Weekly Security Roundup: Identity Controls and Dev Workflow Abuse

by TechHub

Security coverage followed a consistent theme: trusted developer surfaces are being tightened while also being actively abused. After last week’s authentication weaknesses (OAuth redirection abuse, AiTM phishing) and supply-chain controls (Dependabot workflow improvements, AI-assisted vulnerability discovery), this week shows convergence on default surfaces. Identity is moving closer to the data plane (even SFTP), GitHub scanning is shifting earlier in workflows, and attackers are blending into routine engineering habits (interview repositories, “VPN download” searches). AI security also continued the shift noted last week from theory to operations, with more guidance on monitoring, audit, and governance as agentic tools land in enterprises.

Identity-centered secure access for file transfer (Azure Blob Storage SFTP + Entra ID)

After last week’s identity abuse coverage, this is the defensive counterpart: reduce identity islands by bringing legacy access under central policy. Azure Blob Storage SFTP is adding public preview support for Microsoft Entra ID authentication, replacing local storage-account SFTP users that required separate identities, passwords/keys, and offboarding. Users (including B2B guests via Entra External Identities) authenticate with Entra ID and receive a short-lived SSH certificate per session, which reduces reliance on long-lived secrets and aligns SFTP with enterprise identity controls. Authorization and operations change with this model. Access is enforced via Azure RBAC/ABAC plus POSIX-like ACLs for path permissions, unifying access semantics across SFTP, REST, and Azure CLI. MFA, Conditional Access, Identity Protection, and PIM apply directly to SFTP integrations, and offboarding becomes disabling the Entra identity or revoking access rather than rotating keys and removing local users. For regulated partner/vendor exchange, this supports time-bound, policy-driven access with centralized auditing. Guidance is to enroll and validate in non-production. Local users still exist, but the direction is toward Entra-backed access as the default model.

GitHub Advanced Security updates: sharper code scanning and stronger leak prevention

Continuing last week’s shift-left and supply-chain thread, GitHub’s updates focused on improving what analysis can model and preventing secrets from reaching repositories. CodeQL 2.24.3 expands coverage and modeling. Java/Kotlin scanning supports Java 26 and improves Maven builds by reading Java version from POMs (and trying Java 17+ when needed), reducing toolchain mismatch failures. Modeling also improves: better detection of MobX observer React components for JS/TS, improved Python SSRF analysis via a new AntiSSRF sanitization barrier model, and better interpretation of boolean guards like isSafe(x) == true / != false to reduce false positives. Ruby taint tracking now follows Shellwords.escape / shellescape (with exceptions for command-injection queries), Rust adds neutral models to ease custom sources/sinks/summaries, C/C++ refines a query to reduce false positives, and C# parsing supports the field keyword (C# 14). Since CodeQL rolls out automatically on GitHub.com, teams should expect alert shifts and plan for scan re-runs and review of custom packs/models. GitHub’s March 2026 secret scanning update adds 28 detectors across 15 providers and expands default push protection so more leaks are blocked at git push time. This ties to last week’s structured ownership/triage theme: earlier blocking reduces rotation and incident coordination later. New Azure/Entra patterns for azure_active_directory_application_id and azure_active_directory_application_secret catch common app artifacts before commit. Validators also expand (Airtable, DeepSeek, npm, Pinecone, Sentry), helping triage by confirming active credentials vs noise. Overall, it pushes security earlier into the developer loop: fewer scan failures, fewer false positives, and more secrets stopped before they reach the remote.

Threat research: attackers blending into developer workflows (interviews, GitHub assets, and signed installers)

Last week highlighted identity abuse and stolen EV cert signing. This week extends the same theme into common distribution and execution paths that developers and IT already treat as routine. These campaigns do not need exotic exploits if they can embed in everyday workflows. Microsoft’s “Contagious Interview” report shows recruitment social engineering wrapped around normal coding tasks. Targets get assignments that involve cloning a repository and installing/running dependencies (often npm) from platforms like GitHub/GitLab/Bitbucket. VS Code workspace trust is a key hinge: once trusted, task files can run background commands, which bridges “open repo” to “execute code.” The campaign uses multiple payload families (Invisible Ferret, FlexibleFerret, BeaverTail/OtterCookie) for backdoors, persistence, and theft, targeting source, CI/CD tokens, cloud credentials, code-signing keys, password stores, and wallets. Guidance is operational: treat hiring pipelines as an attack surface, isolate interview environments from corporate credentials, add review/approval gates before running external code, and hunt for suspicious Node/Python behavior, download-and-execute patterns, and unusual outbound infrastructure. Microsoft Threat Intelligence also described Storm-2561 using SEO poisoning so VPN-client searches land on lookalike domains serving trojanized installers, sometimes hosted as GitHub release assets to blend into a trusted channel. The chain uses a ZIP with an MSI, a signed executable, and malicious DLL side-loading (for example, dwmapi.dll, inspector.dll) in legitimate-looking paths. The fake VPN captures credentials, steals VPN configs, persists via RunOnce, and uses an in-memory loader to deploy Hyrax infostealer. Defender mitigations include cloud protection, EDR in block mode, web/network protection, ASR rules, SmartScreen, and hunting for suspicious signed binaries (including the cited certificate subject) and unusual DLL loads in VPN directories. The takeaway is practical: tighten acquisition habits (especially search → download) and treat GitHub-hosted binaries as requiring provenance checks and reputation-aware controls, because “looks legitimate” signals are being used as cover.

Securing enterprise AI usage: prompt abuse playbooks and agent governance control planes

Last week covered attackers operationalizing AI and the need to protect AI usage (including malicious extensions harvesting chat histories). This week adds day-two defensive detail: detecting/responding to prompt abuse and how identity/governance may apply to agents in enterprise environments. Microsoft Incident Response guidance focuses on indirect prompt injection as an operational risk. Hidden instructions embedded in ingested content (including URL fragments after #) can be pulled into prompts and silently steer outputs. It categorizes attacker patterns (direct overrides, extractive attempts, indirect injection) and maps detection/response to common Microsoft stacks: discover sanctioned vs shadow AI usage with Defender for Cloud Apps and Purview DSPM; monitor with Purview DLP and CloudAppEvents; constrain with Entra Conditional Access plus DLP; and investigate via Sentinel, Purview audit logs, and Entra identity signals. Engineering takeaways include explicit sanitization in ingestion pipelines (including stripping/normalizing URL fragments) and treating AI tool usage as observable and policy-governed, like other data-handling systems. Microsoft also introduced Agent 365 and Microsoft 365 E7: The Frontier Suite as a security/admin control plane for agentic AI, including third-party agents. It centers on an Agent Registry (inventory), observability reports, near real-time risk evaluation using Defender/Entra/Purview signals, and an “Agent ID” model where agents get Entra identities so Conditional Access and identity governance apply like they do to users. It also mentions inline DLP for Copilot Studio agents, sensitivity label inheritance, auditing/eDiscovery/retention for agent data, and Defender protections for prompt manipulation and model tampering. For developers, this implies more deployment requirements - registration, identity assignment, least privilege, label/DLP compliance, auditability - becoming part of “done.” (Availability is stated as May 1, 2026, with Agent 365 at $15/user/month and E7 at $99/user/month.)

Other Security News

Mark Russinovich described using Anthropic Claude Opus 4.6 to decompile and reason about 6502 machine code from an Apple II utility he wrote in 1986. The model flagged a silent incorrect-behavior bug (not checking the carry flag after a line-lookup routine). The takeaway is not that this specific tool is exploitable. It is that LLMs can increasingly help reason about binaries and legacy code (useful for firmware and long-lived systems), while still requiring disciplined verification to manage noise.