Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In November of last year, Aaron Bray made some supply chain security predictions for 2025. Now, as we approach the close of the year, we are going to look at how those predictions turned out. But first let’s start with the high-level statistics and review some of the campaigns we have been tracking and reporting on this year. As this year is not yet over, we have excluded data from December for both 2024 and 2025.

Why outsourcing auth doesn't mean outsourcing risk.

Privilege is no longer a static control. It shifts dynamically with every action taken by an increasingly dynamic set of users, workloads, and AI agents, making traditional reliance on static credentials outdated and unfit for modern, fast-paced hybrid environments. As a result, organizations now need to evolve to a more agile and adaptive approach to securing privilege, one that can effectively handle the sheer volume and complexity of identities operating across cloud, on-prem, and hybrid ecosystems.

Why we’re bringing Zero Standing Privileges to M365, and why it matters. In the past decade, we collectively agreed that standing access to infrastructure is a security failure. No credible security team allows permanent root access on production servers or standing SSH keys for cloud instances. We built vaults, we implemented session recording, and we moved to Just-in-Time (JIT) access for infrastructure.

JSCEAL is an information stealer that’s been targeting users of cryptocurrency applications. As reported by Check Point Research (CPR) in July 2025, JSCEAL has developed into a more advanced form. In a new campaign observed by Cato CTRL in August 2025, JSCEAL has adopted a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine designed for increased stealth. The campaign remains active.

This is a predictions blog. We know, we know; everyone does them, and they can get a bit same-y. Chances are, you’re already bored with reading them. So, we’ve decided to do things a little bit differently this year. Instead of bombarding you with just our own predictions, we’ve decided to cast the net far and wide. We’ve spoken to cybersecurity experts from around the world to answer what’s, for us, the most pressing question of all.

In 2025, we engineered a truly new era of modern DAST. We unlocked next-gen assessments with “infinite” payloads, eliminated the trade-off between broad attack surface visibility and deep application testing, and found the ultimate balance between human ingenuity and machine intelligence with our AI Researcher, Alfred. The result? A modern DAST product that delivers unmatched innovation and accuracy in the AppSec space.

An API token is like a small digital key that tells a system that a user or an app is allowed to act in the system. When this key gets stolen, attackers act as real users and misuse the account. It’s called API token hijacking, and this issue has grown in the last few years. Most companies are not able to detect this problem in time. It’s important for IT/security teams to understand token theft to respond quickly and build stronger protection for future attacks.

Phishing remains one of the most common cyber threats, affecting users across industries and regions. It targets human behavior rather than technology, which makes it more effective than many other attack methods. Now, attackers are using advanced tools, like AI, to make phishing more effective. To know how to avoid phishing attacks, you must understand how they work and the different forms they take.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! I’m sure techs were hoping for a gradual wind down for the holiday season…