
Why the web-hosting industry needs a trust seal

Every day, billions of people place their trust in websites they know little about. Behind each one is a hosting provider, but not all of them play by the same rules. 

Traditionally, privacy policies let web visitors understand how their data would be handled, and SSL (Secure Sockets Layer) certificates ensured their connection was encrypted. Those safeguards were once sufficient. Today, they are not.

The online threat landscape is evolving at the speed and scale of AI development, and many on the front lines are unprepared. A recent survey of 600 enterprise IT leaders found that just 10% of respondents were very confident in their ability to address AI-enabled attacks targeting their organizations. 

Before AI, cyberattacks were primarily rule-based, scripted, and manually executed. These attacks now deploy everything from deepfake phishing calls to automated vulnerability scanning. AI has enhanced their scale, personalization, and automation, making them easier to adapt and harder to detect. That should alarm us all. 

This isn’t only about evolving to meet technological advancements — it’s also about trust. Consumers and businesses alike must be able to identify which providers meet high standards for transparency, reliability, and accountability. Without that clarity, they are left in the dark, unable to make informed choices about who they rely on to keep their digital lives safe. In an era of relentless cyberattacks, the internet needs a higher standard to safeguard not just websites, but the very trust that keeps the entire system running. 

That’s why the Secure Hosting Alliance (SHA) is introducing the SHA Trust Seal. The seal sets a clear bar for providers by demanding transparency, accountability, and resilience. Certified hosts commit to offering fair and understandable terms of service, with no hidden surprises. They act quickly and responsibly when their infrastructure is misused, maintain reliable and resilient services through proactive monitoring and recovery planning, and handle government requests with documented, lawful processes that respect privacy and due process. Most importantly, they commit to ongoing accountability. 

In recent years, transparency has become a cornerstone of the larger cybersecurity community, with companies expected to back up their claims through independent audits, public disclosures, and measurable outcomes. Trust seals are already standard in industries like e-commerce, finance, and health care, where sensitive information is exchanged and verified authentication is essential. Given that the web-hosting industry is part of the internet’s critical infrastructure, it too deserves a clear symbol of trust. The SHA Trust Seal delivers exactly that, translating providers’ promises from words on a website into commitments that can be verified against clear, rigorous standards.

The Trust Seal also reflects a larger shift in how the industry tackles problems. Instead of every company responding in isolation, SHA works with partners such as the Malware and Mobile Anti-Abuse Working Group (M3AAWG) and the Anti-Phishing Working Group (APWG) to build common approaches for preventing cybercrime, improving incident response, and reducing misuse of hosting resources. By creating consistent expectations across providers, the seal helps establish a baseline for what responsible stewardship of the internet should look like.

The stakes are high. From ransomware to supply chain breaches, hackers increasingly target the companies behind the websites we use every day. Earlier this year, Cloudflare blocked a record-breaking distributed denial-of-service (DDoS) attack of 7.3 terabits per second — the largest in history. Attacks like this strike at the very infrastructure of the internet, yet most consumers remain unaware of how fragile that foundation can be. 

This lack of visibility is exactly why a trust seal is needed. The SHA Trust Seal is more than just a badge — it’s a promise. It gives responsible providers a way to make their commitments visible, reassuring customers, elevating industry standards, and strengthening the foundation of a safer internet. By embracing a trust seal, the web hosting industry can transform security from a hidden feature into a visible standard.

Christian Dawson is the co-founder of the Internet Infrastructure Coalition (i2Coalition) and the Coalition on Digital Impact (CODI).

The post Why the web-hosting industry needs a trust seal appeared first on CyberScoop.

When ‘minimal impact’ isn’t reassuring: lessons from the largest npm supply chain compromise

Earlier this week, Aikido Security disclosed what is being described as the largest npm supply chain compromise to date. Attackers successfully injected malicious code into 18 popular npm packages, collectively accounting for more than 2.6 billion weekly downloads. The entire campaign began not with a technical exploit, but with a single, well-trained maintainer clicking on a convincingly crafted phishing email.

The scale of this incident should serve as a wake-up call for the industry. Even though the financial fallout has been labeled “minimal,” attackers were able to compromise packages at the very core of the JavaScript ecosystem. That reality should concern every developer, security leader, and policymaker.

We can’t afford to normalize these events as routine, low-stakes occurrences. Each successful package takeover exposes the fragility of our collective software infrastructure. The fact that defenders managed to contain this “leaking roof” in time should not reassure us — it should motivate us to act before the next one.

Anatomy of the compromise

The attack began with a familiar but effective tactic: account takeover. According to Aikido, attackers tricked the maintainer of the affected libraries using a phishing email impersonating npm support, requesting a two-factor authentication update. With those stolen credentials in hand, the attackers published malicious versions of popular packages — including chalk and debug — by modifying their index.js files.

The injected payload was designed to hijack cryptocurrency transactions. By monitoring browser APIs like fetch, XMLHttpRequest, and wallet interfaces such as window.ethereum, the malware could redirect funds to attacker-controlled addresses.

Fortunately, the malicious versions were identified within minutes and publicly disclosed within the hour. This rapid response helped prevent widespread damage. Still, millions of developers pulled compromised versions during that brief window — a reminder of how much trust we place in open source infrastructure and how quickly that trust can be exploited.

Adding to the picture, further research has revealed that additional npm packages were hijacked as part of this campaign, including duckdb, which alone sees nearly 150,000 downloads per week. These findings reinforce the breadth of the operation and highlight how difficult it is to measure the full scope of supply chain compromises in real time.

A playbook that’s here to stay

This compromise was not an isolated incident. Package takeovers have become a standard tactic for threat actors because they provide unmatched reach: compromise one popular project, and you instantly gain access to millions of downstream systems. 

We have seen this strategy become a key tool for advanced persistent threats (APTs), including groups like Lazarus most recently. Package takeovers allow them to infiltrate massive portions of the world’s developer population by targeting a single under-resourced project.

The npm ecosystem is not unique in this regard. Whether it’s PyPI, RubyGems, or Maven Central, package registries are critical distribution points in the modern software supply chain. They represent single points of failure that adversaries will continue to exploit.

The “it wasn’t that bad” narrative

Since disclosure, some industry commentary has downplayed the incident. Reports note that the attackers appear to have stolen just a handful of crypto assets: roughly 5 cents of ETH and $20 worth of a small memecoin.

But this framing is short-sighted. The true cost is not the stolen cryptocurrency; it’s the thousands of hours of engineering and security work required worldwide to clean up compromised environments, not to mention the contracts, compliance requirements, and audits that inevitably follow. 

What’s also striking is how quickly attackers are now able to act. In this case, malicious versions of npm packages were downloaded potentially millions of times within minutes. The same pattern has played out for years in vulnerability exploitation — from Heartbleed to Equifax — where the time between disclosure and exploitation has shrunk to nearly zero.

The “minimal impact” narrative risks lulling organizations into complacency. It encourages a mindset where each incident is dismissed as “low risk” until one day, it isn’t.

What needs to change

Focusing on what didn’t happen ignores the reality that attackers had the opportunity to hit far harder. This incident underscores several urgent priorities, including:

  • Strengthen maintainer security: Package maintainers are the new frontline of cyberattacks. Protecting their accounts with phishing-resistant authentication, hardware keys, and stronger identity protections must become the norm, not the exception.
  • Improve ecosystem-level safeguards: Registries must continue to invest in stronger safeguards, such as mandatory MFA, anomaly detection for unusual publishing activity, and proactive monitoring for malicious code patterns.
  • Shift industry mindset: Organizations need to treat every compromise of a widely used package as a major security incident — even if the immediate payload looks trivial. A malicious package should trigger the same urgency as a zero-day exploit, because the potential blast radius is just as large.
  • Invest in supply chain visibility: Software bills of materials (SBOMs) and automated dependency tracking are essential. Enterprises must be able to quickly identify whether they’re pulling compromised versions and take immediate action.
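The dependency-tracking point above, as an added example that is not code from the article, from Sonatype or from Aikido: a small Node script that walks an npm lockfile (lockfileVersion 2 or 3, which carry a `packages` map) and reports every copy of a package, including nested copies, pinned to a version listed in an advisory feed. The package names come from the article; every version string is a constructed placeholder, not a real affected version.

```javascript
'use strict';
// Added example: scan an npm lockfile for packages pinned to advisory-listed
// versions. ADVISORIES is a constructed placeholder feed, not real incident data.

const ADVISORIES = {
  chalk: new Set(['0.0.0-placeholder']),
  debug: new Set(['0.0.0-placeholder']),
  duckdb: new Set(['0.0.0-placeholder']),
};

// Derive the package name from a lockfile "packages" key such as
// "node_modules/@scope/pkg" or "node_modules/a/node_modules/debug".
// Returns null for the root project entry ("") or a workspace path.
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null;
  return lockPath.slice(idx + marker.length);
}

// Walk every entry in the lockfile and return the ones pinned to an affected
// version, so a CI job can fail the build or raise an alert on the result.
function findCompromised(lockfile, advisories = ADVISORIES) {
  if (!lockfile || typeof lockfile.packages !== 'object') {
    throw new Error('lockfileVersion 1 has no "packages" map; regenerate with npm >= 7');
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    const name = nameFromLockPath(lockPath);
    if (!name || !entry || !entry.version) continue;
    const affected = advisories[name];
    if (affected && affected.has(entry.version)) {
      findings.push({
        name,
        version: entry.version,
        path: lockPath,
        // Nested copies are the ones a review of top-level deps alone misses.
        nested: lockPath.split('node_modules/').length > 2,
      });
    }
  }
  return findings;
}

// Read a real package-lock.json from disk and scan it.
function scanFile(filePath, advisories = ADVISORIES) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(filePath, 'utf8')), advisories);
}

// Constructed sample lockfile: a clean top-level chalk, a stale nested debug
// pinned to the placeholder "affected" version, and an unaffected duckdb.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.0.0' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/debug': { version: '0.0.0-placeholder' },
    'node_modules/duckdb': { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const hits = target ? scanFile(target) : findCompromised(SAMPLE_LOCK);
  for (const h of hits) {
    console.log(`${h.nested ? 'NESTED ' : ''}${h.name}@${h.version} at ${h.path}`);
  }
  process.exitCode = hits.length ? 1 : 0;
}

module.exports = { ADVISORIES, SAMPLE_LOCK, nameFromLockPath, findCompromised, scanFile };
```

Run as `node scan.js ./package-lock.json` against a real project; with no argument it scans the constructed sample and exits non-zero because of the nested debug copy.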

This npm compromise may go down as the “largest to-date,” but its significance has little to do with its size or the negligible cryptocurrency stolen. Its importance lies in what it reveals about the state of modern software security: our trust in open-source infrastructure is more fragile than we like to admit, and attackers know it.

If we keep measuring the significance of these breaches only by their immediate dollar impact, we’ve missed the point. This was like catching a leaking roof before the storm — the damage was limited only because it was discovered quickly. Next time, we may not be so fortunate.

Brian Fox is co-founder and CTO at Sonatype. 


Patch the vulnerability: Confirm Sean Plankey as CISA director

Every chief information security officer understands that unresolved vulnerabilities can eventually become entry points for threats. In the private sector, we don’t ignore gaps in leadership when they pose security risks. However, that’s precisely the risk our nation faces with the ongoing vacancy at the head of the Cybersecurity and Infrastructure Security Agency.

As the executive director of the National Technology Security Coalition (NTSC), a nonpartisan organization representing chief information security officers and senior security technology leaders from across the country, I can confidently say that this vacancy presents a national cybersecurity risk and must be addressed immediately. The appropriate corrective action is for the Senate to confirm Sean Plankey as the next director of CISA.

Our members live and breathe cybersecurity every day. They are responsible for protecting America’s leading enterprises from cyber threats, building resilient systems, and responding to incidents that could disrupt operations, damage reputations, or compromise the personal data of millions of Americans. These challenges are not just theoretical; they are immediate, complex, and constantly evolving. That’s why public-private collaboration is essential, and why a strong, capable leader must be at the helm of CISA.

Sean Plankey is precisely that kind of leader.

Plankey combines strategic vision, operational experience, and a strong commitment to public service — qualities essential for this role. He served as principal deputy assistant secretary at the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, where he played a key role in safeguarding the nation’s critical energy infrastructure from cyber threats. His work there gave him direct experience managing risk at the intersection of digital and physical security.

At the White House, Plankey served as director for maritime and Pacific cybersecurity policy at the National Security Council. In that role, he co-authored the National Maritime Cybersecurity Plan and contributed to presidential directives on offensive cyberspace operations, efforts that strengthened national strategy and improved interagency coordination. His leadership helped protect America’s ports and shipping lanes from cyber threats, which are vital to both our economic security and military readiness.

Plankey’s qualifications are extensive. As a commissioned officer in the U.S. Coast Guard, he was deployed to Afghanistan, where he took part in offensive cyber operations. This gave him direct experience with the cyber side of modern warfare. He understands not only the policy impacts of cyber threats but also the tactical realities — insights that few others possess.

In addition to his technical and strategic credentials, Plankey has demonstrated a clear understanding of how to navigate government agencies and work with the private sector. His ability to operate across organizations and industries is exactly what is needed now, as cybersecurity is no longer just a technical matter but a vital national security issue.

For CISOs and national security professionals alike, leadership at CISA is not a luxury; it’s a necessity. With increasing geopolitical instability, the expanding use of artificial intelligence by both defenders and attackers, and the rapid growth of digital infrastructure, we face a threat landscape that demands clarity, coordination, and expertise at the highest level. Leaving CISA without someone in charge during this period of heightened risk is like leaving a ship adrift in stormy seas.

Our country cannot afford any further delays. The cybersecurity community needs a leader at CISA who can work with industry, state, and local partners, as well as international allies, to strengthen defenses and respond quickly to emerging threats. Plankey has earned the trust and respect of both the public and private sectors. He is prepared to lead from day one.

The Senate should act quickly to confirm Plankey as the new director of CISA. This would not only fill a critical leadership void but also strengthen America’s digital defenses.

Patrick D. Gaul is the executive director of the National Technology Security Coalition, a nonprofit, non-partisan organization that serves as an advocacy voice for chief information security officers across the nation.


CISA is facing a tight CIRCIA deadline. Here’s how Sean Plankey can attempt to meet it

During a Senate Homeland Security and Governmental Affairs Committee hearing earlier this month in which lawmakers considered if Sean Plankey is fit to become director of the Cybersecurity and Infrastructure Security Agency, ranking member Gary Peters asked the CISA nominee how he would ensure the agency meets all of its statutory requirements, including those in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. 

The problem is, it can’t. To meet the statutory deadline established by Congress, CISA will need to publish a final rule by October. That means CISA has two months left. 

Ever since CIRCIA was signed into law in March 2022, CISA has had every intention of meeting this deadline. I know that because I ran the program while at CISA, from the day it was signed into law through when I left government in January. 

You don’t have to take my word for it. CISA was shouting its commitment to this timeline from the rooftops. You can check the Unified Agenda — the government’s official record of planned regulatory action — from both fall 2024 and spring 2024, both of which state that CISA was targeting an Oct. 4 final rule due date. These commitments are additionally reinforced by the updates provided in the National Cybersecurity Strategy Implementation Plan published by the Office of the National Cyber Director. The formal publications mirror the consistent public statements made by senior officials from CISA and the Department of Homeland Security over multiple years. 

However, since January there has been silence from the agency regarding CIRCIA. Despite receiving hundreds of public comments on the CIRCIA Notice of Proposed Rulemaking, which necessitates an internal policy process to decide how to respond to those comments and adjust the rule, the agency has made no public statements about its progress.  

There is no way for CISA to address hundreds of policy decisions, revise a 450-page piece of regulation, coordinate those revisions with all relevant agencies, and gain the necessary White House approval in two months. This work could have been accomplished had it been prioritized by the current administration on Day One. However, without a CISA director, that work does not appear to have occurred.

In response to Sen. Peters’ question, Plankey responded that he is “going to empower those operators to operate.” I know the operators who worked nights and weekends analyzing the public comments, modernizing existing technology systems, building new tools using CIRCIA funds appropriated by Congress, and expanding the agency’s capacity to support victims ahead of CIRCIA’s launch. I know those people are prepared to present critical policy matters to the next CISA director and to move quickly to draft a final rule. 

Peters also asked Plankey how he would achieve those goals amid budget cuts and the hundreds of personnel leaving the agency. While the CIRCIA program has faced personnel changes, its core staff remain committed to the cause. 

Congress has provided substantial funding for CIRCIA, but without a centralized division or subdivision dedicated to this work within the agency, it’s hard for the program to protect and target these funds exclusively for CIRCIA’s new requirements. Although not fully funded, the program has strong support, and the new director should ensure all resources and people appropriated by Congress for CIRCIA implementation are focused on preparing CISA to serve as the nation’s central cyber incident repository. 

Now that Plankey is poised to become the CISA director, I hope he will prioritize these statutory requirements from Congress and act immediately to advance the CIRCIA final rule for our national security. Plankey said that if confirmed he would like to “get in, provide them the direction, tell them the hill we are going to take, and protect the American public from cybersecurity attacks on critical infrastructure.” 

I hope that in partnership with the CIRCIA team, he does just that.

Lauren Boas Hayes is a cybersecurity and tech trust & safety expert with experience working at CISA, Meta, and Deloitte. She is a founding fellow of the Integrity Institute and an adjunct professor at Georgetown University & Johns Hopkins SAIS.


Why it’s time for the US to go on offense in cyberspace

The U.S. is stepping into a new cyber era, and it comes not a moment too soon.

With the Trump administration’s sweeping $1 billion cyber initiative in the “Big Beautiful Bill” and growing congressional momentum under the 2026 National Defense Authorization Act (NDAA) to strengthen cyber deterrence, we’re seeing a shift in posture that many in the security community have long anticipated, although often debated: a decisive pivot toward more robust offensive cyber operations.

While many may disagree with the decision to “go on offense,” we need to recognize the changing threat landscape and the failure of our previous restrained approach. The U.S. has the most advanced cyber capabilities in the world. Yet for the past two decades, our posture has been dominated by defense, deterrence-by-denial, and diplomatic restraint. This strategy has not yielded peace or dissuaded our adversaries. On the contrary, it has only served to embolden them.

With geopolitical tensions now at a boiling point and adversaries escalating both the scale and ambition of their cyber campaigns, it is time to remove the handcuffs. This doesn’t mean acting recklessly, but it does mean meeting our adversaries on the same battlefield so that we can use our unmatched capabilities to hold them at risk.

The strategic landscape has changed

The cyber threat environment in 2025 is fundamentally different from what it was even five years ago. Operations like China’s Volt Typhoon and Russia’s relentless campaigns against Ukraine’s infrastructure illustrate a broader shift: our adversaries are no longer limiting themselves to espionage or IP theft. They are actively preparing for conflict.

Volt Typhoon, in particular, marks a strategic evolution as Chinese state actors are actively prepositioning in U.S. critical infrastructure not for surveillance, but for disruption. Salt Typhoon’s operations, targeting civilian infrastructure with apparent tolerance for detection, suggest a loosening of China’s risk calculus. Meanwhile, Russia’s destructive malware targeting industrial control system (ICS) environments, and Iran’s growing reliance on cyber proxies, show how aggressive and emboldened our rivals have become.

Offensive capabilities are a military imperative

The proposed $1 billion investment isn’t about launching retaliatory attacks. It’s about building the infrastructure, tools, and talent needed to make cyber a fully integrated and reliable component of U.S. military and intelligence operations.

While the U.S. possesses world-class cyber capabilities, current policies have kept these tools locked behind layers of classification, bureaucracy, and operational disconnect. As a result, offensive cyber operations have been limited to highly targeted missions. While they’re often executed with surgical precision, they usually lack the speed, adaptability, or scale demonstrated by our adversaries.

When a U.S. technique is exposed, it can take months to retool and mount another operation. In contrast, our adversaries rely on publicly known vulnerabilities, social engineering, and agile teams that can quickly weaponize newly disclosed exploits.

Zero-days are among our most valuable (and expensive) cyber assets. But having the exploit isn’t enough. Effective use requires real-time intelligence, targeting infrastructure, trained operators, and a legal framework that enables rapid deployment.

This new investment represents a serious effort to evolve our approach. It will enable the Department of Defense, U.S. Cyber Command, and the intelligence community to proactively shape the digital battlefield, both independently and in coordination with conventional military operations.

Adversaries respond to force, not diplomacy

Over the past 15 years, we’ve watched our top adversaries, China and Russia, test, prod, and exploit our most sensitive networks, from government systems to critical infrastructure companies, often with minimal consequence. We’ve also sustained numerous damaging attacks, from the massive OPM and Equifax breaches to SolarWinds, NotPetya and Colonial Pipeline. The list goes on and on.

In all of these cases, we’ve responded, at best, with indictments, sanctions, or strongly worded statements. In the meantime, our adversaries have only grown bolder and more sophisticated. Their actions suggest one conclusion: they don’t believe we’ll strike back.

This lack of proportional response is viewed as weakness, not restraint. Deterrence only works when the adversary believes you will act. That belief is fading. But a more muscular cyber posture, backed by operational capacity and political will, can restore it.

Ransomware is now a national security threat

The line between criminal and nation-state activity is becoming blurred amid rising geopolitical tensions. Ransomware, once seen as a law enforcement issue, now poses one of the most serious threats to national infrastructure.

We’ve already seen its disruptive power in attacks on Colonial Pipeline, JBS Foods, Mondelez International, and United Natural Foods Inc. However, as damaging as those were, they pale in comparison to what a determined adversary — especially one that is backed by a state — could accomplish.

Essential services like electricity, water, health care, and transportation are increasingly vulnerable. Many ransomware groups operate in jurisdictions that ignore or even support their activities. U.S. adversaries are now integrating these actors into broader state-aligned campaigns, using them as asymmetric tools of disruption.

The weaponization of ransomware and other destructive malware like “wipers” is a clear and present danger. Countering it requires more than law enforcement.

While the Department of Homeland Security and the FBI play vital roles in tracking threats, they lack the global reach and strategic authority of the military. Offensive cyber capabilities are needed to disrupt operations, dismantle infrastructure, and impose real costs.

There are risks with doing nothing, too

Critics of these operations rightly point out there are plenty of risks: escalation, unintended consequences, and blowback. Yes, these risks are real. Any use of cyber capabilities, especially against state-linked infrastructure, must be carefully weighed, governed by rules of engagement, and aligned with broader geopolitical strategy. 

Historically, cyber has not had clear rules for what constitutes “crossing the line,” though the general assumption has been that loss of life or large-scale disruptions to critical infrastructure would qualify. 

But inaction has its own risks. If we continue playing defense while our adversaries go on offense, we are signaling that they can operate with impunity. This is not de-escalation; it’s appeasement. And it will only invite more aggression. 

On the other hand, offensive action may at times be the most effective path to de-escalation, by showing that the U.S. is both willing and able to impose real costs.

It’s time for real deterrence

Cyber deterrence has long been an elusive concept. Unlike nuclear deterrence, which relies on mutually assured destruction, cyber deterrence is far more ambiguous. The lack of clear red lines, uncertain attribution, and the diverse range of actors all complicate strategy.

But these are not reasons to avoid building deterrence. This is why it’s even more important to build smarter, more flexible capabilities that combine intelligence, cyber offense, and traditional diplomacy to manage escalation while signaling resolve.

The shift we’re seeing now, both from Congress and the administration, is a necessary first step. However, in order to be effective, it must be followed by clear doctrine, strong oversight, and close coordination between military, intelligence, and homeland security stakeholders. 

Offensive cyber operations are not a silver bullet, but they are an essential tool of statecraft in the modern world. 

Dave Kennedy is the founder of TrustedSec and Binary Defense.

