Security Staff Picks To Read This Month, Handpicked by Splunk Experts

Hello and welcome! Every month, our Splunk staff of security experts share their favorite reads of the month — this way, you can follow the most interesting, news-worthy, and innovative stories coming from the wide world of cybersecurity.

Here, we'll share a variety of articles, original research, presentations, whitepapers, and customer case stories. Topics that may be covered in these hand-picked reads may include:

• Cybersecurity news 
• InfoSec and computer security
• Threat hunting and detection engineering
• AI & security
• Risk management
• Emerging trends
• And much more!

We've been running this Security Picks series for years, and now we're making some updates: bookmark this URL, because we'll be making all of our recommendations here moving forward. So anytime you have a little downtime or are wondering what to read to stay on the nose, check out these security articles hand-picked by security experts. 

Security Articles To Read in November 2025

Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors

Author: Sarah Yoder, John Wolfram, Ashley Pearson, Doug Bienstock, Josh Madeley, Josh Murchie, Brad Slaybaugh, Matt Lin, Geoff Carstairs, Austin Larsen
Recommended by: Audra Streetman (LinkedIn)

Why we like it: “In this blog, Google Threat Intelligence Group and Mandiant provide a detailed overview of BRICKSTORM, a stealthy backdoor deployed across Linux- and BSD-based virtualization and network appliances, targeting Software-as-a-Service (SaaS) providers and other high-value sectors. The backdoor has been linked to UNC5221, a Chinese state-nexus threat actor known to exploit zero-day vulnerabilities in VMware vCenter and ESXi hosts. By compromising the virtualization layer itself, the actor has demonstrated the ability to maintain dwell times exceeding a year, using hypervisor access both as a persistence mechanism and as a data exfiltration vector.   Increasingly, these operations also reflect a broader strategic shift from traditional software supply chain attacks to what can be described as “operational enablement compromise.” Rather than delivering malicious updates to downstream customers, threat actors now compromise upstream technology suppliers and service providers to harvest proprietary vulnerability research, exploit development data, and privileged credentials. This approach enables the development of new intrusion capabilities and future access operations that transform today’s compromises into tomorrow’s exploitation opportunities across entire customer ecosystems.”

Jaguar Land Rover hack cost UK economy an estimated $2.5 billion, report says

Author: James Pearson 
Recommended by: Jeffrey Walzer  (LinkedIn) 

Why we like it: “This incident, deemed the most economically damaging cyber event in UK history, forced a nearly six-week halt in JLR's production, demonstrating how a single breach can cause substantial disruption to manufacturing, ripple through complex supply chains, and necessitate significant government intervention to support affected businesses. The wide-ranging financial and operational consequences highlight that cybersecurity is not merely an IT concern but a fundamental aspect of economic stability, demanding that all organizations prioritize identifying critical networks, strengthening defenses, and developing comprehensive contingency plans to mitigate such far-reaching impacts.”

First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails

Author: Idan Dardikman
Recommended by: Bhavin Patel (LinkedIn)  

Why we like it: “What I like about this example is the sheer simplicity of the payload — a single line silently exfiltrating sensitive data for weeks without detection. It shows how AI-integrated tools like MCP servers can easily slip malicious code into trusted workflows, making them incredibly hard to monitor or control. We should be fundamentally rethinking how we secure the supply chain within our organizations, treating these integrations with the same scrutiny as any critical production dependency.”

GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace

Author: Idan Dardikman
Recommended by: Shannon Davis (LinkedIn)

Why we like it: "This malware should be called, "But Wait, There's More!" Why you ask? Well, pause Terminator 2 and stop waiting for the SkyNet to wreak havoc. As opposed to the scare-mongering AI-generated super malware, GlassWorm does some pretty crazy, and scary stuff. Being the world's first worm targeting VS Code extensions on OpenVSX and VSCode marketplaces, GlassWorm compromised OpenVSX extensions to begin its naughtiness. It harvests NPM, GitHub, and Git credentials for supply chain propagation. It targets 49 different cryptocurrency wallet extensions to drain funds. It deploys SOCKS proxy servers, turning developer machines into criminal infrastructure. It installs hidden VNC servers for complete remote access. It then uses stolen credentials to compromise additional packages and extensions, spreading the worm further. Oh, and the code in the initial compromised extensions is invisible. It's encoded in unprintable Unicode characters making any human, or static analysis tools blind to its debauchery. But JavaScript will still execute the code, gotta love JavaScript. Anyway, not trying to dampen your spirits, but maybe put some attention back on traditional human-written malware as it's getting ever more advance, and not going anywhere anytime soon, sorry ChatGPT.”'

Agentic AI’s OODA Loop Problem

Author: Barath Raghavan & Bruce Schneier 
Recommended by: Warren Myers (LinkedIn)  

Why we like it: “With the rise in focus on "agentic AI", more than ever focus needs to be given to the quality, reliability, and factualness of the LLM's training data.”

ChatGPT Atlas Raises Alarm Over New AI Browser Security Risks 

Author: Lily Morris  
Recommended by: Mark Stricker (LinkedIn) 

Why we like it: “AI companies are rolling out new capabilities every week, it seems like!  It's like drinking from a firehose.  And with those capabilities come security risks.  This week, the newest thing is AI Browsers.  ChatGPT released Atlas, and Perplexity released Comet.  Cybersecurity professionals must assess the threat surface associated with these products.  This article is a beginning attempt to explore the security risks with these new browsers!”

A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones

Author: Dan Goodin, Ars Technica
Recommended by: Tamara Chacon (LinkedIn)

Why we like it: “Dan Goodin's article looks at how android devices could allow hackers to intercept one of the most trusted protections we use online — two-factor authentication codes. The exploit takes advantage of a hidden weakness in how certain apps handle sensitive data, creating opportunities for stealthy attacks. The blog dives into how researchers uncovered this threat, what it means for everyday smartphone users, and why industry experts are sounding the alarm. It’s a wake-up call for anyone who thinks their accounts are fully shielded.”

More Security Recommendations & Resources

That rounds out this month's security reading recommendations! Check back next month for your next to-reads. In the meantime, check out these resources for more security content:

Splunk Security Teams To Follow

SURGe

• Listen to The Security Detail Podcast
• Sign up for the SURGe Newsletter

Splunk Threat Research Team (STRT)

• Read original STRT research & blogs
• Get the latest Splunk Security Content (ESCU)

More Recommendations

• The PEAK Threat Hunting Framework 
• Must-Read Cybersecurity Books & Articles 
• Top Security Podcasts
• Cybersecurity & InfoSec Conferences and Events