Security Boulevard

An analysis of cybersecurity attacks published today by the X-Force arm of IBM finds there was a 44% increase in the exploitation of public-facing applications in 2025. More troubling still, out of the 40,000 vulnerabilities tracked by IBM X-Force, more than half (56%) didn’t require any type of authentication for an attacker to bypass before..

The post IBM X-Force Report Surfaces Increased Exploitation of Public-Facing Apps appeared first on Security Boulevard.

Master granular policy enforcement for decentralized MCP resource access using post-quantum cryptography and 4D security frameworks to protect ai infrastructure.

The post Granular Policy Enforcement for Decentralized MCP Resource Access appeared first on Security Boulevard.

What Are Non-Human Identities and Why Are They Crucial for Identity Security? A pressing question is: how does one secure machine identities to ensure robust identity security across industries? The answer lies in understanding and effectively managing Non-Human Identities (NHIs). Machine identities, or NHIs, are digital or machine representations that provide authentication and access rights […]

The post How free are industries to implement Agentic AI for identity security appeared first on Entro.

The post How free are industries to implement Agentic AI for identity security appeared first on Security Boulevard.

How Can Organizations Manage Non-Human Identities for Enhanced Cloud Security? Is your organization effectively managing the surge in non-human identities (NHIs) within your cybersecurity? Understanding NHIs involves recognizing their pivotal role in safeguarding data security, especially. While industries like financial services, healthcare, travel, and DevOps teams increasingly rely on machine identities, securing these NHIs becomes […]

The post How adaptable is Agentic AI to evolving compliance regulations appeared first on Entro.

The post How adaptable is Agentic AI to evolving compliance regulations appeared first on Security Boulevard.

How Safe Are Your Machine Identities in a Secure Cloud Environment? Can you confidently say that your organization’s machine identities are impenetrable? Non-Human Identities (NHIs) are at the forefront of conversations about protecting digital assets in secure cloud environments. These machine identities, a complex combination of encrypted passwords, tokens, or keys, represent both a challenge […]

The post How impenetrable are NHIs in secure cloud environments appeared first on Entro.

The post How impenetrable are NHIs in secure cloud environments appeared first on Security Boulevard.

What Role Do Non-Human Identities Play in Enhancing Cybersecurity? How can organizations effectively manage and secure the growing number of non-human identities (NHIs) their systems rely on? NHIs, which are essentially machine identities, are becoming increasingly significant with companies shift more operations onto the cloud. But how can businesses ensure these identities remain protected against […]

The post Is secrets sprawl management getting better with Agentic AI appeared first on Entro.

The post Is secrets sprawl management getting better with Agentic AI appeared first on Security Boulevard.

Nisos
Operation Red Card 2.0: Cybercrime Disruption

On February 18, 2026, INTERPOL announced the results of Operation Red Card 2.0, a sweeping multinational law enforcement action targeting online scams across sixteen African countries...

The post Operation Red Card 2.0: Cybercrime Disruption appeared first on Nisos by Nisos

The post Operation Red Card 2.0: Cybercrime Disruption appeared first on Security Boulevard.

 

The post Legit License Scanning and Policy Enforcement appeared first on Security Boulevard.

 

The post Software License Scanning vs. Manual License Review: The True Cost of Compliance appeared first on Security Boulevard.

Tenable Research investigated a malicious npm package with around 50,000 downloads in the public registry. We observed various detection-evasion techniques and saw it deploy multiple powerful open-source malware variants.

Key takeaways

1. A single malicious npm package reached 50,000 downloads in days, highlighting the speed at which supply chain risks propagate.
2. This attack confirms that npm install is a high-risk action. Malicious preinstall scripts can trigger full system compromise without the developer ever importing or invoking the infected code.
3. Attackers are successfully using open-source malware to gain immediate, high-level controls of compromised hosts.

Introduction 

Tenable Research has conducted an in-depth analysis of a malicious package in the npm public registry called “ambar-src” that was downloaded around 50,000 times before it was removed.

It employs multiple techniques to evade detection, and drops open-source malware with advanced capabilities, targeting developers on Windows, Linux and macOS hosts.

The package was first uploaded on February 13th, and npm users started downloading it right away. A new version containing malicious code was published on February 16th.

Unlike other supply chain attacks targeting the npm registry, such as s1ngularity and Shai-Hulud, in which legitimate packages were compromised, “ambar-src” doesn’t have any valid use cases, meaning all versions of this package must be treated as malicious.

FAQ What kind of security incident is this?

A malicious npm package was recently uploaded to the npm public registry. The package contains verified malicious code.
The package stealthily executes malicious code during the installation process. It also uses multiple detection evasion techniques, and drops a payload, based on the victim's operating system.

The only initial access vector we have identified is typosquatting of popular npm packages, most likely attempting to mimic the popular package “ember-source”, which has over 11 million downloads.

Unlike security vulnerabilities, which are a potential weak spot or software flaw that might be exploited, a malicious package is a confirmed attack containing harmful code, signifying an immediate security breach.

How to know if I am affected?

To determine if you are affected, inspect your environment for the presence of the “ambar-src” package.

The presence of the package in the filesystem likely means that it was installed using the npm package manager, and therefore, infected the relevant host.

That’s why you should treat any system where it is found as fully compromised, and apply relevant incident response and containment playbooks.

Please refer to the last section of the blog for additional IOCs and details about how Tenable can help you protect yourself.

How does the malware run code?

It abuses npm's preinstall script hook, which is a lifecycle script defined in “package.json” that executes during the package-installation process. 

This means that merely running “npm install ambar-src” (or resolving it as a dependency) is sufficient to trigger the malicious payload, requiring no explicit import or invocation of the package's code by the victim. 

The preinstall script is a file that is part of the npm package itself - “index.js”. It contains a log of legitimate code and various string manipulation utilities, or arithmetic operations utility functions.

However, at the same time it contains code that launches an OS-specific one-liner that kicks off the full infection chain. The one-liner is hex-encoded to make detection and analysis of the malicious code harder.
 

 

What payload does the malware install?

After the malicious package executes code using a preinstall script, it executes a one-liner shell command that differs based on the operating system the host is running.

In all operating systems, that one-liner is fetching another loader from a remote server and executing it.

For Windows systems, the decoded one-liner looks like this. As you can see, it also uses x-ya[.]ru to download the payload:
 

It downloads and executes a file called “msinit.exe”. It is a fairly small payload of only 400kb.

“msinit.exe” contains encrypted shellcode that is decoded and loaded into memory upon execution of “msinit.exe”.

In Linux systems, although the malicious code identifies the victim’s Linux architecture, it deploys the same one-liner regardless.

Here’s how the decoded hex string one-liner looks like:
 

The one-liner fetches a bash script from x-ya[.]ru and executes it. The bash script that is fetched from the remote URL looks like this:
 

This follows a similar pattern of fetching a payload from a remote server and executing it. However, in this case the malware is fetching an ELF binary from the remote URL, and saving it to the disk as “osa”, and then executing it.

During our own analysis, we identified another Linux ELF file in the memory of “osa” with the hash 83e131a2761d6f3a5636cf329182242a927a618174dd440989dc9286be4edeac
 

Please note that this is an ELF executable file, and not a Windows EXE file as the name suggests.

The binary can be identified as a client of “github.com/NHAS/reverse_ssh”, a reverse shell written in Golang, by inspecting the Golang build metadata: 
 

For macOS systems, the initial hex encoded command line looks like this:
 

It follows a similar pattern by fetching a script from a remote URL and executing it, all while using “nohup” to prevent the malicious code from blocking the installation process. 
The remote URL contains the following script, again fetching a JavaScript payload from a remote URL and executing it using “osascript”

“osascript” is a utility that comes with every macOS computer and that can be used to execute AppleScript or JavaScript for different purposes.

The file that is then fetched from the remote URL (a5aef90) is big, considering it is a JavaScript file: 500kb.

That file is the Apfell payload, which is part of the MythicAgents family of open-source payloads. 
Apfell is written in JavaScript specifically for macOS, and comes with a large set of impressive capabilities including:

• Basic reconnaissance
• Screenshot collection
• Theft of Google Chrome data
• Opening of fake password prompts

How does the malware exfiltrate data?

The initial infection uses the domain “x-ya[.]ru” to download the malicious payloads.
However, after the initial infection, all the different payloads communicate with function.yandexcloud[.]ru.

This is a well known technique (MITRE “Web Service T1102”), where malware uses well-known web services as a command-and-control relay. This technique makes the traffic looks more legitimate and less likely to be blocked by corporate network security solutions.

When did this security incident begin?

The package was first uploaded to the npm public registry on February 13th. However, the first versions of the malware didn’t contain any malicious code. Three days later, specifically at 2026-02-16 12:18:45 UTC, a new version of the package containing malicious code was uploaded to the public registry.

Is it linked to other campaigns?

JFrog Research recently published a blog about a similar malicious package called “eslint-verify-plugin” that was published in a similar timeframe as “ambar-src”.

From our analysis, “ambar-src” looks more mature than “eslint-verify-plugin”, and uses a couple of techniques to make detection harder:

• Hex encoding the malicious command strings
• Publishing multiple versions of the package without any malicious code
• Gaining almost 30k downloads, before publishing the malicious code
• Including legitimate code as part of the package to masquerade the malicious code

In addition, it contains a payload targeting Windows hosts.

What is the impact on a victim of this attack?

If this package is installed or running on a computer, that system must be considered fully compromised. Immediate action is required: all stored secrets and keys on the affected machine should be rotated from a separate, secure computer. 
While the package should be removed, please be aware that because an external entity may have gained full control of the computer, removing the package does not guarantee the elimination of all resulting malicious software.

Has npm addressed this malicious package?

npm removed the package from the public registry at 2026-02-16 17:02:44 UTC, less than five hours after the first version containing the malicious code was published.
In addition, a GitHub Advisory (GHSA), marking this package as malicious, was published.

Do end users need to take any steps to address this in their environment?

End users should check for the presence of the malicious package in their environment using the IOCs we provided.

Which Tenable product can be used to address this security incident and how can it be used to do so? 

Tenable Cloud Security can be used to detect the presence of the malicious package in your cloud environment.

You can do this using the “software” page and looking for a software item with the name “ambar-src”.
 

Any workload with the “ambar-src” package should be considered compromised.

IOCs Type IOC Description Package name ambar-src Name of malicious npm package filename msinit.exe Windows Payload sha256 9b76e275d989ebc3b43911a5e1d2b64ef9544a6b1dbc69a3412bd0ccadaed567 msinit.exe filename f8ca2c8d74f0785c549f09c36147cd0e Linux shell script sha256 8963568963f770e237bff2b228106e4ce7ebb0a1af0e0cf7b26028bdc8515bc5 Linux shell script called “f8ca2c8d74f0785c549f09c36147cd0e” sha256 83e131a2761d6f3a5636cf329182242a927a618174dd440989dc9286be4edeac Linux payload called “osa” sha256 1e6fa5021db4dd40b571cc4e654a71c22d0f607d13fb8a4a5a46a64060f3071e Linux payload of type “NHAS/reverse_ssh” filename 9a8c2a83f66f49b88e36d28894a34009 Mac shell script sha256 521ade4aeb95039e1712f8284eba333199fc819f1e0f9db41d6bc9849b131109 Mac shell script called
“9a8c2a83f66f49b88e36d28894a34009” filename a5aef90 Mac javascript payload sha256 492f2366ece5c544a4062da14da5883bc825d6f2bc58cda975799dca9f85b150 Mac javascript payload called “a5aef90” domain x-ya[.]ru Domain from which malicious payloads are fetched url https://functions.yandexcloud.net/d4eblscvbp200glhmmcoePl C2 communications url url https://functions.yandexcloud.net/d4eblscvbp200glhmmco0l C2 communications url url https://functions.yandexcloud.net/d4eblscvbp200glhmmcopl8 C2 communications url url https://functions.yandexcloud.net/d4eblscvbp200glhmmco C2 communications url Conclusion

We are seeing a rise in the malicious npm packages and supply chain attacks targeting the npm ecosystem, and their sophistication level.

In this blog we have reviewed the malicious package "ambar-src", that despite only being available in the public registry for three days, was downloaded over 50,000 times.

This malicious npm package used a preinstall script to execute code during the installation process. This is a very common technique used by malicious npm packages, and we expect to see more of these in the future.

We identified several intriguing detection evasion techniques used by this malware. In addition we observed it deploying various sophisticated open-source payloads tailored to the host's operating system. 

Although their capabilities differed, each payload was very powerful, potentially leading to a complete compromise of the infected host and subsequent network pivoting.

Learn more about Tenable Cloud Security

The post New Malicious npm Package “ambar-src” Targets Developers with Open Source Malware appeared first on Security Boulevard.

As one of the most popular open-source databases, widely used for web applications, MySQL is no stranger to PII and sensitive data. At the same time, its users need production-like data for effective development and testing. Here are the challenges involved in anonymizing MySQL databases and solutions for tackling them.

The post Generating high quality test data for MySQL through de-identification and synthesis appeared first on Security Boulevard.

Figuring out how to dockerize and seed your development mongoDB database for consistent replication across environments might not seem so straightforward. Check out this tutorial highlighting learnings that have worked for Tonic!

The post Dockerize Mongo to get consistent data across your development environments appeared first on Security Boulevard.

Session 13C: Side Channels 2

Authors, Creators & Presenters: Ruixuan Li (Choudhury), Chaithanya Naik Mude (University of Wisconsin-Madison), Sanjay Das (The University of Texas at Dallas), Preetham Chandra Tikkireddi (University of Wisconsin-Madison), Swamit Tannu (University of Wisconsin, Madison), Kanad Basu (University of Texas at Dallas)

PAPER
Crosstalk-induced Side Channel Threats in Multi-Tenant NISQ Computers

As quantum computing rapidly advances, its near-term applications are becoming increasingly evident. However, the high cost and under-utilization of quantum resources are prompting a shift from single-user to multi-user access models. In a multi-tenant environment, where multiple users share one quantum computer, protecting user confidentiality becomes crucial. The varied uses of quantum computers increase the risk that sensitive data encoded by one user could be compromised by others, rendering the protection of data integrity and confidentiality essential. In the evolving quantum computing landscape, it is imperative to study these security challenges within the scope of realistic threat model assumptions, wherein an adversarial user can mount practical attacks without relying on any heightened privileges afforded by physical access to a quantum computer or rogue cloud services. In this paper, we demonstrate the potential of crosstalk as an attack vector for the first time on a Noisy Intermediate Scale Quantum (NISQ) machine, that an adversarial user can exploit within a multi-tenant quantum computing model. The proposed side-channel attack is conducted with minimal and realistic adversarial privileges, with the overarching aim of uncovering the quantum algorithm being executed by a victim. Crosstalk signatures are used to estimate the presence of CNOT gates in the victim circuit, and subsequently, this information is encoded and classified by a graph-based learning model to identify the victim quantum algorithm. When evaluated on up to 336 benchmark circuits, our attack framework is found to be able to unveil the victim's quantum algorithm with up to 85.7% accuracy.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

The post NDSS 2025 – Crosstalk-induced Side Channel Threats In Multi-Tenant NISQ Computers appeared first on Security Boulevard.

To protect private information stored in text embeddings, it’s essential to de-identify the text before embedding and storing it in a vector database. In this article, we'll demonstrate how to de-identify and chunk text using Tonic Textual, and then easily embed these chunks and store the data in a Pinecone vector database to use for semantic search in RAG or other LLM applications.

The post How to create de-identified embeddings with Tonic Textual & Pinecone appeared first on Security Boulevard.

Preparing the data for use with generative AI tools is a major impediment that affects time-to-value for enterprise AI use cases. We've expanded Tonic Textual’s functionality to take your unstructured data from raw to AI-ready in just a few minutes, while you ensure that sensitive data is protected.

The post Creating unstructured data pipelines for retrieval augmented generation appeared first on Security Boulevard.

WILMINGTON, Del., Feb. 24, 2026, CyberNewswire — Sendmarc has released a new fireside chat featuring Todd Herr, Principal Solutions Architect at GreenArrow Email and co-editor of DMARCbis, on the upcoming update to DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Led … (more…)

The post News alert: Sendmarc highlights impact of DMARC update on evolving email security standards first appeared on The Last Watchdog.

The post News alert: Sendmarc highlights impact of DMARC update on evolving email security standards appeared first on Security Boulevard.

Authors, Creators & Presenters: Shichen Zhang (Michigan State University), Qijun Wang (Michigan State University), Maolin Gan (Michigan State University), Zhichao Cao (Michigan State University), Huacheng Zeng (Michigan State University)

PAPER
RadSee: See Your Handwriting Through Walls Using FMCW Radar

This paper aims to design and implement a radio device capable of detecting a person's handwriting through a wall. Although there is extensive research on radio frequency (RF) based human activity recognition, this task is particularly challenging due to the through-wall requirement and the tiny-scale handwriting movements. To address these challenges, we present RadSee---a 6 GHz frequency modulated continuous wave (FMCW) radar system designed for detecting handwriting content behind a wall. RadSee is realized through a joint hardware and software design. On the hardware side, RadSee features a 6 GHz FMCW radar device equipped with two custom-designed, high-gain patch antennas. These two antennas provide a sufficient link power budget, allowing RadSee to "see'' through most walls with a small transmission power. On the software side, RadSee extracts effective phase features corresponding to the writer's hand movements and employs a bidirectional LSTM (BiLSTM) model with an attention mechanism to classify handwriting letters. As a result, RadSee can detect millimeter-level handwriting movements and recognize most letters based on their unique phase patterns. Additionally, it is resilient to interference from other moving objects and in-band radio devices. We have built a prototype of RadSee and evaluated its performance in various scenarios. Extensive experimental results demonstrate that RadSee achieves 75% letter recognition accuracy when victims write 62 random letters, and 87% word recognition accuracy when they write articles.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – RadSee: See Your Handwriting Through Walls Using FMCW Rada appeared first on Security Boulevard.

OAuth is a commonly used authorisation framework, that allows websites and web applications to request limited access to a user’s account on another application. Users can grant this limited access to their account, without ever needing to expose their password with the requesting website or application.  This is commonly seen with sites that allow you…

The post OAuth security guide: Flows, vulnerabilities and best practices appeared first on Sentrium Security.

The post OAuth security guide: Flows, vulnerabilities and best practices appeared first on Security Boulevard.

Ofcom and the Information Commissioner's Office respectively fined a US porn company and Reddit for failing to protect children online.

The post Reddit, porn sites fined by UK regulators over children’s safety and privacy appeared first on Security Boulevard.

Los Angeles County sued the online gaming platform Roblox for its alleged failure to protect children from danger.

The post Roblox gives predators “powerful tools” to target children, says LA County appeared first on Security Boulevard.