惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

Sysdig Blog

Masterclass: AI is more than ChatGPT and LLMs CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace Kubernetes 1.36 - New security features 5 steps to securing AI workloads Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours Security briefing: March 2026 The Sysdig MCP server is now available in AWS Marketplace Risk isn’t reduced until you take action: How teams resolve issues in the cloud AI infrastructure security: Why it deserves its own category Three pillars for building effective runtime-powered cloud defense, the right way Closing the cloud security gap with runtime security Seeing risk isn’t stopping it: Why visibility alone isn’t enough TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions AI coding agents are running on your machines — Do you know what they're doing? Runtime security for AI coding agents: Protecting AI-assisted development How runtime insights power every cloud security use case CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours Inline Cloud Response: Accelerating AWS threat containment for SOC teams Runtime malware detection for AWS Fargate Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes Malware detection with Sysdig Security briefing: February 2026 Leveling up Kubernetes Posture: From baselines to risk-aware admission Eliminating runtime blind spots: How CleanStart and Sysdig build continuous trust across the container lifecycle LLMjacking: From Emerging Threat to Black Market Reality Real risks live at runtime: Why CISOs must care about deep telemetry in 2026 Sysdig named a Leader in the Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 How to run rootless containers AI-assisted cloud intrusion achieves admin access in 8 minutes Security briefing: January 2026 Securing GPU-accelerated AI workloads in Oracle Kubernetes Engine Bringing OSS runtime security to AWS: Falco integration with AWS Security Hub CSPM Our customers have spoken: Sysdig rated a Strong Performer in Gartner® Voice of the Customer for Cloud-Native Application Protection Platforms Protecting sensitive business data in preparation for the organization's Gen AI VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits AI is still a workload: A practical guide to securing AI workloads How threat actors are using self-hosted GitHub Actions runners as backdoors How Sysdig Sage delivers AI-powered, real-world vulnerability management Top 10 ways to get breached in 2026 EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2 Introducing runtime file integrity monitoring and response with Sysdig FIM How to detect multi-stage attacks with runtime behavioral analytics EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks Detecting React2Shell: The maximum-severity RCE vulnerability affecting React Server Components and Next.js The rise of AI agents: How autonomous AI Is transforming cloud security Kubernetes 1.35 - New security features The Urgency of Securing AI Workloads for CISOs Security briefing: November 2025 Quantum and the cloud: Science fiction turned security strategy Cloud security, the right way: What the industry should demand (and why "good enough" isn't) Return of the Shai-Hulud worm affects over 25,000 GitHub repositories Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that’s being actively exploited in ransomware campaigns What’s old is new again: How to demystify AI security with AIBOMs Securing Kubernetes with agentic cloud security How agentic cloud security reduces real risks Hunting reverse shells: How the Sysdig Threat Research Team builds smarter detection rules Shifting left with AI and MCP: Sysdig + Amazon Q Developer How Falco and Stratoshark close the gap between open source runtime detection and deep forensic analysis Investigating security issues with ChatGPT and the GitHub MCP server New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 Harden your LLM security with OWASP Security briefing: October 2025 How agentic AI is changing cloud security Kubernetes Incident Response: Detect, investigate, and contain in under 10 minutes Sysdig recognized as a Cloud Security Leader in Latio Tech Cloud Security Market Report AI echolocation of cloud risks using Sysdig & Snyk MCP servers Sysdig MCP Server: Bridging AI and cloud security insights Understanding CVE-2025-49844: “RediShell” Critical Remote Code Execution in Redis How Sysdig secures your containers and Kubernetes Sysdig Security Briefing: September 2025 Cloud security, the right way: The 3 pillars of real-time defense Open source spotlight: Bringing web application security to Falco with Falcoya's Nginx plugin Malicious NPM packages: Are you exposed? AI for SOC teams: 5 cloud security prompts to start your day with Sysdig Sage™ Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT Modern vulnerability management, built for the cloud Build your AWS incident response playbook with open source tools 2025 Gartner® CNAPP Market Guide: Runtime visibility is no longer optional Threat hunting with Sysdig: Uncovering “IngressNightmare” Open source spotlight: From alerts to action with AI-powered Falco Vanguard From triage to action: How Sysdig’s agentic cloud security platform slashes noise and accelerates remediation The vision comes to life: Agentic cloud security with Sysdig Sage™ Data security findings: A technical deep dive Connecting runtime to source: Sysdig and Semgrep integration Fix what matters, faster: How Sysdig and Semgrep are unifying security without silos – from code to runtime Defending sensitive data with Sysdig Secure Redefining cloud security, the right way Join the movement: The Sysdig Open Source Community is live A smarter, safer cloud in the age of AI Unifying detection and response: Sysdig + Cortex XSOAR for security at cloud speed The future of security is open, and it needs a unified hub: The Sysdig Open Source Community is here CVE-2025-53104: Command injection via GitHub Actions workflow in gluestack-ui Why MCP server security is critical for AI-driven enterprises What’s new in Sysdig — June 2025 AI-powered CNAPP with Sysdig Sage™ Revolutionizing Cybersecurity Search with Sysdig Sage™ Sysdig Threat Bulletin: Iranian Cyber Threats The end of the prioritization-only era: Vulnerability management needs action Dangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories
Security briefing: December 2025
Crystal Morin · 2026-01-06 · via Sysdig Blog

Security briefing: December 2025

Falco Feeds extends the power of Falco by giving open source-focused companies access to expert-written rules that are continuously updated as new threats are discovered.

learn more

Green background with a circular icon on the left and three bullet points listing: Automatically detect threats, Eliminate rule maintenance, Stay compliant, with three black and white cursor arrows pointing at the text.

Closing the year under pressure

December is typically a month of pause and transition to round out the year. While others see slowdowns and change freezes, on-call security teams wait anxiously for threat actors to take advantage of shoppers, generosity, and guards being down. Attackers continued to innovate as 2025 came to a close with a handful of notable APT-level campaigns. 

Dec. 3: React2Shell CVE-2025-55182

  • ReactShell is a maximum severity, unauthenticated RCE vulnerability affecting applications built with React Server Components.
  • A public proof-of-concept exploit was released shortly after the vulnerability disclosure, allowing attackers to inject and execute arbitrary code and achieve RCE.
  • Organizations must patch affected React and Next.js versions, but also update related frameworks and dependencies, as well as monitor for anomalous process execution or unexpected network activity.
  • Sysdig’s response: On December 5, the Sysdig Threat Research Team (TRT) published a blog with recommended steps for all impacted organizations and detections for both Sysdig Secure customers and Falco users. A threat bulletin was also emailed to customers.

Dec. 4: BRICKSTORM backdoor

  • News of BRICKSTORM malware resurfaced in December, following its initial discovery in September. 
  • The NSA, CISA, and the Canadian Centre for Cyber Security published a detailed report, including IOCs and detections, on the use of BRICKSTORM by China state-sponsored threat actors.  
  • The threat actors target Linux-based cloud environments in the government services, critical infrastructure, and IT sectors.
  • The malware enables persistent remote system control by mounting a remote server to the victim’s local VM, extracts credentials, and enables lateral movement. It also abuses legitimate cloud tooling and APIs to evade detection and uses multiple layers of encryption to hide C2 communications.
  • Initial access vectors are still unknown, so organizations are encouraged to use detections and IOCs to identify possible BRICKSTORM activity. 

Dec. 28: MongoBleed CVE-2025-14847

  • MongoBleed is a long-standing data exposure issue affecting nearly all versions of MongoDB since 2017.
  • The vulnerability is being actively exploited with tens of thousands of instances at risk.
  • It is a flaw in the MongoDB zlib message compression path, and with network access, an unauthenticated attacker can repeatedly probe the MongoDB server to leak memory fragments and gather a variety of sensitive data, such as credentials and internal application information.
  • Organizations should conduct an audit and patch all MongoDB deployments, enforce authentication and segmentation, and monitor for irregular memory-read patterns.

Additional TRT findings

Following the disclosure of the React2Shell vulnerability in December, the Sysdig TRT identified a notable new threat. On December 8, the team published a technical analysis on a novel malware the team dubbed EtherRAT. This highly sophisticated campaign brought unique nation-state TTPs to React2Shell vulnerability exploitations. EtherRAT is a multi-stage attack chain that uses Ethereum blockchain smart contracts for command and control.

On December 16, the Sysdig TRT published an additional blog detailing the five different payloads recovered from the attacker’s C2 infrastructure. Both blogs include IOCs and other suggested detection and response actions.

Also in the news

  • European Space Agency breach: While the incident has been downplayed, with emphasis on “external” and “unclassified,” ESA confirmed on December 30 that some of its servers were breached. An unaffiliated threat actor already claimed responsibility on BreachForums. With access for over a week to Bitbucket and JIRA, the threat actor allegedly stole over 200GB of source code, hardcoded credentials, tokens, documents, and more for the agency’s collaborative engineering projects. A breach is a breach, but on the bright side, proper network segmentation appears to have limited the blast radius and prevented impact to core, internal systems.
  • Kubernetes 1.35 was released: The World Tree Release on December 17 includes a transition to WebSockets, new limitations when using the impersonation mechanism, and the default separation of kubectl user preferences from cluster credentials and server configurations.
  • DDoS disrupts French national postal and banking services: On December 22, La Poste and La Banque Postale were impacted by a DDoS attack during one of the busiest times of the year. Online mail and bank services, webpages, and apps were down for hours, and package deliveries were disrupted.

Closing thoughts

December closed 2025 the same way the year began: with pressure on defenders and attackers searching for opportunity. Security work is often invisible when it’s done right, and December reinforced how little room there is in the field for complacency. 

Three lessons come to mind after reviewing the critical application vulnerabilities and nation-state tradecraft of the month: in 2026, defenders must prioritize visibility, design for resilience, and never underestimate collaboration and information sharing. We know the threats will continue to evolve, and so must we. 

About the author

Test drive the right way to defend the cloud
with a security expert