{“lastseen”:”2026-05-28T22:05:07″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nRecently, Martin closed his introduction with a _warning_: Ready or not, the time of much patching is coming. I’ve been chewing on that one for a while because I’m rethinking my own enrichment pipelines along these lines, and the questions Martin raised are the ones I keep running into — with one or two ideas on what practitioners can actually do about it.\\n\\nHonestly speaking, most of us are still prioritising the wrong way. CVSS has been the default for over a decade — but it only answers one question: How bad could this be in theory? It’s a severity score, not a risk score. A CVSS 9.8 on something nobody is exploiting (and nobody ever will) is a very different problem from a CVSS 7.2 that’s being weaponised in the wild this morning. If your patch queue is sorted purely by CVSS, you’respending finite operations capacity on hypotheticals.\\n\\nThis is where _EPSS_ (Exploit Prediction Scoring System) earns its place next to CVSS. EPSS is a probability — between 0 and 1 — that a given CVE will be exploited in the next 30 days, based on real-world signals. The two answer different questions: \\n \\n\\n\\nFeature | CVSS | EPSS \\n—|—|— \\nFocus | Severity (impact) | Risk (likelihood of exploitation) \\nNature | Static (usually) | Dynamic (updated daily) \\nOutput | 0.0 to 10.0 score | 0.0 to 1.0 probability \\nPrimary use | Assesses technical impact | Prioritizes remediation \\n \\n \\n \\nCVSS tells you how bad it would be if exploited. EPSS tells you how likely it is to actually happen to you soon. Used together, a high CVSS and a high EPSS is your \\”drop everything\\” pile, while a high CVSS and a very lowEPSS can probably wait behind a medium with an EPSS of 0.7. That single change in triage logic can meaningfully shrink the patch backlog without weakening your posture.\\n\\nThe second ingredient is knowing what is actually being exploited — and here, many teams default to CISA’s KEV catalog. KEV is excellent, and I’ve quoted KEV numbers in this newsletter more times than I can count. CISA contributes as an Authorized Data Publisher (ADP) in the CVE Program, _enriching records_ alongside the original CNA’s data. That model works well, but it’s also why KEV is structurally centralized, conservative in what it admits, and naturally scoped to what U.S. federal visibility surfaces. For a global practitioner — and writing this from Germany, I notice — \\”Is this being exploited?\\” deserves a broader lens.\\n\\nThat broader lens is starting to take shape with _GCVE_ (Global CVE), a decentralized approach to vulnerability identification and enrichment. Two properties matter for the surge that’s coming:\\n\\n 1. **Speed of enrichment.** Because GCVE is decentralized, enrichment data — references, affected products, exploit indicators — doesn’t have to wait in a single queue. In practice, actionable context arrives meaningfully faster than the traditional NVD pipeline, which has visibly struggled with backlog over the past two years.\\n 2. **Broader exploitation signal.** Rather than a single authoritative list of what is being exploited, GCVE makes room for multiple sources of exploitation evidence to surface against the same identifier. That gives defenders outside the U.S. (and frankly, inside it too) a more complete picture than KEV alone.\\n\\n\\n\\nPair that with EPSS on top of CVSS, and you end up with a triage stack that is faster, broader, and probability-informed rather than only severity.\\n\\nNone of this removes the patching workload that is coming, but it does change which patches you sprint on at 2:00 a.m. and which ones can ride the normal cycle. Before the surge arrives, that’s a worthwhile thing to get right.\\n\\n## The one big thing\\n\\nCisco Talos released _EvidenceForge_, a new open-source tool designed to generate highly realistic, correlated synthetic security logs. This tool solves the chronic shortage of high-quality, labeled datasets needed to train threat hunters and validate detection logic. By using a single canonical event model and AI-assisted scenario authoring, EvidenceForge ensures causal and temporal consistency across more than 20 log formats.\\n\\n### Why do I care?\\n\\nRelying on heavily scrubbed public datasets or red team engagements often leaves security teams with incomplete telemetry. While most synthetic generators spit out independent events that fail to tell a coherent story, EvidenceForge injects realistic background noise, red herrings, and proper causal sequencing into the mix. This allows your team to work with synchronized datasets that (more) accurately mimic real-world network visibility without the compliance headaches of using production data.\\n\\n### So now what?\\n\\nSecurity teams can head over to GitHub to clone the EvidenceForge repository and use its guided conversation feature to build custom attack scenarios. Defenders can then use these newly generated datasets to build robust SOC analyst training programs, stress-test a new SIEM, and validate detection pipelines before they touch a production environment. You can find the full details and the link to the open-source repository in the _blog post_.\\n\\n## Top security headlines of the week\\n\\n**Lawmakers demand answers as CISA tries to** **contain** **data leak** \\nLawmakers are demanding answers from the U.S. Cybersecurity \\u0026 Infrastructure Security Agency (CISA) after a contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. (_KrebsOnSecurity_)\\n\\n**Over 5,500 GitHub repositories infected in \\”Megalodon\\” supply chain attack** \\nThe campaign relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets. The workflows were injected through over 5,700 malicious commits pushed to the impacted repositories on May 18. (_SecurityWeek_)\\n\\n**Authorities seized 800 servers of hosting company used to launch cyber attacks** \\nThe investigation centers on a web hosting company established on Feb. 10, 2022, weeks before Russia invaded Ukraine. The infrastructure was allegedly used to support cyber attacks, disinformation campaigns, and sanctions evasion linked to Russia. (_CyberSecurityNews_)\\n\\n**Content** **delivery** **exploit** **opens** **websites to** **brand** **hijacking** \\nThe Underminr domain-fronting attack allows threat actors to modify web requests and leverage trusted websites to cloak malicious activity. (_Dark Reading_)\\n\\n**Cisco ‘s risk-based vulnerability disclosure in the age of AI** \\nCisco is adapting its vulnerability disclosure practices, focusing on increasing the visibility of detailed technical information for vulnerabilities that are critical, actively exploited, or have a higher likelihood of exploitation. (_Cisco blog_)\\n\\n## Can’t get enough Talos?\\n\\n** _DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap_** \\nHospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. Our latest white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.\\n\\n** _MediaArea heap-based buffer overflow vulnerabilities_** \\nMediaArea produces digital media analysis open-source software, as well as support tools for file investigation. Talos discovered four vulnerabilities in MediaInfoLib, which provides a UI for technical and tag data for video and audio media files.\\n\\n**_Breaking things to keep them safe with Philippe Laulheret_** \\nFrom his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research.\\n\\n## Upcoming events where you can find Talos\\n\\n * _Cisco Live U.S._ (May 31 – June 4) Las Vegas, Nevada\\n\\n\\n\\n## Most prevalent malware files from Talos telemetry over the past week\\n\\n**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507** \\nMD5: 2915b3f8b703eb744fc54c81f4a9c67f \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507_ \\nExample Filename: VID001.exe \\nDetection Name: Win.Worm.Coinminer::1201**\\n\\n**SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f** \\nMD5: 38de5b216c33833af710e88f7f64fc98 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f_ \\nExample Filename: sample.exe \\nDetection Name: Win.Tool.Procpatcher::1201\\n\\n**SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe** \\nMD5: a2cf85d22a54e26794cbc7be16840bb1 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe_ \\nExample Filename: a2cf85d22a54e26794cbc7be16840bb1.exe \\nDetection Name: W32.5E6060DF7E-100.SBX.TG\\n\\n**SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638** \\nMD5: cc4d231df34e57f59eb970353c7d9de2 \\nTalos Rep: _https:\/\/talosintelligence.com\/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638_ \\nExample Filename: AutoPico.exe \\nDetection Name: PUA.Win.Tool.Kmsactivator::1201″,”published”:”2026-05-28T18:00:27″,”modified”:”2026-05-28T18:00:27″,”type”:”talosblog”,”title”:”Less panic patching, more precision”,”source”:””,”references”:””,”id”:”TALOSBLOG:4FE4A1E5153F51581C603B5FCEB8D657″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/less-panic-patching-more-precision\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-28T22:05:07″,”description”:”\\n\\nWelcome to this week’s edition of the Threat Source newsletter.\\n\\nRecently, Martin closed his introduction with a _warning_: Ready or not, the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-57961","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n