mstdn.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A general-purpose Mastodon server with a 500 character limit. All languages are welcome.


#IncidentResponse

6 posts · 6 participants · 0 posts today

My wish for 2026 is that web developers move back to server side input validation, away from client side input validation.

As a subset, let's move away from client JavaScript in general.

1. There is no practical reason to load 100MB of JavaScript libraries every time I visit a webpage. 99% of them are not used and wasting resources and my time.

2. Client side input validation is one of the OG exploitable vulnerabilities and I don't care how large or complex your UI framework is, if the attacker can bypass the UI all bets are off.

Is server side validation perfect? No. But it will protect systems when attackers go after the underlying API functionality or try to compromise the frontend stack, as is often their wont.

(I'll stop yelling at clouds now)
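As an added illustration of the point made in the post above (this is example code, not the author's), here is a Node.js signup handler that validates the body on the server no matter what the browser-side form did. The field names, limits and the JSON body shape are assumptions; the two sample requests are constructed, one as the real form would send it and one crafted to bypass the UI.

```javascript
// Added example: server-side validation that does not trust the client.
// Assumed payload shape: { username, email, age }; limits are illustrative.
const MAX_BODY_BYTES = 4096;
const ALLOWED_FIELDS = ['username', 'email', 'age'];

function validateSignup(payload) {
  const errors = [];
  if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const { username, email, age } = payload;
  // Allow-list the characters the application actually needs, nothing more.
  if (typeof username !== 'string' || !/^[a-z0-9_]{3,20}$/.test(username)) {
    errors.push('username must be 3-20 chars of [a-z0-9_]');
  }
  if (typeof email !== 'string' || email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push('email is not well-formed');
  }
  if (!Number.isInteger(age) || age < 13 || age > 120) {
    errors.push('age must be an integer between 13 and 120');
  }
  // Unexpected fields (e.g. a smuggled privilege flag) are rejected, not ignored.
  const extra = Object.keys(payload).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (extra.length > 0) errors.push(`unexpected fields: ${extra.join(', ')}`);
  return { ok: errors.length === 0, errors };
}

// Takes the raw request body; a crafted request and a form submission look
// identical here, so the same checks run for both.
function handleSignupBody(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, body: { errors: ['body too large'] } };
  }
  let payload;
  try {
    payload = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: { errors: ['invalid JSON'] } };
  }
  const result = validateSignup(payload);
  if (!result.ok) return { status: 422, body: { errors: result.errors } };
  return { status: 201, body: { created: { username: payload.username } } };
}

// Constructed sample requests (not real traffic).
const fromForm = JSON.stringify({ username: 'alice_01', email: 'alice@example.com', age: 30 });
const bypassingUi = JSON.stringify({ username: 'x', email: 'not-an-email', age: -1, isAdmin: true });

console.log('form submission:', handleSignupBody(fromForm));
console.log('UI bypassed:    ', handleSignupBody(bypassingUi));
```

The client-side form can still run the same regex checks for a friendlier user experience, but nothing in the handler depends on it having done so; the size limit, the JSON parse, the allow-list pattern and the rejection of unknown fields all happen before any business logic sees the data.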

Hello cyber practitioners! It's been a pretty active 24 hours with a significant legal development in ransomware, a nasty zero-day spyware campaign, and some cutting-edge research into AI privacy. Let's dive in:

Yanluowang Ransomware IAB Pleads Guilty ⚖️

- A Russian national, Aleksei Volkov ("chubaka.kor"), has pleaded guilty to multiple charges related to acting as an initial access broker for the Yanluowang ransomware group.
- Volkov facilitated attacks on seven US businesses between July 2021 and November 2022, with two victims paying a combined $1.5 million in ransoms. Victims faced data theft, encryption, DDoS attacks, and harassing phone calls.
- He exploited vulnerabilities to gain network access, selling this access for a flat fee or a percentage of the ransom. Volkov faces up to 53 years in prison and has been ordered to pay nearly $9.2 million in restitution.

🤫 CyberScoop | cyberscoop.com/russian-aleksei

Landfall Spyware Exploits Samsung Zero-Day 📱

- A previously unknown Android spyware, "Landfall," actively exploited CVE-2025-21042, a critical zero-day in Samsung Galaxy devices (Android 13, 14, 15, and 16) for almost a year.
- The "zero-click" attacks involved sending maliciously crafted images via messaging applications, primarily targeting specific devices in the Middle East (Iraq, Iran, Turkey, Morocco).
- Landfall provides extensive surveillance capabilities, including call recording, contact and message collection, and access to photos and other files. Samsung patched the flaw in April, and while direct attribution is difficult, C2 infrastructure shows similarities to Stealth Falcon.

🕵🏼 The Register | go.theregister.com/feed/www.th

Microsoft Uncovers 'Whisper Leak' in LLMs 💬

- Microsoft researchers have detailed "Whisper Leak," a novel side-channel attack capable of inferring sensitive conversation topics from encrypted Large Language Model (LLM) traffic.
- The attack analyses packet size and timing sequences in streaming LLM responses, even over HTTPS, allowing an adversary to classify the topic of a user's prompt with over 98% accuracy on several models (Mistral, xAI, DeepSeek, OpenAI).
- Mitigations include adding a random sequence of text of variable length to each response to mask token lengths, and users are advised to avoid sensitive topics on untrusted networks, use VPNs, or opt for non-streaming LLM models.

📰 The Hacker News | thehackernews.com/2025/11/micr

Surveillance Watch Maps Global Spyware Trade 🌍

- Mozilla fellow Esra'a Al Shafei launched "Surveillance Watch," an interactive map documenting over 695 surveillanceware providers, their government customers, and financial backers globally.
- The project highlights the widespread use of commercial spyware like Pegasus, Predator, Graphite (Paragon), and Accurint (LexisNexis) by both authoritarian and democratic states, with the US reportedly leading in surveillance investment.
- Al Shafei's personal experience with FinFisher spyware underscores the normalisation of mass surveillance, its profound impact on individual privacy and digital behaviour, and the critical need for greater transparency.

🕵🏼 The Register | go.theregister.com/feed/www.th

CyberScoop · Russian national pleads guilty to breaking into networks for Yanluowang ransomware attacks · By Matt Kapko
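To make the Whisper Leak item above concrete, here is an added example (not code from the post, from Microsoft, or from any LLM vendor) of how per-token frame sizes in a streamed response track token length, and how padding each frame to a fixed bucket hides that. The server-sent-event frame layout, the `pad` field name and the 128-byte bucket are assumptions; the token stream is constructed.

```javascript
// Added example: size-masking for a streamed LLM response.
// Frame format, the "pad" field and BUCKET are assumptions for illustration.
const BUCKET = 128; // every frame is padded up to a multiple of this many bytes

function fillerOfLength(n) {
  // Only the filler's length matters for the defence; its content is irrelevant.
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  let s = '';
  for (let i = 0; i < n; i++) s += alphabet[Math.floor(Math.random() * alphabet.length)];
  return s;
}

// Unpadded frame: on-wire size follows the token length almost byte for byte,
// which is the signal a passive observer of the encrypted stream can read.
function frameUnpadded(token) {
  return `data: ${JSON.stringify({ token })}\n\n`;
}

// Padded frame: a dummy field is filled so the frame lands on a bucket boundary.
// Short tokens all become BUCKET bytes; a token longer than the bucket rounds
// up to the next multiple, so the leak is coarsened rather than removed for those.
function framePadded(token) {
  const base = `data: ${JSON.stringify({ token, pad: '' })}\n\n`;
  const baseLen = Buffer.byteLength(base, 'utf8');
  const padLen = (BUCKET - (baseLen % BUCKET)) % BUCKET;
  return `data: ${JSON.stringify({ token, pad: fillerOfLength(padLen) })}\n\n`;
}

// Client side: strip the SSE prefix, parse the JSON, and discard the pad field.
function parseFrame(frame) {
  const { token } = JSON.parse(frame.slice('data: '.length).trimEnd());
  return token;
}

function wireSizes(tokens, framer) {
  return tokens.map((t) => Buffer.byteLength(framer(t), 'utf8'));
}

// Constructed token stream, the kind of variable-length pieces a streaming API emits.
const sampleTokens = ['The', ' quick', ' brown', ' fox', ' jumps', ' over', ' the', ' lazy', ' dog', '.'];

console.log('unpadded sizes:', wireSizes(sampleTokens, frameUnpadded));
console.log('padded sizes:  ', wireSizes(sampleTokens, framePadded));
```

Padding addresses only the size half of the side channel the post describes; the inter-frame timing is a separate signal, which is why the mitigations listed also include avoiding streaming altogether on untrusted networks.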

CISA’s Automated Indicator Sharing (AIS) program once delivered real-time, machine-readable threat intelligence across sectors to help organizations detect and respond faster.

But with participation disrupted, collective defense is at risk. In this video, we explain how AIS worked, why it mattered, and what your organization can do to stay protected in a post-AIS environment.

Watch now to learn how to adapt your threat intelligence strategy: youtube.com/watch?v=qFPCLWb9ezs

Google researchers observed experimental malware families that call out to LLMs during execution to generate or alter commands - a notable step toward adaptive malware.

Defensive priorities: expand telemetry for outbound API use, enforce least privilege and MFA, add detection for anomalous runtime script generation, and update IR playbooks for dynamic-behavior incidents.

Comment your hardening tips & follow @technadu for deeper analysis.

NEW by me: Veradigm’s Breach Claims Under Scrutiny After Dark Web Leak

databreaches.net/2025/11/01/ve

This breach may have affected 2M of Veradigm's clients' patients, but it's pretty much flown under the media radar, and its explanation of how the breach occurred didn't make sense to me after I took a look at a data tranche.

Sunflower listing
DataBreaches.Net · Veradigm's Breach Claims Under Scrutiny After Dark Web Leak – DataBreaches.Net
Veradigm LLC is a health information technology company that provides software solutions to healthcare providers. On September 22, 2025, Veradigm filed breach n

Remember that frustrating situation where some of us couldn't get a vendor to respond to notifications that court-sealed records and sensitive files were exposed? One entity eventually reached the vendor by phone and was so angry at their response that they wound up canceling their account with them.

Yesterday, I finally reached the second court entity. They, too, wound up telling the vendor to take the share down.

How many other clients may still have exposed data because the vendor tells clients that everything's fine when it isn't? I don't know. If you know any entity using Software Unlimited Corp software (not Software Unlimited Inc, but Software Unlimited CORP), you may want to point them to my coverage:

Original Report:
databreaches.net/2025/10/13/mo

Today's Update:
databreaches.net/2025/10/31/ho

#dataleak #vendor #incidentresponse #cybersecurity #SoftwareUnlimitedCorp #FTC #govsec

@zackwhittaker @euroinfosec @campuscodi @JayeLTee

👀 ICYMI: FIRST Q3 2025 Highlights

The past few months have been incredibly productive for the FIRST community!

✅ #FIRSTCON25 Copenhagen Success - Over 40 TLP-CLEAR presentations now available on YouTube

✅ New FIRST CORE Initiative - Expanding our Community and Capacity Building Program globally

✅ Completed Season 1 of "Improving Security Across Nations with FIRST," featuring spotlight segments with global representation, designed to showcase member expertise and impact

✅ Digital Sovereignty Insights - Exploring community-driven approaches to tech independence

✅ SIG Innovations - Launched weekly malware analysis challenges for community education and welcomed the new Detection Engineering & Threat Hunting SIG

✅ Global Training Expansion - Continued capacity building in underserved regions

📖 Read our complete Q3 newsletter for more updates, details on upcoming events, and how you can get involved: go.first.org/SffSq

#CyberDefense #CyberSecurity
#InfoSec #IncidentResponse

go.first.org · FIRST POST: Jul-Sep 2025

We have a brand new drill this week that puts you in the aftermath of an npm supply chain attack -- and as always, inspired by recent real-world incidents.

Here's the twist: Instead of practicing live incident response, you're in the post-mortem, analyzing what went wrong with communication and building the infrastructure you needed BEFORE the incident.

This week we'll coach you through:

→ How disclosure delays destroy community trust
→ Elevating disclosures from legal confessions to helpful leadership
→ Building rapid decision frameworks so everyone can move faster
→ Coordinating between security teams, volunteer maintainers, and the developer community

Perfect for anyone responsible for coordinating incident response in organizations with public open source projects.

Subscribe to join at DiscernibleInc.com/drills