Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In order to collect various security-related metrics, Bitsight scans the entire internet, collecting a unique set of data that enables us to carry out a variety of studies that would be extremely difficult for any other company to conduct. One of the metrics that we collect is related to the presence of certain vulnerabilities. For this, we need to take into consideration all possible mitigation strategies that are available and that allow us to reduce the risk.

In our day-to-day work and conversations with security experts, one concern comes up regularly: how consistent is our WAF protection? Our answer is always the same: not as much as you think. The truth is that in the case of enterprises, web application firewall (WAF) coverage is rarely uniform. Protection is often a mixed bag of products from different vendors, managed by separate teams, each guarding only part of the attack surface.

Industries, governments, and enterprises of all kinds have adopted large language models (LLMs) and generative AI (GenAI) into their operations and workflows, unlocking new possibilities for everything from customer interaction to complex data analysis. But with this innovation comes new challenges for security, observability, and data science teams.

Over night, starting at 01:16 UTC on September 9th, we were alerted to more packages being compromised, these included: These packages all had a new version 1.3.3 released (In the case of the wasm version, it was version 1.29.2), which contained the same malicious code as we saw in the compromise of packages with 2 billion+ downloads.

Delivering safe and reliable power around the clock is a huge challenge. A task made even more difficult by the sharp rise in cyberattacks on the energy and utilities sector. Recent research from Trustwave SpiderLabs found that cyber threats against the sector have surged by 80% year-over-year, costing organizations nearly half a million dollars more per breach than the cross-industry average of $4.8 million.

On September 9, 2025, SAP released its September 2025 Security Patch Day update with patches for 21 vulnerabilities. The most severe of these, CVE-2025-42944, is a maximum-severity deserialization vulnerability of untrusted Java objects in SAP NetWeaver that resides in the RMI-RP4 module. A remote unauthenticated threat actor can exploit this vulnerability by submitting a malicious payload to an open port to achieve arbitrary OS command execution.

A critical Server-Side Request Forgery (SSRF) vulnerability—CVE-2025-8085—has been discovered in the popular WordPress plugin “Ditty (News Ticker & Display Items)” for versions prior to 3.1.58. The issue resides in the displayItems REST API endpoint (wp-json/dittyeditor/v1/displayItems), which lacks authentication and authorization, allowing unauthenticated attackers to force the server to fetch arbitrary URLs—internal or external—via crafted JSON payloads.

Security analysts work on the front lines, responsible for protecting organizations every hour of the day from all threats. Our mission has always been to empower the SOC with end-to-end visibility to focus on what matters most and act with clarity, context and speed to resolve any attack.

By James Rees, MD, Razorthorn Security The Digital Operational Resilience Act (DORA) isn’t just another regulatory hurdle to clear. It’s fundamentally changing how financial institutions think about operational risk, particularly when it comes to the third party providers that now handle much of their critical technology infrastructure. DORA third party compliance has become a critical priority for EU financial institutions since the regulation came into force in January 2025.

Aviram Shmueli is a distinguished cybersecurity and cloud computing expert with a background steeped in 8200 and the Israeli Ministry of Defense. He has over 20 years of hands-on and senior managerial experience in engineering and product management. Yesterday, a critical supply chain attack impacting 18 widely used npm packages was disclosed. These packages collectively account for nearly 2 billion weekly downloads.