Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Part 1 covered CanisterWorm, the self-spreading npm worm. Part 2 covered the malicious LiteLLM package. Part 3 covered the telnyx WAV steganography attack. Part 4 covered the xinference AI inference attack. This post covers: a compromised @bitwarden/cli package that combines a self-propagating npm worm, a GitHub Actions secrets dumper, and a novel AI assistant poisoning technique.

Revisiting a conversation between LimaCharlie co-founder Christopher Luft and Chris Cochran, Field CISO & Vice President of AI Security at SANS Institute, on The Cybersecurity Defenders Podcast. For most of cybersecurity’s history, defenders could operate under a safe assumption: somewhere on the other end of an attack, a human was making decisions. Scripts might automate parts of the kill chain, tools might accelerate execution, but a person was in the loop.

The halls of RSAC 2026 were buzzing with a singular question: "How do we defend an ecosystem that is moving faster than we can think?" During a featured session last week, Brian Dye (CEO, Corelight) talked with Deneen DeFiore (CISO, United Airlines) about the realities of protecting one of the world's most complex digital environments.

Three supply chain attacks hit npm, PyPI, and Docker Hub between April 21–23, 2026. All three targeted secrets: API keys, cloud credentials, SSH keys, and tokens from developer environments and CI/CD pipelines.

On 27 April 2026, the National Cyber Security Centre (NCSC) will officially implement Cyber Essentials v3.3, delivered through a new self-assessment question set known as Danzell, which replaces the previous Willow set. The foundational five technical controls remain the bedrock of the scheme, but this latest iteration tightens wording, scoping, and marking criteria in ways that have immediate consequences.

That is not a failure of fuzzing. It is a failure of interpretation. In a recent AFL++ fuzzing campaign targeting libarchive, we ran approximately 8.5 billion executions across all fuzzing phases, generated over a thousand crash files, and ultimately reduced them to two unique crash sites through structured crash triage and deduplication. This blog is a practical, engineering-first guide to that process: If your fuzzing pipeline stops at crash counts, you are not measuring security.

Cyber-enabled crimes cost Americans nearly $21 billion in 2025, a 26% increase from the previous year, according to the FBI’s latest Internet Crime Report. Phishing, extortion, and investment scams were the most commonly reported attacks, with AI-related scams driving some of the costliest losses. Phishing was the top attack vector, with these attacks leading to more than $215 million in losses. Notably, AI-assisted business email compromise (BEC) attacks cost victims more than $30 million.

For security teams, credential sprawl is like dust; you don't notice it until it has accumulated.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! Another patching weekend ahead then?

When it comes to real-time payments, fraud moves fast — but liquidity stress can move even faster. A fraud or cyberattack can quickly become a liquidity event when it disrupts settlement funds, triggers abnormal transaction flows or forces payment services offline. That is why banks, payment processors and instant payment networks need real-time visibility into transaction activity, settlement exposure and emerging operational risk.