Weekly INK
Each week we compile an advisory on the latest threats, trends and newsworthy topics from the cyber security industry affecting small and medium enterprises. Join our subscribers below and help us prevent cybersecurity breaches.

Issue #180 - January 5, 2026
CTO New Year’s Resolutions for a More Secure 2026
Source: Dark Reading
Experts lay out practical security goals for the new year, from operationalizing AI governance to hardening CI/CD and improving CISO–CTO alignment. For smaller teams, the list doubles as a roadmap: standardize secure-by-default build paths, tighten vendor access, and measure security like any other business KPI.

Texas court blocks Samsung from collecting smart TV viewing data
Source: Bleepi

Weekly INK · Jan 5 · 2 min read
Issue #179 - December 15, 2025
Browser Extension Harvests 8M Users’ AI Chatbot Data
Source: Dark Reading
A popular Chrome extension marketed for privacy was quietly collecting and selling content from users’ AI conversations. For SMBs, that is a reminder to restrict browser extensions, enforce allow lists, and review permissions that can capture on-screen data and network traffic.

Coupang data breach traced to ex-employee who retained system access
Source: BleepingComputer
Coupang says a fo

Weekly INK · Dec 18, 2025 · 2 min read
Issue #178 - December 8, 2025
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
Source: Dark Reading
US agencies say Chinese state actors are deploying the Brickstorm backdoor in VMware vSphere environments, enabling persistence, VM snapshot theft, and lateral movement. For SMBs supporting critical sectors: harden vSphere, restrict remote access, enforce MFA, and monitor for anomalous VM and DNS-over-HTTPS activity.

Pharma firm Inotiv discloses data breach after ransomware attack
Source:

Weekly INK · Dec 8, 2025 · 1 min read
Issue #177 - December 1, 2025
Arizona AG Sues Temu Over “Stealing” User Data
Source: Dark Reading
Arizona’s attorney general sued Temu, alleging the shopping app secretly harvests sensitive device data and evades reviews. U.S. firms should expect renewed scrutiny of mobile SDKs, background data collection, and consent. Review privacy notices, telemetry settings, and third-party code used in consumer apps.

Google fixes two Android zero-days exploited in attacks (107 flaws total)
Source: Ble

Weekly INK · Dec 1, 2025 · 2 min read
Issue #176 - November 17, 2025
Critical Fortinet FortiWeb WAF Bug Exploited in the Wild
Source: Dark Reading
A newly disclosed FortiWeb flaw lets attackers run admin-level commands on unpatched web application firewalls. For SMBs that rely on WAFs to protect websites and portals, this is a patch-now event: exposed devices can be taken over pre-login, leading to data theft, website defacement, or downtime.

Kraken Uses Benchmarking to Enhance Ransomware Attacks
Source: Infosecurity Magazine
A

Weekly INK · Nov 17, 2025 · 2 min read
Issue #175 - November 10, 2025
OWASP Highlights Supply Chain Risks in New Top 10 List
Source: Dark Reading
A major OWASP refresh spotlights software supply chain failures and misconfiguration as top risks. For SMBs, this means looking beyond code bugs to vendor components, CI/CD pipelines, and cloud settings. The takeaway: add supply-chain checks to patching, and tighten configuration governance to reduce real-world breach paths.

Microsoft Uncovers ‘Whisper Leak’ Attack That Identifies AI C

Weekly INK · Nov 10, 2025 · 2 min read
Issue #174 - November 3, 2025
Multiple ChatGPT Security Bugs Allow Rampant Data Theft
Source: Dark Reading
Researchers found seven weaknesses that let attackers steal chat history and “memories,” bypass safety checks, and plant malicious instructions—no deep technical skill required. For SMBs exploring AI, this signals immediate risk: tighten browsing features, restrict plug-ins, and treat AI tools like any other internet-facing app.

Microsoft: SesameOp malware abuses OpenAI Assistants API

Weekly INK · Nov 3, 2025 · 2 min read
Issue #173 - October 27, 2025
Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation
Source: The Hacker News
Security researchers observed real-world exploitation of the WSUS bug shortly after disclosure. The write-ups outline initial access and payload delivery patterns. Admins should review egress traffic, restrict WSUS exposure, and verify that emergency patches applied cleanly across all downstream servers.

Massive China-Linked Smishing Campaign Leveraged 194,000 Do

Weekly INK · Oct 27, 2025 · 1 min read
Issue #172 - October 20, 2025
Verizon: Mobile Blindspot Leads to Needless Data Breaches
Source: Dark Reading
Verizon’s Mobile Security Index says companies still treat phones as second-class citizens for security. Smishing is surging, BYOD policies are lax, and simple controls like MDM and zero trust would cut incidents dramatically. SMB takeaway: secure personal/work mobiles now—phishing isn’t just in email anymore.

CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
Source:

Weekly INK · Oct 20, 2025 · 2 min read
Help us Prevent Breaches.
Subscribe to our Weekly INK newsletter. We will never share your information.

