GhostPoster, and Why Browser Extensions Are Your Next Major Blind Spot

Posted in Commentary with tags on March 17, 2026 by itnerd

Browser extensions have quietly become one of the more dangerous and overlooked attack surfaces within the enterprise. Fortra Intelligence and Research Experts (FIRE) have released a new Browser Extension Threat Guide that breaks down why this risk is escalating and what security teams need to do now to close the gap.

This in‑depth guide covers:

  • A deep forensic analysis of the GhostPoster campaign, including staged payloads, obfuscation techniques, and real-world impact.
  • How modern extension malware evades EDR by hiding inside legitimate browser processes and abusing trusted APIs.
  • Actionable detection and threat hunting playbooks focused on manifest analysis, sideloading identification, and high‑risk behaviors.
  • Clear mitigation strategies, including extension governance, default‑deny controls, and browser-layer security recommendations.

If extensions aren’t already on your threat model, this guide will show you why they need to be. You can access it here: https://www.fortra.com/resources/guides/browser-extension-threat-guide

Leave a comment »

Chatbot logs and audio exposed in data breach at major department store chain

Posted in Commentary with tags on March 17, 2026 by itnerd

Cybersecurity researcher Jeremiah Fowler recently discovered 3 separate databases that were neither password-protected nor encrypted and contained a total of 3.7 million chat log transcripts, audio recordings, and text transcriptions of phone calls exposing Sears Home Services.

The publicly exposed databases totaled over 4TB and contained:

  • 2,116,011 txt files that exposed names, phone numbers, physical addresses, and user-submitted personally identifiable information (PII).
  • 207,381 xlsx files and audio recordings totaling 415.2GB.
  • 1,442,577 audio recordings of customers and their text transcripts totaling 3.9TB.

Jeremiah’s detailed findings are published on the ExpressVPN blog here: https://www.expressvpn.com/blog/searshomeservices-data-exposed/.

Leave a comment »

Hammerspace Launches AI Data Platform Based on NVIDIA Reference Design 

Posted in Commentary with tags on March 17, 2026 by itnerd

Hammerspace announced today the general availability of its new AI Data Platform (AIDP) solution. AIDP is a turnkey approach that removes one of the biggest barriers preventing enterprise AI pilot projects from reaching production: seamless access to distributed enterprise datasets. It does this without creating new copies, performing slow migrations, or relying on manual preparation and curation, dramatically simplifying and securing the process of curating AI-ready data.

The Hammerspace AIDP meets enterprises where they are by allowing them to start making their existing data AI-ready using the infrastructure they already own, without deploying a separate AI storage system. By uniquely leveraging data in place, Hammerspace eliminates the need to purchase massive amounts of new flash just to house AI data. 

Solving the Primary Blockers to Enterprise AI Success
 

Eliminate Data Fragmentation. Identifying, gathering, organizing, and transforming unstructured data into an AI-ready format remains labor-intensive and highly manual. In most enterprises, the same work–finding the right data, enriching metadata, and shaping it into a form AI agents and models can use–is repeated across teams, projects and platforms because the data estate is fragmented. Hammerspace eliminates data fragmentation by providing a unified view across heterogeneous systems and automating the entire pipeline that produces AI-ready data for applications.
 

Skip Costly Mass Migrations. By enabling customers to use data in place, Hammerspace eliminates tedious migrations and the heavy manual work behind copy-first pipelines that consume human capital and stall initiatives. Instead of requiring a new AI storage buildout just to get started, the platform accelerates time to value and time to answer by making distributed data immediately usable for enterprise AI.
 

Reduce Data Copies. Hammerspace defeats data gravity by continuously cataloging distributed data in place, then using its Model Context Protocol (MCP) server to coordinate with NVIDIA and other AI tools and applications so only the data that’s needed moves, when it’s needed. With policy- and security-driven automation managing placement and flow end to end, vectors and source data stay continuously synchronized with consistent governance, compliance and performance. This allows pilot programs to scale cleanly into production with operational simplicity.

Image 1: The Hammerspace AI Data Platform: Seamless Access to Distributed Enterprise Datasets
 

Delivered and Validated by SHI, the Premier Experts in AI Transformation
 

SHI has been a key partner in the development and testing of the Hammerspace AI Data Platform solution, using its AI and Cyber Lab to quickly showcase the value and integrations across technologies for enterprise-scale AI factories.
  

Full End-to-End Solution on Cisco UCS with Secuvy DSPM

Hammerspace also delivers solutions that meet enterprise demands across the spectrum by combining best-of-breed technologies from its ecosystem partners. To provide organizations with a complete, validated and secure AI infrastructure, Hammerspace has established key partnerships and achieved major integration milestones.
 

All-in-One Orchestration: Hammerspace collapses as many as 15 disconnected tools for data discovery, cataloging, classification, policies and movement into a single orchestration layer, providing unified data insight, management and access. The platform is also the first to deliver a fully agentic data foundation, intelligently managing data placement and flow based on real-time demand.
 

  • NVIDIA Partnership: The Hammerspace AIDP is built on NVIDIA’s reference design, ensuring optimal performance and compatibility with accelerated computing platforms, including NVIDIA RTX PRO 6000 and RTX PRO 4500 Blackwell Server Edition GPUs. Using NVIDIA AI Enterprise software, including NIM microservices and NeMo Retriever, Hammerspace converges data management with data orchestration across heterogeneous storage to simplify and automate the data pipeline and deliver the security, governance and content indexing required for high-performance inference, retrieval-augmented generation (RAG) and agentic AI.
      
  • Secuvy DSPM Integration: The Hammerspace AIDP is integrated with Secuvy’s Data Security Posture Management (DSPM) technology, providing customers with an end-to-end solution that prepares and delivers AI-ready data while ensuring continuous security monitoring, compliance, and governance throughout the entire data pipeline. 

Hardware Platform Flexibility: Hammerspace’s software-defined architecture provides the ultimate flexibility for the modern enterprise. Our AIDP can be delivered on a broad ecosystem of industry-leading hardware from partners including Cisco, Lenovo, and Supermicro. It seamlessly integrates with any server environment that meets performance specifications, ensuring organizations can leverage their preferred infrastructure without compromise.
 

Availability and More Information

Hammerspace will feature its AI Data Platform in Booth #7040 at NVIDIA’s GTC 2026, March 16-19, in San Jose, California. 

The solution is immediately available. Customers can contact their Hammerspace sales representative or authorized partners to operationalize their data for AI success.

Learn More

Leave a comment »

Black Kite Introduces Open FAIR™-Based Risk Assessments

Posted in Commentary with tags on March 17, 2026 by itnerd

Black Kite today announced the release of Open FAIR™-Based Risk Assessments, which extends its CRQ capabilities to its AI-powered cyber assessment offering. Black Kite fully automates the calculation of probable financial impact in the event of a data breach, ransomware attack, or business disruption scenario using the industry-leading Open FAIR™ methodology, eliminating the complexity and manual effort typically associated with CRQ analysis. This latest release brings CRQ directly into the cyber risk assessment workflow, enabling customers to instantly calculate financial risk during onboarding and periodic risk reviews.

As the industry’s first provider to automate Cyber Risk Quantification (CRQ) for third party risk management, Black Kite has long delivered real-time CRQ through its continuous monitoring offering. These insights help them prioritize remediation efforts and vendor outreach, and clearly communicate risk and program success to executive and business stakeholders.

By introducing Open FAIR™-based risk quantification into the assessment workflow, customers can model onboarding decisions through  “what-if” analysis. For example, they can simulate  how sharing more or fewer records with a vendor impacts financial risk so that they can set clear vendor approval conditions. Additionally, customers are able to view real-time CRQ alongside assessment-based CRQ captured at onboarding and during periodic risk reviews to track how vendor risk is trending over time.

Customer key benefits include:

  • Turn risk decisions into business decisions: Instantly quantify a company’s financial risk during onboarding and annual assessments to inform vendor selection, renewal decisions, and even insurance underwriting.
  • Clearer vendor comparisons: Use a consistent financial risk language (e.g., “Are we willing to accept $10M vs. $2M of cyber risk in a ransomware scenario?”) to objectively compare vendors and select the best option.
  • Understand risk trends over time: Track how a vendor’s financial risk changes by comparing point-in-time CRQ from assessments with real-time CRQ from continuous monitoring to get a high-level understanding of vendor maturity, remediation progress, and the impact of outreach campaigns over time.
  • Model scenarios with full customization: Adjust model inputs to test different decision conditions, like onboarding a vendor only if data access is limited, and see how each scenario changes probable financial impact.

Open FAIR™-Based Risk Assessments key features include:

  • Automated FAIR model population: Never start with a blank model with Open FAIR™ factors that are automatically populated and enhanced by assessment responses, uploaded documentation, and insights from continuous monitoring.
  • Assessment-based private modeling: Run private, assessment-specific analysis to estimate probable financial risk impact at key moments, such as onboarding, renewal, post major outreach campaign, and more. 
  • Full customization: Customize exposure metrics and FAIR inputs across key scenarios or entirely custom scenarios to test different assumptions.

For more information, visit https://blackkite.com/platform/financial-impact.

Leave a comment »

DH2i Launches DxEnterprise v26.0 and DxOperator v2

Posted in Commentary with tags on March 17, 2026 by itnerd

DH2i today announced the general availability (GA) launch of DxEnterprise v26.0 and DxOperator v2, featuring significant high availability (HA), disaster recovery (DR), and operational resilience capabilities enhancements for SQL Server deployments across Windows, Linux, and Kubernetes environments. Together, the releases introduce meaningful advances in availability group (AG) protection, security controls, observability, and automation for both traditional and containerized SQL Server deployments.

In today’s enterprises, a perfect storm has emerged where applications have become direct revenue channels, infrastructure complexity has increased while IT staffing has not, modernization initiatives are no longer optional, security and compliance requirements are tightening, and software update velocity has accelerated. Together, these forces expose the limits of traditional HA approaches. What once worked for small, static clusters no longer scales when SQL Server deployments span hybrid, multi-platform, and containerized environments that demand continuous availability, stronger safeguards, and higher levels of automation. DxEnterprise v26.0 and DxOperator v2 address these challenges head-on.

DxEnterprise v26.0 focuses on improving cluster resilience, visibility, and administrative confidence through enhanced monitoring, stronger safeguards against split-brain scenarios, expanded credential support, and platform modernization. DxOperator v2 extends those capabilities into Kubernetes environments, giving users greater control over scale, updates, and network configuration for SQL Server AGs running in containers.

What’s New in DxEnterprise v26.0

Deeper SQL Server and Availability Group Intelligence

  • Database-level health monitoring is now enabled by default, allowing faster detection of issues affecting individual databases within an AG
  • Split-brain scenarios are prevented via automatic per-availability-group quorum enforcement by demoting or shutting down replicas when quorum requirements are not met
  • Improved replica connectivity alerts provide real-time notification when replicas disconnect or when SQL Server replica configurations diverge from expected cluster state

Improved Security and Credential Resilience

  • Support for secondary SQL Server backup credentials enables automatic fallback if primary authentication fails, reducing downtime caused by credential changes or expirations
  • Administrative sessions are automatically disconnected when the cluster passkey changes, ensuring only authorized users with current credentials retain access
  • The DxAdmin user interface now includes clearer prompts, stronger validation, and improved feedback for passkey configuration

Greater Stability and Observability

  • Core monitoring services, including DxLMonitor, DxCMonitor, DxStorMonitor, and DxHealthMonitor, have received reliability and stability improvements to reduce unexpected restarts and improve overall cluster resilience
  • Basic anonymous telemetry is now available to help improve product quality and diagnostics, with opt-out configuration for customers who prefer not to participate

Platform and Usability Enhancements

  • DxEnterprise’s Linux version now runs on the .NET 8.0 runtime, delivering improved performance, security, and long-term support alignment
  • Virtual hosts can now be renamed using a new rename-vhost command, simplifying cluster management and reorganization
  • Additional safeguards prevent accidental overwriting of existing data stores during SQL Server high availability virtualization
  • Enhancements to DxCLI and DxPS improve command-line usability, including human-readable XML output and new PowerShell cmdlets
  • The DxCollect utility now includes expanded command-line options for more targeted diagnostics and log collection.

What’s New in DxOperator v2

Flexible Scaling Up and Down

  • Availability group clusters can now be expanded or reduced dynamically
  • Unlike the previous version, DxOperator v2 can safely de-configure and remove replicas from a running cluster, enabling true scale-down operations

Automated Rolling Updates

  • Administrators can automate rolling updates of SQL Server or DxEnterprise container images, allowing pods to be updated one at a time without manual intervention
  • Updates can also be performed manually when desired, giving operators full control over rollout strategy
  • DxOperator does not automatically check for new container versions, ensuring that administrators remain in control of when and how updates are applied

Advanced Network and Service Configuration

  • Flexible service templates allow load balancers and other network services to be fully specified and automatically deployed per availability group replica
  • This enables more consistent connectivity across different Kubernetes environments and cloud providers

Redesigned Custom Resource and StatefulSet Adoption

  • The custom resource definition has been redesigned for greater flexibility and now leverages Kubernetes StatefulSets
  • By delegating pod creation, storage allocation, and rolling upgrades to Kubernetes, DxOperator v2 simplifies internal logic while benefiting from native Kubernetes reliability and lifecycle management

DH2i’s DxEnterprise v26.0 and DxOperator v2 are now generally available

1 Comment »

Guest Post: How Meta and TikTok Turn User Rage into Revenue, While Pretending to Keep You Safe

Posted in Commentary with tags on March 16, 2026 by itnerd

By Jurgita Lapienytė, Editor-in-Chief at Cybernews 

A new BBC report revealed what we suspected all along – big tech platforms turn a blind eye to harmful content for the sake of profit. Platforms allow so-called borderline content – misogynistic, sexist, racist, conspiracy-driven – that is harmful yet legal.

According to the report, based on accounts from a dozen whistleblowers and insiders, Meta engineers were instructed to allow more borderline content to compete with TikTok. Meanwhile, TikTok is said to have prioritized several user complaints involving politicians to “avoid threats of regulation or bans.”

Unsurprisingly, big tech platforms denied any wrongdoing, insisting that they do not amplify harmful content.

Algorithms are allegedly designed to better understand user interests and needs, and cater to them accordingly. Unfortunately, most of what a user “wants” turns out to be conspiracy theories, AI slop, deepfakes, and pro-Nazi content. Or at least the algorithm seems to think so – because most of this is so-called ragebait content, designed to provoke a strong response from the user.

And since users engage with it, the algorithm is tricked into “thinking” this is what people want. Humans behind the algorithm must clearly understand this is not the case, but clicks translate to cash. So why would Big Tech cut the branch it’s sitting on?

In 2024, Meta earned $16 billion, or 10% of its annual revenue, from scam ads and banned goods. The information comes not from a third-party analytics firm but from Meta’s own documents, proving that the tech giant is well aware of how much harm it can spread – and how much money it can make along the way.

While platforms and lawmakers take their sweet time debating what borderline content is, people are left to deal with the psychological fallout of social media addiction. From the inability to tell right from wrong or fake from real, loss of concentration, sleep, and even sense of self, to radicalization, depression, and self harm – the consequences of companies toying with their algorithms to meet business goals are dire for humanity.

It’s not only our mental health that’s at stake. Adversaries, well aware of algorithmic logic, abuse it to spread misinformation and straightforward lies, sowing division to influence elections all over the world – making us wonder just how much harm performative compliance has already done to democracy.

ABOUT THE AUTHOR 

Jurgita Lapienytė is the Editor-in-Chief at Cybernews, where she leads a team of journalists and security experts dedicated to uncovering cyber threats through research, testing, and data-driven reporting. With a career spanning over 15 years, she has reported on major global events, including the 2008 financial crisis and the 2015 Paris terror attacks, and has driven transparency through investigative journalism. A passionate advocate for cybersecurity awareness and women in tech, Jurgita has interviewed leading cybersecurity figures and amplifies underrepresented voices in the industry. Recognized as the Cybersecurity Journalist of the Year and featured in Top Cyber News Magazine’s 40 Under 40 in Cybersecurity, she is a thought leader shaping the conversation around cybersecurity. Jurgita has been quoted internationally.

ABOUT CYBERNEWS

Cybernews is a globally recognized independent media outlet where journalists and security experts debunk cyber by research, testing, and data. Founded in 2019 in response to rising concerns about online security, the site covers breaking news, conducts original investigations, and offers unique perspectives on the evolving digital security landscape. Through white-hat investigative techniques, Cybernews research team identifies and safely discloses cybersecurity threats and vulnerabilities, while the editorial team provides cybersecurity-related news, analysis, and opinions by industry insiders with complete independence. For more, visit www.cybernews.com.

Leave a comment »

Review: Sharp Dynabook Tecra A40-M Laptop

Posted in Products with tags on March 16, 2026 by itnerd

Last week I got the chance to review not one, but two laptops from Sharp’s laptop division Dynabook. The first of these two laptops is the Tecra A40-M laptop. The specific variant that I have comes with these specs:

  • Intel Core Ultra 7 Processor 255U
  • Windows 11 Pro
  • 14″ diagonal widescreen that is also a touchscreen
  • 16 GB DDR5 5600
  • 512 GB PCIe NVMe SSD
  • Fingerprint Reader
  • Thunderbolt 4
  • 60Wh battery to give you up to 8 hours of battery life
  • Wi-Fi 6E and Bluetooth 5.2
  • Intel ARC Graphics
  • Weighs 3.18 pounds

These seem like decent specs on paper. And they are as I will highlight in a moment. But what got my attention is the build quality. This laptop felt really solid because of the fact that it is built to MIL STD 810-H. Every part of the laptop that I touched felt like it could take a beating if required. I point that out because a lot of PC laptops that I pick up do not come even close to feeling that way. In fact some laptops from some big name companies feel flimsy at times. Thus I am often concerned about how long they would last during a trip or the like. I would have none of those concerns if I was carrying this laptop.

Speaking of the laptop, you haven’t seen it yet. Here’s a few pictures:

The one thing that stands out to me is this 14″ screen. It’s sharp and clear. The other thing that stands out is the keyboard. I liked the typing feel and touch typists will really love it. I was not as enamoured with the track pad. But that’s like a “me” problem as I am used to Mac trackpads which are not diving board designs like this one. Thus the clicks on those feel consistent unlike this one. Die hard Windows users however will not care because they are used to this sort of feel.

On the left side of the laptop is the Kensington lock slot, a power connector (why isn’t it USB-C/Thunderbolt 4 to make life easier for users who want to go USB-C all the things including chargers), a HDMI port, two USB-C/Thunderbolt 4 ports and a headphone jack.

On the right is an Ethernet jack, USB-A port and an micro SD card slot.

What I was really interested in is how fast is this laptop. To find out I ran Geekbench 6 on it. Now synthetic benchmarks aren’t a definitive measure of how fast a computer is because how fast a computer is or isn’t is dependent on your use case. Having said that, it will give you a pretty good idea of what you can expect. I did two runs of the GPU and CPU tests. Once on power and once on battery as PC laptops perform worse when on battery to save battery. Here’s what I got. First here’s the results while on battery:

  • Single Core: 1750
  • Multi Core: 6928
  • GPU (OpenCL): 16747

And here’s the results while on AC Power:

  • Single Core: 2277
  • Multi Core: 8656
  • GPU (OpenCL): 18893

To put that in perspective, my M1 Pro MacBook Pro hit these numbers (both on battery and on AC power) for the CPU:

  • Single Core: 1762
  • Multi Core: 12431

That makes the Dynabook’s numbers more than respectable. In terms of disk speed, I ran Crystal Disk Mark both on battery and on AC power. Here’s the results that I got in both scenarios:

  • Read: 5280.89 MB/s
  • Write: 3072.29 MB/s

Whatever SSD that was chosen to be used in this Dnynabook, it’s a pretty quick one.

Finally there’s battery life. It’s rated for 8 hours. In testing the best that I did was 6.5 hours. Not bad for a PC laptop. Also give its size, it’s not surprising as you can only shove in so much batter for something thin and light.

Here’s the bottom line. The Dynabook A40-M is a well built reasonably fast laptop that is light and easy to tote around. It will survive your daily activities and come back for more while providing ample amounts of CPU and GPU power. The A40-M starts at around $1800, and in my opinion is well worth the money.

1 Comment »

TELUS Digital Pwned By Shiny Hunters

Posted in Commentary with tags , on March 13, 2026 by itnerd

Bleeping Computer is reporting that the notorious hacking group ShinyHunters has pwned TELUS Digital which provides outsourced business services. The data that TELUS Digital likely has a lot of sensitive info in its possession, it would be a big target for threat actors. .

Here’s what TELUS Digital said:

“TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely,” Telus told BleepingComputer.

“All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement. “

“We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”

The thing is, today is March 13th. Bleeping Computer found out about this in January. And TELUS Digital didn’t respond to Bleeping Computer at that time. Read into that what you will. What worse is that ShinyHunters apparently demanded $65 million in ransom. TELUS clearly didn’t pay up, which by the way nobody should ever pay threat actors. So here we are talking about it.

Sucks to be TELUS Digital.

Leave a comment »

Forward Edge-AI Releases The Global PQC Implementation Playbook

Posted in Commentary with tags on March 12, 2026 by itnerd

Forward Edge-AI today announced the release of The Global PQC Implementation Playbook, a structured twelve-month roadmap designed to guide governments and enterprises through full-scale post-quantum cryptography (PQC) adoption.

The Playbook provides a phased implementation framework spanning governance formation, cryptographic asset inventory, proof-of-concept validation, AI-driven orchestration, workforce certification, production deployment, and continuous readiness auditing. It translates policy mandates into executable operational steps.

The release comes as international regulatory alignment accelerates. The European Union has established formal migration expectations beginning in 2026 under NIS2 and DORA, with enforcement mechanisms and financial penalties for non-compliance. The EU post-quantum roadmap and associated regulatory frameworks are publicly documented and continue to shape global migration timelines. The NIS2, DORA, and EU roadmap can be accessed here

The Playbook outlines seven sequential phases:

  1. Governance & Strategic Planning: Establishes national or enterprise-level PQC oversight structures aligned with digital trust policies.
  2. Cryptographic Asset Inventory: Uses structured assessment to map RSA, ECC, and legacy dependencies across critical systems.
  3. Proof of Concept (PoC) Demonstration: Deploys Isidore Quantum? or comparable programs devices in controlled environments to validate integration, performance, and uptime.
  4. Cassian or comparable programs Orchestration Enablement: Implements AI-driven fleet management for automated key generation, rekeying, and zeroization.
  5. Workforce Training & Capability Building: Certifies personnel on PQC operations, AI-assisted management, and compliance tracking.
  6. Full Production Deployment: Transitions prioritized infrastructure to quantum-safe cryptographic states.
  7. Continuous Monitoring & Readiness Auditing: Maintains long-term readiness through AI-driven monitoring, quarterly assessments, and compliance reporting.

The Playbook aligns with established governance and risk frameworks, including Quantum Readiness Index (QRI) domains and CSA 2025 standards, enabling organizations to demonstrate measurable quantum resilience at each stage of adoption.

Designed for government agencies, defense ministries, critical infrastructure operators, financial institutions, and multinational enterprises, The Global PQC Implementation Playbook provides a repeatable model for operationalizing quantum-safe migration without disrupting active systems.

A link to the full Playbook is available here: The Global PQC Implementation Playbook

Leave a comment »

The CISA orders agencies to patch actively exploited n8n vulnerability which enables server takeover

Posted in Commentary with tags on March 12, 2026 by itnerd

The CISA has ordered federal agencies to patch a remote code execution vulnerability in the n8n workflow automation platform that could allow attackers to steal stored credentials such as API keys, OAuth tokens, and passwords, or pivot into connected systems that rely on the automation platform.

Security researchers found that multiple vulnerabilities in n8n could allow attackers to execute commands on vulnerable systems, escape sandbox protections, and potentially take full control of affected servers. One flaw involves an expression injection vulnerability that allows attackers to submit malicious input that is evaluated by the platform, while a second issue can be chained to bypass sandbox protections and execute commands directly on the host system.

Because n8n often stores credentials used to connect to external services and infrastructure, researchers warned that a compromised instance could expose multiple integrated systems and sensitive data across an organization’s environment.

n8n has more than 50,000 weekly npm downloads and over 100 million Docker pulls.

John Carberry, Solution Sleuth, Xcape, Inc.:

   “Federal agencies are racing to patch n8n workflow automation servers following a CISA directive targeting an actively exploited expression injection vulnerability. Despite previous security updates, researchers discovered multiple bypasses (CVE-2026-25049 and CVE-2026-27577) that allow attackers to escape the platform’s sandbox and execute arbitrary code on the host system. This cycle of incomplete patching is particularly dangerous for automation tools that serve as a central repository for sensitive API keys and OAuth tokens across the Enterprise.

   “For security professionals, this highlights the fragility of relying on software-defined sandboxes when the underlying application logic remains inherently permissive. Defenders must prioritize immediate updates to version 1.76.3 or later and audit all connected service credentials for signs of lateral movement. We need to stop treating sandbox escapes as isolated bugs and recognize them as fundamental design failures that require more than a quick syntax fix.

   “Patching a sandbox escape with a regex filter is like trying to fix a leaky dam with a Post-it note.”

Denis Calderone, CTO, Suzu Labs:

   “n8n is under sustained assault from multiple angles right now, and CISA just confirmed this latest one is being actively exploited. We’ve seen four critical RCE vulnerabilities in just the last three months, and an active supply chain attack to boot.

   “At its core, n8n is a credential vault. It stores API keys, OAuth tokens, database passwords, cloud storage credentials for every service it connects to, and it connects to a lot of services. Compromise one n8n instance and you don’t just own the automation platform, you get the keys to every system it touches. Numerous vulnerabilities from VMware to Cisco to n8n have been bringing to light the inherited trust problem once again. The underlying issue here is that your management and orchestration tools carry the deepest trust in your environment, and attackers know it.

   “What makes this one particularly concerning is the attack surface. Shadowserver is tracking over 40,000 unpatched instances still sitting on the open internet, and researchers identified more than 100,000 potentially vulnerable deployments globally. The patch has been available since December. That’s three months of exposure while these things are being actively exploited, and exploitation apparently spiked over the Christmas holiday when teams were thin.

   “If you’re running n8n, patch immediately, audit what credentials are stored in it, and restrict who can create or edit workflows. Yes, n8n needs internet-facing endpoints for webhooks and forms, but that doesn’t mean the management interface and credential store should be exposed along with them. Separate your webhook endpoints from your admin panel, and put the editor behind a VPN or proper access controls.”

Vishal Agarwal, CTO, Averlon:

   “Automation platforms like n8n often sit in the middle of many internal systems and services, storing the API keys, tokens, and credentials needed to connect them. When vulnerabilities appear in these platforms, the real risk isn’t just the initial compromise. It’s the blast radius: what those stored credentials allow an attacker to reach next, and how far that reach extends across connected systems.

   “Even if the initial access comes from a regular user account, these vulnerabilities can expose much more powerful credentials stored within the platform. Organizations should not only patch quickly but also map the pathways those credentials create across their environment.”

I am glad that the CISA is around because it forces organizations to take cybersecurity seriously. Of course organizations have to take cybersecurity seriously. But that’s another story.

Leave a comment »

« Older Entries
Newer Entries »