Major claims management firm Sedgwick has suffered a breach by the TridentLocker group, with attackers claiming to have stolen sensitive government services data. This highlights the risk of third-party service providers being used as leverage for extortion.
Business impact
If your organization uses Sedgwick for claims processing, sensitive employee or customer data may be compromised—expect potential third-party notification requirements and legal review.
Recommended action
Ask your Vendor Risk Management team: "Do we have active data sharing with Sedgwick? If so, initiate our third-party incident response protocol."
A maximum-severity vulnerability in the n8n workflow automation tool allows attackers to execute code remotely and seize control of the system without logging in. This is particularly dangerous as n8n often has access to other internal APIs and sensitive data sources.
Business impact
If exploited, attackers gain immediate access to all connected business services (CRM, Email, Database) managed by the automation tool—expect massive data exfiltration and potential lateral movement.
Recommended action
Ask your IT team: "Do we use n8n for automation, and if so, is it exposed to the internet? Have we applied the patch for CVE-2026-21858 immediately?"
The Coolify self-hosting platform has disclosed multiple critical vulnerabilities that allow attackers to bypass authentication and execute code on the server. This affects organizations managing their own infrastructure via this popular open-source tool.
Business impact
Compromise of the hosting control plane means attackers own the infrastructure—expect service downtime, data theft from hosted applications, and potential ransomware deployment.
Recommended action
Ask your DevOps team: "Are we running self-hosted Coolify instances? Verify they are updated to the latest version to mitigate CVE-2025-66209."
The U.S. CISA has confirmed active exploitation of vulnerabilities in HPE OneView (infrastructure management) and Microsoft PowerPoint and is requiring federal agencies to patch them. This signals that attackers are using these flaws in the wild right now.
Business impact
Failure to patch these specific flaws leaves the organization open to known, active attack vectors—expect regulatory scrutiny and potential breach if these legacy issues remain unaddressed.
Recommended action
Ask your Security Operations team: "Have we scanned for and patched the specific HPE OneView and PowerPoint versions listed in the latest CISA KEV update?"
Intelligence reports indicate a tenfold increase in cyberattacks targeting Taiwan's energy and critical infrastructure sectors by China-linked groups. This escalation suggests a shift toward more aggressive pre-positioning in critical networks.
Business impact
Organizations with operations or supply chains in East Asia should anticipate potential disruptions—expect increased latency or outages in regional services.
Recommended action
Ask your CISO: "Do we have critical dependencies or infrastructure in Taiwan? Have we increased monitoring for state-sponsored TTPs in those segments?"
A security bypass vulnerability in Google Chrome 143 puts billions of users at risk. This flaw could allow attackers to circumvent browser security mechanisms.
Business impact
Widespread browser vulnerabilities increase the risk of drive-by downloads and credential theft for all employees accessing the web.
Recommended action
Ask your IT team: "Is the enforcement of Chrome updates automated, and have we verified that version 143 is being updated to a patched release?"
Cisco has patched a vulnerability in its Identity Services Engine (ISE) for which a public proof-of-concept (PoC) exploit is already available. Although CVSS rates it medium severity, the existence of a public exploit dramatically increases the likelihood of automated attacks.
Business impact
Unpatched identity systems could allow attackers to disrupt network access control—expect potential unauthorized network access or denial of service for legitimate users.
Recommended action
Ask your Network Security team: "Have we applied the patch for CVE-2026-20029 on our Cisco ISE nodes, given that exploit code is publicly available?"
Security researchers are tracking indicators that a malware campaign targeting software supply chains is being prepared. This proactive warning suggests attackers are staging assets for a broad distribution attack.
Business impact
Supply chain attacks can bypass perimeter defenses—expect potential compromise through trusted software updates if vendors are hit.
Recommended action
Ask your AppSec team: "Are we monitoring our software dependencies for unexpected changes or new vulnerabilities?"
Users are reporting active infections involving `memory-scanner.cc` and abuse of the Windows `MSHTA.exe` process to hijack browser tokens and bypass 2FA. This appears to be a targeted campaign stealing Discord and Reddit credentials.
Business impact
Token hijacking bypasses MFA—expect account takeovers even on secured accounts if endpoints are infected.
Recommended action
Ask your SOC: "Do we have detection rules for `MSHTA.exe` making external network connections to unknown domains?"
CVE: n/a | Compliance: General Enterprise | Source: Reddit
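A SIEM query answering the MSHTA question above, added here as an example (it is not from the original newsletter or the Reddit report). It assumes Sysmon network-connection events (Event ID 3) are indexed in Splunk under the field names used by the Splunk Add-on for Sysmon, and that a lookup named `approved_egress_domains` (hypothetical) holds the organization's allow-listed destinations. Private, loopback and allow-listed destinations are dropped, and the rest is grouped per host, user and process so each row is one mshta.exe process talking to an unknown external destination.

```splunk
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    Image="*\\mshta.exe" Initiated=true DestinationIp!="::1"
| eval dest_private=if(cidrmatch("10.0.0.0/8", DestinationIp)
    OR cidrmatch("172.16.0.0/12", DestinationIp)
    OR cidrmatch("192.168.0.0/16", DestinationIp)
    OR cidrmatch("127.0.0.0/8", DestinationIp), 1, 0)
| where dest_private=0
| eval dest_name=coalesce(DestinationHostname, DestinationIp)
| lookup approved_egress_domains domain AS dest_name OUTPUT domain AS allowlisted
| where isnull(allowlisted)
| stats count min(_time) AS first_seen max(_time) AS last_seen
    values(dest_name) AS destinations values(DestinationPort) AS ports
    BY Computer User Image ProcessId
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
    last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -count
```

mshta.exe has little legitimate reason to reach the internet, so any row is worth a ticket; tuning is mostly a matter of keeping the allow-list lookup current.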
A leaked handbook reveals romance scammers are using sophisticated scripts and astrology-based targeting to defraud victims, highlighting the psychological engineering aspect of modern fraud.
New research presented at NDSS 2025 highlights weaknesses in how email systems auto-detect security settings, potentially allowing downgrade attacks on encrypted communications.
A strategic framework for integrating Site Reliability Engineering (SRE) with security teams to enhance organizational resilience, emphasizing shared goals and automation.
Orca Security's research team identified the maximum-severity RCE in n8n, demonstrating the power of their SideScanning technology. Unlike agent-based tools, Orca connects to the cloud control plane to detect vulnerabilities in shadow IT, self-hosted tools (like Coolify), and automation platforms (like n8n) without requiring installation on the workload itself. This is crucial for identifying unmanaged assets that are often the entry point for attacks.
Actionable Platform Guidance: Use Orca's asset inventory query to immediately locate all instances of n8n or Coolify running in your cloud environment to verify patch status, even if they are not managed by central IT.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Orca Security
# Orca Security CLI / API Query to detect vulnerable n8n instances
# This query lists inventoried n8n assets that Orca has flagged for the n8n RCE (CVE-2026-21858)
# and narrows them to instances reachable from the internet.
query_assets \
--filter "software.name = 'n8n'" \
--filter "vulnerability.id = 'CVE-2026-21858'" \
--filter "network.publicly_exposed = true" \
--output table
# Verification Step:
# 1. Run query against all connected cloud accounts.
# 2. For any results, immediately isolate the instance via security group restrictions.
3. SIEM Query — Suspicious Process Execution (CISA KEV/Malware)
index=security sourcetype="WinEventLog:Security"
(NewProcessName="*\\staxs.exe" OR NewProcessName="*\\MSBuild.exe" OR NewProcessName="*\\aspnet_compiler.exe")
| eval risk_score=case(
NewProcessName LIKE "%\\staxs.exe", 100,
NewProcessName LIKE "%\\MSBuild.exe" AND NOT (ParentProcessName LIKE "%\\Visual Studio%"), 80,
1==1, 50)
| where risk_score >= 50
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine, risk_score
| sort -_time
4. PowerShell Script — Check for Coolify/n8n Ports
$computers = "localhost", "SERVER01", "WKSTN01"
$targetPorts = 5678, 8000  # Default listening ports for n8n (5678) and Coolify (8000)
foreach ($computer in $computers) {
    # Skip hosts that do not answer a single ping
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        foreach ($port in $targetPorts) {
            $tcp = New-Object Net.Sockets.TcpClient
            try {
                $tcp.Connect($computer, $port)
                if ($tcp.Connected) {
                    Write-Host "ALERT: Port $port is OPEN on $computer (Possible n8n/Coolify instance)" -ForegroundColor Red
                }
            } catch {
                # Port closed or filtered; nothing to report
            } finally {
                # Always release the socket, whether or not the connect succeeded
                $tcp.Dispose()
            }
        }
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!