#mac

The complex risks facing modern IT environments make IT security a strategic imperative, not a back-end detail. Furthering this is cloud computing, which serves as the foundation of the AI economy, meaning that enterprises and nations require greater control, transparency, and assurance over data location and protection. Trust has become not just a technical question, but a matter of national policy, corporate strategy, and even societal resilience.At the same time, the explosion of AI and machine learning (ML) workloads is reshaping infrastructure requirements. But these shifts pose a complex

### Summary On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a [Windows batch script](https://en.wikipedia.org/wiki/Batch_file), capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ `nbconvert` searches for an `inkscape` executable when converting notebooks to PDFs here: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104 The MITRE page on [CWE-427 (Uncontrolled Search Path Element)](https://cwe.mitre.org/data/definitions/427.html) summarizes the root cause succinctly: > In Windows-based systems...

This week, Joe laments on 2025, and what we can think of in 2026 in the wild world of cybersecurity.

On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks. The vulnerability is a bug in how Storybook handles environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised. ## Who is impacted? For a project to be vulnerable to this issue, it must: - Build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) - The `.env` file contains sensitive secrets - Use Storybook version `7.0.0` or above - Publish the built Storybook to the web Stor...

### Summary ```tinacms``` uses the ```gray-matter``` package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. ### Details The ```gray-matter``` package executes by default the code in the markdown file's front matter. ```tinacms``` does not change this behavior when process markdown file, e.g., by passing a custom engine property for js/javascript in the options object. ### PoC 1. Create a tinacms app using the cli/documentation: ``` npx create-tina-app@latest ``` 2. Modify one of the blog posts to contain the following front matter: ```js ---js { "title": "Pawned" + console.log(require("fs").readFileSync("/etc/passwd").toString()) } --- ``` 3. Start the tinacms server, e.g., with ```npm run dev``` 4. Observe the console of the server printing the password file, showing that attackers can execute arbitrary commands. ### Impact RCE: attackers can execute arbitrary JavaScript code on th...

North Korea’s Lazarus Group deploys a new BeaverTail variant to steal credentials and crypto using fake job lures, dev tools, and smart contracts.

A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023. "

This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what

Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole

Within the past year, artificial intelligence copilots and agents have quietly permeated the SaaS applications businesses use every day. Tools like Zoom, Slack, Microsoft 365, Salesforce, and ServiceNow now come with built-in AI assistants or agent-like features. Virtually every major SaaS vendor has rushed to embed AI into their offerings. The result is an explosion of AI capabilities across