ANY.RUN report reveals how the new CastleLoader malware targets US government agencies using stealthy ClickFix tricks and memory-based attacks to bypass security.

A new name is surfacing in cyber intelligence reports that has security teams on edge. Known as CastleLoader, it has become a go-to tool for attackers targeting high-security environments since early 2025.

As Hackread.com reported in December 2025, earlier versions of CastleLoader were analysed in July and August 2025. Cybersecurity analysis firm ANY.RUN has now detected a newer and more stealthy version.

ANY.RUN researchers identified it as a ‘loader,’ which is essentially a specialised software that acts as a silent entry point for far more destructive attacks. Investigation revealed that CastleLoader has already compromised at least 469 devices, with a heavy focus on US government agencies and critical infrastructure across Europe, including the logistics and travel sectors.

****Tricked into Clicking****

Researchers noted that CastleLoader doesn’t always rely on complex hacking; often, it just needs a person to make one mistake. It uses a social engineering trick known as ClickFix. In these cases, a user might see a fake “update” or “verification” pop-up. If the user clicks to “fix” the issue, they are actually giving the malware permission to start its work. The malware often uses a fake message saying:

“The program can’t start because VCRUNTIME140.dll is missing from your computer.”

It’s a clever disguise because it looks like a boring, everyday Windows glitch. But while the user is confused, CastleLoader is already busy. It typically arrives as a package using Inno Setup, a common installer tool, and runs a script called AutoIt to prepare the system for the next stage of the attack.

After it successfully invades a system, the malware performs process hollowing. This is a trick where a legitimate Windows tool called jsc.exe is hijacked. According to researchers, the malware “hollows out” the safe code and replaces it with malicious instructions. Because the “bad” code runs inside a “good” program’s memory, most standard antivirus tools won’t even flag it.

Further probing revealed that once CastleLoader is settled in, it calls back to a command center at the address 94.159.113.32. From there, it can download information stealers to grab passwords or RATs (Remote Access Trojans) to give a stranger total control of the network.

What is most dangerous is that CastleLoader uses memory-based attacks. Instead of saving a visible file to your hard drive, the malicious code hides entirely in the computer’s temporary memory (RAM). Since it never leaves a permanent file, it acts like a ghost, allowing it to evade standard antivirus programs that only scan for bad files on the disk. Because this malware is so evasive, traditional security measures are usually unable to detect it.

CastleLoader’s discovery proves that the best defence is a mix of smart technology and staying alert. While security experts work to block the technical backdoors, our own caution with suspicious pop-ups remains the strongest shield we have against digital threats.

New CastleLoader Variant Linked to 469 Infections Across Critical Sectors

Silver Spring, Maryland, 15th January 2026, CyberNewsWire

**Silver Spring, Maryland, January 15th, 2026, CyberNewsWire**

Aembit today announced the agenda and speaker lineup for NHIcon 2026: The Rise of Agentic AI Security, a virtual conference scheduled for Jan. 27. The second-annual event will examine the technical, operational, and security challenges emerging as agentic artificial intelligence systems enter enterprise environments.

NHIcon 2026 will feature keynote addresses from Phil Venables, partner at Ballistic Ventures and former chief information security officer (CISO) at Goldman Sachs and Google Cloud; Misam Abbas, staff AI engineer and technical lead for generative AI safety at LinkedIn; and Jason Clinton, deputy CISO at Anthropic.

The program brings together practitioners from a broad range of enterprise and technology organizations, with speakers representing companies including Pinterest, Dolby, Walmart, Snowflake, IBM, and others actively working with agentic AI.

NHIcon 2026 is presented by Aembit, with community partnership support from the Cloud Security Alliance and the Identity Defined Security Alliance. Event sponsors are GitGuardian, Silverfort, WitnessAI, and Entro.

The agenda includes more than 20 practitioner-led sessions reflecting how AI systems are being designed, assessed, deployed, and secured in practice. Topics include large language model evaluation, agent behavior, techniques for controlling secrets usage, platform telemetry and investigative visibility, the OWASP Top 10 for agentic AI, MCP adoption challenges, and the limits of existing frameworks as autonomy increases.

Clinton of Anthropic will deliver the closing keynote, addressing security considerations associated with “frontier-scale” AI systems, including observations on AI-enabled nation-state activity and the implications of continued model scaling for security operations, engineering practices, and the software development lifecycle. Due to the nature of the material discussed, this session will not be recorded.

In addition to individual sessions, NHIcon 2026 will feature a cross-industry CISO panel examining how security leaders are establishing guardrails for agentic AI as accountability models shift and standards remain unsettled. Panelists will discuss approaches to risk assessment, responsibility, and enforcement in environments where autonomous systems act

The program also includes a “Lightning Talk Lunch” featuring six ten-minute presentations of concise instruction and immediately applicable techniques. Live discussion and opportunities for attendee interaction are incorporated throughout the program, including interactive challenges with prizes.

> “Organizations are encountering agentic systems that behave in ways earlier security models did not anticipate,” said David Goldschlag, co-founder and CEO of Aembit. “NHIcon creates a forum for practitioners to compare experience, test assumptions, better understand how these systems change long-standing security expectations, and leave with guidance they can apply directly.”

Registration for NHIcon 2026 is free and available at NHIcon.com.

**About Aembit**

Aembit is the identity and access management platform for agentic AI and workloads. It enforces access based on identity, context, and centrally managed policies, giving organizations a singular place to control access risk from AI agents, automate credential management, and accelerate AI adoption. With Aembit, enterprises can confidently control access to sensitive resources across all the workloads that power their business. Users can visit aembit.io and follow the company on LinkedIn.

**Contact**

**Chief Marketing Officer**  
**Apurva Davé**  
**Aembit**  
**\[email protected\]**

Aembit Announces Agenda and Speaker Lineup for NHIcon 2026 on Agentic AI Security

Over 387,000 users downloaded vulnerable Apache Struts versions this week. Exclusive Sonatype research reveals a high-risk flaw found by AI. Is your system at risk?

It turns out that even in the world of software, ‘old’ doesn’t mean ‘gone.’ In a report shared with Hackread.com, cybersecurity researchers at Sonatype revealed a massive spike in downloads of long-outdated Apache Struts versions.

We are talking about a specific flaw called CVE-2025-68493. What makes this discovery unique is how it was found. According to the Apache Struts security bulletin (S2-069), it was identified by Zast AI, an autonomous AI security research system.

As we know it, AI is now hunting for bugs faster than humans can, which is a bit of a double-edged sword because while it finds the holes, it also gives organisations almost no time to react before someone else exploits them.

Full breakdown of downloads (Credit: Sonatype)

****What’s actually broken?****

According to Sonatype researchers, the problem lies in the XWork component, which is the main engine that helps the software process data, whereas the flaw involves ‘unsafe XML parsing,’ basically, the way the software reads instructions.

“The real risk does not emerge at disclosure,” the researchers noted in the blog post, “it emerges in the lag between knowing and changing what is actually deployed.”

Further probing revealed that an attacker doesn’t need to be a master spy or take full control of a computer to cause trouble. By sending “crafted input,” they can force the system into an infinite loop, eating up CPU and memory until it crashes. It is a digital heart attack for a web server. This flaw impacts a huge range of versions, from 2.0.0 through 6.1.0, and carries a high severity score of 8.8.

****The Dead Software Problem****

The real shocker is the scale of the risk. In just one week, over 387,000 people downloaded these vulnerable versions, and a whopping 98% of those downloads were for End-of-Life (EOL) versions.

These are versions like Struts 2.3, which haven’t seen an official update in over 2,200 days. If you are using these, there is no official patch coming to save you because the creators stopped supporting them years ago.

Versions without any official update (Credit: Sonatype)

****The Fix****

Further investigation revealed that while a safe version, Struts 6.1.1, is available, almost nobody is using it yet. This new version includes “stricter parser hardening” to block these attacks. Currently, only about 1.8% of the downloads (6,243 downloads) over the same period were for the secure version.

Researchers noted that these old versions remain “deeply embedded” in company systems, making them a ticking time bomb. Every version before 6.1.1 should be considered dangerous. If you’re a developer or a business owner, check your versions now, as the window to fix this is closing fast.

Years-Old Vulnerable Apache Struts 2 Versions See 387K Weekly Downloads

Researchers have discovered VoidLink, a sophisticated new Linux malware framework designed to infiltrate AWS, Google Cloud, and Azure. Learn how this Chinese-affiliated toolkit uses adaptive stealth to stay hidden.

In December 2025, cybersecurity experts at Check Point Research (CPR) discovered a sophisticated new toolkit called VoidLink. While most hackers target Windows, VoidLink is a cloud-first threat built specifically to live inside Linux-based cloud environments used by major corporations.

The research reveals that the developers, likely a Chinese-affiliated group, possess elite technical skills. They are proficient in languages like Zig, Go, C, and React, and they even created a professional web dashboard in Chinese to control their targets.

****How VoidLink Operates****

VoidLink is remarkably intelligent. Once it infects a system, it automatically checks if it is running on Amazon (AWS), Google Cloud, Microsoft Azure, Alibaba, or Tencent. There are even plans to expand this list to include DigitalOcean and Huawei.

Once inside, it acts as a digital spy. According to researchers, it hunts for credentials, essentially the secret keys used by software engineers, such as SSH keys and Git logins. It can also hide within containers like Docker and Kubernetes, which are the building blocks companies use to run their modern apps.

****Advanced Stealth and Hiding****

Researchers noted that VoidLink is a master of disguise. Depending on the version of Linux it finds, it chooses between three different hiding methods: LD_PRELOAD, eBPF, or LKM. To talk to its operators, it uses a custom protocol called VoidStream. This protocol camouflages stolen data, making it look like innocent website files, such as images (PNGs) or standard code (JS/CSS).

Further investigation revealed that the software is incredibly “modular,” featuring a 37-plugin system. This allows hackers to add new features on the fly, such as tools to wipe evidence or boost their own access levels.

VoidLink’s overview (Image via CPR)

****Adaptive Defence Evasion****

As we know it, most malware is static, but VoidLink uses adaptive stealth. It scans for security software and gives the environment a risk score. If the risk is high, it works more slowly to blend in. It can even form a mesh network with other infected computers to pass messages without connecting directly to the open internet.

Perhaps most impressively, if VoidLink detects a security expert trying to analyse it, it will self-delete to leave no evidence behind. While no real-world victims have been reported yet, researchers noted that the code is so polished and well-documented that it could even be intended for sale to other criminals. For now, experts urge companies to strengthen their cloud defences against this emerging threat.

(Photo by Growtika on Unsplash)

New China Linked VoidLink Linux Malware Targets Major Cloud Providers

A successful e-commerce platform requires more than just a good-looking design. Security, stability, speed, and scalability are key…

A successful e-commerce platform requires more than just a good-looking design. Security, stability, speed, and scalability are key factors that determine the performance of an online store. Behind every smooth webshop lies a technical foundation that supports daily operations. Understanding this infrastructure helps in making smart decisions for growth and continuity.

**Scalability tailored to traffic peaks**

Online stores often face unpredictable spikes in traffic. Promotions, holidays, or product launches can all cause a surge in visitors. A system that can adapt to these changes ensures performance remains steady. Scalable resources help maintain user experience regardless of demand.

**Security for transactions and customer data**

E-commerce relies heavily on trust. Customers need to feel confident that their personal and payment information is protected. Hosting environments must include strong defenses against unauthorized access, misuse, and data leaks. Tools like encryption, access management, and continuous oversight play a critical role here.

**Speed influences conversion**

Load times directly affect how users behave. Online shoppers expect pages to load quickly. If a page takes too long, they may abandon their purchase. Factors such as server configuration, caching, and code structure all impact website speed.

**Continuous uptime is essential**

Downtime can lead to lost sales and reduced credibility. A stable e-commerce platform needs to be online at all times. Redundancy, monitoring tools, and recovery systems help minimize interruptions and keep the webshop operational.

**Access to technical support**

Technical questions or configuration issues are common in complex systems. Reliable access to skilled support helps resolve problems faster. Having the right people available makes a difference during unexpected events or critical updates.

**Regular maintenance and updates**

Online platforms require consistent care. Software needs to be updated, security risks monitored, and performance tuned. Businesses using managed eCommerce hosting benefit from a setup where these tasks are handled professionally and proactively, minimizing risk and downtime.

**Backups Provide A Safety Net**

Mistakes happen. A recent backup can be the fastest way to restore functionality after a failure, whether it’s due to an update error, user mistake, or technical issue. Automated backups reduce the risk of data loss and support recovery efforts.

**Optimization for specific platforms**

Not all hosting environments are ready for e-commerce applications out of the box. Platforms like Magento, Shopware, or WooCommerce often require specific server settings and tuning. A properly configured environment prevents conflicts and enhances platform performance.

**Insights through monitoring and logs**

Monitoring tools track how a webshop performs. They detect delays, errors, or unusual activity. Logging systems record events, providing insight into what happened when things go wrong. This makes it easier to take corrective action and avoid future issues.

**Preparing for future growth**

A strong webshop will attract more users over time. This means the hosting environment must be able to grow along with it. More storage, faster processing, and connections to other systems may be needed. Planning ensures that technical limitations don’t become obstacles later on.

Structure and reliability in e-commerce platforms

A hacker claims a full breach of Russia’s Max Messenger, threatening to leak user data and backend systems if demands are not met.

A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum.

The forum thread, titled “ Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code.

****What is Max Messenger****

Max is a cross-platform messaging and multifunction app released on March 26, 2025, by the tech company VK through its subsidiary, Communication Platform LLC. It has been heavily promoted within Russia as a “national messenger” alternative to foreign services like WhatsApp and Telegram and has seen growth in registered users, reportedly reaching millions across Russia and neighboring countries.

The service provides messaging, voice, and video calls, file sharing, and is intended to integrate digital identity and service features for government and commerce. In many cases, devices sold in Russia and Belarus have been required to ship with Max pre-installed under government policy.

Max is positioned as more than a simple chat app, aiming to combine messaging with state services and additional tools, similar to China’s WeChat model. Critics and independent analysts have previously raised concerns about privacy and the potential for state access to metadata and user information, given Max’s structural integration with the Russian government’s digital infrastructure

****Details of the breach claim****

In the DarkForums post, CamelliaBtw claims to have exfiltrated the entire production database, estimating the total compressed data size at 142 GB. The hacker states that the stolen data includes:

*   **Approximately 15.4 million user records containing full names, usernames, and verified phone numbers.**
*   **Active authentication tokens capable of bypassing two-factor authentication.**
*   **Bcrypt hashed passwords.**
*   **Complete communication metadata, including timestamps and sender and receiver identifiers, dating back to the platform’s launch.**
*   **Internal infrastructure assets such as SSH keys, API documentation, and Amazon S3 bucket configurations.**
*   **Unencrypted media files stored in cloud storage.**
*   **Backend source code, including what the attacker claims are hardcoded backdoors inside the platform’s encryption module**.

The post alleges that access was achieved through a previously unknown remote code execution vulnerability in Max Messenger’s media processing engine. According to the attacker, the flaw could be triggered by injecting a malformed payload into sticker pack metadata, allowing persistent backend access. The hacker claims the vulnerability existed since the beta phase in early 2025 and was never patched.

****Extortion threat****

The post includes a direct ultimatum to Max Messenger’s developers. CamelliaBtw claims the company has already been notified privately, but has not responded. The attacker states they have verified accounts belonging to politicians and corporate executives who joined the platform during its early growth period.

If a financial settlement described as a “bug bounty” is not negotiated within 24 hours, the hacker threatens to release the first 5 GB of raw SQL database files across more than ten public torrent trackers.

CamelliaBtw’s post on DarkForums (Image credit: Hackread.com)

****No confirmation yet****

As of publication, Max Messenger has not issued a public statement confirming or denying the breach. No sample data has yet been released publicly to independently verify the claims. Cybersecurity experts note that while some breach announcements on underground forums are exaggerated, the level of technical detail provided in this post suggests the claims warrant serious scrutiny.

If confirmed, the incident would represent one of the most severe messaging platform breaches in recent years, with long term implications for user privacy, account security, and trust in encrypted communication services.

Hacker Claims Full Breach of Russia’s Max Messenger, Threatens Public Leak

As software supply chains become longer and more interconnected, enterprises have become well aware of the need to…

As software supply chains become longer and more interconnected, enterprises have become well aware of the need to protect themselves against third-party vulnerabilities. However, the rampant adoption of artificial intelligence chatbots and AI agents means they’re struggling to do this.

On the contrary, the majority of organizations are exposing themselves to unknown risks by allowing employees to access AI services and software packages that include AI integrations, with little oversight.

This revelation is one of the main findings of Panorays’ latest CISO Survey for Third-Party Cyber Risk Management, which revealed that 60% of CISOs rate AI vendors as “uniquely risky,” primarily due to their opaque nature.

Yet despite knowing how dangerous they are, only 22% of CISOs have established proper processes for vetting AI tech vendors, leading to potentially dangerous situations where employees may unwittingly leak sensitive information via the prompts they enter.

According to Panorays, this creates risks that traditional third-party vulnerability assessment tools cannot properly capture, meaning organizations have no real way of knowing the dangers they’re exposing themselves to.

****Organizations Face New Risks with AI****

The survey of 200 U.S. CISOs found that 62% see AI vendors as having a distinct risk profile compared to traditional third-party software vendors, with 9% describing them as “significantly different” and 53% saying they are “somewhat different.”

The problem with AI chatbots is that most are closed-source, which means their underlying code is proprietary. Consequently, security teams have little understanding of how chatbots process the data that’s fed into them. It also means there’s no easy way for organizations to properly audit them.

In addition, AI users often lack security awareness regarding chatbots, increasing the risk that they might unwittingly feed sensitive information such as corporate secrets and customer data into these models.

While there’s lots of uncertainty about how AI systems use the data fed into them, the anecdotal evidence regarding how it might later be exposed is not encouraging. One of the most infamous examples of this was a 2023 incident involving Samsung, which discovered that its employees had pasted proprietary code into ChatGPT as well as the minutes of confidential internal meetings involving senior executives.

In both cases, ChatGPT seemingly retained this data and used it for training to improve its underlying large language model, which means it could have informed output in response to later prompts. Prompt injections and prompt leaks have rarely been reported by LLM developers, but they have indeed been known to happen.

****CISOs Aren’t Doing Enough****

What’s most alarming is that CISOs seem to be doing little to address these risks. Despite knowing the dangers of AI chatbots, 52% of organizations still rely on the same general processes they use for vetting traditional third-party software vendors to onboard AI tools. Yet the unpredictable nature of AI chatbots in comparison to traditional software means that general-purpose onboarding is clearly ill-suited to the task. 

Panorays found that just 22% of CISOs have developed dedicated and documented policies for vetting AI tools, with 25% relying on informal or case-by-case evaluations, which might be more desirable, but still pose risks due to the lack of standardization.

The worrying lack of proper processes for onboarding third-party AI tools is one of the main reasons why CISOs admit to having diminished visibility with regard to third-party vulnerabilities. The survey found just 17% of respondents claim to have “full visibility” into such threats, meaning that 83% are essentially unaware of just how large and expansive their organization’s threat surface really is.

That likely explains why 60% of CISOs said they’ve witnessed an increase in incidents stemming from third-party vulnerabilities over the last year.

If there’s one bright spot from the report, it’s that CISOs do at least recognize the need for a newer approach to onboarding AI, and there’s evidence to show that some larger organizations are getting it together. Breaking down the results, Panorays said 38% of companies with 10,000 or more employees have established AI-specific onboarding policies, compared to just 26% of organizations with between 5,000 and 9,999 employees, and only 10% of firms with less than 5,000 staff.

The findings underscore the evolving nature of the CISO’s role. AI tools have become extremely popular among enterprise workers because they’re so convenient, enabling faster decision-making and accelerated productivity.

Simply put, they make life easier and enable workers to get more done, and these benefits cannot easily be ignored. But they also put more pressure on CISOs, who must balance the integration of AI with more robust vetting and security measures to ensure compliance is maintained and sensitive data isn’t leaked.

****Adoption Outpacing Policy****

As Panorays notes, the findings suggest organizations are adopting AI tools faster than they can be secured, creating a dangerous visibility gap where risky models are being given access to all kinds of sensitive information without proper scrutiny.

Fortunately, CISOs do at least seem to recognize the urgent need for AI-specific onboarding policies, and implementing these will likely be one of their top priorities in the coming months.

Survey: Rapid AI Adoption Causes Major Cyber Risk Visibility Gaps

Microsoft kicks off 2026 with 115 security updates, including a fix for an actively exploited zero-day. Protect your Windows and Office systems today.

Microsoft has released its first Patch Tuesday of 2026, delivering a massive wave of security fixes to protect users from various digital threats. This month, the tech giant addressed 115 vulnerabilities, out of which eight are considered Critical, the highest risk level, while 106 are labelled Important.

For those unfamiliar with the term, Patch Tuesday is the day Microsoft regularly releases updates to fix security holes. This January, the updates cover everything from Windows 11 and Microsoft Office to the Edge browser.

****Zero-Day Threats and Active Risks****

One of the most pressing issues is the fix for three zero-day vulnerabilities, which refer to flaws discovered before a fix was ready. These include:

CVE-2026-20805 (Desktop Window Manager): According to data from research firms like Qualys and CrowdStrike, this flaw is already being used by attackers in the wild. It is an information disclosure bug that lets hackers peek at sensitive data in the computer’s memory.

Patches details (Source: Qualys)

Experts warn that it is often used as a stepping stone for deeper attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has urged everyone to apply this patch before February 3, 2026.

CVE-2023-31096 (Agere Soft Modem Driver): Publicly disclosed but not yet seen in active attacks, this flaw allowed hackers to gain full _SYSTEM_ control. Microsoft fixed this by removing the old drivers entirely.

CVE-2026-21265 (Secure Boot): This involves expiring certificates that could let attackers bypass the Secure Boot protection that ensures your computer only starts with trusted software.

****Critical Fixes for Office and Windows****

The update also fixes dangerous Remote Code Execution (RCE) flaws, which, if left unpatched, can allow hackers to run malicious software on your computer from a remote location.

It is worth noting that several bugs, including CVE-2026-20952, CVE-2026-20953 (Office), CVE-2026-20944 (Word), and CVE-2026-20955 (Excel), could allow hackers to take over a computer if a user simply opens a malicious file or views a rigged email in the _Preview Pane._

****Insights from Security Researchers****

In research shared exclusively with Hackread.com, the team at Action1 provided further insights into these risks. Their Director of Vulnerability Research, Jack Bicer, noted that the Windows Graphics bug (CVE-2026-20822) is especially urgent for businesses, as it allows a limited user to escalate their access to full control.

The company further noted in their blog post that even the Windows authentication service, LSASS, was at risk via CVE-2026-20854. As we know it, this service handles passwords, and a flaw here could allow hackers to move through an entire office network. Additionally, CVE-2026-20876 was identified as a critical threat to protected layers of the operating system.

It is worth noting that while 115 fixes might seem overwhelming, most home users will receive these updates automatically. The next round of updates is expected on February 10.

Microsoft January 2026 Patch Tuesday: 115 Vulnerabilities Fixed

Austin, TX / USA, 14th January 2026, CyberNewsWire

**Austin, TX / USA, January 14th, 2026, CyberNewsWire**

**New monitoring capability delivers unprecedented visibility into vendor identity exposures, moving enterprises and government agencies from static risk scoring to protecting against actual identity threats.** 

SpyCloud, the leader in identity threat protection, today announced the launch of its **Supply Chain Threat Protection** solution, an advanced layer of defense that expands identity threat protection across the extended workforce, including organizations’ entire vendor ecosystems. Unlike traditional third-party risk management platforms that rely on external surface indicators and static scoring, SpyCloud Supply Chain Threat Protection provides timely access to identity threats derived from billions of recaptured breach, malware, phished, and combolist data assets, empowering organizations – from enterprise security teams to public sector agencies – to act on credible threats rather than simply observe and accept risk.

Supply Chain Threat Protection addresses a critical gap in enterprise security: the inability to maintain real-time awareness of identity exposures affecting third-party partners and vendors. According to the 2025 Verizon Data Breach Investigations Report, third-party involvement in breaches doubled year-over-year, jumping from 15% to 30% primarily due to software vulnerabilities and weak security practices. As supply chain compromises continue to escalate, security teams need intelligence that goes beyond questionnaires and external scans to reveal active threats like phishing campaigns targeting their trusted partners, confirmed credential theft, and malware-infected devices exposing critical business applications to criminals. 

For government agencies and critical infrastructure operators, supply chain threats present national security risks that demand heightened vigilance. Public sector organizations managing sensitive data and critical services increasingly rely on contractors and technology vendors whose compromised credentials could provide adversaries with pathways into classified systems or essential infrastructure. Last year alone, the top 98 Defense Industrial Base suppliers had over 11,000 dark web exposed credentials – an 81% increase from the previous year. SpyCloud Supply Chain Threat Protection enables federal, state, and local agencies to identify when suppliers or contractors have been compromised – allowing them to take proactive measures before an identity exposure escalates into a matter of national security.

> “Third-party threats have evolved far beyond what traditional vendor assessment tools can detect,” said Damon Fleury, Chief Product Officer at SpyCloud. “Public and private sector organizations need to know when their vendors’ employees are actively compromised by malware or phishes, when authentication data is circulating on the dark web, and which partners pose the greatest real downstream threat to their business. Our new solution delivers those signals by transforming raw underground data into clear, prioritized actions that security teams use to protect their organization.”

Supply Chain Threat Protection enables organizations and agencies to continuously monitor thousands of suppliers, with each company’s threats enumerated in detail, and also represented in an at-a-glance Identity Threat Index. The Index is a comprehensive and continuously updated analysis that quantifies vendor security posture through the lens of identity exposure, from both active and historical phishing, breach, and malware sources, and surfaces which partners pose the most significant risk based on verified dark web intelligence.

**Key Capabilities Include:**

*   **Real Evidence of Compromise:** Timely recaptured identity data from breaches, malware, and successful phishes collected continuously from the criminal underground, with context that gives security teams enhanced visibility into the identity threats facing suppliers today.
*   **Identity Threat Index:** Aggregates multiple verified data sources weighted by the recency, volume, credibility, and severity of compromise, emphasizing verified identity data over static breach records for more robust and real-time visibility into vendor risk.
*   **Compromised Applications**: Identifies the internal and third-party business applications exposed on malware-infected supplier devices to support deeper investigation and risk assessment.
*   **Enhanced Vendor Management and Communications:** Facilitates sharing of actionable evidence and detailed executive-level reports directly with vendors to collaboratively improve security posture, transforming vendor relationships from adversarial scoring to collaborative protection.
*   **Integrated Response:** Leveraging SpyCloud’s console, teams now have access to identity threat protection beyond the traditional employee perimeter with this extension to suppliers, allowing analysts to respond to workforce identity threats within a single tool. 

SpyCloud Supply Chain Threat Protection is designed to support multiple use cases across Security Operations, Infosec, Vendor Risk Management, and GRC teams. Organizations can leverage the solution for vendor due diligence during procurement and onboarding, continuous risk reviews to strengthen vendor relationships, and accelerated incident response when vendor exposures threaten their own environments.

> “Security teams and their counterparts across the business are overwhelmed with vendor assessments, questionnaires, and risk scores that often don’t translate to real prevention,” said Alex Greer, Group Product Manager at SpyCloud. “Our customers have often reported that when they’re evaluating doing business with a new vendor, they lack the actionable data their legal and compliance teams need for evidence-based decision making. That’s where SpyCloud stands out. Surfacing verified identity threats tied directly to vendor compromise, letting teams escalate to leadership when to restrict data access and prioritize efforts for the greatest impact on reducing organizational risk.”

Unlike existing solutions that rely on external surface indicators and static scoring, SpyCloud provides threat data derived from underground sources – the same recaptured darknet identity data that criminals actively use to target organizations and agencies. This fundamental difference enables SpyCloud customers to move from passive risk acceptance to proactive and holistic identity threat protection.

To learn more about defending organizations from the exposures of vendors and suppliers, registration is open for SpyCloud’s upcoming Live Virtual Event, **Beyond Vendor Risk Scores: How to Solve the Hidden Identity Crisis in Your Supply Chain,** on **Thursday, January 22, 2026, at 11 am CT**. 

**About SpyCloud**

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on your company’s exposed data, users can visit spycloud.com.

**Contact**

**Media Specialist**  
**Phil Tortora**  
**REQ on behalf of SpyCloud**  
**\[email protected\]**

SpyCloud Launches Supply Chain Solution to Combat Rising Third-Party Identity Threats

New York, NY, 14th January 2026, CyberNewsWire

**New York, NY, January 14th, 2026, CyberNewsWire**

**Leading secrets security platform sees accelerated adoption across Fortune 500, with 60% of new customers choosing multi-year commitments.**

GitGuardian, the leading secrets and Non-Human Identity security platform, today announced record growth in ARR and customer expansion throughout 2025, reinforcing its position as the enterprise standard for protecting code, collaboration tools, and cloud infrastructure from exposed secrets and credentials.

With 70% of its revenue coming from the US, GitGuardian’s momentum in North America continued to accelerate in 2025, **as the region accounted for over 80% of new ARR**.

**Enterprise Trust & Adoption**

GitGuardian’s momentum was driven by deep adoption among global enterprise customers, including:

*   Deutsche Telekom
*   BASF
*   A leading enterprise cloud platform provider with 25,000+ employees globally headquartered in the USA
*   A major technology-enabled mobility and delivery platform with 30,000+ employees worldwide headquartered in the USA
*   A global pharmaceutical and biotechnology company with 90,000+ employees, headquartered in Europe
*   A major enterprise software vendor with 110,000+ employees
*   Leading financial services cooperative with 55,000+ employees in North America

Demonstrating confidence in GitGuardian’s long-term value, +**60% of new enterprise customers signed multi-year agreements** in 2025.

**Platform Scale & Coverage**

GitGuardian’s Secrets Security platform now protects:

*   **More than 115K developers** across enterprise customers globally.
*   **More than 610K enterprises’ repositories** continuously monitored for exposed secrets.
*   **More than 210K connected collaboration tool sources**, including Slack, Jira, Confluence, and major cloud platforms, this is 7 times 2024 number.
*   More than **16M free users’** **repositories,** 40% more than in 2024.

The platform detected and helped enterprises remediate 350K **new potential secret exposures** in 2025 alone, preventing security incidents before they could impact customers. It also remediated 5x more secrets than in 2024.

**Strong Global & Sector Growth**

The company strengthened its leadership in **Technology & Telecommunications, its core and most mature market**, while achieving **deep adoption across highly regulated industries** including Financial Services, Healthcare, and Insurance, where stringent security and compliance requirements drive platform value.

GitGuardian’s customer base also reflects strong industry diversification, spanning **Energy, Manufacturing, Media, Retail, and Professional Services sectors**.

**Customer Success & Retention**

GitGuardian maintained **industry-leading customer retention**, with customers expanding their use of the platform’s capabilities, including:

*   Digital Ocean
*   Orange

> “GitGuardian Platform has helped save significant time for the security team by eliminating the need to seek out development teams and work with them on exposed secrets, as much of this is now handled proactively.” Ari Kalfus Senior Manager, Product Security at DigitalOcean

> “At the scale of a large enterprise, we wanted to ensure our secrets management approach would meet regulatory standards well ahead of future requirements” Grégory Maitrallain, Solution Architect at Orange Business

**Looking Ahead**

> “Enterprise security teams are recognizing that secrets sprawl across their entire development ecosystem—from code repositories to collaboration tools to AI coding assistants,” said Eric Fourrier, CEO at GitGuardian. “Our customers are not just buying a point solution, but investing in a comprehensive Non-Human Identity security platform that scales with their business, which is why we’re seeing such strong multi-year commitment.”

**About GitGuardian**

GitGuardian is an end-to-end NHI Security platform that empowers software-driven organizations to secure their Non-Human Identities (NHIs) and comply with industry standards. With attackers increasingly targeting NHIs, such as service accounts and applications, GitGuardian integrates Secrets Security and NHI Governance. This dual approach enables the detection of compromised secrets across your dev environments while also managing non-human identities and their secrets’ lifecycles. The platform is the world’s most installed GitHub application and supports over 550+ types of secrets, offers public monitoring for leaked data, and deploys honeytokens for added defense. Trusted by over 600,000 developers, GitGuardian is the choice of leading organizations like Snowflake, ING, BASF, and Bouygues Telecom for robust secrets protection.

**Contact**

**Sr. Partner**  
**Holly Hagerman**  
**Connect Marketing**  
**\[email protected\]**

Source

HackRead