https://karmine05.github.io/dirtyfrag-blog/tags/fleet/ Recent content in Fleet on investigator's notes Hugo en-us Wed, 13 May 2026 09:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/fleet-mcp-manifesto/ Wed, 13 May 2026 09:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/fleet-mcp-manifesto/ Why fleet-mcp exists. A manifesto for natural-language endpoint security: ask a question in English, get a real osquery scan across every host you own, with the SQL shown to you and the assumptions named. https://karmine05.github.io/dirtyfrag-blog/posts/mini-shai-hulud-tanstack-supply-chain/ Tue, 12 May 2026 08:00:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/mini-shai-hulud-tanstack-supply-chain/ CVE-2026-45321 is an active npm supply chain worm daemonizing on install and harvesting developer credentials across GitHub Actions, AWS, Vault, and Kubernetes. Full IoC set, Fleet detection tooling, and results from scanning 30 hosts — plus the critical gap in Fleet's npm table and why the deep scan scripts exist. https://karmine05.github.io/dirtyfrag-blog/posts/pre-cve-response-with-fleet/ Fri, 08 May 2026 13:30:00 -0400 https://karmine05.github.io/dirtyfrag-blog/posts/pre-cve-response-with-fleet/ How to respond to a public Linux exploit before it has a CVE assigned, using artifact-based queries instead of vulnerability catalogs. A worked example with Fleet, osquery, and a Slack bot wired to MCP.