What Are the Biggest Risks in the Modern Cyber Landscape?

Malik Haidar is a cybersecurity expert with extensive experience in combating threats and hackers within multinational corporations. His expertise encompasses analytics, intelligence, and security, with a strong focus on integrating business perspectives into cybersecurity strategies. In this interview, we explore the evolving landscape of digital threats, from the physical hardware used to intercept mobile communications to the sophisticated supply chain attacks targeting developers. We also discuss the massive exposure of remote access servers and the psychological tactics used in modern phishing campaigns.

Fake cellular towers are now being used to bypass carrier filters and push phishing links directly to nearby mobile devices. How do these “blaster” devices mimic legitimate network signals, and what specific steps should individuals take to verify messages that appear to originate from trusted organizations?

These “SMS blaster” devices, or fake Base Transceiver Stations, operate by emitting a signal that is stronger or more attractive than the legitimate local cell tower, effectively forcing nearby mobile devices to hand off their connection to the rogue hardware. Once the phone is connected, the attacker has a direct line to the device, allowing them to broadcast thousands of fraudulent texts that completely bypass the security filters usually managed by telecommunications providers. In recent cases, we have seen tens of thousands of devices compromised over just a few months by a single setup. To protect yourself, never trust the “sender name” on a text message, as these devices can easily spoof names of banks or government agencies. If you receive an urgent alert, do not click the link; instead, manually type the organization’s official URL into your browser or use their verified mobile app to check for notifications.

Malicious packages are increasingly targeting developers by stealing environment variables and SSH keys during the installation process. How should engineering teams audit their dependencies to prevent brandsquatting, and what are the best practices for securing CI/CD workflows against script-injection vulnerabilities that forge signed releases?

Brandsquatting, like the recent “tanstack” incident where a developer impersonated a popular library to demand a $10,000 bounty, relies on human error during a quick npm install. Engineering teams must implement automated dependency firewalls that flag packages with suspicious naming conventions or those maintained by unknown, new users like “sh20raj.” Beyond just naming, we are seeing attackers exploit GitHub Actions via script-injection to forge signed releases, effectively bypassing the master branch entirely to publish malicious versions like elementary-data 0.23.3. To defend against this, teams must strictly limit the permissions of the GITHUB_TOKEN, utilize OIDC for cloud authentication to avoid long-lived secrets, and ensure that any workflow triggered by external pull requests is isolated from the production environment.
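An added example, not part of the interview and not any project's own tooling: a small Python audit for the workflow weaknesses named above (missing token permissions, fork-triggered runs with secrets in scope, and untrusted event text expanded inside a run: script). The two workflow snippets are constructed, and the list of untrusted fields is a partial, assumed list.

```python
import re
# Event fields an outside contributor controls; inside run: they become shell source.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request|issue|comment|review)"
    r"\.[\w.]*?(?:title|body|ref|label))\s*\}\}")

def audit_workflow(text):
    """Return (line_no, message) findings for the text of one workflow file."""
    findings, lines = [], text.splitlines()
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append((0, "no permissions: block, GITHUB_TOKEN keeps repo defaults"))
    run_col = None                     # column of the enclosing run: key, if any
    for no, line in enumerate(lines, 1):
        m = re.match(r"(\s*(?:-\s+)?)run:", line)
        indent = len(line) - len(line.lstrip())
        if m:
            run_col = len(m.group(1))
        elif line.strip() and run_col is not None and indent <= run_col:
            run_col = None             # dedented: the run: script has ended
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "untrusted context expanded inside run: script"))
        if re.search(r"\bpull_request_target\b", line):
            findings.append((no, "pull_request_target: fork PRs run with secrets in scope"))
    return findings

# Constructed samples: the same job, weak and hardened.
WEAK = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Checking ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
"""

print(audit_workflow(WEAK), audit_workflow(HARDENED))
```

In the hardened form the title reaches the script only as an environment variable, so the shell treats it as data.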

Millions of RDP and VNC servers remain exposed on the internet, with many running unpatched software or lacking basic authentication. What is the standard remediation protocol for securing these remote access endpoints, and how does the exposure of OT/ICS control panels heighten the risk to physical infrastructure?

The scale of exposure is staggering, with 1.8 million RDP and 1.6 million VNC servers currently visible to anyone on the public internet, often with critical flaws like BlueKeep still unpatched on nearly 19,000 systems. The first step in any remediation protocol is to move these services behind a VPN or a Zero Trust Network Access gateway so they are never directly reachable from a public IP. We are particularly concerned about the 670+ VNC servers that have no authentication at all and lead directly to industrial control panels, as this allows an attacker to manipulate physical machinery or utility grids remotely. Organizations must enforce Multi-Factor Authentication, disable legacy versions of TLS, and perform regular external scans to ensure no “shadow IT” has left a back door open to their core infrastructure.

New phishing platforms now integrate automation, geofencing, and mailbox scanning to conduct high-precision, adversary-in-the-middle attacks. In what ways do these application-level kits differ from traditional phishing methods, and what specific technical defense layers are required to intercept such advanced campaigns?

Modern kits like Saiga 2FA and Phoenix System are no longer just static fake login pages; they are full-scale application platforms that can scan a victim’s mailbox in real-time or use geofencing to ensure only users in a specific region see the malicious content. By acting as a proxy between the user and the real service, these “Adversary-in-the-Middle” kits can capture session cookies and bypass standard two-factor authentication entirely. To counter this, organizations need to move toward FIDO2-compliant security keys or passkeys, which are hardware-bound and resistant to interception. Additionally, deploying AI-driven email security that analyzes the reputation of newly registered domains—like the 2,500 linked to Phoenix System—can help block these high-precision attacks before they reach the inbox.

Browser extensions and academic document repositories are frequently exploited to harvest user history and sensitive metadata like private keys or hardware details. What specific file types and metadata must be sanitized before public disclosure, and how can users identify extensions that legally sell their data for profit?

Public repositories like arXiv are gold mines for attackers because authors often inadvertently upload hidden .git directories, LaTeX comments containing private conversations, or configuration files with active API keys. Before any public disclosure, it is essential to use sanitization tools like ALC-NG to strip metadata, hardware details, and GPS information from the 2.7 million documents currently available to the public. Regarding browser extensions, users must realize that some “free” tools are legally data brokers; for instance, a network of 24 media extensions currently tracks 800,000 users across platforms like Netflix and Hulu. To identify these, you must look deep into the privacy policy for clauses about “reselling anonymized data,” though the best practice is to audit your extensions monthly and remove anything that isn’t strictly necessary for your daily workflow.

Electronic medical records platforms are often vulnerable to flaws that allow full database compromise and the exfiltration of protected health information. What are the immediate technical priorities for a healthcare provider when a critical vulnerability is disclosed, and how do these risks complicate long-term regulatory compliance?

When 38 vulnerabilities are found in a platform like OpenEMR, which serves 200 million patients, the immediate priority is to identify and patch SQL injection and path traversal flaws that could lead to remote code execution. Healthcare providers must assume a state of “breach” and immediately audit their database logs for any unauthorized access to Protected Health Information (PHI) to meet strict regulatory reporting windows. These vulnerabilities are particularly dangerous because they allow attackers to bypass authorization checks, potentially letting them tamper with patient records or export entire databases for sale on the dark web. Long-term, this creates a massive compliance burden, as evidenced by the $3.45 billion in privacy fines issued in 2025, proving that regulators are now focusing on enforcement rather than just awareness.

Threat actors are exploiting account creation flows and email username variations to send phishing messages from legitimate corporate domains. How does this “dot trick” technique bypass traditional spam filters, and what strategies should platforms implement to prevent their notification systems from being weaponized against the public?

The “dot trick” exploits a discrepancy between how different systems handle email addresses: Gmail ignores periods in usernames, but platforms like Robinhood may treat j.doe@gmail.com and jd.oe@gmail.com as two separate accounts. Attackers use this to create thousands of accounts that all point back to one inbox, triggering legitimate “welcome” or “security alert” emails from the platform’s own servers to be sent to a victim. Because the email comes from a trusted domain like noreply@robinhood.com, it sails past spam filters that would normally block suspicious senders. Platforms must implement stricter “one-to-one” mapping for email addresses and use rate-limiting on their sign-up flows to ensure their notification systems cannot be turned into a massive, automated phishing engine.
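An added example, not part of the interview and not any platform's actual code: one way to implement the one-to-one mapping and sign-up rate limit described above, in Python. It goes slightly beyond the dot case by also folding Gmail "+tag" suffixes and the googlemail.com alias; the class name, limits and return values are assumptions.

```python
import time
from collections import defaultdict, deque

# Domains whose mailboxes ignore dots in the local part (Gmail, per the interview).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr):
    """Return the mailbox an address delivers to (assumes case-insensitive local parts)."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")   # drop +tag, then dots
        domain = "gmail.com"
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local}@{domain}"

class SignupGuard:
    """One account per canonical mailbox, plus a cap on attempts per mailbox."""

    def __init__(self, max_attempts=3, window_s=3600):
        self.accounts = {}                    # canonical -> address as first registered
        self.attempts = defaultdict(deque)    # canonical -> recent attempt timestamps
        self.max_attempts, self.window_s = max_attempts, window_s

    def register(self, addr, now=None):
        now = time.time() if now is None else now
        key = canonical_email(addr)
        seen = self.attempts[key]
        while seen and now - seen[0] > self.window_s:
            seen.popleft()                    # forget attempts outside the window
        seen.append(now)
        if len(seen) > self.max_attempts:
            return "rate_limited"             # send no notification at all
        if key in self.accounts:
            return "duplicate"                # no second welcome mail to this inbox
        self.accounts[key] = addr
        return "created"

# Constructed sample: dot variants of one inbox, as in the interview's example.
guard = SignupGuard()
for i, a in enumerate(["j.doe@gmail.com", "jd.oe@gmail.com", "jdo.e@gmail.com", "j.d.o.e@gmail.com"]):
    print(a, "->", guard.register(a, now=i))
```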

The information stealer landscape has shifted toward tools that utilize YouTube videos and Telegram channels for distribution and monetization. What metrics define the sudden rise of a particular malware strain, and how do these groups quickly turn stolen browser cookies and credentials into profit on underground markets?

The rise of Vidar Stealer 2.0 is a perfect example of how the market shifts when competitors like Lumma are taken down; Vidar filled that vacuum by leveraging “Cloud” Telegram channels for rapid distribution. These groups use social engineering, such as YouTube videos offering “free software,” to trick users into downloading executables from Mediafire that harvest billions of credentials. In 2025 alone, we tracked 2.86 billion compromised credentials, with 347 million coming directly from these infostealers across 3.9 million infected machines. Once the data is harvested, it is instantly uploaded to markets like the Russian Market, where session cookies are sold for a few dollars, allowing other criminals to hijack active accounts without needing a password or 2FA.

What is your forecast for the future of cybersecurity?

I anticipate a shift where the battleground moves entirely away from traditional “hacking” and toward the weaponization of legitimate infrastructure and supply chain automation. We are already seeing attackers use legitimate management tools like Komari to maintain backdoors and exploit CI/CD pipelines to sign their own malware. As we move into 2026 and beyond, the “basics” will become more difficult to manage as the volume of exposed data reaches a breaking point; we’ve already seen a massive eightfold increase in social media scam losses since 2020. My forecast is that privacy enforcement will become the primary driver for security spend, with companies forced to adopt “secure-by-design” principles or face the billions of dollars in fines that are now becoming the global standard for data negligence.
