On March 10, 2026, AppsFlyer’s JavaScript SDK was compromised in an active supply chain attack. If you run an ecommerce site and that script loads on your payment pages, you’ve potentially been serving malicious code to every customer who checked out over the past 72+ hours. No changes to your codebase required. No alerts from your WAF. No red flags on your server logs.
This is actively happening.
And for anyone who’s been wondering why the PCI Security Standards Council added requirements 6.4.3 and 11.6.1 to PCI DSS 4.0.1, this is your answer.
A reality check on why running your environment through Vanta, Drata, Secureframe, Delve, or a SaaS app doesn’t make you PCI DSS compliant, and why enterprises should be asking harder questions about their vendors.
AI agents are no longer chatbots. They call APIs, execute code, and make decisions with real consequences. The OWASP Agentic Top 10 is the first industry framework built to address this new attack surface, and the numbers behind it should concern every security professional.
When we talk about PCI DSS compliance, the conversation tends to stay clinical. Scoping exercises. Network diagrams. Encryption at rest. But compliance doesn’t exist in a vacuum. It exists because there’s a thriving, industrialized criminal economy on the other end waiting to monetize every gap you leave open.
Rapid7 published a detailed piece of research this month that every QSA, security engineer, and compliance leader should read: their analysis of the carding-as-a-service (CaaS) ecosystem and the underground dump shops that power it. Having spent years on the assessor side of PCI, I want to connect what Rapid7 found directly back to what it means for your cardholder data environment and your scoping decisions.
If you’ve spent any time on LinkedIn or at a cybersecurity conference in the last couple of years, you’ve seen the headlines. “Quantum computing will break all encryption.” “Your data is already at risk.” “The cryptographic apocalypse is coming.”
It makes for great conference talks and even better vendor marketing. But here’s the thing: encryption has always been broken. And every single time, we’ve replaced it with something stronger. The lifecycle of cryptographic algorithms isn’t a flaw in the system; it is the system. So why would quantum computing be any different?
OpenClaw has made remarkable security strides since my January article: it hired dedicated security leadership, patched 40+ vulnerabilities, and partnered with VirusTotal. Then ClawHavoc exposed 341 malicious skills. And now the founder has just joined OpenAI. Here’s everything that changed, what still worries me, and how to think about deploying OpenClaw in this new reality.
Security research reveals OpenClaw (formerly Clawdbot) has fundamental architectural flaws that make it function like malware. With 100,000+ users, exposed instances leaking credentials, and infostealers already targeting it, this viral AI agent proves we need AI governance now.