
Agentic Tools Expand as Supply-Chain Attacks and ICS Risks Surface
Coverage: 31 Mar 2026 (UTC)
Cloud and network platforms pushed deeper automation and testing while defenders confronted fresh software supply‑chain compromises. Amazon introduced Security Agent for on‑demand penetration testing across hybrid estates. A new advisory from CISA highlighted a critical MAVLink authentication weakness in PX4 Autopilot, reinforcing the need to harden exposed control links and segment operational networks.
Agentic operations and observability expand
In AWS’s observability stack, new agentic capabilities in OpenSearch add natural‑language chat that generates and refines PPL queries, an autonomous investigation agent that plans multi‑step analyses and returns ranked root‑cause hypotheses, and session memory that preserves context across pages. Amazon also made DevOps Agent generally available, positioning it as an autonomous assistant that learns application topologies, correlates telemetry with code and deployment data, and automates triage across multicloud and on‑prem environments. Together these updates aim to compress mean time to resolution by coupling iterative query generation with guided remediation.
Google Cloud introduced preview support for Active Buffer in GKE, a native implementation of the upstream CapacityBuffer API that reserves headroom so nodes are provisioned or kept warm ahead of demand. By turning buffer intent into pending demand for the autoscaler, latency‑sensitive services can launch immediately during spikes, improving SLO adherence without permanent over‑provisioning.
Cloudflare launched Flow Protection in beta for Magic Transit Enterprise, letting customers deploy verified eBPF programs that run across its network to apply custom, stateful DDoS mitigations for proprietary UDP protocols. The approach moves beyond coarse rate‑limits by enabling application‑aware decisions—pass, drop, or challenge—based on protocol semantics, while confining untrusted bytecode in a verified userspace VM for safety.
Testing and AI safety tooling
To raise assurance for agentic applications, Amazon Bedrock introduced AgentCore Evaluations, combining continuous online sampling of production traces with on‑demand tests for CI/CD. Teams can mix 13 built‑in evaluators with custom LLM‑ or code‑based checks, validate against ground truth, and stream alerts via integrated observability—providing measurable gates for change management and safety monitoring. For modernization programs, AWS also made Transform custom’s comprehensive codebase analysis GA, producing architecture documentation, technical‑debt reports, and dependency findings at multi‑language, million‑line scale to inform remediation and migration plans. Why it matters: pairing agent evaluation with large‑scale static analysis helps reduce operational risk as organizations adopt autonomous tooling.
Supply‑chain intrusions and developer risk
Unit 42 detailed a multi‑stage campaign by TeamPCP that weaponized trusted security and developer infrastructure, compromising GitHub Actions, PyPI and npm workflows to distribute loaders, harvesters, and a worm/wiper across widely used projects. The research at Unit 42 describes abuse of incomplete credential rotations and stolen publishing tokens, the use of steganography and double‑encoded payloads, and resilient C2 via decentralized canisters and typosquatted endpoints. Estimated exposure reaches hundreds of thousands of hosts and hundreds of gigabytes of harvested secrets. Immediate steps include auditing CI/CD and SBOMs, rotating publishing and GitHub tokens, enforcing package pinning and integrity checks, pruning unused dependencies, and using the provided IOCs and hunting queries to scope and contain impact.
In a separate incident, Google’s threat team reported that a compromised maintainer account pushed trojanized releases of the widely used Axios npm library. GTIG attributes the operation to a North Korea–nexus actor and documents a postinstall dropper that fetched platform‑specific RAT payloads, beaconed on a distinctive C2 pattern, and attempted self‑cleaning to hinder forensic analysis. Recommended actions include pinning to known‑good Axios versions, auditing lockfiles for the attacker‑added dependency, pausing and validating CI/CD pipelines, rotating credentials, blocking identified domains/IPs, and treating developer workstations with the malicious versions as compromised.
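The two incidents above end with the same checklist: pin dependencies, verify package integrity, audit lockfiles for unexpected entries, and pin CI actions. The script below is an added example written for this brief, not code from Unit 42, GTIG, or any of the affected projects. It reads a lockfile in the npm v3 format and a GitHub Actions workflow and reports unpinned ranges, entries lacking an integrity hash, matches against a block list, and actions referenced by a mutable tag rather than a full commit SHA. Every input is a constructed sample, and the block list and SHA are placeholders, not real malicious releases or real commits.

```python
"""Added example (not from the brief or the affected projects): audit a
package-lock.json and a GitHub Actions workflow against the brief's
recommendations. All inputs are constructed; the block list is a placeholder."""
import json
import re

# Constructed sample lockfile: package names, versions and hash are invented.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.7.0", "yargs": "17.7.2"}},
        "node_modules/axios": {
            "version": "1.7.9",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
            "integrity": "sha512-PLACEHOLDERHASH"},
        "node_modules/yargs": {
            "version": "17.7.2",
            "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
            "integrity": "sha512-PLACEHOLDERHASH2"},
        # Constructed entry with no integrity field: flagged below.
        "node_modules/left-pad-ish": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-0.0.1.tgz"},
    },
})

# Constructed workflow: one action pinned by tag, one by a placeholder SHA.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

# Placeholder block list of (package, version): an org fills this from vendor
# IOCs. The version here is invented so nothing real is implied.
KNOWN_BAD = {("axios", "0.0.0-placeholder")}

RANGE_PREFIXES = ("^", "~", ">", "<", "*", "latest")


def audit_lockfile(lock_text, known_bad=KNOWN_BAD):
    """Return (kind, package, detail) findings for an npm v2/v3 lockfile."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root entry: holds the declared dependency ranges
            for field in ("dependencies", "devDependencies"):
                for name, spec in meta.get(field, {}).items():
                    if spec.startswith(RANGE_PREFIXES):
                        findings.append(("unpinned-range", name, spec))
            continue
        name = path.split("node_modules/")[-1]  # handles nested paths
        version = meta.get("version", "")
        if "integrity" not in meta:
            findings.append(("missing-integrity", name, version))
        if (name, version) in known_bad:
            findings.append(("known-bad", name, version))
    return findings


# A step is considered pinned only when the ref is a full 40-hex-char SHA.
SHA_PIN = re.compile(r"^\s*-\s*uses:\s*([^\s@]+)@([0-9a-f]{40})\s*$")
ANY_USES = re.compile(r"^\s*-\s*uses:\s*([^\s@]+)@(\S+)")


def audit_workflow(yaml_text):
    """Return (kind, action, ref) for every `uses:` not pinned to a commit SHA."""
    findings = []
    for line in yaml_text.splitlines():
        m = ANY_USES.match(line)
        if m and not SHA_PIN.match(line):
            findings.append(("unpinned-action", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK) + audit_workflow(SAMPLE_WORKFLOW):
        print(*f)
```

Run it against a real repository by replacing the two sample strings with the file contents; the block list should be populated from the vendors' published IOCs, and a `known-bad` hit on a developer workstation should be treated as the brief advises, as a compromise rather than a dependency bump.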
Advisories, patches, and access controls
A new CISA advisory for PX4 Autopilot (CVE‑2026‑1579, CVSS 9.8) warns that when MAVLink 2.0 signing is not enabled, unauthenticated actors with interface access can issue messages—including SERIAL_CONTROL—to obtain interactive shells and execute arbitrary commands. CISA urges enabling message signing for all non‑USB links, minimizing control‑network exposure, segmenting behind firewalls, and using secure remote access; PX4 provides signing as a cryptographic mitigation. CISA reports no known public exploitation of this specific issue at this time.
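The mitigation the advisory names, MAVLink 2 message signing, is worth seeing at the byte level to understand why an unsigned SERIAL_CONTROL request gets nowhere once signing is required. The block below is an added example, not PX4 or MAVLink project code; it follows the public MAVLink 2 framing and signing definition (a 13‑byte trailer of link ID, 48‑bit timestamp in 10 µs units, and the first 6 bytes of SHA‑256 over secret key, header, payload, CRC, link ID and timestamp). The receiver policy modelled here rejects unsigned frames, bad signatures and non‑increasing timestamps. The key, link ID and timestamps are constructed sample values; a real autopilot additionally validates the CRC against the per‑message `crc_extra` table, which this example only does on the sender side.

```python
"""Added example (not PX4/MAVLink code): build, sign and verify MAVLink 2
frames to show the receiver-side effect of requiring message signing.
Key, link id and timestamps are constructed sample values."""
import hashlib
import hmac
import struct

MAVLINK2_MAGIC = 0xFD
INCOMPAT_SIGNED = 0x01      # incompat_flags bit 0: a 13-byte signature follows
SIG_LEN = 13                # link_id(1) + timestamp(6) + sha256_48(6)

# Constructed 32-byte sample key; a deployment uses a random secret per link.
SAMPLE_KEY = b"constructed-32-byte-sample-key!!"


def crc_x25(data, crc=0xFFFF):
    """X.25 CRC-16 as used by MAVLink (seed 0xFFFF)."""
    for b in data:
        tmp = (b ^ crc) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(seq, sysid, compid, msgid, payload, crc_extra, signed):
    """Unsigned MAVLink 2 frame: 10-byte header, payload, 2-byte CRC."""
    flags = INCOMPAT_SIGNED if signed else 0
    header = struct.pack("<BBBBBBB", MAVLINK2_MAGIC, len(payload), flags, 0,
                         seq, sysid, compid) + msgid.to_bytes(3, "little")
    # CRC covers everything after the magic byte, then the message's crc_extra.
    crc = crc_x25(header[1:] + payload)
    crc = crc_x25(bytes([crc_extra]), crc)
    return header + payload + struct.pack("<H", crc)


def sign_frame(frame, secret_key, link_id, timestamp):
    """Append the 13-byte signature trailer to a frame built with signed=True."""
    ts = timestamp.to_bytes(6, "little")
    digest = hashlib.sha256(secret_key + frame + bytes([link_id]) + ts).digest()
    return frame + bytes([link_id]) + ts + digest[:6]


def verify_frame(frame, secret_key, last_timestamp):
    """Receiver policy once signing is required on a link.

    Returns (accepted, reason, updated_last_timestamp)."""
    if len(frame) < 12 or frame[0] != MAVLINK2_MAGIC:
        return False, "not a MAVLink 2 frame", last_timestamp
    if not frame[2] & INCOMPAT_SIGNED:
        # This is what blocks an unauthenticated SERIAL_CONTROL attempt.
        return False, "unsigned frame rejected", last_timestamp
    if len(frame) < 12 + SIG_LEN:
        return False, "truncated signed frame", last_timestamp
    body, trailer = frame[:-SIG_LEN], frame[-SIG_LEN:]
    if len(body) != 12 + frame[1]:
        return False, "length field mismatch", last_timestamp
    ts = int.from_bytes(trailer[1:7], "little")
    expected = hashlib.sha256(secret_key + body + trailer[:7]).digest()[:6]
    if not hmac.compare_digest(expected, trailer[7:]):
        return False, "bad signature", last_timestamp
    if ts <= last_timestamp:
        # Timestamps must increase per link; equal or older means replay.
        return False, "stale timestamp (replay)", last_timestamp
    return True, "ok", ts


if __name__ == "__main__":
    # HEARTBEAT is msgid 0 with a 9-byte payload and crc_extra 50.
    hb = build_frame(7, 1, 1, 0, b"\x00" * 9, 50, signed=True)
    signed = sign_frame(hb, SAMPLE_KEY, link_id=1, timestamp=1000)
    print(verify_frame(signed, SAMPLE_KEY, 0))
    print(verify_frame(build_frame(7, 1, 1, 0, b"\x00" * 9, 50, False),
                       SAMPLE_KEY, 0))
```

The point for defenders is the second branch in `verify_frame`: with signing enforced, a correctly framed command from an unauthenticated peer is discarded before its message ID is even inspected, which is why CISA's guidance leads with enabling signing on every non‑USB link rather than filtering individual message types.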
Separately, a five‑month‑old F5 BIG‑IP APM issue was reclassified as critical pre‑auth RCE (CVE‑2025‑53521) and is under active exploitation. CSO Online reports that F5 raised the CVSS to 9.8, patches are available (17.1.3, 17.5.1.3, 16.1.6.1, 15.1.10.8), and observed intrusions deploy persistent malware, tamper with system binaries, and disguise traffic. Teams should patch immediately, hunt with published IOCs, and consider rebuilding configurations when compromise timing is uncertain due to potential persistence in backups.
For regulated access management in Europe, AWS European Sovereign Cloud added Identity Center in its Germany Region. The service centralizes workforce SSO and user‑aware access controls within an EU‑only environment at no additional cost, helping organizations align with data‑residency and sovereignty requirements while connecting existing identity sources.