← Back to Posts

Posts

OS Weekly: A Poisoned npm Package, CISA's Patch Deadline & AI's Double Edge

The software supply chain stayed the softest target in the room this week: a poisoned npm package was quietly dropping an infostealer on developer machines within minutes of publishing. CISA gave federal agencies a hard deadline on an actively exploited AI-framework flaw, and two separate pieces this week wrestled with the same question from opposite directions — is AI tipping the scales toward attackers or defenders? Here’s the rundown.

Critical Threats & Active Exploits

A compromised npm package was dropping an infostealer within six minutes of publishing

Illustration representing the compromised jscrambler npm package supply-chain attack

Version 8.14.0 of the jscrambler npm package shipped with a malicious preinstall hook that silently deployed a Rust-based infostealer on Windows, macOS, and Linux alike. Socket flagged the release just six minutes after it went live on July 11 — impressively fast detection, but also a stark reminder of how little friction stands between “npm install” and a compromised machine. Automated preinstall/postinstall scripts remain one of the ugliest blind spots in the JavaScript ecosystem, and this is a case study worth walking new team members through.

For aspiring practitioners: this is exactly the kind of incident that rewards people who actually read package changelogs and pin dependency versions instead of blindly accepting “latest.”

Read more →

CISA gives federal agencies until Friday to patch an actively exploited Langflow flaw

Illustration representing CISA’s directive on the Langflow authentication bypass flaw

CISA has ordered federal agencies to patch an authentication bypass vulnerability in Langflow, the visual framework many teams use to build AI agents, after confirming the flaw is being actively exploited in the wild. The short turnaround underscores a trend worth tracking closely: as AI tooling gets wired into production infrastructure, the frameworks powering it become just as attractive a target as anything else sitting on the network — and just as in need of a mature patch-management story.

Read more →

A China-linked actor keeps refining the malware behind its ORB network

Illustration representing the UAT-7810 ORB network expansion with LONGLEASH malware

Cisco Talos flagged continued, active development from UAT-7810, the advanced persistent threat behind the “LapDogs” Operational Relay Box (ORB) network first identified in mid-2025. The group’s newest tool, dubbed LONGLEASH, specifically targets internet-facing networking devices to expand the ORB’s reach. It’s a solid reminder that edge devices — routers, VPN appliances, IoT gear — deserve the same patch discipline and monitoring as core infrastructure, since they’re frequently the easiest way in.

Read more →

18 vulnerabilities patched across WolfSSL, GeoVision, and VTK-DICOM

Illustration representing vulnerabilities disclosed in WolfSSL, GeoVision, and VTK

Cisco Talos’ Vulnerability Discovery & Research team disclosed 18 issues this week: three in WolfSSL, fourteen in GeoVision hardware, and one in VTK-DICOM. All have been patched by the respective vendors under Cisco’s third-party disclosure policy. If you’re trying to build vulnerability-research chops, this batch is a great study prompt — three very different codebases (a TLS library, camera firmware, and a medical-imaging toolkit), one coordinated, responsible disclosure timeline.

Read more →

Australia warns of a global campaign hitting vulnerable CMS platforms

Illustration representing Australia’s warning on CMS platform exploitation

The Australian Cyber Security Centre (ACSC) issued an alert on active, widespread exploitation targeting vulnerable content management systems and their plugins. Attackers are using the access to steal data, deface sites, and distribute malware. If CMS patch management isn’t a standing line item on your (or your organization’s) security checklist, this is the nudge to add it — outdated plugins remain one of the most consistently exploited attack surfaces on the open web.

Read more →

FBI seizes NetNut proxy domains tied to the two-million-device Popa botnet

Illustration representing the FBI seizure of NetNut proxy domains and the Popa botnet takedown

Working with industry partners, the FBI seized hundreds of domains tied to NetNut, a residential proxy service run by publicly traded Alarum Technologies (NASDAQ: ALAR), after multiple security firms — including KrebsOnSecurity — linked the service to the Popa botnet. Popa reportedly compromised over two million devices, largely without their owners’ knowledge or consent. It’s a useful case study in how “legitimate,” commercially available proxy infrastructure can end up laundering botnet traffic, and why residential proxy services deserve real scrutiny before you trust or build on top of them.

Read more →

A U.S. government entity paid $1M to a group that may never have had ransomware at all

Illustration representing the Kairos data-theft extortion case involving a U.S. government entity

A Ransom-ISAC case study by Rakesh Krishnan traced roughly $1 million in payments from a U.S. government entity to a group calling itself Kairos. Based on leaked negotiation chats and blockchain payment-trail analysis, Krishnan found no evidence Kairos ever actually deployed ransomware to encrypt anything — the entire operation may have relied purely on the threat of leaking stolen files. It’s a sharp illustration of how extortion tactics have evolved: encryption isn’t always necessary when the threat of exposure alone is enough leverage.

Read more →

Tools, Strategy & AI

The asymmetric future of AI in cybersecurity

Illustration representing AI’s evolving role in cybersecurity

A sharp piece on how AI cuts both ways in security work: faster, more accurate threat detection and response on the defensive side, but also more sophisticated, AI-assisted attacks on the offensive side. The practical takeaway for practitioners is to avoid treating AI tooling as a set-and-forget layer in your stack — continuous validation matters more, not less, once both attackers and defenders have access to comparable capabilities.

Read more →

The EU unveils a plan to tackle AI’s risks and opportunities for cybersecurity

Illustration representing the EU’s plan on AI and cybersecurity

The European Commission announced a new initiative — targeting completion by 2026 — aimed at strengthening regulatory frameworks, encouraging cooperation among member states, and boosting investment in AI-driven security capabilities. It’s a plan worth tracking for anyone interested in how policy will shape the compliance landscape for AI-adjacent security tooling in the years ahead, particularly if you work with or sell into EU-regulated markets.

Read more →

What board games can teach you about defending a network

Illustration representing the parallels between board game strategy and cybersecurity defense

Cisco Talos researchers drew a fun but genuinely useful parallel between tabletop strategy games and defensive security work, arguing that pattern recognition, adaptability, and — above all — curiosity are shared traits between good board-game players and good defenders. If you’re early in your career, it’s a good reminder that the “soft” skill of staying curious about how systems break is as valuable long-term as any single certification.

Read more →

Industry & People

A cybersecurity startup fronted by convicted felons is offering millions for zero-days

Illustration representing the offensive cybersecurity startup led by individuals with criminal pasts

Brian Krebs reports on an offensive-security startup offering substantial payouts for zero-day vulnerabilities in popular software — run by two individuals with backgrounds as far-right conspiracy theorists and convicted felons, with prior ventures including fake intelligence firms and a defunct AI lobbying platform operated under false identities. It’s a pointed reminder to vet who’s actually behind a bug-bounty program or vulnerability broker before you sell them anything, no matter how attractive the payout.

Read more →

Jen Ellis named MBE for her work connecting researchers and policymakers

Illustration representing Jen Ellis’s advocacy connecting the cybersecurity community with policymakers

Jen Ellis has been named a Member of the Order of the British Empire (MBE) for her advocacy work bridging security researchers and policymakers, including efforts to secure legal protections for responsible vulnerability disclosure. For anyone mapping out a career path in the field, it’s a good reminder that policy and advocacy work is a legitimate, high-impact lane inside cybersecurity — not a detour from “real” security work.

Read more →

Could Estonia set the precedent for state-issued IDs for AI agents?

Illustration representing Estonia’s proposal for state IDs for AI agents

Estonia, long known as a digital-governance testing ground, is exploring formal identity infrastructure for AI agents acting on behalf of citizens in government services. It’s an early but meaningful signal of how identity and access management may need to evolve once “the user” behind a request isn’t always a human — a question that’s going to matter a lot more to IAM and zero-trust architects over the next few years.

Read more →


That’s the week. Stay curious, patch early, and keep questioning who’s really behind the tools you trust — that instinct is half the job in this field. Follow CyberShield for the next issue.


Canva (cyber-themed content kit): If you’re writing up incident recaps, threat-model briefs, or tool one-pagers, this free Canva kit — dark-mode slides, hex accents, monospace vibes — is built specifically for security folks who’d rather spend their time on the content than the layout. Grab it here. Transparency: this is an affiliate link — if you sign up, it may support CyberShield at no extra cost to you.

Carrd (portfolio & landing pages): Building a personal site to showcase your security work or a CTF team page? Carrd is the lean, no-dark-patterns page builder we lean on when we want something live fast without fighting a CMS. Check it out. Transparency: this is an affiliate link — if you sign up, it may support CyberShield at no extra cost to you.

comments powered by Disqus