Supply Chain Security | Breaking Cybersecurity News | The Hacker News

While AI reduces some coding flaws, credential sprawl accelerates, expanding the non-human identity attack surface, and making remediation the new security bottleneck. AI is changing software development faster than most security teams can adapt. As coding assistants and autonomous agents become embedded in daily workflows, many assume traditional application security controls will steadily lose relevance. If machines can scan code, catch flaws, and even suggest safer alternatives in real time, then software risk should start to shrink. But that's not what is happening in the real world, according to GitGuardian's security research. The battle isn't in the code anymore, because AI is shifting where the control point is. It's in the credentials, tokens, service accounts, and machine identities that AI systems need in order to access data and take action. This matters because the attack surface has fundamentally changed. AI-assisted commits grew exponentially in 2025 and leaked secr...

When Shai-Hulud 2.0 hit in late 2025, it was a brutal, expensive wake-up call for DevSecOps teams. It showed that the industry's direction of shifting left, where teams pass security onto developers, wasn't the silver bullet everyone hoped for. Pushing that responsibility was fine in theory, but it crumbled quickly because the foundation it was built on was inherently flimsy. As we move further into 2026, we need a more definitive fix to the structural weakness in the pipelines in light of a potential Shai-Hulud 3.0. A major lesson from 2.0 was that internal CI/CD runners were easily hijacked and turned into attack botnets. Teams need to take that finding and come back with a truly proactive defense. A curated catalog is a way for security teams to control exactly what code and components enter their environment, while still giving engineering teams a fast, secure way to build - it is the key to creating a sustainable solution. More on a curated catalog later. The Anatomy o...

In the digital world, the secure exchange of cryptographic keys is the foundation upon which all private communication is built. It's the initial, critical handshake that allows two parties, like a user's browser and a web server, to establish a shared secret and communicate securely over the untrusted expanse of the internet. As the quantum computing era approaches, the very mathematics underpinning our traditional key exchange mechanisms are facing an existential threat. This spurred the development of new, quantum-resistant algorithms. This blog post provides a deep dive into how modern key exchange works, from the trusted classical methods to the emerging post-quantum standards, and explores how Zscaler leverages hybrid key exchange to bridge the gap. The Key Components of Modern Key Exchange At a high level, a secure key exchange protocol must achieve the following: Confidentiality: The established key must be a secret shared only between the two communicating parties. An ea...

Enterprise adoption of AI is no longer a future trend; it's a present-day reality. As organizations race to leverage AI for innovations, security teams are grappling with a new, complex, and dynamic attack surface. AI is breaking the operational silos that currently segregate Cloud, SaaS and Endpoint Security; AI is everywhere and it is consuming enterprise data and assets across these channels. Traditional security tools, designed for cloud infrastructure and SaaS applications, are fundamentally ill-equipped to handle the unique risks posed by AI.  AI security posture management (AI-SPM) solutions can provide relief by protecting critical AI assets, but it's important to note that not all AI-SPM solutions are created equal. Many solutions offer only basic posture checks and are focused predominantly on infrastructure and vulnerability management. In addition, most focus solely on Cloud or SaaS, leaving many blind spots when trying to get the full picture of your AI landscape. ...

Employees are increasingly using personal AI tools, AI-powered extensions, and emerging agentic browsers to accelerate their work. But unlike sanctioned AI platforms, these tools operate inside the browser runtime, where neither CASBs, SWGs, EDRs, nor DLP solutions have visibility. This has quietly turned the browser into an unmanaged AI execution environment, giving way to a new threat known as shadow AI. Shadow AI isn't just the latest buzzword; it's a serious risk that leaves organizations vulnerable to data loss, cyberattacks, compliance violations, and more.  What is Shadow AI? Shadow AI refers to GenAI-powered tools, browser extensions, and browsers that workers use on their own, without any company vetting or guidance. Different from shadow IT, where unsanctioned apps or devices slip through the cracks, shadow AI lives directly in the browser.  For example, employees might use their personal Claude accounts to work with sensitive company data or work on important pr...

After decades of frustration, downstream users are about to get laws and regulations passed to force upstream IoT manufacturers to produce more secure IoT devices. This seems like a good thing, however, we are about to see an enactment of how new laws and regulations work to the advantage of big companies and to the disadvantage of small companies, eventually driving the latter out of business. As presented by Ruchir Sharma in his excellent book [1] , regulations tend to favor large companies for two reasons: (1) large companies can afford the necessary resources to conform to the new laws and regulations and (2) large companies have the necessary resources to shape the new laws and regulations to favor themselves. Although these may be well-intentioned, initially, the eventual result is that smaller companies are forced out of business and only the large companies survive. Are we about to see this scenario play out for IoT device manufacturers? That is the subject of this paper. The...

Patching and updating is pretty much baked-in to the thinking, standards, and coming legislation of the device security community. Yet  isolation via partitioning  is another viable approach for security, and it comes with many advantages. Patching The primary advantage of patching and updating known vulnerabilities is that the vulnerabilities are usually permanently fixed. Hence the fix is demonstrable for standard and legal compliance. Some problems with this approach are: Modern IoT device firmware has tens, hundreds, even thousands of components, and components routinely come with dozens of their own dependencies [1] . Finding vulnerabilities in components of an SBOM is not an easy process. There are several databases, and component identification is not consistent [1] Achieving 100% complete and accurate SBOMs is still an elusive goal [1] . A high percentage of vulnerabilities in components are not exploitable [1] . Fixing non-ex...