| Website | https://www.first.org |
#FIRSTCTI26 is officially a wrap, and it's the people who made it. Three days of workshops, plenary sessions, and hands-on training across the CTI landscape in Munich, Germany.
Sessions were led by practitioners and researchers from Google, AWS, the European Commission CSOC, ENISA, CIRCL, CERT-In, Intel 471, BlackRock, Deloitte, NTT DATA, Expel, and dozens more.
Highlights:
- From Signal to Action was the dominant theme: practitioners tackled the gap between data and defensive action, building CTI pipelines under resource constraints and automating enrichment to cut through noise
- AI took center stage as a double-edged force: sessions explored how LLMs and RAG architectures can multiply analyst capacity, while also confronting poisoned OSINT, compromised pipelines, and adversarial manipulation of AI-assisted analysis
- New capabilities and partnerships were announced: Silobreaker unveiled agentic AI to speed up analyst research; CTM360 launched its AI-powered external CTEM platform; and Venation announced a partnership with UK-based POKKIT to deliver plain-English and Dutch cyber resilience guidance to smaller EMEA organizations
TLP:CLEAR sessions were live-streamed and are available now on FIRST's YouTube Channel.
A huge thank you to everyone who attended, presented, sponsored, and supported this event.
See you at the next one!
Read more: https://go.first.org/zqJyk
The CVE funding disruption exposed a single point of failure in the infrastructure that underpins global vulnerability management. In this Help Net Security interview, ENISA's Nuno Rodrigues Carvalho, #VulnCon26 speaker, breaks down what needs to change.
Read more: https://go.first.org/bSrxK
New on the FIRST blog: Jenn Gile, Co-Founder of OpenSourceMalware and #VulnCon26 speaker, on why malicious open source packages don't fit the traditional vulnerability intelligence model.
The response motion looks familiar. A malicious package appears in a public registry, a record lands in OSV, tools fire an alert, and someone opens a ticket. But the data and the playbook don't actually match the threat.
Vulnerabilities are passive. They wait to be exploited.
Malicious packages are active. They execute on install.
Vulnerabilities have a fixed version.
Malicious packages ARE the latest version.
That mismatch leaves three investigative gaps vulnerability databases weren't built to fill:
- Payload: what the malware did and which files were affected.
- Threat actor: C2 infrastructure and accounts reused across campaigns.
- Campaign: how one package connects to broader activity.
Case in point: the axios account takeover on March 30, 2026. OSV surfaces three IOCs. The campaign has at least nine, two of them shared with other malicious assets.
Jenn's argument: malicious packages need their own intelligence track, built around a different set of questions.
Read more: https://go.first.org/BwFfv

Malicious open source packages and software vulnerabilities may look alike on the surface, but they demand entirely different response playbooks. Treating a malicious npm or PyPI package like a CVE leaves critical questions unanswered: what did it execute, where did it phone home, and what campaign is it part of? Purpose-built malicious package intelligence infrastructure is needed to answer those questions.
