// Cybersecurity

Source: The Register

Physical IoT devices in low-security zones like break rooms are becoming reliable entry points for attackers because IT teams assume consumer-grade appliances fall outside their threat model—but networked coffee makers, printers, and vending machines sit on the same corporate network as sensitive systems. The vulnerability is organizational negligence: nobody owns the security of the breakroom, so nobody patches it. Every connected object becomes an implicit backdoor when IT assumes perimeter defense is sufficient.

Source: The Register

ESET’s data reveals that cyber incidents against British factories are now baseline operational risk rather than anomalies, with attackers targeting production lines and supply chains for immediate economic damage rather than data theft. The shift from IT breaches to OT (operational technology) attacks means manufacturers face concrete losses—halted production, missed deliveries, customer penalties—that directly crater quarterly results, creating pressure to either invest heavily in segmented factory networks or absorb rising insurance costs as a cost of doing business. Manufacturing lobby groups across Europe and North America now treat cyber resilience as industrial policy, not IT hygiene.

Source: Socket

Axios processes 100 million weekly downloads across the JavaScript ecosystem, making it a high-value target for attackers seeking distribution at scale. This compromise shows that even foundational infrastructure packages with massive adoption remain vulnerable to dependency injection despite increased scrutiny. The multi-stage payload approach suggests attackers are moving beyond single-purpose malware toward reconnaissance-first tactics, likely to avoid detection while maximizing extraction of sensitive data from downstream applications. The breach exposes a core fragility in open-source security: trusted packages sit in the critical path of production systems with minimal runtime visibility, and remediation requires coordinated updates across millions of dependent projects.

Source: Socket

A malicious dependency injected into Axios—downloaded 100M times weekly—shows that even heavily-scrutinized open-source infrastructure remains vulnerable to multi-stage payload attacks, where attackers use initial compromise to deploy secondary malware rather than immediate damage. Enterprises must update their threat model: the risk isn’t just that dependencies get poisoned, but that poisoning can be weaponized in staged, evasive ways that delay detection across thousands of downstream applications. The attack surface of npm’s dependency graph now includes not just code review vulnerabilities but also timing-based exploitation tactics borrowed from advanced persistent threats.

Source: MacRumors

Apple is iterating on end-to-end encryption for RCS messaging rather than shipping it, indicating either technical hurdles in cross-platform implementation or strategic reassessment of the feature’s competitive value—particularly as RCS itself becomes standard for Android interoperability rather than a differentiation point. The repeated removal and reinsertion of E2EE in beta cycles shows Apple is optimizing for something specific (compatibility with Google’s RCS stack, key management at scale, or user experience), not simply building it. The delay matters because it leaves iPhone-Android message threads unencrypted by default while both companies claim to prioritize privacy, creating a genuine security gap that users can’t work around.

Source: SiliconANGLE

Traditional SIEM platforms are buckling under the volume and velocity of modern security data, forcing vendors like Splunk, Elastic, and emerging players to rebuild from the ground up rather than patch legacy architectures. Detection and response times have shifted from minutes to sub-seconds because dwell time in breaches costs real money—every second of delay compounds financial and reputational damage. For enterprises managing hybrid cloud and edge infrastructure, the choice between aging monoliths and purpose-built alternatives is no longer optional—it’s a competitive and compliance necessity.