Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Cyber-enabled crimes cost Americans nearly $21 billion in 2025, a 26% increase from the previous year, according to the FBI’s latest Internet Crime Report. Phishing, extortion, and investment scams were the most commonly reported attacks, with AI-related scams driving some of the costliest losses. Phishing was the top attack vector, with these attacks leading to more than $215 million in losses. Notably, AI-assisted business email compromise (BEC) attacks cost victims more than $30 million.

For security teams, credential sprawl is like dust; you don't notice it until it has accumulated.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! Another patching weekend ahead then?

When it comes to real-time payments, fraud moves fast — but liquidity stress can move even faster. A fraud or cyberattack can quickly become a liquidity event when it disrupts settlement funds, triggers abnormal transaction flows or forces payment services offline. That is why banks, payment processors and instant payment networks need real-time visibility into transaction activity, settlement exposure and emerging operational risk.

Artificial intelligence is everywhere at work. Yet for many teams, it still doesn’t feel very intelligent. The problem isn’t a lack of AI tools. It’s the opposite. AI has exploded across the enterprise, spreading into dozens of apps, assistants, and models. Each tool promises to help, but together they create fragmentation. Employees end up asking the same question in multiple places, switching between systems, and piecing together answers manually.

The extended detection and response (XDR) market has evolved rapidly in recent years. What once seemed like a race to add new features is now giving way to a different debate: how to effectively integrate the different security layers that make up modern infrastructure. With increasingly distributed IT environments, including endpoints, identities, networks, and cloud applications, the volume of security signals that need to be analyzed to detect threats has multiplied.

CVE-2026-40372 is an elevation of privilege vulnerability in ASP.NET Core caused by improper verification of cryptographic signatures in the Data Protection library. The flaw sits in the HMAC validation routine of the managed authenticated encryptor, where a defective comparison lets an attacker submit a forged payload that the application accepts as legitimately signed. The vulnerability carries a CVSS v3.1 base score of 8.1 (Important), as assigned by Microsoft in the official advisory.

A few years ago, we made a call that most of our industry was not ready to hear. AI agents were going to become the primary way enterprises get work done. Not as a concept, not as a research project, but as the operational reality of how the modern business runs. And the security infrastructure being built around them was designed for something fundamentally different. Prompt filtering. Model safety. Input guardrails.

In the modern software development lifecycle, the speed of innovation is often at odds with the security of our most sensitive data. As organizations embrace cloud-native development and AI-generated code, they face a phenomenon known as “secret sprawl”, aka, the uncontrolled and widespread distribution of API keys, passwords, and tokens across repositories, CI/CD logs, and developer collaboration tools.

JPMorganChase's Global Technology Leadership published "Fortifying the enterprise: 10 actions to take now for AI-ready cyber resilience" on April 17, 2026. It's a CISO mandate for every large enterprise. Snyk directly addresses 8 of those 10 actions — out of the box, in the developer workflow, with one platform.