.1x higher detection rates. No daemon, no dependencies.
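This added example serves both the AI-generated webshell entry above and the compound signature entry: it is not maldet's engine, but a POSIX-sh sketch of the same idea, where a rule is a threshold over component patterns (AND is threshold equal to the component count, OR is threshold 1, anything between is an N-of-M vote) and the components encode the input-decode-exec skeleton rather than any one sample's text. The pattern sets, rule names and the three PHP samples are constructed for the example.

```sh
#!/bin/sh
# Added example, not maldet's compound signature engine. A rule is a name, a
# threshold and a list of component patterns; it fires when at least
# THRESHOLD components match the file. Only grep and sh arithmetic are used.
# Pattern sets, rule names and samples are constructed for this example.

# Skeleton components: every webshell, hand-written or LLM-paraphrased,
# must take input, usually decode it, and hand it to an exec primitive.
INPUT='\$_(POST|GET|REQUEST|COOKIE)\[|php://input|getallheaders *\('
DECODE='(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin) *\('
EXEC='(^|[^A-Za-z0-9_])(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|create_function) *\('

# Obfuscation components: none is damning alone, two together are.
CHR='chr *\( *[0-9]+ *\)'
B64BLOB='[A-Za-z0-9+/]{80,}={0,2}'
VARVAR='\$\$[A-Za-z_]'
CONCAT="'[A-Za-z]{1,5}' *\. *'[A-Za-z]{1,5}'"

# satisfied_count FILE PATTERN... -> how many patterns match at least one line
satisfied_count() {
    f=$1; shift; n=0
    for p in "$@"; do
        grep -qiE -- "$p" "$f" && n=$((n+1))
    done
    echo "$n"
}

# rule NAME THRESHOLD FILE PATTERN... -> prints "NAME (hit/total)" and returns 0 on a hit
rule() {
    name=$1; need=$2; f=$3; shift 3
    got=$(satisfied_count "$f" "$@")
    [ "$got" -ge "$need" ] || return 1
    echo "$name ($got/$#)"
}

# scan_file FILE -> prints every rule that fires; returns 0 if any did
scan_file() {
    f=$1; fired=0
    rule php.webshell.skeleton 3 "$f" "$INPUT" "$DECODE" "$EXEC" && fired=1                  # AND
    rule php.obfuscation.density 2 "$f" "$CHR" "$B64BLOB" "$VARVAR" "$CONCAT" && fired=1     # 2-of-4
    [ "$fired" -eq 1 ]
}

SAMPLES=$(mktemp -d)
cat > "$SAMPLES/classic.php" <<'EOF'
<?php $i=$_POST['k']; eval(base64_decode($i)); ?>
EOF
# Lexically unrelated to classic.php, same skeleton: input -> decode -> exec.
cat > "$SAMPLES/paraphrased.php" <<'EOF'
<?php
$hdr = getallheaders(); $blob = $hdr['X-Sig'];
$code = gzinflate(base64_decode(strrev($blob)));
$run = create_function('', $code); $run();
EOF
# Benign: takes input and decodes it, but nothing reaches an exec primitive.
cat > "$SAMPLES/upload.php" <<'EOF'
<?php
$img = base64_decode($_POST['image']);
file_put_contents('/var/www/uploads/' . uniqid() . '.png', $img);
EOF

for f in "$SAMPLES"/*.php; do
    echo "== $f"; scan_file "$f" || echo "clean"
done
```

The upload handler is the reason the skeleton rule is an AND and not an OR: it hits two of three components, and a flat pattern list would flag it. The paraphrased sample shares no token with the classic one beyond `base64_decode(`, yet scores 3/3, which is the collapse the post describes.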
43x Faster: Rewriting maldet's Scan Engine with Batch Parallel Processing
Linux Malware Detect v1.6.6 forked 500,000 subprocesses per scan. The v2.0 rewrite uses batch parallel workers, Aho-Corasick grep, and awk preloading to scan 10,000 files in 28 seconds with zero external dependencies and a 44 MB memory footprint.
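As an added example, not maldet's v2.0 scan engine: the batching shape the entry describes, in POSIX sh with find, xargs and grep -F. One grep process handles a whole batch of files with the entire indicator list loaded once via -f, and xargs -P runs several such batches concurrently, so process count scales with batches, not files. The indicator list, the file tree and the BATCH/JOBS knobs are constructed for the example.

```sh
#!/bin/sh
# Added example, not maldet's v2.0 scan engine. One grep per batch of files
# instead of one per file, batches run concurrently, and the fixed-string
# matcher (grep -F, Aho-Corasick) loads the whole indicator list once per
# process via -f. Indicators, tree and the BATCH/JOBS knobs are constructed.

PATTERNS_FILE=$(mktemp)
# Constructed fixed-string indicators, one per line; grep -F treats them literally.
printf '%s\n' 'eval(base64_decode(' 'gzinflate(base64_decode(' 'FilesMan' > "$PATTERNS_FILE"

# batch_scan DIR [BATCH] [JOBS] -> sorted paths of files matching any indicator.
# find -print0 | xargs -0 keeps odd filenames intact; -n caps files per grep
# invocation (the batch); -P runs that many greps at once.
batch_scan() {
    dir=$1; batch=${2:-500}; jobs=${3:-4}
    find "$dir" -type f -print0 \
        | xargs -0 -n "$batch" -P "$jobs" grep -l -F -f "$PATTERNS_FILE" -- \
        | sort
}

# batches_for NFILES BATCH -> number of grep processes the scan will fork
batches_for() { echo $(( ($1 + $2 - 1) / $2 )); }

# Constructed tree: 41 files, 3 carrying an indicator, one with a space in its name.
TREE=$(mktemp -d)
i=0
while [ "$i" -lt 40 ]; do
    printf '<?php echo "page %s"; ?>\n' "$i" > "$TREE/page$i.php"
    i=$((i+1))
done
printf '<?php eval(base64_decode($_POST["x"])); ?>\n' > "$TREE/page3.php"
printf '<?php gzinflate(base64_decode("..")); ?>\n' > "$TREE/page17.php"
printf '<?php $a="FilesMan"; ?>\n' > "$TREE/cache dir.php"

echo "grep processes for 41 files in batches of 8: $(batches_for 41 8)"
batch_scan "$TREE" 8 2
```

With a per-file fork the same tree costs 41 grep processes; with BATCH=8 it costs 6, and the indicator automaton is built 6 times instead of 41. That ratio, not raw grep speed, is where the 43x comes from on a 10,000-file tree.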