GitHub Actions hardens checkout security to block ‘pwn request’ attacks
Blind spot If there’s a criticism that can be levelled at GitHub over this, it’s that it has taken so long to address a weakness…
Category: CISOOnline
AI-SPM buyer’s guide: 14 tools to secure your AI infrastructure
OneTrust AI Governance OneTrust offers AI Governance, a platform that automates compliance and provides continuous monitoring of the AI landscape, across the software lifecycle starting…
GRC is broken. FedRAMP 20x might fix it
No established playbook.No previous iteration.No deeply embedded understanding of how this model actually behaved in practice. At the same time, we weren’t trying to approach…
Rethinking the balance between AI oversight and innovation
The new CIO mandate is clear: facilitate AI adoption across the enterprise at speed. According to CIO.com’s State of the CIO survey, CEOs’ top priority…
Kahneman, ‘Where’s Waldo’ and the Nexus pass: A CISO’s mental model for the AI era
Security awareness training as a defense against phishing is dead. It has been dead for a while. The industry never held a funeral because the…
Be on the lookout for Mistic, a new backdoor used by ransomware broker
The backdoor itself reaches out to a command-and-control (C2) server and can execute code delivered from it directly in memory, without saving any file on…
Scattered Spider duo convicted over $38M Transport for London attack
The attack was investigated by the UK’s National Crime Agency and City of London Police. Police investigators quickly identified Flowers as a suspect prior to…
How a malicious AI agent skill passed security checks and reached 26,000 users
Once the skill had gained distribution, AIR changed the content behind the fake Stitch documentation. The revised page instructed agents to download and run a…
Attackers exploit Cisco Unified CM flaw weeks after patch release
The flaw is tracked as CVE-2026-20230 and carries a CVSS base score of 8.6. Cisco published the advisory and patches on June 3, when it…
Hole in widely-used FFmpeg codec could crash media servers or enable RCE
A newly discovered critical vulnerability in the FFmpeg media processing framework bundled in a huge number of open source and commercial applications points, again, to…
Meta pauses employee monitoring program after data protections fail
The data collected included full prompts and transcriptions, private conversations, people and performance data, Wired said, adding, “Meta executives have repeatedly defended the data-gathering project,…
Trump sets post-quantum crypto deadlines, launches broader federal quantum initiative
The administration argues that quantum technologies could eventually transform industries, including pharmaceuticals, manufacturing, logistics, energy, and defense, while providing strategic advantages in scientific research and…