Everything feels secure—until one small thing slips through. Even strong systems can break if a simple check is missed or a trusted tool is misused. Most threats don't start with alarms—they sneak in through the little things we overlook. A tiny bug, a reused password, a quiet connection—that's all it takes.

Staying safe isn't just about reacting fast. It's about catching these early signs before they blow up into real problems. That's why this week's updates matter. From stealthy tactics to unexpected entry points, the stories ahead reveal how quickly risk can spread—and what smart teams are doing to stay ahead. Dive in.

⚡ Threat of the Week

U.S. Disrupts N. Korea IT Worker Scheme — Prosecutors said they uncovered North Korean IT staff working at over 100 U.S. companies using fictitious or stolen identities, not only drawing salaries but also stealing secret data and plundering more than $900,000 in virtual currency in one incident targeting an unnamed blockchain company in Atlanta. The actions are the latest steps to stop the scheme, which has seen North Korea earn millions through thousands of people who use fake identities to get hired as IT workers at companies based in the West and other parts of the world. Authorities conducted 21 searches across 14 states last month, adding to searches that were conducted at eight locations in October 2024 spanning three states. In at least one case, North Korean IT workers gained access to "sensitive employer data and source code, including International Traffic in Arms Regulations (ITAR) data," after they were hired by a California-based defense contractor that develops artificial intelligence-powered equipment and technologies, the Justice Department said. In all, the coordinated action led to the arrest of one individual, and the seizure of 21 web domains, 29 financial accounts used to launder tens of thousands of dollars, and nearly 200 laptops and remote access devices, including KVMs. The U.S. State Department is offering rewards of up to $5 million for information leading to the "disruption of financial mechanisms of persons engaged in certain activities that support North Korea." The actions reveal that North Koreans didn't merely falsify IDs to insinuate themselves into Western tech firms, but also allegedly stole the identities of "more than 80 U.S. persons" to impersonate them in jobs at more than 100 U.S. companies and funnel money to the Kim regime.

🔔 Top News

Chinese Threat Actor Targets French Orgs Using Ivanti Flaws — A China-linked intrusion set known as Houken targeted a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in France in early September 2024 using three vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices as zero-days. The attacks have been observed paving the way for PHP web shells, deploying a kernel rootkit, and even attempting to patch the vulnerabilities, likely to prevent exploitation by other unrelated actors. It's suspected that Houken is an initial access broker that obtains a foothold into target networks, and passes on that access to other threat actors for follow-on post-exploitation activities.

🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws—sometimes within hours. Whether it's a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week's high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week's list includes — CVE-2025-32462, CVE-2025-32463 (Sudo), CVE-2025-20309 (Cisco Unified CM and Unified CM SME), CVE-2025-49596 (Anthropic MCP Inspector), CVE-2025-6554 (Google Chrome), CVE-2025-5622, CVE-2025-5623, CVE-2025-5624, CVE-2025-5630 (D-Link DIR-816 routers), CVE-2025-49151, CVE-2025-49152, CVE-2025-49153 (Microsens NMP Web+), CVE-2025-6463 (Forminator plugin), CVE-2025-36630 (Tenable Nessus), CVE-2025-52891 (ModSecurity Web Application Firewall), CVE-2025-48927, CVE-2025-48928 (TeleMessage TM SGNL), CVE-2024-58248 (nopCommerce), CVE-2025-32897 (Apache Seata), CVE-2025-47812 (Wing FTP), CVE-2025-4404 (FreeIPA), CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192 (Grafana), CVE-2025-34067 (Hikvision Integrated Security Management Platform), CVE-2025-1735, CVE-2025-6491 (PHP), CVE-2025-53367 (DjVuLibre), and CVE-2025-49826 (Next.js).

📰 Around the Cyber World

Apple and Google App Stores Offer China-linked VPN Apps — Both Apple's and Google's online stores offer free virtual private network (VPN) apps that have undisclosed ties to Chinese companies, likely posing a privacy risk. Thirteen virtual private network (VPN) apps on Apple's App Store and 11 apps on Google's Play Store (seven common to both) have ties to Chinese companies, the Tech Transparency Project said. "VPNs are of particular concern because anyone using a VPN has the entirety of their online activity routed through that application," Katie Paul, the TTP's director, told NBC News. "When it comes to Chinese-owned VPNs, that means this data can be turned over to the Chinese government based on China's state laws."

— The weaponization of Windows shortcut (LNK) files for malware distribution has increased by 50%, according to telemetry data gathered by Palo Alto Networks Unit 42, with malicious samples rising from 21,098 in 2023 to 68,392 in 2024. "The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware," Unit 42 researchers said.

FBI Investigates Ransomware Negotiator for Extortion Kickbacks — The U.S. Federal Bureau of Investigation (FBI) is probing a former employee of security firm DigitalMint for allegedly taking a cut from ransomware payments. According to Bloomberg, the employee is said to have assisted the company's customers in negotiating ransoms during ransomware attacks. But unknown to them, the employee had secret deals with ransomware gangs to take a slice of the ransom the companies ended up paying. DigitalMint said it fired the employee as soon as it heard of the investigation and started notifying its customers.

Cloudflare Open-Sources Orange Meets — Cloudflare has implemented end-to-end encryption (E2EE) to its video calling app Orange Meets and open-sourced the solution for transparency. The web infrastructure company said the solution is powered by Selective Forwarding Units (SFUs) and uses Messaging Layer Security (MLS) to establish end-to-end encryption for group communication. "To do so, we built a WASM (compiled from Rust) service worker that sets up an MLS group and does stream encryption and decryption, and designed a new joining protocol for groups, called the designated committer algorithm, and formally modeled it in TLA+," Cloudflare said.

Russia to Build Database of Known Scammers — The Russian government has announced plans to build a database of known telephone scammers that will include voice samples, phone numbers, and caller IDs. Once the service launches on April 1, 2026, mobile operators in the country are expected to show scam warnings on phone screens for calls coming from known scam numbers. The voice recordings will be shared with law enforcement for possible investigations.

C4 Bomb to Bypass App-Bound Encryption in Google Chrome — Last year, Google introduced a new security measure called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems. While stealers have since found ways to defeat this guardrail, CyberArk has detailed another method dubbed C4 (short for Chrome Cookie Cipher Cracker) Attack, which makes it possible to decrypt the cookies as a low-privileged user. "Furthermore, this technique also allowed us to abuse Google's new security feature to attack Windows machines and access data that should typically only be available to the privileged SYSTEM user," security researcher Ari Novick said. The technique essentially employs a padding oracle attack to brute-force the encryption and bypass the SYSTEM-DPAPI, recovering the cookie key. Following responsible disclosure in December 2024, Google has put in place a "partial solution" to remediate the padding oracle attack. But it's disabled by default.

Exploit Attempts Target Apache Tomcat and Camel Flaws — Malicious actors are probing for servers running vulnerable versions of Apache Tomcat and Camel that are unpatched against CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891 to achieve remote code execution. Palo Alto Networks said it blocked 125,856 probes/scans/exploit attempts originating from more than 70 countries related to these vulnerabilities in March 2025.

Let's Encrypt Begins Issuing Certificates for IP Addresses — Let's Encrypt has started this month issuing certificates for IP addresses. These certificates are short-lived and valid only for six days – a trend pointing to declining certificate lifespans. Potential scenarios where one might need an IP address certificate include use cases like serving a default page for hosting providers, accessing a website without a domain name, securing DNS over HTTPS (DoH) services, protecting network-attached storage servers, and safeguarding ephemeral connections within cloud hosting infrastructure.

Google Open-Sources Privacy Tech for Age Verification — As online services increasingly introduce age verification barriers, Google has open-sourced its Zero-Knowledge Proof (ZKP) libraries to help people verify their age without giving up sensitive information. "In layperson's terms, ZKP makes it possible for people to prove that something about them is true without exchanging any other data," Google said. "So, for example, a person visiting a website can verifiably prove he or she is over 18, without sharing anything else at all." The ZKP library, called Longfellow ZK, is currently being vetted by independent academic and industry experts. The results of the reviews are expected to be available by August 1, 2025.

Apple Adds ML-KEM to iOS and macOS 26 — Speaking of cryptographic solutions, Apple is adding post-quantum cryptography support to its operating systems. The upcoming versions of iOS, iPadOS, macOS, and visionOS will support the FIPS 203 (aka ML-KEM) cryptography algorithm by means of a hybrid, quantum-secure key exchange. "The ClientHello message from iOS 26, iPadOS 26, macOS Tahoe 26 and visionOS 26 devices will include X25519MLKEM768 in the supported_groups extension, along with a corresponding key share in the key_share extension," Apple said. "Servers can select X25519MLKEM768 if they support it, or use another group advertised in the ClientHello message."

Spain Arrests 2 for Leaking Personal Data of Government Officials — Spanish police arrested a 19-year-old computer science student and an accomplice for allegedly leaking the personal data of senior government officials and journalists. The main suspect, identified as Yoel OQ, was detained at his parents' home on the island of Gran Canaria. His alleged accomplice, Cristian Ezequiel SM, was also arrested, according to local media citing law enforcement sources. The duo has been described as a "serious threat to national security."

AT&T Launches Wireless Account Lock to Prevent SIM Swapping Attacks — U.S. mobile carrier AT&T has launched a new feature to lock accounts and prevent SIM swapping attacks. Wireless Account Lock can be enabled exclusively via AT&T's myAT&T app. Once enabled, it blocks any changes to a customer's billing details or wireless number transfers until it's disabled again. Similar features already exist on other carriers like T-Mobile, Verizon, and Google Fi. "The lock forces an extra step before important account changes can be made. It prevents anyone from buying a device on the account, for example, or conducting a SIM swap – moving a phone number to a SIM in a different device," AT&T said.

Pakistani Freelancers Behind Websites That Deploy Stealers — A group of Pakistani freelance web developers is behind a network of more than 300 websites advertising cracked software that infects users with information-stealing malware, per Intrinsec. It's believed that these websites have been built for a third party and that the group incorporates search engine optimization techniques and Google Ads to maximize visibility and victim engagement. "Additionally, little can be done to prosecute Pakistani individuals behind these malicious activities as there is no extradition treaty between the US and Pakistan," the company said. "Servers and domains can be seized but it is only a temporary measure until new ones are rebuilt." The development coincides with the emergence of new stealer variants like Amatera Stealer (ACR Stealer) and Odyssey Stealer (Poseidon Stealer), becoming the latest entrants in a crowded field of infostealer malware.

Spain Detains 21 Suspects in Connection with Investment Scam — Spanish authorities have detained 21 suspects on charges of running an investment scam ring. The group operated call centers in Barcelona and used social media ads to promote fake investment platforms and trick hundreds of victims across the country into investing their funds in them, netting the gang over €10 million ($11.8 million). In late June 2025, U.S. authorities extradited a Ghanaian national, Joseph Kwadwo Badu Boateng, to face charges related to a romance and inheritance scheme targeting the elderly from 2013 through March 2023. Last week, a 41-year-old Nigerian man named Ehis Lawrence Akhimie pleaded guilty on similar charges in a separate case. "Akhimie admitted to defrauding over $6 million from more than 400 victims, many of whom were elderly or otherwise vulnerable," the U.S. Justice Department said.

Chinese Student Sentenced to Prison in U.K. for Smishing Campaign — Ruichen Xiong, a student from China, has been sentenced in a London court for operating an SMS Blaster to conduct a mass smishing campaign against victims with an aim to harvest their personal details between March 22 and 27, 2025. "The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organisations, such as government bodies, where the victim was encouraged to click a link," British trade association UK Finance said. "The link would subsequently take them to a malicious site that was designed to harvest their personal details."

Microsoft Takes Steps Against Email Bombing and File System Redirection Attacks — Microsoft revealed that it's rolling out an email bombing protection feature by default in Exchange Online Protection and Microsoft Defender for Office 365 plans to counter the risks posed by attacks that seek to flood target inboxes with thousands of messages by subscribing their email addresses to a large number of legitimate newsletter and subscription services. "By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content. It prevents mail bombs from being dropped into the user's inbox and the messages are rather sent to the Junk folder (of Outlook)," Microsoft said. Separately, the tech giant has also detailed a new mitigation called RedirectionGuard that it has put in place in Windows 11 to mitigate file system redirection attacks.

Hunters International Shuts Down — In an unusual turn of events, the Hunters International ransomware operation has shut down and promised to release free decryption keys for all past victims. The group announced the shutdown in a message posted on its dark web leak site on July 3, 2025. "After careful consideration and in light of recent developments, we have decided to close the Hunters International project," the gang wrote on its darknet extortion site. It did not elaborate on what these "recent developments" were. The operation launched in November 2023 and was a rebrand of the Hive ransomware, which had its infrastructure seized earlier that year. The demise of Hunters International is not surprising, given that a report from Group-IB earlier this year found that the group had already rebranded again and launched an extortion-only operation known as World Leaks. Despite these claims, French security firm Lexfo said it identified World Leaks victims that had ransomware deployed on their network before being extorted.
According to DataBreaches.net, World Leaks is operated by individuals previously associated with Hunters International. World Leaks has also claimed that they are no longer in touch with Hunters International. However, Group-IB said the shutdown is "designed to control the narrative and delay attribution."

🎥 Cybersecurity Webinars

The Future of Logins: AI, Trust, and Privacy Collide - Users are rejecting creepy AI and demanding frictionless logins—and the stakes have never been higher. This webinar reveals exclusive findings from the Auth0 2025 Trends Report, exposing how identity threats are evolving and how leading teams are designing trust-first login flows that users love. If you're still relying on outdated UX patterns or ignoring privacy shifts, you're already falling behind.

Your Pip Install Might Be Malware—Here's How to Fix It - Pip install isn't just risky—it's dangerous. Repojacking, fake packages, and infected containers are quietly poisoning thousands of apps. This isn't a theory—it's happening right now. Join top security experts to uncover how the Python ecosystem is being attacked, what tools like Sigstore and SLSA actually do, and the real steps you need to secure your builds before it's too late.

🔧 Cybersecurity Tools

Cloudflare's Orange Meets - It is a fully end-to-end encrypted video calling app that runs entirely on the client side—no changes needed to the server or SFU. Built with WebRTC, Rust, and Messaging Layer Security (MLS), it supports secure group calls with real-time key rotation and formally verified joining logic. It's open source, scalable, and ready to use or customize.

Octelium - It is a free, open source, self-hosted platform for secure, zero trust access to internal and cloud resources. It replaces VPNs, tunnels, and gateways with identity-based, secret-less access and fine-grained, policy-driven control. Built on Kubernetes, it supports both client and browser-based access, and works for apps, APIs, SSH, databases, and more—without exposing your infrastructure.

Disclaimer: These newly released tools are for educational use only and haven't been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Shrink Your Attack Surface with Smart Defaults - Many cyberattacks begin by leveraging legitimate Windows features that are rarely needed by most users or environments. Office macros, Windows Script Host, legacy protocols like LLMNR and NetBIOS over TCP/IP, and background COM script interfaces are common culprits. But even more obscure surfaces—such as ActiveX controls, Component Object Model elevation paths, or exposed DCOM/RPC endpoints—can be entry points for lateral movement and privilege escalation.

Beyond basic hardening, consider advanced techniques like disabling Win32 optional features via "DISM /Online /Disable-Feature," disabling legacy input/output subsystems (like 16-bit support via NtVDM), or auditing unexpected network listeners using "netstat -abno" and "Sysinternals TCPView." Apply Software Restriction Policies (SRP) or AppLocker to block execution from temp directories, USB drives, and user profile folders. Harden PowerShell with Constrained Language Mode and enable AMSI logging to catch script obfuscation attempts.
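An added example, not part of the original newsletter: a read-only PowerShell audit of several defaults named above (LLMNR, Windows Script Host, NetBIOS over TCP/IP, PowerShell language mode, a legacy optional feature, and TCP listeners). The `$ExpectedPorts` baseline and `$LegacyFeatures` list are hypothetical parameters to adapt, and the script assumes an elevated prompt and the standard registry locations for these settings.

```powershell
# Added example: read-only audit of defaults named in the tip above.
# Run from an elevated prompt; nothing is changed on the system.
param(
    # Hypothetical baseline of TCP ports you expect to be listening.
    [int[]]$ExpectedPorts = @(),
    # Optional features to report on; NTVDM is the one the tip names.
    [string[]]$LegacyFeatures = @('NTVDM')
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Format-State {
    param([string]$Name, $Value)
    if ($null -eq $Value) { "$Name not set" } else { "$Name=$Value" }
}

function New-Finding {
    # Hardened is $true, $false, or $null when the state could not be read.
    param([string]$Check, [string]$State, $Hardened)
    [pscustomobject]@{ Check = $Check; State = $State; Hardened = $Hardened }
}

$findings = @()

# LLMNR: policy value EnableMulticast = 0 disables it; absent means enabled.
$v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$findings += New-Finding 'LLMNR' (Format-State 'EnableMulticast' $v) ($v -eq 0)

# Windows Script Host: Enabled = 0 (stored as string or DWORD) disables it.
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
$findings += New-Finding 'Windows Script Host' (Format-State 'Enabled' $v) ("$v" -eq '0')

# NetBIOS over TCP/IP is set per interface: NetbiosOptions = 2 disables it.
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $nbt -ErrorAction SilentlyContinue) {
    $v = Get-RegValue $iface.PSPath 'NetbiosOptions'
    $findings += New-Finding "NetBIOS $($iface.PSChildName)" (Format-State 'NetbiosOptions' $v) ($v -eq 2)
}

# Language mode of the session this script runs in.
$mode = $ExecutionContext.SessionState.LanguageMode
$findings += New-Finding 'PowerShell language mode' "$mode" ($mode -eq 'ConstrainedLanguage')

# Legacy optional features (the DISM /Online /Disable-Feature targets).
foreach ($name in $LegacyFeatures) {
    $f = $null
    try { $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop } catch { }
    if ($null -ne $f -and $null -ne $f.State) {
        $findings += New-Finding "Optional feature $name" "$($f.State)" ($f.State -ne 'Enabled')
    } else {
        # Feature unknown on this edition, or the session is not elevated.
        $findings += New-Finding "Optional feature $name" 'not present or not queryable' $null
    }
}

# Non-loopback TCP listeners with their owning process, flagged against the baseline.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Sort-Object LocalPort, LocalAddress |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port       = $_.LocalPort
            Address    = $_.LocalAddress
            ProcessId  = $_.OwningProcess
            Process    = $p.ProcessName
            Unexpected = $_.LocalPort -notin $ExpectedPorts
        }
    }

$findings  | Format-Table -AutoSize -Wrap
$listeners | Format-Table -AutoSize
```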

For users who want safe defaults without diving into the registry or GPO, Hardentools offers a well-balanced baseline. It disables commonly exploited scripting engines, Office macro execution, and certain Windows Explorer behaviors with a single click. But to go further, pair it with community scripts like "Attack Surface Analyzer" (by Microsoft) or tools like O&O ShutUp10++ to disable telemetry and reduce exposure to cloud-connected attack vectors.

The more obscure the vector, the less likely defenders are monitoring it—but that's exactly why attackers love it. Effective attack surface reduction is not just about minimizing visible services; it's about knowing what's silently enabled and ensuring it's needed. This week, go beyond basic macro blocking—review what's running under the hood and shut down the silent risks.

Conclusion

It's one thing to defend against outside attackers—it's another when the risk is already inside. This week's revelations about stolen identities, fake hires, and silent access show how trust can be turned into a weapon.

The takeaway is clear: identity isn't just a login—it's a security boundary. And when that fails, everything behind it is at risk.