Velvet Ant Shows Authentication Infrastructure Is Critical Infrastructure
Velvet Ant’s Operation Highland shows why PAM, OpenSSH, jump hosts, and proxy paths deserve the same defensive priority as identity providers and domain controllers.
Zscaler ThreatLabz says the Shai-Hulud campaign has expanded across package ecosystems and introduced prompt-injection tactics aimed at automated AI security triage. The defense lesson is simple: treat package content as hostile input, even when an LLM is doing the review.
Maine took its public breach notification database offline after fake disclosures were published. The lesson for SMBs and government contractors: public trust workflows need verification, moderation, and correction controls.
intWave disclosed CVE-2026-33590 in Portainer, where insecure default Docker security settings could let regular users escalate toward host takeover. Here is what SMBs and government contractors should lock down.
Rebora disclosed MaXSS and Spyder, two critical flaws in AI browser-extension side panels. The lesson for SMBs and government contractors: browser extensions are endpoint software with identity-session reach and need governance.
GTIG and Mandiant report active ShinyHunters exploitation of Oracle PeopleSoft CVE-2026-35273. Here is what defenders should lock down, hunt, and segment now.
Check Point Research disclosed LangGraph checkpointer flaws that could turn user-controlled state-history filters into SQL injection, unsafe deserialization, and remote code execution. The lesson for SMBs and government contractors: AI agent memory is application infrastructure, not magic middleware.
A reported IMA Diligence breach affecting more than 525,000 people shows why legacy third-party servers need ownership, monitoring, decommissioning, and data-risk review.
Fortinet researchers detailed C0XMO, a Gafgyt variant spreading through DD-WRT and other exposed devices. Here is what SMBs and government contractors should lock down before compromised routers become DDoS infrastructure.
CISA added actively exploited SolarWinds Serv-U CVE-2026-28318 to KEV. Here is what SMBs and government contractors should do about file-transfer availability risk.