Open standards strengthen national education systems while enabling French edtech to scale globally
BURLINGTON, Mass., Jan. 22, 2026 /PRNewswire/ — With the adoption of its new Interoperability Framework for Digital Services for Education, France is setting clear expectations for how digital education tools must work together nationwide. It requires “public middle and high schools to use digital tools and services that comply with technical requirements for security, interoperability and responsible digital technology set by the Minister.”
1EdTech stands ready to help educational organizations and education technology providers align with and benefit from the framework.
By requiring internationally recognized open standards, France is reducing technical barriers that have traditionally slowed adoption and market entry, especially for open tools and resources, and is creating conditions for a more open, competitive, and sustainable edtech ecosystem.
This standards-based approach supports:
Faster entry for startups and small-to-medium education technology providers
Lower long-term costs for educational institutions
Greater flexibility and choice for schools and educators
Just as importantly, it allows French education technology providers to build solutions that can operate not only within France, but also across international markets that rely on the same global standards.
“By requiring common interoperability standards, France is ensuring that digital education tools can work together by design,” said a French Ministry representative. “This approach helps lower long-term costs, protect student data, increase efficiency, and increase trust across the country. Interoperability is essential infrastructure for a modern, open, and future-ready education system.”
“In the past, digital learning tools often needed custom connections for every school system, which was costly and slowed innovation, especially for smaller companies,” said Curtiss Barnes, CEO of 1EdTech Consortium. “France’s new interoperability framework reflects the same vision we share at 1EdTech: replacing one-off integrations with trusted, shared standards. That’s why we’re investing in simpler certification pathways and a new OneRoster profile that more specifically meets France’s needs, so providers of all sizes can more easily adopt standards, scale globally, and give schools real choice based on quality.”
The 1EdTech standards named in France’s framework support different parts of digital learning:
OneRoster® helps schools share class and enrollment information, so teachers and students don’t have to manually add or update class lists across different tools.
Learning Tools Interoperability (LTI)® lets learning tools connect easily to learning platforms, allowing educators to launch tools with one click and students to use them without extra logins.
Common Cartridge® and Question & Test Interoperability (QTI)® make learning content and tests easier to share, so educators can reuse lessons and assessments across systems instead of rebuilding them from scratch.
Caliper Analytics® helps schools understand how students learn online by using shared data formats, making it easier to spot what’s working, what’s not, and where students need support.
Open Badges allows students to earn digital credentials they can keep and use anywhere, giving learners portable proof of their skills that can move with them between schools, jobs, and training programs.
Together, these standards help schools build learning systems that can change and grow over time.
French public middle and high schools, and education technology providers that serve them, will need to comply with the framework’s requirements. All 1EdTech standards are open and publicly available, and 1EdTech members have access to additional tools, guidance, and certification resources to support alignment with France’s framework.
About 1EdTech Consortium
1EdTech® Consortium is a global community committed to building an integrated foundation of open standards that make educational technology work better for everyone. Our mission is to reduce complexity, accelerate innovation, and expand possibilities for learners worldwide. Our members represent K-12, primary, secondary, and postsecondary education organizations, workforce and corporate education providers, and technology providers. Together, we create and evolve community-developed technical standards and practices that support learner success throughout the lifelong learning continuum. Our organization gives a voice to all stakeholders working to improve education. 1EdTech hosts the Learning Impact Conference, Digital Credentials Summit, Learning Impact Europe Conference, and other engagement opportunities to advance the leadership and ideas that shape the future of learning. Visit our website at 1edtech.org.
In our January 2026 Short-Term Energy Outlook, we forecast U.S. crude oil production next year will remain near the record 13.6 million barrels per day (b/d) produced in 2025 before decreasing 2% to 13.3 million b/d in 2027. If realized, a fall in annual U.S. crude oil production will mark the first since 2021.
In-brief analysis
Jan 21, 2026
When military aircraft are retired, they live out their days in the sunbelt at the U.S. Air Force’s facility on Davis-Monthan Air Force Base in Arizona, otherwise known as the Boneyard.
In-brief analysis
Jan 20, 2026
In our latest Short-Term Energy Outlook, we forecast retail U.S. gasoline prices will be lower the next two years than in 2025, falling 6% in 2026 and then increasing 1% in 2027. Our gasoline price forecast generally follows a similar path as global crude oil prices, but decreasing U.S. refinery capacity this year may offset some of the effects of lower crude oil prices on gasoline, especially in the West Coast region.
In-brief analysis
Jan 16, 2026
Electricity generation by the U.S. electric power sector totaled about 4,260 billion kilowatthours (BkWh) in 2025. In our latest Short-Term Energy Outlook (STEO), we expect U.S. electricity generation will grow by 1.1% in 2026 and by 2.6% in 2027, when it reaches an annual total of 4,423 BkWh. The three main dispatchable sources of electricity generation (natural gas, coal, and nuclear) accounted for 75% of total generation in 2025, but we expect the share of generation from these sources will fall to about 72% in 2027. We expect the combined share of generation from solar power and wind power to rise from about 18% in 2025 to about 21% in 2027.
In-brief analysis
Jan 14, 2026
We expect the U.S. benchmark natural gas spot price at the Henry Hub to decrease about 2% to just under $3.50 per million British thermal units (MMBtu) in 2026 before rising sharply in 2027 to just under $4.60/MMBtu, according to our January Short-Term Energy Outlook (STEO). We expect the annual average Henry Hub price in 2026 to decrease slightly as annual supply growth keeps pace with demand growth over the year. However, in 2027, we forecast demand growth will rise faster than supply growth, driven mainly by more feed gas demand from U.S. liquefied natural gas (LNG) export facilities, reducing the natural gas in storage. We forecast annual average spot prices will decrease by 2% in 2026 and then increase by 33% in 2027.
In-brief analysis
Jan 9, 2026
In 2025, the wholesale U.S. natural gas spot price at the national benchmark Henry Hub in Louisiana averaged $3.52 per million British thermal units (MMBtu), based on data from LSEG Data. The 2025 average Henry Hub natural gas spot price increased 56% from the 2024 annual average, which—when adjusted for inflation—was the lowest on record. On a daily basis, the Henry Hub natural gas spot price ranged from $2.65/MMBtu to $9.86/MMBtu, reflecting a narrower range of daily prices compared with the previous year.
In-brief analysis
Jan 7, 2026
The U.S. retail price for regular grade gasoline averaged $3.10 per gallon (gal) in 2025, $0.21/gal less than in 2024. This year marks the third consecutive year of declining nominal retail gasoline prices, according to data from our Gasoline and Diesel Fuel Update.
In-brief analysis
Jan 5, 2026
Data source: U.S. Energy Information Administration, based on Thomson Reuters data
Data values: Europe Brent Spot Price FOB (free on board)
Crude oil prices generally declined in 2025 with supplies in the global crude oil market exceeding demand. Crude oil inventory builds in China muted some of the price decline. Events such as Israel’s June 13 strikes on Iran and attacks between Russia and Ukraine targeting oil infrastructure periodically supported prices.
In-brief analysis
Dec 22, 2025
Source: U.S. Energy Information Administration
Below is a list featuring some of our most popular and favorite articles from 2025. We will resume regular Today in Energy publications on January 5, 2026. Thanks for your continued readership of Today in Energy.
In-brief analysis
Dec 19, 2025
Data source: U.S. Energy Information Administration, Short-Term Energy Outlook
Data values: Total Crude Oil Production
Note: While EIA does not forecast unplanned production outages, they are assumed to remain at the most recent historical month’s level throughout the forecast period.
Each month we publish estimates of key global oil market indicators that affect crude oil prices and movements in our Short-Term Energy Outlook (STEO). Among the most important indicators for global crude oil markets are estimates of OPEC’s effective crude oil production capacity and surplus production capacity, as well as any disruptions to liquid fuels production. Low surplus production capacity among OPEC countries can put upward pressure on crude oil prices in the event of unplanned supply disruptions or strong growth in global oil demand.
In-brief analysis
Dec 17, 2025
We forecast that global crude oil production will increase by 0.8 million barrels per day (b/d) in 2026, with supply from Brazil, Guyana, and Argentina accounting for 0.4 million b/d of the expected global growth forecast in our December Short-Term Energy Outlook (STEO). Global crude oil production growth since 2023 has been driven by countries outside of OPEC+.
In-brief analysis
Dec 15, 2025
Our estimates for residential energy expenditures this winter (November 2025 through March 2026) have increased since the publication of our initial Winter Fuels Outlook forecasts in mid-October. We now expect a colder winter, and our retail energy price forecasts have risen, especially for natural gas and propane.
In-brief analysis
Dec 12, 2025
In our latest Short-Term Energy Outlook, we forecast U.S. crude oil production will average 13.5 million barrels per day (b/d) in 2026, about 100,000 b/d less than in 2025.
This forecast decline in production follows four years of rising crude oil output.
Production increased by 0.3 million b/d in 2024 and by 0.4 million b/d in 2025, mostly because of increased output in the Permian Basin in Texas and New Mexico.
In 2026, we forecast modest production increases in Alaska, the Federal Gulf of America, and the Permian will be offset by declines in other parts of the United States.
We forecast that the West Texas Intermediate crude oil price will average $65 per barrel (b) in 2025 and $51/b in 2026, both lower than the 2024 average of $77/b.
In-brief analysis
Dec 10, 2025
Data source: U.S. Department of the Interior’s 2025 list of critical minerals; U.S. Department of Energy’s 2023 list of critical materials and a recently proposed addition
Note: This Today in Energy article launches the Energy Minerals Observatory, a new project of the U.S. Energy Information Administration. In 2026, as part of the Observatory and the Manufacturing Energy Consumption Survey (MECS), EIA plans to conduct field studies of three minerals: graphite, vanadium, and zirconium.
Critical minerals, such as copper, cobalt, and silicon, are vital for energy technologies, but most critical minerals markets are less transparent than mature energy markets, such as crude oil or coal. Like other energy markets, many supply-side and demand-side factors influence pricing for these energy-relevant critical minerals, but critical minerals supply chains contain numerous data gaps.
In-brief analysis
Dec 8, 2025
Data source: U.S. Energy Information Administration, based on data from S&P Global Market Intelligence
Data note: The specifics of the calculation methodology are detailed in a previous article with minor adjustments to heat rates used. The heat rate used for the dark spread was 10,500 British thermal units per kilowatthour (Btu/kWh), while the heat rate for the spark spread was 7,000 Btu/kWh.
Higher average daily wholesale electricity prices between January and November 2025 may be improving the operational competitiveness of some natural gas- and coal-fired generators in the PJM Interconnection compared with the same period in 2024. PJM is the largest wholesale electricity market in the United States. The spark and dark spreads, common metrics for estimating the profitability of natural gas- and coal-fired electric generators, have both increased over the past two years.
Certification accelerates leadership in trusted AI governance, enabling organizations to outpace AI-accelerated threats with speed and control
AUSTIN, Texas – January 22, 2026 – CrowdStrike (NASDAQ: CRWD) today announced it has achieved ISO/IEC 42001:2023 certification, validating its disciplined, externally audited approach to the responsible design, development, and operation of AI-powered cybersecurity. This certification spans core CrowdStrike Falcon® platform capabilities, including CrowdStrike Endpoint Security, Falcon® Insight XDR, and CrowdStrike® Charlotte AI.
ISO 42001 provides organizations with a globally recognized framework as they navigate emerging AI standards and regulatory expectations. It reinforces trust in CrowdStrike’s responsible AI governance and accelerates leadership in the AI era, delivering the speed, precision, and control to outpace AI-accelerated threats safely and at scale.
“CrowdStrike is among the first cybersecurity companies to achieve ISO 42001 certification, the world’s first AI management system standard,” said Michael Sentonas, president of CrowdStrike. “For a cybersecurity vendor, responsible AI governance is foundational. This certification validates the maturity, discipline, and leadership behind how we develop and operate AI across the Falcon platform.”
CrowdStrike pioneered AI-native cybersecurity and continues to deliver the platform innovation needed to stop evolving threats. Modern adversaries are weaponizing AI to scale attacks faster than defenders can respond. To safely gain the speed advantage, organizations need AI-powered protection built for the realities adversaries ignore. Defenders must operate under AI governance, regulation, and accountability that attackers do not – requiring AI that delivers intelligent automation, adheres to standards, and avoids introducing risk.
Innovation for the Agentic Era
The AI-native Falcon platform continuously analyzes behaviors and delivers real-time protection across the entire attack surface. Charlotte AI defines cybersecurity in the agentic era, elevating analysts from alert handlers to orchestrators of the agentic SOC. Intelligent agents trained on years of expertise from the world’s top SOC operators automate time-consuming tasks across the security lifecycle – always under defender control – freeing analysts to focus on the strategic decisions that strengthen security. Charlotte AI powers the agentic SOC on these foundational innovations:
The Agentic Security Workforce provides mission-ready agents trained on human expertise and response actions from Falcon® Complete and incident response engagements.
Charlotte AI AgentWorks enables organizations to build and customize their own agents without writing a single line of code.
Charlotte Agentic SOAR is the orchestration layer that allows CrowdStrike, custom-built, and third-party agents to work together as one coordinated defense system guided by human expertise.
Responsible Agentic Transformation
Charlotte AI operates within a model of bounded autonomy, ensuring security teams maintain full oversight of AI-driven decisions and define when and how AI-driven and automated actions occur. AI data, models, and agents are protected with governance and controls designed for highly regulated environments.
Accelerating CrowdStrike’s ongoing commitment to protecting the security and privacy of customer and organizational data in the AI era, ISO 42001 certification was awarded following an extensive audit conducted by an independent, accredited certification body. The assessment evaluated CrowdStrike’s AI management system, including governance, policies, risk management, and development practices for designing, deploying, and operating AI responsibly.
To learn more about CrowdStrike’s ISO 42001 certification, visit the CrowdStrike Compliance and Certification Page.
About CrowdStrike
CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.
Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting, and prioritized observability of vulnerabilities.
Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity, and immediate time-to-value.
CrowdStrike: We stop breaches.
Learn more: https://www.crowdstrike.com/
Challenge: Bridging expertise and client understanding in the AI era
Even with a strong advisory foundation, Papin CPA faced a critical challenge: bridging the gap between technical expertise and client understanding, especially in an era where AI-generated content often gives clients a false sense of confidence. As Chris Papin explained, “There’s a lot of noise in our industry … and we get a lot of questions from clients that are sometimes misplaced.”
Internally, the firm also strived for consistency. While their workflows were well-developed, there was no guarantee that every team member would follow the same steps or deliver the same quality of insight. Junior staff, in particular, lacked the confidence to step into advisory roles, often unsure of how to translate complex tax concepts into client-friendly language.
The result was a bottleneck in scaling advisory services and a missed opportunity to fully leverage the team’s collective potential. Without a reliable framework to validate expertise and empower all staff members, Papin CPA risked limiting their growth and impact.
Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page.
This isn’t merely an illusion. It’s the next frontier of web attacks where attackers use generative AI (GenAI) to build a threat that’s loaded after the victim has already visited a seemingly innocuous webpage.
In other words, this article demonstrates a novel attack technique where a seemingly benign webpage uses client-side API calls to trusted large language model (LLM) services for generating malicious JavaScript dynamically in real time. Attackers could use carefully engineered prompts to bypass AI safety guardrails, tricking the LLM into returning malicious code snippets. These snippets are returned via the LLM service API, then assembled and executed in the victim’s browser at runtime, resulting in a fully functional phishing page.
This AI-augmented runtime assembly technique is designed to be evasive:
The code for the phishing page is polymorphic, so there’s a unique, syntactically different variant for each visit
The malicious content is delivered from a trusted LLM domain, bypassing network analysis
It is assembled and executed at runtime
The most effective defense against this new class of threat is runtime behavioral analysis that can detect and block malicious activity at the point of execution, directly within the browser.
Palo Alto Networks customers are better protected through the following products and services:
The Unit 42 AI Security Assessment can help empower safe AI use and development across your organization.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
LLM-Augmented Runtime Assembly Attack Model
Our previous research shows how attackers can effectively use LLMs to obfuscate their malicious JavaScript samples offline. Reports from other sources have documented campaigns that leverage LLMs during runtime execution on compromised machines to tailor attacks (e.g., LLM-powered malware and ransomware).
Anthropic researchers have also published reports indicating that LLMs have aided cybercriminals and played a role in AI-orchestrated cyberespionage campaigns. Motivated by these recent discoveries, we researched how threat actors could leverage LLMs to generate, assemble and execute phishing attack payloads within a webpage at runtime, making it challenging to detect with network analysis. Below we outline our proof of concept (POC) for this attack scenario and offer steps to help mitigate the impact of this potential attack.
Attack Model For Our PoC
The attack scenario begins with a seemingly benign page. Once loaded in the victim’s browser, the initial webpage makes requests for client-side JavaScript to popular and trusted LLM clients (e.g., DeepSeek and Google Gemini, though the PoC could be effective across a number of models).
Attackers can then trick the LLM into returning malicious JavaScript snippets using carefully engineered prompts that circumvent safety guardrails. These snippets are then assembled and executed in the browser’s runtime to render a fully functional phishing page. This leaves behind no static, detectable payload.
Figure 1 shows how we developed our PoC to leverage LLMs to enhance existing attacks and bypass defenses. The first two steps involve initial preparation, while the final step details the generation and execution of phishing code within the browser at runtime.
Figure 1. Workflow of the PoC. The first two steps are initial preparation, and the third is an example of generating malicious content to be rendered in the browser.
Step 1: Select a Malicious or Phishing Webpage
The attacker’s first step would be to select a webpage from an active phishing or malicious campaign to use as a model for the type of malicious code that would perform the desired function. From there, they can create JavaScript code snippets that will be generated in real-time to dynamically render the final page displayed to the user.
Step 2: Translate Malicious JavaScript Code Into LLM Prompts
The attacker’s next step would be to craft prompts describing the JavaScript code’s functionality to the LLM in plain text. They could iteratively refine prompts, generating malicious code that bypasses existing LLM guardrails. These generated snippets could differ structurally and syntactically, allowing attackers to create polymorphic code with the same functionality.
Step 3: Generate and Execute Malicious Scripts at Runtime
From there, attackers could embed these engineered prompts inside a webpage, which would load on the victim’s browser. The webpage would then use the prompt to request a popular, legitimate LLM API endpoint to generate malicious code snippets. These snippets could then be transmitted over popular, trusted domains to bypass network analysis. Subsequently, these generated scripts could be assembled and executed to render malicious code or phishing content.
How This Attack Technique Helps with Evasion
This technique builds upon existing evasive runtime assembly behaviors that we often observe on phishing and malware delivery URLs. For example, 36% of malicious webpages we detect daily exhibit runtime assembly behavior, such as executing constructed child scripts with an eval function (e.g., retrieved, decoded or assembled payloads). Leveraging LLMs during runtime on a webpage gives attackers the following benefits:
Evading network analysis: The malicious code generated by an LLM could be transferred over the network from a trusted domain, as access to domains of popular LLM API endpoints is often allowed from the client side.
Increasing the diversity of malicious scripts with each visit: An LLM can generate new variants of phishing code, leading to higher polymorphism. This can make detection more challenging.
Using runtime assembly and executing JavaScript code to complicate detection: Assembling and executing these code snippets during runtime enables more tailored phishing campaigns, such as selecting a target brand based on the victim’s location or email address.
Obfuscating code in plain text: Translating code into text for subsequent concealment within a webpage can be viewed as a form of obfuscation. Attackers commonly employ various conventional techniques (e.g., encoding, encryption and code fragmenting) to visually conceal malicious code and evade detection. While advanced analyses often identify conventional obfuscation methods by evaluating expressions, it will be more challenging for defenders to evaluate text as executable code without subjecting each snippet to an LLM.
PoC Example
In researching the PoC, we were able to demonstrate how this augmentation could be applied to a real-world phishing campaign, illustrating its ability to enhance evasion techniques through the steps we outline above. A brief overview of this PoC is provided below.
Step 1: Selecting a Malicious/Phishing Webpage
For our PoC, we replicated a webpage from an advanced real-world phishing campaign known as LogoKit. The original phishing attack uses a static JavaScript payload to transform a benign-looking web form into a convincing phishing lure. This script performs two key functions: personalizing the page based on the victim’s email in the address bar and exfiltrating captured credentials to an attacker’s web server.
Step 2: Translating Malicious JavaScript Code Into LLM Prompts
Our PoC uses a popular LLM service, accessible via a chat API query from within the browser’s JavaScript. To mitigate potential misuse by attackers, we are not disclosing the name of this specific API. We used this LLM API to dynamically generate the code necessary for credential harvesting and to impersonate target webpages. Because the malicious payload is generated dynamically in the browser, the initial page transmitted over the network is benign, allowing it to inherently bypass network-based security detectors.
The attack’s success hinged on careful prompt engineering to bypass the LLM’s built-in safeguards. We found simple rephrasing was remarkably effective.
For instance, a request for a generic $AJAX POST function was permitted (shown in Figure 2), while a direct request for “code to exfiltrate credentials” was blocked. Furthermore, indicators of compromise (IoCs) (e.g., Base64-encoded exfiltration URLs) could also be hidden within the prompt itself to keep the initial page clean.
Figure 2. Example of prompt engineering to bypass LLM guardrails and generate JavaScript code for phishing content.
The non-deterministic output of the model provided a high degree of polymorphism, with each query returning a syntactically unique yet functionally identical variant of the malicious code. For example, Figure 3 shows differences in code snippets highlighted in red. This constant mutation makes detection more difficult.
Of note, LLM-generated code can include hallucinations, but we mitigated this through prompt refinement and increased specificity, effectively reducing syntax errors. As a result, the final, highly specific prompt successfully generated functional code in most instances.
Step 3: Executing Malicious Scripts at Runtime
The generated script was assembled and executed at runtime on the webpage to render the phishing content. This process successfully constructed a functional, brand-impersonating phishing page, validating the attack’s viability (shown in Figure 4). The successful execution of the generated code, which rendered the phishing page without error, confirmed the efficacy of our PoC.
Figure 4. Example of a phishing page rendered by assembling dynamically generated JavaScript at runtime in the browser.
Generalizing the Threat and Expanding the Attack Surface
Alternate Methods to Request LLM API
Our attack model, demonstrated through a PoC, could be implemented in various ways. However, each methodology described in the PoC speaks to how an attacker connects to LLM APIs for transferring malicious code as snippets that are executed in the browser at runtime.
As shown in our PoC, attackers could bypass security measures by directly connecting to a well-known LLM service API endpoint from a browser to execute code-generation prompts. Alternatively, they might use a backend proxy server on trusted domains or content delivery networks (CDNs) to connect to the LLM service for prompt execution. A further tactic could involve connecting to this backend proxy server via non-HTTP connections such as WebSockets, a method we have previously reported in phishing campaigns.
Other Abuses of Trusted Domains
Attackers have abused the trust of legitimate domains to circumvent detections in the past, as seen in instances like EtherHiding. In EtherHiding, attackers concealed malicious payloads on public blockchains associated with reputable and trusted smart contract platforms.
The attack detailed in this article uses a combination of diverse, LLM-generated malicious code snippets and the transmission of this malicious code through a trusted domain, to evade detection.
Translation of Malicious Code Into Text Prompts for More Attacks
This article focuses on the conversion of malicious JavaScript code into a text prompt to facilitate the rendering of a phishing webpage. This methodology presents a potential vector for malicious actors to generate diverse forms of hostile code. For example, they could develop malware or establish a command-and-control (C2) channel on a compromised machine that generates and transmits malicious code from trusted domains associated with popular LLMs.
The attack model presented here exemplifies runtime assembly behaviors, where malicious webpages are dynamically constructed within a browser. Prior research has also documented different variants of runtime assembly for crafting phishing pages or malware delivery. For example, this article mentions a technique where an attacker breaks down malicious code into smaller components, subsequently reassembling them for execution at runtime within the browser (termed by SquareX as last mile reassembling attack). Various reports describe attackers using HTML smuggling techniques to deliver malware.
The attack model outlined in this post goes further, as it involves the runtime generation of novel script variants that are later assembled and executed, posing a significantly elevated challenge to detection.
Recommendations for Defenders
The dynamic nature of this attack in combination with runtime assembly in the browser makes it a formidable defense challenge. This attack model creates a unique variant for every victim. Each malicious payload is dynamically generated and unique, transmitted over a trusted domain.
This scenario signals a critical shift in the security landscape. Detection of these attacks (while possible through enhanced browser-based crawlers) requires runtime behavioral analysis within the browser.
Defenders should also restrict the use of unsanctioned LLM services at workplaces. While this is not a complete solution, it can serve as an important preventative measure.
Finally, our work highlights the need for more robust safety guardrails in LLM platforms, as we demonstrated how careful prompt engineering can circumvent existing protections and enable malicious use.
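The runtime behavioral analysis recommended above can be approximated offline over a browser-sandbox event trace: flag any dynamic-execution sink whose code matches text that arrived earlier from an LLM API host. The following is an added example, not code from the article or from any Palo Alto Networks product; the event schema, the host name llm-api.example and the sample trace are assumptions constructed for illustration.

```javascript
// Added example: correlate LLM API responses with dynamic-execution sinks
// in a sandbox event trace. Event schema and host names are assumptions.
const EXEC_SINKS = new Set(["eval", "Function", "script-insert", "document.write"]);
const MIN_LEN = 24; // ignore trivial snippets that would match by chance

const squash = (s) => s.replace(/\s+/g, "");

// Collect every string value in a parsed JSON body (LLM APIs return code
// inside JSON strings); fall back to the raw body if it is not JSON.
function stringsIn(body) {
  const out = [];
  const walk = (v) => {
    if (typeof v === "string") out.push(v);
    else if (v && typeof v === "object") Object.values(v).forEach(walk);
  };
  try { walk(JSON.parse(body)); } catch { out.push(body); }
  return out;
}

function findRuntimeAssembly(events, llmHosts) {
  const seen = []; // {host, t, text} for LLM responses observed so far
  const findings = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "response" && llmHosts.has(ev.host)) {
      for (const s of stringsIn(ev.body)) seen.push({ host: ev.host, t: ev.t, text: squash(s) });
    } else if (ev.type === "exec" && EXEC_SINKS.has(ev.sink)) {
      const code = squash(ev.code);
      if (code.length < MIN_LEN) continue;
      const src = seen.find((r) => r.text.includes(code));
      if (src) findings.push({ sink: ev.sink, execAt: ev.t, source: src.host, fetchedAt: src.t });
    }
  }
  return findings;
}

// Constructed trace (not from the article); hosts are placeholders.
const LLM_HOSTS = new Set(["llm-api.example"]);
const trace = [
  { t: 1, type: "response", host: "cdn.example", body: "function initCarousel(){return document.title}" },
  { t: 2, type: "exec", sink: "script-insert", code: "function initCarousel(){return document.title}" },
  { t: 3, type: "response", host: "llm-api.example",
    body: JSON.stringify({ output: "```js\nfunction render(f) {\n  f.action = \"/collect\";\n}\n```" }) },
  { t: 4, type: "exec", sink: "eval", code: "function render(f){ f.action = \"/collect\"; }" },
  { t: 5, type: "exec", sink: "eval", code: "1+1" },
];
console.log(findRuntimeAssembly(trace, LLM_HOSTS));
```

Whitespace-insensitive substring matching only catches code executed as received; a page that rewrites the response before executing it needs taint tracking in the sandbox itself, so treat this as a triage signal rather than a verdict.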
Conclusion
This article demonstrates a novel AI-augmented approach where a malicious webpage uses LLM services to dynamically generate numerous variants of malicious code in real-time within the browser. To combat this, the most effective strategy is runtime behavioral analysis at the point of execution through in-browser protection and by running offline analysis with browser-based sandboxes that render the final webpage.
Palo Alto Networks Protection and Mitigation
Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:
Prisma AIRS customers can secure their in-house built GenAI applications against inputs that attempt to circumvent guardrails.
Customers using Advanced URL Filtering and Prisma Browser (with Advanced Web Protection) are better protected against various runtime assembly attacks.
Prisma Browser customers with Advanced Web Protection are protected against Runtime Re-assembly attacks from the first attempt, or “patient zero” hit, because the defense uses runtime behavioral analysis directly within the browser to detect and block malicious activity at the point of execution.
The Unit 42 AI Security Assessment can help empower safe AI use and development across your organization.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
In a strong close to 2025 for our Capital Market Team in Cairo, Barakat, Maher & Partners, in association with Clyde & Co, is proud to have advised Capital for Securitization on the second issuance of the tenth programme at EGP 478,000,000, structured across three tranches against a securitization portfolio assigned by Erada Microfinance Co.
The team was led by Mostafa Elsakaa, partner and head of capital market in Cairo, with the support of senior associate Walid Enany, and associates Omar Mahmoud and Mahmoud Toraya.
The issuance was approved by the Financial Regulatory Authority (FRA) on 30 December 2025, and the transaction brought together leading institutions across the market, with CI Capital Securities Brokerage acting as the financial advisor and lead arranger; and Arab African International Bank (AAIB) serving as the custodian, while Suez Canal Bank acted as the subscription receiver and underwriter.
Mostafa Elsakaa commented,
Mohamed Barakat added,
Two years since opening our Cairo office, our team has established itself as a transactional powerhouse, advising local and international businesses across a wide range of sectors. We have successfully handled complex M&A transactions, including advising on the first merger in Egypt’s private sector insurance industry, as well as handling private equity, anti-trust, competition, regulatory and corporate matters. Our team’s expertise also extends to joint ventures (JVs), restructurings, separations and carve-outs, together with initial public offerings (IPOs) and securitization deals including four closings for Capital for Securitization on the mortgage portfolio of Bedaya, the fourth issuance valued at EGP 1,637,000,000 on 26 March 2025, the third issuance valued at EGP 1,780,500,000 on 25 December 2024 and the first two issuances, valued at EGP 843 million on 29 December 2023 and EGP 1,415,500,000 on 10 October 2024. As well as closing the successful securitization deal, Capital for Securitization on the microfinance portfolio of Erada Microfinance valued at EGP 718 million in January 2025.
Solution: ONESOURCE centralizes global tax operations
Technology such as Thomson Reuters ONESOURCE was identified as a way to improve how JLL manages its tax and financial reporting across the regions where it does business.
With a user-intuitive interface, global footprint, and 150 years of tax content expertise, Thomson Reuters ONESOURCE was the obvious choice. With out-of-the-box tools already in place to support in-country deployments, Thomson Reuters ONESOURCE was able to help the JLL tax team drive efficiencies and minimize the cost and effort of implementation almost immediately.
Working with Thomson Reuters allowed JLL to improve their end-to-end processes by looking at its own data, identifying potential pain points, and then designing a configuration within its global ERP solution to help standardize and simplify its operating procedures while ensuring all regulatory requirements were being met.
The partnership with Pagero, a Thomson Reuters company, also helped guide JLL through the evolving requirements for e-invoicing mandates around the world. A dedicated point of contact helps ensure JLL can meet the changing regulatory requirements as quickly and accurately as possible.
In addition, Thomson Reuters ONESOURCE provided greater visibility and oversight, enabling JLL to better manage its tax spend and leverage the reporting capabilities to track and monitor their global filings more effectively.
Dubai, UAE; 22 January 2026: Dubai International Financial Centre (DIFC), a key cultural and lifestyle hub in Dubai, has unveiled ROOFLINE, a new addition to the city’s dynamic social space. Aimed at celebrating homegrown dining and culture concepts, the limited-time open-air rooftop destination runs till 31 March 2026, offering visitors new ways to experience Dubai through one gate.
Located across the connecting podium levels between Gate District and Gate Avenue in DIFC, Roofline provides a seamless rooftop connection between two key precincts and a prime space to enjoy Dubai’s unique skyline and DIFC’s architecture. Designed as a community-led destination, ROOFLINE champions Dubai’s homegrown culinary and creative scene.
Participating concepts at the debut of ROOFLINE include: FLTR, blending 3D design with speciality coffee, the iconic reflective mirror café Uncommon, community club and café IYKYK, Karak House with its modern take on traditional Emirati favourites, Rascals known for its hand cut doughnuts, speciality coffee and desserts place Badou, luxury smash burger spot Beau Burger and more.
From 22 January to 15 February, ROOFLINE hosts live Arabic music and open-air cinema screenings every Thursday to Sunday across Gate Avenue, adding an elevated entertainment layer to the rooftop experience. Screenings take place at Gate Avenue 4, Index Tower, while live music performances animate Gate Avenue 1 near Beau Burger, opposite Peet’s Coffee, with timings varying by date.
Saleh Al Akrabi, Chief Real Estate Officer, Dubai International Financial Centre, said; “As one of Dubai’s most vibrant lifestyle destinations, DIFC has launched ‘ROOFLINE’ to capture the spirit of Dubai in one setting. By bringing together the city’s best homegrown dining and culinary concepts, we are creating a destination that celebrates local creativity and invites people to come together, discover something new and enjoy great experiences, all in the heart of DIFC.”
Offering an elevated after-work and weekend experience for residents and visitors to Dubai, as well as DIFC professionals, the open-air rooftop space has a modern urban feel balancing dining, culture and social connection. Mini activations, pop-ups and curated entertainment are set to keep visitors enthralled throughout the season.
Roofline will also host a special Ramadan exhibition by Curated Playlist from 16 February to 8 March 2026, bringing immersive pop-up experiences that blend fashion, culture and music.
DIFC’s growing portfolio of homegrown and independent brands draws discerning visitors seeking after work and weekend dining options in a culturally rich and vibrant setting. With the opening of ROOFLINE, visitors to the venue can now discover more at Dubai International Financial Centre, where every experience begins at the Gate.
To keep up with the latest schedules and line-ups, visit: https://www.difc.com/whats-on/events/roofline-by-difc
DIFC is easily accessible by Dubai Metro with the Financial Centre Metro Station a 3-minute walk away.
Applications of Hyaluronic Acid in Pharmaceuticals, Healthcare and Cosmetics and Its Biosynthesis Wiley Online Library
Hyaluronic Acid Skin Care Products Market Set to Reach USD 3.90 Billion by 2033 as Global Demand for Advanced Hydration Surges Strategic Revenue Insights (SRI) Yahoo Finance
Hyaluronic Acid Market to Grow Immensely at a CAGR of 8% From 2025 To 2034 openPR.com
Are the benefits of hyaluronic acid just skin-deep? Here’s the science Australian Broadcasting Corporation
Hyaluronic Acid Market Set to Reach $4.9 Billion by 2035, Growing at 7.12% CAGR openPR.com
TOKYO — Japan posted a trade deficit for the fifth straight year in 2025, according to government data released Thursday, as exports were hit by U.S. President Donald Trump’s tariffs and a diplomatic rift with neighboring China.
For the full year, Japan logged a 2.65 trillion yen ($17 billion) trade deficit, the Finance Ministry reported in its preliminary data.
That was nearly 53% smaller than the deficit Japan marked the previous year. Exports for the year rose 3.1%, while imports remained about the same on-year, gaining less than 1%.
For the month of December, Japan recorded a 105.7 billion yen ($669 million) trade surplus.
The monthly surplus was 12% smaller than what was racked up a year ago. Imports grew 5.3% from the same month a year ago, while exports grew 5.1%.
By nation, exports to the U.S. declined 11% in December, while exports to Britain, Africa and some other Asian countries rose. Imports from Europe were strong.
The United States has imposed a 15% tariff on most imports from Japan, a reduction from the 25% that Trump initially proposed but an increase from before he took office a year ago.
Another looming concern is the impact on Japanese manufacturing, including automakers, from China’s curbs on exports of rare earths.
The controls were announced by Beijing after Prime Minister Sanae Takaichi suggested a Chinese move on Taiwan could prompt a Japanese military response.
Takaichi has called a snap election for next month in hopes her party can gain strength in Parliament while she is popular with the public.
Overall, Japan’s economy has held up, despite grumbling from the public about rising prices and stagnant wages. The benchmark Nikkei on the Tokyo Stock Exchange keeps hitting new records.
___
Yuri Kageyama is on Threads: https://www.threads.com/@yurikageyama