DataBreachToday.com

Continuous Integration Has Its Downsides
As supply-chain attacks against widely-used, open-source software repositories continue, experts are urging developers to not only rely on code integrity tools, but also to introduce a delay before merging new repos, since unfolding attacks tend to get spotted in days, if not hours or minutes.

'Firestarter' Backdoor Can Survive Reboots, Upgrades and Standard Fixes
The Cybersecurity and Infrastructure Security Agency issued an emergency directive warning a newly-discovered Cisco backdoor can survive routine remediation processes, forcing agencies to investigate edge devices that anchor federal firewall and VPN security.

HHS OCR Breach Investigators Again Find All-Too-Common Risk Analysis Failures
Faulty or non-existent security risk analyses cost a medical imaging provider, a women's healthcare group, a health plan and a third-party insurance administrator a collective $1.7 million in fines after federal regulators concluded they didn't do enough to prevent ransomware attacks.

Acquisition Adds Advisory, GRC and Vulnerability Services to ImagineX's MDR Core
TekStream acquired ImagineX’s cyber division to integrate advisory, vulnerability management and GRC with its MDR services, aiming to help CISOs defend against faster, AI-driven attacks by unifying proactive and reactive security into a single operational model.

AMA Wants Privacy, Security AI Tool Protections, Especially in Mental Health
The American Medical Association says using artificial intelligence chatbots carries risks - including data privacy and security breaches - and the largest U.S. professional association for physicians and medical students is urging Congress to take action to protect patients from potential harm.

Berlin Proposes 3 Month Requirement to Store IP Addresses
The German government says it's unlocked the secret to passing a law that would require internet service providers to keep customer data without running afoul of privacy and security concerns that sunk earlier attempts. Critics say that's impossible

Recent Package Compromises Pushed Software Component Trust to the Security Agenda
Cloudsmith raised a $72 million Series C led by TCV to expand policy enforcement, auditability and real-time package risk analysis as CISOs focus more closely on software supply-chain threats tied to open-source dependencies, AI-assisted development and compromised artifacts.

Also, Europol Cracks DDoS Networks, Mythos Finds Bugs, France Portal Hit
This week, scam compounds. Attackers exploit flaws pre-disclosure. A crackdown on DDoS-for-hire. No Mythos for CISA, yes for Mozilla. France ID portal breach. Israeli and Venezuelan critical infrastructure targeted. Russian hacking in Ukraine. An Apache flaw. A ransomware negotiator aided BlackCat.

Deal Would Help Cisco Expand Footprint Beyond Authentication, ITDR and ISPM
Cisco's cyber M&A dry spell could soon come to an end, with the company reportedly in talks to acquire New York-based non-human identity startup Astrix Security for between $250 million and $350 million. That would represent at least a 25% premium to the startup’s last valuation of around $200 million.

Nation-State Hits Now Comprise Majority of Serious Incidents Probed by Government
British intelligence officials said they investigate about four major incidents per week, with the majority involving nation-state actors. Officials said the shape and scope of how cyberattacks are being wielded by the nation's adversaries continues to change as fast as the technology evolves.

AI Enthusiasts Haven't Used Model to Probe for Vulns, Source Tells Bloomberg
An unauthorized group of users gained access to Claude Mythos Preview artificial intelligence model and have regularly used it since the day that AI firm Anthropic revealed the model's existence while pronouncing it too dangerous to release to the public, reports Bloomberg.

Pact Is Among Other Similar Biotech, AI Firm Collaborations to Speed Up Drug R&D
Merck has struck a multi-year deal with Google Cloud worth up to $1 billion to enhance the pharmaceutical and life sciences giant's digital backbone "as an AI-enabled enterprise." The initiative includes deploying an agentic AI platform across R&D, manufacturing, commercial and corporate functions.

TrendAI's Tom Kellermann on Defending Against Agentic Attacks, APT Collaboration
AI-driven threats now operate with speed, scale and persistence. Defenders need expanded telemetry, a global research team and an advanced XDR platform to predict and suppress adversaries defenders, said Tom Kellermann, vice president of AI security and threat intelligence at TrendAI.

How We Talk About AI Says as Much About Human Cognition as It Does About Them
The debate about AI consciousness misses the point. Asking better questions about what these systems are reveals as much about human thinking as about the technology itself.

House Democrats Are the Latest to Raise Data Collection Privacy, Security Alarms
A plan by the U.S. federal agency that oversees federal benefits that would require insurers to hand over the identifiable health data of civil servants received pushback from House of Representatives Democrats who said it throws up privacy and security risks.

French Vendor's QShield Offering Protects Edge Systems From Reverse Engineering
Aircraft manufacturer Airbus plans to acquire 100-person French cybersecurity vendor Quarkslab to strengthen sovereign European defenses by protecting aerospace and defense software, data and edge systems from AI-driven reverse engineering and exploitation.

Security demands keep growing, but your team can’t. For many SLTT and education organizations, limited staff, complex environments, and constant alerts make it difficult to keep up. This webinar shows how you can close the gap by strengthening detection and response without adding complexity, cost, or headcount.

Overhaul, Restructuring Puts Cyber at Core of Digital Warfare
Defense officials told House lawmakers the newly-released budget request positions cyber as a core warfighting domain, funding expanded offensive operations, AI-driven capabilities and a major Cyber Command overhaul as adversaries shift from espionage to pre-positioned disruptive attacks.