Security-Portal.cz is an Internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Minimus Unveils New Supply Chain Protection Proxy and Command-Line Interface for Container Management

Computerworld.com [Hacking News] - 1 min 58 sec ago

Cloud software security firm Minimus today expanded its product portfolio with the general availability of Minimus Supply Chain Protection and minicli. The tools introduce a unified approach to managing third-party software risks and container image configurations.

The release of Supply Chain Protection directly targets vulnerabilities found within the application package universe, where interwoven dependencies are frequently maintained by isolated third parties. Operating seamlessly as a pull-through proxy for NPM and PyPI, the solution evaluates public packages based on popularity, commit data, and cooling-off periods before they reach CI/CD pipelines. Platform teams can deploy multiple configurations tailored to the risk tolerances of different development environments.

In tandem, Minimus has launched minicli, a public command-line tool downloadable for macOS and Linux (AMD and ARM). The utility allows developers to inspect custom image structures—including internal file bundles and environment variables—and manage private images directly from the terminal. By converting image recipes into YAML files, teams can easily integrate change controls and automation into their existing technology stacks.

Together with Minimus Images, which eliminate up to 98% of standard container base image vulnerabilities, these updates offer an end-to-end strategy for securing both OS packages and application dependencies.

About Minimus

Minimus delivers a modern foundation for secure container software, open-source dependency management, and software supply chain security. The company was founded in October 2022 by container security pioneers Ben Bernstein, Dima Stopel, and John Morello (co-authors of NIST SP 800-190 and founders of Twistlock) to solve the ongoing operational burden of cloud vulnerability remediation. By engineering high-security container images directly from upstream project sources with only the absolute minimum software required to run, Minimus completely neutralizes 98% of typical cloud software vulnerabilities. Minimus offers a highly scalable, developer-friendly solution that deploys instantly via standard tools, and is backed by a $51M seed investment from YL Ventures and Mayfield. 

Category: Hacking & Security

Gogs patches critical zero-day enabling remote code execution

Bleeping Computer - 49 min 25 sec ago
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones). [...]
Category: Hacking & Security

Critical UniFi OS bug lets hackers gain root without authentication

Bleeping Computer - 1 hour 16 min ago
Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS server to execute remote code with root privileges and without authentication. [...]
Category: Hacking & Security

WWDC: Apple’s AI moment of truth arrives

Computerworld.com [Hacking News] - 1 hour 26 min ago

Everybody is watching to see what comes from Apple at its annual Worldwide Developer Conference (WWDC) today. There’s a great deal at stake, as when it comes to artificial intelligence (AI) today’s event represents an existentially important moment for the company. 

Apple execs absolutely must convince developers, industry watchers, users — all of us — that it has learned from its well-publicized mistakes of the past two years and put together a serious proposition for AI across its platforms.

What we think we know

Right now, we think Apple intends to offer a hybrid of its own self-developed AI tools and services combined with others made with Google Gemini — all supported by an open approach to using AI services from third-party providers such as Anthropic or OpenAI. 

When it comes to implementation, this should mean a contextually sensitive Siri that can respond to what you have on the screen of your device, or in the viewfinder of your camera app. The idea here is that you’ll be able to do contextual tasks like book restaurants or send a message to your granny, translate a sign, or even navigate around a room. More than this, you should also be able to combine tasks giving Siri complex — agentic AI — tasks it can then transact on your behalf.

Many of these functions will take place on device. Some will rely on Apple’s own fleet of Private Cloud Compute servers, supported by additional capacity from Google and Nvidia. When Apple Intelligence/Google Gemini can’t accomplish a task, you’ll be able to request that another service handle it on your behalf outside Apple’s managed garden. Siri itself will also gain a brand new interface.

What developers expect and how we got here

As discussed here, developers expect Apple will make many of its new Apple Intelligence APIs available to them. This will let them deploy useful functionality in their apps at no charge, in part because the intelligence takes place on the device.

It will also be possible for developers to permit their apps to run without being opened, which means a user should be able to ask Siri to do complex tasks that also include functionality from their apps. During this past weekend, we were warned that some or all of the new Siri functionality might be introduced on a staggered basis using a waiting list.

Apple has come a long way since that tense meeting in early 2025 when the company’s senior leadership established a new approach to AI. With Apple CEO Tim Cook taking an uncharacteristic interest in driving his teams to pull their act together, Apple developed a new, partnership-based approach to try to recapture lost ground.

Has Apple achieved it? That’s the test

Has Apple finally regained the initiative?

To a great extent, that will be the big focus across the industry once the company tells us what it’s done. Cook’s final WWDC as CEO sees a company at the absolute top of its game in so many ways, including soaring Mac sales. But to some extent he will be judged on how successfully Apple’s AI pivot comes across.

Weekend analyst notes summed up the divide, with bears and bulls each weighing in. In one camp, you’ll find the true believers who argue that if Apple does come to us with something convincing, it has a chance to absolutely dominate consumer AI. “Siri/Apple Intelligence 2.0 has the potential to become the ultimate AI resource offload and deliver a form of Agentic AI to the consumer at a lower cost than incumbents,” said Morgan Stanley analyst Eric Woodring.

Cynics, however, warn that Apple really must demonstrate the kind of contextual, agentic AI it first announced (and failed to ship) two years ago; they want a chatbot with muscle, and will see right through any attempt to place a PR veneer over something weaker than what others already provide. If Apple fails to deliver on this, it can expect its stock to be utterly savaged over the next few days, though some analysts believe that Apple’s previous missteps mean the damage is already priced in.

A chance to shine, but can it?

Ultimately, of course, in addition to convincing industry watchers, Apple will need to find a way to deliver the kind of AI power consumers have been told to expect — while also protecting privacy. If it does get that right, particularly if it truly exploits its powerful hardware to ensure the most common tasks take place directly on the device, it has a major opportunity to deliver a form of Agentic AI at a lower cost than incumbents can. And it can do so while leaving the core AI bubble to burst as and when it will.

Will Apple succeed? We’ll know in a few hours, when you should check back for first takeaways on what Apple has to share. Join me on the Core for the headline summaries.

You can follow me on social media! Join me on BlueSky, LinkedIn, Mastodon and The Core.

Category: Hacking & Security

Cron Job Abuse For Linux Persistence Mechanisms Detection

LinuxSecurity.com - 2 hours 26 min ago
A Linux server gets cleaned up after an intrusion. The suspicious process is terminated, credentials are rotated, and the system is rebooted during maintenance. Everything seems secure. A few hours later, the same outbound connection appears again.
Category: Hacking & Security

Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups

The Hacker News - 2 hours 50 min ago
Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol. The vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user [...]
Category: Hacking & Security

IronWorm Supply Chain Threat from Linux Credential Theft

LinuxSecurity.com - 2 hours 53 min ago
IronWorm steals credentials and uses them to spread beyond the original victim, turning developer access into a supply chain risk.
Category: Hacking & Security

Reducing security operations complexity with Wazuh Cloud

Bleeping Computer - 3 hours 6 min ago
Security teams are increasingly overwhelmed by alert fatigue, infrastructure maintenance, and complex hybrid environments. This article explores how Wazuh Cloud helps simplify SIEM/XDR operations through managed infrastructure, automated scaling, and AI-driven security analysis. [...]
Category: Hacking & Security

AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload

The Hacker News - 3 hours 48 min ago
Phishing has always been a numbers game. AI has turned it into a volume machine. Attackers can now create convincing emails, fake login pages, and tailored lures in minutes. Every polished message adds another case for Tier 1 to review, another link to inspect, and another alert that cannot be dismissed at a glance. As the queue grows, a credential theft attempt or malware delivery can easily [...]
Category: Hacking & Security

⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More

The Hacker News - 3 hours 49 min ago
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked. A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and [...]
Category: Hacking & Security

Check Point links VPN zero-day attacks to Qilin ransomware gang

Bleeping Computer - 4 hours 2 min ago
Israeli cybersecurity company Check Point has released security updates to patch a critical flaw affecting Remote Access VPN and Mobile Access deployments, which was exploited in zero-day attacks. [...]
Category: Hacking & Security

The Hardest Fork

The Hacker News - 5 hours 15 min ago
Mythos is real. I know a big chunk of the industry thinks it's a marketing stunt, and I get why. I get it. But I've seen the findings, and they're bad. These aren't "whoops, this line right here is wrong, and that's RCE." They're novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It's real creativity, [...]
Category: Hacking & Security

EU’s cloud sovereignty push leaves room for US hyperscalers

Computerworld.com [Hacking News] - 5 hours 22 min ago

The European Commission published its tech sovereignty package last week, including the clearest signal yet of its intention to strengthen European cloud sovereignty and reduce its dependence on US hyperscalers.

It’s a response to growing concerns among European organizations and regulators about the reliance on US tech firms and legislation such as the US CLOUD Act, which could give US officials access to data — even if it is stored in Europe.

But any shift toward local, sovereign cloud providers will necessarily be gradual, analysts said, as the Cloud and AI Development Act (CADA) proposals leave plenty of room for US providers to continue supplying cloud computing services to European public sector customers.

“The direction is right. The execution will be slow,” said Fernando Pereiro, senior director analyst at Gartner.

While the Commission has correctly identified areas where the EU is most dependent on foreign providers, delivering on its ambitions is another challenge, he said. Scaling alternatives to US suppliers “takes time, capital, and coordination at a level that is difficult to sustain in Europe.”

Dario Maisto, senior analyst at Forrester, played down the prospect of a major short-term shift towards European cloud providers as a result of the CADA proposals, even after recent interest in local European vendors for mission-critical workloads and highly sensitive data.

“I do not expect an immediate impact on the cloud infrastructure market,” Maisto said. “Full-blown migrations are costly and take several years. They are not going to happen in the near future.”

Instead, Pereiro expects the gradual emergence of “sovereign enclaves” or controlled environments for sensitive workloads, particularly in government and regulated sectors. “Outside of those areas, the market will remain global, but increasingly shaped by European rules,” he said.

Nevertheless, the three US hyperscalers that account for around 70% of the European cloud market — Amazon Web Services (AWS), Google, and Microsoft — will likely see a more competitive environment.

“The real shift is symbolic and structural: hyperscalers move from being the default choice to one option among others, and their competitiveness will increasingly depend on how well they align with European control requirements, not just on technology or price,” said Pereiro.

What is CADA and what could it mean for Europe’s cloud market? 

CADA is part of a range of policy and legislative proposals — known as the Tech Sovereignty Package — published by the Commission, alongside Chips Act 2.0, the Open Source Strategy, and Strategic Roadmap for Digitalization and AI in Energy.

CADA includes measures to boost European tech sovereignty. Among other things, it aims to triple data center capacity in the next five to seven years by easing restrictions on new infrastructure projects across the EU, as well as efforts to support research and development of cloud and AI technologies.

It also includes a sovereignty framework that, if enacted, would require EU public bodies to assess sovereignty risks and procure cloud services that meet four assurance levels.

The various levels portray “a political vision with many open questions,” said Maisto. In more detail:

  • Level 1 requirements are achievable by hyperscalers, Maisto said, with requirements focused mostly on data residency. 
  • Level 2 is “more controversial,” he said, as it includes requirements around third-country access to data and disruption of services.
  • Level 3 leaves room for US providers to win procurement contracts — particularly where they enter a joint venture with a European cloud provider such as S3NS, a Thales subsidiary that has partnered with Google.
  • Level 4 applies to only a small proportion (1%) of the most sensitive workloads.

The first two levels could be open to US hyperscalers, said Maisto, with 70% of existing EU public sector workloads falling under Level 1 and 20% at Level 2, according to the Commission’s own impact assessment. Just 9% of the workloads would require Level 3.

The most stringent Level 4 would require cloud providers that “have full transparency and control over their software supply chain and no interference from a third country,” the Commission said.

For public sector organizations, the CADA rules could create more clarity around procurement, said Pereiro. “Today, the concept of ‘sovereign cloud’ is often vague and inconsistently applied in providers’ marketing and messaging,” he said. “This package standardizes what sovereignty must look like in practice, effectively ending the era of ‘sovereign washing.’”

The proposals give public sector organizations a “stronger set of requirements with which to assess risk, especially around jurisdiction and access to data,” he said.

“For enterprises, it’s less about regulation and more about leverage,” said Pereiro. “They gain clearer benchmarks and more viable alternatives, particularly through open source and emerging European providers.”

European cloud industry sees ‘a step in the right direction’

The Cloud Infrastructure Services Providers in Europe (CISPE) — a nonprofit trade group — welcomed the “strong definitions” of Levels 3 and 4, and said that, if implemented well, the proposed rules could “help to challenge the commercial dominance of established foreign cloud and AI vendors.”

However CISPE also called the current Level 1 and 2 criteria “confusing and non-sensical,” and said they should not be designated as “sovereign” since US hyperscalers can meet the requirements. “This will continue to confuse the market, both public and private customers, and encourage more sovereignty washing attempts,” CISPE said in a blog post Thursday.

CISPE also said the proposals fail to require public authorities to check whether a European service exists before opting for a foreign supplier. “We see a significant risk that assessments become a ‘rubber-stamp’ exercise that allow IT departments to continue to buy non-sovereign services out of convenience,” the organization said.

French firm OVHcloud — one of the leading European cloud computing and web hosting companies — welcomed the proposals, though it said any rules must be carefully scoped to ensure they are effective.

“This text is a step in the right direction and represents an opportunity to strengthen European strategic autonomy — something unthinkable just a few years ago,” an OVHcloud spokesperson said. “It provides a useful framework, but one that must not leave too much room for exceptions and workarounds. 

“Europe must and can move much faster, with very clear rules and a genuine European preference. Beyond this text, the Commission has demonstrated with its sovereign procurement call that it is possible to act right now to reduce critical dependencies. The time for waiting is over. We must accelerate. We must clarify. We must own it. 

“Europe has the players and the expertise,” the spokesperson said. “It is time to turn political ambition into European industrial capability.”

The overall tech sovereignty package “marks the overdue shift from diagnosis to treatment,” said a spokesperson at Ionos, a German cloud and hosting company. Ionos pointed to the EC’s claims that more than 80% of digital products, services and infrastructures in the EU originate from non-European providers, while 264 billion euros flow from EU organizations into predominantly US-based IT products.

“This is a strategic failure that must now be corrected,” the spokesperson said. While the company applauded the Commission’s focus on “secure and sovereign cloud and AI infrastructure for highly critical use cases,” it argued the CADA proposals fall short. “The central weakness of the package: the approach remains predominantly supply-side. The decisive lever — the demand side — is missing. Public procurement is the most powerful instrument for digital sovereignty. The public sector as anchor customer is critical for scaling sovereign cloud and AI solutions.

“Europe will remain dependent on Nvidia and AMD for GPU computing,” the spokesperson said. “What matters is not whether to cooperate, but on what terms: data under European law, operations by European providers, no extraterritorial access. … If EU funding earmarked for ‘sovereign cloud’ ends up with the European subsidiaries of US hyperscalers, the package will have failed its objective.”

The real impact on hyperscalers

The proposed rules could require hyperscalers to change tactics to cater to European customers, or to at least ramp up existing sovereign cloud strategies. “For vendors, this is essentially a shift in what ‘competitive’ means,” said Pereiro. “For the last decade, scale and hyperscaler alignment were enough. That’s no longer the case.”

Cloud providers will need to demonstrate real control over data, infrastructure, and operations, he said, and not just label solutions as “sovereign.”

“The bar has been raised, and some existing offerings simply won’t clear it,” he said.

While the CADA rules are designed to favor European providers in some cases, the proposals stop short of barring US providers from public sector contracts. “It doesn’t shut them out,” said Pereiro, “but it changes competitive conditions substantially.”

The proposed procurement requirements make sovereignty a “gating factor” for sensitive workloads, said Pereiro, and “create real friction for providers whose operating models depend on centralized control or non-EU jurisdiction.”

US tech firms tout support

US hyperscalers publicly welcomed the proposals, and indicated plans to work with policymakers and to stress the importance of customer choice in cloud service procurement.

“We look forward to reviewing the proposed rules and continuing to work alongside our partners to ensure European organizations have the power of choice and sovereign control,” a Google spokesperson said.

An AWS spokesperson said the company has invested “tens of billions of euros” in European cloud infrastructure, which it claims has “already advanced the continent’s competitiveness, helped organizations innovate and grow, and supported the development and resilience of both public and private services that Europeans now rely on every day.

“European organizations deserve access to the best technology available from trusted providers, chosen on the basis of security, performance, verifiable controls, and value,” the AWS spokesperson said. “We look forward to working with policymakers to ensure the Cloud and AI Development Act promotes technology choice and rewards long-term investment in Europe’s digital future.”

A Microsoft spokesperson said the company shares the EU’s “ambition to strengthen technological sovereignty and global competitiveness in AI, grounded in openness, partnership and fair competition.

“Achieving this will depend on access to world-class infrastructure and technologies at scale,” the Microsoft spokesperson said. “That means enabling European companies and public administrations to make procurement choices based on a broad, risk-based assessment in an open and competitive market.

“Microsoft offers secure and sovereign cloud solutions that put customers in control, and we stand ready to help build a strong, resilient and globally connected AI ecosystem in Europe.”

While the proposals present potential hurdles for US hyperscalers, those that adapt to the new regulatory direction — and concerns of European organizations — will benefit, said Pereiro. “If your offering aligns with sovereignty requirements, your company will be likely to see more opportunities, not fewer,” he said.

Category: Hacking & Security

Oxford University discloses data breach after careers platform hack

Bleeping Computer - 5 hours 53 min ago
The University of Oxford disclosed a new data breach last week after being informed by its third-party provider, Group GTI, that its CareerConnect career services platform had been compromised. [...]
Category: Hacking & Security

VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances

The Hacker News - 6 hours 40 min ago
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems. The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), [...]
Category: Hacking & Security

UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign

The Hacker News - 9 hours 28 min ago
Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026. The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as [...]
Category: Hacking & Security

VS Code Adds 2-Hour Extension Auto-Update Delay to Limit Supply Chain Attacks

The Hacker News - 10 hours 59 min ago
Microsoft has announced that Visual Studio Code (VS Code) will apply a two-hour delay before extensions for the integrated development environment (IDE) are updated automatically to a newer version in an attempt to tackle software supply chain threats. "When automatic updates are enabled, new versions are auto-updated two hours after they are published, adding an extra layer of protection [...]
Category: Hacking & Security

Over 20,000 Instagram accounts stolen in Meta AI support hack

Bleeping Computer - 11 hours 7 min ago
Meta has revealed that 20,225 Instagram users had their accounts hijacked in a recent incident where attackers used Meta's AI-powered support system to reset passwords. [...]
Category: Hacking & Security

Hands on with Intelligent Terminal, an AI-powered Windows Terminal

Bleeping Computer - 17 hours 48 min ago
Microsoft has created an open-source fork of Windows Terminal called "Intelligent Terminal," and it allows you to use AI directly inside Terminal without interfering with the regular session. [...]
Category: Hacking & Security

C0XMO botnet spreads via DD-WRT router flaw, kills rival malware

Bleeping Computer - 7 June 2026 - 16:17
A new variant of the Gafgyt botnet called C0XMO is targeting DD-WRT router firmware and can move to other device types with various CPU architectures. [...]
Category: Hacking & Security