Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Microsoft has announced the retirement of the Windows UEFI CA 2011 certificate and the transition to the Windows UEFI CA 2023 certificate, with hard enforcement beginning in 2026. This update is part of Microsoft’s ongoing effort to preserve the integrity of the Windows Secure Boot trust chain and ensure continued delivery of boot-level security updates. For enterprise IT teams, this is not simply a certificate replacement.

On March 31, 2026, a threat actor used stolen maintainer credentials to compromise the widely used HTTP client library Axios Node Package Manager (npm) package and deploy platform-specific ZshBucket variants. CrowdStrike Counter Adversary Operations attributes this activity to STARDUST CHOLLIMA with moderate confidence based on the adversary’s deployment of updated variants of ZshBucket (malware uniquely attributed to STARDUST CHOLLIMA) and overlaps with known STARDUST CHOLLIMA infrastructure.

CVE-2026-20929, a vulnerability with a CVSS of 7.5 that was patched in the January 2026 Patch Tuesday update, enables attackers to exploit Kerberos authentication relay through DNS CNAME record abuse. This blog focuses on detecting one particularly impactful attack vector: relaying authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed in recent research.

The era of human-speed defense is over. With eCrime breakout times collapsing to as fast as 27 seconds and attacks from AI-powered adversaries increasing 89% year-over-year, the traditional SOC has reached a breaking point. Manual processes, fragmented tools, and rule-based playbooks were built for a different era. Today, if your defense depends on human reaction time, you’re not just behind — you’re at risk.

Interest in cloud-native application protection platforms (CNAPPs) has exploded over the recent years, partly due to their ability to reduce alert noise by translating siloed misconfigurations into correlated, theoretical attack paths and exposures. While many organizations have adopted these solutions in pursuit of outcomes like zero critical issues, cloud breaches continue to rise.

In modern organizations, sensitive data lives everywhere and is constantly moving. It is created, accessed, transformed, and shared across endpoints, browsers, SaaS applications, cloud services, GenAI tools, and agentic workflows. CrowdStrike is introducing CrowdStrike Falcon Data Security to protect data across constantly evolving business environments.

As organizations race to adopt new AI tools, deploy AI agents, and build AI-powered software, they create new attack surfaces that traditional security controls were never designed to protect. A key example is the prompt and agentic interaction layer, which faces novel threats like indirect prompt injection and agentic tool chain attacks.

CrowdStrike is expanding CrowdStrike Falcon Next-Gen SIEM to support third-party endpoint detection and response (EDR) solutions — beginning with Microsoft Defender — with no Falcon sensor required. This evolution will enable organizations to modernize their SOC without replacing existing endpoint agents. Adversaries are moving faster than ever, exploiting cross-domain gaps across endpoint, identity, network, and cloud.

While investigating a spike in script execution detections across several CrowdStrike Falcon platform customers, CrowdStrike’s Engineering team traced the activity to a compromised GitHub Action named aquasecurity/trivy-action. This popular open-source vulnerability scanner is frequently used in CI/CD pipelines.

The biggest challenge for developers building AI applications is no longer the translation of user intent into action, but rather limiting its scope to stay within stated business goals and prevent abuse. This challenge has moved from theoretical to mission-critical as AI agents transition from experimental projects to mainstream business tools, where a single compromised agent can expose customer data, execute unauthorized transactions, or violate compliance requirements across thousands of interactions.