Category: Uncategorized

  • Faith Leaders Confront Christian Nationalism With Theological Resistance


    As federal agents and their state and local supporters began terrorizing communities on Jan. 20, 2025 with renewed vigor granted them by the Trump administration, something happened that may have surprised some observers: Clergy showed up. Not just with humanitarian work like food pantry boxes or grief counseling, but with their bodies, their preaching, their prayers, their public presence and their institutional credibility. Ministers organized rapid response networks. Priests, rabbis and imams positioned themselves as witnesses, as shields, as a very particular kind of good trouble.

    If the broader progressive movement is going to understand what faith leaders bring to resistance work and why their contribution is irreplaceable, it has to grapple with something that can feel counterintuitive: Our robes, our collars, our candles and the sometimes ancient words of our prayers are not incidental to this work. They are the work.

    I can speak to this as a queer and progressive pastor in Columbus, Ohio, and the executive director of a nonprofit working at the intersection of LGBTQIA+ identity and Christian faith. In years of organizing before I was ordained and since, my faith and the model I find in Jesus Christ, the brown-skinned Palestinian refugee living under colonial occupation, are what compel me to show up, act up and speak up against the lies of nationalism and authoritarianism.

    I want to make an argument to anyone who might be skeptical of people of faith, particularly clergy: You need us in this fight, and not just for our buildings or our mailing lists. You need the specifically theological, liturgical and prophetic tools that faith leaders carry.

    Why Clergy Are A Distinct Political Force

    Christian nationalists strive to control the Christian narrative and what it demands of Christians. Why? Because faith and the language of faith still carry extraordinary weight in American public life. That narrative has the power to grab people’s attention and inform how hundreds of millions of people understand authority, community, obligation and resistance. When the Center for Christian Virtue, an anti-LGBTQIA+ hate group with an office across the street from the Ohio Statehouse, frames its legislative agenda in the language of faithfulness, it is making a move that secular counter-messaging cannot fully answer. Policy arguments can rebut policy arguments. But the claim that God demands the exclusion and erasure of LGBTQIA+ people can only be most powerfully answered by other people of faith who demonstrate that lie for what it is.

    This is the first thing people need to understand about clergy organizing: When faith leaders show up publicly for justice, we’re not just adding bodies to a coalition. We are contesting the theological ground that Christian nationalism depends on. Every pastor who testifies at a statehouse hearing in a clerical collar or a stole, every minister who stands at a protest with a sign that quotes scripture, every congregation that rewrites its liturgy to name and resist what is happening in this country, is committing an act of theological resistance.

    One powerful tool available to clergy is their physical presence. For Christian clergy, the clerical collar is a credential that reads differently than almost any other in American public life. It communicates moral seriousness and a claim to speak from within a tradition. When collared clergy appear at ICE actions, at state legislative hearings, at Pride marches, at protests outside detention facilities, they are deploying that credential in public. They are also countering the narrative that Christians are conservative, nationalistic and aligned with fascism and authoritarianism.

    Clergy showing up at protests also changes the dynamics of those protests in ways that matter strategically. It complicates the narrative that resistance to authoritarian policies is purely secular or anti-religious. It creates moments of genuine cognitive dissonance for observers who have been told that faith and progressive politics are incompatible. And in moments of potential confrontation with law enforcement or counter-protesters, a visible clerical presence can function as deescalation, not because clergy are above the fray, but because their presence reframes the moral stakes of what is happening.

    This visibility matters for organizing. One of the persistent challenges in mobilizing progressive Christians is the sense of isolation, the feeling that they are anomalies in a tradition that has been captured by MAGA-aligned nationalism. When faith leaders show up visibly and publicly, they give permission and accessibility to progressive faith leaders to start showing up and acting out. This public act of witness has the power to activate other faith leaders and people of faith.

    For several years now, my organization has hosted an interfaith service during Columbus’s Pride week. We intentionally encourage clergy to dress in whatever garb is appropriate to their position in their tradition. Yes, it’s fun for us to break out the rainbow stoles, rainbow tallitot (Jewish prayer shawls) and rainbow forms of many religious garments, but we also understand the import. We are creating moments when LGBTQIA+ people meet the first affirming clergy from their tradition or any tradition, which is a powerful witness to a community so often rejected by religious communities. And while the presence — the very existence in fact — of queer clergy is important, even more powerful is the sight of heterosexual, cisgender clergy de-centering themselves by explicitly making their quiet presence and solidarity known.

    Writing As A Prophetic Act

    The prophetic tradition in many religions is, at its core, a written and oral tradition. The Hebrew prophets were poets and rhetoricians. They named what was happening in their lived realities, called it by its true name and insisted that the community of faith had an obligation to respond. Progressive faith leaders working in that tradition today are doing the same thing in op-eds, in open letters, in legislative testimony, in denominational statements and in the newsletters and social media posts that reach beyond the people actually sitting in pews.

    This writing is not merely commentary. It is a form of counter-narrative construction. When I write about LGBTQIA+ dignity, about the cruelty of anti-immigrant mass deportation, about the theological bankruptcy and moral perversion of Christian nationalism, I’m doing something specific. I’m claiming the language of faith for a different set of commitments than Christian nationalists have claimed.

    For people of faith, the power of our prophetic traditions has less to do with hearing from the divine, though that’s important, and more to do with hearing from an otherwise normal person who has taken it upon themselves to challenge the establishment, the empire and the status quo. We respect them as much for their message as we do for the courage they had to speak that message. Prophets are rarely popular in their own times, and their messages are often silenced through exile, deportation and even death. Yet, the example prophets set and the fire of their messages persist.

    Liturgy As Resistance

    Liturgy, the sometimes structured, repeated and often communal practice of reflection and devotion, from highly choreographed pageantry to repeating mantras quietly, is one of the most effective tools for formation and communication that human communities have ever developed. What communities rehearse together, they become. What they name in worship, they are shaped to see in the world. What they pray shapes what they are willing to do.

    Exemplified by the historic work of people like Fannie Lou Hamer and the modern activism of Bishop William J. Barber II, BIPOC faith communities have long practiced liturgy that is embodied in resistance. Progressive white faith communities are catching up to that understanding. Our liturgy shouldn’t just inform our resistance; it needs to be our resistance. Liturgy, ritual and worship that remain contained to the walls of a building aren’t true worship. We have to pray with our feet and worship with our bodies. “Friends, our service is ended, but our worship has just begun,” I say at the end of each Sunday service at my church. “So go now and proclaim the resurrection by loving and serving the Lord and each other.”

    For secular organizers, the implication is this: When you partner with faith communities, take the worship seriously. It’s not preamble, it’s where the formation occurs so that the work can happen out there, beyond the walls. Were you curious why it was so important to disrupt a service at Cities Church in Minnesota where the acting director of the local ICE office was also a pastor? This is why.

    Organizing Faith Leaders: What Actually Works

    We need faith leaders in this moment, but how do we get there? How do we bring faith leaders into progressive activism and advocacy? Organizing faith leaders is similar to organizing other leaders, but it has its own challenges and considerations. There are many moderate and progressive faith leaders out there, but some are uncertain about public engagement. To encourage them, start first with the theological and the scriptural. They are more responsive to a conversation about what their tradition requires than to a conversation about which side they’re on. All too often they’re accustomed to walking a thin line between their convictions and their role in maintaining communal harmony. Aim for open conversations rather than partisan framing.

    Second, similar to how you would organize other leaders, you need to build networks before a crisis occurs. The rapid response capacity that showed up in Minnesota and elsewhere existed because relationships and infrastructure had been built in advance. Clergy networks, interfaith coalitions and shared commitments to show up need to be organized in ordinary times, not assembled in the emergency. The good news is that many cities and towns, even rural areas, already have these sorts of organizations and networks in place.

    Third, remember, it’s a fallacy that clergy only work on their specific holy day. Many clergy are busy people and, with a few exceptions, they, too, have lives and families. It’s also becoming very common for progressive Christian clergy to work more than one job; some traditions do not pay their clergy as a matter of tradition or policy, and others cannot afford to.

    Fourth, remember that for many clergy, particularly those with large congregations, their specific position, which is often why we want and need them in the fight, is also their career and the way they support themselves and their families. When I speak out or write publicly, under my name, with my ordination and institutional role attached, I know that I risk losing those positions. Activism will impact a clergyperson’s ability to secure future pastoral positions. It will have consequences for their ability to lead in certain church spaces or to speak in forums that even other progressive clergy can access.

    One of the most difficult positions for many progressive clergy, including those of us fully committed to justice, is when the activism our faith demands of us runs afoul of the opinions and sentiments of the congregations that employ us. Choosing between your livelihood and the call you sense from your God is more difficult than it might seem even to faithful observers.

    With those points in mind, make your asks specific: Will you sign this letter, will you show up at this hearing, will you stand with us at this action? These asks require a real decision, and that decision is itself formative. People who say yes once are more likely to say yes again.

    When progressive clergy do step forward and speak out, secular activists can support and amplify their work in concrete ways: by platforming faith voices in progressive media and by including clergy in coalitions where their theological and scriptural framing will be heard by audiences that respond to it.

    What’s At Stake

    Christian nationalism is no longer a fringe movement, but a governing ideology with enormous institutional power. It has captured much of the federal executive branch, evidenced by the implementation of Project 2025, a Christian nationalist initiative if there ever was one, and explicitly Christian ideological statements made by President Trump and Secretary of Defense Pete Hegseth. It has held hostage entire state legislatures, shaped court decisions and established itself as the default voice of American Christianity in too much of our public life. The progressive movement cannot counter that with secular arguments alone. Secular arguments aren’t wrong, but they don’t reach the people who most need to hear a different account of what faith demands, and they often lack the ability to affect people still hoping for a different and better Christianity.

    What progressive faith leaders offer is the ability to fight on religious and spiritual grounds. To say, from inside the tradition, with all the credibility that comes from living inside it and all the passion they share with true believers, that this movement masquerading as Christian is an aberration and perversion.

    The Jesus I follow was a refugee. He was born into an occupied land, lived under the forces of empire and was executed by the state for the trouble he had the potential to cause. The movement that bears his name has spent 2,000 years arguing about what that means and who gets to say. Right now, Christian nationalism appears to be winning that argument in the public square. Their theology isn’t sound, but they showed up and we didn’t.

    Yet change is happening. Here in Ohio and across the United States, faith leaders are making a different kind of good trouble — in collars and stoles, in op-eds and testimony, in liturgy that mobilizes people for courageous response rather than compliance. If the progressive movement can learn to see us as partners rather than curiosities, to make room for the theological alongside the political, we have a chance to contest the ground that authoritarianism depends on. The tradition that Christian nationalism has weaponized against the vulnerable was never theirs to claim. We’re taking it back.


  • 36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants



    Ravie Lakshmanan | Apr 05, 2026 | Malware / DevSecOps

    Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant.

    “Every package contains three files (package.json, index.js, postinstall.js), has no description, repository, or homepage, and uses version 3.6.8 to appear as a mature Strapi v3 community plugin,” SafeDep said.

    All identified npm packages follow the same naming convention, starting with “strapi-plugin-” and then phrases like “cron,” “database,” or “server” to fool unsuspecting developers into downloading them. It’s worth noting that the official Strapi plugins are scoped under “@strapi/.”

    The packages, uploaded by four sock puppet accounts “umarbek1233,” “kekylf12,” “tikeqemif26,” and “umar_bektembiev1” over a period of 13 hours, are listed below –

    • strapi-plugin-cron
    • strapi-plugin-config
    • strapi-plugin-server
    • strapi-plugin-database
    • strapi-plugin-core
    • strapi-plugin-hooks
    • strapi-plugin-monitor
    • strapi-plugin-events
    • strapi-plugin-logger
    • strapi-plugin-health
    • strapi-plugin-sync
    • strapi-plugin-seed
    • strapi-plugin-locale
    • strapi-plugin-form
    • strapi-plugin-notify
    • strapi-plugin-api
    • strapi-plugin-sitemap-gen
    • strapi-plugin-nordica-tools
    • strapi-plugin-nordica-sync
    • strapi-plugin-nordica-cms
    • strapi-plugin-nordica-api
    • strapi-plugin-nordica-recon
    • strapi-plugin-nordica-stage
    • strapi-plugin-nordica-vhost
    • strapi-plugin-nordica-deep
    • strapi-plugin-nordica-lite
    • strapi-plugin-nordica
    • strapi-plugin-finseven
    • strapi-plugin-hextest
    • strapi-plugin-cms-tools
    • strapi-plugin-content-sync
    • strapi-plugin-debug-tools
    • strapi-plugin-health-check
    • strapi-plugin-guardarian-ext
    • strapi-plugin-advanced-uuid
    • strapi-plugin-blurhash 

    An analysis of the packages reveals that the malicious code is embedded within the postinstall script hook, which gets executed on “npm install” without requiring any user interaction. It runs with the same privileges as the installing user, so in CI/CD environments and Docker containers where installs run as root, the payload inherits root access.

    The evolution of the payloads distributed as part of the campaign is as follows –

    • Weaponize a locally accessible Redis instance for remote code execution by injecting a crontab (aka cron table) entry to download and execute a shell script from a remote server every minute. The shell script writes a PHP web shell and Node.js reverse shell via SSH to Strapi’s public uploads directory. It also attempts to scan the disk for secrets (e.g., Elasticsearch and cryptocurrency wallet seed phrases) and exfiltrate a Guardarian API module.
    • Combine Redis exploitation with Docker container escape to write shell payloads to the host outside the container. It also launches a direct Python reverse shell on port 4444 and writes a reverse shell trigger into the application’s node_modules directory via Redis.
    • Deploy a reverse shell and write a shell downloader via Redis and execute the resulting file.
    • Scan the system for environment variables and PostgreSQL database connection strings.
    • Deploy an expanded credential harvester and reconnaissance payload that gathers environment dumps and Strapi configurations, extracts Redis data by running the INFO, DBSIZE, and KEYS commands, maps network topology, and collects Docker/Kubernetes secrets, cryptographic keys, and cryptocurrency wallet files.
    • Conduct PostgreSQL database exploitation by connecting to the target’s PostgreSQL database using hard-coded credentials and querying Strapi-specific tables for secrets. It also dumps matching cryptocurrency-related patterns (e.g., wallet, transaction, deposit, withdraw, hot, cold, and balance) and attempts to connect to six Guardarian databases. This indicates that the threat actor is already in possession of the data, obtained either via a prior compromise or through some other means.
    • Deploy a persistent implant designed to maintain remote access to a specific hostname (“prod-strapi”).
    • Facilitate credential theft by scanning hard-coded paths and spawning a persistent reverse shell.

    “The eight payloads show a clear narrative: the attacker started aggressively (Redis RCE, Docker escape), found those approaches weren’t working, pivoted to reconnaissance and data collection, used hardcoded credentials for direct database access, and finally settled on persistent access with targeted credential theft,” SafeDep said.

    The nature of the payloads, combined with the focus on digital assets and the use of hard-coded database credentials and hostname, raises the possibility that the campaign was a targeted attack against a cryptocurrency platform. Users who have installed any of the aforementioned packages are advised to assume compromise and rotate all credentials.
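
    One way to triage a project for the traits SafeDep describes (unscoped “strapi-plugin-” name, version 3.6.8, an install-time hook, no metadata, three files) is sketched below as an added example; it is not SafeDep's or npm's tooling. The function names, the sample lockfile and manifest, and the package names “strapi-plugin-example-legit” and “@strapi/plugin-example” are constructed for illustration.

```javascript
// Added triage example; not SafeDep's or npm's tooling. Indicators are the
// traits quoted in the article; all sample data below is constructed.
const PREFIX = 'strapi-plugin-'; // unscoped; official plugins use @strapi/
const CAMPAIGN_VERSION = '3.6.8';
const CAMPAIGN_FILES = ['index.js', 'package.json', 'postinstall.js'];

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; return the
// name of the innermost package ("@scope/b").
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Pass 1: package-lock.json (lockfileVersion 2 or 3). npm sets
// hasInstallScript on entries that declare install-time hooks.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || nameFromLockPath(path);
    if (!name.startsWith(PREFIX)) continue; // scoped names never match
    const indicators = ['unscoped strapi-plugin-* name'];
    if (entry.version === CAMPAIGN_VERSION) indicators.push('version 3.6.8');
    if (entry.hasInstallScript === true) indicators.push('runs install script');
    findings.push({ name, path, version: entry.version, indicators });
  }
  return findings;
}

// Pass 2: the installed package's own package.json plus its file listing,
// for traits the lockfile does not carry.
function auditManifest(manifest, files) {
  const indicators = [];
  if (!String(manifest.name || '').startsWith(PREFIX)) return indicators;
  indicators.push('unscoped strapi-plugin-* name');
  if (manifest.version === CAMPAIGN_VERSION) indicators.push('version 3.6.8');
  if (manifest.scripts && manifest.scripts.postinstall) {
    indicators.push('postinstall hook');
  }
  const missing = ['description', 'repository', 'homepage']
    .filter((key) => !manifest[key]);
  if (missing.length === 3) {
    indicators.push('no description, repository or homepage');
  }
  if (files && [...files].sort().join() === CAMPAIGN_FILES.join()) {
    indicators.push('three-file layout');
  }
  return indicators;
}

// Constructed sample input (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-cms', version: '1.0.0' },
    'node_modules/@strapi/plugin-example': { version: '3.6.8' },
    'node_modules/strapi-plugin-cron': { version: '3.6.8', hasInstallScript: true },
    'node_modules/strapi-plugin-example-legit': { version: '1.2.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};
const SAMPLE_MANIFEST = {
  name: 'strapi-plugin-cron',
  version: '3.6.8',
  scripts: { postinstall: 'node postinstall.js' },
};
const SAMPLE_FILES = ['package.json', 'index.js', 'postinstall.js'];

// Stand-alone use: node audit.js path/to/package-lock.json
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  const arg = process.argv[2];
  const lock = arg && arg.endsWith('.json')
    ? JSON.parse(require('node:fs').readFileSync(arg, 'utf8'))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.path}@${f.version}: ${f.indicators.join('; ')}`);
  }
}
```

    A hit on the name alone is a lead for review, not a verdict; entries that also match the version and install-script traits warrant the assume-compromise response above. Installing with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps postinstall hooks from running at all.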

    The disclosure coincides with the discovery of several other supply chain attacks targeting the open-source ecosystem –

    • A GitHub account named “ezmtebo” has submitted over 256 pull requests across various open-source repositories containing a credential exfiltration payload. “It steals secrets through CI logs and PR comments, injects temporary workflows to dump secret values, auto-applies labels to bypass pull_request_target gates, and runs a background /proc scanner for 10 minutes after the main script exits,” SafeDep said.
    • A hijack of “dev-protocol,” a verified GitHub organization, to distribute malicious Polymarket trading bots with typosquatted npm dependencies (“ts-bign” and “levex-refa” or “big-nunber” and “lint-builder”) that steal wallet private keys, exfiltrate sensitive files, and open an SSH backdoor on the victim’s machine. While “levex-refa” functions as a credential stealer, “lint-builder” installs the SSH backdoor. Both “ts-bign” and “big-nunber” are designed to deliver “levex-refa” and “lint-builder,” respectively, as a transitive dependency.
    • A compromise of the popular Emacs package, “kubernetes-el/kubernetes-el,” that exploited the Pwn Request vulnerability in its GitHub Actions workflow by using the pull_request_target trigger to steal the repository’s GITHUB_TOKEN, exfiltrate CI/CD secrets, deface the repository, and inject destructive code to delete nearly all repository files.
    • A compromise of the legitimate “xygeni/xygeni-action” GitHub Actions workflow using stolen maintainer credentials to plant a reverse shell backdoor. Xygeni has since implemented new security controls to address the incident.
    • A compromise of the legitimate npm package, “mgc,” by means of an account takeover to push four malicious versions (1.2.1 through 1.2.4) containing a dropper script that detects the operating system and fetches a platform-specific payload – a Python trojan for Linux and a PowerShell variant for Windows called WAVESHAPER.V2 – from a GitHub Gist. The attack shares direct overlap with the recent supply chain attack targeting Axios, which has been attributed to a North Korean threat cluster tracked as UNC1069.
    • A malicious npm package named “express-session-js” that typosquats “express-session” and contains a dropper that retrieves a next-stage remote access trojan (RAT) from JSON Keeper to conduct data theft and persistent access by connecting to “216.126.237[.]71” using the Socket.IO library.
    • A compromise of the legitimate PyPI package, “bittensor-wallet” (version 4.0.2), to deploy a backdoor that’s triggered during a wallet decryption operation to exfiltrate wallet keys using HTTPS, DNS tunneling, and Raw TLS as exfiltration channels to either a hard-coded domain or one created using a Domain Generation Algorithm (DGA) that’s rotated daily.
    • A malicious PyPI package named “pyronut” that typosquats “pyrogram,” a popular Python Telegram API framework, to embed a stealthy backdoor that’s triggered every time a Telegram client starts and seize control of the Telegram session and the underlying host system. “The backdoor registers hidden Telegram message handlers that allow two hardcoded attacker-controlled accounts to execute arbitrary Python code (via the /e command and the meval library) and arbitrary shell commands (via the /shell command and subprocess) on the victim’s machine,” Endor Labs said.
    • A set of three malicious Microsoft Visual Studio Code (VS Code) extensions published by “IoliteLabs” – “solidity-macos,” “solidity-windows,” and “solidity-linux” – that were originally dormant since 2018 but were updated on March 25, 2026, to launch a multi-stage backdoor targeting Windows and macOS systems upon launching the application to establish persistence. Collectively, the extensions had 27,500 installs prior to them being removed.
    • Multiple versions of the “KhangNghiem/fast-draft” VS Code extension on Open VSX (0.10.89, 0.10.105, 0.10.106, and 0.10.112) that execute a GitHub-hosted downloader to deploy a second-stage Socket.IO RAT, an information stealer, a file exfiltration module, and a clipboard monitor from a GitHub repository. Interestingly, versions 0.10.88, 0.10.111, and 0.10.129-135 have been found to be clean. “That is not the release pattern you expect from a single compromised build or a maintainer who has fully switched to malicious behavior,” Aikido said. “It looks more like two competing release streams sharing the same publisher identity.”

    In a report published in February 2026, Group-IB revealed that software supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” adding that threat actors are going after trusted vendors, open-source software, SaaS platforms, browser extensions, and managed service providers to gain inherited access to hundreds of downstream organizations.

    The supply chain threat can rapidly escalate a single localized intrusion into something that has a large-scale, cross-border impact, with attackers industrializing supply chain compromises and turning them into a “self-reinforcing” ecosystem, as it offers reach, speed, and stealth.

    “Package repositories such as npm and PyPI have become prime targets, stolen maintainer credentials, and automated malware worms to compromise widely used libraries – turning development pipelines into large-scale distribution channels for malicious code,” Group-IB said.




  • Why Third-Party Risk Is the Biggest Gap in Your Clients’ Security Posture



    The next major breach hitting your clients probably won’t come from inside their walls. It’ll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That’s the new attack surface, and most organizations are underprepared for it.

    Cynomi’s new guide, Securing the Modern Perimeter: The Rise of Third-Party Risk Management, makes the case that TPRM is no longer a compliance formality. It’s a frontline security challenge and a defining growth opportunity for MSPs and MSSPs who get ahead of it.

    The Modern Perimeter Has Expanded

    For decades, cybersecurity strategy revolved around a defined perimeter. Firewalls, endpoint controls, and identity management systems were deployed to protect assets within a known boundary.

    That boundary has dissolved.

    Today, client data lives in third-party SaaS applications, flows through vendor APIs, and is processed by subcontractors that internal IT teams may not even know about. Security no longer stops at owned infrastructure. It extends across an interconnected ecosystem of external providers, and the accountability that comes with it extends there, too.

    The 2025 Verizon Data Breach Investigations Report found that third parties are involved in 30% of breaches. IBM’s 2025 Cost of a Data Breach Report puts the average remediation cost of a third-party breach at $4.91 million. Third-party exposure has become a core feature of modern business operations, not an edge case.

    For proactive service providers, this shift creates a substantial opportunity. Organizations facing mounting third-party threats are looking for strategic partners who can own, streamline, and continuously manage the entire third-party risk lifecycle. Service providers who step into that role can introduce new service offerings, deliver higher-value consulting, and establish themselves as central to their clients’ security and compliance programs.

    From Checkbox to Core Risk Function

    The traditional approach to vendor risk relied on annual questionnaires, spreadsheets, and the occasional follow-up email. It was never adequate, and it’s especially costly now.

    Regulatory frameworks like CMMC, NIS2, and DORA have raised the bar significantly. Compliance now requires demonstrable, ongoing oversight of third-party controls, not a point-in-time snapshot from twelve months ago. Boards are asking harder questions about vendor exposure. Cyber insurers are scrutinizing supply chain hygiene before writing policies. And clients who’ve watched competitors absorb the fallout from a vendor’s breach understand that “it wasn’t our system” doesn’t limit their liability.

    The market is responding accordingly. Global TPRM spending is projected to grow from $8.3 billion in 2024 to $18.7 billion by 2030. Organizations are treating vendor oversight as a governance function, on par with incident response or identity management, because the cost of ignoring it has become too high.

    For service providers, that budget allocation is a clear signal. Clients are actively looking for partners who can own and manage vendor oversight as a defined, ongoing service.

    Scaling TPRM Is Where Most Providers Get Stuck

    Most MSPs and MSSPs recognize the opportunity. The hesitation comes down to delivery, and specifically to whether TPRM can be executed profitably at scale.

    Traditional vendor review relies on fragmented workflows and manual analysis. Custom assessments must be sent, tracked, and interpreted, and risk must be tiered against each client’s specific obligations. This work often falls to senior consultants, making it expensive and hard to delegate.

    Multiplying this effort across a client portfolio with different vendor ecosystems, compliance needs, and risk tolerances can be unsustainable. This is why many providers offer TPRM as a one-off project instead of a recurring managed service.

    But that’s also where the opportunity lies. Cynomi’s Securing the Modern Perimeter guide outlines how structured, technology-enabled TPRM can shift from a bespoke consulting engagement into a repeatable, high-margin service line that strengthens client retention, drives upsell, and positions service providers as integral partners in their clients’ security programs.

    Turning TPRM Into a Revenue Engine

    Third-party risk is a conversation starter that never runs out of material.

    Every new vendor a client onboards creates a potential risk discussion. Regulatory updates are natural reasons to revisit vendor programs, and every breach in the news that traces back to a third party reinforces the stakes. TPRM, done well, keeps service providers embedded in client strategy rather than relegated to reactive support, and that positioning changes the nature of the relationship entirely. 

    Providers who build out structured TPRM capabilities find that it opens doors to: 

    • Broader security advisory work
    • Higher retainer values
    • Stronger client relationships built on genuine business impact
    • Differentiation in a crowded managed services market
    • Credible third-party risk governance, signaling maturity to prospective clients

    The Bottom Line

    Third-party risk isn’t going away. The vendor ecosystems your clients depend on will keep growing more complex, with more SaaS platforms, AI-powered tools, subcontractors, and regulatory scrutiny layered on top. Organizations that manage this exposure well will have a meaningful advantage in resilience and compliance.

    Building a structured, scalable TPRM practice that delivers consistent oversight across your portfolio creates far more leverage than adding headcount or assembling bespoke programs from scratch for every client. The infrastructure you build once pays dividends across every account.

    Cynomi’s Securing the Modern Perimeter: The Rise of Third-Party Risk Management is a practical starting point. It covers the full scope of modern third-party risk, what a governance-grade TPRM program looks like, and how service providers can build and scale this capability without sacrificing margins. 

    Discover how Cynomi helps MSPs and MSSPs operationalize TPRM at scale, or request a demo to explore how it fits your service model.

    This article is a contributed piece from one of our valued partners.