
CyberWire Daily Caught in the funnel. [Research Saturday]
Jan 24, 2026

Andrew Northern, Principal Security Researcher at Censys who studies web-based malware, walks through multi-stage JavaScript injects and how compromised sites funnel victims through shared redirect chokepoints. He outlines a tracing method to map those chains. Topics include fake CAPTCHAs, reuse of script paths, blockchain-based hiding, and practical defender detection and mitigation steps.
Compromised Sites Funnel To Few Chokepoints
- Large numbers of compromised sites funnel victims into a small set of shared redirectors and payload hosts.
- Monitoring those chokepoints yields higher-confidence visibility than chasing tens of thousands of edge sites.
Hunt With Seed Patterns And Graphs
- Hunt using seed patterns like fake CAPTCHA templates, script names, and HTML snippets to find injects at scale.
- Build graphs of redirects and shared resources to identify and validate choke points before manual reconstruction.
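
A sketch of the graph step described above, added here as an illustration and not taken from the episode or from Censys tooling. It assumes redirect chains have already been collected as ordered URL lists; every host name is a constructed placeholder under .example, and the function names and the 0.5 threshold are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: each list is the ordered URL sequence observed
# when one compromised page was loaded in an analysis browser.
CHAINS = [
    ["https://shop-a.example/", "https://r1.example/js/lib.js",
     "https://gate.example/verify", "https://p1.example/captcha.html"],
    ["https://blog-b.example/", "https://r1.example/js/lib.js",
     "https://gate.example/verify", "https://p2.example/captcha.html"],
    ["https://news-c.example/", "https://r2.example/js/lib.js",
     "https://gate.example/verify", "https://p1.example/captcha.html"],
    ["https://forum-d.example/", "https://r2.example/js/lib.js",
     "https://gate.example/verify", "https://p1.example/captcha.html"],
    ["https://wiki-e.example/", "https://r1.example/js/lib.js",
     "https://gate.example/verify", "https://p2.example/captcha.html"],
]

def host(url):
    return urlsplit(url).hostname

def build_graph(chains):
    """reach[h] = seed sites whose chain passes through h;
    preds[h] = distinct hosts that hand traffic directly to h."""
    reach, preds = defaultdict(set), defaultdict(set)
    for chain in chains:
        hops = [host(u) for u in chain]
        seed = prev = hops[0]
        for h in hops[1:]:
            if h == prev:          # same-host hop, not a new graph edge
                continue
            reach[h].add(seed)
            preds[h].add(prev)
            prev = h
    return reach, preds

def chokepoints(chains, min_share=0.5):
    """Rank downstream hosts by the share of seed sites funnelled through them.
    Returns (host, share_of_seeds, fan_in) tuples, highest share first."""
    reach, preds = build_graph(chains)
    seeds = {host(c[0]) for c in chains}
    rows = [(h, round(len(s) / len(seeds), 2), len(preds[h]))
            for h, s in reach.items() if h not in seeds]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return [r for r in rows if r[1] >= min_share]

if __name__ == "__main__":
    for name, share, fan_in in chokepoints(CHAINS):
        print(f"{name:15} share={share:.0%} fan_in={fan_in}")
```

Hosts with a high share are the candidates to validate by manual reconstruction before building detections or blocks around them.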
Shared Techniques Make Detection Feasible
- Attack clusters share techniques and swap tricks rapidly, so copied patterns can indicate active campaigns.
- Reusable injection targets like commonly used JS libraries and resource paths make detection feasible.

