Cybersecurity
69 articles
npm, PyPI, and Crates.io Cannot Afford Basic Security as Malware Costs Devour Thin Budgets, Alpha-Omega Audit Reveals
An audit of the world's largest open source package registries finds they spend 12 percent of their budgets fighting malware and just 2 percent on new features, with no path to sustainable security funding.
Microsoft Patches Six Actively Exploited Zero-Days in February 2026, Matching Last Year's Record High
Microsoft's February Patch Tuesday fixes 58 flaws including six zero-days already under attack, with CISA ordering immediate federal remediation.
PackageGate flaws let Git dependencies bypass npm’s post–Shai-Hulud install defenses
Researchers say Git-sourced dependencies can re-enable code execution paths even when npm is run with --ignore-scripts, undermining a widely recommended mitigation after 2025’s Shai-Hulud worm.
OpenAI Introduces Trusted Access for Cyber, Gates Its Most Capable Security Model Behind Identity Verification
OpenAI launches a tiered access framework for cybersecurity professionals alongside $10 million in API grants, as GPT-5.3-Codex becomes the company's first model rated 'high' for cyber risk.
BeyondTrust Patches Critical Pre-Auth RCE Flaw Rated 9.9 as 11,000 Instances Sit Exposed on the Internet
A CVSS 9.9 command-injection bug in BeyondTrust Remote Support and Privileged Remote Access lets unauthenticated attackers execute OS commands, echoing the zero-days that gave Chinese state hackers access to the U.S. Treasury in 2024.
CISA Orders Federal Agencies to Rip Out Unsupported Edge Devices as Nation-State Hackers Exploit Aging Firewalls and Routers
Binding Operational Directive 26-02 gives agencies 18 months to inventory and replace end-of-life firewalls, routers, and switches that advanced threat actors are actively exploiting.
Substack Confirms Data Breach Exposing Nearly 700,000 Users After Hacker Dumps Records on Dark Web Forum
Substack disclosed a breach that went undetected for four months, with a hacker leaking email addresses, phone numbers, and internal metadata for hundreds of thousands of users on BreachForums.
Chinese State Hackers Hijacked Notepad++ Updates for Six Months in Targeted Espionage Campaign
Lotus Blossom APT group compromised Notepad++ update infrastructure from June to December 2025, delivering Cobalt Strike and custom backdoors to select government and telecom targets.
Single Threat Actor Behind 50 Corporate Breaches Using Stolen Cloud Credentials
Threat actor exploited infostealer-harvested passwords to breach enterprise file-sharing platforms at major companies lacking MFA protection.