Identity‑first attacks rising
- Security posts report actors like APT36, TA446, UNC1069 and Bearlyfy are escalating credential theft and cloud-identity abuse.
- Jeff Byer and others flagged rising ransomware exploits and urged identity hardening and supply-chain vigilance.
- The discussion recommends prioritized mitigations such as patching model repositories and hardening identity controls. (x.com)
Attackers are stealing logins, tokens, and session cookies faster than many companies can reset them, turning identity systems into the main entry point for intrusions. (spycloud.com)

SpyCloud said its 2026 Identity Exposure Report recaptured 65.7 billion distinct identity records from the criminal underground, up 23% from the prior year. The report also counted 5.3 billion credential pairs, 38.5 million third-party application credentials, 18.1 million exposed API keys and tokens, and 8.6 billion stolen cookies. (spycloud.com)

Identity abuse means an attacker uses a real account, token, or cookie the way a stolen house key opens a real door. SpyCloud said 49% of phishing victims in its 2025 dataset were corporate users, and 40% of infostealer infections happened on endpoints that already had endpoint detection or antivirus tools installed. (spycloud.com)

Recent campaigns show how that plays out. CYFIRMA said APT36, also called Transparent Tribe, used spoofed Indian government domains in August 2025 to harvest email passwords and Kavach one-time codes in real time, a tactic designed to beat multi-factor authentication. (cyfirma.com)

Proofpoint said TA446, also known as Callisto or Star Blizzard, sent fake Atlantic Council invitations on March 26, 2026 and used the leaked DarkSword iPhone exploit kit to target Apple devices. Proofpoint said the Russia-linked group had already built a record of credential-harvesting spear-phishing before it expanded into iCloud and iPhone targeting. (thehackernews.com)

Google Threat Intelligence Group attributed a March 31, 2026 supply-chain attack on the axios JavaScript package to UNC1069, according to Tenable and the Cloud Security Alliance. Tenable said malicious axios versions 1.14.1 and 0.30.4 were live for about three hours, used a stolen maintainer token, and should be treated as full system compromise if installed. (tenable.com, labs.cloudsecurityalliance.org)

Ransomware crews are using the same access-first pattern. The Byer-Nichols brief for February 1-15, 2026 said recent adversaries, including UNC1069, “leaned heavily on stealthy access, cloud abuse, and long-dwell espionage,” while exploited flaws in Apple, Microsoft, Notepad++, and SolarWinds underscored the need for faster patching and tighter identity controls. (phishtankdigital.com)

Bearlyfy shows the other end of the chain, where access turns into disruption. The Hacker News reported on March 27, 2026 that the pro-Ukrainian group had carried out more than 70 attacks on Russian companies since January 2025 and had shifted to a custom Windows ransomware strain called GenieLocker. (thehackernews.com)

The defensive advice in these reports is narrower than “buy more security.” Tenable told affected axios users to rotate credentials and rebuild from clean snapshots, while the Byer-Nichols brief pointed to fast patching and tighter identity controls as the priority response. (tenable.com, phishtankdigital.com)

The common thread is simple: when attackers can sign in with a stolen token, cookie, or maintainer credential, they do not need loud malware to get inside. The current wave of phishing, cloud abuse, and supply-chain compromises keeps pushing defenders back to the same basics — harden identity, patch fast, and assume exposed credentials are already in circulation. (spycloud.com, tenable.com, phishtankdigital.com)