Five defender priorities from the Talos Year in Review

A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures -- all without code. One such case was recently...

Simplifying AWS defense with Microsoft Sentinel UEBA

In this article 1. Under the hood: The tables 2. Traditional vs. new approach 3. Real-world attack scenarios: Microsoft Sentinel UEBA in action 4. Practical implementation: Getting started 5. Limitations and constraints 6. From raw logs to behavioral context With the expansion of Microsoft Sentin...

Simplifying AWS defense with Microsoft Sentinel UEBA

In this article 1. Under the hood: The tables 2. Traditional vs. new approach 3. Real-world attack scenarios: Microsoft Sentinel UEBA in action 4. Practical implementation: Getting started 5. Limitations and constraints 6. From raw logs to behavioral context With the expansion of Microsoft Sentin...

Spring Boot's PID file write follows symlinks at predictable default path

When an application is configured to use ApplicationPidFileWriter, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 fix 4.0.6, 3.5.0–3.5.13 fix 3.5.14, 3.4.0–3.4.15 fix 3.4.16,...

JLSEC-2026-236 Applications that use a non-default option when verifying certificates may be vulnerable to an...

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that...

JLSEC-2026-215 OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include...

OpenSSL 1.1.1 introduced a rewritten random number generator RNG. This was intended to include protection in the event of a fork system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A...

Malicious code in @pyme-web/web-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e52ac4b8d97b81cff5824f4ddc38897183df4e20ecd3f1e7df62e8f6645f236a The package @pyme-web/web-api was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3119 Malicious code in @pyme-web/ui-widget (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a73f6d1f150b07a8023fdef84fc4cc091a7cecbed37ff3364bfb328747951526 The package @pyme-web/ui-widget was found to contain malicious code. Source: ghsa-malware...

Malicious code in @taxmoninor/taxmon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42f9358f8af80b7021c6d4bb86f10796de5ad8ef2ec941d0057954b9e6a18355 The package @taxmoninor/taxmon was found to contain malicious code. Source: ghsa-malware...

Malicious code in @activation_code/success (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d00bacff8cfa3ae8a22cfb51c4be0ad025ce42bc29929c07a7eaad6be36c702c The package @activationcode/success was found to contain malicious code. Source: ghsa-malware...

Malicious code in @activation_code/activate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 051c685a7704a23fd8a744185c9b8551c7acda63ebf95feabd3ca4b9e1f8ede6 The package @activationcode/activate was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3106 Malicious code in @activation_code/activate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 051c685a7704a23fd8a744185c9b8551c7acda63ebf95feabd3ca4b9e1f8ede6 The package @activationcode/activate was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3107 Malicious code in @activation_code/error (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fec73b17468bf333bb1bf6a071209103b774e371dfbf9961ad522dbd006fff7d The package @activationcode/error was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3114 Malicious code in @apple-pay-trust/finish (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9abd2d210c4a5df0e95f326e80b2e6618647c03ba4158e1d6ffbd36d9f7b800a The package @apple-pay-trust/finish was found to contain malicious code. Source: ghsa-malware...

Malicious code in @apple-pay-trust/check-apple-pay-result (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e1519a2b638e44ce9001f6e843a09909254897aa84597b6476e1004efbf0a16 The package @apple-pay-trust/check-apple-pay-result was found to contain malicious code. Source: ghsa-malware...

RUSTSEC-2026-0126 AVX2 Implementation Did Not Fully Reduce Intermediate Values

The AVX2 implementation of ML-DSA did not fully reduce intermediate inputs to the inverse NTT, which leads to a testable difference in panic behaviour of internal functions compared to the portable implementation. Impact We are not aware of inputs to the public key generation, signing or...

AVX2 Implementation Did Not Fully Reduce Intermediate Values

The AVX2 implementation of ML-DSA did not fully reduce intermediate inputs to the inverse NTT, which leads to a testable difference in panic behaviour of internal functions compared to the portable implementation. Impact We are not aware of inputs to the public key generation, signing or...

MAL-2026-3124 Malicious code in apple-internal-dev-check (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...

From Spoofing to Trust: Emergency Alerts Spoofing Testbed and Cross-Cell Verification

Public warning systems PWS in cellular networks enable authorities to broadcast emergency alerts to all mobile phones in a geographic region in the event of threats such as earthquakes or severe weather. If an attacker can imitate these alerts and transmit a forged warning containing fake news or...

Malicious code in @clearpool/streaming (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector febaceb862fd80f68bdcefbbed2667f056ba0b09cc0607d92962dd0d1c2a8b5d The package @clearpool/streaming was found to contain malicious code. Source: ghsa-malware...