Cybersecurity Brief

Supply-Chain Attack Spurs Patching as CISA Warns; AWS Adds Controls

Coverage: 25 Nov 2025 (UTC)

Proactive controls set the tone today. An advisory from CISA details high‑severity flaws in Zenitel TCIV‑3+ intercoms, while AWS introduced managed external secrets in Secrets Manager to standardize third‑party credential rotation. At the same time, a new analysis from Check Point documents a fast‑moving npm supply‑chain campaign, underscoring the stakes for development pipelines.

Cloud secret management and proxy controls expand

Secrets Manager now offers a managed external secrets type that bakes in predefined formats and rotation metadata for credentials issued by providers such as Salesforce, Snowflake, and BigID. According to AWS, administrators select a provider, supply configuration details, and let the service handle rotation with least‑privilege roles, auditability via CloudTrail, and encryption using customer‑chosen KMS keys. By removing custom storage schemes and provider‑specific rotation code, teams can cut operational toil and reduce errors in secret handling.

Separately, Network Firewall Proxy entered public preview, adding an explicit‑mode proxy to centralize policy enforcement for outbound web and inter‑network traffic. AWS says the feature filters both requests and responses, supports domain/SNI anti‑spoofing checks, offers optional TLS inspection, and emits detailed logs to S3 and CloudWatch. The preview is free in the US East (Ohio) region. This aims to tighten layer‑7 visibility and control while acknowledging TLS inspection trade‑offs such as certificate management and latency.

Advisories and patches for critical systems

An industrial‑control advisory describes multiple remotely exploitable issues in Zenitel TCIV‑3+ devices, including OS command injection, out‑of‑bounds write, and reflected XSS in firmware versions before 9.3.3.0. The flaws, reported by Claroty Team82, carry top CVSS ratings and could enable arbitrary code execution or device crash; the vendor has released fixed firmware. The guidance from CISA stresses immediate patching, network isolation of control systems, and cautious use of remote access.

A separate alert covers SiRcom SMART Alert (SiSA), where a missing authentication control in version 3.0.48 allows unauthenticated access to backend APIs. CISA assigned a CVSS v3.1 score of 9.1 and notes the potential for remote siren activation or manipulation across Emergency Services and Government Facilities. Recommended mitigations include removing direct internet exposure, placing control networks behind firewalls, and deploying secure remote access with up‑to‑date VPNs.

Additional industrial guidance addresses Festo products affected by legacy CODESYS issues that can leave password protection disabled by default (CVE‑2022‑31806) or permit configuration tampering (CVE‑2022‑22515). The advisory from CISA urges enabling password protection, using online user management to constrain risky operations, and segmenting networks. In the cloud‑logging stack, a report from CSO Online outlines five critical Fluent Bit vulnerabilities spanning authentication bypass, tag handling flaws, path traversal, and a stack buffer overflow. Patched releases v4.1.1 and v4.0.12 are available; operators should upgrade, enforce Shared.key where required, sanitize inputs, restrict access to endpoints, and rotate credentials tied to logging.

Supply-chain compromise and service disruptions

Researchers document a widening npm supply‑chain incident referred to as Shai‑Hulud 2.0. The campaign, analyzed by Check Point, compromised hundreds of packages and over 25,000 GitHub repositories in hours and abused the npm preinstall lifecycle script to execute code before installation finished. The analysis maps infiltration methods, propagation, and the environments most likely at risk, including build servers and developer workstations. Recommended mitigations include restricting or auditing lifecycle scripts, enforcing dependency review and lockfile verification, using SBOM‑based inventory, and monitoring for anomalous install‑time behavior. Why it matters: preinstall execution widens the attack surface inside CI/CD pipelines and developer environments, turning routine builds into potential compromise points.

A separate investigation by The Hacker News highlights years of exposed secrets in the public save features of JSONFormatter and CodeBeautify, with watchTowr Labs preserving more than 80,000 entries containing passwords, tokens, cloud keys, and personal data across sectors. The services temporarily disabled saves and are adding stronger prevention. The finding reinforces the need to prohibit consumer utilities for production secrets, scan for leaked credentials, and rotate suspect keys promptly.

In public‑safety communications, a cyberattack against the legacy CodeRED platform disrupted emergency alerting across US jurisdictions. According to BleepingComputer, Crisis24 decommissioned the legacy environment and is restoring backups to a new system, but customer data—including passwords—was stolen; password reuse risks warrant immediate resets. Meanwhile, mailbox access issues hit Exchange Online users of the classic Outlook desktop client, with coverage from BleepingComputer indicating impact in Asia Pacific and North America; the suggested workaround is Outlook on the Web while diagnostics continue.

AI operations, malicious models, and scanning guidelines

A staged blueprint for a GenAI‑enabled SOC describes autonomous agents handling a large share of routine cases under human oversight. A post from Microsoft cites agents assisting with roughly 75% of phishing and malware incidents in the analyst queue and speeding resolutions while preserving auditable decision paths. The approach emphasizes guardrails, curated test sets, dark‑mode validation, and change management to align automation with analyst workflows.

On the offensive side, a report from Unit 42 examines purpose‑built malicious LLMs that generate ransomware, spear‑phishing, and lateral‑movement scripts, lowering barriers for criminal operations and compressing attack timelines. The authors call for built‑in safety testing in open‑source projects, regulatory standards, and international collaboration to disrupt monetized misuse. Complementing these discussions, AWS published behavioral guidelines for network scanning that encourage identifiable, cooperative, non‑mutating probes with transparent opt‑outs and secure data handling. The goal: help distinguish legitimate security scanning from malicious reconnaissance and reduce operational friction for system owners.

These and other news items from the day:

Tue, November 25, 2025

Shai-Hulud 2.0: Inside a Major npm Supply-Chain Attack

🧨 Check Point Research details the Shai-Hulud 2.0 campaign, a rapid and extensive npm supply-chain attack observed in November 2025. Between 21–23 November attackers compromised hundreds of npm packages and over 25,000 GitHub repositories by abusing the npm preinstall lifecycle script to execute payloads before installation completed. The report outlines techniques, scale, and practical mitigations to help organizations protect development pipelines.

Tue, November 25, 2025

OnSolve CodeRED Cyberattack Disrupts U.S. Alert Systems

🚨 Crisis24 confirmed its CodeRED emergency-notification platform was breached, disrupting alerts for state and local governments, police, and fire agencies nationwide. The company decommissioned the legacy environment and is rebuilding from a March 31, 2025 backup, so recent accounts may be missing. Crisis24 says the incident was contained to CodeRED, but names, addresses, emails, phone numbers and passwords were stolen; no public posting has been confirmed.

Tue, November 25, 2025

Zenitel TCIV-3+ Multiple Remote Code Execution Flaws

⚠️ Zenitel has disclosed multiple high‑severity vulnerabilities in the TCIV-3+ intercom device, including three OS command injection flaws, an out‑of‑bounds write, and a reflected XSS. The issues (CVE-2025-64126 through CVE-2025-64130) carry high CVSS ratings — several are scored CVSS v4 10.0 — and can be exploited remotely with low complexity. Zenitel advises upgrading to version 9.3.3.0 or later; CISA recommends isolating devices, minimizing Internet exposure, and applying defensive controls until patches are deployed.

Tue, November 25, 2025

Manage SageMaker HyperPod Clusters with AI MCP Server

🔧 The Amazon SageMaker AI MCP Server now provides tools to set up and manage HyperPod clusters, allowing AI coding assistants to provision and operate clusters for distributed training, fine‑tuning, and deployment. It automates prerequisites and orchestrates clusters via Amazon EKS or Slurm with CloudFormation templates that optimize networking, storage, and compute. The server also delivers lifecycle operations — scaling, patching, diagnostics — so administrators and data scientists can manage large-scale AI/ML clusters without deep infrastructure expertise.

Tue, November 25, 2025

Fluent Bit Bugs Could Enable Complete Cloud Takeover

⚠️ Fluent Bit, a widely deployed log-processing agent used across containers, Kubernetes DaemonSets, and major cloud platforms, contains multiple critical vulnerabilities that can enable authentication bypass, arbitrary file writes, and full agent takeover. Oligo Security, in cooperation with AWS, disclosed five severe flaws impacting in_forward authentication and the tag-handling logic, plus path traversal and buffer-overflow defects. The project has released patches in v4.1.1 and v4.0.12; operators should update and validate configurations immediately to prevent log tampering, telemetry rerouting, and potential remote code execution.

Tue, November 25, 2025

Shai-Hulud Worm Resurfaces, Infects Hundreds of npm Packages

🐛 Security teams have warned of a rapidly spreading secret-stealing worm, Shai-Hulud, that has resurfaced in the npm ecosystem and already infected hundreds of packages with tens of millions of downloads. First seen in September, attackers hijack developer accounts to publish trojanized packages that exfiltrate AWS keys and GitHub tokens to attacker-controlled repositories. Vendors including Wiz Security and Mondoo report explosive scaling—hundreds of new repos discovered every 30 minutes—and urge urgent dependency audits. Recommended mitigations include rotating credentials, disabling npm postinstall scripts in CI, enforcing MFA, pinning versions, and using tools like Safe-Chain to block malicious packages.

Tue, November 25, 2025

Amazon SageMaker Adds EAGLE for Faster Inference Throughput

⚡ Amazon SageMaker AI now supports EAGLE (Extrapolation Algorithm for Greater Language-model Efficiency) speculative decoding to boost large language model inference throughput by up to 2.5x. The capability enables models to predict and validate multiple tokens in parallel rather than one at a time, preserving output quality while reducing latency. SageMaker automatically selects between EAGLE 2 and EAGLE 3 depending on model architecture and provides built‑in optimization jobs using curated or customer datasets. Optimized models can be deployed through existing SageMaker inference workflows without infrastructure changes, and the feature is available in select AWS Regions.

Tue, November 25, 2025

AWS Secrets Manager Introduces Managed External Secrets

🔐 AWS Secrets Manager now supports managed external secrets, a new secret type that standardizes storage and enables automated rotation for third-party application credentials such as Salesforce, Snowflake, and BigID. The feature separates rotation metadata from secret values and integrates directly with providers to remove the need for custom rotation functions. It leverages existing IAM, CloudWatch, CloudTrail, GuardDuty, and KMS controls and follows standard Secrets Manager pricing with no additional charge.

Tue, November 25, 2025

SiRcom SMART Alert Missing Authentication Vulnerability

⚠️ SiRcom SMART Alert (SiSA) version 3.0.48 contains a Missing Authentication for Critical Function vulnerability that allows unauthenticated access to backend APIs and bypass of the login screen using browser developer tools. Assigned CVE-2025-13483, the issue has a CVSS v3.1 base score of 9.1 and a CVSS v4 base score of 8.8. Exploitation could enable remote activation or manipulation of emergency sirens, and CISA reports no vendor coordination; network isolation and secure remote access are recommended.

Tue, November 25, 2025

AWS Network Firewall Proxy Now Available in Preview

🔒 AWS has launched Network Firewall Proxy in public preview, providing centralized controls to block data exfiltration and malware injection across application traffic. In explicit proxy mode you can set up filters in just a few clicks to control outbound requests and the responses your applications receive, protect against domain or SNI spoofing, and restrict access to trusted domains or IPs. The service supports TLS inspection and granular HTTP header filtering, and emits detailed logs to Amazon S3 and AWS CloudWatch. Preview access is free in US East (Ohio).

Tue, November 25, 2025

Exchange Online outage prevents classic Outlook access

⚠️ Microsoft is investigating an Exchange Online outage (incident EX1189820) preventing customers from accessing mailboxes via the classic Outlook desktop client, with reports of server connection and login failures. The company says impact is specific to users in Asia Pacific and North America and has classified the event as an incident in the admin center. As a workaround, affected users are advised to use Outlook on the Web while Microsoft analyzes the issue.

Tue, November 25, 2025

AWS Glue: Zero-ETL Replication for Self-Managed Databases

🔁 AWS Glue now supports zero-ETL for self-managed database sources, enabling no-code replication from Oracle, SQL Server, MySQL, and PostgreSQL hosted on-premises or on EC2 to Amazon Redshift. The feature auto-creates ongoing integrations to simplify setup, reduce operational overhead, and eliminate much of the engineering work previously required to build ingestion pipelines. It is available in multiple AWS Regions and aims to save teams weeks of engineering effort.

Tue, November 25, 2025

OpenSearch Service Introduces Agentic Search for NLP Queries

🔎 Amazon Web Services has introduced Agentic Search for OpenSearch Service, an agent-driven layer that interprets natural-language intent, orchestrates search tools, and generates OpenSearch DSL queries while providing transparent summaries of its decision process. The built-in QueryPlanningTool uses LLMs to plan and emit DSL, removing the need for manual query syntax. Two agent types are available: conversational agents with memory and flow agents optimized for throughput. Administrators can configure agents via APIs or OpenSearch Dashboards, and Agentic Search is supported on OpenSearch Service version 3.3+ across AWS Commercial and GovCloud regions.

Tue, November 25, 2025

SageMaker AI Inference Adds Bidirectional Streaming

🎙️ Amazon SageMaker AI Inference now supports bidirectional streaming, enabling real-time speech-to-text transcription that returns partial transcripts while audio is still being captured. Using the new Bidirectional Stream API, clients open an HTTP/2 connection to the SageMaker AI runtime, which automatically creates a WebSocket to your model container so audio frames and interim transcripts flow continuously. Any container that implements a WebSocket handler per the SageMaker AI contract works out of the box, allowing real-time models such as Deepgram to run without modification. The feature eliminates weeks or months of custom streaming infrastructure work so teams can focus on model accuracy, latency tuning, and agent behavior.

Tue, November 25, 2025

AWS Glue Data Quality Adds Preprocessing Queries Support

🛠️ AWS announces general availability of AWS Glue Data Quality preprocessing queries, enabling transformations before running data quality checks through the Glue Data Catalog APIs. The feature lets you create derived columns, filter datasets, perform calculations, and validate column relationships as part of the quality evaluation. This capability removes separate preprocessing steps, streamlines workflows, and tailors recommendations and rules to specific data subsets across commercial AWS Regions.

Tue, November 25, 2025

AWS Issues Behavioral Guidelines for Network Scanning

🔍 AWS published behavioral guidelines for network scanning to help legitimate scanners distinguish themselves from malicious actors when probing AWS IP space. The guidance defines four pillars—observational, identifiable, cooperative, and confidential—and gives practical examples (non‑mutating checks, reverse DNS, meaningful user‑agents, opt‑out mechanisms). Conforming scanners should limit impact, secure collected data, and respect opt‑out requests to reduce abuse reports and improve internet security.

Tue, November 25, 2025

Human and AI Collaboration in the GenAI-Powered SOC

🛡️ Microsoft Defender Experts outlines how autonomous AI agents are transforming Security Operations Centers by automating repetitive triage and amplifying analyst impact. Built with expert-defined guardrails, curated test sets, and human-in-the-loop validation, these agents already process about 75% of phishing and malware cases and help resolve incidents nearly 72% faster. The program emphasizes human governance, auditability, and iterative rollout through dark-mode evaluation and pilot partnerships.

Tue, November 25, 2025

Years of JSONFormatter and CodeBeautify Credentials Leak

🔒 New research from watchTowr Labs found over 80,000 files saved to online code-formatting tools, exposing thousands of passwords, API keys, repository tokens and other sensitive credentials across government, telecoms, finance, healthcare and critical infrastructure. The datasets comprise five years of JSONFormatter content and one year of CodeBeautify content (about 5GB), and both services used predictable, shareable URLs and a Recent Links page that made mass crawling trivial. Researchers uploaded decoy AWS keys that were abused within 48 hours, and both sites have temporarily disabled save functionality while implementing enhanced content-prevention measures.

Tue, November 25, 2025

Festo Compact Vision and Controller Products: Critical Flaws

⚠️ Festo has disclosed two critical vulnerabilities affecting multiple Compact Vision System, control block, controller, and operator unit products, with CVSS ratings up to 9.8. One issue stems from an insecure default that allows remote, unauthenticated access if passwords are not enabled; the other permits an authenticated attacker to read or modify configuration files. Festo and CERT@VDE recommend enabling password protection, using online user management where applicable, and minimizing network exposure of affected devices.

Tue, November 25, 2025

The Dilemma of AI: Malicious LLMs and Security Risks

🛡️ Unit 42 examines the growing threat of malicious large language models that have been intentionally stripped of safety controls and repackaged for criminal use. These tools — exemplified by WormGPT and KawaiiGPT — generate persuasive phishing, credential-harvesting lures, polymorphic malware scaffolding, and end-to-end extortion workflows. Their distribution ranges from paid subscriptions and source-code sales to free GitHub deployments and Telegram promotion. The report urges stronger alignment, regulation, and defensive resilience and offers Unit 42 incident response and AI assessment services.

Tue, November 25, 2025

Shai-Hulud 2.0 Worm Spreads Through npm and GitHub

⚠️ Researchers at Wiz, JFrog and others are tracking a renewed campaign of the Shai‑Hulud credentials‑stealing worm spreading through the npm registry and GitHub. The new Shai‑Hulud 2.0 executes during the preinstall phase, exfiltrates developer and CI/CD secrets to randomized repositories, and injects malicious payloads into other packages. Widely used modules, including @asyncapi/specs, Zapier, Postman and others, have been compromised, prompting immediate remediation steps for affected developers and organizations.

Tue, November 25, 2025

Code-formatters leak credentials from major organizations

🔓 Researchers discovered that the code-formatting services JSONFormatter and CodeBeautify exposed more than 80,000 user-saved JSON pastes totaling over 5GB via an unprotected Recent Links feature. The listings and predictable URLs allowed simple crawlers to enumerate and retrieve sensitive data including credentials, API keys, private keys, and PII. The findings show active scraping and confirmed access attempts after uploads expired.

Tue, November 25, 2025

Developers Exposed Large Cache of Credentials Online

🔒 Security researchers at watchTowr discovered that two popular code utility sites — JSON Formatter and Code Beautify — inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ “Recent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.

Tue, November 25, 2025

Code formatters left 80,000+ secrets exposed publicly

🔓 Researchers at external attack surface management firm watchTowr discovered more than 80,000 JSON snippets saved via JSONFormatter and CodeBeautify's unprotected Recent Links feature, exposing credentials, private keys, tokens, and configuration files. The platforms generated predictable, shareable URLs when users saved snippets and stored them without access controls, allowing anyone to scrape content via the services' APIs. Leaked material spans government, finance, healthcare, telecoms, and other sensitive sectors. watchTowr's Canarytoken test showed attackers accessed planted fake AWS keys after links had expired, indicating active scanning.

Tue, November 25, 2025

Blender .blend Files Weaponized to Deliver StealC V2

🛡️ Cybersecurity researchers disclosed a campaign that leverages Blender .blend files hosted on public asset sites to deliver the information stealer StealC V2. Malicious .blend assets contain embedded Python scripts that execute when Blender's Auto Run is enabled, fetching PowerShell code and two ZIP archives — one deploying StealC V2 and the other a secondary Python stealer. Vendors advise keeping Auto Run disabled and verifying asset sources.

Tue, November 25, 2025

Dartmouth Confirms Data Breach After Clop Extortion

🔒 Dartmouth College says threat actors linked to the Clop extortion gang exploited a zero-day in Oracle E-Business Suite to steal files and leak them on a dark web site. The college reported unauthorized access between August 9 and August 12, 2025, and on October 30 identified files containing names and Social Security numbers. A filing with Maine's Attorney General lists 1,494 individuals whose data was found in reviewed files and notes that financial account information was also taken. Dartmouth has not provided details on any ransom demand or the full scope of impacted people.

Tue, November 25, 2025

CISA: Active Spyware Campaigns Target Messaging Apps

🔐 CISA warns that threat actors are actively using commercial spyware and remote-access trojans to target users of mobile messaging apps, combining technical exploits with tailored social engineering to gain unauthorized access. Recent campaigns include abuse of Signal's linked-device feature, Android spyware families ProSpy, ToSpy and ClayRat, a chained iOS/WhatsApp exploit (CVE-2025-43300, CVE-2025-55177) targeting a small number of users, and a Samsung flaw (CVE-2025-21042) used to deliver LANDFALL. CISA urges high-value individuals and organizations to adopt layered defenses: E2EE, FIDO phishing-resistant MFA instead of SMS, password managers, device updates, platform hardening (Lockdown Mode, iCloud Private Relay, app-permission audits, Google Play Protect), and to prefer modern hardware from vendors with strong security records.

Tue, November 25, 2025

FBI: $262M Stolen in Bank Support Impersonation Scams

⚠️ The FBI warns that cybercriminals impersonating bank and payroll support teams have stolen over $262 million in account takeover (ATO) fraud since January 2025, with more than 5,100 complaints reported to the Internet Crime Complaint Center. Attackers use calls, texts, phishing sites and SEO‑poisoned search results to harvest credentials and MFA/OTP codes, then quickly wire funds to crypto wallets and lock owners out. The FBI advises monitoring accounts, using unique complex passwords, enabling MFA, bookmarking official banking sites, contacting financial institutions immediately to request recalls and indemnification, and filing detailed complaints with IC3.

Tue, November 25, 2025

JackFix uses fake Windows update pop-ups to deliver stealers

⚠️ Cybersecurity researchers report a JackFix campaign that uses fake Windows Update pop-ups on cloned adult sites to trick users into running mshta.exe and PowerShell commands. According to Acronis and Huntress, the attack chain leverages obfuscation, privilege escalation and can deploy multiple stealers including Rhadamanthys, RedLine and Vidar. Organizations are advised to train users and consider disabling the Windows Run box via Group Policy or Registry changes to reduce risk.

Tue, November 25, 2025

ToddyCat Tools Target Outlook, Steal M365 Tokens Now

🛡️ Kaspersky researchers report that the ToddyCat APT has evolved tactics to harvest corporate email and Microsoft 365 access tokens. Operators deployed a C++ utility, TCSectorCopy, to copy Outlook OST files sector-by-sector and then extract messages with XstReader. They also used SharpTokenFinder to enumerate and steal JWTs and, when blocked, relied on ProcDump to obtain Outlook memory dumps. PowerShell variants of TomBerBil were observed stealing browser cookies, credentials and DPAPI keys across network shares.

Tue, November 25, 2025

Opto 22 groov View: API exposes user API keys and metadata

🔒 CISA warns that Opto 22's groov View API exposes API keys and user metadata through a users endpoint that returns keys for all accounts to any principal with an Editor role. The issue affects groov View Server for Windows R1.0a–R4.5d and GRV‑EPIC‑PR1/PR2 firmware prior to 4.0.3. Successful exploitation could disclose credentials, reveal keys, and enable privilege escalation; Opto 22 has released patches and recommends upgrading to Server R4.5e and firmware 4.0.3 alongside network-level mitigations.

Tue, November 25, 2025

Amazon Aurora adds PostgreSQL minor versions and DDM

🔒 Amazon Aurora PostgreSQL-Compatible Edition now supports minor PostgreSQL releases 17.6, 16.10, 15.14, 14.19, and 13.22. The update introduces Dynamic Data Masking (DDM) for versions 16.10 and 17.6, masking column values at query time via role-based policies without changing stored data. It also adds a shared plan cache and delivers improved performance, faster RTO, and better Global Database switchover behavior. These versions are available in all commercial AWS Regions and AWS GovCloud (US); you can create new clusters or upgrade existing databases through the RDS console.

Tue, November 25, 2025

Holiday Cyberthreat Surge 2025: What CISOs Must Know

🛡️ FortiGuard Labs' 2025 holiday analysis documents a marked increase in malicious infrastructure, credential theft, and targeted exploitation of e-commerce systems during the pre-holiday period. Attackers registered tens of thousands of holiday- and retail-themed domains and sold over 1.57 million account records from stealer logs, fueling credential stuffing and account takeover. The report highlights active exploitation of critical flaws in platforms such as Magento, Oracle EBS, and WooCommerce, and emphasizes urgent mitigations: patching, MFA, bot management, domain monitoring, and payment-page integrity checks to reduce fraud and protect customers.

Tue, November 25, 2025

Four Ways AI Is Strengthening Democracies Worldwide

🗳️ The essay argues that while AI poses risks to democratic processes, it is also being used to strengthen civic engagement and government function across diverse contexts. Four case studies—Japan, Brazil, Germany, and the United States—illustrate practical deployments: AI avatars for constituent engagement, judicial workflow automation, interactive voter guides, and investigative tools for watchdog journalism. The authors recommend public AI like Switzerland’s Apertus as a democratic alternative to proprietary models and stress governance, transparency, and scientific evaluation to mitigate bias.

Tue, November 25, 2025

AWS Service Quotas: Automatic Quota Management Launch

🚀 AWS announced general availability of automatic quota management in Service Quotas. The feature sends configurable notifications (email, SMS, Slack) via the Service Quotas console or API when usage approaches allocated limits and can automatically and safely adjust service quota values in response to observed consumption. This reduces operational overhead from tracking and requesting quota increases across accounts and Regions and helps prevent unexpected interruptions. The capability is available at no additional cost in all AWS commercial regions.

Tue, November 25, 2025

AWS Lambda Adds Node.js 24 Runtime and Container Base

🆕 AWS Lambda now supports creating serverless applications with Node.js 24, available as both a managed runtime and a container base image. AWS will automatically apply updates to the managed runtime and base image as they become available, and the runtime is offered in all Regions including GovCloud (US) and China. The release emphasizes modern async/await handlers and removes callback-based handlers; Lambda@Edge and Powertools for AWS Lambda (TypeScript) are also supported, and standard AWS deployment tools (Console, CLI, SAM, CDK, CloudFormation) can be used to deploy Node.js 24 functions.

Tue, November 25, 2025

FlexibleFerret macOS Campaign Uses Go-Based Backdoor

🦊 Jamf Threat Labs reports a macOS malware chain, named FlexibleFerret, that employs staged scripts, credential‑harvesting decoys and a persistent Go-based backdoor to maintain long-term access. The campaign uses a second-stage shell script that reconstructs download paths and fetches different payloads for arm64 and Intel systems, then unpacks and runs a loader while writing a LaunchAgent for persistence. A decoy app mimics Chrome permission prompts and a Chrome-style password window to steal credentials, which are exfiltrated via the legitimate Dropbox API. The final stage invokes a Golang backdoor, CDrivers, that provides remote command-and-control and extensive data-theft capabilities.

Tue, November 25, 2025

Ashlar-Vellum Products: Out-of-Bounds Write & Heap Overflow

🔒 Ashlar-Vellum has released updates addressing two vulnerabilities—an Out-of-Bounds Write (CVE-2025-65084) and a Heap-based Buffer Overflow (CVE-2025-65085)—affecting Cobalt, Xenon, Argon, Lithium, and Cobalt Share up to version 12.6.1204.207. Both flaws could allow local attackers to disclose information or execute arbitrary code; vendor updates to 12.6.1204.208 or later are available. CISA assigns a CVSS v4 base score of 8.4, notes low attack complexity, and reports no known public exploitation; these issues are not remotely exploitable.

Tue, November 25, 2025

AWS Glue Data Quality Adds Rule Labeling for Reporting

🔖 AWS has made AWS Glue Data Quality rule labeling generally available, allowing teams to attach custom key-value labels to data quality rules for better organization and targeted reporting. Labels can represent business context, team ownership, compliance tags, or priority and can be authored in DQDL. Queryable in rule outcomes, row-level results, and APIs, labels enable focused reports and streamlined remediation workflows across all commercial AWS Regions where the service is available.

Tue, November 25, 2025

Cloudflare Hosts Black Forest Labs FLUX.2 on Workers AI

🖼️ Cloudflare now hosts Black Forest Labs' FLUX.2 image model on the Workers AI inference platform. The licensed dev release builds on the popular FLUX.1 lineage with stronger physical-world grounding, improved fidelity for faces, hands and small objects, and advanced multi-reference editing to preserve character and product consistency. Workers AI exposes FLUX.2 via multipart form-data (up to four 512×512 inputs) and returns images up to 4 megapixels, while supporting JSON prompting, hex color controls, multilingual prompts, and a server-side binding for integration into production pipelines.

Tue, November 25, 2025

Cyberattack Forces Mainz University to Shut Down IT Systems

🔒 Mainz University of Applied Sciences reported a cyberattack on Monday, 24 November, and has shut down all IT systems. The university says most services are unavailable while IT teams and investigative authorities analyse the threat and potential damage. A crisis team was mobilised to maintain essential operations, but restoration timelines remain uncertain. No further details have been released and it is unclear how the attackers gained access.

Tue, November 25, 2025

2026 Predictions: Autonomous AI and the Year of the Defender

🛡️ Palo Alto Networks forecasts that 2026 will be the Year of the Defender, as enterprises counter AI-driven threats with AI-enabled defenses. The report outlines six predictions — identity deepfakes, autonomous agents as insider threats, data poisoning, executive legal exposure, accelerated quantum urgency, and the browser as an AI workspace. It urges autonomy with control, unified DSPM/AI‑SPM platforms, and crypto agility to secure the AI economy.

Tue, November 25, 2025

Rockwell Arena Stack-Based Buffer Overflow Patch Released

🔒 Rockwell Automation has released an update for Arena Simulation to address a stack-based buffer overflow (CWE-121) in the parsing of DOE files that could allow local attackers to execute arbitrary code. The issue, tracked as CVE-2025-11918 (CVSS v4 7.1), affects versions 16.20.10 and earlier and requires opening a malicious DOE file. Rockwell fixed the vulnerability in 16.20.11; users should upgrade or apply recommended mitigations to reduce exposure.

Tue, November 25, 2025

CISA Releases Seven Industrial Control Systems Advisories

🔔 CISA released seven new Industrial Control Systems advisories addressing vulnerabilities across multiple vendors and product families. The advisories cover Ashlar-Vellum, Rockwell Automation, Zenitel, Opto 22, Festo, SiRcom, and an update for Mitsubishi Electric FA engineering software. Administrators are urged to review technical details and apply recommended mitigations promptly.

Tue, November 25, 2025

Microsoft adds Teams call handler to speed Windows client

⚡ Microsoft will introduce a new Teams call handler, ms-teams_modulehost.exe, that runs as a child process to manage the calling stack separately from the main ms-teams.exe application, improving startup times and in-meeting performance. The change is transparent to end users and requires no retraining. Administrators should allowlist the new process in security and endpoint protection systems and notify helpdesk staff to avoid false positives during the rollout.

Tue, November 25, 2025

AI and Deepfakes Drive Surge in Sophisticated Identity Fraud

🔍 Sumsub’s 2025 Identity Fraud Report finds that global identity fraud attempts fell slightly to 2.2%, but highly sophisticated attacks rose 180%. These multi-vector schemes combine synthetic identities, AI-driven deepfakes, layered social engineering, device tampering and cross-channel manipulation, making them far harder to detect. The report warns organisations to replace manual controls with real-time behavioural and telemetry analysis to counter this shift from quantity to quality in fraud.

Tue, November 25, 2025

Amazon Quick Suite: Scheduling for Quick Flows Automation

🕒 Amazon Quick Flows now supports scheduled execution, allowing teams to automate repetitive workflows at specified times or custom intervals. You can configure flows to run daily, weekly, monthly, or on custom schedules and schedule any flow you can access—whether you created it or it was shared with you. Scheduling is set via the Quick Flows scheduling icon and is available now in IAD, PDX, and DUB. There are no additional charges beyond standard Quick Flows usage, and common use cases include recurring report generation, summarizing open items in external services, and producing daily meeting briefings.

Tue, November 25, 2025

Tor adopts Counter Galois Onion (CGO) for relay encryption

🔐 Tor has replaced its legacy tor1 relay encryption with a new design called Counter Galois Onion (CGO) to strengthen circuit traffic confidentiality and integrity. CGO is built on a Rugged Pseudorandom Permutation (RPRP) construction named UIV+ and provides wide-block encryption, tag chaining, per-cell key updates for immediate forward secrecy, and a 16-byte authenticator that removes SHA-1. The change is currently experimental in the C Tor implementation and the Rust client Arti, will be deployed transparently to Tor Browser users, and aims to block tagging and other malleability attacks with only modest bandwidth cost.

Tue, November 25, 2025

Smishing Triad Expands Phishing Campaigns Targeting Egypt

🔍 Dark Atlas has uncovered a growing cluster of fraudulent domains used by the Chinese-speaking Smishing Triad to impersonate major Egyptian and global service providers, including Fawry, Egypt Post and Careem. Analysts traced malicious infrastructure in AS132203 — linked to Tencent facilities — after examining HTTP headers and running targeted Shodan searches, which revealed additional spoofed pages for brands such as UnionPay and TikTok. The group advertises a configurable smishing kit on Telegram that automates deployment of multilingual phishing templates for delivery, telecom, government and payment services worldwide.

Tue, November 25, 2025

The 2026 Tech Tsunami: AI, Quantum, and Web 4.0 Collide

🌐 Check Point's 2026 analysis warns that an unprecedented convergence of AI, quantum computing, and an immersive Web 4.0 will reshape digital risk. Autonomous systems and hyper-automation will blur boundaries between cloud, networks, and physical infrastructure, expanding attack surfaces and changing the nature of digital trust. The report calls for updated cryptography, enhanced detection, and cross-industry resilience planning.

Tue, November 25, 2025

UK Lawmakers Urge Legal Shift on Economic Cybersecurity

🔒 The House of Commons Business and Trade Committee has urged the UK government to enshrine a new approach to economic security in law, warning that cyber and other threats increasingly imperil the nation's open economy. The committee's report, Toward a new doctrine for economic security, stresses that economic security cannot be achieved without cybersecurity and highlights attacks on critical national infrastructure and private firms. Key recommendations include making the voluntary Software Security Code of Practice mandatory, introducing tax relief for IT services that enhance operational resilience, and consulting on a mandatory cyber-incident reporting regime.

Tue, November 25, 2025

Telecom Security Reboot: Making Zero Trust Operational

🔒 Telecom operators must abandon perimeter assumptions and adopt a zero trust mindset that treats verification as continuous rather than a one-time event. This shift is organizational as much as technical, requiring unified IT/OT policies, least-privilege access and microsegmentation to limit lateral movement. The article recommends pragmatic steps — wrapping legacy systems with secure gateways and centralized authentication — and aligning controls with frameworks such as NIST and NIS2, while tracking concrete KPIs in the first 180 days.

Tue, November 25, 2025

Influencers Targeted by Cybercriminals: Account Risks

🔒 Social media influencers are increasingly attractive targets for cybercriminals who hijack trusted accounts to distribute scams, malware and fraudulent offers. Attackers use spearphishing, credential stuffing, brute-force attacks and SIM swapping, and AI is making those lures more convincing. Compromised accounts may be sold or used to push crypto and investment scams, exfiltrate follower data or extort victims. Practical defences include long, unique passwords, app-based 2FA, phishing awareness, device separation and up-to-date security software.

Tue, November 25, 2025

8 Effective Multicloud Security Tips and Best Practices

🔐 Multicloud adoption improves flexibility but introduces security and visibility risks unless managed centrally. Establish a central authority to define strategy, enforce policies and select cross-cloud tools, while implementing unified governance backed by identity management and automation. Treat every environment as a single trust boundary, enforce least privilege, and correlate telemetry for a unified detection-and-response posture. Limit access with short-lived sessions, recording and DLP to reduce attack surface and support auditability.

Tue, November 25, 2025

The AI Fix — Episode 78: Security, Spies, and Hype

🎧 In Episode 78 of The AI Fix, hosts Graham Cluley and Mark Stockley examine a string of headline-grabbing AI stories, from a fact-checked “robot spider” scare to Anthropic’s claim of catching an autonomous AI cyber-spy. The discussion covers Claude hallucinations, alleged state-backed misuse of US AI models, and concerns about AI-driven military systems and investor exuberance. The episode also questions whether the current AI boom is a bubble, while highlighting real-world examples like AI-generated music charting and pilots controlling drone wingmen.

Tue, November 25, 2025

How CloudGuard WAF Reduces Risk and Total Cost of Ownership

🔒 Check Point's CloudGuard WAF combines high prevention accuracy with reduced operational overhead to lower risk and total cost of ownership. In the WAF Comparison Project 2024–25 (1,040,242 legitimate requests across 692 sites, 13 vendors) it delivered ~99.4% detection and ~0.8% false positives. That accuracy, paired with less manual tuning and faster false-positive triage, cuts hidden expenses and breach exposure while protecting apps and APIs.

Tue, November 25, 2025

Key SOC Challenges to Solve Now to Prepare for 2026

⚠️ 2026 will reshape SOC priorities as adversaries adopt AI to scale evasive attacks, creating urgent challenges across detection, triage, and proving business value. The piece identifies three critical problems: increasingly evasive threats, alert overload and analyst burnout, and the need to quantify ROI for security investments. It recommends interactive malware analysis to reveal full attack chains, real-time threat intelligence to enrich alerts and speed triage, and continuous, measurable intelligence (API/SDK-driven) to turn SOC activity into demonstrated business value.

Tue, November 25, 2025

Seven Signs Your Cybersecurity Framework Needs Overhaul

🛡️ Organizations should rebuild security frameworks when they fail to sense environmental change, respond effectively to incidents, or support proactive risk management. Experts recommend a dynamic sensing-and-response capability, routine reviews (biannual heavy reviews with interim cursory checks), and deliberate integration of NIST baselines with industry-specific controls. Key warning signs include any breach, chronic alert overload, negative KRIs/KPIs, endpoint and AI gaps, and a compliance-only posture that ignores business risk. Rebuilds are also warranted after major business or regulatory shifts or when incremental fixes no longer suffice.

Tue, November 25, 2025

Year-End Cybersecurity Spend: Focus on Measurable Risk

🔒 As year-end budgets close, organizations should prioritize security purchases that reduce real business risk and produce measurable outcomes. Skip vendor wish lists; focus on strengthening identity controls — expanding MFA, tightening privileged access, and auditing Active Directory — and on short, outcome-based engagements such as attack-surface reviews, tabletop exercises, and purple-team testing. Consolidate redundant tools, pre-buy continuity capacity, and document KPIs to justify future funding.

Tue, November 25, 2025

Black Friday 2025: Cybersecurity, VPN and Antivirus Deals

🔒 Black Friday 2025 brings a broad selection of verified promotions across security software, VPNs, password managers, antivirus suites, online training, and hardware from major vendors. Highlights include up to 86% off VPN subscriptions, up to 70% off antivirus products, deep discounts on password managers, and reduced pricing for privacy removal services and certification courses. Most offers run from late November through early December and include date-limited coupons; availability and exact savings vary by provider, so confirm terms before buying. BleepingComputer discloses some links are affiliate-supported; if a listed promotion fits your needs, act promptly while the offer remains live.
