Tens of millions of downloads of the popular Java logging library Log4j this year were vulnerable to a CVSS 10.0-rated vulnerability that first surfaced four years ago, according to Sonatype. The security vendor claimed 13% of Log4j downloads in 2025… Read More "Log4Shell Downloaded 40 Million Times in 2025"
“If someone is not asking you right now to consult for them, it can take 12-18 months before you land your first client,” says Carlota Sage. She held a part-time CISO role at a nonprofit before transitioning into vCISO work.… Read More "From in-house CISO to consultant. What you need to know before making the leap"
Google has patched a zero-click vulnerability in Gemini Enterprise that could lead to corporate data leaks. The flaw was discovered in June 2025 by security researchers at Noma Security and reported to Google the same day. Dubbed ‘GeminiJack’ by the… Read More "Google Fixes Gemini Enterprise Flaw That Exposed Corporate Data"
Loosely organized pro-Russia hacktivist groups have been observed exploiting exposed virtual network computing connections to breach operational technology systems across multiple sectors. According to a new report by CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA),… Read More "Pro-Russia Hackers Target US Critical Infrastructure in New Wave"
A new malware campaign using a Python-based delivery chain to deploy the emerging CastleLoader family has been discovered by cybersecurity researchers. According to Blackpoint, the activity revolves around the use of ClickFix social engineering prompts that convince users to open… Read More "ClickFix Social Engineering Sparks Rise of CastleLoader Attacks"
The vast majority of US small businesses suffered a data or security breach over the past year, with many (38%) putting up their prices as a result, according to a new study from the Identity Theft Resource Center (ITRC). The… Read More "“Cyber Tax” Warning as Two-Fifths of SMBs Raise Prices After Breach"
Google has released patches for three new Chrome zero-day vulnerabilities, including a high-severity one for which an exploit is accessible in the wild. The patches come in a Chrome security update issued on December 10. In this advisory, the high-severity… Read More "Google Releases Critical Chrome Security Update to Address Zero-Days"
The UK’s financial regulator has launched a new tool designed to help consumers avoid online investment fraud and other scams. The Financial Conduct Authority (FCA) explained that “Firm Checker” will enable consumers to see if a financial firm they’ve been… Read More "Scam-Busting FCA Firm Checker Tool Given Cautious Welcome"
The Notepad++ problem began with the discovery that the IT infrastructure hosting Notepad++ had been compromised in June 2025, and a custom backdoor had been installed in the application. In the highly-targeted attack, traffic from certain users was selectively redirected… Read More "Notepad++ author says fixes make update mechanism ‘effectively unexploitable’"
A campaign involving 19 Visual Studio (VS) Code extensions that embed malware inside their dependency folders has been uncovered by cybersecurity researchers. Active since February 2025 but identified on December 2, the operation used a legitimate npm package to disguise… Read More "Malware Discovered in 19 Visual Studio Code Extensions"
