Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! I’m sure techs were hoping for a gradual wind down for the holiday season…

When it comes to distributing PHP applications, discussions often swing between two extremes: fully open-source everything or lock all your code behind encryption/encoding. Critics of encoding often argue that open source is superior because users can still inspect and customise code. But the truth is far more nuanced, and the most successful software vendors already know it.

When Anthropic dropped the Model Context Protocol (MCP) in late 2024, it felt like the missing puzzle piece for AI tooling: a standard way for Large Language Models (LLMs) to talk to data sources, APIs, and pretty much anything else you can think of. Think of it as a USB-C port for AI, as the protocol’s creators like to say. But like most shiny new standards, the devil’s in the details.

It’s not hard for secrets to sprawl, buried under layers of commits and forgotten branches. Most teams don’t notice it until one bad push exposes everything. Secret leaks don’t come from breaches, but from configuration drift and forgotten credentials; a gap that traditional vault tools struggle to close on their own. Here’s the scale of that mess. Machine identities now outnumber human users by more than 80 to 1, and each one relies on credentials to function.

When your application crashes or a region goes offline, the difference between backup and replication determines whether you’re back online in minutes or scrambling for days. Most IT teams confuse these two strategies, but they solve different problems. Backup creates point-in-time copies of your data for recovery after corruption or deletion. Replication maintains synchronized copies across systems for high availability and failover.

Imagine a procurement manager from a verified enterprise logging into your Shopify Plus store to place a bulk order — only to find they can’t access the wholesale catalog or exclusive pricing. Therefore, admins must step in manually to verify the company and assign access, turning what should be a simple order into hours of work.

As businesses move more workloads to cloud apps like Microsoft 365, Google Workspace, Salesforce, and dozens of SaaS tools, the biggest question becomes: “How to keep business data stored on cloud apps safe?” With employees accessing cloud apps from different devices, networks, and locations, the risk of data exposure growns significantly. To address this, many organizations rely on two key security solutions: Cloud Access Security Brokers (CASB) and Data Loss Prevention (DLP).

On December 3, 2025, CVE-2025-55182, a critical remote code execution (RCE) vulnerability in React Server Components (RSC), dubbed “React2Shell.” This flaw, carrying a maximum CVSS v3.1 score of 10.0 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality/Integrity/Availability: High), stems from unsafe deserialization in the RSC “Flight” protocol.