The Off-Switch Is the Story, Not the Soundbite
Trump's tone on Anthropic softened. Nothing binding moved. What the last two weeks actually exposed is a federal lever that now hangs over every frontier vendor you depend on — and what to do about it.
Blinding the Watchman: Why an Unauthenticated RCE on Splunk Is a Detection-Integrity Emergency
CVE-2026-20253 is a CVSS 9.8 on Splunk Enterprise — but the score measures the bug, not the asset. When the box that lands a file-write primitive is the one your whole detection program treats as ground truth, the first thing an attacker buys is the power to make the watchman lie. Patch it, then assume its testimony is suspect.
There's no patch for Secure Boot's signed-binary problem — only a revocation the ecosystem can't push
CERT/CC's VU#457458 has no CVE and no patch, because the vulnerable UEFI binaries work exactly as designed. The only fix is withdrawing trust across every machine's DBX — and that's the part the industry keeps failing at.
Signed, Reviewed, Verified — and Still Malicious
Fifteen JetBrains plugins stole developer AI keys while passing every trust signal the marketplace offers. The controls did their jobs — their jobs were just the wrong ones.
The management plane is the front line: defending Tier-0 network gear after the 2026 KEV wave
Three mid-2026 vulnerabilities added to CISA's KEV catalog all hit devices built to protect networks — VPN, SD-WAN, and endpoint-management consoles. Here's how to prioritize and defend them.
AI Infrastructure Enters the Must-Patch Era
A command-injection flaw in the LiteLLM proxy just landed on CISA's Known Exploited Vulnerabilities list with a two-week fix deadline. The lesson isn't that AI is uniquely dangerous — it's that AI gateways, proxies, and MCP connectors now answer to ordinary vulnerability management.
Defending Against CI/CD Attacks in 2026
The pipelines that ship your software have quietly become the softest part of the attack surface. A field guide to treating configuration as a security boundary.
The build pipeline is the target: what the 2026 axios npm compromise teaches about supply-chain defense
Two malicious axios versions ran attacker code at install time before any application ever called the library. Here is how install-time (postinstall) script attacks and self-propagating npm worms work, and the concrete steps that bound the damage to your CI/CD pipelines and publishing tokens.
The Phantom Ransomware Group That Ran Off a Phone
0APT posted 190-plus victims in its first week from an Android phone's SD card. None were real. The funny part is the phone; the useful part is what it tells you about every leak-site number you've ever counted.
The First Agentic CVE Is a 1990s Web Bug Wearing an Agent Costume
CVE-2026-25253 got crowned the first AI-agent CVE. Strip the costume and it's a secret in a URL plus a WebSocket that trusts any caller — OWASP-Top-10 hygiene from over a decade ago. The genuinely new part isn't the bug. It's what an autonomous agent does with it.
Where CISO liability really lives now
The SEC dropped its SolarWinds cyber-disclosure case against the company and its CISO with prejudice in November 2025. Here is why that narrows one enforcement avenue without removing the exposures that should actually drive your disclosure program, and what to check in the next 90 days.