I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱
My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.
If you enjoy these, come back next Monday, or scroll to the bottom to subscribe to the e-mail newsletter.
Microsoft Defender for Endpoint previews automatic device isolation to contain in-progress attacks
Microsoft Defender for Endpoint has added a preview capability that automatically isolates a suspected-compromised workstation from the network as part of Automatic Attack Disruption, aiming to contain ransomware and other intrusions without waiting for analyst action. Isolated devices keep a management/telemetry connection to the Defender for Endpoint service, preserving visibility while cutting off attacker lateral movement paths.
Key Details
- Scope is limited to onboarded end-user workstations managed by Defender for Endpoint (not servers, per the current feature scope described).
- CSO Online notes a SANS research warning that attackers may be able to abuse automated response features if they’re not carefully tuned and tested, potentially disrupting administrative response (article cites a scenario involving disabling user accounts).
Next Steps
- If you use Defender for Endpoint, pilot automatic device isolation in preview with explicit scoping/exclusions for critical endpoints and validate that containment triggers and release workflows behave as expected before wider rollout.
- Update incident runbooks so responders know where to audit and reverse automatic isolation actions.
Read more at CSO Online, Cybersecurity News, BleepingComputer
OWASP launches “Agentic Skills Top 10” as real-world attacks poison AI agent skill registries and turn skill configs into an execution layer
OWASP published the Agentic Skills Top 10 (AST10) to identify and address a largely overlooked security gap: the “skills” layer that controls how AI agents autonomously use tools and execute workflows. The project establishes the first formal security framework for this attack surface, including a proposed Universal Skill Format to standardize how skills declare permissions, signing, and risk across platforms, giving developers, security teams, and platform vendors a shared vocabulary and baseline to work from.
Key Details
- Snyk’s Feb 2026 “ToxicSkills” scan found 1,467/3,984 skills (36.82%) with security flaws, including 534 (13.4%) with critical issues and 76+ confirmed malicious payloads.
- OWASP highlights the “Lethal Trifecta” for skill risk: access to private data + exposure to untrusted content + ability to communicate externally—conditions the page states are common in production agent deployments.
Next Steps
- Pin skill versions and restrict installs to verified/code-signed publishers.
- Run agent/skill execution in isolated environments (containers/sandbox) with network restrictions to limit the blast radius of skills that can read local secrets and exfiltrate data.
- Review the AST10 risk taxonomy against your current AI agent deployments to identify governance gaps — particularly around skill inventories, approval workflows, and audit logging (AST09), which OWASP flags as the most common missing control in enterprise environments today.
Read more at OWASP
Anthropic ships a real-time security-guidance plugin for Claude Code and a self-hosted sandbox option for managed agents
Anthropic added a security-guidance plugin to Claude Code that flags and helps fix insecure code patterns during edits, after AI-generated changes, and at commit time. It also introduced a public-beta sandbox where tool execution can run inside customer-controlled infrastructure while orchestration remains on Anthropic, aiming to keep repositories and files within an organization’s perimeter.
Key Details
- The plugin is free and available on all Claude Code plans, installable from the in-product plugin marketplace via the /plugins command.
- Detection combines deterministic pattern matching (about 25 vulnerability classes) with model-based review of session diffs, plus a broader-context review at commit time that is intended to reduce false positives.
- Examples of covered issues include SQL injection, command injection, XSS, hardcoded secrets, insecure deserialization, SSRF, IDOR, auth bypass, and weak crypto (coverage varies by the plugin’s review stage).
- Anthropic says internal testing showed a 30–40% reduction in security-related pull-request comments after introducing the capability.
Next Steps
- If you use Claude Code, deploy the security-guidance plugin org-wide via managed settings / .claude/settings.json and standardize a repo threat-model file (.claude/claude-security-guidance.md) for consistent guidance.
Read more at Anthropic, Cybersecurity News, Cybersecurity News, SecurityWeek
Chrome Enterprise adds open-source agent tooling so AI assistants can automate browser security and policy management
Google added agentic automation to Chrome Enterprise, including an open-source Model Context Protocol (MCP) server that lets AI agents call Chrome Enterprise APIs to carry out IT and security tasks. Using Gemini CLI or other chat interfaces, teams can describe tasks in plain language and have agents deploy policies, review data loss events, and run posture checks across managed and unmanaged devices.
Key Details
- Google described built-in shortcuts for organization-wide security posture workflows, including “/cep:health” (configuration review), “/cep:optimize” (audit/improve rules), and “/cep:expert” (guided Q&A).
- In a data loss prevention example, an agent can create and configure a credit-card-number content detector and attach it to triggers such as file uploads, document commits, external transfers, and admin warnings.
- Google said policies generated by agents are automatically annotated with a robot emoji prefix so they can be distinguished from human-created rules.
Next Steps
- If you’re not yet using Chrome Enterprise, consider adopting it for more control over employees’ Chrome usage: installed extensions, policy management and security posture visibility. There’s a free version.
- If you use Chrome Enterprise, evaluate the MCP server + Gemini CLI workflow in a test tenant for high-volume tasks like DLP rule creation and policy rollout before enabling it broadly.
- Decide how you will control and audit agent-created changes—e.g., require review of robot-annotated rules before they’re promoted to production policy sets.
Read more at SiliconANGLE
Researchers say WhatsApp stores decrypted chat history in plaintext on iOS and macOS via a shared app container
Researchers from Mysk report that WhatsApp chat history is stored locally in an unencrypted SQLite database on iOS and macOS after messages are decrypted, despite end-to-end encryption protecting messages in transit. They say the database resides in an Apple “app group” shared container, meaning other apps in the same developer group could access the plaintext chat store without additional user prompts.
Key Details
- Mysk says WhatsApp stores chats in a local SQLite file commonly named “Axolotl.sqlite”.
- Because Apple app groups allow intentional data sharing between apps from the same developer, the researchers claim other Meta apps on the device (e.g., Facebook/Instagram) could read WhatsApp chats in plaintext within that container.
- The described exposure includes scenarios like forensic extraction from compromised/jailbroken devices and cross-app access risks tied to shared container permissions.
Next Steps
- Treat this database location as a possible source of evidence in digital forensic investigations of iOS and macOS devices.
Read more at Cyber Security News
Survey: 58% of CISOs say their organizations would pay a ransomware demand despite government guidance
In a survey of 750 CISOs in the US and UK, 58% said their organization would be willing to pay to end a ransomware incident. This runs counter to guidance from the UK NCSC and the FBI, and the article notes that even when victims pay, recovery is not assured and stolen access can still be reused or shared.
Key Details
- Absolute Software (which commissioned the survey) polled 750 CISOs across the US and UK.
- An IDC survey (referenced in the article) reported 37% of ransomware-hit companies paid, with IDC’s David Clemente suggesting the real number may be higher due to underreporting.
- IDC also found that among payers, about 5% reported decryption was incomplete.
- The article cites a Hiscox survey indicating only 60% of SMEs that paid recovered all or part of their data.
Next Steps
- Run a tabletop and update your incident decision framework so ransom payment authority, legal/insurance steps, and evidence preservation are clear before a crisis.
- Validate restore readiness by performing regular full restore tests of critical systems from backups (not just backup success reports), and document realistic RTO/RPO for leadership.
Read more at CSO Online
Chrome now binds session cookies to users’ devices, making stolen cookies harder to reuse
Google has made Chrome’s Device Bound Session Credentials (DBSC) generally available on Windows, with rollout to Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts. DBSC cryptographically binds session cookies to the device (via hardware-backed keys) so stolen cookies can’t be reused on another machine, disrupting “pass-the-cookie” account hijacking that can bypass MFA.
Key Details
- DBSC ties sessions to hardware-backed key material (the TPM on Windows; Google has pointed to the Secure Enclave for macOS), so an attacker who steals the cookie data still lacks the private key needed to use it elsewhere.
- Google says DBSC is enabled by default for Google Workspace customers and cannot be disabled via the Admin console once rolled out.
- Organizations can monitor DBSC “binding events” in the Security Investigation Tool audit logs to track session integrity and spot anomalies.
- When first announced in April, macOS support was promised for a later date. No commitment has been made about Linux, likely because Linux lacks a standardized secure hardware interface equivalent to the TPM on Windows or the Secure Enclave on macOS.
Next Steps
- In the Google Admin console, review and baseline DBSC binding events in Security Investigation Tool audit logs so unusual binding patterns stand out during investigations.
- If you use Google Workspace Context-Aware Access, validate and tune CAA policies to take advantage of the added device/session signals alongside DBSC.
Read more at BleepingComputer, Cyber Security News
India’s CERT-In sets 12-hour remediation target for exploited internet-facing flaws, citing AI-driven faster exploitation
India’s CERT-In published a new cybersecurity blueprint urging organizations to remediate known exploited vulnerabilities on internet-facing and critical systems within 12 hours (where feasible). The guidance argues that AI tools and LLMs are compressing the time from vulnerability discovery to weaponization, and also increasing attacks against AI systems themselves via techniques like prompt injection and model manipulation.
Key Details
- India’s 12-hour target is the most aggressive national-level vulnerability remediation standard in the world right now — the US is still debating whether to cut from 14 days to 3, the UK mandates 30 days, and the EU hasn’t even set a hard remediation deadline yet.
- CERT-In sets additional timelines: critical externally exposed vulnerabilities within 1 day, and known exploited internal vulnerabilities within 1 day unless compensating mitigations are implemented and documented.
- For internal remediation, the blueprint recommends 3 days for critical vulnerabilities on high-value systems and 5 days for high-severity vulnerabilities based on risk prioritization.
- When immediate patching isn’t possible, CERT-In suggests temporary mitigations such as system isolation, restricted access controls, WAF/API protections, enhanced monitoring, or disabling affected features until an official fix is available.
Next Steps
- Update vulnerability SLAs and on-call workflows so known exploited vulnerabilities (KEV) on internet-facing systems can be remediated within 12 hours (patch, or documented compensating controls).
- Where same-day patching is not feasible, pre-approve a playbook for temporary mitigations (isolation, access restriction, WAF/API rules, feature disablement) to reduce exposure until vendor fixes land.
Read more at CSO Online, The Hacker News, The Cyber Express
Malicious npm packages use dependency confusion (99.99.99/100.100.100) and postinstall hooks to profile dev and CI environments
Microsoft and Sonatype reported coordinated campaigns where attackers published malicious npm packages with internal-looking names and inflated versions so that misconfigured builds pull the public package instead of the intended private dependency. Once installed, the packages auto-run via npm lifecycle hooks to fingerprint the host and exfiltrate developer/CI context, with some variants staging additional platform-specific payloads.
Key Details
- Sonatype identified 176 malicious npm packages, many using the same high version (notably 99.99.99) to win semantic-version resolution against internal packages.
- The packages abused embedded postinstall scripts that execute automatically during npm install, then downloaded platform-specific JavaScript payloads and, in Sonatype’s analysis, followed with a second-stage binary for Windows/macOS/Linux.
- Data targeted for collection/exfiltration included environment variables, CI/CD secrets, authentication tokens/credentials, plus system and developer-context information (user/host details, OS/arch, working directories, Node runtime info).
- Microsoft observed packages published in bursts (May 28–29, 2026) under three maintainer aliases using yandex[.]ru emails, impersonating internal corporate namespaces across nine scoped orgs and spoofing enterprise metadata (e.g., fake GitHub Enterprise/Jira/docs URLs) in package.json.
Next Steps
- Verify your npm configuration so private scopes always resolve only to your internal registry (and don’t fall back to the public registry) for any internal package namespaces.
- Disable lifecycle scripts during installs in CI and on developer machines (`ignore-scripts=true` in .npmrc), re-enabling them only for the specific packages that need a build step, so a confused or typosquatted package cannot execute on install.
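As an added example (not code from Microsoft's or Sonatype's reports), the following Node script audits a package-lock.json for the three signals described above: an internal scope resolved from anywhere other than the private registry, an inflated version, and a lifecycle install script. It then renders the .npmrc that pins each internal scope to the private registry and disables lifecycle scripts. The scope `@acme`, the registry `npm.acme.internal` and the lockfile fragment are constructed for the example; the lockfile layout assumed is npm 7+ (lockfileVersion 2/3 `packages` map with its `hasInstallScript` flag).

```javascript
// Added example (not Microsoft's or Sonatype's code). Scope, registry and lockfile are constructed.
const INTERNAL_SCOPES = ['@acme'];                       // hypothetical internal scope
const INTERNAL_REGISTRY = 'https://npm.acme.internal/';  // hypothetical private registry

// Constructed package-lock.json fragment (lockfileVersion 3 layout): one clean internal
// package, one confused internal-scope package served from the public registry with an
// inflated version and an install script, and one ordinary public package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'acme-app', version: '1.0.0' },
    'node_modules/@acme/logger': {
      version: '2.3.1',
      resolved: 'https://npm.acme.internal/@acme/logger/-/logger-2.3.1.tgz',
    },
    'node_modules/@acme/config-loader': {
      version: '99.99.99',
      resolved: 'https://registry.npmjs.org/@acme/config-loader/-/config-loader-99.99.99.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

// Last package segment of an install path: "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(installPath) {
  const parts = installPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Host of a resolved URL, or null when the field is absent or not a URL (git, file:, etc.).
function hostOf(url) {
  try { return url ? new URL(url).host : null; } catch { return null; }
}

// 99.99.99 / 100.100.100-style versions exist only to outrank any real release.
function isInflatedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  return m !== null && Number(m[1]) >= 99;
}

function auditLockfile(lock, scopes = INTERNAL_SCOPES, registry = INTERNAL_REGISTRY) {
  const findings = [];
  const internalHost = new URL(registry).host;
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue; // the root project itself
    const name = packageName(installPath);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    const resolvedHost = hostOf(entry.resolved);

    // Dependency confusion: an internal scope served by anything but the private registry.
    if (scope && scopes.includes(scope) && resolvedHost && resolvedHost !== internalHost) {
      findings.push({ name, severity: 'critical', reason: `internal scope resolved from ${resolvedHost}` });
    }
    if (isInflatedVersion(entry.version)) {
      findings.push({ name, severity: 'high', reason: `inflated version ${entry.version}` });
    }
    // npm 7+ lockfiles mark packages that run (pre/post)install hooks.
    if (entry.hasInstallScript) {
      findings.push({ name, severity: 'medium', reason: 'runs a lifecycle install script' });
    }
  }
  return findings;
}

// The fix: pin every internal scope to the private registry and stop lifecycle scripts
// from running on install (re-enable per package where a build step is really needed).
function renderNpmrc(scopes = INTERNAL_SCOPES, registry = INTERNAL_REGISTRY) {
  return [...scopes.map((s) => `${s}:registry=${registry}`), 'ignore-scripts=true'].join('\n');
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.name}: ${f.reason}`);
}
console.log('\nSuggested .npmrc:\n' + renderNpmrc());
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`. A lockfile that was generated while the scope mapping was missing will still record the public `resolved` URL after the .npmrc is fixed, so regenerate the lockfile and re-run the audit; a remaining critical finding means the confused package is what CI has been installing.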
Read more at Microsoft Security Blog, Sonatype
Subscribe
Subscribe to receive this weekly cybersecurity news summary in your inbox every Monday.