The chain that toppled a national system
The misantropia attack, which fired fake alerts to millions of phones across Brazil in June 2026, did not start with a criminal mastermind. It started with cheap malware and a password nobody rotated. The sequence is the same in almost every 2026 incident:
- An infostealer infects the machine of someone with access.
- Browser passwords are stolen in seconds.
- The data is resold on deep-web "stealer log" markets.
- An attacker replays those credentials (credential stuffing) on a panel or login.
- With no MFA, access works — and the damage begins.
Understanding each link is understanding how to close the door.
Link 1 — The infostealer
An infostealer is malware specialized in stealing saved data: browser passwords, session cookies, tokens, wallets. Families like RedLine, Lumma, Vidar and StealC are rented by subscription on Telegram channels — anyone with little technical skill can operate them. RedLine alone accounts for nearly half the cases in our region.
The infection vector is usually mundane: a pirated installer, an attachment, a fake extension, a "crack". The victim never notices — the malware collects and leaves.
Link 2 — The resale
Stolen credentials become a product. Stealer-log markets sell packs with login, password, cookies and the source site — organized and searchable. 1.8 billion credentials were stolen in the first half of 2025 alone, an 800% jump over the prior period, from 5.8 million infected devices.
That's why "my password is strong" isn't enough: password strength doesn't matter when the password is handed to the attacker whole.
Link 3 — Credential stuffing
With the credentials in hand, the attacker automates the rest: testing login/password pairs across many services, betting on password reuse. That's how it worked on Civil Defense's IDAP — the leaked credential worked because the password was never rotated and there was no MFA. 54% of ransomware victims had their credentials for sale before the attack: the chain is the early warning almost nobody reads.
How to break each link
| Link | Defense |
|---|---|
| Infostealer | Updated EDR/antivirus, block pirated software, don't save sensitive passwords in the browser, password manager with a vault |
| Resale | Monitor corporate credentials on stealer logs and the dark web; rotate on detection |
| Credential stuffing | Phishing-resistant MFA, leaked-password blocking, rate-limiting, strong captcha, anomalous-login detection |
| Reuse | One unique password per service (manager), never reuse across personal and corporate |
The key point: the decisive defense is MFA. Even if links 1, 2 and 3 happen, a phishing-resistant second factor blocks access. That's what Civil Defense lacked.
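A small detector for link 3, credential stuffing, run over constructed login events. This is an added example, not RET's code or anything from the original article: it flags a source address that tries many distinct accounts in a short window with mostly failures, and records any success inside that spray, which is the replayed stolen credential that worked. The log format, field names and thresholds are assumptions to adapt to your own product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): one source replays many
# different usernames within seconds; a legitimate user mistypes once.
SAMPLE_LOG = """\
2026-06-02T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2026-06-02T10:00:02Z src=203.0.113.10 user=bob result=FAIL
2026-06-02T10:00:02Z src=203.0.113.10 user=carol result=FAIL
2026-06-02T10:00:03Z src=203.0.113.10 user=dave result=FAIL
2026-06-02T10:00:03Z src=203.0.113.10 user=erin result=FAIL
2026-06-02T10:00:04Z src=203.0.113.10 user=frank result=FAIL
2026-06-02T10:00:05Z src=203.0.113.10 user=grace result=OK
2026-06-02T10:00:07Z src=198.51.100.7 user=alice result=FAIL
2026-06-02T10:00:20Z src=198.51.100.7 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    """Return (timestamp, src_ip, user, success) tuples; skips malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Per source IP, slide a time window over its attempts; flag when the window
    holds >= min_users distinct accounts and mostly failures (a spray, not a typo)."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                f = findings.setdefault(ip, {"distinct_users": 0, "attempts": 0, "success_after_spray": []})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["attempts"] = max(f["attempts"], len(win))
                # a success inside the spray is the stolen credential that still works
                if evs[end][3] and evs[end][2] not in f["success_after_spray"]:
                    f["success_after_spray"].append(evs[end][2])
    return findings
```

A finding with a non-empty `success_after_spray` is the account to force through MFA and a password rotation first; the legitimate user who failed once and then succeeded is never flagged because only one account was tried.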
What this means for your SaaS
If you run a product with login, an admin panel, payments or customer data, this chain is the most likely way you get breached in 2026 — not an exotic attack. The good news: every link has a known, cheap defense. RET reviews exactly this: where a leaked credential would enter your product, and what's missing to block it — in Risk Review and manual pentest.
Infostealer steals, the deep web resells, credential stuffing replays. The chain is cheap, automated and dominates 2026 — and it breaks at MFA. Without a second factor, your password is already the attacker's.