Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Compromised Jscrambler npm Releases Target Developer Environments with Cross-Platform Rust Infostealer

 



Developers and organizations using the Jscrambler npm package are being urged to audit their systems after multiple malicious releases were uploaded to the npm registry through a compromised publishing credential. The incident transformed a trusted development dependency into a malware delivery mechanism capable of stealing credentials, browser sessions, cryptocurrency wallets, and sensitive configuration files from Windows, macOS, and Linux systems. Jscrambler has confirmed the compromise was limited to its Code Integrity npm package and has advised users to upgrade to version 8.22.0 after revoking the affected publishing credentials and strengthening its release pipeline.

Security researchers first identified version 8.14.0 as the initial compromised release after discovering that it introduced a previously undocumented npm "preinstall" lifecycle hook. Unlike the legitimate 8.13.0 release, the malicious package included new files that were absent from Jscrambler's public source repository. During installation, the package silently unpacked and executed a native binary tailored to the victim's operating system, allowing the malware to run before developers ever interacted with the package itself. Socket detected the malicious release within minutes of publication, highlighting how quickly software supply chain attacks can unfold.

Technical analysis showed the package concealed separate native payloads for Linux, Windows, and macOS inside an obfuscated container embedded within the package. A lightweight loader selected the appropriate binary for the host operating system, wrote it to a temporary directory under a randomized filename, granted execution permissions where required, and launched it as a background process with minimal user visibility. Researchers also noted that these components never appeared in the project's public GitHub repository, suggesting the malicious code bypassed the project's normal development workflow and was introduced during package publication.

The payload itself is a Rust-based infostealer engineered to harvest assets commonly found on developer workstations and build infrastructure. Investigators found code targeting cloud credentials associated with AWS, Microsoft Azure, and Google Cloud, browser-stored passwords and cookies, cryptocurrency wallets, Bitwarden vault data, communication platforms such as Slack, Discord and Telegram, and developer secrets that could provide access to production environments. Researchers also observed the malware searching for configuration files belonging to AI-assisted development tools, including Claude Desktop, Cursor, Windsurf, Visual Studio Code and Zed, where API keys and Model Context Protocol credentials are frequently stored.

Beyond credential theft, the malware incorporated platform-specific capabilities intended to strengthen its foothold on compromised systems. Analysts found Linux-specific code interacting with eBPF, a kernel technology that allows programs to execute within the operating system kernel, although the precise purpose of this functionality remains under investigation. Windows and macOS variants incorporated persistence mechanisms designed to survive system reboots, while encrypted command-and-control communications complicated static analysis and hindered efforts to identify the attackers' infrastructure. Runtime monitoring also identified outbound connections associated with the campaign's command infrastructure.

The campaign expanded rapidly after the initial discovery. Additional malicious versions, including 8.16.0, 8.17.0, 8.18.0 and 8.20.0, were subsequently identified. While the earlier releases relied on npm's preinstall hook to execute the malware automatically during installation, later versions embedded the same payload directly into the package's runtime code. This change allowed the malware to execute when the package was imported or its command-line interface was launched, reducing the effectiveness of mitigations such as disabling lifecycle scripts during installation. Researchers described the shift as an example of attackers quickly adapting to evolving software supply chain defenses.

Further investigation by JFrog linked the malware to an evolved variant of the IronWorm infostealer. According to the researchers, the malware extends beyond information theft by attempting to propagate itself across the npm ecosystem. The code searches compromised systems for npm authentication tokens, validates the stolen credentials, identifies valuable packages, injects malicious components into package archives, and attempts to publish trojanized versions directly to the npm registry. JFrog also reported that the malware broadens its search to include VPN configurations, password managers, Tor-related files and directories associated with penetration testing frameworks, indicating an effort to compromise developers, security researchers and enterprise engineering teams alike.

The incident adds to a growing series of attacks targeting open source software distribution channels, where compromising trusted packages offers attackers access to developer workstations and CI/CD pipelines instead of directly attacking production systems. Because these environments often contain deployment credentials, signing keys, cloud secrets and proprietary source code, a single compromised dependency can expose far more than the application that depends on it. Researchers have increasingly warned that software supply chain attacks are shifting toward development infrastructure, making continuous dependency monitoring and rapid package verification critical components of modern software security.

Organizations that installed any affected version should immediately upgrade to Jscrambler 8.22.0 or later, investigate development workstations and build systems for signs of compromise, and assume any credentials accessible to the affected environment have been exposed. Security teams should rotate cloud credentials, npm and GitHub tokens, API keys, browser sessions and other secrets, inspect lockfiles and build logs for compromised package versions, and review systems for persistence artifacts before returning affected machines to service.

Zimbra Urges Immediate Update to Fix Critical Classic Web Client XSS Vulnerability

 

Zimbra has released a security update to address a critical vulnerability in the Zimbra Classic Web Client that could allow malicious actors to compromise user accounts and execute unauthorized code. The company recommends that customers install the latest update to mitigate the threat. The flaw is a stored cross-site scripting (XSS) vulnerability that could allow an unauthenticated attacker to execute malicious JavaScript in the browser of a user viewing a specially crafted email message. 

The problem exists in the Classic Web Client component of Zimbra Collaboration Suite. While no CVE identifier has been assigned yet, Zimbra warned that successful exploitation of the vulnerability would lead to the exposure of mailbox content and settings, as well as session details. A stored XSS vulnerability occurs when the application stores user-supplied input without proper sanitization and later displays it to other users. 

In this case, an attacker could utilize this flaw to deliver specially crafted email messages that would execute arbitrary JavaScript code in the browser of a user who opens this message in the Zimbra Classic Web Client. The malicious script would then steal the victim’s session and potentially access their mailbox content, modify account settings, or perform other actions. While Zimbra has not reported any confirmed attacks using this vulnerability, several similar XSS flaws in the Zimbra Collaboration Suite have been actively exploited in the past. 

Attackers have targeted the webmail platform multiple times to hijack the accounts of high-profile organizations, including the Brazilian military, with no success, according to Zimbra. Previously exploited flaws affecting the product are CVE-2025-27915, CVE-2023-37580, and CVE-2024-27443. Therefore, organizations must ensure they have applied the latest security update to address the newly discovered vulnerability. 

The Zimbra Collaboration Suite 10.1.19 release notes mention the fix for the stored XSS in the Classic Web Client. Users must always access the updated version of the webmail platform via HTTPS to avoid man-in-the-middle attacks and other threats. Moreover, security analysts recommend monitoring the email traffic for any signs of suspicious activity and reviewing account access logs for unauthorized changes. 

Users must not open any attachments or links in emails that seem suspicious as these may contain malicious scripts that target webmail clients. Organizations must ensure they apply all security updates to their collaboration platforms as they provide critical protection against potential threats. 

In this case, the newly discovered vulnerability is yet another reminder of the importance of timely software updates. Attackers will continue targeting collaboration platforms such as Zimbra webmail to compromise user accounts by exploiting flaws such as XSS.

Counterfeit USB Drives Spread China-Linked Virus in Japan’s Military

 

Counterfeit USB flash drives supplied to Japan’s Ground Self-Defense Force (JGSDF) in March 2024 spread a China-linked computer virus across secure military networks for nearly a year before the breach was finally detected. The incident, first reported by Japan’s Nikkei newspaper in June 2026, highlights how seemingly innocuous hardware can compromise even tightly controlled, air-gapped systems when supply-chain oversight and procurement protocols are insufficient. 

The infected drives were distributed to the JGSDF during earthquake relief operations in central Japan and were assumed to be legitimate, low-cost storage devices. An internal review later determined that six of eight USB sticks tested contained embedded malware that activated automatically upon insertion into a computer. Despite existing protocols that required scanning of external drives both upon receipt and during use, the infection remained undetected until February 2025, when a soldier in Itami, near Osaka, noticed unusually sluggish computer performance and initiated a diagnostic scan.

By that time, more than 50 of roughly 480 computers at the regional command had connected to the compromised drives, with nearly half of them handling classified information such as troop movements and operational plans. Forensic analysis by the JGSDF’s cyber defense unit revealed that the devices were counterfeit, using cheaper, slower microSD cards instead of standard memory chips and preloaded with malicious code. 

Security researchers linked the malware to Mustang Panda, also known as Earth Preta or Camaro Dragon, a China-associated advanced persistent threat (APT) group previously observed targeting government, education, and telecommunications sectors in Vietnam and Australia. Japanese officials stated there was no confirmed evidence of data exfiltration or external command-and-control communication, but the episode demonstrated how supply-chain compromises can silently bridge isolated networks without triggering conventional defenses. 

The fallout extended well beyond the military, as identical counterfeit USB drives were found circulating on major e-commerce platforms such as Amazon and Rakuten, priced 30 to 50 percent below authentic brands and traced to seller accounts in China. Reports of similar infections emerged in Japanese factories, research laboratories, and hospitals—environments that rely on removable media to transfer data across segmented or legacy systems. Security experts warn that such attacks exploit the tension between operational necessity and security policy: while outright bans on USB drives are often impractical in critical infrastructure, trusting removable media without rigorous, purpose-built validation leaves sensitive systems exposed to persistent threats. 

The JGSDF incident underscores three enduring lessons for organizations and governments: verify hardware provenance through trusted suppliers, treat all removable media as untrusted until scanned by dedicated security tools, and assume air gaps are permeable wherever physical media can cross them. For cybersecurity professionals and content creators tracking evolving threats, this case illustrates that supply-chain risk is not an abstract concept but a tangible vulnerability embedded in everyday devices—from USB sticks to firmware updates—demanding layered defenses that combine procurement discipline, technical controls, and continuous monitoring to protect critical networks.

Authentic GitHub Repository Can Trick AI Agents Into Installing Malware


An agentic AI coding tool built for making a GitHub repository and cloning could launch a malicious payload that stays hidden to AI agents, human reviewers, and security scanners. 

Malicious payload with no exploit code

Experts from Mozilla Zero Day Investigative Network (0DIN) AI security platform said that the exploit takes place without any warning, no exploit code, and no malicious command approved by anyone.

Experts showed how a threat actor could deploy an interactive shell on a developer’s system via Claude Code to launch a cloned project with no malicious code in the repository.

The attack tactic relies on three patterns that show no signs of exploit:

  • An authentic-looking GitHub repository with setup details, like deploying dependencies and starting the project.
  • The python package is then intentionally built to deny execution until it has started; it shows an error commanding the user to run pyhton3 -m axiom init. Claude code perceives it as a normal setup issue and automatically runs the instructed command while trying to recover from the error.
  • Executing python3 -m axiom init calls a shell script that retrieves the configuration value stored in a DNS TXT record controlled by the attacker, and is executed as a command.

About the technique

oDIN experts said that this technique requires no malicious parts in the cloned repository as the AI agent automates the full attack line, also comprising a level that impersonates a user error.

Once successful, the threat actor would get a shell with developer’s privileges, allowing them access to API keys, environment variables, making establish persistence, and local configuration files.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” oDIN experts said. “The attacker now has an interactive shell running as the developer's own user.”

Future implications

Currently, the attack tactic is just a concept, but experts warn that hackers could effectively spread such GitHub repositories via fake job postings, direct messages, tutorials, and blog posts.

To avoid such exploits in future, oDIN researchers advise that AI agents should reveal the full deployment chain of setup instructions, like scripts and code retrieved dynamically at runtime. 

JadePuffer: First AI-Agent Ransomware Automates Entire Attack

 

Security researchers have identified JadePuffer as the first ransomware operation conducted entirely by an AI agent, marking a watershed moment in automated cyberattacks. Discovered by cloud security firm Sysdig, this incident demonstrates how large language model (LLM) agents can now execute complex intrusion campaigns without human intervention during the attack itself. 

Attack methodology 

The attack began by exploiting CVE-2025-3248, a critical remote code execution vulnerability in Langflow, an open-source platform for building LLM applications. Once inside the initial server, the AI agent systematically gathered intelligence, harvested credentials, and mapped the network to identify higher-value targets. It then pivoted to a production server running MySQL and Nacos configuration management, where it leveraged another known authentication bypass vulnerability to gain administrative access. 

What made JadePuffer particularly notable was its ability to detect and correct errors autonomously during the attack. When the agent's first attempt to create an administrator account failed, it analyzed the error and launched a corrected procedure just 31 seconds later, successfully modifying its credential generation approach. Sysdig researchers emphasized that this rapid self-correction capability is a strong indicator of genuine agentic behavior rather than a human operator using conventional automation tools. 

After securing access, JadePuffer encrypted more than 1,300 configuration elements in the database, deleted the original tables, and left a ransom note with a Bitcoin address and contact email. However, analysis revealed a disturbing detail: the encryption key was never stored or transmitted to any attacker-controlled server, suggesting victims could not recover their data even if they paid. Researchers believe this indicates the attack was oriented more toward data destruction than financial extortion, with claims of external backups appearing to be psychological pressure tactics without evidence of actual exfiltration. 

Security implications 

While JadePuffer has drawn attention to AI's role in cybercrime, experts stress that the fundamental vulnerability was poor security hygiene rather than the AI itself. Exposed credentials, unpatched vulnerabilities, default configurations, and excessive privileges enabled the agent to traverse the infrastructure within minutes. This incident underscores the urgent need for organizations to harden their AI application deployments, implement zero-trust architectures, and maintain rigorous patch management, as autonomous agents will increasingly exploit any weakness they encounter at machine speed.

Google Sent Earthquake Warnings Before Venezuela Tremor Reached Millions


In Venezuela, millions of Android users received earthquake alerts on their phones just minutes before two devastating 7.1 and 7.5 earthquakes struck, highlighting the increasing importance of smartphone-based early warning systems for disaster response. 


Google reported that its Android Earthquake Alerts System issued warnings to approximately 11.4 million people during the earthquakes in Venezuela. It was estimated that nearly 1.4 million users received the highest priority "Take Action" alerts, with warning times ranging from a few seconds to nearly two minutes based on their distance from the epicentre. 

Using Google's Android Earthquake Alert System, alerts were generated at the earliest signs of seismic activity and sent to affected areas prior to the strongest ground shaking. Warnings included an estimation of magnitude and an approximate distance from the epicentre to allow recipients to take immediate protective measures before destructive shaking began. 

Experts pointed out that Google did not predict the earthquake. The system detected primary seismic waves (P-waves), which are fast-moving and travel in advance of secondary waves (S-waves), which are stronger and more destructive. Within approximately three seconds after the earthquake began, stationary Android phones detected the initial P-waves, while Google's servers confirmed the event and began issuing alerts approximately six seconds later. 

As Nikhar Arora, Director at BOTS, explains, the magnitude shown in the initial alert is merely a preliminary estimate and can be revised if more seismic data becomes available. According to HR Anexi, Android smartphones are essentially a large-scale distributed sensor network. With their accelerometers, Android smartphones can detect unusual ground movement, allowing Google to analyze data from multiple nearby devices, estimate the location and magnitude of an earthquake, and send an alert rapidly. 

After launching the Android Earthquake Alerts System in California in 2020, Google expanded the system worldwide in 2021. In regions where monitoring infrastructure is limited, this platform uses data from national seismological agencies along with crowdsourced Android smartphone networks to identify earthquakes and to deliver rapid alerts. 

It is estimated that hundreds of millions of earthquake warnings have been delivered worldwide by the Android Earthquake Alerts System, thus significantly expanding access to early warning technology to areas without dedicated seismic alert infrastructure. With limited earthquake early warning infrastructure in Venezuela, Google's crowdsourced smartphone network was instrumental in estimating the location and intensity of an earthquake by analysing motion data from thousands of Android devices before stronger shaking reached nearby areas. 

A new debate has arisen over the role of technology in disaster management following the Venezuela incident. In his opinion, Hrishit Panthry, the Co-Founder of Envirocare Foundation, stated that smartphones have become a powerful tool for delivering emergency alerts directly to citizens. With the growth of cities and the interconnection of infrastructure, early-warning systems are becoming increasingly important as cities continue to expand. It is also believed that lessons can be applied beyond earthquakes.

A similar real-time warning technology would improve community resilience by facilitating faster communication during other natural disasters, such as flooding, severe storms, and extreme heat. Additionally, the incident highlighted differences between how earthquake alerts are delivered via smartphone platforms. The built-in sensors on Android devices can detect seismic activity in conjunction with official monitoring systems, while other platforms in many regions rely primarily on government-run alert systems for emergency notification.

Experts believe that the wider adoption of integrated warning technologies could help to further strengthen public safety. During the recent Venezuelan earthquakes, governments, scientists and technology companies have demonstrated how they are increasingly utilizing connected devices and real-time data in order to strengthen emergency response efforts. 

Although early warning systems cannot prevent earthquakes, experts say even a few seconds prior notice can assist in saving lives. During the Venezuela earthquake, advances in smartphone-based early warning systems were demonstrated as a major factor in improving disaster preparedness. 

Even though no technology can predict an earthquake in advance, rapid detection and timely alerts can provide crucial seconds to help reduce injuries and improve emergency responses. As these systems continue to evolve, collaboration among technology companies, scientists, and governments will be crucial to expanding access to life-saving warnings worldwide.

India Orders Telegram to Crack Down on Pirated Movies and OTT Content, Seeks Compliance Report

 

Ministry of Information and Broadcasting (MIB) has directed the messaging platform Telegram to take down the pirated films, OTT content and other audio-visual material uploaded on it. It also called upon the company to put in place measures to actively detect, report, disable and remove such unauthorized content from its platform instead of waiting for the government to notify it of alleged violations. 

As per the ministry's direction, the company was also asked to provide the details regarding steps taken by it against repeat offenders of copyright infringement on its platform like channels, groups, bots, admins, users and other entities. As per the notice sent by the ministry, the company was also asked to provide the details about its grievance redressal mechanism for film producers, OTT platforms, broadcasters, and law enforcement agencies concerning copyright infringements. 

At the same time, Telegram was also asked to suggest the steps it has taken to prevent, detect and remove the unauthorized copyrighted content. The ministry clarified that with the directions issued, there is an attempt to move to the next level in taking action against copyright infringement on online platforms. It emphasized that apart from responding to individual complaints, the onus is upon the companies to put in place robust systems to proactively prevent and detect such violations. 

The government has already taken down over 3,000 Telegram channels for hosting and distributing pirated content. However, it is felt that the step taken so far by blocking channels one by one is not an effective approach and the companies need to move to the next level. The ministry reminded Telegram that it was obliged to comply with the requirements of the Information Technology Act, 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 concerning its responsibility as an intermediary platform. 

It observed that due diligence by the companies so that they are not host to any unlawful activities on their platforms cannot be left to the authorities to identify the channels hosting unlawful content. The ministry drew attention to the fact that violation of copyright laws in India is not only a civil wrong but also a punishable offence under Copyright Act, 1957 and Cinematograph Act, 1952. 

Therefore, continued availability of unauthorized content on Telegram, lack of adequate response as expected by the ministry, and failure to address the issues raised by it may trigger further regulatory actions. The latest initiative by the ministry reflects its commitment to protecting and promoting India's creator economy and the content ecosystem. 

It may be noted that the government has taken several steps to ensure that the rights of filmmakers, broadcasters, OTT platforms, producers, distributors and other content creators are protected against online piracy. By asking the online intermediaries to take more responsibility, the government is encouraging them to adopt better moderation practices in order to prevent the unlawful use of content on their platforms.

Centre Plans New Cybersecurity Norms for Electric Two- and Three-Wheelers to Address Battery Tampering Risks

 

The Central government is preparing to introduce new cybersecurity measures aimed at preventing unauthorised tampering with the batteries of electric two-wheelers and three-wheelers. The proposed regulations are expected to mandate stronger software security standards for electric scooters and e-rickshaws, including fully imported models, which have so far operated with limited cybersecurity oversight.

As part of the initiative, authorities are also considering banning mobile applications that can be used to exploit vulnerabilities in electric vehicles equipped with imported Chinese batteries. 

Officials from the Ministry of Heavy Industries and the Ministry of Electronics and Information Technology have reportedly held discussions on addressing these security concerns.

"The software security vulnerability will be plugged," a senior official told ET, adding downloads of mobile apps that can disturb e2w and e3w are expected to be curbed.

According to officials, the decision to restrict such software stems from the difficulty of individually fixing every electric two-wheeler and three-wheeler already in circulation. The software reportedly takes advantage of weaknesses in battery troubleshooting systems, enabling unauthorised users to interfere with vehicle operations.

Another official said electric rickshaws and low-speed electric scooters were initially permitted to encourage wider adoption of electric mobility. However, this also resulted in a significant influx of low-cost imported electric vehicles from China.

"A call has been taken to ensure more safety and software safeguards in new e2w and e3w sold in the country," the official said, adding roadworthy certificates will be issued only to new vehicle models that are free from such vulnerabilities.

The upcoming regulations are also expected to cover completely imported electric vehicles sold in India, ensuring they comply with the same cybersecurity and software safety requirements as locally manufactured models.

Operation Endgame Disrupts Global Cyber Crime Assembly Line


Private companies and international authorities have disrupted a malicious “assembly line” that let hackers steal millions of login details and theft of $47 million in ransom payments via extortion. The operation aimed at catching two tools that are used in online scams.

The first tool is called Amadey, a malware-as-a-service platform for disrupting devices and deploying infected payloads for ransomware and related attacks. Amadey was first discovered in 2018 and in 2025, it exploited GitHub as it stored system info from malicious devices and deployed custom payloads.

The second tool is called StealC, it is an infostealer-as-a-service tool that steals cryptocurrency wallets, browser extensions, authentication cookies, and login credentials.

Disrupting a crucial link in the cyberattacks chain

Amadey and StealC are distinct tools that function autonomously. They are widely used, but many people use them in their personal cybercrime operations. 

The tools depend on the same infrastructure to function. Microsoft made this link after analyzing the tools using AI. The discovery allowed Microsoft to stop both tools simultaneously.

“This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain,” Microsoft said.

About the investigation

Companies gathered proof that the tools shared the same infrastructure and invoked RICO statutes against organized crime. This resulted in treating the two tools as part of a single scam. 

Microsoft has disrupted over 200 C2 servers and shut down criminal control of over 18,000 compromised computers. Europol also assisted in the operation to track down the culprits and recovered around 27 million stolen login details and found $47 million worth of crypto assets tied to cybercriminals.

“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover,”  Europol said.

Operation Endgame

Other firms that helped in “Operation Endgame” are ESET, IBM X-Force, ESET, Mitsui Bussan Secure Directions, and Bitsight. 

According to Europol, another tool that disrupted Operation Endgame was SocGholish. It is a malware installer tied to the Russian cybercrime group Evil Corp. that distributes via hacked websites. If you visit such sites, you will be tricked into installing malware apps mimicking as browser extensions or genuine software.  

IBM Explores Vertical Chip Architecture to Extend the Future of Semiconductor Scaling

 




IBM researchers have developed a new semiconductor architecture that could dramatically increase the number of transistors packed onto a silicon chip while improving both computing performance and energy efficiency. The company's experimental design, known as NanoStack, represents a departure from conventional chip scaling by expanding vertically instead of relying solely on shrinking transistor dimensions.

According to IBM, the new architecture has the potential to accommodate approximately 100 billion transistors on a silicon chip roughly the size of a fingernail. Although the technology remains in the research phase and is still years away from commercial manufacturing, the announcement underlines one of the industry's latest efforts to overcome the physical limitations confronting modern semiconductor development.

IBM says NanoStack is comparable to a 0.7-nanometre technology generation, placing it below the 1-nanometre threshold that has long been viewed as a significant milestone in chip manufacturing. While node names such as 2 nm or 0.7 nm no longer represent the exact physical dimensions of transistors, they generally indicate successive generations of manufacturing technology that deliver greater transistor density, improved performance, and lower power consumption.

In laboratory testing, IBM reported that its prototype achieved up to 50% higher performance than its previously demonstrated 2 nm research chip while consuming as much as 70% less energy under comparable conditions. Those improvements, if successfully translated into commercial manufacturing, could support faster artificial intelligence workloads, improve cloud computing efficiency, reduce power consumption in data centres, and extend battery life in mobile devices.

Rather than focusing exclusively on making individual transistors smaller, NanoStack introduces a new architectural approach by stacking multiple layers of transistors vertically. Traditional semiconductor manufacturing has primarily increased computing capability by placing more transistors across the surface of a silicon wafer. As transistor miniaturization approaches fundamental physical limits, researchers are increasingly exploring three-dimensional designs that use vertical space to continue increasing transistor density without proportionally expanding chip size.

Transistors serve as the fundamental electronic switches inside every processor, enabling calculations performed by smartphones, personal computers, gaming systems, enterprise servers, networking equipment, and the rapidly expanding infrastructure supporting artificial intelligence. As more transistors are integrated into a processor, chips are generally able to execute more operations simultaneously, improving computational performance across a wide range of applications.

The continued drive toward higher transistor density has historically been guided by Moore's Law, the observation that the number of transistors integrated onto a chip approximately doubles every two years. For decades, that trend has driven advances in computing performance while reducing the cost of processing power. However, maintaining that pace has become increasingly difficult as transistor dimensions approach atomic scales, where issues such as heat generation, electrical leakage, manufacturing complexity, and quantum effects become far more challenging to manage.

IBM's NanoStack architecture represents one possible response to those constraints by building upward rather than outward. Industry researchers often compare this concept to urban development. Instead of constructing additional houses across limited land, engineers create increasingly taller buildings to accommodate more occupants within the same footprint. Similarly, vertically stacking transistor layers allows exponentially more computing elements to occupy the same silicon area.

The concept also distinguishes IBM's research from other advanced semiconductor initiatives pursuing three-dimensional integration. While several major chip manufacturers have already adopted various forms of 3D packaging and transistor architectures, IBM's proposal seeks to extend vertical integration even further, reflecting the growing industry focus on architectural innovation as conventional transistor scaling becomes more difficult.

Despite its promise, vertically stacked semiconductor designs introduce substantial engineering challenges. Heat generated by densely packed transistors becomes more difficult to dissipate as additional layers are added, potentially affecting reliability and long-term performance. Extremely thin insulating materials separating transistors may also allow unintended electrical leakage, making it harder for components to switch cleanly between operating states. Engineers must additionally solve complex manufacturing problems involving layer alignment, interconnections between stacked components, power delivery, fabrication precision, and production yield before such architectures can be manufactured at commercial scale.

Although NanoStack remains an experimental technology, IBM's latest research illustrates how semiconductor innovation is evolving beyond simply reducing transistor size. Future advances are increasingly expected to depend on new chip architectures, advanced materials, and sophisticated three-dimensional integration techniques capable of delivering the computing performance required by artificial intelligence, high-performance computing, cloud infrastructure, and next-generation consumer electronics.

U.S. Security Expert Sentenced for Aiding BlackCat Ransomware Gang

 

A cybersecurity professional has become the third U.S. security expert sentenced to prison for aiding a ransomware gang, marking a significant escalation in insider threat cases involving incident response firms. Angelo Martino, a 41-year-old from Florida, pleaded guilty to providing confidential victim information to the BlackCat/Alphv cybercrime group while ostensibly working to help companies negotiate with attackers. 

Modus operandi 

Martino worked as a ransomware negotiator for DigitalMint, a Chicago-based incident response company hired by victims to minimize damage and negotiate lower payouts. Instead, he fed critical details to BlackCat operators, including insurance policy limits and negotiation strategies, enabling the gang to maximize ransom demands across five separate incidents. Prosecutors revealed that Martino also assisted co-conspirators Kevin Martin and Ryan Goldberg in deploying BlackCat ransomware against U.S. victims for six months in 2023, effectively becoming an affiliate of the criminal group. The trio earned more than $1.2 million from a single victim during this period. 

Martino faces up to 20 years in prison at his sentencing hearing scheduled for July 2026, following guilty pleas from Martin and Goldberg in late 2025, who each received four-year sentences in April 2026. Federal authorities have already seized $10 million worth of assets from Martino as part of the investigation. The Justice Department emphasized that Martino's actions directly assisted ransomware actors and increased the financial burden on victim organizations, undermining trust in the cybersecurity incident response ecosystem. 

Lessons for the Industry 

This case highlights a concerning trend of cybersecurity professionals exploiting their trusted positions to facilitate cybercrime, raising questions about vetting processes and oversight within incident response firms. Organizations are now urged to conduct thorough background checks on security personnel and implement strict compliance measures to prevent similar insider threats. The BlackCat/Alphv gang, once a dominant ransomware outfit, has been linked to numerous high-profile attacks, and this collusion scheme demonstrates how criminal groups increasingly target the defenders themselves. 

As the cybersecurity field grapples with this breach of trust, the Martino case serves as a stark reminder that even those hired to protect can become perpetrators. Companies must strengthen internal controls, monitor negotiator activities, and ensure transparency in ransomware response engagements. With sentencing underway and more cases potentially emerging, the industry faces a critical moment to restore confidence in its ability to defend against evolving ransomware threats without internal compromise.

Six U-Boot Vulnerabilities Could Enable Pre-Boot Code Execution and Persistent Firmware Attacks

 



Security researchers have identified six vulnerabilities in the widely deployed U-Boot bootloader that could allow attackers to execute malicious code during the earliest stages of a device's startup process. If successfully exploited, the flaws could enable firmware-level attacks capable of bypassing security protections before the operating system loads and establishing malware designed to remain on affected systems.

As one of the most widely used open-source bootloaders, U-Boot plays a fundamental role in the startup sequence of embedded Linux devices by initializing hardware and loading the operating system. It is integrated into a broad range of technologies, including enterprise server Baseboard Management Controllers (BMCs), networking equipment, industrial control systems, Internet of Things (IoT) devices, and numerous other embedded appliances.

Because the bootloader executes before the operating system and endpoint security tools become active, vulnerabilities at this stage can have far-reaching consequences. An attacker who gains control during the boot process may be able to interfere with the system's trusted startup sequence before conventional security controls have an opportunity to detect or prevent malicious activity.

One of U-Boot's primary security mechanisms is Verified Boot, which uses cryptographic signatures to verify the authenticity of firmware and operating system images before they are executed. During startup, only images signed with a trusted cryptographic key are intended to be loaded, helping prevent unauthorized or modified firmware from running on the device.

In a technical report published this week, firmware security company Binarly disclosed six vulnerabilities affecting U-Boot's Flattened Image Tree (FIT) signature verification code. The FIT framework is responsible for validating firmware images during the boot process, making it a critical component of the platform's chain of trust.

According to Binarly, researchers examined the verification logic because of its importance in maintaining firmware integrity during startup. Their analysis uncovered six distinct vulnerabilities ranging from denial-of-service conditions that can interrupt the boot process to flaws capable of enabling arbitrary code execution while processing untrusted firmware images.

The researchers said two of the vulnerabilities could potentially allow arbitrary code execution during firmware verification, while the remaining four can be exploited to trigger crashes during the boot process. Since these weaknesses affect the validation of firmware before the operating system starts, a successful exploit could allow malicious instructions to execute before higher-level security mechanisms become operational.

The disclosed vulnerabilities include a flaw identified as BRLY-2026-037 that can cause U-Boot to crash when processing a specially crafted firmware image and, under certain conditions, may also permit arbitrary code execution. BRLY-2026-038 is a memory corruption vulnerability that could enable attackers to execute malicious code during firmware signature verification. BRLY-2026-039 involves an out-of-bounds read that may force U-Boot to access memory beyond the firmware image, resulting in a system crash. BRLY-2026-040 is a null pointer dereference vulnerability that allows crafted firmware images to terminate the bootloader unexpectedly. BRLY-2026-041 stems from insufficient validation of externally stored firmware data and can also be used to crash vulnerable systems. The sixth flaw, BRLY-2026-042, involves unbounded recursion that can exhaust available stack memory and prevent the bootloader from completing the startup process.

Binarly noted that much of the affected code has been present since U-Boot version 2013.07, meaning the vulnerabilities could impact more than 50 stable releases of the project. Because many hardware manufacturers maintain customized downstream versions of U-Boot within their own firmware, the potential exposure extends beyond the upstream project to a large number of commercial products deployed across multiple industries.

If the arbitrary code execution vulnerabilities are successfully exploited, attackers could gain execution during one of the earliest phases of system initialization. Operating at this level may allow threat actors to alter the boot sequence, disable firmware security mechanisms, deploy persistent firmware malware, or perform other privileged actions before the operating system begins loading.

Firmware-based attacks can also be considerably more difficult to identify than malware operating within the operating system. Since malicious activity occurs before the operating system initializes, traditional endpoint security software and many monitoring tools may have limited visibility into the compromise, allowing malicious modifications to remain undetected for extended periods.

Binarly also noted that exploitation does not necessarily require physical access to a device. Systems equipped with Baseboard Management Controllers that support remote firmware updates could become vulnerable if an attacker first compromises the management interface. In such cases, a specially crafted firmware image could be uploaded and processed during the update process, potentially triggering the identified vulnerabilities.

The researchers reported all six vulnerabilities to the U-Boot maintainers and submitted patches addressing each issue. Those fixes have since been accepted into the project's upstream codebase. However, because U-Boot is incorporated into firmware by individual hardware manufacturers, vendors must integrate the patches into their own firmware releases before updates become available to customers.

Organizations operating embedded systems should monitor firmware advisories issued by their hardware vendors and apply security updates as they become available. Restricting access to firmware management interfaces, securing remote administration services such as BMCs, and verifying firmware authenticity before deployment can further reduce exposure while patches are being distributed.

Devices that have reached end-of-life or no longer receive firmware updates may remain permanently vulnerable, underscoring the long-term security challenges posed by legacy embedded systems that continue operating long after vendor support has ended.

Meta Faces Privacy Questions After Employee Data Exposure Report


 

After sensitive employee information was reportedly made available throughout the organization, Meta has suspended an internal employee monitoring initiative intended to assist in the development of artificial intelligence systems. 

Initially introduced in April, the Model Capability Initiative was intended to collect workplace activity data to assist Meta in improving its artificial intelligence models through the collection of work activity data. The system was reportedly used by employees to monitor interactions across various workplace applications including Gmail, Google Chat, and Meta’s AI assistant, as well as capture screenshots and usage patterns. 

In response to concerns about privacy and consent, the initiative quickly drew criticism from employees. More than 1,600 Meta employees, including engineers, researchers, and designers, have signed a petition advocating the discontinuation of this program. Prior to the latest incident, the monitoring initiative had already been under scrutiny. A Reuters report reported that the program collected more information than originally indicated and stored some of the data unencrypted, raising concerns among employees about privacy. 

In internal discussions, employees were also concerned that personal information, including tax and medical records accessed from work devices, could be disclosed, despite assurances that the data would be protected and used solely for legitimate business purposes. According to the petition, employees argued that responsible AI development should not be compromised by individual privacy concerns. 

A company's stated commitment to building trustworthy and responsible artificial intelligence systems is in conflict with the company's collection of workplace data without meaningful consent. Following reports that sensitive employee information had been accessed internally by employees, the controversy became more intense. 

According to information cited in media reports, the exposed data could have included private communications, AI prompts, transcriptions, as well as performance data. The incident has sparked an internal investigation, though there is no evidence of the information being improperly accessed or misused. Meta, according to Reuters, suspended the initiative after filing an internal security incident (SEV) in response to employee data being widely accessible within the organization. 

As indicated in internal documentation, this information included artificial intelligence prompts and transcriptions, private conversations, personnel records, and classifications of data sensitivity. This incident raised new concerns regarding the collection, storage, and protection of employee information. The Meta program has been suspended while the matter is being investigated. 

A company spokesperson confirmed the initiative was designed with privacy safeguards and stressed the absence of any indication of unauthorized access during the investigation. As of the time of the investigation, Meta had not announced when the initiative might resume, and executives of Meta indicated that it would remain halted while the investigation continued. As Meta stated, the Model Capability Initiative will be suspended gradually and might not reach all employees immediately. 

A source familiar with the matter told Reuters that the monitoring tool was still recording employee activity on Monday afternoon while the company attempted to disable it across all its systems. An additional clarification of the incident was provided by Meta Chief Technology Officer Andrew Bosworth in a later interview, in which he stated that the incident was not the result of an external security breach. Bosworth reported that employee information generated through the program initially could only be accessed by a small number of authorized employees, but was accidentally stored in an internal location incorrectly by a researcher. 

According to Meta, there was no evidence of malicious activity found, and the incident was an internal error that caused the company to suspend the initiative while investigating the matter. The development indicates growing tensions between rapid advancement of artificial intelligence and employee privacy rights. The majority of technology companies are exploring new sources of training data to enhance the performance of their models, as well as investing heavily in artificial intelligence. 

Despite increasing competition in the AI industry, Meta is expected to spend more than $135 billion on infrastructure in 2018. According to leaked audio from an internal Meta meeting, Mark Zuckerberg was in favor of using employee-generated data for AI training, asserting that highly skilled employees could serve as valuable examples for AI systems. It has been criticized by privacy advocates, however. 

Digital rights experts have argued that extensive workplace monitoring raises serious concerns about employee consent and transparency. According to the incident report, maintaining employee trust and protecting sensitive information are critical challenges that organizations should not overlook as they accelerate the development of artificial intelligence. 

A growing concern is how to strike a balance between rapid AI innovation and employee privacy and data security, as exemplified by the incident. As Meta continues its internal investigation, the outcome will likely influence how organizations approach AI training, workplace monitoring, and responsible data governance in the years to come.

Okta Uncovers Vishing Campaign Using Fake Microsoft Entra ID Pages to Hijack Microsoft 365 Accounts

 

Okta has identified a sophisticated vishing campaign targeting organizations across multiple industries, where attackers attempt to steal Microsoft 365 credentials by directing victims to fraudulent Microsoft Entra ID login pages.

The campaign, which began in April, uses voice calls to persuade employees that they need to register a new passkey for their Microsoft account. Victims are then guided to convincing fake Microsoft Entra ID pages designed to capture their credentials.

The threat activity, tracked as O-UNC-066 and also referred to as CL-CRI-1147 or Pink, has primarily targeted organizations in the automotive, aviation, construction, food and beverage, healthcare, and technology sectors. The group's primary objective appears to be data extortion.

To support the campaign, the attackers have registered multiple domains containing the word "passkey" and created phishing pages that closely imitate Microsoft's legitimate passkey enrollment experience.

“It appears engineered to convince a targeted user they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey in the targeted user’s Microsoft account,” Okta says.

According to Okta, the fake Microsoft Entra ID login portals are customized for each intended victim through the phishing kit's backend. These pages incorporate authentic Microsoft branding and even load content directly from Microsoft's content delivery network to appear legitimate.

Unlike conventional phishing kits that automatically harvest usernames, passwords, MFA tokens, and session cookies, this toolkit relies on a manually operated PHP control panel. The attacker actively interacts with victims in real time, adjusting the phishing pages throughout the authentication process to accommodate different multi-factor authentication methods.

“It is likely that the threat actor uses the kit to take over the user account and trick the user into approving an attacker-initiated registration of a passkey,” Okta notes.

Throughout the attack sequence, the phishing pages conduct anti-analysis checks, collect usernames without redirecting users to federated identity providers, and prompt victims to enter their passwords. The attackers are believed to use these credentials immediately to access the targeted Microsoft account.

After the initial login, victims are shown a processing screen while the attacker determines which MFA method is enabled, such as SMS one-time passwords, time-based one-time passwords (TOTP), or push notifications, and modifies the phishing flow accordingly.

As part of the deception, victims are eventually redirected to a fake passkey registration page. There, they are instructed to save a recovery key generated from a list of attacker-controlled BIP-39 seed phrases before verifying the final word in the phrase.

“The phishing kit appears to prey on the lack of user familiarity with passkey authentication. In a real passkey registration ceremony, the user might expect a system dialog to register a passkey on their device. The passkey pages in this phishing kit appear to mimic this process without registering a passkey,” Okta notes.

Okta points out that BIP-39 seed phrases have no apparent role in Microsoft Entra passkey registration, suggesting that this step is merely a distraction while attackers secretly enroll their own passkeys into compromised accounts.

The company also highlighted that Microsoft automatically sends legitimate email notifications whenever a new passkey is registered. However, because the attackers complete the enrollment directly with Microsoft, they can assign the passkey an innocent-looking name, reducing the likelihood of raising suspicion.

“Any time a user enrolls a passkey with Microsoft, the owner of the compromised account receives a legitimate Microsoft email to notify them that a new passkey has been registered in their account. During an attack, the passkey was actually enrolled by the threat actor directly with Microsoft, and the threat actor is in a position to name the passkey with something the targeted user would view as benign,” Okta explains.

Hackers Target Industries in Japan, Attacks Share One Pattern


Four big Japan cyberattacks point to a common trend: threat actors are getting access via third-party infrastructure and subsidiaries, not from corporate headquarters. 

While the attacks impacted companies from varying industries such as telecommunications, manufacturing, insurance, and brewing, the breaches have one same characteristic.

Attacks share same patterns

Instead of directly disrupting corporate headquarters, hackers gained access via third-party infrastructure, subsidiaries, and overseas operations. 

The impacted organizations are Nidec, KDDI, Aflac Japan, and Sapporo Holdings. While the attacks involved different contexts, the incidents hint towards an increasing attack surface that expands well beyond a company’s primary network.

About KDDI incident 

KDDI, a telecommunications provider, reported illegal access to an email platform used by various Japanese internet service providers.

KDDI reported the incident surfaced from a bug in third-party software, revealing around 14.22 million email account records throughout six ISPs.

The attack shows how a single bug inside shared infrastructure can impact various organizations continuously.

Aflac Japan incident

On June 30, Aflac Japan revealed that between June 15 and June 25, hackers gained access to its Japanese operations. The company claims that some 4.38 million clients and agents were impacted, and a portion of the documents included bank account details used to pay insurance premiums.

According to the insurance, the incident only affected its company in Japan and had no bearing on its operations in the United States.

The alleged tactics are similar to social engineering strategies previously linked to Scattered Spider, even though the business has not linked the attack to any particular threat organization.

Sapporo Holdings and Nidec incident

Sapporo Holdings revealed possible illegal access involving two foreign subsidiaries, Canadian brewer Sleeman and Singapore-based Pokka. After identifying suspicious activity, the company shut down the impacted systems and started an investigation to find out if any data had been taken or accessed.

Nidec, a manufacturing company, has revealed that its Taiwanese subsidiary, Nidec Chaun Choung Technology, was the subject of a ransomware attack.

More than two gigabytes of firm data, including personnel, financial, procurement, manufacturing, legal, and IT information, were allegedly taken by the BlackField ransomware organization, which claimed responsibility for the attack. A $2 million ransom was allegedly demanded by the organization.

Injective Labs GitHub Compromise Distributes Malicious npm Package Targeting Crypto Wallet Keys

 

Cybersecurity researchers have detected a software supply chain attack in which threat actors compromised the Injective Labs SDK GitHub repository and utilized it to distribute a backdoored version of the npm package containing cryptocurrency wallet credentials stealing capabilities. Researchers at security company Socket have identified that the attackers distributed the malicious code in the @injectivelabs/sdk-ts version 1.20.21 after compromising the GitHub account of one of the trusted maintainers. 

The compromised package was published to the npm registry on July 8, 2026, and subsequently deprecated. Nevertheless, the distribution channel for the malicious artifacts remained available on GitHub at the time of publication. The attackers distributed the backdoored SDK to 17 other @injectivelabs packages, including the wallet, utility, networking, and crypto modules. Since the packages include various apps as dependencies, developers who did not directly install the SDK might also be affected. 

Unlike traditional supply chain malware that typically persists in the compromised software at installation time, the detected backdoor was not activated when the developers installed the package. Rather, the malicious code was designed to exfiltrate the cryptographic assets when the developers used the SDK’s wallet generation feature. 

Thus, the threat actors could hide the malicious payload’s presence by avoiding the use of suspicious scripts typically associated with malware. The detected malware consisted of modified cryptographic functions that replaced the legitimate implementation with the backdoor, which the attackers masked as a performance telemetry component. The additional function exfiltrated the cryptographic assets, including the mnemonic seed phrase and private key generation details, required to recreate the cryptocurrency wallet. 

Researchers noted that the malware persisted in the compromised repositories by sending the collected data to the remote server in aggregated fashion to avoid suspicion by grouping multiple exfiltration requests into one encrypted HTTPS session. The security analysts at OX Security stated that the detected threat was capable of intercepting the master recovery phrase used to seed cryptocurrency wallets. Since the mnemonic seed phrase gives the adversary full access to the wallet funds, threat actors could reproduce the cryptographic assets to gain unauthorized access to the blockchain assets. 

The malware’s distribution channel was compromised using the trusted publishing infrastructure and OpenID Connect (OIDC) publishing pipeline. The detected threat utilized the legitimate account of one of the maintainers, which implies that the attackers did not have to use supply chain malware or impersonate the project on a third-party registry. The developers who installed the affected package should switch to the latest version, 1.20.23, which has been released. 

The security analysts advise the developers to consider all private keys and mnemonic phrases generated with the compromised version of the code as compromised and take the appropriate actions to rotate the cryptographic assets. Moreover, the developers should review their project dependencies to ensure that they do not use the affected versions of the packages indirectly. 

The incident demonstrated how the threat actors could target the software supply chain to compromise the cryptocurrency ecosystem and gain unauthorized access to the crypto assets by compromising the open-source developer infrastructure.

Injective SDK Supply Chain Attack Exposed Developers to Cryptocurrency Wallet Theft


 

InjectiveLabs/SDK-TS, a widely used package, was briefly published on Node Package Manager (npm) as a malicious version after attackers gained access to a legitimate contributor's GitHub account, exposing developers to the theft of cryptocurrency wallet credentials. Several security researchers from Socket, Ox Security, and StepSecurity identified the supply chain attack as targeting Injective Labs' TypeScript/JavaScript SDK, which is used to develop applications based on Injective's blockchain.

The SDK is widely adopted by developers who create cryptocurrency wallets, decentralized finance (DeFi) applications, decentralized exchanges, trading bots, and payment platforms, with approximately 50,000 downloads per week on NPM. 

A significant security issue is the responsibility of the SDK when it comes to creating and importing cryptocurrency wallets, as it occupies a critical position in the development process. Developers and end users alike are particularly vulnerable to any compromise of the SDK because the wallet creation functions are crucial to the handling of users' mnemonic recovery phrases and private keys. 

Researchers have determined that hackers gained access to a legitimate contributor's GitHub account on June 8 and introduced malicious code, which was later released as version 1.20.21 for the @injectivelabs/sdk-ts package. Additionally, 17 additional Injective-related packages were referenced by the compromised release, resulting in a significant impact on downstream projects. According to security researchers, attackers compromised a legitimate maintainer's account after exploiting the trust-worthy GitHub publishing workflow of the project. 

As opposed to stealing an NPM publishing token or creating a fake package, the malicious version was distributed through the repository's normal release process, making the compromise appear genuine. Package maintainers detected the malicious activity within minutes, reverting the unauthorized changes and releasing a version that is free of malicious activity, 1.20.23. 

Nevertheless, systems that downloaded or updated the compromised package during the brief exposure window may still have been affected. In contrast to conventional malware that is executed during installation, the injected code is activated when developers create or import cryptocurrency wallets using SDK functions. 

When this was achieved, the malware captured private wallet keys and mnemonic seed sentences, encoded the information, and sent it via HTTP POST request to what appeared to be an official Injective Labs infrastructure endpoint in order to blend into normal network traffic. As a method of minimizing detection, the malware disguised its outbound communication as legitimate injective network traffic in order to prevent detection. 

By capturing multiple wallet secrets temporarily, encoding them, and transmitting them as a single request, the malicious activity was able to blend in with blockchain-related communications, avoiding detection. The malware, according to StepSecurity researchers, collected wallet secrets for approximately two seconds before bundling them into a single request to minimize suspicion while maximizing the amount of data stolen. 

In a recent report, Socket reported that 310 malicious packages had been downloaded before they were deprecated, but there is reportedly still availability of the associated malicious GitHub release artifacts. As a consequence of Ox Security's warning, the compromised SDK is dependent on 87 direct NPM packages, accounting for more than 112,000 cumulative downloads, illustrating the risk to a larger supply chain.

Researchers noted that even though the malicious payload was contained within @injectivelabs/sdk-ts, the compromised release affected 17 additional injective packages that depended on the infected SDK version. This could have resulted in developers installing the backdoored package unknowingly through normal project dependencies, thereby significantly expanding the attack's impact. 

It is advised that developers who suspect they may have installed the affected version transfer cryptocurrency assets immediately into new wallets, replace compromised private keys and seed phrases, and rotate any sensitive credentials stored within their development environment immediately. The incident underlines the growing threat posed by software supply chain attacks, particularly within the cryptocurrency ecosystem where a compromised development dependency may result in a significant financial loss to both developers and end users.

Due to the increasing sophistication of software supply chain attacks, organizations and developers must strengthen dependency verification, monitor package integrity, and respond quickly to compromised components so that credential theft and downstream compromise can be reduced.


QIZ Security Raises $17 Million to Expand Cryptographic Security and Post-Quantum Readiness Platform

 

Israeli cybersecurity startup QIZ Security has raised $17 million in seed funding to fuel the development of its cryptographic security management solution and post-quantum cryptographic (PQC) readiness platform. The Israeli cybersecurity company has seen rising demand for its service, which assists firms in inventorying their cryptography assets in preparation for the transition to post-quantum cryptography algorithms. 

The round was led by Bessemer Venture Partners and Merlin Ventures, with Evolution Equity Partners, Qbeat Ventures, Singtel Innov8, and Qino Cyber Capital also participating. The funding will support the company’s expansion and product development, with the company’s QIZ Security cryptographic governance platform’s research and development being the main focus. 

The startup was founded in 2022 by Ben Volkow, Lenny Ridel, and Itan Barmes, and its cybersecurity solution allows organizations to manage and inventory all cryptographic assets in on-premises, cloud, and hybrid environments without the need to scan their networks. Using industry standard APIs, QIZ Security’s cryptographic governance platform enables enterprises to detect and assess the risk of all certificates, encryption assets, security controls, protocols, cipher suites, and cryptographic keys. 

These details are automatically correlated to the organization’s applications and business processes discovered across hybrid cloud infrastructure environments. Moreover, the application detects vulnerabilities, weaknesses, and exposures to outdated encryption technologies that put enterprise data at risk in both transit and at rest. 

In addition, the company’s solution helps enterprises prioritize risks according to their technical and business significance and guides enterprises in responding to each identified risk. This empowers security operations and compliance teams to coordinate and accelerate activities and responses to cryptographic risks, ensuring that application owners and security stakeholders reduce exposure to business-specific threats. 

Modern cryptographic infrastructure governance is necessary for enterprises to inventory and better understand their cryptography assets, identify risks, and respond to them in a timely and cost-effective manner. With the upcoming quantum computing era, enterprises and government agencies are preparing to migrate their cryptographic infrastructure to post-quantum algorithms. This migration requires organizations to fully understand where their cryptography is, which encryption technologies put them at risk, and how best to respond. 

According to Chief Executive Officer Ben Volkow, enterprises are unable to effectively plan their transition to modern cryptography without gaining continuous visibility into their cryptography assets. Organizations need to take a step back and understand the overall state of cryptography in their IT environments to be prepared for upcoming changes. With the quantum era of computing arriving, businesses need to ensure they are taking the right steps now to safeguard their sensitive data. 

The news comes as governments and enterprises worldwide are beginning to acknowledge the need to inventory cryptographic assets to develop migration plans for post-quantum cryptography algorithms. Additionally, with increased concerns over the implications of quantum computing, multiple cybersecurity startups are positioning their services to assist enterprises in preparing their cryptography infrastructure for the transition to post-quantum cryptography algorithms.

OpenMandriva Accuses Former Contributor of Project Sabotage

 

OpenMandriva Linux is facing a serious internal security dispute after it said a former contributor abused administrative access to damage the project’s infrastructure. The alleged actions included deleting GitHub repositories and publishing an empty package that could have broken desktop systems for users of GNOME and COSMIC. 

According to the project, the problem did not begin with code but with conflict inside the community. OpenMandriva says an abusive incident in its Matrix chat led to one contributor being removed, which then triggered a chain of resignations and escalating anger among some members. 

The most damaging part of the incident involved repository access. Long-time maintainer AngryPenguin said the contributor had admin privileges because he had previously helped migrate and mirror project repositories to a private OneDev instance, and that access was later used to delete part of a repository the team had maintained for nearly 10 years. 

OpenMandriva also says the contributor pushed an empty package into its Cooker development branch. That package obsoleted the GNOME and COSMIC packages, meaning it could have caused real disruption for people relying on those desktop environments if the issue had not been caught quickly. 

The accused contributor, Davide Beatrici, rejects the sabotage allegation and says his goal was not to harm users or the distro itself. He argues that his actions were tied to a dispute over the project’s direction, including disagreement about OpenMandriva’s support for GNOME and COSMIC alongside KDE and LXQt. OpenMandriva says it is now restoring deleted repositories, repairing affected packages, and conducting a full audit to confirm that nothing else was altered. 

The project has also said the incident may meet the threshold of a criminal offense, though it has chosen not to pursue legal action at this stage. This case is a reminder that open-source projects do not only face technical threats from outside attackers. Internal access, trust, and governance can become just as dangerous when disputes turn personal and administrative privileges are misused.