New on the Engineering Blog: The access and permissions we grant agents should evolve with their capabilities. In our own products, we set these parameters through sandboxing, which limits the scope of any potentially destructive actions.
Read more: https://t.co/KfBKW8O9kP
🔥 npm now requires human 2FA approval before staged package releases become installable — even from CI/CD workflows.
https://t.co/Nv3wV9rPag
New package versions uploaded with staged publishing are placed into a queue and must be explicitly approved by a maintainer before release.
Requirements:
• npm CLI 11.15.0+
• 2FA enabled
• Existing npm package
• Use npm stage publish
npm also added new install controls:
• --allow-file
• --allow-remote
• --allow-directory
The updates are designed to strengthen defenses against software supply chain attacks targeting open-source ecosystems.
Exploitation mostly solved with Mythos/AI - what a run!
>We see that current frontier LLMs, given a V8 N-day bug and its patch commit, can frequently demonstrate exploits that achieve useful primitives. Evaluations on private frontier models show that a fully end-to-end exploit against hardened targets, reaching arbitrary code execution from just the patch commit, is feasible under our defined turn budgets and simplified agent scaffolding.
https://t.co/2rEi0QzoS8
For most of 2025, I was skeptical that AI was already playing a major operational role in real intrusions. Most public examples seemed limited to phishing and supporting tasks.
This report by my friend Eyal Eyal lines up with what I have been hearing elsewhere, too - in recent publications and in private conversations with people seeing this stuff up close.
I think that phase is over.
AI is moving into the operational core of attacks. With stronger models, open models, and jailbroken variants circulating, the economics have changed. Tailored tooling, exploit adaptation, and large-scale analysis get cheaper and faster.
I expect AI to play a major role in future campaigns, and that means more variation, more fresh tooling, and less reliance by attackers on recycled code.
All the more reason to focus on controls and detections that do not depend only on known samples.
Worth reading.
Mythos Preview seems to be the best-aligned model out there on basically every measure we have. But it also likely poses more misalignment risk than any model we’ve used:
Its new capabilities significantly increase the risk from any bad behavior. 🧵
Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software.
It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans.
https://t.co/NQ7IfEtYk7
The window between vulnerability disclosure and real-world exploitation keeps shrinking.
The Zero Day Clock visualizes how fast attackers are operationalizing new CVEs. What used to take months now often happens in days, or hours.
The future needs to be Secure by Design.
https://t.co/zFXOSKB7eq
#AppSec #CyberSecurity
@UK_Daniel_Card Too many leaders try to do 2) SECURE ALL THE THINGS and could have just done 6) as suggested. It would save their teams from burnout, adding friction with outside teams, and likely still leaving security gaps. Better to take the time to come up with a targeted approach.
@NightmareJS If I read that article right then the master password is stored on the local PC and wouldn't have been backed up - therefore not part of the breach (in theory), and the attackers could now try and grab the cached master password en masse. Fun!
@runasand @zackwhittaker It's an interesting idea. My hot take would be that it would be difficult for normal business operations to utilize the "zero knowledge architecture", but I'm sure users would be willing to pay for this tier, or at least a higher security tier of service.
@CISAJen Any chance you can publish a spreadsheet version of the CPGs Checklist? Would be nice to sort on Impact/Complexity/Cost for quick sorting. https://t.co/XPgfJdtjnB