Newsletters

Written content from the Risky Business Media team

Srsly Risky Biz: Europe Wants To Wean Itself Off US Tech

Presented by

Tom Uren

Policy & Intelligence

The European Union Commission has proposed a tech sovereignty package that covers a range of initiatives around semiconductors, cloud computing and AI. We'd be surprised if these initiatives have a major impact in the short term, but this is still a good move for Europe. 

The key initiative of the proposed package, in our view, is the Open Source Strategy which aims to "strengthen digital autonomy through open source". Although it's not stated explicitly, the intent here is to wean Europe off the US tech stack by encouraging open source alternatives. 

The strategy says it will take "concrete actions", for example reforming government procurement rules to make them more open source friendly. EU governments will also award grants to open source projects under the strategy. 

Risky Bulletin: Meta says NSO violated court order with new campaign targeting WhatsApp

Presented by

Catalin Cimpanu

News Editor

Social media company Meta says it found and disrupted a new NSO Group hacking campaign targeting WhatsApp users, in violation of a US court order issued last October.

The campaign was a spear-phishing operation that tried to lure certain users into clicking a malicious link sent to their WhatsApp accounts that took them to an external site.

Meta filed a legal complaint against the Israeli spyware company on Monday, asking the court to hold NSO in contempt.

Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks

Presented by

Catalin Cimpanu

News Editor

The RubyGems package manager has added support for dependency cooldowns as a way to counter a recent spate of supply chain attacks. The move copies similar efforts made in the JavaScript and Python ecosystems this year.

Dependency cooldowns are parameters that tell the package manager to install dependencies only if they are of a certain age in days. For example, a dependency cooldown of "7" will only install packages that are at least a week old.

The idea behind dependency cooldowns is to allow security tools, the admins of package repositories, and library maintainers time to detect compromises and pull down malicious versions.

Risky Bulletin: The EU debuts digital sovereignty plan

Presented by

Catalin Cimpanu

News Editor

The European Commission unveiled on Wednesday a plan to decouple from American companies and boost the bloc's tech sovereignty.

The plan would boost chip production, triple data center capacity, and fund open-source projects as alternatives to US-dominated software.

The proposals cut the typical EU red tape around developing new infrastructure, such as data centers, and provide generous funding for homegrown solutions.

Srsly Risky Biz: NATO's Cyber Approach Needs Change

Presented by

Tom Uren

Policy & Intelligence

Last week, The Grugq and I travelled to Estonia for CyCon, NATO CCDCOE's conference on Cyber Conflict. Our biggest takeaway from the conversations we had there is that NATO, unsurprisingly, is well prepared for one-off, large-scale military attacks. But it is failing to counter small, unremitting cyberattacks, and this needs to change.

NATO was created to deter the Soviet Union from military aggression. It still defines itself as a defensive alliance that can deliver a "resounding response" in the event of an unlikely but devastating Russian military attack.  

Russian cyber operations, however, are continuous and conducted well below the threshold of armed conflict. Individual operations just aren't damaging enough to attract a robust response. These continuous aggressive incursions are favoured by states like Russia and China as a way to harass their adversaries during peacetime. 

Risky Bulletin: A tenth of all new domains last year were malicious

Presented by

Catalin Cimpanu

News Editor

One in every ten new domains registered in 2025 were linked to malicious activity and were eventually added to one or more cybersecurity blocklists.

A total of 84,961,989 domains were created last year and 8,496,811 were later added to a blocklist, according to an Interisle report published on Monday.

Researchers believe the actual number of malicious domains may be double that, at around 16.8 million, with new domains expected to be blacklisted once they are deployed in operations in the wild later on.

Risky Bulletin: Russia greatly expands SORM surveillance requirements

Presented by

Catalin Cimpanu

News Editor

The Russian government has greatly expanded the amount of personal and technical data that mobile operators and internet service providers must collect from their customers and share with state authorities.

This data collection is part of a surveillance system used in Russia named SORM, which stands for the System for Operative Investigative Activities. SORM works through special equipment installed at local telcos that collects data on the company's traffic and uploads it to a government database where the police and intelligence services can query it for their investigations.

Over the years, as networking equipment has become more powerful, SORM has been slowly updated with new collection rules that telcos must comply with or face a fine.

Risky Bulletin: Dutch police take down giant botnet of 17 million devices

Presented by

Catalin Cimpanu

News Editor

Dutch authorities have conducted one of the largest-ever malware disruptions, taking down a botnet that infected more than 17 million devices across the world.

The botnet was made up of computers, tablets, and smartphones that had been used to send out spam emails and phishing lures and to carry out DDoS attacks.

Dutch Police and the country's national cybersecurity agency seized more than 200 servers at a local provider, servers that had been used to grow and control the botnet.

Risky Bulletin: BadHost vulnerability bypasses authentication on AI infrastructure

Presented by

Catalin Cimpanu

News Editor

A major bug has been disclosed in a little-known middleware component used in many AI server infrastructure products.

Codenamed BadHost (and tracked as CVE-2026-48710), the vulnerability impacts Starlette, a lightweight Python framework for building asynchronous web services.

Put simply, the bug can allow attackers to trick servers into thinking they want to access a public URL and there's no need to authenticate. In reality, the attackers get connected to private endpoints, from where they can download or harvest sensitive data or tell the server to perform malicious actions.

Risky Bulletin: Mythos found thousands of critical bugs

Presented by

Catalin Cimpanu

News Editor

Six weeks after it launched Project Glasswing and its Mythos cybersecurity model, Anthropic says researchers and partners have found more than 23,000 vulnerabilities across more than 1,000 open-source projects.

Analysis is still ongoing, but the company claims that more than a quarter (6,202) of the found bugs (23,019) received or are suspected of having a high or critical severity rating, confirming they are real issues and not just random vulnerability scanning chaff.

More than 1,500 of these critical bugs have been confirmed to be legitimate issues and almost 100 have already received patches. Anthropic expects the 1,500 confirmed figure to go as high as 3,900.