Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Inside the Hidden VM: How Attackers Stay Undetected

Apr 29, 2026 By Sophos In Sophos
Threat actors are getting better at hiding in plain sight through using virtual environments to evade detection and deliver ransomware. New research from Sophos X-Ops reveals an increase in the abuse of QEMU, an open-source emulator, to conceal malicious activity inside virtual machines. While this technique isn’t new, its use for defense evasion is accelerating, making visibility and detection even more challenging for defenders.
View Video
sophos

'Mini Shai-Hulud' supply chain attack targets SAP npm packages

Apr 29, 2026 By Sophos Counter Threat Unit Research Team In Sophos
On April 29, 2026, security researchers detailed a campaign known as ‘mini Shai-Hulud’ that involves compromised versions of npm packages used in SAP’s Cloud Application Programming Model (CAP). The malicious packages reportedly contain functionality to steal sensitive data such as credentials. The stolen data is encrypted and exfiltrated via public GitHub repositories. The maintainers of known-compromised packages have released updated versions.
Read Post
sophos

Supply chain attacks hit Checkmarx and Bitwarden developer tools

Apr 24, 2026 By Sophos X-Ops In Sophos
Sophos X-Ops is aware of reports that two widely-used developer tools – the Checkmarx KICs security scanner and the Bitwarden CLI – were hijacked on April 22, 2026, to steal credentials from development environments. These attacks occurred within hours of each other and share the same command-and-control (C2) domain – potentially pointing to a single threat actor running a coordinated campaign. Both vendors have since reportedly contained the incidents.
Read Post
sophos

Strengthening authentication with passkeys: A CISO playbook

Apr 22, 2026 By Ross McKerchar In Sophos
For decades, passwords have been the standard method for protecting access to systems and accounts. However, passwords can be compromised or stolen via tactics such as brute-force attacks, phishing attacks, and infostealer malware. The shift to multi-factor authentication (MFA) added another layer of security by requiring additional authentication to verify the user’s identity – some combination of something you know, own, or (in the case of biometrics) are.
Read Post
sophos

QEMU abused to evade detection and enable ransomware delivery

Apr 16, 2026 By Morgan Demboski In Sophos
Sophos analysts are investigating the active abuse of QEMU, an “open-source machine emulator and virtualizer,” by threat actors seeking to hide malicious activity within virtualized environments. Attackers are drawn to QEMU and more common hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware because malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself.
Read Post
sophos

Secure by Design: Building cybersecurity into the foundation

Apr 15, 2026 By Sophos In Sophos
Secure by Design: Building cybersecurity into the foundation An explainer of why this philosophy matters and how it reduces attack surface from the inside Secure by Design is a software development philosophy that treats security as a foundational requirement rather than an afterthought.
Read Post

Sophos Firewall: Configuration Studio

Apr 15, 2026 By Sophos In Sophos
An overview of the new Sophos Firewall Configuration Studio, the newest version of the Firewall Configuration Viewer. This standalone, browser-based tool converts firewall configurations into a clear, human-readable format, enhancing your viewing, auditing, documentation, and comparison capabilities. All data is processed locally, so your information remains 100% private. Ask questions and get expert answers in the Sophos Community.
View Video

Copyright © 2026 OpsMatters™. All rights reserved.