Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

According to Bitsight TRACE’s 2025 State of the Underground report, the most exposed devices tied to critical vulnerabilities were found in the United States, and the most affected sectors included Information (telecom, IT) and Professional, Scientific, and Technical Services (including security and software vendors).

Our API scanner can test for dozens of vulnerability types like prompt injections and misconfigurations. We’re excited to share today that we’re releasing vulnerability tests for OAuth API authorization for organizations that use JWT tokens. These JWT, or JSON Web Tokens, are meant to prove that you have access to whatever it is you are accessing. One of the most critical JWT vulnerabilities is algorithm confusion.

Picture this: it’s 3 AM, and your message broker is acting up. Queue depths are climbing, consumers are dropping off, and your on-call engineer is frantically restarting pods in a Kubernetes cluster they barely understand. Sound familiar? For years, we lived this reality with our self-hosted RabbitMQ running on EKS.

A phishing campaign is impersonating LastPass and Bitwarden with phony breach notifications, BleepingComputer reports. “An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager,” BleepingComputer writes.

In late September 2025, several European airports reported significant delays and flight cancellations due to issues with their check-in and passenger systems. Collin’s Aerospace, the vendor of the vMUSE check-in system, had been hit by a ransomware attack. ARINC error message: Source: Cyberplace.social.

Having joined visionary leaders and top practitioners at ZenityLabs’ AI Agent Security Summit in San Francisco, I came away inspired and laser-focused on the incredible opportunities and responsibilities ahead for any organization looking to adopt and secure AI agents.

Cybercrime doesn’t differentiate between individuals. It can happen to anyone, anytime. We have all heard about phishing attacks, where attackers deceive innocent people into clicking on malicious links and expose their sensitive information. It happens through text messages, emails, and phone calls. When such phishing targets high-profile individuals, like CEOs, CFOs, or top executives of organizations, it’s called a ‘Whaling Attack’.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! House of cards some would say…

Low-code workflow builders have flourished in the AI wave, providing the “shovels and picks” for non-technical users to make AI-powered apps. Flowise is one of those tools and, like others in its category, it has the potential to leak data when configured without user authentication. To understand the risk of misconfigured Flowise instances, we investigated over a hundred data exposures found in the wild.

Maintaining an Active Directory (AD) enterprise environment is no easy task. Between all the permissions, security compliances, update cycles, emergency patches, appliance configurations and more, covering all the bases could feel overwhelming at times and could lead to errors that may result in major consequences.