{“lastseen”:”2025-11-26T20:05:12″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nBack in April, I _wrote_ about the risks of unintentionally leaking information while using search engines. Since then, I’ve been thinking: Life doesn’t just happen in front of a keyboard. There’s a social side, too (or so I’m told). With Thanksgiving around the corner, it seems the perfect time to flip the script and focus on a different but related concept: Care _that_ you share.\\n\\nFor my non-American friends, who may be enjoying just another Thursday, stick with me. This season brings heightened risks everywhere. Many teams are running with skeleton crews, whether due to holiday mode (family, turkey, football, days off) or the year-end compliance push (hello, _NIS2_ and DORA). At the same time, on the other side of the fence, attackers ramp up their efforts; globally, Black Friday and similar events are peak periods for phishing campaigns, often targeting credentials with fake employee perk emails and other seasonal lures.\\n\\nSo, why emphasize \\”care that you share?\\”\\n\\nRecently, I visited a university of applied sciences to give a guest lecture and learn more about the projects students are working on. It was a great experience, though preparing for an audience of students (not my usual crowd) was challenging. What do they already know? What topics interest them? Should I give them some history of STIX\/TAXII? Geopolitical tensions? Honestly speaking, none of this was interesting to me when I was a student. I chose to start simple, discussing what threats and the _DKIW pyramid_ were, and then focusing on CVE, CVSS, and KEV — one of my favorite _topic clusters_.\\n\\nTo my surprise, not only did the students engage and ask questions, but they also stuck around late on a Friday afternoon, diving into discussions about software supply chain risks and beyond. I don’t remember ever staying at university past 6:00 p.m. on a Friday as a student! A week later, when they presented their projects — many centered on authentication, TOTP, and SmartCards — I was genuinely impressed by their ideas and the real-world problems they were addressing.\\n\\n\\”Care that you share\\” is a mindset that helps us appreciate the knowledge exchange that happens in person, too.\\n\\nWhether sharing stories over dinner, IOCs over email, or ideas in a classroom, let’s all take a moment to consider not just what we share, but how and why we share it. I’ll admit, I sometimes hesitate to share certain stories myself, worried they might seem too obvious or uninteresting, or maybe even dumb. But more often than not, those moments of openness lead to the best conversations and new perspectives.\\n\\nThis rings especially true during busy or understaffed times, when teams are stretched thin. It’s tempting to keep things to ourselves to avoid \\”bothering\\” others. In reality, sharing a helpful tip, a concern, or just a quick update can make all the difference for colleagues who might be juggling extra responsibilities or missing context.\\n\\nSo this holiday season, care that you share. Thoughtful communication isn’t just about protecting information — it’s also about supporting each other, especially when resources are limited. You never know who might benefit from what you have to offer, yourself included.\\n\\n## The one big thing\\n\\nLast week, Cisco Talos announced _an initiative to retire outdated ClamAV signatures_ to reduce database sizes and improve efficiency by focusing on currently relevant threats. Starting Dec. 16, 2025, the \\”main.cvd\\” and \\”daily.cvd\\” databases will be cut roughly in half, offering smaller downloads and reduced resource usage. Retired signatures may be reintroduced if old threats reappear, and only supported ClamAV container images will remain available on Docker Hub to enhance security and management.\\n\\n### Why do I care?\\n\\nSmaller signature databases mean faster updates, lower bandwidth and storage requirements, and improved performance, especially on resource-constrained systems. By focusing detection on active threats, ClamAV can more efficiently protect against current malware without being bogged down by obsolete signatures.\\n\\n### So now what?\\n\\nWe will continue to monitor the activity of retired signatures and will restore any that are needed to protect the community. Stay attentive and request the reinstatement of retired signatures if older threats reappear. In the meantime, we recommend that ClamAV container image users select a feature release tag rather than a specific minor release tag to stay up to date with security updates and bug fixes.\\n\\n## Top security headlines of the week\\n\\n**Second Sha1-Hulud wave affects 25,000+ repositories via npm preinstall credential theft** \\nThe new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. (_The Hacker News_)\\n\\n**FBI: Cybercriminals stole $262M by impersonating bank support teams** \\nSince January 2025, the FBI’s Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. (_Bleeping Computer_)\\n\\n**Everest ransomware claims breach at Spain ‘s national airline Iberia with 596 GB data theft** \\nThe group states that the data covers millions of customers in multiple countries, and says it had long-term access with the ability to read and alter bookings. (_HackRead_)\\n\\n**CISA warns of active spyware campaigns hijacking high-value Signal and WhatsApp users** \\nCISA on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. (_The Hacker News_)\\n\\n**LINE messaging bugs open Asian users to cyber espionage** \\nResearchers discovered critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. (_Dark Reading_)\\n\\n## Can’t get enough Talos?\\n\\n** _Talos Takes: When you ‘re told \\”no budget\\”_** \\nFrom configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn.\\n\\n** _Humans of Talos: On epic reads, lifelong learning, and empathy_****** \\nIn this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals.\\n\\n** _The TTP: How Talos built an AI model into one of the internet ‘s most abused layers_** \\nHazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking the internet.\\n\\n## Upcoming events where you can find Talos\\n\\n * _AVAR_ (Dec. 3 – 5) Kuala Lumpur, Malaysia\\n * _Black Hat Europe_ (Dec. 8 – 11) London, U.K.\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a** \\nMD5: 1f7e01a3355b52cbc92c908a61abf643 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a_ \\nExample Filename: cleanup.bat \\nDetection Name: W32.D933EC4AAF-90.SBX.TG\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nExample Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe \\nDetection Name: Win.Worm.Coinminer::1201\\n\\n**SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59** \\nMD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59_ \\nExample Filename: ck8yh2og.dll \\nDetection Name: Auto.90B145.282358.in02\\n\\n**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974** \\nMD5: aac3165ece2959f39ff98334618d10d9 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974_ \\nExample Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe \\nDetection Name: W32.Injector:Gen.21ie.1201\\n\\n**SHA256: 26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff** \\nMD5: 71da0bf3094e3ed17bc5a1c78de80933 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff_ \\nExample Filename: cleanup.bat \\nDetection Name: W32.26FA67DB9A-90.SBX.TG”,”published”:”2025-11-26T17:00:48″,”modified”:”2025-11-26T17:00:48″,”type”:”talosblog”,”title”:”Care that you share”,”source”:””,”references”:””,”id”:”TALOSBLOG:F4B6739141B322648BB48BD5C838F7FC”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/care-that-you-share\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T20:05:12″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nBack in April, I _wrote_ about the risks of unintentionally leaking information while…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-27763","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n