The Yeti Journal on Yeti.Security — Pen-testing & security consultinghttps://yetisecurity.cz/journal/Recent content in The Yeti Journal on Yeti.Security — Pen-testing & security consultingHugoen-usThu, 07 May 2026 00:00:00 +0000Crampon-7: credential-stuffing wave targeting fleet-management SaaShttps://yetisecurity.cz/journal/crampon-7-credential-stuffing/Thu, 07 May 2026 00:00:00 +0000https://yetisecurity.cz/journal/crampon-7-credential-stuffing/<div class="callout crit"><span class="label">// TLP:AMBER · limited distribution</span> This brief contains active-campaign indicators. Share inside your organization and with trusted partners only. Do not redistribute publicly. </div> <p>A coordinated credential-stuffing campaign is targeting US-based fleet-management platforms. Yeti has observed activity against three customers in the last 72 hours. Recommended actions are at the bottom of this post.</p> <p><span class="stat-inline"> <span class="v">HIGH</span> <span class="l">severity</span> </span> <span class="stat-inline"> <span class="v">11</span> <span class="l">known victims</span> </span> <span class="stat-inline"> <span class="v">~3%</span> <span class="l">success rate</span> </span> <span class="stat-inline"> <span class="v">05.04</span> <span class="l">first seen</span> </span> </p> <h2 id="summary">Summary</h2> <p>Threat actor <strong>CRAMPON-7</strong> is replaying credentials harvested from a 2025 unrelated SaaS breach against fleet-management login endpoints. Distributed across approximately 4,200 residential proxies; rate-limited at 1.5 requests/second per IP — well below typical naive rate-limiting thresholds.</p>The first six findings we see, every timehttps://yetisecurity.cz/journal/first-six-findings/Fri, 10 Apr 2026 00:00:00 +0000https://yetisecurity.cz/journal/first-six-findings/<p>Eighteen months in, we&rsquo;ve completed 38 engagements. They span fintechs, fleet- management SaaS, two robotics companies, and a healthtech firm we can&rsquo;t name. Different stacks, different teams, very different threat models.</p> <p>And yet — the same six findings appear in roughly the same order, every time.</p> <p>Treat this list as a <strong>pre-emptive remediation roadmap</strong>. If you can knock these out before our next visit (or, ideally, before someone else&rsquo;s first visit), the rest of the engagement is materially more useful.</p>Northstar Robotics: fixing twelve findings before the report shippedhttps://yetisecurity.cz/journal/northstar-case-study/Sun, 22 Mar 2026 00:00:00 +0000https://yetisecurity.cz/journal/northstar-case-study/<p>In Q2 2026 we ran a four-week penetration test against <strong>Northstar Robotics</strong>, a fleet-management SaaS for autonomous logistics vehicles. The engagement covered their production web app, the operator mobile apps (iOS + Android), and their customer-facing API.</p> <p>We found 28 issues — two critical, four high, nine medium, eight low, five informational. None of those numbers are unusual. The unusual part: by the time we sent the final report, <strong>20 of the 28 were already fixed</strong>. Six more had open PRs. Two were deferred deliberately, with a documented exception.</p>