#inl — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #inl, aggregated by home.social.
-
New #openaccess publication #SciPost #Physics
Two topological phases in exchange alternating spin-1 nanographene chains
João C. G. Henriques, Yelko del Castillo, Ricardo Segundo, Jan Phillips, Joaquín Fernández-Rossier
SciPost Phys. 21, 009 (2026)
https://scipost.org/SciPostPhys.21.1.009#INL #USC #MinhoUniversity #FCT_NOVA
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics
Two topological phases in exchange alternating spin-1 nanographene chains
João C. G. Henriques, Yelko del Castillo, Ricardo Segundo, Jan Phillips, Joaquín Fernández-Rossier
SciPost Phys. 21, 009 (2026)
https://scipost.org/SciPostPhys.21.1.009#INL #USC #MinhoUniversity #FCT_NOVA
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics
Two topological phases in exchange alternating spin-1 nanographene chains
João C. G. Henriques, Yelko del Castillo, Ricardo Segundo, Jan Phillips, Joaquín Fernández-Rossier
SciPost Phys. 21, 009 (2026)
https://scipost.org/SciPostPhys.21.1.009#INL #USC #MinhoUniversity #FCT_NOVA
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics
Two topological phases in exchange alternating spin-1 nanographene chains
João C. G. Henriques, Yelko del Castillo, Ricardo Segundo, Jan Phillips, Joaquín Fernández-Rossier
SciPost Phys. 21, 009 (2026)
https://scipost.org/SciPostPhys.21.1.009#INL #USC #MinhoUniversity #FCT_NOVA
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics
Two topological phases in exchange alternating spin-1 nanographene chains
João C. G. Henriques, Yelko del Castillo, Ricardo Segundo, Jan Phillips, Joaquín Fernández-Rossier
SciPost Phys. 21, 009 (2026)
https://scipost.org/SciPostPhys.21.1.009#INL #USC #MinhoUniversity #FCT_NOVA
#AgenciaEstatalInvestigación -
#AviationWeek:
"
Space Nuclear Ambitions Face A Defining Test
"
"Flying SR-1 before attempting a lunar landing will reduce mission risk and help NASA .. agency says."".. integrated with.. HALEU-fueled kilowatt-class nuclear reactor derived from the INLs ongoing Versatile Autonomous Lightweight Kilowatt-class Reactor Experiment (Valkre) .."
https://aviationweek.com/space/launch-vehicles-propulsion/space-nuclear-ambitions-face-defining-test
30.6.2026
#Artemis #Atomkraft #INL #Kernenergie #NASA #Raumfahrt #Reactor #SpaceFlight #SR1 #USA #VALKRE
-
#AviationWeek:
"
Space Nuclear Ambitions Face A Defining Test
"
"Flying SR-1 before attempting a lunar landing will reduce mission risk and help NASA .. agency says."".. integrated with.. HALEU-fueled kilowatt-class nuclear reactor derived from the INLs ongoing Versatile Autonomous Lightweight Kilowatt-class Reactor Experiment (Valkre) .."
https://aviationweek.com/space/launch-vehicles-propulsion/space-nuclear-ambitions-face-defining-test
30.6.2026
#Artemis #Atomkraft #INL #Kernenergie #NASA #Raumfahrt #Reactor #SpaceFlight #SR1 #USA #VALKRE
-
#AviationWeek:
"
Space Nuclear Ambitions Face A Defining Test
"
"Flying SR-1 before attempting a lunar landing will reduce mission risk and help NASA .. agency says."".. integrated with.. HALEU-fueled kilowatt-class nuclear reactor derived from the INLs ongoing Versatile Autonomous Lightweight Kilowatt-class Reactor Experiment (Valkre) .."
https://aviationweek.com/space/launch-vehicles-propulsion/space-nuclear-ambitions-face-defining-test
30.6.2026
#Artemis #Atomkraft #INL #Kernenergie #NASA #Raumfahrt #Reactor #SpaceFlight #SR1 #USA #VALKRE
-
#AviationWeek:
"
Space Nuclear Ambitions Face A Defining Test
"
"Flying SR-1 before attempting a lunar landing will reduce mission risk and help NASA .. agency says."".. integrated with.. HALEU-fueled kilowatt-class nuclear reactor derived from the INLs ongoing Versatile Autonomous Lightweight Kilowatt-class Reactor Experiment (Valkre) .."
https://aviationweek.com/space/launch-vehicles-propulsion/space-nuclear-ambitions-face-defining-test
30.6.2026
#Artemis #Atomkraft #INL #Kernenergie #NASA #Raumfahrt #Reactor #SpaceFlight #SR1 #USA #VALKRE
-
#AviationWeek:
"
Space Nuclear Ambitions Face A Defining Test
"
"Flying SR-1 before attempting a lunar landing will reduce mission risk and help NASA .. agency says."".. integrated with.. HALEU-fueled kilowatt-class nuclear reactor derived from the INLs ongoing Versatile Autonomous Lightweight Kilowatt-class Reactor Experiment (Valkre) .."
https://aviationweek.com/space/launch-vehicles-propulsion/space-nuclear-ambitions-face-defining-test
30.6.2026
#Artemis #Atomkraft #INL #Kernenergie #NASA #Raumfahrt #Reactor #SpaceFlight #SR1 #USA #VALKRE
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
CW: release notes for Malcolm v26.06.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the
zeekcontainer causing performance degredation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0
- 🛡️ Security Remediation & Hardening (#996)
- Unauthenticated reflected XSS / open redirect in
/dashboards/app/refred; also addedContent-Security-Policyframing headers (frame-ancestors,base-uri,form-action) andX-Frame-Options: SAMEORIGINglobally to mitigate clickjacking (#997) - Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
- Password stored as MD5-crypt for SFTP (#1009)
- Authenticated archive zip-slip file write in filebeat container (#999)
- OpenSearch path injection via
/mapi/fields?template(#1000) submit.phpLocation:open redirect viaReferer(#1007)- htadmin proxied with no nginx auth gate (#1003)
- Keycloak OIDC
ssl_verifyalways set to false (#1006) - NetBox
SUPERUSER_PASSWORD=adminshipped default (#1011) - RBAC
defaultdict(lambda: True)fail-open for unlisted handlers in Malcolm API (#1004) - Read-only Arkime deny-regex omits
addtags/removetags(#1008) - Read-only deployment allows
POST /mapi/event(#1002) - WISE auth path selectable by client
User-Agent(#1001) ARKIME_PASSWORD_SECRET=Malcolmshipped default (#1005)requestsCVE bump reverted in logstash image (#1010)- Fix API auth errors and hide NGINX version disclosure (#989)
- Unauthenticated reflected XSS / open redirect in
- 🐛 Bug fixes
- auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
- Ensure list of archive file types supported by Malcolm for uploading Zeek logs (
application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) are consistently used across the platform. zeekcontainer continually grows/usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
- ✅ Component version updates
- 🧹 Code and project maintenance
- Fixed some incorrect links in documentation (#988, thanks @jsoref)
- Refactored NGINX error pages configuration into its own
includefile and added a401.htmlpage
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
KEYCLOAK_SSL_VERIFY(defaultfalse) tokeycloak.envfor #1006 - The Arkime password hash secret
ARKIME_PASSWORD_SECRETinarkime-secret.envno longer has a default value: it must be set duringauth_setup(for #1005) - The Netbox superuser password
SUPERUSER_PASSWORDinnetbox-secret.envno longer has a default value: it must be set duringauth_setup(for #1011)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- 🛡️ Security Remediation & Hardening (#996)
-
“Utilizing nuclear electric propulsion allows for higher speeds with minimal fuel. This #technology leverages uranium-235 and ionized #xenon to provide continuous #thrust, potentially shortening future human voyages to just a few months.”
6M to 6W 🚀
#NASA / #NEP ☢️ / #U235 / #SR1Freedom / #Fission / #DOE #INL / #Mars 2028 <https://nasaspacenews.com/2026/04/nasas-2028-nuclear-mars-mission/> / <https://www.science.org/content/article/history-and-mystery-surround-nasa-s-2028-nuclear-mars-mission>
-
“Utilizing nuclear electric propulsion allows for higher speeds with minimal fuel. This #technology leverages uranium-235 and ionized #xenon to provide continuous #thrust, potentially shortening future human voyages to just a few months.”
6M to 6W 🚀
#NASA / #NEP ☢️ / #U235 / #SR1Freedom / #Fission / #DOE #INL / #Mars 2028 <https://nasaspacenews.com/2026/04/nasas-2028-nuclear-mars-mission/> / <https://www.science.org/content/article/history-and-mystery-surround-nasa-s-2028-nuclear-mars-mission>
-
“Utilizing nuclear electric propulsion allows for higher speeds with minimal fuel. This #technology leverages uranium-235 and ionized #xenon to provide continuous #thrust, potentially shortening future human voyages to just a few months.”
6M to 6W 🚀
#NASA / #NEP ☢️ / #U235 / #SR1Freedom / #Fission / #DOE #INL / #Mars 2028 <https://nasaspacenews.com/2026/04/nasas-2028-nuclear-mars-mission/> / <https://www.science.org/content/article/history-and-mystery-surround-nasa-s-2028-nuclear-mars-mission>
-
“Utilizing nuclear electric propulsion allows for higher speeds with minimal fuel. This #technology leverages uranium-235 and ionized #xenon to provide continuous #thrust, potentially shortening future human voyages to just a few months.”
6M to 6W 🚀
#NASA / #NEP ☢️ / #U235 / #SR1Freedom / #Fission / #DOE #INL / #Mars 2028 <https://nasaspacenews.com/2026/04/nasas-2028-nuclear-mars-mission/> / <https://www.science.org/content/article/history-and-mystery-surround-nasa-s-2028-nuclear-mars-mission>
-
“Utilizing nuclear electric propulsion allows for higher speeds with minimal fuel. This #technology leverages uranium-235 and ionized #xenon to provide continuous #thrust, potentially shortening future human voyages to just a few months.”
6M to 6W 🚀
#NASA / #NEP ☢️ / #U235 / #SR1Freedom / #Fission / #DOE #INL / #Mars 2028 <https://nasaspacenews.com/2026/04/nasas-2028-nuclear-mars-mission/> / <https://www.science.org/content/article/history-and-mystery-surround-nasa-s-2028-nuclear-mars-mission>
-
Lavoro nero, a Milano e Brianza settanta ispettori per 2 milioni di lavoratori. L’Ispettorato: “Carenza di personale”.
Sempre meno ispettori e sempre più aziende da controllare. È questa la realtà che devono affrontare ogni giorno gli ispettori di INL, Inps e Inail per contrastare lo sfruttamento nel mondo del lavoro.
-
Lavoro nero, a Milano e Brianza settanta ispettori per 2 milioni di lavoratori. L’Ispettorato: “Carenza di personale”.
Sempre meno ispettori e sempre più aziende da controllare. È questa la realtà che devono affrontare ogni giorno gli ispettori di INL, Inps e Inail per contrastare lo sfruttamento nel mondo del lavoro.
-
Lavoro nero, a Milano e Brianza settanta ispettori per 2 milioni di lavoratori. L’Ispettorato: “Carenza di personale”.
Sempre meno ispettori e sempre più aziende da controllare. È questa la realtà che devono affrontare ogni giorno gli ispettori di INL, Inps e Inail per contrastare lo sfruttamento nel mondo del lavoro.
-
https://www.europesays.com/lu-de/8344/ Tageblatt.lu | Sprachlernplattform | 3,8 Millionen Euro für LLO – doch die App streikt #Bildung #INL #LLO #Luxemburg
-
CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.
Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.2
- ✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
- ✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
- This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
- these NetBox plugins were also updated:
- netbox-initializers to v4.5.1
- netbox-topology-views to v4.5.1
- Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
- thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
- critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
- high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
- high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
- medium: Injection in auth_http and XCLIENT CVE-2026-28753
- medium: OCSP result bypass in stream CVE-2026-28755
- high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
- 🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
filescan's python-statfs (#960 #962) - Added a few missing Suricata fields (
suricata.tc_progress,suricata.ts_progress,suricata.tunnel.pcap_cnt,suricata.tunnel.pkt_src) to the index mapping template - When
suricata.app_proto_tsand/orsuricata.app_proto_tcreported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination ofproto_parse_failed,client_stream_failed, orserver_stream_failedare added totags. - Suricata's HTTP version was not being normalized to
network.protocol_version.
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
- 🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.
Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.2
- ✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
- ✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
- This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
- these NetBox plugins were also updated:
- netbox-initializers to v4.5.1
- netbox-topology-views to v4.5.1
- Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
- thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
- critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
- high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
- high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
- medium: Injection in auth_http and XCLIENT CVE-2026-28753
- medium: OCSP result bypass in stream CVE-2026-28755
- high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
- 🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
filescan's python-statfs (#960 #962) - Added a few missing Suricata fields (
suricata.tc_progress,suricata.ts_progress,suricata.tunnel.pcap_cnt,suricata.tunnel.pkt_src) to the index mapping template - When
suricata.app_proto_tsand/orsuricata.app_proto_tcreported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination ofproto_parse_failed,client_stream_failed, orserver_stream_failedare added totags. - Suricata's HTTP version was not being normalized to
network.protocol_version.
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
- 🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.
Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.2
- ✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
- ✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
- This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
- these NetBox plugins were also updated:
- netbox-initializers to v4.5.1
- netbox-topology-views to v4.5.1
- Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
- thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
- critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
- high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
- high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
- medium: Injection in auth_http and XCLIENT CVE-2026-28753
- medium: OCSP result bypass in stream CVE-2026-28755
- high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
- 🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
filescan's python-statfs (#960 #962) - Added a few missing Suricata fields (
suricata.tc_progress,suricata.ts_progress,suricata.tunnel.pcap_cnt,suricata.tunnel.pkt_src) to the index mapping template - When
suricata.app_proto_tsand/orsuricata.app_proto_tcreported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination ofproto_parse_failed,client_stream_failed, orserver_stream_failedare added totags. - Suricata's HTTP version was not being normalized to
network.protocol_version.
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
- 🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.
Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.2
- ✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
- ✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
- This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
- these NetBox plugins were also updated:
- netbox-initializers to v4.5.1
- netbox-topology-views to v4.5.1
- Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
- thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
- critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
- high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
- high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
- medium: Injection in auth_http and XCLIENT CVE-2026-28753
- medium: OCSP result bypass in stream CVE-2026-28755
- high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
- 🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
filescan's python-statfs (#960 #962) - Added a few missing Suricata fields (
suricata.tc_progress,suricata.ts_progress,suricata.tunnel.pcap_cnt,suricata.tunnel.pkt_src) to the index mapping template - When
suricata.app_proto_tsand/orsuricata.app_proto_tcreported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination ofproto_parse_failed,client_stream_failed, orserver_stream_failedare added totags. - Suricata's HTTP version was not being normalized to
network.protocol_version.
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
- 🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.2, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.2 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.
Malcolm v26.05.2 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.2
- ✨ Features and enhancements
- Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
- Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
- Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
- ✅ Component version updates
- Filebeat to v9.4.1
- Fluent Bit to v5.0.5
- GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
- Logstash to v9.4.1
- NetBox to v4.5.x (#955)
- This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
- these NetBox plugins were also updated:
- netbox-initializers to v4.5.1
- netbox-topology-views to v4.5.1
- Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
- thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
- OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
- critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
- high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
- high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
- high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
- medium: Injection in auth_http and XCLIENT CVE-2026-28753
- medium: OCSP result bypass in stream CVE-2026-28755
- high: SSL upstream injection CVE-2026-1642
- urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
- 🐛 Bug fixes
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
filescan's python-statfs (#960 #962) - Added a few missing Suricata fields (
suricata.tc_progress,suricata.ts_progress,suricata.tunnel.pcap_cnt,suricata.tunnel.pkt_src) to the index mapping template - When
suricata.app_proto_tsand/orsuricata.app_proto_tcreported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination ofproto_parse_failed,client_stream_failed, orserver_stream_failedare added totags. - Suricata's HTTP version was not being normalized to
network.protocol_version.
- Reference Counting (Use-After-Free) Bug for PyList_SetItem in
- 🧹 Code and project maintenance
- Added Malcolm Dashboard Reference to documentation
- Completely rewrote Upgrading Malcolm in documentation
- Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0
- ✨ Features and enhancements
- #726 — use hierarchical structure for NetBox device roles
- Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
- #867 — examine large chown'ed directories in container images and see if they can be reduced
- #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
./netbox/custom-scriptsand automatic script registration at startup - Renamed NetBox startup/control scripts from
netbox/scriptstonetbox/control-scripts
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
- Added
file.stringsextraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE - Added configurable Zeek file analyzer timeout via
ZEEK_FILE_ANALYZER_TIMEOUT_SEC netdevusers in ISO-installed environment can runnmcliandnmtuito configure network interfaces.- the
malcolm_appliance_packager.shscript that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
- #726 — use hierarchical structure for NetBox device roles
- ✅ Component version updates
- 🐛 Bug fixes
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
0 - OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
- #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
- Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
- Hedgehog Raspberry Pi image now forces password change for
sensoron first login and disables direct root password login by default - Refactored Raspberry Pi GitHub Actions build into reusable workflow
.github/workflows/raspi-build-push.yml
- #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
- Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
- Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
- Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
- #957 — configuration script can disable ICS parsers unintentionally
- #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
- Fixed one-off cleanup of interrupted Zeek intel files during
stop --wipe
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- 🧹 Code and project maintenance
- Documentation improvements
- #913 — replace ingress-nginx which is EOL
- Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
- Fixed malformed indentation in
kubernetes/01-volumes-nfs.yml.examplefor thefilescanvolume section - Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
opensearchis no longer part of thehedgehogDocker Compose profile, and somedepends_onrelationships were adjusted accordingly
- #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
- #917 — develop IronBank (US DoD) images for Malcolm
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ZEEK_FILE_ANALYZER_TIMEOUT_SEC(default5) tozeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. ZEEK_CLUSTER_BACKENDcan be specified inzeek.envto specify the Zeek cluster backend (ZeroMQvsBroker).
- Added
- ❌ Errata
- Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0
- ✨ Features and enhancements
- #726 — use hierarchical structure for NetBox device roles
- Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
- #867 — examine large chown'ed directories in container images and see if they can be reduced
- #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
./netbox/custom-scriptsand automatic script registration at startup - Renamed NetBox startup/control scripts from
netbox/scriptstonetbox/control-scripts
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
- Added
file.stringsextraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE - Added configurable Zeek file analyzer timeout via
ZEEK_FILE_ANALYZER_TIMEOUT_SEC netdevusers in ISO-installed environment can runnmcliandnmtuito configure network interfaces.- the
malcolm_appliance_packager.shscript that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
- #726 — use hierarchical structure for NetBox device roles
- ✅ Component version updates
- 🐛 Bug fixes
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
0 - OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
- #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
- Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
- Hedgehog Raspberry Pi image now forces password change for
sensoron first login and disables direct root password login by default - Refactored Raspberry Pi GitHub Actions build into reusable workflow
.github/workflows/raspi-build-push.yml
- #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
- Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
- Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
- Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
- #957 — configuration script can disable ICS parsers unintentionally
- #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
- Fixed one-off cleanup of interrupted Zeek intel files during
stop --wipe
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- 🧹 Code and project maintenance
- Documentation improvements
- #913 — replace ingress-nginx which is EOL
- Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
- Fixed malformed indentation in
kubernetes/01-volumes-nfs.yml.examplefor thefilescanvolume section - Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
opensearchis no longer part of thehedgehogDocker Compose profile, and somedepends_onrelationships were adjusted accordingly
- #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
- #917 — develop IronBank (US DoD) images for Malcolm
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ZEEK_FILE_ANALYZER_TIMEOUT_SEC(default5) tozeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. ZEEK_CLUSTER_BACKENDcan be specified inzeek.envto specify the Zeek cluster backend (ZeroMQvsBroker).
- Added
- ❌ Errata
- Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0
- ✨ Features and enhancements
- #726 — use hierarchical structure for NetBox device roles
- Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
- #867 — examine large chown'ed directories in container images and see if they can be reduced
- #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
./netbox/custom-scriptsand automatic script registration at startup - Renamed NetBox startup/control scripts from
netbox/scriptstonetbox/control-scripts
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
- Added
file.stringsextraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE - Added configurable Zeek file analyzer timeout via
ZEEK_FILE_ANALYZER_TIMEOUT_SEC netdevusers in ISO-installed environment can runnmcliandnmtuito configure network interfaces.- the
malcolm_appliance_packager.shscript that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
- #726 — use hierarchical structure for NetBox device roles
- ✅ Component version updates
- 🐛 Bug fixes
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
0 - OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
- #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
- Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
- Hedgehog Raspberry Pi image now forces password change for
sensoron first login and disables direct root password login by default - Refactored Raspberry Pi GitHub Actions build into reusable workflow
.github/workflows/raspi-build-push.yml
- #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
- Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
- Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
- Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
- #957 — configuration script can disable ICS parsers unintentionally
- #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
- Fixed one-off cleanup of interrupted Zeek intel files during
stop --wipe
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- 🧹 Code and project maintenance
- Documentation improvements
- #913 — replace ingress-nginx which is EOL
- Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
- Fixed malformed indentation in
kubernetes/01-volumes-nfs.yml.examplefor thefilescanvolume section - Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
opensearchis no longer part of thehedgehogDocker Compose profile, and somedepends_onrelationships were adjusted accordingly
- #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
- #917 — develop IronBank (US DoD) images for Malcolm
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ZEEK_FILE_ANALYZER_TIMEOUT_SEC(default5) tozeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. ZEEK_CLUSTER_BACKENDcan be specified inzeek.envto specify the Zeek cluster backend (ZeroMQvsBroker).
- Added
- ❌ Errata
- Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0
- ✨ Features and enhancements
- #726 — use hierarchical structure for NetBox device roles
- Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
- #867 — examine large chown'ed directories in container images and see if they can be reduced
- #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
./netbox/custom-scriptsand automatic script registration at startup - Renamed NetBox startup/control scripts from
netbox/scriptstonetbox/control-scripts
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
- Added
file.stringsextraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE - Added configurable Zeek file analyzer timeout via
ZEEK_FILE_ANALYZER_TIMEOUT_SEC netdevusers in ISO-installed environment can runnmcliandnmtuito configure network interfaces.- the
malcolm_appliance_packager.shscript that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
- #726 — use hierarchical structure for NetBox device roles
- ✅ Component version updates
- 🐛 Bug fixes
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
0 - OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
- #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
- Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
- Hedgehog Raspberry Pi image now forces password change for
sensoron first login and disables direct root password login by default - Refactored Raspberry Pi GitHub Actions build into reusable workflow
.github/workflows/raspi-build-push.yml
- #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
- Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
- Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
- Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
- #957 — configuration script can disable ICS parsers unintentionally
- #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
- Fixed one-off cleanup of interrupted Zeek intel files during
stop --wipe
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- 🧹 Code and project maintenance
- Documentation improvements
- #913 — replace ingress-nginx which is EOL
- Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
- Fixed malformed indentation in
kubernetes/01-volumes-nfs.yml.examplefor thefilescanvolume section - Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
opensearchis no longer part of thehedgehogDocker Compose profile, and somedepends_onrelationships were adjusted accordingly
- #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
- #917 — develop IronBank (US DoD) images for Malcolm
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ZEEK_FILE_ANALYZER_TIMEOUT_SEC(default5) tozeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. ZEEK_CLUSTER_BACKENDcan be specified inzeek.envto specify the Zeek cluster backend (ZeroMQvsBroker).
- Added
- ❌ Errata
- Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: release notes for Malcolm v26.05.0, a network traffic analysis tool suite for network security monitoring
Malcolm v26.05.0 delivers a mix of feature improvements, performance improvements, bug fixes, dependency updates, and deployment refinements across Malcolm and Hedgehog for both Docker- and Kubernetes-based workflows.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.https://github.com/idaholab/Malcolm/compare/v26.04.1...v26.05.0
- ✨ Features and enhancements
- #726 — use hierarchical structure for NetBox device roles
- Expanded/reworked NetBox preloaded device roles into a hierarchical taxonomy (thanks Crubumble)
- #867 — examine large chown'ed directories in container images and see if they can be reduced
- #954 — allow users to provide custom netbox scripts to be automatically registered on startup (thanks PrudhviChanda)
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
./netbox/custom-scriptsand automatic script registration at startup - Renamed NetBox startup/control scripts from
netbox/scriptstonetbox/control-scripts
- Added NetBox custom script support in the container/runtime and docs, including bind-mounting
- Added
file.stringsextraction/indexing/search support across Strelka → Logstash → OpenSearch templates (wildcard field mapping type) → Arkime/WISE - Added configurable Zeek file analyzer timeout via
ZEEK_FILE_ANALYZER_TIMEOUT_SEC netdevusers in ISO-installed environment can runnmcliandnmtuito configure network interfaces.- the
malcolm_appliance_packager.shscript that creates a tarball of Malcolm images can now package for both Malcolm and Hedgehog profiles.
- #726 — use hierarchical structure for NetBox device roles
- ✅ Component version updates
- 🐛 Bug fixes
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
0 - OpenSearch self-signed internal cert generation can now be skipped when external/preexisting certs are being used
- OpenSearch post-start setup now supports configurable default replica counts instead of always forcing single-node replicas to
- #827 — Fix raspberry pi build which is broken since v25.12.0 Hedgehog/Malcolm platform unification
- Updated Hedgehog Raspberry Pi docs and first-boot behavior/documentation
- Hedgehog Raspberry Pi image now forces password change for
sensoron first login and disables direct root password login by default - Refactored Raspberry Pi GitHub Actions build into reusable workflow
.github/workflows/raspi-build-push.yml
- #878 — Arkime capture Fails to Start on Hedgehog When WISE Web Config Is Enabled
- Arkime RBAC role-mapping injection is now only applied when role-based access control is enabled
- Arkime WISE configuration initialization now handles missing/empty persistent config files more robustly
- Arkime live capture now normalizes WISE URLs better, follows redirects when probing, and avoids some bad URL construction edge cases
- #957 — configuration script can disable ICS parsers unintentionally
- #959 — Arkime sessions view attempts to load PCAP for Zeek and Suricata logs (which don't have PCAP) (see also arkime/arkime#3934)
- Fixed one-off cleanup of interrupted Zeek intel files during
stop --wipe
- #757 — multiple OpenSearch nodes (using Malcolm-Helm) fail to communicate with each other due to self-signed certs (thanks scott-jeffery)
- 🧹 Code and project maintenance
- Documentation improvements
- #913 — replace ingress-nginx which is EOL
- Switched Kubernetes ingress example/docs from ingress-nginx to Traefik and replaced the old Vagrant example with a new RKE2/Traefik-based environment
- Fixed malformed indentation in
kubernetes/01-volumes-nfs.yml.examplefor thefilescanvolume section - Removed deprecated Kubernetes example files for ingress-nginx and the old separate NFS-server Vagrant setup
opensearchis no longer part of thehedgehogDocker Compose profile, and somedepends_onrelationships were adjusted accordingly
- #942 - Fixed mutable default argument usage in Zeek threat feed helper functions (thanks @stef41)
- #917 — develop IronBank (US DoD) images for Malcolm
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ZEEK_FILE_ANALYZER_TIMEOUT_SEC(default5) tozeek.env. This is the default amount of time a file can be inactive before the file analysis gives up and discards any internal state related to the file. ZEEK_CLUSTER_BACKENDcan be specified inzeek.envto specify the Zeek cluster backend (ZeroMQvsBroker).
- Added
- ❌ Errata
- Under NetBox → Plugins → NetBox HealthCheck Plugin → HealthCheck the error "unavailable: Unable to connect to Redis: Connection Error" is displayed. This is a side effect of #882 and does not actually indicate a problem with NetBox or its connection to Valkey. This will be fixed in the next release.
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
New #openaccess publication #SciPost #Physics Core
Remote spin control in Haldane spin chains
Yelko del Castillo, Alejandro Ferrón, Joaquín Fernández-Rossier
SciPost Phys. Core 9, 024 (2026)
https://scipost.org/SciPostPhysCore.9.2.024#INL #Minhoniversity #CONICET #UNNE
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics Core
Remote spin control in Haldane spin chains
Yelko del Castillo, Alejandro Ferrón, Joaquín Fernández-Rossier
SciPost Phys. Core 9, 024 (2026)
https://scipost.org/SciPostPhysCore.9.2.024#INL #Minhoniversity #CONICET #UNNE
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics Core
Remote spin control in Haldane spin chains
Yelko del Castillo, Alejandro Ferrón, Joaquín Fernández-Rossier
SciPost Phys. Core 9, 024 (2026)
https://scipost.org/SciPostPhysCore.9.2.024#INL #Minhoniversity #CONICET #UNNE
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics Core
Remote spin control in Haldane spin chains
Yelko del Castillo, Alejandro Ferrón, Joaquín Fernández-Rossier
SciPost Phys. Core 9, 024 (2026)
https://scipost.org/SciPostPhysCore.9.2.024#INL #Minhoniversity #CONICET #UNNE
#AgenciaEstatalInvestigación -
New #openaccess publication #SciPost #Physics Core
Remote spin control in Haldane spin chains
Yelko del Castillo, Alejandro Ferrón, Joaquín Fernández-Rossier
SciPost Phys. Core 9, 024 (2026)
https://scipost.org/SciPostPhysCore.9.2.024#INL #Minhoniversity #CONICET #UNNE
#AgenciaEstatalInvestigación -
CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring
Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.
- ✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
- ✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
- 🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated
ssl_certificate_verificationsetting [https://github.com/cisagov/Malcolm/issues/915] - fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
- 🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ARKIME_PCAP_LIBPCAPtoarkime.envshould uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (defaultfalse) FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default infilescan.envhas been changed from1024to512redis.envhas been renamed tovalkey.envand its variables also have been renamed accordinglySTRELKA_SCANNERShas been added topipeline.envfor #935ZEEK_DISABLE_SPICY_ZIPhas been added tozeek.envfor #922 (defaulttrue)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring
Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.
- ✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
- ✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
- 🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated
ssl_certificate_verificationsetting [https://github.com/cisagov/Malcolm/issues/915] - fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
- 🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ARKIME_PCAP_LIBPCAPtoarkime.envshould uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (defaultfalse) FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default infilescan.envhas been changed from1024to512redis.envhas been renamed tovalkey.envand its variables also have been renamed accordinglySTRELKA_SCANNERShas been added topipeline.envfor #935ZEEK_DISABLE_SPICY_ZIPhas been added tozeek.envfor #922 (defaulttrue)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring
Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.
- ✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
- ✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
- 🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated
ssl_certificate_verificationsetting [https://github.com/cisagov/Malcolm/issues/915] - fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
- 🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ARKIME_PCAP_LIBPCAPtoarkime.envshould uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (defaultfalse) FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default infilescan.envhas been changed from1024to512redis.envhas been renamed tovalkey.envand its variables also have been renamed accordinglySTRELKA_SCANNERShas been added topipeline.envfor #935ZEEK_DISABLE_SPICY_ZIPhas been added tozeek.envfor #922 (defaulttrue)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring
Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.
- ✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
- ✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
- 🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated
ssl_certificate_verificationsetting [https://github.com/cisagov/Malcolm/issues/915] - fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
- 🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ARKIME_PCAP_LIBPCAPtoarkime.envshould uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (defaultfalse) FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default infilescan.envhas been changed from1024to512redis.envhas been renamed tovalkey.envand its variables also have been renamed accordinglySTRELKA_SCANNERShas been added topipeline.envfor #935ZEEK_DISABLE_SPICY_ZIPhas been added tozeek.envfor #922 (defaulttrue)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
CW: Release notes for v26.04.1 of Malcolm, a powerful, easily deployable network traffic analysis tool suite for network security monitoring
Malcolm v26.04.1 contains improvements, bug fixes, security updates, and component bumps.
If you are upgrading from an existing Malcolm installation, run
./scripts/statusfor Malcolm to migrate some settings prior to running./scripts/configure,./scripts/start, or other Malcolm control scripts.Note that v26.04.1 is the same as v26.04.0 released last week, apart from the fix for bug #943. If you're already running v26.04.0 and don't use the encrypted install option in the installer ISO, you probably don't need to worry about updating to v26.04.1. The full release notes from v26.04.0 are also included here.
- ✨ Features and enhancements
- implemented easier way to enable/disable Strelka scanners #935
- Handle nested file scanning (e.g., from ZIP files) with Strelka #922
- index selected Strelka result fields #919
- ✅ Component version updates
- Zeek to v8.1.1
- Arkime to v6.1.1
- crytography to v46.0.6 (for CVE-2026-34073)
- evtx to v0.11.2
- Flask to v3.1.3 (for CVE-2026-27205)
- Fluent Bit to v5.0.2
- Logstash to v9.2.7
- Requests to v2.33.1 (for CVE-2026-25645)
- supercronic to v0.2.43
- yq to v4.52.5
- Updates for ICSNPP Hart IP parser #924
- 🐛 Bug fixes
- Hedgehog Linux Breaking on Reboot after Encrypted Quick Install with Multiple Drives #943
- Fix YAML syntax error in kubernetes/15-redis.yml due to missing end quote #926
- Using remote elasticsearch data store uses deprecated
ssl_certificate_verificationsetting [https://github.com/cisagov/Malcolm/issues/915] - fix Malcolm API loopback webhook to handle RBAC and non-JSON formatted events #916
- fix issues in zeekdeploy.sh to handle long crypto handshakes and Zeek's state DB getting out of sync
- 🧹 Code and project maintenance
- swap redis out for valkey #882
- pin all third-party GitHub CI actions at known good SHA sums to mitigate things like the Trivy supply chain attack #933
- some minor tweaks to various Dockerfiles and ISO build scripts to address vulnerability scanner findings
- some documentation updates
- 📄 Configuration changes for Malcolm (in environment variables in
./config/). The Malcolm control script (e.g.,./scripts/status,./scripts/start) automatically handles creation and migration of variables according to./config/env-var-actions.yml.- Added
ARKIME_PCAP_LIBPCAPtoarkime.envshould uses wish to revert to older libpcap mode for PCAP file processing rather than faster scheme processing (defaultfalse) FILEBEAT_SCANNER_FINGERPRINT_LENGTH's default infilescan.envhas been changed from1024to512redis.envhas been renamed tovalkey.envand its variables also have been renamed accordinglySTRELKA_SCANNERShas been added topipeline.envfor #935ZEEK_DISABLE_SPICY_ZIPhas been added tozeek.envfor #922 (defaulttrue)
- Added
Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.
Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.
Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (
release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.
#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL
- ✨ Features and enhancements
-
The Indian National League (INL) has approached the Chennai Police seeking action against actor-politician Vijay. The party alleges that promotional visuals for his film 'Jana Nayagan' depict the Muslim community in a negative light. https://english.mathrubhumi.com/movies-music/news/indian-national-league-files-complaint-against-actor-vijay-over-alleged-derogatory-portrayal-of-community-p8c9v5uq?utm_source=dlvr.it&utm_medium=mastodon #Vijay #TVK #Jananaayagan #INL #ChennaiNews
-
The Indian National League (INL) has approached the Chennai Police seeking action against actor-politician Vijay. The party alleges that promotional visuals for his film 'Jana Nayagan' depict the Muslim community in a negative light. https://english.mathrubhumi.com/movies-music/news/indian-national-league-files-complaint-against-actor-vijay-over-alleged-derogatory-portrayal-of-community-p8c9v5uq?utm_source=dlvr.it&utm_medium=mastodon #Vijay #TVK #Jananaayagan #INL #ChennaiNews
-
The Indian National League (INL) has approached the Chennai Police seeking action against actor-politician Vijay. The party alleges that promotional visuals for his film 'Jana Nayagan' depict the Muslim community in a negative light. https://english.mathrubhumi.com/movies-music/news/indian-national-league-files-complaint-against-actor-vijay-over-alleged-derogatory-portrayal-of-community-p8c9v5uq?utm_source=dlvr.it&utm_medium=mastodon #Vijay #TVK #Jananaayagan #INL #ChennaiNews
-
Shopping on the German version of Craigslist and at flea markets was successful; two old devices are being migrated to the new version.
Before anyone asks why there are #CISA Post-its all over the hardware, they’re a reminder of good times in the U.S. at #INL, which were marked by friendship, open dialogue, and learning. And that’s where the basic configuration is noted.
Unfortunately, I don’t have any left :/
#Cybersecurity #OT #IT #Network #Hardwarehacking #SCADA #ICS #Research #OpenSource #foss
-
Shopping on the German version of Craigslist and at flea markets was successful; two old devices are being migrated to the new version.
Before anyone asks why there are #CISA Post-its all over the hardware, they’re a reminder of good times in the U.S. at #INL, which were marked by friendship, open dialogue, and learning. And that’s where the basic configuration is noted.
Unfortunately, I don’t have any left :/
#Cybersecurity #OT #IT #Network #Hardwarehacking #SCADA #ICS #Research #OpenSource #foss
-
@RoganDawes I felt something was missing in my IT/OT dropboxes, and these have surpassed Phantap in terms of functionality and capabilities for years now.
The difference between an OT dropbox and an IT dropbox lies in their intended use and functionality.
Please excuse me for not revealing more, but I protect my work and research. All too often, companies like hak5... have misused the work of others for their own commercial purposes, and I won’t tolerate that. There will be discussions about the boxes, and the dropboxes will be sent to people I know personally at #INL, #CISA, #Iberdrola, and others.
And since I was asked: my employer won’t be getting a single one, for good reason.