# Top Stories
April 12, 2026

## 1. Critical Marimo Flaw Exploited Hours After Public Disclosure
SecurityWeek (general), Apr 10
A critical vulnerability in Marimo was exploited in the wild within just 9 hours of public disclosure, with attackers building an exploit from the unauthenticated bug's advisory. This demonstrates the extremely narrow window defenders have to patch critical vulnerabilities before weaponization, highlighting the need for coordinated disclosure and rapid response capabilities.

## 2. Analysis of one billion CISA KEV remediation records exposes limits of human-scale security
BleepingComputer (general), Apr 10
Qualys analyzed 1 billion CISA KEV remediation records and found that most critical vulnerabilities are exploited before defenders can patch them, exposing fundamental limits of human-scale security operations. The research reveals that attackers consistently outpace patching efforts on Known Exploited Vulnerabilities, forcing organizations to reconsider traditional patch management strategies.

## 3. GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
The Hacker News (general), Apr 10
The GlassWorm campaign evolved to use a new Zig dropper that infects all integrated development environments on developer machines through a malicious Open VSX extension named 'specstudio.code-wakatime-activity-tracker' that impersonates WakaTime. This supply chain attack specifically targets the developer ecosystem, potentially compromising source code and development processes across multiple IDEs.

## 4. Juniper Networks Patches Dozens of Junos OS Vulnerabilities
SecurityWeek (general), Apr 10
Juniper Networks patched dozens of vulnerabilities in Junos OS, including a critical-severity flaw that allows remote attackers to take over vulnerable devices without authentication. The widespread nature of these patches across Juniper's enterprise networking infrastructure highlights the continued targeting of network equipment by threat actors.

## 5. Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000
SecurityWeek (general), Apr 10
Chrome 147 patches 60 vulnerabilities including two critical flaws in the WebML component reported by anonymous researchers, with Google paying $86,000 in bug bounties. The critical vulnerabilities in Chrome's machine learning components demonstrate how AI-related browser features are becoming new attack surfaces for threat actors.

## 6. Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data
The Hacker News (general), Apr 11
Citizen Lab revealed that Hungarian intelligence, El Salvador's national police, and U.S. law enforcement agencies used Webloc, an Israeli-developed advertising-based surveillance system, to track 500 million devices globally. The tool, now sold by Penlink after merging with Cobwebs Technologies in July 2023, represents a significant expansion of geolocation surveillance capabilities using commercial ad data.

## 7. UK says it exposed Russian submarine activity near undersea cables
The Record (threat-intel), Apr 10
The UK Ministry of Defence exposed Russian submarine activity near undersea cables, identifying a Russian attack submarine and vessels from the Main Directorate of Deep Sea Research (GUGI) conducting 'nefarious activity over critical undersea infrastructure.' This revelation highlights ongoing Russian hybrid warfare targeting critical internet infrastructure that could disrupt global communications.

## 8. Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows
The Hacker News (general), Apr 10
Google rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows users to prevent session theft by cryptographically binding authentication to specific devices. This security feature renders stolen session cookies unusable by attackers, addressing a major attack vector used in account takeover campaigns targeting enterprise users.

## 9. Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users
SecurityWeek (general), Apr 10
Microsoft discovered a vulnerability in an EngageLab SDK that exposed millions of Android cryptocurrency wallet users to potential attacks. The security hole was reported to the vendor one year ago, demonstrating the lengthy disclosure and remediation process for third-party SDK vulnerabilities affecting mobile financial applications.

## 10. Orthanc DICOM Vulnerabilities Lead to Crashes, RCE
SecurityWeek (general), Apr 10
Critical vulnerabilities in Orthanc DICOM medical imaging software could allow attackers to execute arbitrary code, cause denial-of-service, or disclose sensitive information. These flaws affect medical imaging systems used in healthcare environments, presenting significant risks to patient data and hospital operations that rely on DICOM infrastructure.