Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Memcyco recently featured in an ITSP Magazine podcast episode snippet, which this post is based on. You can listen to the full feature here, or below. Our thanks go to the podcasters for having our CEO, Israel Mazin, on with them. Account takeover attacks are surging, fueled by off-the-shelf phishkits and AI tools that make it faster and cheaper for bad actors to impersonate trusted brands and steal customer credentials.

Business Email Compromise is often discussed as an email security problem. Something to be solved with better filters, stronger phishing detection, or tighter domain controls. That framing misses the real issue. BEC succeeds because businesses treat email identity as a trusted signal for decision-making. A familiar name implies authority. A known role implies intent. Once those assumptions are accepted, attackers no longer need malware or technical exploits to cause real damage.

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the handling of personal data belonging to individuals in the European Economic Area (EEA). It is considered one of the strictest data privacy regulations globally. ‍ If your organization processes the personal data of EU/EEA residents, complying with the GDPR is mandatory.

We are surrounded by generative AI tools, cloud-based solutions, and AI assistants that often perform functions for us. We tend to share data with them for smoother operations and to automate our work for enhanced productivity. The non-human tools are a playground for cybercriminals to access the data and damage critical infrastructures. So, it is paramount for us, especially organizations, to protect the shared information, along with the access rights of the non-human entities.

CVE-2026-23745 is a high-severity path traversal flaw in node-tar (the tar library for Node.js). Versions ≤7.5.2 fail to sanitize linkpath in hardlink and symlink entries when preservePaths is false (default secure mode). Malicious tar archives bypass extraction root restrictions, enabling arbitrary file overwrite via hardlinks and symlink poisoning via absolute targets. Discovered January 2026, patched in 7.5.3. Impacts npm ecosystems, CI/CD pipelines, and apps extracting untrusted archives.

Traditional HIPAA response plans were built for the incidents everyone can picture, like a compromised server, ransomware in the network, or unauthorized access to a clinical database. But website PHI leaks are different altogether. Often, there’s no attacker and no break-in. The leak comes from authorized tracking pixels or third-party analytics scripts simply collecting and sending data as designed, but on pages where it should never touch patient information in the first place.

Open source is one of the best things to ever happen to software development. It is also one of the easiest ways to accidentally ship legal obligations you did not sign up for. Most teams know they rely heavily on open-source dependencies. Fewer teams know exactly what licenses those dependencies use, what obligations come with them, or how those licenses travel through transitive dependencies and container images. That gap is what we call open-source license risk.

Artificial intelligence (AI) adoption is fast becoming a strategic necessity for modern businesses. With adoption continuing at pace, a carefully considered strategy is essential for gaining or maintaining a competitive advantage, managing downside risk and addressing the continued regulatory, legal, ethical and operational complexities presented by AI.

On October 13, 2025, security researchers from FearsOff identified and reported a vulnerability in Cloudflare's ACME (Automatic Certificate Management Environment) validation logic that disabled some of the WAF features on specific ACME-related paths. The vulnerability was reported and validated through Cloudflare’s bug bounty program. The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*).