As explored in CYJAX’s recent blog, “PhishinGit – GitHub.io pages abused for malware distribution”, a core feature of GitHub is that it allows users to create and host free static webpages for repositories on github.io. Whilst this service is primarily used to display legitimate projects and host functional webpages, it is known to be used to host malicious files, infrastructure, and content.

JFrog Security Research found 3 zero-day critical vulnerabilities in PickleScan, which would allow attackers to bypass the most popular Pickle model scanning tool. PickleScan is a widely used, industry-standard tool for scanning ML models and ensuring they contain no malicious content.

UL 2900 is a cybersecurity standard used for networked products and systems. This certification framework is part of the response to the growing security challenges posed by connected devices across various sectors. It defines testing guidelines, security requirements, and continuous maintenance steps, enabling manufacturers to create secure products from the outset. UL 2900 penetration testing and certification is much more than foundational compliance.

Unexpected attacks are the hardest to fend off. In the realm of cyber, Zero Day vulnerabilities are among the greatest risks, as these software flaws are unknown and exploited before a fix is available, potentially compromising the thousands of organizations that are unwittingly using vulnerable software.

After six years of tracking third-party risk management programs (TPRM), one thing has become clear: having a program doesn't necessarily mean it's working. Our latest The State of Supply Chain Defense report reveals an interesting shift. Organizations are spending more than ever on securing their vendor ecosystem, with 95% planning to increase their budgets in the next year. Programs are maturing, with nearly half of surveyed organizations reporting established and optimized initiatives.

Application security is becoming increasingly fragmented. Development and security teams use a wide array of tools for testing, protection, and supply chain security. While each tool serves a purpose, they often operate in silos. This fragmentation creates a disconnected view of an organization’s security posture, making it difficult to prioritize and remediate risk effectively.

In today’s geopolitical and regulatory climate, organizations and nations are increasingly embracing digital sovereignty—the ability to control and protect their data, infrastructure and operations within defined jurisdictions. The sovereign-cloud market is growing fast as governments and regulated enterprises demand local control, auditable supply-chains, and cloud-native resiliency.

This year has been one of the most transformative in our collaboration with AWS. As organizations move faster toward AI-driven development and cloud-native architectures, secure access has become a foundational requirement, not an afterthought.