A single compromised account pushed malicious code to 42 repos across Microsoft and Azure GitHub orgs in under an hour. If you trust code because of who published it, that trust is now a liability.
A self-propagating worm is using a blind spot in npm's native build system to execute code the moment you install a package. No install scripts. No warnings. Just binding.gyp.
7 waves. 170+ packages. VS Code extensions. Jenkins plugins. A self-propagating worm. And they breached GitHub itself. Here's the full timeline of the most prolific supply chain campaign of 2026.
An unauthenticated CRLF injection in cPanel gives full root control. If your website runs on shared hosting, your host might already be compromised. CVSS 9.8.
29 packages under the @redhat-cloud-services namespace were compromised with a self-propagating credential stealer. 80,000 weekly downloads. If Red Hat's packages aren't safe, neither are yours.
Attackers exploited FortiClient EMS to push a credential stealer disguised as a Fortinet firmware update. Your endpoint management system delivered the malware for them. You can't make this up.
There's almost no actual hacking involved in most breaches. It's your people. Here's the 10-item checklist to fix that before somebody else does.
Professional-grade hacking frameworks are free, open source, and documented with tutorials. The same tools nation-states use are now available to anyone with a laptop. Here's what that means for your business.
82% of phishing emails are now AI-generated. Attackers probe networks at 36,000 scans per second. Dwell time is down to 5 days. The game changed and most small businesses didn't notice.
Anonymous SQL injection in Drupal core. No login required. On CISA KEV. Mass scanning started within days. If you run Drupal on PostgreSQL, patch right now or take it offline.
Set one HTTP header and skip all middleware. Authentication, authorization, rate limiting, all of it. CVE-2025-29927. Confirmed exploitation in the wild. If you run Next.js, update now.
You don't need a six-figure security budget. These open source and free tools cover email authentication, endpoint protection, vulnerability scanning, password management, and more. No excuses.
AI-assisted credential stuffing against internet-exposed FortiGate admin panels. 600+ devices across 55 countries. Full configs extracted including VPN credentials. If your firewall management is internet-facing, read this now.
Microsoft's official Durable Task Python SDK was hijacked on PyPI with a credential stealer, a Linux file wiper, and worm logic that spreads using your own cloud keys. No CVE was assigned. Most scanners missed it.
An attacker registered a co-maintainer's expired email domain, reset the npm password, and published a credential stealer that exfiltrates over DNS. No hack required. Just a $12 domain registration.
A single threat actor called JINX-0163 is systematically harvesting credentials across AWS, Azure, GCP, Okta, and SaaS platforms. If you use any cloud service, you're in the blast radius.
1 in 5 small businesses that get hit with ransomware go bankrupt. 40% say an attack costing $100K would shut them down. The attacks are up 34% this year. Here's what to do.
You know you need to address security. You keep pushing it to next quarter. Here's exactly what that delay is costing you, in dollars, in risk, and in sleep.
They've been hijacking Docker containers, Kubernetes clusters, and cloud credentials since 2019. If you run anything in the cloud -- and you almost certainly do -- TeamTNT is looking for the door you left open.
Attackers are recruiting internet-exposed Jenkins servers into DDoS botnets using default credentials and built-in script consoles. Your CI server has high bandwidth, elevated privileges, and nobody watching it.
41% of applications get denied on first submission. 73% of small businesses fail their assessments. 82% of denied claims had no MFA. Cyber insurance in 2026 has teeth.
You've seen the term in headlines. Log4Shell. MOVEit. Exchange. Here's what a zero-day actually is, why it matters even if you're not a tech company, and what you can do about a threat you can't see coming.
A firewall and antivirus is not a security program. If you can't answer 5 basic questions about your security posture right now, you're running on luck. Luck is not a strategy.
An infostealer at a third-party AI company led to Vercel customer secrets being exposed. The attack chain: AI tool employee gets malware, attacker pivots to Vercel, customer API keys and DB credentials decrypted. Two months undetected.
That's not a scare tactic. That's Bureau of Labor Statistics data. If you don't have a security program, you're betting your business on luck. Here's why luck runs out.
You process credit cards, run a POS system, and have staff who've never heard of phishing. Attackers know this. Here's how to stop being easy money.
If your guest Wi-Fi and your POS system are on the same network, someone at table 6 with a laptop could reach your payment data. Here's how to fix your wireless security.
The breach started with stolen OAuth tokens from a chatbot integration. ShinyHunters pivoted through Salesforce, found GCP credentials, and exfiltrated nearly 1 petabyte including FBI background checks and customer call recordings.
IT support and cybersecurity are two different jobs. One keeps your email working. The other keeps your business alive. Most small businesses only have the first one.
Network printers have admin panels with default passwords, store copies of everything you print, and sit on your internal network with zero monitoring. They're the device nobody thinks about and attackers love.
The University of Mississippi Medical Center closed all 35 clinic locations after a ransomware attack. Statewide. Patients turned away. This is what happens when healthcare doesn't invest in security.
The average small business uses 47 SaaS apps. Each one stores data, holds credentials, and connects to other services. Most have no security oversight. Here's why that's a problem you need to solve.
92% of small businesses have security tools. 1 in 4 got breached anyway. Here are the 7 mistakes we find in almost every assessment we do, and how to fix each one this week.