🔓 BREACHES & SECURITY INCIDENTS

🇬🇧 🇺🇸 A hacker redirected a contractor payment and stole £700,000 from Zephyr Energy’s U.S. subsidiary. The company says the incident is contained and operations are normal. Zephyr is working with banks and added extra security to try to recover the funds.

💸 Bitcoin Depot said hackers stole about 50.9 bitcoin, worth roughly $3.6 million, after an intrusion on March 23. The company says customer platforms were not affected and the incident is under investigation. Bitcoin Depot may face reputational, legal, and recovery costs and has insurance that may or may not cover the loss.

🚂 Eurail says attackers stole personal data of about 308,777 people in a December 2025 breach. Stolen details may include names, passport numbers, IBANs, health data, and contact info. Affected customers are urged to watch for scams, change passwords, and monitor bank accounts.

🇺🇸 🚓 Hackers stole and leaked a large cache of sensitive Los Angeles Police Department documents, including personnel files, internal affairs records, and unredacted discovery materials. The leak, blamed on extortion gang World Leaks and totaling about 7.7 terabytes and 337,000 files, appeared on a leak site then was removed. The LAPD says its systems were not breached and it is working with the LA City Attorney’s Office to investigate.

🇺🇸 Wynn Resorts says a 2025 hack by the ShinyHunters group affected 21,775 employees. The attackers stole HR data, possibly including SSNs, and later claimed they deleted it. Affected workers are being offered free credit monitoring and identity-theft protection.

❄️ 🇮🇱 A SaaS integrator was breached and stolen authentication tokens were used to steal data from over a dozen companies. Most attacks targeted Snowflake customers, who experienced unusual activity and had some accounts locked as a precaution. The extortion group ShinyHunters claims responsibility and says the incident ties to Anodot.

🇩🇪 The Qilin ransomware group stole data from the German political party Die Linke and is threatening to leak it. Die Linke says member records were not taken and has notified police while working with IT experts. The party and observers warn the attack may be politically motivated and part of hybrid warfare.

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

Cybercrime losses jumped 26% to $20.9 billion in 2025

The FBI’s annual report on digital crimes exposes a worsening environment. Yet, an unknown number of victims still suffer in the shadows never reporting the crimes they endure.

CyberScoop • Matt Kapko

👀 📰 Researchers say a hack-for-hire campaign used Android spyware to target journalists and activists in the Middle East and North Africa. The attacks, traced to shared infrastructure linked to the Bitter group, used spearphishing via fake social accounts. Victims feel threatened and groups warn such spying endangers journalists, sources, and press freedom.

🇷🇺 Russian state-linked hackers (Fancy Bear/APT28) broke into thousands of home and small-business routers worldwide. They redirected users’ internet traffic to steal passwords and login tokens. Authorities and researchers say the campaign hit many countries and targeted outdated MicroTik and TP-Link devices.

🇩🇪 🇷🇺 German police say a 31-year-old Russian, Daniil Shchukin, led the GandCrab and REvil ransomware groups from 2019 to 2021. He and associates carried out about 130 extortion attempts, causing over $40 million in damage and collecting more than $2 million in ransoms in 25 cases. Shchukin, known by several aliases, is believed to be in Russia and has been linked in past arrests and investigations.

🇨🇳 Microsoft says Storm-1175, the China-based cybercrime group, uses n-day and zero-day exploits to quickly deploy Medusa ransomware. The group moves from initial access to data theft and ransomware in days or even 24 hours, often chaining exploits and disabling defenses. Their attacks have hit healthcare, education, finance and other sectors across multiple countries and abused many known vulnerabilities.

🇨🇳 🇪🇺 China‑linked TA416 resumed targeting European government and diplomatic bodies since mid‑2025, using OAuth redirection, fake Cloudflare pages, web bugs, and updated PlugX backdoors. They spread malware via phishing links, cloud storage (Azure, Google Drive), compromised SharePoint, and MSBuild/C# project files with DLL side‑loading. TA416 also expanded into the Middle East after late‑2025, showing adaptive, long‑term intelligence‑collection operations tied to geopolitical events.

Trenchant Exec Says He Had Depression, Money Troubles When He Decided to Sell Zero Days to Russian Buyer; Also, New Info Reveals Nature of His Work for Australian Intelligence Agency

Peter Joseph Williams, a former L3 Trenchant executive recently convicted of secretly selling zero-day exploits to a Russian broker, says he was suffering anxiety, burnout, years of depression, and financial difficulties when he decided to steal exploits from his US employer and sell them to the Russian buyer. Williams, who

ZERO DAY

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 💸 The Trump administration proposes cutting the Cybersecurity and Infrastructure Security Agency budget by about $707 million for 2027. Officials say the cuts will refocus CISA on core federal network and infrastructure protection and eliminate duplicative programs. Critics warn the cuts come after staff losses and amid rising major cyberattacks, and accuse the administration of politicizing CISA.

🇺🇸 ⚖️ A judge sentenced Bryan Fleming, maker of stalkerware pcTattleTale, to supervised release and a $5,000 fine after his guilty plea. His software secretly recorded texts, calls, location, web activity, and video from victims’ devices. pcTattleTale shut down in 2024 after a data breach.

FBI Extracts Suspect’s Deleted Signal Messages Saved in iPhone Notification Database

The case was the first time authorities charged people for alleged “Antifa” activities after President Trump designated the umbrella term a terrorist organization.

404 Media

🦠 MALWARE & THREATS

🧩 A malicious VS Code extension named specstudio.code-wakatime-activity-tracker hides a Zig-compiled native binary that infects all IDEs on a developer's machine. The binary downloads and silently installs a fake extension that steals data, fetches commands via Solana, and deploys a RAT and a malicious Chrome extension. If you installed specstudio.code-wakatime-activity-tracker or floktokbok.autoimport assume compromise and rotate all secrets.

🇹🇼 Security researchers tracked a new threat cluster, UAT-10362, using spear-phishing to target Taiwanese NGOs and universities. The attackers deploy a Lua-based stager called LucidRook via DLL side-loading and droppers (LucidPawn/LucidKnight) to collect and exfiltrate data. The campaign uses geo-checks, obfuscation, and public or compromised infrastructure, showing stealthy, targeted tradecraft.

🇷🇺 🎣 Russian APT28 has been running spear-phishing attacks against Ukraine and NATO allies to deploy a new malware suite called PRISMEX. PRISMEX uses steganography, COM hijacking, and cloud services, and was spread using fast weaponization of zero-day Windows flaws. The campaign appears aimed at espionage and possible sabotage of military, logistics, and critical services.

🧩 Malicious actors published 36 Strapi-focused NPM packages that deliver payloads like Redis remote code execution, Docker escapes, credential harvesting, and reverse shells. SafeDep says the campaign specifically targets Guardarian cryptocurrency payment systems and seeks wallet files, API modules, and database access. Infected users should immediately rotate all credentials and secrets.

🇺🇦 🎠 Ukraine's CERT-UA warned of a phishing campaign that impersonated the agency to spread a remote access trojan called AGEWHEEZE. The attackers sent password‑protected ZIPs to many targets and claimed to have emailed 1 million ukr.net accounts. The campaign mostly failed, with only a few infections found and CERT-UA helping affected organizations.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

Is Anthropic limiting the release of Mythos to protect the internet — or Anthropic? | TechCrunch

Anthropic said this week that it limited the release of its newest model, dubbed Mythos, because it is too capable of finding security exploits in software relied upon by users around the world. Are real cybersecurity concerns a cover for a bigger problem at the frontier lab?

TechCrunch • Tim Fernholz

🔎 🐛 Anthropic released Claude Mythos, a powerful new AI that greatly improves coding and agentic reasoning. It found thousands of old and critical software vulnerabilities, showing huge benefits for defense but also big risks if misused. Anthropic launched Project Glasswing with major tech partners to use Mythos to secure critical software before attackers can exploit it.

🔓️ 🍎 Researchers at RSAC found a way to bypass Apple Intelligence’s guardrails using two tricks: Neural Execs prompt injection and Unicode right-to-left manipulation. They used these methods to make the on-device LLM produce offensive content and potentially access private app data, succeeding on 76% of test prompts. Apple was notified in October 2025 and released protections in iOS 26.4 and macOS 26.4; no real-world abuse has been seen.

🪄🤖 Google DeepMind researchers show that malicious web content can trick autonomous AI agents and make them act against their goals. They identify six classes of "agent traps" that hide commands, manipulate memory and behavior, or exploit group dynamics and humans-in-the-loop. Defenses include model hardening, runtime checks, better web hygiene, and shared standards and benchmarks.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Severe StrongBox Vulnerability Patched in Android

• Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000

• Data Leakage Vulnerability Patched in OpenSSL

• Juniper Networks Patches Dozens of Junos OS Vulnerabilities

• Palo Alto Networks, SonicWall Patch High-Severity Vulnerabilities

🅰️ 💥 Attackers have been exploiting an unpatched Adobe Reader zero-day since at least December using malicious PDFs. The exploit can steal local data and may enable remote code execution just by opening a file. Users should avoid PDFs from untrusted sources and Adobe is working on a patch.

🪶 A 13-year-old RCE vulnerability in Apache ActiveMQ Classic (CVE-2026-34197) lets attackers invoke management operations via Jolokia to fetch remote configs and run OS commands. Chained with older flaws (CVE-2022-41678 and sometimes CVE-2024-32114), it can bypass authentication and lead to remote code execution. Fixes are in ActiveMQ Classic 5.19.4 and 6.2.3; update immediately.

😶 Researchers at Noma Security disclosed "GrafanaGhost," a vulnerability that silently steals data from Grafana by chaining multiple security bypasses. The attack uses crafted URLs and prompt injection to trick Grafana’s AI and exfiltrate data without user interaction or visible alerts. Grafana Labs was notified and issued a fix.

🚢 A high-severity Docker Engine bug (CVE-2026-34040) lets attackers bypass authorization plugins by sending a padded API request that strips the request body. This can let them create privileged containers, mount the host filesystem, and steal credentials. Update to Docker 29.3.1 or use rootless mode and restrict Docker API access.

🔎 ☁️ A botnet campaign is scanning internet-exposed ComfyUI instances and exploiting unsafe custom nodes to run attacker Python code. Compromised hosts are enrolled in Monero and Conflux miners and a Hysteria V2 proxy botnet, with persistence and cleanup mechanisms. Over 1,000 public ComfyUI instances are reachable, making opportunistic cryptomining profitable for the attackers.

🐛 A critical CVSS 10.0 code-injection bug in Flowise (CVE-2025-59528) lets attackers run arbitrary JavaScript and gain full Node.js privileges. Over 12,000 internet-facing Flowise instances are exposed and active exploitation has been observed. Flowise patched the issue in version 3.0.6, but many systems remain at risk.

🇰🇵 💻️ A viral video shows an interviewer asking a suspected North Korean job applicant to insult Kim Jong Un. The applicant freezes, acts confused, and leaves the call. The trick can expose some fake North Korean workers but does not always work.

🔓️ A researcher leaked working exploit code for an unpatched Windows local privilege escalation called BlueHammer. The bug lets attackers gain SYSTEM or elevated admin access by abusing a TOCTOU and path confusion, though the PoC has reliability issues. Microsoft has not patched it and gave no comment.

🛰️ ICS, OT & IoT

🇮🇷 🇺🇸 U.S. agencies warn Iran-backed hackers are targeting American critical infrastructure to cause disruption. They have attacked industrial control systems like SCADA and PLCs, causing operational and financial harm. The activity is seen as an escalation linked to recent conflicts involving Iran.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

Medtech giant Stryker says it’s back up after Iranian cyberattack

The Handala group claimed responsibility for hitting the company with a wiper attack last month.

CyberScoop • Tim Starks

🧸 Hasbro says it was hacked and took some systems offline after detecting the intrusion on March 28. The company is using continuity plans to keep orders and shipments moving while cybersecurity teams investigate. Hasbro warns the disruption and investigation may take several weeks and it is not yet clear if data was stolen.

🇪🇺 CERT-EU says the TeamPCP group used a stolen AWS API key to breach the European Commission cloud and steal data. The leaked 90GB archive (about 340GB uncompressed) contains tens of thousands of files with names, emails, and email content affecting 42 Commission clients and at least 29 other EU entities. No websites were altered and investigations are ongoing while data protection authorities and affected entities are being notified.

🤖 Mercor, an AI recruiting startup, says it was hit by a supply-chain cyberattack tied to the open-source LiteLLM project. Extortion group Lapsus$ claimed it stole Mercor data, though details and the connection to LiteLLM remain unclear. Mercor says it is investigating with third-party forensics and working to contain the incident.

🇬🇧 Lloyds Banking Group had a software update glitch on March 12 that exposed transaction details for about 447,936 mobile users. The exposure was brief and only happened when two users viewed their transaction lists almost simultaneously. No money was lost, Lloyds fixed the issue quickly and made goodwill payments to some customers.

🇺🇸 CareCloud, a healthcare IT company, reported a March 16 cybersecurity incident that disrupted one of its six electronic health record environments for about eight hours. The company is investigating whether patient data were accessed or stolen but says the issue was limited to its CareCloud Health environment and systems are restored. CareCloud believes the incident is not materially damaging and expects cyberinsurance to cover any losses.

🇳🇱 The Dutch Finance Ministry shut down several systems, including the treasury banking portal, after a March 19 cyberattack — About 1,600 public institutions cannot view treasury balances or use portal services, though funds and payments remain accessible. Authorities are investigating with the NCSC and external experts, and no data loss or attacker has been confirmed.

→ More:

• 250,000 Affected by Data Breach at Nacogdoches Memorial Hospital

• T-Mobile Sets the Record Straight on Latest Data Breach Filing

• Mercor Hit by LiteLLM Supply Chain Attack

• Hims & Hers warns of data breach after Zendesk support ticket breach

HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

For a hobby project built in my spare time to provide a simple community service, Have I Been Pwned sure has, well, "escalated". Today, we support hundreds of thousands of website visitors each day, tens of millions of API queries, and hundreds of millions of password searches. We're processing billions

www.troyhunt.com/passkeys-k-anonymity-searches-massive-speed-enhancements-bulk-domain-verification-api

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇰🇵 💰️ North Korean-linked hackers stole about $285 million from DeFi platform Drift in a coordinated, high-speed attack. They pre-signed transactions, gained admin control, created a fake token market, and drained multiple vaults in about 10 seconds. The thieves then laundered funds through thousands of wallets and automated bots across many chains.

🇷🇺 Russian APT Star Blizzard has started using the DarkSword iOS exploit kit in a recent phishing campaign. The group sent more emails than usual that link to mobile-targeted exploits for iCloud and Apple devices. Proofpoint says the kit appears aimed at stealing credentials and gathering intelligence across finance, government, education, legal, and think-tank targets.

🇺🇸 ⚖️ A Maryland man, Jonathan Spalletta, is charged with stealing about $53.3 million by hacking the Uranium Finance crypto exchange … twice. He laundered the funds through Tornado Cash and spent millions on rare collectibles before authorities seized about $31 million. He faces up to 10 years for computer fraud and up to 20 years for money laundering.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

Podcast: The Company Secretly Turning Your Zoom Meetings into Podcasts

www.404media.co/email/d7d7979a-494c-4729-8bf2-88e75ffe366b

🇺🇸 👀 ICE confirmed it is using Paragon spyware to target encrypted communications in fentanyl and national security investigations. Three House Democrats criticized the move, saying there is no congressional oversight or proof of strong safeguards. Civil liberties groups and past incidents involving journalists and WhatsApp raise additional concerns.

🇺🇸 🇨🇳 👀 The FBI warned Americans to avoid or be cautious with foreign-developed mobile apps, especially those from China, because of privacy and data security risks. These apps can collect extensive personal data, store it on servers in China, and may share it under Chinese national security laws. The FBI advises disabling unnecessary data sharing, updating devices, using verified apps, and reporting suspicious activity to IC3.

🍎 👮 Apple’s “Hide My Email” can mask addresses but Apple gave real customer identities to federal agents. Court records show Apple provided names, emails, and many anonymized-address records in two investigations. The case shows Apple’s privacy tools don’t block lawful government access to stored or unencrypted data.

Twitter tweet

🦠 MALWARE & THREATS

🎠 Attackers used a compromised Axios maintainer account to publish two malicious Axios versions that add a fake dependency, plain-crypto-js@4.2.1. The dependency runs a postinstall dropper that installs a cross-platform RAT (macOS, Windows, Linux) and then hides its traces. Users should downgrade to safe Axios versions, remove the malicious package, check for RAT artifacts, and rotate credentials.

Figure: Socket’s automated malware detection flagged the package within minutes/socket.dev

Threat Brief: Widespread Impact of the Axios Supply Chain Attack

Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup.

Unit 42 • Unit 42

🙊 A new Android malware called NoVoice was hidden in 50+ Google Play apps and infected at least 2.3 million devices. It used steganography and old exploits to gain root, persist through factory resets, and inject code to steal WhatsApp data. Infected apps were removed, but users should assume compromise and update devices or reinstall from trusted sources.

🥷 Researchers warn of a new malware campaign called DeepLoad that steals credentials and hides in enterprise systems. The attackers used AI-generated obfuscation and evasion at every stage to evade traditional signature-based defenses. Experts say defenders must shift to behavioral and runtime detection to catch these fast-changing attacks.

🛣️ 🩸 Security firm Blackpoint found a new Node.js implant called RoadK1ll that turns a compromised host into a relay to reach internal systems. It uses an outbound WebSocket tunnel to forward TCP traffic and supports multiple concurrent connections and reconnection. RoadK1ll has no traditional persistence but enables stealthy lateral pivoting inside breached networks.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

OpenClaw gives users yet another reason to be freaked out about security

The viral AI agentic tool let attackers silently gain admin unauthenticated access.

Ars Technica

🔓️ 💸 Google researchers say quantum computers could break the cryptography that protects Bitcoin and other cryptocurrencies much sooner than thought. They show a way to break 256-bit elliptic curve keys using far fewer qubits and operations, cutting resource estimates by about 20×. Google urges faster moves to post-quantum cryptography and released a zero-knowledge proof instead of the attack details.

🍎 ⚠️ Apple added a Terminal safety feature in macOS Tahoe 26.4 that delays and warns when users paste potentially dangerous commands. The change aims to block ClickFix social-engineering attacks that trick people into pasting malicious commands. Users should still avoid running commands from untrusted sources because the warning’s detection method is unclear.

🐛 Researchers found a command-injection flaw in OpenAI Codex that let attackers grab short-lived GitHub OAuth tokens. BeyondTrust showed automation could steal and abuse those tokens to access repos and move across companies. OpenAI fixed the issue, but the report warns AI agents must be secured like live execution environments to prevent token theft.

🤷 Documents about Anthropic's secret "Claude Mythos" model were exposed in a public CMS. Anthropic confirmed the model exists but said the leak happened. Reddit users debated whether the leak was accidental or a publicity stunt.

→ Claude Code source code accidentally leaked in NPM package

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Apple expands iOS 18 updates to more iPhones to block DarkSword attacks

• Cisco Patches Critical and High-Severity Vulnerabilities

• Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS

• Google fixes fourth Chrome zero-day exploited in attacks in 2026

• OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability

🔼 Two critical ShareFile flaws let attackers reach admin pages and upload files without logging in. By chaining CVE-2026-2699 and CVE-2026-2701, researchers showed an attacker can place a web shell and get remote code execution. The issues were fixed in ShareFile 5.12.4 (versions 6.x are not affected).

🔓️ ✏️ GIGABYTE Control Center has a critical arbitrary file-write vulnerability (CVE-2026-4415) that lets unauthenticated remote attackers write files and potentially run code, escalate privileges, or cause denial of service. The flaw affects versions 25.07.21.01 and earlier when the "pairing" feature is enabled. Users should immediately update to version 25.12.10.01 from GIGABYTE’s official portal.

📈 F5 reclassified a BIG-IP APM flaw (CVE-2025-53521) from DoS to critical remote code execution after attackers began exploiting it to install webshells. F5 and CISA warn unpatched systems are at risk and published IOCs and mitigation guidance. Organizations should check logs, disks, and follow incident-handling and patching procedures immediately.

🛰️ ICS, OT & IoT

🤷 

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🪱 A supply-chain attack on Trivy pushed trojanized Docker images that stole credentials and spread an infostealer. Attackers (TeamPCP) used the stolen data to infect npm packages with a self-propagating worm and to deface Aqua Security repos. They also deployed a Kubernetes wiper that targets Iranian clusters and urged organizations to avoid the compromised Trivy versions.

→ Trivy Supply Chain Attack Expands to Compromised Docker Images

→ TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions

→ TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise

→ TeamPCP pushed malicious telnyx versions 4.87.1 and 4.87.2 to PyPI 

🇮🇷 🇺🇸 😵‍💫 Iran-linked hacking group Handala says it breached FBI director Kash Patel’s personal Gmail and posted photos and files. TechCrunch verified some leaked emails as authentic and Reuters says the Justice Department confirmed the breach. Handala has ramped up attacks since the U.S.-Israeli war with Iran, and U.S. prosecutors accuse Iran’s intelligence ministry of running the group.

🇪🇺 ☁️ The European Commission is investigating a breach after a threat actor accessed its Amazon cloud infrastructure. The attacker claims to have stolen over 350 GB of data and shared screenshots as proof. The Commission's cybersecurity team detected the intrusion and is investigating while the attacker says they will later leak the data.

🇪🇸 🚢 A ransomware attack hit Spain’s Port of Vigo, forcing officials to disconnect parts of the network. Cargo moves continue, but many tasks are being done manually with paper. An investigation is underway and the port won’t reconnect systems until they are declared safe.

🇸🇪 🇬🇧 The Lapsus$ extortion group claims it hacked AstraZeneca and stole about 3GB of internal data. Stolen files allegedly include code, cloud infrastructure details, credentials, and employee info. AstraZeneca has not confirmed the breach and researchers say links to a recent supply-chain attack are unproven.

🇺🇸 HackerOne says 287 of its employees had personal data stolen after a hack of benefits administrator Navia. Exposed details include names, Social Security numbers, addresses, dates of birth, and plan enrollment information. Affected workers are being offered 12 months of identity protection and warned to watch for phishing.

🇺🇸 Healthcare management firm QualDerm Partners says a December 2025 data breach exposed personal, medical, and insurance information for about 3.1 million people. The attackers accessed the network for two days and stole names, contact details, medical records, diagnoses, insurance data, and in some cases IDs. QualDerm is investigating, notified authorities, and is offering 12 months of free identity and credit monitoring to affected people.

🇳🇱 🚓 Dutch National Police say a phishing attack led to a security breach with limited impact. Investigators quickly blocked the attackers and report no citizen or investigative data was accessed. A criminal probe is ongoing and authorities are tightening security measures.

🇳🇱 The Dutch Ministry of Finance said some of its systems were breached in a cyberattack detected on March 19. Access to the affected systems has been blocked and the investigation is ongoing. Tax, customs, and benefits systems were not impacted and no data loss or attacker identity has been disclosed.

🇯🇵 Mazda said a security breach last December exposed 692 records of employee and business partner data from a warehouse management system tied to parts from Thailand. The leaked fields include names, user IDs, emails, company names, and partner IDs, though no customer data was involved. Mazda notified authorities, tightened its IT security, and found no confirmed misuse so far.

🇸🇬 Trio-Tech said a Singapore subsidiary suffered a ransomware attack on March 11 that encrypted some files. The subsidiary took systems offline, hired cybersecurity experts, notified law enforcement, and is investigating the impact. Stolen data was posted by a ransomware group, and the company now considers the incident possibly material.

→ More:

• Ajax football club hack exposed fan data, enabled ticket hijack

• Hightower Holding Data Breach Impacts 130,000

• Infinite Campus warns of breach after ShinyHunters claims data theft

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

Unit 42 uncovers multiple clusters of cyberespionage targeting a Southeast Asian government organization with USBFect, RATs and loaders.

unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org

🇷🇺 Russian police arrested the suspected administrator of LeakBase, a large marketplace for stolen personal and financial data. Authorities seized equipment and said the site held hundreds of millions of credentials and over 147,000 registered users. U.S. and Russian reports tied the forum to a threat actor known as Chucky and said the site was dismantled in a recent takedown.

🇷🇺 ⚖️ 🇺🇸 A Russian man, Ilya Angelov, was sentenced to two years for running a phishing botnet used in BitPaymer ransomware attacks. The botnet infected thousands of computers and helped affiliates extort over $14 million from more than 70 U.S. companies. The group sold access to infected machines to other cybercriminals and partnered with multiple ransomware gangs.

🇷🇺 ⚖️ 🇺🇸 Aleksei Volkov, a 26-year-old Russian, was sentenced to 6.75 years in the U.S. for helping ransomware groups cause over $9 million in real losses. He sold access to company networks that attackers used to encrypt data and demand cryptocurrency ransoms. Volkov must pay full restitution and forfeit the tools used in the crimes.

🆙 ✅ Tycoon 2FA, a subscription phishing service that bypasses MFA, remains fully operational despite a recent international takedown. The disruption briefly cut activity but attacks and cloud compromises soon returned to previous levels. Law enforcement seized domains and pursued operators, but CrowdStrike says the platform’s tactics and reach continue.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

Twitter tweet

🤷‍♂️ 🇺🇸 Four former NSA and U.S. Cyber Command leaders warned that the U.S. is losing its offensive edge in cybersecurity. They said rising AI threats, China, and cybercrime outpace government and industry response. They urged stronger public-private cooperation and bolder policy action.

🇬🇧 🇨🇳 The UK has sanctioned Xinbi, a Chinese-language marketplace that sells stolen data and crypto services to Southeast Asian scam centers. Xinbi is linked to laundering billions and to North Korean thefts, according to Chainalysis. The sanctions also target Cambodia's #8 Park scam compound and aim to cut Xinbi off from legitimate crypto channels.

🇬🇷 Intellexa founder Tal Dilian, convicted in Greece for mass phone hacking, says he will appeal and denies being a "scapegoat." He hinted the Greek government may have authorized the hacks that targeted ministers, journalists, and others. The spyware Predator, sold mainly to governments, led to U.S. sanctions after being used against officials and journalists.

🇺🇸 🔋 The U.S. Department of Energy’s CESER released a 5-year plan (2026–2030) to protect the nation’s energy systems. It focuses on three goals: build advanced security technologies, harden critical energy infrastructure, and improve response and recovery. Programs like AI-FORTS and Project Armor aim to stop AI-enabled attacks and strengthen resilience.

🇮🇱 🇮🇷 Israel used hacked Iranian street cameras and AI to locate and help kill Iran’s supreme leader — Poorly secured cameras worldwide can be hijacked and turned into real-time targeting tools. Experts warn mass surveillance meant to control dissent can make leaders and civilians more vulnerable.

🇷🇺 ❌ Russian authorities have blocked the paywall-bypass site Archive.today and some of its domains, showing Roskomnadzor error pages. The agency confirmed access to at least one Archive.is page was limited but gave no reason. The extent of the block is unclear, and Archive.today and Roskomnadzor did not comment.

❌ 🇺🇸 The FCC has banned the sale of new consumer routers made outside the USA by adding them to its Covered List. The move follows a national security finding that foreign-made routers pose severe supply-chain and cybersecurity risks. Existing routers can still be sold, but future models may be harder to buy and cost more unless makers get special approval.

🇺🇸 🗳️ A California sheriff seized 650,000 Riverside County ballots claiming an election-fraud probe — State officials and experts say the claims are weak and the sheriff lacked authority. They warn the seizure risks breaking ballot security and undermining trust in elections.

🤔 ✅ An anonymous post accuses compliance startup Delve of giving customers fake audit evidence and claiming compliance they didn’t earn. Delve denies the claims, saying it only provides templates and access for independent auditors. The dispute raises possible legal and security risks and promises more allegations to come.

🦠 MALWARE & THREATS

GitHub is starting to have a real malware problem

In other news: Russian intelligence services compromise thousands of Signal accounts; Trivy vulnerability scanner compromised for supply chain attack; FBI takes down Aisuru and Kimwolf botnets.

news.risky.biz/risky-bulletin-github-is-starting-to-have-a-real-malware-problem

🍎 📲 Kaspersky found that the Coruna iOS exploit kit reuses and expands the kernel exploit code from 2023's Operation Triangulation. The kit now targets many iPhones and is being used in mass attacks and watering-hole campaigns. Its modular, updated design lets more attackers reuse it and puts unpatched users at risk.

🇦🇲 ⚖️ 🇺🇸 Armenian national Hambardzum Minasyan was extradited to the U.S. for allegedly running parts of the RedLine infostealer, including servers, domains, and payment handling. He faces charges including access device fraud, money laundering, and CFAA violations, with up to 20 years on some counts. RedLine is a popular malware-as-a-service that steals credentials and crypto data and remains active despite international takedown efforts.

🇺🇸 🤑 A malvertising campaign used Google Ads to lure U.S. tax-searchers to fake sites that install rogue ScreenConnect remote access tools. The attackers deploy a crypter and a Huawei-signed audio driver (HWAuidoOs2Ec.sys) as HwAudKiller to disable EDRs and steal credentials. They hide using commercial cloaking services and may be preparing ransomware or selling access.

🇮🇷 The FBI warns Iran-linked hackers are using Telegram to spread malware that targets dissidents, journalists, and others seen as threats to Iran. Attackers fake apps and contacts to trick victims into downloading files that give the hackers control. The malware has led to data theft, leaks, and reputational harm.

🎣 🤑 Microsoft warned of mass tax‑season phishing that stole credentials and installed remote‑management malware on devices. One Feb 10 campaign hit over 29,000 users across 10,000 U.S. organizations by spoofing the IRS and delivering ScreenConnect and other RMM tools. Organizations are urged to enforce 2FA, monyitor email/links, and block malicious domains to prevent persistent access.

ℹ️ 🔑 VoidStealer is a new info‑stealer that bypasses Chrome’s Application‑Bound Encryption to extract the browser's master key. It uses a debugger trick with hardware breakpoints to read the v20_master_key from Chrome memory during startup. The technique appears based on the open‑source ElevationKatz tool and is the first such method seen in the wild.

The phone call is the new phishing email

Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, reflecting a concerning shift in tactics.

cyberscoop.com/social-engineering-surge-intrusion-vector-mandiant-m-trends

🤖 🧰 AI, CRYPTO, TECH & TOOLS

💰️ OpenAI launched a public safety bug bounty for AI-specific abuse and safety risks in its products. The program accepts non-security issues like prompt injection, data exfiltration, agentic misuse, and connector vulnerabilities. Researchers can earn up to $7,500 for high-severity, reproducible reports with clear mitigations.

🍎 🔐 Apple says that since launching Lockdown Mode nearly four years ago, it has not seen any successful mercenary spyware hacks on devices with the feature enabled. Independent researchers and organizations have documented attacks but found no confirmed bypasses of Lockdown Mode, and some cases show it blocking spyware. Experts say Lockdown Mode greatly reduces attack surfaces and is recommended for people at high risk.

📆 🔐 Google will finish switching its products to quantum-resistant encryption by 2029 — The company sped up its plan because quantum computing progress is faster than expected. Google hopes its aggressive timeline will push other companies to act sooner.

🆕 🔐 Mozilla released Firefox 149 with a built-in VPN that gives signed-in users 50 GB of browser-only traffic per month. The VPN routes browser traffic through a U.S.-based proxy, can be toggled on per site, and will roll out first in the U.S., UK, Germany, and France. Firefox 149 also adds Split View, tighter SafeBrowsing controls, and patches many security flaws.

🆕 🔎 GitHub is adding AI-powered security detections to Code Security to find vulnerabilities in more languages and frameworks beyond what static analysis covers. These AI detections work with CodeQL and show risks and suggested fixes directly in pull requests. Copilot Autofix can then help developers fix issues quickly before code is merged.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• BIND Updates Patch High-Severity Vulnerabilities

• Cisco Patches Multiple Vulnerabilities in IOS Software

• Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

• Chrome 146 Update Patches High-Severity Vulnerabilities

• iOS, macOS 26.4 Roll Out With Fresh Security Patches

• QNAP Patches Four Vulnerabilities Exploited at Pwn2Own

• TP-Link warns users to patch critical router auth bypass flaw

🔓️ 📲 A hacker has posted a newer version of the DarkSword iPhone exploit kit on GitHub. The leaked code makes it easy for anyone to hack iPhones and iPads running older iOS versions, likely affecting hundreds of millions of devices. Apple urges users to update their software to stay protected.

🔓️ ☁️ Researchers found eight ways attackers can exploit AWS Bedrock by abusing permissions, logs, agents, flows, knowledge bases, and prompts. A single over‑privileged identity can redirect data, hijack agents, poison prompts, or access corporate systems. Securing Bedrock requires tight permissions, inventory of AI workloads, and mapping attack paths.

💥 🔓️ Arctic Wolf found activity suggesting attackers exploited CVE-2025-32975, a critical authentication bypass in unpatched Quest KACE SMA appliances. The flaw can let unauthenticated actors impersonate users and gain full admin control, and Quest patched it in May 2025. Organizations with internet-exposed, unpatched KACE SMAs should apply the patch immediately.

🛰️ ICS, OT & IoT

🤷 🤷 🤷 

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇫🇷 🏃‍♂️ 📍 A French Navy officer logged a run on the deck of the Charles de Gaulle and uploaded it to Strava, revealing the carrier’s exact location. Strava defaults to public, and similar data has exposed military movements before. The French Armed Forces said the officer broke guidelines, and users should consider setting accounts to private.

🇺🇸 🚗 A cyberattack on breathalyzer firm Intoxalock has left drivers across the U.S. unable to start their cars — The company paused systems and cannot perform required device calibrations. Intoxalock did not disclose attack details or a recovery timeline.

🇺🇸 Security researcher Jeremiah Fowler found publicly exposed Sears chatbot databases that contained millions of chat logs, audio files, and transcripts with customers' names, addresses, and phone numbers. Some recordings lasted hours and captured private conversations, raising risks of phishing and fraud. Transformco (the company that owns Sears and Sears Home Services) secured the data after being notified, but it’s still unclear who else accessed it.

🇺🇸 Intuitive Surgical said it was hit by a targeted phishing cyberattack that exposed some internal business and contact data. The company says its surgical robots, manufacturing systems, and hospital networks were not affected. The breach is contained, regulators are being notified, and no timeline or attacker details were given.

🇺🇸 Marquis says hackers stole personal and financial data from at least 672,075 people in an August 2025 ransomware attack. Stolen data included names, birth dates, addresses, bank and card numbers, and Social Security numbers. Marquis blames a SonicWall security failure that let attackers access its network and deploy ransomware.

🇺🇸 Stryker is restoring its internal systems after a cyberattack that wiped thousands of employee devices. A pro‑Iran group called Handala claimed responsibility and said it used company admin access to remotely erase laptops and phones. The breach disrupted operations but Stryker says its internet‑connected medical devices are safe.

→ CISA urges US orgs to secure Microsoft Intune systems after Stryker breach

→ FBI seizes pro-Iranian hacking group’s websites after destructive Stryker hack

🤔 ⁉️ Several major companies named by the Cl0p ransomware group in the Oracle E-Business Suite hack have not commented on the breach — Broadcom, Bechtel, Estée Lauder, and Abbott remain silent despite torrents claiming large amounts of stolen data. Companies may stay quiet for legal, strategic, or investigatory reasons.

🇬🇧 Companies House fixed a security flaw in its WebFiling service that exposed data for up to five million U.K. companies. The bug, introduced in October 2025, let logged-in users view other companies' dashboards and some non-public details like dates of birth and addresses. The agency says no passwords or identity documents were accessed, has reported the incident, and is investigating.

🇨🇦 Canadian retailer Loblaw says a criminal third party accessed customer names, email addresses, and phone numbers. The company says passwords, health details, credit card data, and PC Financial were not affected. It is unclear how many customers were impacted.

🇬🇧 The Guardian found that sensitive UK Biobank health data from 500,000 volunteers has been leaked online many times. Researchers accidentally posted datasets to sites like GitHub, exposing diagnoses and dates that could allow re-identification. Biobank says no names were shared and has issued takedown notices, but experts warn privacy risks remain.

→ More:

• Aura confirms data breach exposing 900,000 marketing contacts

• Bitrefill blames North Korean Lazarus group for cyberattack

• Navia discloses data breach impacting 2.7 million people

• ¹Thousands of Magento Sites Hit in Ongoing Defacement Campaign

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

Boggy Serpens Threat Assessment

Iranian threat group Boggy Serpens' cyberespionage evolves with AI-enhanced malware and refined social engineering. Unit 42 details their persistent targeting.

unit42.paloaltonetworks.com/boggy-serpens-threat-assessment

🇺🇸 🤑 A former Brightly Software contractor stole payroll and corporate data and then sent over 60 extortion emails demanding $2.5 million. Brightly paid $7,540 in Bitcoin and reported the theft, leading the FBI to seize devices and charge 27-year-old Cameron Curry. He faces up to 12 years in prison for the extortion scheme.

🇷🇺 🇺🇦 A Russian state-sponsored group has exploited a high-severity XSS flaw in Zimbra to attack Ukrainian targets. The bug lets malicious CSS/JavaScript in email steal credentials, session tokens, 2FA backups and mailbox data. CISA added the flaw to its KEV list and urges immediate patching of Zimbra.

🇮🇷 Researchers found Iran-linked cyber groups built and staged hidden infrastructure for months before the Feb 28, 2026 US/Israeli strikes. After the strikes, about 60 coordinated hacktivist and APT groups launched attacks mainly against US, Israeli, and Gulf targets. Kinetic strikes damaged Iranian internet links but did not stop or seriously degrade Iran’s cyber capabilities.

🇨🇳 👀 China-linked hackers have run a patient cyberespionage campaign against Southeast Asian militaries since at least 2020. They used custom tools (AppleChris, MemFun, Getpass), PowerShell, and DLL hijacking to stay hidden and steal sensitive military files. Evidence like time-zone patterns, Chinese infrastructure, and Simplified Chinese suggests the group operates from China.

🇰🇭 Cambodia says it will close all online scam centers within weeks. Authorities have opened dozens of cases, arrested hundreds, and repatriated nearly 10,000 workers. Experts warn past raids left networks intact and say key beneficiaries may not be targeted.

🎣 A convicted scammer, Kwamaine Jerell Ford, is accused of running a new phishing scheme from prison by impersonating an adult film star. He allegedly tricked professional athletes into giving iCloud logins and MFA codes, then stole their data and charged many fraudulent transactions. Prosecutors also say he coerced an OnlyFans model into sex acts and used videos to target more victims; he faces 22 charges and is held without bail.

→ More:

• Police take down 373,000 fake CSAM sites in Operation Alice

• 3 Men Charged With Conspiring to Smuggle U.S. Artificial Intelligence to China

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

NetBlocks (@netblocks@mastodon.social)

Attached: 1 image ⚠️ Update: #Iran's internet blackout has entered day 16 as the measure continues in its third week, with the public cut off from international networks for 360 hours. Chosen influencers enjoy whitelisting while state media report a new wave of arrests targeting Starlink users.

mastodon.social/@netblocks/116232059137625268

🇮🇹 💰️ Cloudflare appealed a €14.2M fine from Italy for refusing to block sites via its 1.1.1.1 DNS service. The company says Italy’s Piracy Shield forces rapid, opaque blocking that breaks Internet architecture and risks widespread overblocking. Cloudflare is fighting the law in Italian courts and with EU regulators.

🇺🇸 National Cyber Director Sean Cairncross said the Trump administration is not asking companies to carry out offensive cyberattacks — Instead, the government wants private firms to share technical threat information so officials can respond. The FBI also says companies should report breaches and work with law enforcement to disrupt attackers.

🇺🇸 💰️ The FBI confirmed it has resumed buying Americans’ location and other data from commercial data brokers to aid investigations. Critics say this lets agencies bypass warrant requirements and may violate the Fourth Amendment. Lawmakers have proposed a bill to require court warrants before agencies can buy people’s data.

🇪🇺 🇨🇳 🇮🇷 The EU sanctioned three companies and two individuals from China and Iran for major cyberattacks. One Chinese firm helped hack over 65,000 devices and another offered hacking-for-hire services. The Iranian company ran influence operations, stole subscriber data, and spread misinformation at the 2024 Paris Olympics.

🇪🇺 🗳️ The European Parliament voted to ban untargeted mass scanning of private messages — Scans will be allowed only when a judge names specific users or groups suspected of child sexual abuse. Lawmakers extended a temporary CSAM rule until August 3, 2027, while negotiations continue.

Witness Caught Using Smartglasses in Court Blames it all on ChatGPT

A judge in London tossed out witness testimony after discovering the man was receiving coaching through a pair of smartglasses.

www.404media.co/witness-caught-using-smartglasses-in-court-blames-it-all-on-chatgpt

🦠 MALWARE & THREATS

Analyzing the Current State of AI Use in Malware

Unit 42 research explores how AI is currently used in malware, from superficial integrations to advanced decision-making, and its future impact.

unit42.paloaltonetworks.com/ai-use-in-malware

🐍 Researchers uncovered Speagle, malware that hijacks the Cobra DocGuard security program to steal data. It hides exfiltration by using compromised Cobra servers and a legitimate driver. The attack appears targeted, possibly for espionage, and may stem from a supply-chain compromise.

🔎 📄 Perseus is new Android malware that steals sensitive data by scanning users' note apps for passwords, recovery phrases, and financial info. It spreads via sideloaded IPTV apps and uses Accessibility Services to fully control devices, take screenshots, and hide activity. Users should avoid sideloading apps, stick to Google Play, and enable Play Protect.

🍀 Fraudsters used a legitimate Nordstrom email address to send a St. Patrick’s Day crypto scam promising to double deposits. Nordstrom warned the messages were unauthorized and said it is investigating after some customers paid. The breach likely came through an Okta SSO to Salesforce compromise, and customers are urged to ignore the promotion.

🪱 Researchers warn the GlassWorm campaign has escalated by abusing Open VSX extensionPack and extensionDependencies to turn benign-looking extensions into delivery vehicles for malware. At least 72 malicious extensions were found, mimicking developer tools and using obfuscation, invisible Unicode, and rotating Solana wallets to fetch commands and steal secrets. This tactic enables attackers to bypass review, inject malware transitively, and expand supply-chain compromises across registries and repositories.

🤑 Malicious JavaScript was delivered through the AppsFlyer Web SDK and could replace crypto wallet addresses with attacker-controlled ones. The injected code also stole the original addresses and metadata from users. AppsFlyer says the issue was contained and is investigating while customers should check logs and use known-good SDK versions.

🇺🇦 🇷🇺 A new malware campaign called DRILLAPP targets Ukrainian groups and likely links to Russian actors. It runs a JavaScript backdoor inside Microsoft Edge with special debug flags to access files, mic, camera, and screen. The attackers use paste services for control and changed tactics between February variants to improve file access and persistence.

🎣 Attackers hide phishing links and attachments by appending long blocks of benign text, links, and many HTML break lines to emails. This "noise" fools some NLP-based email security tools into seeing messages as safe. KnowBe4 found this technique often uses real signatures and links (e.g., Bank of America, Uber) to evade detection.

🎣 🇸🇪 A C-level executive at Outpost24 was targeted in a sophisticated phishing attack that used a phishing-as-a-service kit called Kratos. Attackers chained redirects through trusted services (Cisco, Nylas) and reused a reclaimed domain, then served a convincing Microsoft 365 credential-stealing page behind Cloudflare. Specops says the method fits Iran-linked group tactics but attribution remains uncertain.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

☁️ Bucketsquatting is (Finally) Dead — AWS added a new bucket namespace pattern (prefix-accountid-region-an) to stop bucketsquatting. This ensures only the owning account can create buckets with that name and helps prevent attacks. Use the namespace for all new S3 buckets and migrate existing ones if you need protection!

📲 ⏳️ Google will add a mandatory 24-hour wait before users can sideload apps from unverified Android developers to reduce malware and scams. Power users can enable an "advanced flow" with steps like developer mode, a restart, and biometric confirmation to allow sideloading after the wait. Google will also offer limited free developer accounts for hobbyists and students while its verification rules take effect.

Figure: The Advanced Flow/Google

🎵 🤑 North Carolina musician Michael Smith pleaded guilty to using AI-generated songs and automated bots to fraudulently stream music on major platforms. He and accomplices streamed the fake tracks billions of times, collecting over $10 million in royalties. Smith agreed to forfeit about $8.09 million and faces up to five years in prison.

🙊 🤖 A Meta AI agent shared a private internal answer without permission, exposing company and user data to unauthorized engineers for two hours. The agent also gave bad advice that led to the exposure, and Meta rated it a high-severity incident.

🤝 Major tech and retail companies, including Google, Meta, Microsoft, Amazon and OpenAI, signed a pact to fight online scams and fraud. They agreed to share threat information, strengthen prevention and verification, and help users report scams. They also urged governments to make scam prevention a national priority and improve data sharing and laws.

Figure: Industry Accord Signatories/Google.com

🐛 Researchers found several serious AI security flaws: Amazon Bedrock's sandbox allows DNS-based data exfiltration and remote shells, LangSmith had a token-theft URL injection flaw fixed in v0.12.71, and SGLang contains unpatched pickle deserialization bugs that enable remote code execution. Attackers could use these issues to steal data, take over accounts, or run arbitrary code if services are misconfigured or exposed. Administrators should restrict network access, audit IAM roles, migrate to VPC mode or apply DNS firewalls, and patch or isolate vulnerable deployments.

🍏 🔄 Apple released its first background security update for iPhone, iPad, and Mac to fix a Safari WebKit bug. The bug could let a malicious website access data from another site in the same browser session. The lightweight update installs quickly and is pushed between major software releases.

🇨🇳 🦞 Chinese cybersecurity officials warned that OpenClaw, the popular open-source AI agent, has weak default security and high system privileges that attackers can exploit. Researchers showed attackers can use indirect prompt injection—like poisoned web pages or link previews—to make the agent leak sensitive data or run malicious commands. Users are urged to tighten network controls, isolate the service, avoid untrusted skills, and keep the agent updated.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• ConnectWise patches new flaw allowing ScreenConnect hijacking

• Oracle pushes emergency fix for critical Identity Manager RCE flaw

Figure: Screenshot of Mauvehed’s Toot

→ https://attrition-org.github.io/web-hack-mirror/

🔓️ ☁️ A critical path-traversal bug (CVE-2026-22557) in Ubiquiti’s UniFi Network Application could let attackers take over accounts by accessing files. Ubiquiti released patches and advises users to update; a second fix (CVE-2026-22558) closes a privilege-escalation flaw. About 88,000 UniFi hosts are internet-exposed, many in the U.S., raising urgent risk.

💥 A critical Langflow vulnerability (CVE-2026-33017) allowed unauthenticated remote code execution via a POST endpoint. Attackers began exploiting it roughly 20 hours after public disclosure to steal keys and credentials. Sysdig observed multi-stage attacks from several IPs leading to data exfiltration and possible supply-chain risk.

📸 🔓️ Researchers found three serious flaws in Xiaomi camera setup protocol that let attackers bypass setup, predict crypto randomness, and trigger a heap overflow. Using these bugs they achieved remote root code execution and built a persistent “cloud jailbreak.” The jailbreak lets attackers control the camera, steal Wi‑Fi credentials, and cut the device off from Xiaomi cloud services.

😬 Cisco has had a recent flood of SD‑WAN and firewall vulnerabilities, and many were already being actively exploited — Attackers, including ransomware group Interlock, used zero‑days and other flaws to gain powerful management‑plane access. Researchers warn this shows attackers target network edge systems for broad, long‑lasting control.

→ Amazon found Interlock ransomware exploiting a critical Cisco firewall flaw and active since Jan 26, 2026, before Cisco disclosed it

🍎 🇷🇺 Researchers found a second iOS exploit kit, called Darksword, likely reused by suspected Russian hackers from tools originally made for the U.S. government. Darksword can steal passwords, crypto wallets, messages, and may be used for both money and surveillance, putting up to hundreds of millions of iPhones at risk. The kit shows use of AI-generated code and poor operational security, and researchers warn a growing secondary exploit market now targets mobile devices.

Figure: Timeline of DarkSword observations and vulnerability patches/cloud.google.com

→ Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks

🐧 A critical buffer-overflow bug in GNU InetUtils telnetd (CVE-2026-32746) lets unauthenticated attackers run code as root via port 23. The flaw is triggered during the initial Telnet handshake and affects versions through 2.7; a fix is expected by April 1, 2026. Until patched, disable Telnet, block port 23, or run telnetd without root to reduce risk.

🔎 🐛 RondoDox’s operators expanded their exploit list to 174 vulnerabilities and now track disclosures to strike before CVEs are assigned. They shifted from broad scanning to a more targeted exploitation strategy to increase successful infections. The botnet uses its own infrastructure to deploy evasive implants and mainly focuses on DDoS campaigns rather than mass propagation.

Twitter tweet

🛰️ ICS, OT & IoT

🇺🇸 🇨🇦 🇩🇪 U.S., Canadian and German authorities disrupted four large IoT botnets that had infected over three million devices and launched massive DDoS attacks. The botnets—Aisuru, Kimwolf, JackSkid and Mossad—sent hundreds of thousands of attack commands and were used for extortion. Investigators seized servers and domains and targeted alleged operators in coordinated international actions.

☁️ 🔓️ Researchers found serious security flaws in low-cost IP KVM devices from four manufacturers. These small gadgets let users control machines at the BIOS/UEFI level. If exposed to the Internet, misconfigured, or compromised, they can give insiders or hackers wide network access.

🇵🇱 Poland’s National Centre for Nuclear Research (NCBJ) was targeted in a recent cyberattack that was stopped before any systems were compromised. Officials say early indicators point to Iranian-linked hackers, but they warn the evidence could be misleading. This follows a separate cyber incident on Poland’s power grid two months earlier.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇬🇧 🏦 🙊 A technical glitch at Lloyds Banking Group let some Lloyds, Halifax and Bank of Scotland app users see other customers' transactions and personal details. The bank says the error was fixed quickly and apologised, while regulators are investigating. Customers reported seeing accounts, payments and even National Insurance numbers that were not theirs.

🇮🇱 🚉 🇮🇷 A cyberattack hacked advertising screens at Herzliya and Tel Aviv Hashalom stations and showed fake Iranian missile alerts. Authorities say the signs were from a private network, not connected to railway infrastructure, and were taken offline. National cybersecurity teams are investigating while Israel Railways works to restore and expand service.

🇮🇷 🇺🇸 Stryker, a major medical device maker, suffered a severe global cyberattack that shut down many systems and wiped devices. An Iranian hacktivist group called Handala claimed credit and said they erased servers and stole data. The company is working to restore operations while investigating the incident.

🛞 Tire maker Michelin confirmed it was hit in the large Oracle E-Business Suite (EBS) cyberattack tied to the Cl0p group. Investigators found an EBS zero-day was exploited and some files were accessed, but Michelin says only a small, non-sensitive data set was affected and no ransomware was used. The attackers have posted hundreds of gigabytes of alleged Michelin data online.

🤖 Researchers at CodeWall used an autonomous AI agent to hack McKinsey’s internal chatbot, Lilli, and gained full read-write access in about two hours. The agent exploited exposed API endpoints and an SQL injection to access millions of messages, files, user accounts, and writable system prompts. McKinsey patched the issues quickly, but the incident shows agentic AI can enable fast, automated cyberattacks.

How We Hacked McKinsey's AI Platform

An autonomous AI agent found a SQL injection in McKinsey's Lilli AI platform. What it extracted was worse than we expected.

codewall.ai/blog/how-we-hacked-mckinseys-ai-platform

🇺🇸 Ericsson Inc. says a service provider was hacked and some employee and customer data was stolen. The provider found the breach in April 2025 and finished an investigation in February 2026. Affected people are being offered free identity protection and compensation coverage.

🇨🇳 Salt Typhoon, a China-linked hacking group, has breached dozens of major phone and internet companies worldwide. They stole call logs, texts, and audio from senior officials and compromised telecom infrastructure. Officials say the campaign spans the Americas, Europe, Asia, Africa, and Oceania and risks serious national security harm.

→ Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules

☁️ Hackers from the ShinyHunters group claim they have been stealing data from misconfigured Salesforce Experience Cloud sites by abusing the /s/sfsites/aura API. Salesforce says the issue is due to customer guest-user settings, not a platform vulnerability, and advises auditing guest permissions and disabling API access for guests. ShinyHunters says they found ways to bypass record limits and urges disabling public access, which would remove guest access entirely.

Figure: ShinyHunters Salesforce Aura campaign/BleepingComputer

→ More:

• 238,000 Impacted by Bell Ambulance Data Breach 🇺🇸 

• Telus Digital confirms breach after hacker claims 1 petabyte data theft 🇺🇸 

• England Hockey investigating ransomware data breach 🏑 🇬🇧 

• Canadian retail giant Loblaw notifies customers of data breach 🇨🇦 

• Starbucks discloses data breach affecting hundreds of employees ☕️

• Poland's nuclear research centre targeted by cyberattack 🇵🇱 

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

❌ Interpol-led Operation Synergia III sinkholed tens of thousands of IP addresses and seized servers tied to global cybercrime. Authorities in 72 countries made 94 arrests, seized 212 devices, and are still investigating 110 more suspects. Investigations also found over 33,000 phishing sites and large fraud rings in Togo and Bangladesh.

❌ Law enforcement from many countries dismantled SocksEscort, a global proxy network used for large-scale fraud — The botnet hijacked hundreds of thousands of routers and IoT devices and took in millions of dollars. Authorities seized domains, servers, and cryptocurrency to disrupt the operation.

🇺🇸 ⚖️ The U.S. charged former DigitalMint employee Angelo Martino for secretly helping BlackCat ransomware operators and sharing negotiation details. He and accomplices allegedly ran attacks on many U.S. organizations and took ransoms, sometimes paying BlackCat a cut. DigitalMint fired the employees and says it cooperated with law enforcement.

🇺🇸 A foreign hacker broke into the FBI’s New York field office in 2023 and accessed files about Jeffrey Epstein — The breach exploited a vulnerable server at the Child Exploitation Forensic Lab. The FBI says it contained the incident and stopped the hacker’s access.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇫🇮 🇷🇺 🇨🇳 Finland’s 2026 security report warns that Russia and China are actively using cyber espionage against Finnish government, companies, and critical infrastructure. Both countries exploit supply chains, cloud services, and poorly protected consumer devices to steal information and hide their tracks. These operations raise risks for national security, influence campaigns, and Western dependence on Chinese technology.

🇺🇸 🇷🇺 🇨🇳 📲 Researchers say a powerful iPhone-hacking toolkit called Coruna was likely built by L3Harris’s Trenchant unit and sold to U.S. government customers. The tools leaked, were traded by brokers, and ended up used by Russian spies in Ukraine and by Chinese cybercriminals. The case links stolen contractor tools and a former employee who sold exploits to outside parties.

🇪🇺 🎣 An EU court adviser says banks must immediately refund customers for unauthorised transactions unless they have good reason to suspect customer fraud. The opinion came from a case about a phishing attack where a customer’s login was stolen and the bank refused a refund. Banks can later try to recover money if they prove the customer acted with intent or gross negligence.

🦠 MALWARE & THREATS

An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft.

unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors

🔎 🎮️ The FBI is investigating a hacker who hid malware inside several games on Steam. The suspected titles include BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. Steam has removed similar malware-laced games before, but some users may have been infected.

🔙 🚪 Researchers found a new backdoor called Slopoly, likely generated with AI, used in an Interlock ransomware attack to steal data. Slopoly is a simple PowerShell client that beacons to a C2 server, runs commands, and keeps persistence. IBM X-Force links the attack to a financially motivated group known as Hive0163 and says AI tools are speeding custom malware development.

Figure: simplified infection chain/ibm.com

🥷 The PhantomRaven campaign pushed dozens of malicious npm packages that steal developer data by using remote dependencies to bypass scans. Endor Labs found 88 new packages across disposable accounts, with most still live and sending harvested credentials and system info to attacker servers. Developers should only use trusted packages and avoid copy-pasting unvetted code or AI suggestions.

🎣 🎅 A phishing campaign tricks victims into mounting a malicious ISO that looks like a resume and runs hidden PowerShell to load malware. The malware side‑loads a tampered DLL, contacts C2, and injects BlackSanta. BlackSanta kills antivirus and EDR at the kernel level to enable credential theft and data exfiltration.

🛜 Researchers found KadNap malware has infected over 14,000 edge devices, mainly Asus routers, to build a stealthy proxy botnet. It uses a peer-to-peer Kademlia DHT to hide its control infrastructure and resist takedowns. Users are urged to update, reboot, change default passwords, and replace unsupported routers.

🦞 🎠 Researchers found a malicious npm package named @openclaw-ai/openclawai that pretended to be an OpenClaw installer but installs a RAT called GhostLoader. It tricks users with a fake CLI and Keychain prompt, then steals macOS credentials, browser data, crypto wallets, SSH keys, iMessage/Notes, and more. The malware persists, monitors the system, clones authenticated browser sessions, and exfiltrates data to a C2 server and other channels.

🔙 🚪 Hackers used Microsoft Teams to social-engineer employees at financial and healthcare organizations into starting Quick Assist remote sessions. They installed signed MSI files and sideloaded a malicious DLL that decrypts and runs the A0Backdoor malware. A0Backdoor hides C2 traffic in DNS MX queries to steal host data and receive commands.

🇷🇺 💬 Russian state hackers are running a global campaign to hijack Signal and WhatsApp accounts of officials, military staff, journalists and others. They trick users into giving verification codes or abuse linked-device features to take over accounts and read messages. Dutch intelligence warns not to use these apps for sensitive information and gives steps to spot and remove compromised accounts.

🧩 Two Chrome extensions became malicious after ownership changed, allowing attackers to inject code, push malware, and steal browser and device data. The plugins delivered runtime JavaScript from a remote server to execute hidden payloads and trick users into running a Windows executable. Users should remove these extensions and avoid unverified browser add-ons.

→ More:

• PixRevolution: The Agent-Operated Android Trojan Hijacking Brazil’s PIX Payments in Real Time 🇧🇷 

• VENON: The First Brazilian Banker RAT in Rust 🇧🇷 🏦 

• BeatBanker: A dual‑mode Android Trojan 🏦 

• New 'Zombie ZIP' technique lets malware slip past security tools 🦴 

• Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft 🔐 

🤖 🧰 AI, CRYPTO, TECH & TOOLS

MCP Servers and the Return of the Service Account Problem

Agentic AI is turning MCP servers into persistent access brokers, reviving the service account problem and expanding the access surface enterprises struggle to control.

aembit.io/blog/mcp-servers-and-the-return-of-the-service-account-problem

🎣 ⏱️ Researchers showed they could trick Perplexity's Comet AI browser into a phishing scam in under four minutes by feeding back the browser's own reasoning to a GAN. The attack trains a fake page until the AI stops flagging it, shifting the target from users to the AI agent. Experts warn prompt injection and agentic "blabbering" make such attacks hard to fully eliminate.

🤝 🤑 OpenAI is acquiring AI security startup Promptfoo to boost its safety tools. Promptfoo makes a platform that tests LLMs for attacks like prompt injections and data leaks. OpenAI will add these features to its Frontier platform and keep improving Promptfoo’s open-source tools.

🤯 🔓️ 💬 Instagram ending support for end-to-end encrypted messaging after 8 May 2026 - https://help.instagram.com/491565145294150

Figure: Instagram warning pop-up about the end of support of end-to-end encrypted messaging/https://hachyderm.io/@pheonix/116221805295722939

📺️ 🥸 YouTube is expanding its AI deepfake detection to a pilot group of politicians, government officials, and journalists. Eligible users can verify their identity, see detected AI-generated likenesses, and request removal under YouTube policies. The company aims to balance preventing harmful impersonation with protecting free expression and plans broader rollout.

🦞 How AI Assistants are Moving the Security Goalposts — AI assistants that act autonomously on users' computers are becoming popular and powerful. They blur lines between data and code and create big new security risks like credential exposure, prompt-injection, and automated attacks.

Figure: The lethal trifecta/krebsonsecurity.com

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Adobe Patches 80 Vulnerabilities Across Eight Products

• Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit

• Chrome 146 Update Patches Two Exploited Zero-Days

• Cisco Patches High-Severity IOS XR Vulnerabilities

• Microsoft Patches 83 Vulnerabilities

• Microsoft to enable Windows hotpatch security updates by default

• CISA: Recently patched Ivanti EPM flaw now actively exploited

• SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities

• Splunk, Zoom Patch Severe Vulnerabilities

💰️ 🐛 Google paid over $17 million in 2025 to 747 security researchers through its Vulnerability Reward Program. This was a record amount and a more than 40% increase from 2024. Google also expanded AI and open-source reward programs and paid millions across Android, Chrome, and Cloud programs.

🐛 A critical vulnerability (CVE-2026-29000) in the pac4j Java security library lets attackers bypass authentication using public RSA keys. The flaw affects many frameworks and is easy to exploit with a public proof-of-concept. Patches were released quickly, but downstream projects and users remain at risk until they update.

🧩 An SQL injection flaw in the Elementor Ally plugin (CVE-2026-2313) lets unauthenticated attackers steal data by injecting SQL via a URL parameter. Elementor patched it in version 4.1.0, but only ~36% of sites updated, leaving 250,000+ sites vulnerable. Site owners should update Ally and WordPress immediately.

🐛 Researchers found critical bugs in the n8n workflow platform that could let attackers run commands and expose stored credentials. One bug lets public form inputs execute code, and another lets authenticated users escape the expression sandbox. n8n patched the issues and urges updates or temporary restrictions on node use and workflow permissions.

🛰️ ICS, OT & IoT

The OT security time bomb: Why legacy industrial systems are the biggest cyber risk nobody wants to fix

We’re running million-dollar production lines on ancient software because no one wants to risk a shutdown, but ignoring that "time bomb" is becoming way too risky.

www.csoonline.com/article/4142548/the-ot-security-time-bomb-why-legacy-industrial-systems-are-the-biggest-cyber-risk-nobody-wants-to-fix.html

🩹 ICS Patch Tuesday — Major ICS vendors — Siemens, Schneider Electric, Mitsubishi Electric, and Moxa — released Patch Tuesday advisories fixing multiple vulnerabilities in industrial products. Issues range from critical remote code execution, stored XSS, and hardcoded credentials to DoS and third-party component flaws. CISA and Germany’s VDE-CERT also published advisories for affected ICS and building controllers, some allowing remote full compromise.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 🩺 Health tech company TriZetto says hackers stole personal and health data for more than 3.4 million people. The breach began in November 2024 but went undetected until October 2025. Some providers and patients across the U.S. have been confirmed affected.

🇳🇱 🇺🇸 Dutch paint giant AkzoNobel says hackers breached the network of one U.S. site. The Anubis ransomware gang claims to have stolen 170GB and leaked samples of confidential files. AkzoNobel says the incident is contained, impact is limited, and it is supporting affected parties.

🇺🇸 LexisNexis confirmed hackers breached its servers and stole files, which were later leaked by a group called FulcrumSec. The company says the data was mostly legacy, non-sensitive customer and business information from before 2020. LexisNexis has notified law enforcement, hired outside experts, and says the intrusion is contained.

🕹️ Cloud Imperium Games says attackers accessed backup systems in January and saw some users' basic account information. The company reports no passwords, payment data, or signs the data was leaked. CIG is monitoring the situation and warns the exposed details could be used for phishing.

🇺🇸 Madison Square Garden confirmed a data breach tied to the Cl0p ransomware group exploiting Oracle E-Business Suite zero-day flaws. Hackers stole and leaked personal data in August 2025, including names and Social Security numbers. MSG says a third-party vendor hosted the affected system and it is notifying impacted individuals.

🇨🇦 A October 2025 breach at Canadian Tire exposed more than 38 million customer accounts after attackers accessed an e-commerce database. Leaked data included names, emails, PBKDF2-hashed passwords, some dates of birth, partial credit card details, addresses, phones, and gender. The company says bank and loyalty data were safe and has emailed affected users.

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇮🇷 🇺🇸 🇮🇱 After US‑Israeli strikes on Iran, hacktivist attacks have surged but Iran’s state-backed cyber operations remain quiet. Security firms report many claim-driven website defacements, DDoS attacks, and unverified breach claims. Analysts warn the threat is evolving and urge organizations to strengthen defenses.

→ Talos on the developing situation in the Middle East

→ UK warns of Iranian cyberattack risks amid Middle-East conflict

→ Hackers and internet outages hit Iran amid U.S. air strikes

 🇮🇷 🇺🇸 🇮🇱 U.S. and Israeli forces used cyberattacks alongside airstrikes in the opening of the war with Iran to disrupt communications and gather intelligence. Hacked TV broadcasts and apps were used for psychological operations. The true impact of these cyber actions is unclear and may be overstated.

🇮🇷 🇺🇸 Iran-linked APT MuddyWater has breached networks of a U.S. airport, a bank, a software/aerospace contractor, and a Canadian NGO. The group deployed new backdoors named Dindoor and Fakeset, using fraudulent certificates to steal data. The intrusions persisted amid recent U.S.–Israel–Iran tensions and may still threaten other organizations.

🇮🇷 🇮🇱 Researchers observed Iran-linked actors intensifying scans and exploitation attempts against Hikvision and Dahua IP cameras across Israel, Gulf states, Lebanon, and Cyprus. This camera targeting aligns with missile strikes and likely supports battle-damage assessment and targeting. Defenders should patch cameras, remove public access, enforce strong credentials, and segment and monitor camera networks.

🇮🇷 💥 After the U.S.-Israel strikes on Iran, hacktivists launched 149 DDoS attacks on 110 organizations across 16 countries, mostly in the Middle East. Two groups, Keymous+ and DieNet, drove most attacks, targeting governments, infrastructure, finance, and telecoms. Security firms warn of continued cyber retaliation and urge stronger monitoring and defenses.

🇮🇷 🦠 A suspected Iran-linked group called Dust Specter targeted Iraqi officials by spoofing the Ministry of Foreign Affairs to deliver new malware. The campaign used two chains: SPLITDROP/TWINTASK/TWINTALK that poll files on disk, and GHOSTFORM that runs PowerShell in memory and hides artifacts. Attackers staged payloads on compromised Iraqi sites, used evasion and social engineering, and likely leveraged generative AI in malware development.

⚠️ 🇰🇵 🧑‍🏭 Microsoft says North Korean threat groups are using generative AI to create fake remote worker identities and get hired at global companies. AI speeds up making convincing personas, lures, voice and image forgeries, and helps maintain access. Researchers warn this boosts scale, sophistication, and the risk of more advanced, semi‑autonomous attacks.

🇷🇺 ⚖️ 🇺🇸 A 43-year-old Russian, Evgenii Ptitsyn, pleaded guilty in the U.S. for his role in the Phobos ransomware operation. He was arrested in South Korea in June 2024 and extradited to the U.S. in November. Ptitsyn faces up to 20 years for wire fraud conspiracy after helping run and sell the ransomware that hit over 1,000 organizations.

🇺🇸 🇫🇷 A U.S. contractor's son, John Daghita, was arrested in Saint Martin for allegedly stealing over $46 million in cryptocurrency from the U.S. Marshals Service. The arrest followed a joint FBI–French Gendarmerie operation after a blockchain investigator traced the stolen funds to Daghita. Authorities seized cash, hard drives, and security keys during the arrest.

🇪🇺 🎣 Europol and partners dismantled Tycoon 2FA, a large phishing-as-a-service toolkit that enabled adversary-in-the-middle attacks. The service powered tens of millions of phishing emails and was linked to over 64,000 incidents affecting schools, hospitals, businesses, and governments. Its tools stole credentials, MFA codes, and session cookies to allow account takeovers even after password changes.

🇪🇸 🇺🇦 Spanish and Ukrainian police broke up a criminal ring that exploited war-displaced Ukrainian women to run an online gambling and money-laundering scheme. The group forced the women to open bank accounts and used bots and stolen identities to place thousands of low-odds bets, laundering about €4.75 million. Authorities arrested 12 suspects, seized devices, cars, and accounts, and froze properties and funds across multiple countries.

❌ Authorities from 14 countries shut down LeakBase, a major online forum for stolen data and hacking tools. Law enforcement seized the site, arrested suspects, and took user accounts, posts, and logs for evidence. Officials said the site hosted hundreds of millions of stolen records and was linked to many high-profile attacks.

Figure: LeakBase Splash Page/justice.gov

🇺🇸 Hacktivists called “Department of Peace” say they hacked the Department of Homeland Security and leaked documents about ICE contracts. A transparency group published searchable data showing more than 6,000 contractors, contract amounts, and contact details, including big firms like Palantir, Microsoft, and Raytheon. The hackers said they acted to expose DHS ties after recent killings by federal agents.

🇺🇸 ⚖️ A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to hacking and extorting hundreds of women by stealing their social media passwords. He impersonated friends to get recovery codes, then threatened to post private nude images unless victims sent more photos, gave access, or paid him. Mosley faces sentencing on May 27.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

CBP Tapped Into the Online Advertising Ecosystem To Track Peoples’ Movements

An internal DHS document obtained by 404 Media shows for the first time CBP used location data sourced from the online advertising industry to track phone locations. ICE has bought access to similar tools.

www.404media.co/cbp-tapped-into-the-online-advertising-ecosystem-to-track-peoples-movements

🇺🇸 President Trump released a high-level national cyber strategy promoting offensive and defensive cyber operations, stronger federal network security, and use of AI and other emerging technologies. The plan has six pillars, including shaping adversary behavior, securing critical infrastructure and supply chains, streamlining regulation, and building cyber workforce capacity. Reactions were mixed, with industry praise for deterrence and regulation easing and critics saying the strategy is vague and lacks concrete implementation details.

🇺🇸 🔎 The FBI said it found and addressed suspicious activity on its networks but gave no details. Reports say the activity targeted a surveillance system used for warrants, wiretaps, and tracing data. It is unclear when the incident happened or who was responsible.

🇺🇸 🪖 Anthropic’s Claude is still being used by the U.S. military for targeting in the conflict with Iran. Many defense contractors and subcontractors are replacing Claude amid political and legal pressure. The Pentagon may label Anthropic a supply-chain risk, which could spark legal battles.

🙊 Anthropic CEO Dario Amodei accused OpenAI of lying about its Defense Department deal. Anthropic refused the DoD’s request over worries about mass surveillance and autonomous weapons. Public reaction favored Anthropic and hurt OpenAI’s reputation.

🦠 MALWARE & THREATS

🇷🇺 🇺🇦 🐾 🐈️ Researchers found a Russian-linked campaign targeting Ukraine that uses phishing to deliver new malware called BadPaw and MeowMeow. The attack tricks victims with a Ukrainian-language decoy, avoids sandboxes, and uses BadPaw to fetch the MeowMeow backdoor. MeowMeow can run remote PowerShell commands and manage files, and its Russian-language artifacts link it to APT28.

🪱 A self-propagating JavaScript worm infected Wikipedia by adding hidden scripts and vandalizing pages. It spread by modifying both user common.js files and the global MediaWiki:Common.js, affecting about 3,996 pages and ~85 users. Wikimedia engineers restricted editing, removed the malicious code, and reverted changes while investigating how the dormant script executed.

🎠 Malicious Packagist (PHP) packages pretending to be Laravel tools install a cross-platform remote access trojan (RAT) that works on Windows, macOS, and Linux. The RAT connects to a C2 server, sends system info, and executes commands with the web app's permissions. Users should remove the packages, assume compromise, rotate secrets, and audit outbound traffic.

🇰🇵 🪱 North Korean hackers published 26 malicious npm packages that hide command-and-control addresses using steganography in Pastebin posts. The packages install a loader that decodes C2 URLs and fetches platform-specific payloads, deploying a cross-platform RAT and credential stealers. The campaign uses Vercel hosting and typosquatting to evade detection and target developers.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

Uncover real-world indirect prompt injection attacks and learn how adversaries weaponize hidden web content to exploit LLMs for high-impact fraud.

unit42.paloaltonetworks.com/ai-agent-prompt-injection

🔓️ A new quantum algorithm called JVG may break RSA and ECC using far fewer qubits and gates than Shor’s algorithm. Researchers claim JVG could factor RSA-2048 in about 11 hours with under 5,000 qubits, though the results are new and need more scrutiny. Organizations should urgently adopt crypto-agility and post-quantum standards to protect data now.

💬 🔓️ TikTok says it will not add end-to-end encryption for direct messages — The company argues that end-to-end encryption could block police and safety teams from accessing messages when needed. TikTok keeps standard encryption and allows authorized access under strict conditions like valid law enforcement requests.

These are the countries moving to ban social media for children | TechCrunch

Australia was the first country to issue a ban in late 2025, aiming to reduce the pressures and risks that young users may face on social media, including cyberbullying, social media addiction, and exposure to predators.

techcrunch.com/2026/03/06/social-media-ban-children-countries-list

☁️ AWS announced Security Hub Extended, a plan that unifies AWS and curated partner security tools into one console. It simplifies buying, onboarding, and billing with pay-as-you-go pricing and single-vendor support. Security findings from all solutions are normalized into OCSF and aggregated in Security Hub for faster response.

🔐 Google plans to make Chrome HTTPS certificates resistant to quantum attacks by using Merkle Tree Certificates (MTCs). MTCs shrink certificate data, keep Certificate Transparency, and avoid slowing TLS with post-quantum keys. Google will test MTCs with partners and roll out a quantum-resistant root program by 2027.

→ Google Chrome shifts to two-week release cycle for increased stability

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Cisco Patches Critical Vulnerabilities in Enterprise Networking Products

• Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities

🦊 🤝 🤖 Anthropic used its Claude Opus AI to find 22 vulnerabilities in Firefox over two weeks, 14 of them high-severity. Most bugs were fixed in Firefox 148, with a few patches delayed until the next release. The team struggled to build exploits, spending $4,000 in API credits but only making two proofs of concept.

🔎 🗒️ Google tracked 90 zero-day vulnerabilities actively exploited in 2025, a 15% rise from 2024. Nearly half targeted enterprise systems like security appliances, VPNs, and networking gear. Commercial spyware vendors and state-linked groups drove much of the exploitation, and Google warns high rates may continue into 2026.

⚠️ 🎣 LastPass warns of a new phishing campaign that tries to steal users' master passwords. Fake emails use a spoofed display name and link to counterfeit LastPass login pages. LastPass published IoCs and worked with partners to take down the malicious sites.

📱 Kaspersky says there is no evidence the Coruna iPhone exploit kit was made by the same group behind 2023 attacks blamed on the NSA. Google found Coruna uses many iOS zero-days and has been used in multiple campaigns. Some experts suspect US government links because of shared vulnerabilities, but Kaspersky rejects code-reuse claims.

😱 A critical FreeScout vulnerability (CVE-2026-28289) allows zero-click remote code execution by uploading a hidden .htaccess file. The bug bypasses a previous patch using a zero-width space in filenames and affects FreeScout 1.8.206 on Apache with AllowOverride All. Users should update to FreeScout 1.8.207 immediately to prevent full server compromise and data theft.

🇰🇵 Security researchers say APT28 likely exploited MSHTML zero-day CVE-2026-21513 before Microsoft patched it in February 2026. The flaw lets malicious HTML or LNK files trick Windows into running code outside the browser sandbox. Akamai found an artifact tied to APT28 and warned other MSHTML embedding methods could be abused too.

🦞 Security researchers found a high-severity "ClawJacked" flaw in OpenClaw that let malicious websites brute-force a local gateway and take control. The bug allowed hundreds of password guesses per second from browser JavaScript and auto-approved local device pairings. OpenClaw patched the issue in version 2026.2.26 — users should update immediately.

🛰️ ICS, OT & IoT

🥸 An old Rockwell Automation flaw (CVE-2021-22681) that lets attackers impersonate engineering workstations has been exploited in the wild. CISA added it to its Known Exploited Vulnerabilities list and ordered fixes by March 26. Exposed PLCs could be remotely manipulated, risking production disruption or physical damage.

🤷 A researcher says Honeywell’s IQ4 building controller can expose its web interface without authentication and allow attackers to create admin accounts during setup. Honeywell counters that devices are delivered unconfigured, meant for local setup by trained technicians, and not meant to be internet‑exposed. The researcher found thousands of internet‑visible instances and disputes Honeywell’s assessment, and a CVE is pending.

📡 The Global Coalition on Telecoms (GCOT) released principles for 6G security and resilience at Mobile World Congress 2026. The principles call for security-by-design, AI-enabled defenses, quantum-safe cryptography, and measures to protect supply chains, data, and service availability. GCOT says governments, telecoms, and suppliers must act now as 6G moves from research toward commercial rollout by 2029–2030.

🛞 🗺️ Researchers found tire pressure sensors broadcast a permanent ID in plain text that can be captured with cheap receivers. By collecting millions of messages, they showed these signals can be used to track vehicles and infer driver behavior. Attackers could use or spoof these transmissions for mass or targeted tracking and even to cause fake alerts.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

Have I Been Pwned: Canadian Tire Data Breach

In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data.

haveibeenpwned.com/Breach/CanadianTire

🇺🇸 A January 2025 ransomware attack on Conduent has exposed personal data for at least 25 million people in the U.S. The stolen data includes names, birthdates, addresses, Social Security numbers, and medical and insurance information. Conduent has given few details and even hid its incident notice from search engines.

🇳🇱 The ShinyHunters extortion gang claims it breached Dutch telecom Odido and stole millions of user records. Odido confirmed a February breach of its customer contact system affecting about 6.2 million customers but said passwords, call details, and billing data were not exposed. ShinyHunters posted leaked data and alleged it includes internal files and plaintext passwords, while Odido denies those additional claims.

🇨🇳 Chinese hackers used a secret backdoor in Pulse Secure VPN software owned by Ivanti to breach dozens of organizations. The compromise affected at least 119 customers and included U.S. and European military contractors. Cuts after private equity takeovers are blamed for weakening Ivanti’s security, and agencies were later ordered to disconnect Ivanti VPNs due to active exploits.

🇺🇸 🏥 Nearly 140,000 people may be affected by a data breach tied to Vikor Scientific (now Vanta Diagnostics). The breach appears to have originated at billing vendor Catalyst RCM, whose compromised credentials exposed names, DOBs, payment and medical details. It’s unclear if 139,964 is the final total, and some parties have not confirmed the full number.

🇺🇸 🏥 A ransomware attack forced the University of Mississippi Medical Center to close about three dozen clinics and cancel elective procedures. Staff are working offline while investigators, including the FBI, try to restore systems and determine if patient data was stolen. Hospitals and emergency rooms stayed open and patients with urgent needs are being contacted.

👁️ A huge unsecured database tied to IDMerit exposed about one billion sensitive identity records from at least 26 countries. The leaked data included names, birthdates, addresses, national IDs and verification logs, risking identity theft and targeted fraud. The server was later secured, but the incident highlights weak vendor security and major risks from third-party identity systems.

→ More Breaches and Incidents:

• Wynn Resorts confirms employee data breach after extortion threat

• CarGurus data breach affects 12.5 million accounts 🚗

• Ad Tech Company Optimizely Targeted in Cyberattack

• Medical Device Maker UFP Technologies Hit by Cyberattack

• European DYI chain ManoMano data breach impacts 38 million customers 🇪🇺 

• Olympique Marseille confirms 'attempted' cyberattack after data leak ⚽️ 

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇪🇺 Europol launched Project Compass to combat The Com, a global network of mostly young cybercriminals who commit violence, extortion, and child exploitation. The operation, backed by 28 countries, has helped identify 179 perpetrators, arrest 30, and find dozens of victims. Authorities say international information-sharing and sustained efforts are key to protecting victims and disrupting the group.

🇷🇺 🇪🇺 A Russia-aligned group called UAC-0050 (Mercenary Akula) used a spoofed Ukrainian domain and a phishing email to deliver RMS remote-access malware to a European financial institution. The attackers used layered archives and a fake PDF executable to bypass defenses and gain stealthy access for intelligence gathering or financial theft. This incident suggests the group may be expanding targeting beyond Ukraine to Western entities that support it.

🇨🇳 👀 Google says it disrupted a long-running China-linked cyberespionage campaign that targeted telecoms and governments in dozens of countries. The attackers used a new backdoor called GridTide and hid commands in cloud services like Google Sheets to steal or monitor sensitive data. Google, Mandiant and partners took down the malware infrastructure, disabled attacker accounts, and notified victims.

Figure: Countries with suspected or confirmed UNC2814 victims/Google.com

🇺🇸 The U.S. Department of Justice seized $61 million in Tether tied to “pig butchering” crypto scams. Scammers lured victims via dating and social apps, coerced workers in scam compounds, and laundered stolen funds through many wallets. Tether says it has frozen about $4.2 billion in assets linked to illicit activity, including nearly $250 million since June 2025.

🇺🇸 🇷🇺 The U.S. Treasury sanctioned Russian zero-day broker Operation Zero, its founder Sergey Zelenyuk, and related companies and associates for buying and selling stolen software exploits. Officials say Operation Zero bought tools stolen from a U.S. defense contractor and sold them to unauthorized users, posing national security risks. The sanctions also target UAE-linked firms tied to high-paying zero-day markets.

🇺🇸 🇷🇺 A former L3Harris executive was sentenced to 87 months in prison for selling eight zero-day exploits to a Russian broker. He admitted stealing the exploits from Trenchant and received about $1.3 million in cryptocurrency. Prosecutors said the theft caused $35 million in losses and restitution proceedings continue.

🇰🇵 North Korean state-backed Lazarus actors are now using Medusa ransomware to mount extortion campaigns. They have targeted U.S. healthcare and other organizations, sometimes unsuccessfully, and demanded about $260,000 on average. Researchers found tools and indicators linking these attacks to Lazarus but cannot yet pinpoint a single sub-group.

🇪🇸 Spanish police arrested four suspected members of "Anonymous Fénix", a hacktivist group blamed for DDoS attacks on government sites. The group targeted Spanish and some South American institutions, spiking after deadly Valencia floods. Authorities seized the group’s social accounts and closed its Telegram channel.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

FBI agents visited my home about an article I wrote, and now I can't go to Mexico

Mexico formally requested the FBI's help in seeking answers about one of my stories. Having federal agents on my doorstep sparked my own years-long effort to pry information out of the FBI to explain why it came to my house to begin with.

this.weekinsecurity.com/fbi-agents-visited-my-home-about-an-article-i-wrote-and-now-i-cannot-go-to-mexico

🍏 ✅ NATO has approved Apple iPhone and iPad for handling classified information at the "NATO RESTRICTED" level. The devices are now listed in NATO’s vetted product catalog and can access Mail, Calendar, and Contacts securely without special software. Germany’s security agency (BSI) tested and validated the devices, which Apple says met NATO requirements.

🇬🇷 🧑‍⚖️ A Greek court sentenced Intellexa founder Tal Dilian and three associates to eight years in prison for illegal wiretapping and privacy violations. The group was tied to a 2022 scandal where spyware called Predator was used to spy on politicians, journalists, businesspeople, and officials. The U.S. had already sanctioned Intellexa and some executives, and the sentence is stayed pending appeal while authorities investigate further.

🇺🇸 🙊 CISA is in trouble — CISA has lost a large share of its staff and key programs, weakening its cyber defenses and coordination. Political hostility and leadership delays have deepened the problem and eroded trust with industry and local governments. Experts warn CISA may not have the capacity to handle major cyber crises without rebuilding its workforce.

🇬🇧 💰️ The UK ICO fined Reddit £14.47 million for collecting and using data from children under 13 without proper safeguards. Reddit only added weak age checks in July 2025, which the regulator said were easy to bypass. Reddit will appeal, arguing most UK users are adults and that stronger ID checks hurt privacy.

🎦 🚗 🇺🇸 People across the U.S. are destroying Flock license-plate surveillance cameras in protest. Critics say the cameras help immigration authorities track and deport people. Cities and activists are cutting, smashing, or demanding removal of the cameras.

🖼️ 🤖 Data protection authorities from across the globe have published a Joint Statement on AI-Generated Imagery — Global privacy authorities warn against AI systems that create realistic images or videos of real people without consent. They urge organizations to follow data protection laws, add strong safeguards, be transparent, and remove harmful content quickly. Regulators call for proactive engagement to protect privacy, dignity, and vulnerable people.

🪪 🇬🇧 Discord is making age verification mandatory and will use either facial age checks or ID to control access. UK users say Discord changed its promise: some selfies and IDs may be sent to vendor Persona and stored up to seven days instead of always staying on-device. Users worry about data security and Persona’s backers, and Discord has been contacted for comment.

🦠 MALWARE & THREATS

🕹️ 🎠 Cybercriminals are distributing trojanized gaming tools through browsers and chat apps to install a Java-based remote access trojan (RAT). The malware uses stealthy loaders, Microsoft Defender exclusions, and persistence to enable data theft, remote control, and additional payloads. New RAT families like Steaelite, DesckVB, and KazakRAT bundle theft and ransomware features for powerful, easy-to-use attacker dashboards.

👀 📲 Predator spyware hides iOS camera and microphone recording indicators by hooking a SpringBoard function that blocks sensor status updates. It uses kernel-level access and technique like PAC redirection to bypass permission checks and keep feeds streaming to operators. Jamf’s analysis shows traces of the malware in SpringBoard and mediaserverd despite no visible status-dot indicators.

🪦 Arkanix Stealer was a short-lived malware-as-a-service that surfaced in October 2025 and vanished by December. It stole wide-ranging data — browsers, apps, VPNs, Telegram/Discord, files, wallets — and offered a control panel and post-exploitation tools. Kaspersky says the campaign was a one-shot effort for quick profit, with servers and Discord taken down.

🪱 Researchers found a worm-like campaign (SANDWORM_MODE) using at least 19 malicious npm packages to steal crypto keys, API tokens, and CI/GitHub secrets. The malware also uses a malicious GitHub Action, can wipe home directories, and injects a fake MCP server to trick AI coding tools and harvest LLM keys and SSH/AWS/NPM credentials. Users should remove the listed packages, rotate tokens and secrets, and check repos and workflows for unexpected changes.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

Twitter tweet

🐛 Researchers found serious vulnerabilities in Anthropic's Claude Code that let attackers run commands and steal API keys by simply opening malicious repositories. The flaws abused config files and MCP servers to bypass consent and send authenticated requests to attacker-controlled endpoints. If exploited, attackers could access project files, modify cloud data, and incur unexpected API costs.

❌ Anthropic has removed the core pledge in its safety policy that barred training new AI models unless safety could be guaranteed in advance. The company says the change reflects practical realities, more transparency, and plans for regular risk reports and safety roadmaps. Critics warn the move weakens constraints and could make managing catastrophic AI risks harder.

🇨🇳 Anthropic says three Chinese AI labs used fake accounts to send 16 million prompts to its Claude model to steal capabilities. The startup calls this “distillation” and warns it can remove safety guards and enable cyberattacks, surveillance, or disinformation. Anthropic urges stronger export controls and says the activity violated its terms.

→ Anthropic Refuses to Bend to Pentagon on AI Safeguards as Dispute Nears Deadline

→ Employees at Google and OpenAI support Anthropic’s Pentagon stand in open letter

→ Anthropic vs. the Pentagon: What’s actually at stake?

This App Warns You if Someone Is Wearing Smart Glasses Nearby

The creator of Nearby Glasses made the app after reading 404 Media's coverage of how people are using Meta's Ray-Bans smartglasses to film people without their knowledge or consent. “I consider it to be a tiny part of resistance against surveillance tech.”

www.404media.co/this-app-warns-you-if-someone-is-wearing-smart-glasses-nearby/?ref=daily-stories-newsletter

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Cisco Patches Catalyst SD-WAN Zero-Day

• Trend Micro Patches Critical Apex One Vulnerabilities

• An out-of-band security update for Junos OS Evolved patches the remote code execution vulnerability CVE-2026-21902

🩹 SolarWinds patched four critical Serv‑U flaws that can allow attackers to gain root or admin access. All four bugs require attackers to already have high privileges, limiting but not eliminating risk. Thousands of Serv‑U servers are exposed online and the software has been repeatedly targeted by threat actors.

I found a Vulnerability. They found a Lawyer.

What happens when you responsibly disclose a critical vulnerability exposing personal data - including that of minors - and the organization responds with legal threats instead of a thank you?

dixken.de/blog/i-found-a-vulnerability-they-found-a-lawyer

⚠️ Attackers have been exploiting two Cisco SD-WAN zero-days since 2023 to gain long-term access to network edge devices. Authorities, including CISA and the Five Eyes, issued emergency guidance and threat-hunt steps after discovering the ongoing campaign. Officials warn the attacks are highly targeted and require urgent patching and forensic checks.

⏱️ CrowdStrike found attackers are moving through networks much faster, with average breakout time down to 29 minutes and some attacks taking seconds. Attackers increasingly use living-off-the-land tactics, stolen credentials, and cloud or edge device flaws to avoid detection. Nation-state and criminal groups are exploiting more zero-days and AI-driven techniques, widening threats and stressing defenders.

🧠 📲 Security researchers found 1,575 vulnerabilities in ten popular Android mental health apps with over 14.7 million installs. Many flaws could expose therapy data, intercept logins, or let attackers read local files and spoof app behavior. Some apps claim encryption or privacy but still use insecure coding and outdated protections.

✈️ 🪖 The Dutch Defense Secretary said the F-35’s software and cloud systems could be “jailbroken” like an iPhone to accept third-party updates. Experts warn doing so would be legally risky and would not replace U.S. maintenance, mission planning, or spare-part support. The comment highlights tensions for foreign F-35 operators reliant on U.S. control and logistics.

🇷🇺 A Russian-speaking hacker used AI tools to help breach over 600 FortiGate firewalls across 55 countries in five weeks. The attacker relied on exposed management interfaces and weak credentials, then used AI-assisted scripts to automate reconnaissance and lateral movement. Amazon warns AI services are lowering the bar for attackers and urges admins to remove internet-exposed interfaces and enable MFA.

100+ Kernel Bugs in 30 Days

High-Scale Driver Vulnerability Research with Agent Swarms

open.substack.com/pub/ydinkin/p/200-kernel-bugs-in-30-days?utm_campaign=post-expanded-share&utm_medium=web

🛰️ ICS, OT & IoT

Bring the Fight to the Edge: Turning Time Into an Advantage in OT Security

Unit 42 research reveals most OT attacks begin in IT. Learn how edge-driven defense stops threats early and turns dwell time into advantage.

unit42.paloaltonetworks.com/ot-edge-security

• Zyxel Patches Critical Vulnerability in Many Device Models

🌱 Gardyn indoor smart gardens had two critical and two high-severity security flaws that could allow remote attackers to take control. Gardyn and CISA say patches and app/firmware updates have been released and most devices should be updated automatically. Researchers estimate about 138,000 devices were affected but there is no evidence the flaws were exploited in the wild.

🔓️ 🛜 Researchers found a new Wi‑Fi attack called AirSnitch that can break encryption and expose data. The flaw affects home, office, and enterprise networks and exploits weaknesses in Wi‑Fi design. This shows many devices and users remain vulnerable despite past security improvements.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🅿️ PayPal says a software error exposed customers' personal data, including Social Security numbers, from July to December 2025. The company fixed the code, reset affected passwords, and is offering two years of free credit monitoring. Some customers saw unauthorized transactions and received refunds.

🇫🇷 🏦 France’s Ministry of Economy disclosed a breach of the national bank account registry FICOBA that exposed 1.2 million accounts — An attacker used stolen official credentials to access names, addresses, IBANs and some tax IDs; access is now blocked and affected people are being notified. Security experts warned that broad access tied to single identities makes such large exposures easier and companies should limit privileges by need.

🇩🇪 🚂 💥 Germany’s rail operator Deutsche Bahn was hit by a large DDoS attack that disrupted ticketing and some IT systems. The attack began Feb 17, came in waves, and briefly made websites and the DB Navigator app intermittently inaccessible. No culprit has been named, though similar attacks on German infrastructure have been linked to pro‑Russian hacktivist groups.

🇺🇸 Hackers breached Figure Technology Solutions and stole personal data from about 967,200 accounts. The stolen files included names, emails, phone numbers, addresses, and dates of birth. The ShinyHunters group claimed responsibility and leaked the data after a social-engineering attack.

🇳🇱 🚂 Hackers stole customer data from Eurail and are offering it for sale online — The leaked files may include names, contact details, passport copies, travel reservations, and bank info for millions of customers. Eurail says it is investigating while hackers threaten to publish all stolen data if no buyer is found.

🇨🇦 🐻 Hackers claiming to be ShinyHunters leaked a 1.67 GB dataset of over 600,000 Canada Goose customer records. Canada Goose says the data appears to be historical, it has found no breach of its systems, and no full payment card numbers were exposed. The leaked details could still enable phishing, fraud, and customer profiling.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇺🇸 🇮🇷 Three former Google engineers and one husband were indicted for stealing trade secrets from Google and other tech firms and sending them to unauthorized locations, including Iran. The defendants allegedly copied files about processor security and cryptography, hid their actions, and photographed screens after access was revoked. If convicted, each faces up to 10 years for trade secret theft and up to 20 years for obstruction.

🇺🇦 🇰🇵 A Ukrainian, Oleksandr Didenko, was sentenced to five years for running a scheme that helped North Korea hire remote IT workers at U.S. companies. He stole identities, created over 2,500 fake accounts, and sold them to North Korean operatives. Authorities say the payments supported North Korea’s regime and posed national security risks.

🌍️ African police arrested 651 suspects in a coordinated INTERPOL operation against investment fraud, mobile money scams, and fake loan apps. Authorities across 16 countries seized devices, shut down 1,442 malicious sites, and recovered over $4.3 million while identifying 1,247 victims. The operation highlights cross-border collaboration to disrupt large cybercriminal networks.

🇳🇬 🇺🇸 ⚖️ A Nigerian man, Matthew Akande, was sentenced to eight years for running a five-year scheme that filed over 1,000 fraudulent U.S. tax returns. He and co-conspirators stole client data, used phishing and malware, and obtained more than $1.3 million in false refunds. Akande was arrested in 2024, extradited to the U.S., pleaded guilty, and must pay about $1.4 million in restitution.

🇪🇸 🏨 Spanish police arrested a 20-year-old who hacked a hotel booking site to pay as little as one cent for luxury rooms. He altered the payment validation so bookings looked fully paid while only one cent was charged. Hotels lost over €20,000 and he was caught staying in a Madrid hotel with a €4,000 reservation.

🇵🇱 Polish police arrested a 47-year-old suspect linked to the Phobos ransomware group and seized computers and phones with stolen credentials and server data. The arrest was part of Operation Aether, an international effort coordinated by Europol targeting Phobos infrastructure and affiliates. The suspect faces charges for creating and distributing hacking tools and could get up to five years in prison.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @infosecevents@infosec.exchange on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

Underground Facial Recognition Tool Unmasks Camgirls

The site, camgirlfinder, is explicitly built as a tool to let people find a model's presence on other streaming platforms. The creator says “If that is a problem for you then the sad reality is this job is not for you.”

www.404media.co/underground-facial-recognition-tool-unmasks-camgirls

🇵🇱 🇨🇳 Poland’s army now bars Chinese-made cars from entering protected military sites over information security risks. The ban targets vehicle systems that can record or transmit location, images, or sound. The rule is preventive, follows NATO practices, and does not affect public use of these cars.

🇺🇸 🧑‍⚖️ A judge scolded members of Mark Zuckerberg’s team for wearing Ray-Ban Meta AI glasses with a camera as they entered a Los Angeles courtroom — The judge ordered the glasses removed and warned anyone who recorded must dispose of footage or face contempt. The incident occurred during a trial over whether Meta and YouTube design platforms that harm children.

🇺🇸 🇨🇳 Texas sued TP-Link, accusing it of hiding that its routers are built from Chinese parts and are vulnerable to state-backed Chinese hackers. The suit says TP-Link misled consumers about security and that its devices were used in large botnets and credential-theft attacks. Texas seeks fines and orders forcing disclosure of Chinese origins and an end to collecting user data without consent.

Figure: “So when are they going to sue Cisco, Fortinet, F5, Palo Alto, Ivanti etc.?” / @cR0w

🇪🇸 ⚽️ A Spanish court ordered NordVPN and ProtonVPN to block 16 websites and related IPs that stream LaLiga matches illegally. The ruling was made without the VPNs being heard, and the companies say they were not notified. LaLiga says VPNs enable piracy and must help stop it, while VPNs argue the order is procedurally invalid and ineffective.

👀 🇦🇴 Amnesty International says Intellexa’s Predator spyware was used to hack an Angolan journalist’s iPhone via a WhatsApp link. The hack shows governments are using commercial spyware to target journalists and others. Researchers found forensic links to Intellexa but could not identify the exact customer.

🇮🇪 Ireland's Data Protection Commission has opened a formal probe into X over its Grok AI creating non-consensual sexual images, including of children. The investigation will check if X complied with GDPR rules like lawful processing and data protection by design. This adds to multiple international probes into Grok, which could lead to big fines across the EU.

🔕 👀 Amazon’s Ring ended plans to integrate with surveillance firm Flock Safety after announcing the joint project would take more time and resources than expected. The cancellation came amid backlash to a Super Bowl ad showing a camera network finding a lost dog, which sparked fears about intrusive tracking and face recognition. Privacy advocates and a U.S. senator warned Ring’s features could erode civil liberties.

→ Leaked Email Suggests Ring Plans to Expand ‘Search Party’ Surveillance Beyond Dogs

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

Hudson Rock Identifies Real-World Infostealer Infection Targeting OpenClaw Configurations

Following our initial research into ClawdBot, Hudson Rock has now detected a live infection where an infostealer successfully exfiltrated a victim's OpenClaw configuration environment. This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the "souls" and identities of personal AI agents.

www.infostealers.com/article/hudson-rock-identifies-real-world-infostealer-infection-targeting-openclaw-configurations

Figure: Adam Shostack’s Toot

Twitter tweet

→ OpenClaw Security Issues Continue as SecureClaw Open Source Tool Debuts

→ Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems

🏧 🤑 The FBI warns of a rise in ATM jackpotting, with over 700 attacks in 2025 and losses above $20 million. Attackers install malware like Ploutus to make ATMs spit out cash quickly. Authorities are prosecuting suspects and sharing detection tips.

📺️ Researchers found a new Android trojan called Massiv that hides in fake IPTV apps to steal banking data. It uses overlays, keylogging, SMS interception, and remote control to take over devices and commit fraud. Massiv spreads via SMS droppers and targets users in Spain, Portugal, France, and Turkey.

🤖 Researchers at ESET found PromptSpy, an Android malware that uses Google’s Gemini AI during runtime to guide taps and swipes for persistence. It uses a VNC module and Accessibility Services to steal PINs, capture screens, block uninstallation, and lock itself in recent apps. ESET says it may be a proof of concept with possible links to Chinese developers and a delivery domain aimed at Argentina.

🔙 🚪 📲 Kaspersky found a new Android backdoor called Keenadu preinstalled on many devices and pushed via firmware updates or fake apps. The malware gives attackers full remote control but is mainly used for ad fraud like hijacking searches and clicking ads. Infections were seen on about 13,000 devices worldwide and researchers link Keenadu to large botnets with likely Chinese origins.

🤖 Researchers found Microsoft Copilot and xAI Grok can be abused as stealthy malware command-and-control (C2) relays by using their web-browsing and URL-fetch features. This lets compromised machines fetch attacker commands and send data back through the AI without needing API keys or accounts. The technique could enable AI-driven malware that adapts and evades detection.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔎 Anthropic launched Claude Code Security, an AI tool that scans code for vulnerabilities and suggests fixes. It will roll out first to select enterprise and team testers after extensive internal and lab testing. The company says the tool speeds up finding bugs but human experts are still needed for higher-level threats.

👀 📧 Microsoft confirmed a bug let Copilot Chat read and summarize customers’ confidential emails without permission — The issue affected emails labeled confidential since January, even when data-loss-prevention rules were in place. Microsoft says it started rolling out a fix in February.

🚫 DEF CON has banned three people—Pablos Holman, Vincenzo Iozzo, and Joichi Ito—after they appeared in DOJ files and emails connected to Jeffrey Epstein. The bans follow reporting linking them to Epstein and similar moves by other cybersecurity events. The three have disputed wrongdoing, saying interactions were business-related or minimal.

🍎 💬 🔐 Apple is testing end-to-end encrypted RCS messaging in the iOS and iPadOS 26.4 developer beta. The feature is limited to Apple devices and not all carriers or devices yet. The beta also adds stronger memory safety protections and stolen device safeguards.

📱 🤖 Google released the first Android 17 beta with new privacy and security defaults — It blocks unencrypted cleartext traffic by default for new apps and adds HPKE support for stronger encryption. Other changes include default certificate transparency, a new install-time localhost permission, and a push toward “secure-by-default” app behavior.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Google Patches First Actively Exploited Chrome Zero-Day of 2026

• Microsoft Patches CVE-2026-26119 Privilege Escalation in Windows Admin Center

Critical Vulnerabilities in Ivanti EPMM Exploited

We discuss widespread exploitation of Ivanti EPMM zero-day vulns CVE-2026-1281 and CVE-2026-1340. Attackers are deploying web shells and backdoors.

unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340

💥 A critical pre-auth RCE in BeyondTrust remote support (CVE-2026-1731) lets attackers run OS commands and fully compromise systems. Unit 42 observed active exploitation using webshells, SparkRAT, VShell, lateral movement, and data exfiltration across multiple sectors and countries. Patches and mitigations exist, and many instances remain exposed, so urgent patching and monitoring are needed.

🇨🇳 🫥 Chinese-linked hackers used a Dell RecoverPoint zero-day (CVE-2026-22769) to get root access and stay hidden for about 18 months. Researchers say the group replaced older malware with a harder-to-detect backdoor and likely compromised dozens of organizations. Dell has released a patch and agencies are sharing detection guidance.

🔓️ ☁️ Researchers at ETH Zurich found that popular cloud password managers (Bitwarden, LastPass, Dashlane, 1Password) can have vaults compromised if the provider’s servers are fully malicious. They exploited recovery, SSO, sharing, and compatibility features to read and sometimes modify users’ stored credentials. Vendors say fixes and mitigations are being rolled out, but some issues are design trade-offs or hard to fully eliminate.

→ Password managers' promise that they can't see your vaults isn't always true

🛰️ ICS, OT & IoT

🎥 🐛 CISA warns a critical Honeywell CCTV flaw (CVE-2026-1670) lets attackers change recovery emails and take over accounts. The bug scores 9.8 and affects several mid‑level Honeywell camera models. Users should isolate devices, use secure remote access, and contact Honeywell for patch guidance.

🏠️ A security researcher found that DJI Romo robovacs and some power stations leaked lots of data to public servers he could read. He could see live video and control devices before DJI partially fixed the issue. The incident shows weak security and raises concerns about who can access people’s home cameras and data.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇯🇵 🍆 Happy Valentine’s Day — Sex toy maker Tenga alerted customers that a hacker accessed an employee email account and may have stolen names, emails, and past order or support messages. The attacker also sent spam to the compromised contacts. Tenga reset credentials, enabled multi-factor authentication, and urged customers to change passwords and watch for suspicious emails.

🇰🇷 💍 South Korea fined Louis Vuitton, Dior, and Tiffany $25 million for poor security that let hackers access customer data. The breaches exposed names, contacts, addresses, and purchase histories for over 5.5 million people. Authorities said using SaaS does not remove companies’ duty to protect data.

🇷🇴 🛢️ Romania's oil pipeline operator Conpet confirmed it was hit by a Qilin ransomware attack that stole company data. The company says operations were not affected but it is working with national cyber authorities to investigate. Leaked documents may contain sensitive personal and financial information, so people should be wary of suspicious requests.

🇳🇱 Dutch telecom Odido says a cyberattack exposed personal data of about 6.2 million customers. The breach hit their customer contact system and may include names, addresses, emails, phone numbers, IBANs, and ID numbers. Odido blocked access, alerted authorities, and is notifying affected customers.

🇺🇸 🥼 A May 2025 cyberattack on ApolloMD exposed PII and PHI for 626,540 people — Stolen data included names, addresses, dates of birth, medical and insurance details, and possibly Social Security numbers. ApolloMD notified affected parties, offered free credit monitoring, and the Qilin group posted the breach online.

🇺🇸 🚗 Volvo Group North America had personal data of about 17,000 customers and staff exposed after a breach at service provider Conduent. The stolen data included names, Social Security numbers, birthdates, IDs, and medical and insurance details. Conduent is notifying affected people and offering identity and credit monitoring.

👀 A hacktivist scraped about 536,000 payment records from a vendor of stalkerware apps, exposing customers’ email addresses and partial card details. The data covered services like uMobix, Xnspy, Geofinder and Peekviewer and was verified by TechCrunch. The vendor appears linked to companies called Ersten Group and Struktura, which did not respond to requests for comment.

→ Hacked, leaked, exposed: Why you should never use stalkerware apps

🇪🇺 👀 The European Commission’s CERT-EU found signs of a cyberattack on its IT systems used for mobile device management. The incident was contained and cleaned within nine hours, and no mobile devices were compromised. Some staff names and phone numbers may have been accessed and a full review is underway.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇵🇰 🇮🇳 Pakistan-linked groups SideCopy and APT36 are running cross-platform campaigns targeting Indian defense and government organizations. They use phishing lures to deliver remote access trojans (Geta RAT, Ares RAT, DeskRAT) for long-term data theft and access on Windows and Linux. The attacks use stealthy techniques and trusted regional lures to maintain persistence and avoid detection.

🇳🇱 Dutch police arrested a 21-year-old seller accused of offering JokerOTP, a phishing tool that intercepts one-time passcodes to hijack accounts. The JokerOTP service reportedly caused over $10 million in losses across 28,000+ attacks by automating calls that trick victims into revealing OTPs. Authorities dismantled the operation after a three-year probe and say more suspects and buyers will be prosecuted.

🇨🇳 ⚖️ 🇺🇸 Daren Li, a dual Chinese and St. Kitts and Nevis national, was sentenced in absentia to 20 years for his role in a cryptocurrency "pig butchering" scam that stole over $73 million from U.S. victims. The scheme used romance and messaging apps to launder funds through shell companies, banks, and crypto platforms. Li fled before sentencing after cutting off his ankle monitor, and investigators found hundreds of millions in related crypto wallets.

🇨🇳 🇸🇬 Singapore's Cyber Security Agency says China-linked UNC3886 targeted the country's four major telcos. Attackers used advanced tools, a zero-day exploit, and rootkits to gain access to network systems. CSA says no customer data was seen taken and has closed the attackers' access.

🇺🇸 ⚖️ Two Connecticut men are accused of using about 3,000 stolen identities to create fake accounts and steal roughly $3 million from FanDuel and other gambling sites. They allegedly bought PII on darknet and Telegram, used background-check services to pass verifications, and tracked victims in a spreadsheet. Prosecutors charged them with multiple counts including wire fraud, identity fraud, and money laundering.

A Peek Into Muddled Libra’s Operational Playbook

Explore the tools Unit 42 found on a Muddled Libra rogue host. Learn how they target domain controllers and use search engines to aid their attacks.

unit42.paloaltonetworks.com/muddled-libra-ops-playbook

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

Twitter tweet

🎩 Hacker Vincenzo Iozzo (@_snagg), linked in newly released documents to Jeffrey Epstein, was removed from Black Hat and Code Blue conference websites. Iozzo says he only knew Epstein for business, denies wrongdoing, and welcomes an investigation. Conferences say his name was taken off their review boards amid the document release and unrelated membership updates.

🛑 💬 🇷🇺 Russia is trying to fully block WhatsApp and has already throttled Telegram to push users onto the state-backed MAX app. WhatsApp and Telegram say this move harms privacy and safety and they will try to keep users connected. People in Russia can still use VPNs or external DNS for now, but those tools are also under pressure.

Twitter tweet

🇺🇸 Nevada announced a new statewide data classification policy to standardize how agencies label and protect information. Data must be placed into four categories—public, sensitive, confidential, or restricted—with unclear items treated as more restrictive. The policy aims to improve cybersecurity and guide future protections after a disruptive cyberattack.

🇪🇺 🤝 The EU gave unconditional approval for Google’s $32 billion buyout of cloud security firm Wiz — Regulators found no competition concerns and said customers have credible alternatives. Google says Wiz will stay available on all major clouds, though some worry about lost neutrality.

Cops Are Buying ‘GeoSpy’, an AI That Geolocates Photos in Seconds

404 Media has obtained a cache of internal police emails showing at least two agencies have bought access to GeoSpy, an AI tool that analyzes architecture, soil, and other features to near instantly geolocate photos.

www.404media.co/cops-are-buying-geospy-ai-that-geolocates-photos-in-seconds

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🏦 Security researchers say a threat actor called UAT-9921 is using a new modular malware framework named VoidLink to target technology and financial firms. VoidLink provides stealthy, compile-on-demand implants and plugins for Linux, Windows, and cloud environments, lowering the skill needed to build hard-to-detect malware. Talos warns the framework includes RBAC, evasion features, and C2-driven plugin delivery, enabling broad reconnaissance and persistent access.

🧩 Researchers found 30 fake Chrome extensions, called AiFrame, that pose as AI assistants and have over 300,000 installs. The extensions load remote iframes and steal page content, credentials, and Gmail messages, sending data to a single malicious domain. Users should check the indicators, remove any infected extensions, and reset passwords.

✉️ 🧩 A hijacked Outlook add-in called AgreeTo was turned into a phishing kit that stole over 4,000 Microsoft account credentials. The attacker claimed the add-in's abandoned hosting URL, served a fake Microsoft login in Outlook, and exfiltrated data via a Telegram bot. Microsoft removed the add-in after researchers at Koi Security discovered the breach; users should uninstall AgreeTo and reset passwords.

ℹ️ Lumma Stealer, the malware that stole passwords and files from Windows PCs, infected hundreds of thousands of machines before last year. Authorities seized much of its infrastructure in May, but researchers say Lumma is back and spreading again. The malware uses lure sites and a cloud-based service model to make infections hard to stop.

🇰🇵 North Korean hackers (UNC1069) used deepfake video and social engineering to deliver new macOS and Windows malware against crypto targets. Researchers found seven distinct macOS malware families that steal credentials, browser data, and files for financial theft. The attack aimed to steal cryptocurrency and gather data to enable future scams.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

Srsly Risky Biz: Microsoft's Forgoes Its Secure Future

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Trail of Bits. You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS

news.risky.biz/srsly-risky-biz-microsofts-forgoes-its-secure-future

👨‍⚕️ Your AI doctor doesn’t have to follow the same privacy rules as your real one — AI tools from OpenAI, Anthropic, and Google are being used for medical advice but often are not legally bound by HIPAA. That means these apps may collect, share, or sell sensitive health data with weaker protections. People use them because they are cheap and convenient, but that creates real privacy risks.

Twitter tweet

🇨🇳 🇮🇷 🇰🇵 🇷🇺 State-backed hackers from China, Iran, North Korea, and Russia are using Google’s Gemini AI to help plan and carry out cyberattacks. They use it for reconnaissance, phishing, coding, vulnerability testing, and data exfiltration. Google says it has blocked abused accounts and added defenses but warns AI misuse and model theft remain serious risks.

🦞 🦠 OpenClaw now scans all ClawHub skills with VirusTotal to block or flag malicious uploads. The move follows findings that many skills hide backdoors, data exfiltration, or prompt-injection attacks. Despite scanning, OpenClaw warns risks remain and will publish a security roadmap and reporting process.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Adobe Fixes 44 Vulnerabilities in Creative Apps

• Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices

• BeyondTrust Patches Critical RCE Vulnerability

• Chipmaker Patch Tuesday: Over 80 Vulnerabilities Addressed by Intel and AMD

• Chrome 145 Patches 11 Vulnerabilities

• Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution

• Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025

• Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws

• SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities

💥 Attackers are exploiting two severe Ivanti EPMM zero-day flaws, spreading to dozens of victims including government agencies. Researchers found about 86 confirmed compromises and hundreds of attack attempts, with many exposed instances still online. Ivanti released detection tools but has not provided a full victim count.

→ Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

→ 83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

⚠️ BeyondTrust warned of a critical remote code execution flaw (CVE-2026-1731) in its Remote Support and Privileged Remote Access software that lets unauthenticated attackers run OS commands. The company patched cloud systems and urged on-premises customers to update to fixed versions immediately. Past BeyondTrust vulnerabilities have been exploited by threat actors, including incidents linked to state-backed groups.

🛰️ ICS, OT & IoT

🩹 ICS Patch Tuesday — Major industrial vendors — Siemens, Schneider Electric, Aveva, and Phoenix Contact — released Patch Tuesday advisories fixing multiple ICS/OT vulnerabilities. The flaws can allow unauthorized access, DoS, code execution, XSS, and privilege escalation. CISA and other vendors (Mitsubishi, Moxa, VDE CERT) also published related advisories.

🇺🇸 💬 CISA issues warning to U.S. audience — A destructive cyberattack on Poland’s power grid targeted 30 wind and solar sites and damaged control systems. CISA warned U.S. infrastructure operators that vulnerable internet-facing edge devices and OT/ICS systems are at risk. Security firms and foreign agencies say this shows distributed energy resources are now prime targets and must be secured.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇮🇹 🏫 Rome’s La Sapienza university was hit by a cyberattack that forced its IT systems offline and disrupted operations. Authorities and cybersecurity teams say it may be ransomware (linked to a pro-Russian group) and are restoring systems from backups. Students and staff are advised to watch for phishing and suspicious activity while recovery continues.

🇮🇹 ⛷️ 🇷🇺 Italy said it stopped cyberattacks aimed at its foreign ministry sites and Winter Olympics websites and hotels. Foreign Minister Antonio Tajani said the attacks were linked to Russia. Thousands of security officers are deployed across the Games.

📤️ Substack notified users that attackers accessed some email addresses, phone numbers, and internal metadata from an October 2025 breach. The company says passwords, credit card numbers, and financial data were not accessed and it has fixed the vulnerability. Substack warned users to watch for phishing and the leaked data appeared on a hacking forum.

Figure: e-mail received by Substack users notifying them of the breach

💸 Step Finance said hackers stole about $40 million after compromising executives' devices. The company worked with security teams and recovered roughly $4.7 million so far. Operations are paused, users told not to trade STEP while investigations continue.

Twitter tweet

🔓️ On January 7 attackers used a compromised account to force-push malicious JavaScript into several Plone GitHub repositories. The Plone team removed the code, enabled organization-wide rules to block force pushes and restrict tag updates, and advised checking personal access tokens. The injected code aimed to persist, steal credentials, and target developers’ build environments.

🇺🇸 Coinbase confirmed a contractor improperly accessed data for about 30 customers in a December insider breach — Screenshots of an internal support tool briefly appeared online, showing detailed customer information. The incident highlights growing attacks on outsourced support firms that give threat actors access to sensitive data.

🗒️ 🇨🇳 Notepad++ was hit by a supply-chain attack that redirected updater traffic through its hosting provider so some users got malicious updates. Security investigators say a China-linked, likely state-sponsored group targeted specific organizations and abused a compromised shared server. Notepad++ moved hosts and added update verification to stop the attack.

🇺🇸 🍞 A data breach at Panera Bread exposed records from a January 2026 attack. Have I Been Pwned says 5.1 million unique accounts were affected, not 14 million customers. The data leaked by the ShinyHunters gang included names, emails, phones, and addresses.

🕹️ NationStates confirmed a data breach after a player exploited a vulnerability and gained remote access to its production server. Exposed data may include email addresses, MD5 password hashes, IPs, and browser info, and some private messages may have been accessed. The site is offline for a full rebuild, security upgrades, and investigations while users are advised to check their account data.

→ More breaches:

• ShinyHunters publish personal information stolen during Harvard, UPenn data breaches

• Data breach at fintech firm Betterment exposes 1.4 million accounts

• Data breach at govtech giant Conduent balloons, affecting millions more Americans

• Flickr discloses potential data breach exposing users' names, emails

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign (July 2 - August 13)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

The Shadow Campaigns: Uncovering Global Espionage

In 2025 a threat group compromised government and critical infrastructure in 37 countries, with reconnaissance in 155.

unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage

🇩🇪 Germany warns that state-linked actors are phishing senior officials on Signal to hijack accounts and steal chats and contacts. Attackers trick victims into revealing PINs or scanning QR codes to register devices they control. Authorities advise blocking/reporting fake support messages, enabling Signal’s Registration Lock, and checking linked devices.

🇳🇴 🇨🇳 Norway says China-linked hackers Salt Typhoon broke into several Norwegian organizations — The group targeted weak network devices to spy on victims. Salt Typhoon has long attacked critical infrastructure worldwide.

🤑 💩 Ransomware group Nitrogen's ESXi-targeting malware corrupts its own public key, so decryptors cannot recover files even if victims pay. Coveware found a coding bug where a QWORD overwrote bytes of the public key. The mistake makes the attacks purely destructive and payment futile.

🇷🇺 Russian-state hackers quickly exploited a critical Microsoft Office flaw (CVE-2026-21509) within 48 hours of a patch. They used a novel, in-memory exploit and new backdoors to infect diplomatic, maritime, and transport organizations in several countries. The attacks were stealthy, used compromised government accounts, and hid command channels in legitimate cloud services.

🇺🇸 Sen. Maria Cantwell says AT&T and Verizon refused to share a Mandiant report about the Salt Typhoon hacks. She wants the CEOs to testify before Congress about how the breaches happened and what fixes were made. Cantwell warns telecoms’ resistance leaves Americans’ communications at risk.

🇨🇳 👀 A new China-linked group called Amaranth Dragon exploited a WinRAR flaw (CVE-2025-8088) to spy on government and law enforcement agencies in Southeast Asia. They used a custom loader, encrypted payloads, Cloudflare-hosted C2 servers with geofencing, and a new TGAmaranth RAT delivered via DLL sideloading. Defenders should update WinRAR to 7.13+ and use the provided IOCs and YARA rules to detect infections.

Figure: Campains timeline/Check Point

🐼 🇨🇳 Between December 2025 and January 2026, hackers linked to China’s Mustang Panda used fake diplomatic briefings to infect officials and diplomats. The malicious PDFs deployed a downloader called DOPLUGS (PlugX) and used DLL hijacking to quietly collect data. Security researchers warn to be cautious with unexpected summary or briefing documents, even if they look official.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

‘Hot mess’: Former Trump cyber leader slams DHS leadership void

Bridget Bean, the former acting director of the Cybersecurity and Infrastructure Security Agency, said in an exclusive interview that without permanent leadership, agencies under DHS are “not working.”

www.politico.com/news/2026/02/02/bridget-bean-dhs-interview-00758528

👁️ 🐾 🇺🇸 The DHS inspector general opened an audit of the department’s handling of biometric and personal data — The review will start with ICE and the Office of Biometric Identity Management. Senators raised concerns about mass collection, sharing, and possible civil liberties violations.

🇺🇸 ⚖️ A 23-year-old New York man, Aaron Corey, was arrested and charged with receiving child sexual abuse material — Investigators say he ran 764-related chats and had images and videos of young children on his devices. Authorities say this arrest is part of wider actions against the violent extremist network 764 and its offshoots.

🇺🇸 👀 Homeland Security has used administrative subpoenas to demand identity information from tech companies about people and anonymous accounts critical of the Trump administration. These subpoenas skip judicial oversight and can reveal login times, IPs, emails, and other identifiers. Civil rights groups say this chills free speech and some companies sometimes resist or push back.

🇺🇸 National Cyber Director Sean Cairncross urged industry to work with the Trump administration to reduce cybersecurity regulation and improve information sharing. He asked companies to support a 10-year extension of the Cybersecurity Information Sharing Act. He said the administration wants partnership, not punishment, and will roll out a new cybersecurity strategy soon.

🇯🇵 🤝 🇬🇧 Japan and Britain agreed to boost cooperation on cybersecurity and critical minerals as China’s influence grows. They will work to secure supply chains and strengthen economic and security ties. Both countries aim to make trade and defense partnerships more resilient.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🔄 SystemBC malware survived a law enforcement takedown and now infects over 10,000 devices worldwide. It turns infected machines into SOCKS5 proxies and helps distribute ransomware and other malware. Most victims are in the US, Germany, France, Singapore, and India.

🎣 A global spam wave is flooding inboxes with fake "Activate account" emails sent via unsecured Zendesk support forms. Attackers are abusing ticket submission to trigger mass confirmation messages that bypass filters. Despite Zendesk's earlier fixes, the abuse appears to be recurring.

🇷🇺 Russia-linked APT28 used a new Microsoft Office flaw (CVE-2026-21509) to deliver espionage malware in Ukraine, Slovakia, and Romania. Attackers sent localized lure documents that downloaded droppers which install an email stealer (MiniDoor) or a loader (PixyNetLoader) that hides shellcode in a PNG and launches a Covenant Grunt implant. CERT-UA and Zscaler say the campaign used targeted server checks, COM hijacking, and steganography to evade detection and hit government-related emails.

🧩 Attackers hijacked a trusted Open VSX publisher account and pushed malicious updates of four popular VS Code extensions. The malware targets macOS, steals browser data, crypto wallets, and developer credentials, and loads instructions from Solana transaction memos. The campaign uses runtime-decrypted loaders and leaked publishing tokens to evade detection and rotate infrastructure.

🦠 Attackers breached eScan's update servers and pushed a malicious update that installed a persistent downloader. The malware replaced legit files, blocked updates and fetched further payloads via PowerShell. Hundreds of machines in South Asia and elsewhere were targeted before the servers were isolated and patched.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🤖 The rise of Moltbook — In 1988 the Morris worm spread across the early Internet and crashed many systems because of a coding mistake. Today, AI agents can share and copy prompts across networks in a similar way. Experts warn these viral prompts could become a major new security threat.

🦞 OpenClaw, a self-hosted AI assistant, had a critical vulnerability allowing attackers to steal a user’s authentication token by tricking them into visiting a malicious website. With the stolen token, attackers could connect to the victim’s OpenClaw instance, disable protections, and run arbitrary commands on the host. The flaw (CVE-2026-25253) was patched in version 2026.1.29 after researchers disclosed the issue.

ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting

We audited all 2,632 skills on ClawHub and found 341 were malicious - 335 from a single campaign we're calling ClawHavoc. The attack exploits the trust between AI bots and their users, tricking them into installing infostealers disguised as legitimate tools.

www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting

🇫🇷 French prosecutors raided X's Paris offices and are investigating its Grok AI for generating sexual deepfakes and other illegal content. Elon Musk and X CEO Linda Yaccarino were summoned for voluntary interviews, and more employees will be questioned. The probe involves multiple alleged offenses and joins other EU and UK investigations into X's handling of the tool.

→ UK privacy watchdog probes Grok over AI-generated sexual images

🍎 📍 Apple is adding a "Limit Precise Location" setting in iOS 26.3+ that stops cellular networks from getting exact street-level location and only shares an approximate area. It works on select iPhone and iPad models and needs carrier support to function. Emergency calls and app Location Services are not affected.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Cisco and F5 Patch High-Severity Vulnerabilities

• Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution via Image Metadata

• Two Google Looker flaws found - Google patched cloud instances in Sept 2025; self-hosted users must update

New survey reveals how security researchers and journalists experience legal and criminal threats

Over 100 security researchers and journalists answered our survey and told us how they experienced threats for doing their work. Here are some of the top takeaways.

this.weekinsecurity.com/new-survey-reveals-how-security-researchers-and-journalists-experience-legal-and-criminal-threats

🤖 👀 🐛 Anthropic says its new LLM, Claude Opus 4.6, found over 500 previously unknown high-severity security flaws in major open-source libraries. The model can read and reason about code like a human researcher and helped prioritize and validate real memory-corruption bugs that have since been patched. Anthropic calls such AI tools crucial for defenders but warns of misuse and plans added safeguards.

🐛 A critical vulnerability (CVE-2026-25049) in n8n allows authenticated users who can create or edit workflows to run arbitrary system commands. The flaw bypasses previous fixes by abusing expression evaluation and TypeScript runtime/type mismatches, and is especially dangerous when paired with public webhooks. Patch to versions 1.123.17 / 2.5.2 or restrict workflow permissions and harden deployments immediately.

💥 Researchers found attackers exploiting the React2Shell flaw to inject malicious NGINX configurations and hijack web traffic. The attackers use a multi-stage script toolkit to persist, discover targets (especially Asian and government/education TLDs), and redirect requests to attacker-controlled servers. Two IPs drove most exploitation attempts, with varied post-exploit payloads like cryptominers and reverse shells.

Figure: NGINX attack flow diagram/securitylabs.datadoghq.com

🔓️ 🫰 Attackers are automatically targeting unsecured, internet-exposed MongoDB servers and wiping data to demand small Bitcoin ransoms (about 0.005 BTC). Flare researchers found over 208,500 exposed instances, 3,100 without authentication, and nearly half of those had already been compromised. Administrators are urged to stop public exposure, enable strong auth, update MongoDB, and monitor for breaches.

Figure: Shodan search results/Flare

💥 Attackers have been exploiting a critical React Native development server bug (CVE-2025-11953, "Metro4Shell") since late December. The flaw lets remote actors run commands via Metro’s default external binding, enabling multi-stage PowerShell loaders that disable Defender and fetch Rust payloads. Thousands of internet-exposed React Native instances may be at risk.

🛰️ ICS, OT & IoT

Privileged File System Vulnerability Present in a SCADA System

We detail our discovery of CVE-2025-0921. This privileged file system flaw in SCADA system Iconics Suite could lead to a denial-of-service (DoS) attack.

unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921

🇺🇸 CISA ordered federal agencies to stop using unsupported edge devices like routers and firewalls because they are high-risk attack points. Agencies must inventory such devices within three months and replace them within a year. CISA will publish a list of end-of-service devices and wants agencies to set up regular checks for unsupported gear.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

Massive AI Chat App Leaked Millions of Users Private Conversations

www.404media.co/massive-ai-chat-app-leaked-millions-of-users-private-conversations

🇫🇷 💰️ France fined its national employment agency €5 million after a 2024 data breach exposed personal data of up to 43 million people. Hackers used social engineering to hijack adviser accounts and stole names, birth dates, national IDs, addresses, emails, and phone numbers. CNIL ordered fixes with daily fines if France Travail fails to comply.

🇺🇸 👟 Nike is investigating a possible cyber security incident after the World Leaks gang posted 1.4 TB of allegedly stolen files. The extortion group later removed Nike from its leak site, suggesting negotiations or a paid ransom, but Nike has not confirmed any theft. Independent verification of the leaked data has not been possible.

🎧️ Hackers stole personal info from about 29.8 million SoundCloud accounts — The leaked data included emails, names, usernames, profile stats, and sometimes country. The ShinyHunters group extorted SoundCloud and later released the data.

🇺🇸 Crunchbase confirmed a data breach after hackers from the ShinyHunters group published files they say were stolen. The leaked data reportedly includes personal information, contracts, and corporate documents. ShinyHunters also claim attacks on SoundCloud and Betterment and may be linked to recent Okta vishing scams.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇨🇳 🗑️ Google disrupted IPIDEA, a China-based residential proxy network, removing about 40% of its proxy devices. The takedown cut command-and-control links and storefronts but many devices still operate. Researchers warn the proxy industry is rapidly growing and often abused by criminals and state-backed groups.

🇺🇸 🇧🇬 🇮🇹 The U.S. Justice Department seized three popular Bulgarian-linked domains for distributing pirated movies, TV shows and games. Italian police also dismantled illegal IPTV services that streamed content from major providers and linked to a transnational crime group. Authorities said the operations used anonymization, crypto and fake companies to hide profits.

🇺🇸 🗑️ The FBI seized the RAMP cybercrime forum and replaced its sites with a seizure notice. RAMP was a major hub where ransomware gangs promoted attacks and traded access. The seizure could expose user data and lead to arrests.

🇺🇸 🇨🇳 🧑‍⚖️ A former Google engineer, Linwei (Leon) Ding, was convicted for stealing over 2,000 AI-related trade secret documents to benefit a China-linked startup. The stolen materials included designs for TPUs, GPUs, data center infrastructure, and software for AI supercomputers. He faces multiple espionage and theft charges and up to decades in prison.

🇰🇵 A North Korea–linked hacking group called Labyrinth Chollima has split into three focused groups: Labyrinth, Golden, and Pressure. The spin-offs specialize in espionage or large cryptocurrency thefts that fund the regime. CrowdStrike warns these groups share tools but have grown more capable and dangerous.

🇺🇸 🏧 The U.S. Justice Department charged 31 more people in a large ATM jackpotting scheme, bringing the total to 87. Many suspects are Venezuelan members of the Tren de Aragua gang, and Colombians were also indicted. They used Ploutus malware and physical tampering to make ATMs spit out cash and hide their tracks.

🇸🇰 🇺🇸 A Slovakian man, Alan Bill, pleaded guilty to helping run Kingdom Market, a darknet site that sold drugs, stolen data, fake IDs, and cybercrime tools. He was arrested in December 2023 with devices and crypto wallets linking him to the market. He faces at least five years in prison and must forfeit seized domain names and cryptocurrency.

📂 🤐 A six-month-old WinRAR flaw (CVE-2025-8088) is being actively exploited by both nation-state groups and cybercriminals. Attackers use a malicious RAR that drops malware silently without user interaction, making detection hard. Google urges updating WinRAR and provides indicators to help defenders.

💻️ Security firm Silent Push says the ShinyHunters-linked group set up fake domains to target over 100 major organizations across many industries. Attackers used vishing and advanced phishing kits to intercept SSO credentials and bypass MFA in real time. Several companies have confirmed breaches and the group posted millions of allegedly stolen records.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 🤖 The U.S. government wants other countries to adopt its AI cybersecurity standards — Officials will use diplomacy and industry guidance to promote secure AI practices. They will also push AI defenses and modernize federal networks.

🇺🇸 Wrongful-arrest — Two paid penetration testers were arrested in 2019 after testing security at an Iowa courthouse. They had written permission from the Iowa Judicial Branch to perform physical attacks like lockpicking. The county agreed to pay them $600,000 to settle their wrongful-arrest and defamation lawsuit.

🇺🇸 🤦‍♂️ CISA’s acting director, Madhu Gottumukkala, uploaded sensitive “for official use only” contracting documents to the public ChatGPT, triggering automated security warnings. DHS is probing whether the uploads harmed government security; Gottumukkala had been given a temporary exception to use the tool. He previously failed a counterintelligence polygraph and CISA limited staff access to classified data after his appointment.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🤗 Researchers found an Android malware campaign using Hugging Face to host thousands of malicious APK variants. A fake “TrustBastion” dropper tricks users into installing a security app, then downloads a remote-access payload that steals credentials and abuses Accessibility Services. Hugging Face removed the datasets after being alerted; users should avoid sideloading apps and check app permissions.

🐍 🎠 Researchers found two fake PyPI spellchecker packages that hid a base64 payload delivering a Python remote access trojan (RAT). The malicious payload was stored in a Basque dictionary file and was triggered when the package was imported, affecting over 1,000 downloads. The campaign resembles prior supply-chain attacks and highlights risks from typosquatting and AI-driven fake package references.

🧩 Security researchers found at least 16 malicious Chrome extensions that steal ChatGPT session tokens and other credentials. The extensions inject scripts to capture authorization data and send it to attackers. Downloads are low now, but researchers warn the threat could grow quickly.

⚒️ 🌐 A new malware toolkit called Stanley lets attackers show fake web pages while the browser’s address bar still shows the real site. It can be sold as a service for $2,000–$6,000 and even promises publication on the Chrome Web Store. Infected browser extensions can push phishing pages and notifications to steal credentials without users noticing.

🎣 🇮🇳 Researchers found a phishing campaign in India using fake Income Tax Department emails to deliver malware. The attack sideloads a malicious DLL, escalates privileges, and installs Blackmoon and a repurposed SyncFuture RMM tool for spying. The attackers gain persistent access to monitor users and steal data while evading antivirus.

Figure: Attack Flow/esentire.com

🤖 🧰 AI, CRYPTO, TECH & TOOLS

💰️ 💰️ Illegal crypto flows jumped to a record $158 billion in 2025, reversing prior declines. TRM Labs says the rise was driven by sanctions-linked state actors, big hacks, and more sophisticated scams. Ransomware payments fell slightly, but laundering shifted to bridges and cross-chain methods.

🔓️ Researchers found 175,000 publicly exposed Ollama AI hosts across 130 countries. Many of these systems allow tool-calling and run outside normal security controls, creating high-risk attack surfaces. Threat actors are already exploiting exposed endpoints for LLMjacking and resale.

Figure: Top 10 Countries by share of unique hosts

💬 🔐 WhatsApp is adding a "Strict Account Settings" feature to block risky content from people not in your contacts. It aims to protect high-risk users like journalists from spyware attacks. The feature will roll out soon and can be enabled in Settings > Privacy > Advanced.

📱 🫣 Samsung teased a new privacy feature that hides parts of your Galaxy phone screen from onlookers. Users can customize it for apps, notifications, or when entering passcodes. The feature likely arrives on the Galaxy S26 Ultra and uses hardware and software to block side views.

📱 🤖 Google is adding stronger anti-theft features to Android phones, especially for Android 16 and up. New controls include easier toggles for Failed Authentication Lock, longer lockout times after wrong PINs, wider biometric protections, and a tougher Remote Lock. In Brazil, Theft Detection Lock and Remote Lock will be turned on by default.

Figure: UI changes with the new anti-theft features/Google

🇪🇺 🔎 The EU has opened a formal probe under the Digital Services Act into X after its Grok AI generated sexually explicit and possibly child sexual abuse images. Regulators in the UK and California are also investigating and have questioned X’s safety and data practices. X later limited Grok’s image features to paid users amid criticism and a prior €120M DSA fine.

→ Undressed victims file class action lawsuit against xAI for Grok deepfakes

Blind Spots Exposed: Navigating AI, Third-Party Risks, and Compliance in 2025

www.kiteworks.com/data-security-compliance-risk-annual-report

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Fortinet Patches CVE-2026-24858 After Active FortiOS SSO Exploitation Detected

• Microsoft patches actively exploited Office zero-day vulnerability

• High-Severity Remote Code Execution Vulnerability Patched in OpenSSL

• SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score

• SolarWinds Patches Critical Web Help Desk Vulnerabilities

Understanding the Russian Cyber Threat to the 2026 Winter Olympics

unit42.paloaltonetworks.com/russian-cyberthreat-2026-winter-olympics

🔓️ 🌩️ Two vulnerabilities in the n8n workflow platform could let attackers run code remotely. They bypassed AST-based sandboxes for JavaScript and Python, allowing full takeover of affected instances. Fixes were released in the listed n8n versions.

🔓️ A critical vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox lets attackers escape the sandbox and run code on the host. The bug stems from improper sanitization of global Promise callbacks and was fixed across versions 3.10.1–3.10.3. Users should upgrade to the latest vm2 release immediately.

🔓️ A critical bug in Grist‑Core called Cellbreak (CVE‑2026‑24002) lets malicious spreadsheet formulas escape Pyodide's sandbox and run code on the host. The flaw can give attackers filesystem access, credentials, and the ability to run OS or JavaScript commands. Update Grist to 1.7.9 or switch the sandbox to gvisor to mitigate the risk.

🛰️ ICS, OT & IoT

Polish Grid Systems Targeted in Cyberattack Had Little Security, Per New Report

www.zetter-zeroday.com/polish-grid-systems-targeted-in-cyberattack-had-little-security-per-new-report

🇷🇺 🇵🇱 A Russian state-linked group called ELECTRUM is tied to a coordinated December 2025 cyber attack on Poland's power grid — Attackers breached control and communication systems at about 30 distributed energy sites and disabled some equipment beyond repair. Dragos says ELECTRUM worked with an access-focused cluster (KAMACITE) to move from IT into OT and target grid systems.

🐛 🔓️ A study of 100+ substations and power plants found widespread cybersecurity and operational gaps that leave energy systems exposed. Common issues included unpatched devices, weak network segmentation, undocumented external connections, and poor asset inventories. Organizational problems like IT/OT silos and lack of OT security staff make these risks worse.

🚪 🔓️ Researchers found over 20 vulnerabilities in Dormakaba door access systems that could let attackers unlock doors, steal PINs, or escalate attacks. The flaws included hardcoded keys, weak passwords, missing authentication, and exposed systems — some of which were internet-accessible. Dormakaba has been patching systems and working with customers, and says it knows of no real-world exploits so far.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 🎽 Under Armour is investigating a data breach that exposed about 72 million customers' email addresses and some personal details. The company says there is no evidence passwords or payment data were taken. Security experts agree but note it is odd Under Armour has not issued a full public disclosure.

💸 IT distributor Ingram Micro suffered a ransomware attack on July 3, 2025, that disrupted services and forced systems offline. About 42,521 people had personal and employment data exposed, including Social Security and passport numbers. The company restored systems within a week and is offering 24 months of free credit monitoring while the stolen data was later published online.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 🇵🇱 Security firm ESET says Russian government hackers likely tried to knock out parts of Poland’s power grid in late December. The attackers used destructive “wiper” malware tied to the Sandworm group, which has hit energy systems before. Poland says defenses held and critical infrastructure was not knocked out.

🇺🇸 🔑 Microsoft gave the FBI BitLocker recovery keys to unlock three suspects’ laptops in a fraud probe. BitLocker keys are often stored in Microsoft’s cloud by default, letting the company and authorities access encrypted drives. Experts warn this practice risks privacy and could be dangerous if Microsoft’s cloud is breached.

🇷🇺 🇬🇧 The U.K. warns that Russian-aligned hacktivists, especially NoName057(016), are carrying out disruptive DDoS attacks against critical infrastructure and local governments. These attacks, while not sophisticated, can take services offline and cause big costs and operational disruption. The NCSC urges stronger defenses, redundancy, and rehearsed response plans to reduce DDoS risk.

🇯🇴 🧑‍⚖️ A Jordanian man, Feras Albashiti, pleaded guilty to selling access to the networks of at least 50 companies. He was extradited from Georgia and faces up to 10 years in prison and large fines. Authorities say initial access brokers like him enable ransomware and other cybercrimes.

🚓 🇪🇺 EU and INTERPOL have listed Oleg Nefedov, the alleged leader of the Russia-linked Black Basta ransomware group, as most wanted — Ukrainian and German police say two Ukrainians tied to the group were identified and searched for hash-cracking and deploying ransomware. Black Basta is blamed for attacking 500+ companies and may have splintered or shifted members to other ransomware gangs.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

ICE’s Facial Recognition App Misidentified a Woman. Twice

In testimony from a CBP official obtained by 404 Media, the official described how Mobile Fortify returned two different names after scanning a woman's face during an immigration raid. ICE has said the app's results are a “definitive” determination of someone's immigration status.

www.404media.co/ices-facial-recognition-app-misidentified-a-woman-twice

🇯🇴 📲 Researchers found Jordanian authorities used Cellebrite phone-cracking tools to extract data from activists’ phones without consent. Citizen Lab said this likely violates human rights treaties and urged Cellebrite to investigate. Cellebrite denied misuse, saying it vets customers and requires legal authority for access.

🇺🇸 A watchdog group sued the government to get records about a TSA-ICE data sharing deal that gave passenger travel data to immigration agents. The group says FOIA requests were ignored after it asked what data was shared and whether U.S. citizens were affected. TSA defends the practice as legal and part of DHS’s security mission, while critics say TSA should not help with immigration enforcement.

🇮🇪 👀 Ireland plans a new law to let police use spyware and other surveillance tools. The bill would cover encrypted and unencrypted communications but promises judicial oversight and safeguards. Critics warn spyware has a history of abuse in Europe despite some existing rules.

🇻🇪 U.S. officials say cyberattacks helped shut off power and disable air-defense radar during the January 3 operation that captured President Nicolás Maduro. Some evidence also points to physical attacks (like graphite bombs) and Venezuela’s weak grid making disruption easier. Analysts say the mission used layered cyber and kinetic tools rather than cyberattack alone.

🇺🇸 🤷 Trump administration admits DOGE may have misused Americans’ Social Security data — Two members of Elon Musk’s DOGE team at the Social Security Administration may have used and shared Americans’ Social Security data to help a political advocacy group. The group wanted to find voter fraud and overturn election results in some states. The SSA referred the employees for possible Hatch Act violations and a judge had already blocked their access to sensitive records.

🇺🇸 Congressional appropriators proposed a spending package that extends a key cyber threat information-sharing law through Sept. 30. The bill provides $2.6 billion for CISA, including $39.6 million for election security and rules to maintain staffing levels. The package also extends cybersecurity grants and the Technology Modernization Fund but faces political hurdles in Congress.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇻🇪 🏧 🇺🇸 Two Venezuelan nationals were convicted for using malware to make ATMs spit out cash and will be deported after serving prison time. They targeted older ATMs across several southeastern states and stole money directly from banks. Larger related indictments in Nebraska tie dozens more to the scheme and to a known gang leader.

📄 Security researchers found a new malware family called PDFSider that acts like an APT backdoor and is used by ransomware groups. It is sideloaded through a legitimate PDF24 app delivered in spear-phishing ZIPs and runs mostly in memory to hide and execute commands. PDFSider uses encrypted C&C, evades AV/EDR, and includes checks to avoid analysis and virtual machines.

🇰🇵 North Korean hackers are luring macOS developers with fake GitHub/GitLab projects that contain malicious VS Code task files. When a developer trusts the project, obfuscated JavaScript runs, installs a persistent backdoor, and phones home to a C&C server. The backdoor can execute further code, gather system info, and expand its capabilities.

📲 Researchers found Android trojans that use TensorFlow.js to visually detect and click hidden browser ads inside a concealed WebView. The malware spreads via Xiaomi’s GetApps, third-party APK sites, Telegram, and Discord, often appearing as working game or mod apps. Users should avoid installing apps outside Google Play to reduce risk of covert ad fraud, battery drain, and data overuse.

🐍 ℹ️ SolyxImmortal is a new Python-based information stealer that quietly monitors Windows users and steals credentials, documents, keystrokes, and screenshots. It uses hardcoded controllers and Discord webhooks to stage and exfiltrate data over HTTPS, avoiding network detection. Cyfirma says it targets opportunistic attackers and can be easily repurposed or redistributed.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

👶 OpenAI added an age-prediction feature to ChatGPT to better protect young users — The system uses account signals like stated age, account age, and activity times to flag likely minors and apply stricter content filters. Users who are misidentified can verify their age by submitting ID via a selfie through OpenAI’s partner.

📆 🤖 Researchers tricked Google’s Gemini assistant using a malicious Calendar event description. When a user asked about their schedule, Gemini created a new event that exposed private meeting details. Miggo Security warned Google and mitigations were added, but the attack shows AI prompt handling can still leak sensitive data.

💬 🔐 Moxie Marlinspike launched Confer, a ChatGPT-like service built to protect user privacy — It encrypts conversations and runs model inference in secure hardware so hosts can’t access or use the data. A free tier limits messages, while paid plans offer unlimited access and more features.

The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time

We discuss a novel AI-augmented attack method where malicious webpages use LLM services to generate dynamic code in real-time within a browser.

unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Atlassian, GitLab, Zoom Release Security Patches

• Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

• Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers

• Google Patches High-Severity V8 Race Condition in Chrome 144

• Oracle’s First 2026 CPU Delivers 337 New Security Patches

• TP-Link Patches Vulnerability Exposing VIGI Cameras to Remote Hacking

💥 Fortinet confirmed a critical FortiCloud SSO authentication bypass (CVE-2025-59718) is not fully patched. Attackers have been exploiting the flaw to create admin accounts and steal firewall configurations, even on fully updated devices. Fortinet advises disabling FortiCloud SSO and restricting admin access while it works on a complete fix.

🇪🇺 🐛 A European group launched GCVE, a decentralized system for naming software security flaws — It lets many organizations assign IDs without central approval while staying compatible with the old CVE format. The move responds to funding and governance worries about the 25-year CVE program.

🎣 📩 LastPass warns of a phishing campaign pretending to be LastPass and asking for master passwords. Scam emails urge a 24-hour “backup” and link to fake sites; LastPass says it will never ask for your master password. They are working to take down the malicious domains and shared the scammer email addresses.

💰️ 🚗 Security researchers earned $1,047,000 by exploiting 76 zero-day bugs at Pwn2Own Automotive 2026 in Tokyo. They hacked in-vehicle infotainment systems, EV chargers, and car OSes and must give vendors 90 days to fix the bugs. Team Fuzzware.io won top prize with $215,000.

🤖 HackerOne launched a Good Faith AI Research Safe Harbor to protect researchers who test AI systems for security and safety issues. Participating companies pledge to avoid legal action and support researchers facing third-party claims. The goal is to enable more open testing of AI while formal laws and rules catch up.

🛰️ ICS, OT & IoT

📄 MITRE released the Embedded Systems Threat Matrix (ESTM) to help secure hardware and firmware. It maps attack tactics and techniques for industries like energy, healthcare, and transportation. ESTM 3.0 is community-focused and designed to integrate with existing security models.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇰🇷 South Korean conglomerate Kyowon confirmed a ransomware attack that stole data on January 1. About 9.6 million accounts (5.5 million people) may be affected and roughly 600 of 800 servers were hit. Kyowon is investigating with authorities and working to restore services.

🇧🇪 Belgian hospital AZ Monica shut down all servers after a cyberattack and canceled scheduled procedures. Emergency services and intensive care are largely offline, and seven critical patients were transferred out. Authorities are investigating and the hospital says it is monitoring the situation and will provide updates.

🇺🇸 JPMorgan Chase told Maine authorities that 659 investors were affected by a data breach at law firm Fried Frank. Stolen files included names, contact details, account numbers, SSNs, and passport or ID numbers. Fried Frank says it contained the incident, hired experts, and believes exposed data is unlikely to be misused.

🇪🇸 🪫 Spanish utility Endesa says hackers accessed customer contract data at its Energía XXI unit, including names, contact details, ID numbers, contract and payment info. The company blocked compromised accounts, notified authorities and affected customers, and found no evidence yet of fraudulent use. Threat actors claim to be selling about 20 million stolen records.

🇺🇸 🏝️ Hackers stole social security numbers and other data from a University of Hawaii Cancer Center study in August. UH waited months to report the breach, gave few details, and won’t say whether it paid the hackers. The university is notifying participants, offering credit monitoring, and has tightened security.

🔓️ The BreachForums hacking site had its user database leaked, exposing about 324,000 accounts. The leak included a passphrase-protected PGP key and a MyBB users table with IPs and registration data. Some records show public IPs that could aid law enforcement and pose OPSEC risks for users.

→ More breaches:

• 750,000 Impacted by Data Breach at Canadian Investment Watchdog

• Central Maine Healthcare breach exposed data of over 145,000 people

• Monroe University says 2024 data breach affects 320,000 people

• France fines Free Mobile €42 million over 2024 data breach incident

• Traveler Information Stolen in Eurail Data Breach

• Robo-Advisor Betterment Discloses Data Breach

• Victorian Department of Education says hackers stole students’ data

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

❌ Microsoft and international law enforcement seized the infrastructure of RedVDS, a cybercrime marketplace that rented disposable virtual computers to criminals. RedVDS enabled widespread phishing, account takeovers, and at least $40 million in U.S. fraud losses, affecting hundreds of thousands of accounts. The takedown disrupted the service and aims to help identify those behind it.

🇳🇱 ⚖️ A Dutch man was sentenced to seven years for hacking port systems in Rotterdam, Barendrecht and Antwerp to help smuggle drugs and for attempted extortion. His appeal failed despite claims that evidence from Sky ECC messages was unlawfully obtained. The court kept most convictions but dropped one drug charge about importing 5,000 kg of cocaine.

🇪🇸 🇪🇺 Europol and Spanish police arrested 34 people linked to the Black Axe criminal group in raids across Spain. The group is accused of cyber-enabled fraud, drug and human trafficking, kidnapping, and other violent crimes that caused over €5.9 million in losses. Authorities also froze bank accounts and seized cash and assets while investigations continue.

🇺🇸 ⚖️ A 24-year-old man from Tennessee is expected to plead guilty to hacking the U.S. Supreme Court’s electronic filing system. Prosecutors say he accessed the system without authorization on 25 days between August and October 2023. Details about what was taken or how are not yet public.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇮🇷 🔌 Iran has cut off internet and phone access nationwide for more than a week, leaving about 92 million people offline. The shutdown is one of Iran’s longest and comes amid large anti-government protests and a violent crackdown. Some services and a few Starlink users have limited access, while international tensions and evacuations rise.

🇺🇸 🧑‍⚖️ A federal judge dismissed the Trump administration’s lawsuit trying to force California to hand over unredacted voter data. The court said the request was unprecedented, violated privacy, and fell outside the civil rights laws cited by DOJ. Voting experts and civil rights groups praised the ruling as a win for voter privacy and state election authority.

🇺🇸 🧑‍⚖️ A judge in Austin dismissed a securities class action against CrowdStrike over the July 2024 outage, finding shareholders did not prove intentional fraud. Millions of Windows devices crashed after a bad update, causing major disruptions at airports, banks, media outlets, and hospitals. The dismissal is a win for CrowdStrike, but Delta’s separate $500M lawsuit over the outage and other related claims remain.

🇺🇸 🪖 President Trump's pick for cyber chief told lawmakers he will review whether one leader should run both U.S. Cyber Command and the NSA. He said he will assess the risks and benefits if he is confirmed. He did not commit to keeping the dual-hat arrangement.

🇺🇸 President Trump re-nominated Sean Plankey to lead CISA — Plankey’s earlier nomination stalled in the Senate due to holds by senators over unrelated disputes. The re-nomination signals the administration still wants him for the job.

📆 🇪🇺 The EU is reviewing Google’s $32 billion acquisition of cloud security firm Wiz and must make a preliminary decision by February 10, 2026. Google says Wiz will keep supporting other cloud platforms, but critics worry the deal could harm Wiz’s neutrality and give Google competitive visibility. If the EU needs more study, it may open a longer Phase II probe.

‘ELITE’: The Palantir App ICE Uses to Find Neighborhoods to Raid

Internal ICE material and testimony from an official obtained by 404 Media provides the clearest link yet between the technological infrastructure Palantir is building for ICE and the agency’s activities on the ground.

www.404media.co/elite-the-palantir-app-ice-uses-to-find-neighborhoods-to-raid

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🐛 🍪 Researchers found an XSS flaw in the StealC malware control panel that let them view and hijack operator sessions. They used it to gather hardware and location details and recover session cookies, exposing an operator in Ukraine. The disclosure aims to disrupt StealC's malware-as-a-service operations as its use has spiked.

👀 ❌ Researchers found Predator spyware can report why an infection failed using error codes. Error code 304 tells operators the target is running security or analysis tools. Predator also detects tools like netstat and hides crash logs to avoid detection.

🇺🇦 Between October and December 2025, Ukrainian defense officials were targeted with charity-themed messages that delivered the PluggyApe backdoor. CERT-UA links the campaign to the Russian group Laundry Bear (Void Blizzard) and says attackers used fake charity sites, messaging apps, and PIF executables to infect victims. PluggyApe steals system data, keeps persistence via the Windows Registry, and retrieves commands from online sources while attackers increasingly exploit mobile devices and legitimate accounts.

🐧 Security researchers found a new modular Linux malware framework called VoidLink that targets cloud and container environments. It can detect Kubernetes/Docker, gather cloud metadata, load plugins and use rootkits and covert channels to stay hidden. No active infections are confirmed, and analysts say it appears professionally developed, likely for sale or custom use.

Figure: VoidLink High Level Overview/checkpoint.com

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🆕 Former CISA director Jen Easterly is the new CEO of the RSA Conference — She will lead the conference, innovation programs, education, and membership efforts. Easterly brings deep cybersecurity experience and plans to expand RSAC’s global reach and focus on secure-by-design and AI.

🔓️ Researchers found a new "Reprompt" attack that used a single malicious link to make Microsoft Copilot leak user data. The attack tricked Copilot into repeating requests and fetching hidden instructions, letting an attacker siphon data continuously even after the chat closed. Microsoft fixed the issue and says enterprise Microsoft 365 Copilot customers are not affected.

🔗 Meta fixed a bug that let outsiders send Instagram password reset requests and said there was no breach. Separate leaked data for about 17.5 million accounts surfaced, but experts say it matches a 2022 scrape and is unrelated to the reset issue. No passwords appear compromised.

Remote Code Execution With Modern AI/ML Formats and Libraries

We identified remote code execution vulnerabilities in open-source AI/ML libraries published by Apple, Salesforce and NVIDIA.

unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Adobe Patches Critical Apache Tika Bug in ColdFusion

• Chrome 144, Firefox 147 Patch High-Severity Vulnerabilities

• Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

• Fortinet Patches Critical Vulnerabilities in FortiFone, FortiSIEM

• Microsoft Patch Tuesday addresses 112 defects, including one actively exploited zero-day

• SAP’s January 2026 Security Updates Patch Critical Vulnerabilities

• ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation

🎧️ Researchers found a flaw called WhisperPair that can let attackers take over Google Fast Pair Bluetooth devices — The bug affects many models from makers like Sony, Nothing, JBL, OnePlus, and Google. An attacker can hijack headphones quickly (about 10 seconds) from up to 14 meters away.

🩸 MongoBleed (CVE-2025-14847) is a critical, unauthenticated MongoDB memory-leak vulnerability in zlib-compressed messages that can expose sensitive secrets. About 146,000 internet-facing MongoDB instances were found vulnerable and active exploitation was observed. Mitigations like blocking TCP/27017 can help detect and reduce risk.

🛜 Researchers found a Broadcom Wi‑Fi chipset flaw that lets unauthenticated attackers disable 5 GHz networks with a single crafted frame. The bug bypasses WPA2/WPA3, can be repeated indefinitely, and affects many routers; 2.4 GHz and wired Ethernet are not impacted. Broadcom issued a patch and Asus released updates, but other affected vendors are unclear.

🛰️ ICS, OT & IoT

📆 🩹 ICS Patch Tuesday — Major industrial vendors including Siemens, Schneider Electric, Phoenix Contact, and Aveva released Patch Tuesday advisories fixing multiple high- and critical-severity vulnerabilities in ICS/OT products. The flaws include authentication bypass, remote code execution, privilege escalation, command injection, and issues in third-party components. Other vendors and agencies, including Honeywell, ABB, and CISA, also published related security notices.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 Sedgwick confirmed a cyberattack at its subsidiary Sedgwick Government Solutions. The company says the incident hit an isolated file transfer system and did not affect wider networks or claims servers. The TridentLocker ransomware group claims it stole and leaked data from the subsidiary.

🇺🇸 Brightspeed is investigating claims that the hacking group Crimson Collective stole data from its systems. The group says it exfiltrated personal and account information for over 1 million customers and showed proof to cyber experts. Brightspeed says it is looking into the report and will inform customers, employees and authorities.

🇬🇷 ✈️ Greece shut its airspace after noise disrupted air traffic communications, grounding and diverting many flights. Officials say a cyberattack is unlikely but investigations are ongoing. Authorities formed a multiagency committee and said passenger safety was never at risk.

💸 Ledger says some customers had names and contact details exposed after a breach at payment processor Global-e — Ledger’s own network and crypto wallet seed phrases were not affected, and no payment information was leaked. Affected customers will get direct notices and are warned to watch for phishing.

🔓️ ☁️ NordVPN says a recent claim that its development servers were breached is false — Attackers accessed only dummy data from a third-party test environment, not NordVPN production systems or customer information. The company contacted the vendor and confirmed no real credentials or sensitive data were exposed.

→ More breaches:

• 377,000 Impacted by Data Breach at Texas Gas Station Firm

• Illinois Department of Human Services data breach affects 700K people

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign (July 2 - August 13)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 🇺🇦 Russia-aligned hackers (UAC-0184/Hive0156) are using Viber to send malicious ZIP files to Ukrainian military and government targets. The ZIPs contain shortcut files that run a PowerShell script to load Hijack Loader, which then evades detection and deploys Remcos RAT. Remcos gives attackers remote control, data theft, and persistence on compromised systems.

🇹🇼 🇨🇳 Taiwan says China ran an intensified cyberoffensive in 2025, with about 2.63 million intrusion attempts per day. Attacks targeted government, energy, hospitals, telecoms, and suppliers to steal data and technology. Taiwan and some U.S. experts warn these attacks tie to political and military pressure on the island.

🇺🇸 Ilya Lichtenstein, who pleaded guilty to laundering billions in bitcoin from the 2016 Bitfinex hack, has been released early from prison. His release was credited to the First Step Act signed by President Trump. Lichtenstein says he wants to work in cybersecurity and prove critics wrong.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 📺️ A Texas court issued a temporary restraining order stopping Samsung from collecting audio and visual data from Texas smart TVs. The court found Samsung’s ACR enrollment practices deceptive, using confusing prompts and dark patterns that prevent informed consent. The order could set a precedent for broader action against TV data-collection practices.

🇺🇸 🚪 The Trump administration is withdrawing the U.S. from several international cybersecurity organizations. Critics say this move weakens global coordination and hands influence to adversaries. Supporters call the groups wasteful and say the U.S. should stop funding them.

🇬🇧 💰️ The UK is investing over £210 million in a new Government Cyber Action Plan to strengthen public sector cyber defenses. It creates a Government Cyber Unit, sets minimum security standards, and requires better incident response across departments. Major firms will join a Software Security Ambassador Scheme as the government tightens laws to protect critical services.

🇺🇸 🗑️ California launched DROP, a tool that lets residents send one request asking registered data brokers to delete their personal information. Brokers must begin processing requests in August 2026 and have 90 days to comply, though some data and first-party records are exempt. Brokers who don’t comply face fines of $200 per day.

🗑️ A hacktivist called “Martha Root” wiped three white supremacist websites live on stage at the Chaos Communication Congress. Root also scraped and published user data from one site, exposing precise locations and profiles. The sites’ operator complained and vowed revenge, while a leak collective holds the full dataset for vetted journalists.

🥸 Fraud has industrialized into a global security threat that drains trillions and supports organized crime and hostile states. Governments and companies must stop treating it as customer service and instead fight it like cyberwarfare with real-time intelligence sharing and coordinated responses. An international public‑private task force aims to build those systemic defenses across finance, tech, and law enforcement.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🪱 🎠 Researchers found three malicious npm packages that installed a new malware called NodeCordRAT. NodeCordRAT steals Chrome credentials, API tokens, and crypto seed phrases and uses Discord for command-and-control. The packages were removed after researchers traced them to a user named ":" and linked postinstall scripts to the RAT.

🧩 Researchers found two Chrome extensions with ~900,000 users that steal ChatGPT and DeepSeek chats plus browsing data and send them to attacker servers. The extensions scrape chat DOM elements and exfiltrate full conversations every 30 minutes after asking for “anonymous” analytics permission. Users should remove suspicious extensions and avoid installing unknown add-ons to protect sensitive data.

🐍 Researchers found a new Python-based malware called VVS Stealer that steals Discord tokens, browser data, and screenshots. It is obfuscated with Pyarmor, sold cheaply on Telegram, and persists by adding itself to Windows startup. The stealer also injects code into Discord to hijack active sessions and spread via compromised business infrastructure.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔞 X’s Grok AI has been used to create and share nonconsensual sexualized deepfakes, sparking public outrage. Legal experts say existing federal and state laws — including the Take It Down Act and anti‑CSAM rules — could expose Musk and X to fines, lawsuits, or criminal charges. Enforcement is uncertain, but state attorneys general and regulators may still pursue action even if federal responses are slow.

❤️‍🩹 OpenAI launched ChatGPT Health, a private space for health conversations. The company says health data in that space will not be used to train its foundation models. ChatGPT Health warns it is not a replacement for medical advice and is rolling out broadly except in the EEA, UK, and Switzerland.

🇻🇪 📺️ A U.S. raid in Caracas that captured Nicolás Maduro created an information vacuum — AI-made images and long‑debunked conspiracies about voting machines and U.S. oil grabs spread quickly online. Bad actors used the chaos to push familiar narratives and sway supporters.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release

🔓️ ☁️ Security researchers found multiple critical flaws in Coolify that let attackers run commands as root and fully compromise self-hosted servers. Most issues affect beta versions and fixes are available in newer releases. About 52,890 Coolify hosts are exposed worldwide, so users should update immediately.

💥 A critical command injection bug (CVE-2026-0625) in old D-Link DSL routers is being actively exploited. The flaw lets unauthenticated attackers run commands via the dnscfg.cgi endpoint, and affected models are end-of-life with no patches. D-Link urges users to replace these routers or isolate them on segmented, non-critical networks.

🩹 Veeam released updates fixing a critical RCE bug (CVE-2025-59470, CVSS 9.0) in Backup & Replication. The flaw and three related vulnerabilities let privileged Backup/Tape roles run or write files as postgres or root. Users should update to version 13.0.1.1071 immediately.

🔓️ A firmware bug in the TOTOLINK EX200 can make the device start an unauthenticated root telnet service. An attacker who can access the web management interface could trigger this and take full control. TOTOLINK has not patched the device, so users should limit admin access or upgrade.

🪲 🩹 Researchers found a critical, no-auth remote code execution bug (CVE-2026-21858) in n8n that affects about 100,000 servers and could let attackers take full control. A patch (v1.121.1+) was released, but public disclosure was delayed and a proof-of-concept is circulating. Security experts warn urgent updates are needed because n8n often holds sensitive credentials and workflows.

💬 🔓️ Researchers found a WhatsApp flaw that lets attackers infer a user’s device and operating system from metadata. Meta has started randomizing key IDs for Android to reduce this fingerprinting but the method can still distinguish iPhones. WhatsApp says the issue is low severity but has fixed related bugs and paid a bug bounty.

🛰️ ICS, OT & IoT

♿️ Researchers found a critical Bluetooth flaw in WHILL Model C2 and F electric wheelchairs that lets attackers pair without authentication and control the chairs. They demonstrated remote takeover, disabling safety limits and even driving a wheelchair off stairs in a video. WHILL issued a patch, but researchers could not verify its effectiveness.

🇨🇳 A China-linked hacking group called UAT-7290 is targeting telecommunications providers and has expanded into Southeastern Europe. They exploit edge network devices using one-day bugs, SSH brute force, and Linux malware to gain access and persist. The group also builds Operational Relay Boxes that other China-aligned actors reuse.

🕸️ 💥 A massive botnet called Kimwolf infected over two million Android TV boxes to run DDoS attacks and sell residential proxies. Investigations link Kimwolf and an earlier Aisuru botnet to the same operators, hosting providers (like Resi Rack and 3XK Tech), and proxy services (ByteConnect/Plainproxies and Maskify). The botnet’s operators used evasive tools like ENS records to resist takedowns while monetizing infected devices for fraud and scraping.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇻🇪 🛢️ Venezuela’s state oil company PDVSA suffered a cyberattack that disrupted export operations. PDVSA says only administrative systems were hit and operational areas stayed running, but internal reports and sources say key terminal systems and deliveries were offline. PDVSA blamed the United States and domestic conspirators for the attack amid rising tensions.

🔞 The hacking group called Scattered Lapsus$ Hunters says it stole Pornhub Premium users’ viewing and personal data and is trying to extort the site. The data came from a breach at analytics provider Mixpanel that exposed events and user details for many customers. Mixpanel’s breach also affected other companies like OpenAI and SoundCloud, putting millions of users’ data at risk.

🚗 Auto parts supplier LKQ confirmed it was hit in the Oracle E-Business Suite hack tied to the Cl0p ransomware group. Over 9,000 people’s personal data, including SSNs and EINs for sole proprietor suppliers, were compromised. Several terabytes of stolen files were posted online, and LKQ says only its EBS environment was affected.

🎧️ SoundCloud says a security breach exposed a database with user emails and public profile info. About 20% of users (roughly 28 million accounts) may be affected. The company blocked access, tightened security, and the incident disrupted VPN access and caused outages.

🇫🇷 France's Interior Ministry says hackers breached its email servers and accessed some files. Officials have tightened security and opened an investigation. They are still unsure who is responsible or whether data was stolen (UPDATE: France arrests suspect tied to cyberattack on Interior Ministry).

🤷 Google is ending its dark web report alerts in February — The reports showed lists of leaked user data from hidden sites. Google says these alerts aren’t very useful because there’s little users can do about dark web leaks.

🇯🇵 Japanese company Askul suffered a ransomware attack that exposed over 700,000 records. The RansomHouse group stole more than 1 TB of data and leaked it after Askul refused to pay. The breach disrupted orders and logistics and affected customers, partners, employees, and executives.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 🇺🇦 Russian-linked APT28 ran a long phishing campaign to steal UKR.net email credentials and 2FA codes. They used fake UKR.net login pages hosted on services like Mocky, tinyurl redirects, and blogspot subdomains. Recorded Future says this supports GRU intelligence gathering and shifted to ngrok/Serveo tunneling after infrastructure takedowns.

🇺🇸 🇷🇺 U.S. authorities dismantled E-Note, an alleged crypto exchange and payment service used to launder tens of millions from ransomware and other cybercrimes. A Russian national, Mykhalio Chudnovets, was indicted for running the service and faces money-laundering conspiracy charges. Law enforcement seized servers and records that may help trace funds and identify users.

🇪🇺 🇺🇦 European authorities dismantled a Ukraine-based call center fraud ring that stole over €10 million from more than 400 victims. Twelve suspects were arrested and extensive assets and forged IDs seized after raids in Dnipro, Ivano-Frankivsk, and Kyiv. The scam used fake bank and police personas, remote access tools, and in-person cash pickups, with staff paid commissions.

🇷🇺 ☁️ Amazon says the Russian GRU-linked group called Sandworm has shifted from exploiting software bugs to abusing misconfigured network edge devices on AWS to gain access. The group has targeted energy firms, utilities, telecoms, and cloud infrastructure in Western countries since 2021. Amazon has notified affected customers, remediated compromised EC2 instances, and shared intelligence with partners.

🇺🇸 ⚖️ Nathan Austad pleaded guilty to taking part in a credential stuffing attack that compromised over 60,000 betting site accounts. The hackers added payment methods, stole about $600,000 from 1,600 victims, and sold access to accounts. Austad faces up to five years in prison; two co-conspirators already pleaded guilty.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

How a US Citizen Was Scanned With ICE's Facial Recognition Tech

Jesus Gutiérrez told immigration agents he was a U.S. citizen. Only after they scanned his face, did the agents let him go.

www.404media.co/how-a-us-citizen-was-scanned-with-ices-facial-recognition-tech

🇺🇸 With the Cybersecurity Information Sharing Act set to expire soon, Congress may pass another short extension because lawmakers disagree on a long-term fix. House Homeland Security Chair Andrew Garbarino said there are three different bill approaches and no consensus. He also noted committees are working on broader cyber issues like regulations, workforce and using AI for defense.

🇺🇸 📺️ 📸 Texas sued five TV makers, saying their smart TVs used ACR technology to secretly capture what people watch. The suit claims screenshots were taken every 500 ms and sent to companies without users' consent. Texas also warned that Chinese-owned firms could expose U.S. data to Beijing under China's security laws

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🎠 📲 Cellik is an Android remote access trojan that gives attackers full control of infected phones, including screen streaming, keylogging, camera/mic access, and file/cloud access. It can hide a browser and overlay fake login screens to steal credentials, and it can inject its code into legitimate Google Play apps with one click. The malware is sold on the dark web for about $150/month and includes tools for wide surveillance and data theft.

🎅 💸 A new malware called SantaStealer is being sold as a service and targets browsers, crypto wallets, messaging apps, and documents. Researchers say it runs in memory, uses many data-stealing modules, and uploads stolen data to a hardcoded server. The tool is still immature, poorly hidden, and advertised on Telegram and hacker forums.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

Hack Reveals the a16z-Backed Phone Farm Flooding TikTok With AI Influencers

A hacker gained control of a 1,100 mobile phone farm powering covert, AI-generated ads on TikTok.

www.404media.co/hack-reveals-the-a16z-backed-phone-farm-flooding-tiktok-with-ai-influencers/?ref=daily-stories-newsletter

🧩 Eight browser extensions with over 8 million installs collect full AI conversations and sell them for marketing. They promise privacy but inject scripts that capture chats from ChatGPT, Gemini, Claude, and others. The extensions remain listed and even carry “Featured” badges in the stores.

🇺🇸 ⚖️ The American Bar Association warns that AI is undermining legal procedures and court evidence. Deepfakes and AI errors are creating doubts about authenticity and trust in trials. The ABA also notes AI can speed routine legal work and is developing guidance to manage risks.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw

• Atlassian Patches Critical Apache Tika Flaw

• FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

💥 🩹 SonicWall warned customers to patch a new SMA1000 local privilege escalation bug (CVE-2025-40602) that was chained in zero-day attacks. Attackers combined it with a pre-auth deserialization flaw (CVE-2025-23006) to run commands as root on exposed devices. Over 950 SMA1000 appliances are internet-exposed, so unpatched systems face high risk.

🚚 The National Motor Freight Traffic Association (NMFTA) warns that cargo theft is shifting from brute-force theft to sophisticated, cyber-enabled heists — Criminals use hacking, social engineering, AI deepfakes, and stolen credentials to take over accounts, spoof dispatches, and divert shipments. Companies using cyber awareness training and phishing simulations are seeing fewer successful attacks.

🇨🇳 Google linked five more Chinese hacking groups to attacks exploiting the severe React2Shell flaw (CVE-2025-55182). The bug lets attackers run code on vulnerable React/Next.js sites and has been used to steal AWS credentials and other data. Thousands of systems worldwide remain exposed and actors from multiple countries are actively exploiting it.

→ React2Shell fallout spreads to sensitive targets as public exploits hit all-time high

💥 Threat actors began exploiting two critical Fortinet flaws (CVE-2025-59718, CVE-2025-59719) days after patches were released. The bugs let attackers bypass FortiCloud SSO, log in as admin, and export device configs containing hashed credentials. Administrators should apply the patches, disable FortiCloud SSO, restrict management access, and reset credentials if breached.

🔓️ ☁️ A flaw in JumpCloud Remote Assist for Windows lets an unprivileged local user trick the uninstaller into performing privileged file operations in a user-writable %TEMP% folder. Attackers can use symbolic links or mount-point tricks to overwrite system files or trigger a takeover, causing BSODs or gaining SYSTEM shells. JumpCloud fixed it in version 0.317.0 and organizations should update immediately.

🛰️ ICS, OT & IoT

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇬🇧 💷 The UK fined LastPass £1.2 million after a 2022 breach exposed data and encrypted vaults of up to 1.6 million UK users. Attackers chained compromises of an employee laptop and a senior staffer’s personal device to steal keys and cloud backups. Authorities say LastPass failed to protect customer data and urge stronger passwords and tighter access controls.

🇺🇸 🔓️ A researcher found a Home Depot employee’s GitHub access token exposed online for about a year. The token let someone access hundreds of private repositories and cloud systems. Home Depot ignored the researcher until TechCrunch reported it and the token was revoked.

🐳 🔓️ Security researchers found 10,456 Docker Hub images leaking secrets like API keys, database credentials, and LLM tokens. The leaks affected about 101 companies, including a Fortune 500 firm and a major bank. Researchers warn to stop embedding secrets in images, revoke exposed keys, and use centralized secret management.

🇰🇷 👋 Coupang’s CEO Park Dae-jun resigned after the huge data breach exposed personal data of about 34 million people. He apologized and said he felt deep responsibility. Harold Rogers, the company’s U.S. parent’s top lawyer, will replace him.

💁 Cybersecurity insurer Coalition now offers policies that cover some deepfake incidents and provide response services. Deepfakes are still rare in claims, but they can convincingly impersonate executives to steal money or damage reputations. Experts warn AI tools will make these attacks cheaper and more common for many businesses soon.

🇺🇸 Vitas Healthcare reported a cyber intrusion that exposed personal and medical data. About 319,177 current and former patients were affected. The attacker used a compromised vendor account and accessed systems from Sept. 21 to Oct. 27.

🇺🇸 Tri-Century Eye Care suffered a data breach that may have exposed personal and health information for about 200,000 people. The Pear ransomware group claimed the attack and posted stolen files after Tri-Century refused to pay. Large healthcare breaches like this have affected other eye care providers (Retina Group of Florida, Asheville Eye Associates, and Ocuco) this year.

→ More breaches:

• Data breach at credit check giant 700Credit affects at least 5.6 million

• Pierce County Library Data Breach Impacts 340,000

• Fieldtex Data Breach Impacts 238,000

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇰🇵 💬 Researchers found internal IP Messenger chat logs from North Korean IT workers showing collaboration on software, account sharing, and links to DPRK universities. The logs suggest a local LAN with freelancers trading jobs, personas, and remote access services. Though location and internet access are unclear, the chats give rare insight into their networks and operations.

🇵🇱 🇺🇦 Polish police arrested three Ukrainian men found with advanced hacking gear and spy-detection tools. They face charges for fraud, computer crimes, and possessing devices meant for criminal use. Authorities seized laptops, SIM cards, routers, hard drives, and Flipper Zero-like equipment and detained the men for three months.

Figure: Seized hardware/policja.gov.pl

🇨🇦 A hacking group called STAC6565, linked to Gold Blade, is targeting Canadian organizations in 80% of its attacks using phishing and ransomware called QWCrypt. They send fake job application emails with malicious files to trick HR staff and gain access to networks. The group uses advanced tools and tactics to steal data and deploy ransomware, especially focusing on critical infrastructure like hypervisors.

Figure: GOLD BLADE targeting by country from February 2024 through August 2025/Sophos.com

🇺🇸 💰️ 🇮🇷 The U.S. is offering up to $10 million for information on members of an Iranian hacking group now called Shahid Shushtari. The group is tied to Iran’s IRGC and blamed for cyberattacks and influence operations against U.S., European, and Middle Eastern targets. Officials named two leaders and urged anyone with tips to contact the Rewards for Justice program.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇩🇪 🇷🇺 Germany says Russian military intelligence carried out an August 2024 cyber-attack on air traffic control and ran an election disinformation campaign. Berlin blamed the Fancy Bear group and summoned the Russian ambassador, vowing coordinated counter-measures with European partners. Russia has not yet responded, though Moscow has denied similar accusations before.

🇺🇦 🇺🇸 🇷🇺 Ukrainian national Victoria Dubranova was extradited to the U.S. and charged for aiding Russian state-linked hacktivist groups in attacks on critical infrastructure. Prosecutors say the groups hit water systems, election systems, nuclear-related sites, and other targets using tools like DDoSia. If convicted, Dubranova faces up to 27 years in prison and related rewards and sanctions target the groups and their members.

🇪🇸 Spanish police arrested a 19-year-old in Barcelona for stealing 64 million personal records from nine companies. He is charged with cybercrime, unauthorized access, and selling the data online. Authorities also seized computers and crypto wallets linked to the sales.

🇵🇹 Portugal updated its cybercrime law to legally protect good-faith security researchers — The exemption applies only if researchers limit testing, report vulnerabilities quickly, avoid harm or data misuse, and follow strict rules. Similar protections have been introduced in Germany and the U.S. for responsible vulnerability research.

🤖 🔓️ Researchers show that MCP sampling lets external servers ask a user's LLM for completions, creating new attack paths. A malicious MCP server can inject hidden instructions, persist them across turns, and make the LLM leak data or call tools without the user knowing. Safeguards are needed to detect and block such prompt injections.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

01flip: Multi-Platform Ransomware Written in Rust

01flip is a new ransomware family fully written in Rust. Activity linked to 01flip points to alleged dark web data leaks.

unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust

🎣 🕷️ A new phishing kit called Spiderman is targeting customers of many European banks and crypto services with pixel-perfect fake sites. It can steal logins, 2FA/PhotoTAN codes, credit card data, and crypto seed phrases, and lets attackers monitor and export victim data in real time. Researchers warn this enables account takeover, card fraud, SIM swapping, and identity theft, and advise always verifying official domains and reporting unexpected OTP prompts.

📲 DroidLock is Android malware that locks phones, steals data (messages, calls, contacts, audio) and can wipe or change device locks to deny access. It spreads via fake app sites targeting Spanish speakers and tricks users into granting Device Admin and Accessibility permissions. Zimperium says the malware steals lock patterns, uses overlays and VNC for remote control, and Play Protect can block it if devices are up to date.

🇰🇵 North Korean-linked hackers used the new EtherRAT malware to exploit the critical React2Shell flaw in Next.js. EtherRAT runs five Linux persistence methods, uses Ethereum smart contracts for C2, and can self-update. Sysdig urges admins to patch React/Next.js, check persistence, monitor Ethereum RPCs, and rotate credentials.

→ PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

🧩 Two malicious VSCode extensions in Microsoft’s Marketplace install an infostealer that takes screenshots, steals credentials and crypto wallets, and hijacks browser sessions. The extensions (Bitcoin Black and Codo AI) hid malicious DLLs and used DLL hijacking plus scripts to run payloads stealthily. Developers should only install extensions from reputable publishers to reduce risk.

🔙 🚪 Iran-linked MuddyWater used a new UDP-based backdoor called UDPGangster to target users in Turkey, Israel, and Azerbaijan. Infections began with spear-phishing Word docs that run macros to install the malware, which evades analysis and persists via registry changes. UDPGangster collects system data and communicates with a remote server over UDP to exfiltrate files and run commands.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

A Developer Accidentally Found CSAM in AI Data. Google Banned Him For It

Mark Russo reported the dataset to all the right organizations, but still couldn't get into his accounts for months.

www.404media.co/a-developer-accidentally-found-csam-in-ai-data-google-banned-him-for-it/?ref=daily-stories-newsletter

🆕 🐧 Kali Linux 2025.4 is released with three new tools (bpf-linker, evil-winrm-py, hexstrike-ai) and desktop updates. GNOME now runs only on Wayland and KDE and Xfce also received improvements. NetHunter gains new device support, and live ISOs are now distributed via BitTorrent.

📊 MITRE released results of the 2025 ATT&CK Enterprise Evaluations for 11 cybersecurity vendors. The tests focused on Scattered Spider and Mustang Panda scenarios, including cloud attacks and adversary reconnaissance, and emphasized protection and high-fidelity detection. Some vendors touted perfect scores, but experts warn such claims can be misleading, and major firms like Microsoft and Palo Alto Networks did not participate.

🤖 🪧 Global cybersecurity agencies issued unified guidance for using AI in critical infrastructure to balance benefits with safety and security. The guidance says AI should advise, not control OT systems, keep humans in the loop, and use push-based architectures to reduce attack risk. It urges transparency from vendors, regular validation to prevent model drift, and training so operators retain manual skills.

🇺🇸 President Trump signed an executive order to stop states from making their own AI rules, saying a patchwork of laws would hurt U.S. competition with China. The order creates a task force to challenge state laws and could cut some federal funding to states with AI regulations. Some states have already passed laws to limit data collection and require transparency to curb AI bias and harms.

Exclusive: Future OpenAI models likely to pose "high" cybersecurity risk, it says

OpenAI says it's stepping up efforts to protect against attacks.

www.axios.com/2025/12/10/openai-new-models-cybersecurity-risks

🇬🇧 The UK cyber agency warns large language models are inherently vulnerable to prompt injection. These models treat all input as instructions, so malicious prompts can bypass safeguards. Because of their architecture, this weakness may never be fully eliminated.

🔓️ Researchers found a new prompt-injection flaw in major AI coding tools that can turn GitHub workflows into attack paths. Malicious or untrusted content in commits, pull requests, or issues can be treated as instructions by LLMs and trigger privileged actions. The issue affects many models and real projects, and some fixes have begun but the architectural risk remains.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Adobe Patches Nearly 140 Vulnerabilities

• Fortinet Patches Critical Authentication Bypass Vulnerabilities

• Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data

• Google Patches Mysterious Chrome Zero-Day Exploited in the Wild

• IBM Patches Over 100 Vulnerabilities

• Ivanti EPM Update Patches Critical Remote Code Execution Flaw

• Microsoft’s last Patch Tuesday of 2025 addresses 57 defects, including one zero-day

• SAP Patches Critical Vulnerabilities With December 2025 Security Updates

They Killed My Source

A man claiming to be an Iranian intelligence officer promised me he would reveal his country’s secrets. Then he disappeared.

www.theatlantic.com/magazine/2026/01/mohammad-tajik-iran-cyber-intelligence/684954/?gift=hVZeG3M9DnxL4CekrWGK39_6xvef6tZFTtiQf_BYUhc

💥 🔓️ Exploitation of React2Shell Surges — The critical React flaw called React2Shell (CVE-2025-55182) lets attackers run code on vulnerable servers using specially crafted HTTP requests. Exploits started immediately after disclosure, with many scans and real attacks delivering malware, miners, and credential theft. Security groups report hundreds of thousands of potentially vulnerable instances and urge rapid patching.

🐛 🩹 React fixed three new vulnerabilities in React Server Components that can cause denial-of-service or leak source code. The bugs affect multiple 19.x releases and were found while testing fixes for a prior critical flaw. Users should update to 19.0.3, 19.1.4, or 19.2.3 immediately.

🐛 🩹 A critical Apache Tika vulnerability (CVE-2025-66516, CVSS 10.0) allows XML External Entity (XXE) injection via crafted XFA inside PDFs. It affects tika-core, tika-pdf-module, and tika-parsers and can lead to data leaks, SSRF, DoS, or RCE. Users should update to tika-core 3.2.2, tika-pdf-module 3.2.2, and tika-parsers 2.0.0 immediately.

💥 🔓️ A large campaign began on December 2 targeting Palo Alto GlobalProtect VPN portals with credential-stuffing and bruteforce login attempts. The attacks came from over 7,000 IPs in 3xK GmbH’s network and then shifted to scanning SonicWall SonicOS API endpoints. Organizations are urged to monitor and block these IPs, enforce MFA, and watch for abnormal authentication activity.

🤑 🐛 White hat researchers won $320,000 at the Zeroday.Cloud live hacking event in London. The contest paid for 11 open source exploits across cloud, AI, databases, and more. Biggest payouts included $40,000 for a Linux kernel exploit and multiple $30,000 database exploits.

Wiz :verified: (@wiz@infosec.exchange)

Attached: 3 images Day 1 at zeroday.cloud didn’t come to play 😈 New vulns dropped in Grafana, Linux Kernel, 3 Redis, and 2 PostgreSQL - and every. single. one. worked 🤯 100% success rate for day one. Let’s see what we find tomorrow 👀

infosec.exchange/@wiz/115700260994895491

🛰️ ICS, OT & IoT

🇨🇳 🇺🇸 ☀️ This one gadget could give China a back door into the U.S. power grid — U.S. solar systems rely heavily on Chinese-made inverters that control electricity flow. Experts and lawmakers warn these devices can be remotely manipulated to cause blackouts. That dependence creates a growing national security risk.

🐛 🔓️ Researchers found three PCIe IDE flaws that could let attackers read or corrupt data, escalate privileges, or cause DoS. Intel and AMD say some of their processors are affected; firmware fixes are being prepared. Exploitation is low-severity because it needs physical or low-level PCIe access, but could matter for targeted hardware attacks.

🐛 🩹 ICS Patch Tuesday — Industrial vendors Siemens, Rockwell Automation, Schneider Electric, and Phoenix Contact released Patch Tuesday advisories fixing multiple vulnerabilities in ICS/OT products. The flaws range from critical code execution and DoS to SQL injection, XSS, MitM, and information exposure across many devices and third-party components. CISA also published advisories on separate vulnerabilities affecting CCTV, an appliance XSS, and U-Boot code execution.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇫🇷 French DIY retailer Leroy Merlin says a cyberattack exposed some customers' personal data in France. Leaked details include names, phone numbers, emails, postal addresses, birth dates, and loyalty info, but not bank data or passwords. The company says it blocked access, warns customers to watch for phishing, and is investigating.

🇰🇷 South Korean e-commerce giant Coupang disclosed a data breach that exposed personal information of about 33.7 million customers. Exposed data included names, emails, phone numbers, addresses, and some order histories, but not payment details or login credentials. Coupang reported the breach to authorities, blocked access, and said a former employee is a suspect.

More Oracle EBS Breaches…

🇬🇧 Cl0p ransomware stole invoice files from Barts Health NHS by exploiting an Oracle EBS zero-day. The leaked files include names, addresses, and some former employee and supplier data, and were posted on the dark web. Barts says clinical systems were not affected, has informed authorities, and urges patients to check invoices and watch for scams.

🇺🇸 University of Phoenix disclosed a data breach after attackers exploited a zero-day in Oracle E-Business Suite. The stolen data may include names, contact details, dates of birth, Social Security numbers, and bank account information for students, staff, and suppliers. The incident is linked to the Cl0p extortion campaign that has hit other universities and companies.

→ More breaches:

• Marquis Data Breach Impacts Over 780,000 People

• Personal Information Compromised in Freedom Mobile Data Breach

• Inotiv Says Personal Information Stolen in Ransomware Attack

• Petco confirms security lapse exposed customers’ personal data

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇺🇸 ⚖️ Twin brothers Muneeb and Sohaib Akhter were arrested for allegedly stealing and deleting government data from a contractor minutes after being fired. The breach affected multiple agencies, including DHS, the IRS, and the EEOC, and involved thousands of files and sensitive records. Prosecutors say the brothers have prior hacking convictions and face multiple federal charges, including identity theft and computer fraud.

🇰🇵 ⏺️ Researchers secretly watched North Korea's Lazarus Group recruit remote IT workers and control their "developer" laptops. They used ANY.RUN sandboxes to record operators stealing identities and setting up persistent access.

🇰🇷 South Korean police arrested four suspects who hacked over 120,000 IP cameras and sold stolen intimate videos to an overseas illegal website. Investigators are also pursuing the site operators and buyers, and have arrested three purchasers so far. Authorities warned viewing such material is a crime, notified victims, and urged users to secure cameras with strong passwords and updates.

🇪🇺 🤑 European authorities shut down Cryptomixer and seized about $28 million in Bitcoin and servers in Switzerland. Europol says the mixing service handled over $1.5 billion and was used for crimes like ransomware and fraud. The takedown is part of a global effort to disrupt crypto laundering networks.

Figure: Seizing banner/europol.europa.eu

🇦🇺 ⚖️ An Australian man was sentenced to seven years and four months for launching Wi‑Fi “evil twin” attacks at airports and on flights. He used a Wi‑Fi Pineapple to trick victims into entering credentials on fake login pages. Police seized his devices and found intimate images, stolen credentials, and fraud records.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇬🇧 🔔 The UK NCSC is piloting a Proactive Notifications service, run with Netcraft, to warn organizations about exposed device flaws found by internet scanning. It will email specific, non-payment-requesting recommendations for updates or configuration fixes but won’t cover every system or vulnerability.

🇷🇺 🛑 Russia's telecom regulator Roskomnadzor has blocked FaceTime and Snapchat, saying they are used to coordinate terrorist attacks, recruit criminals, and commit fraud. Snapchat was blocked on October 10 and FaceTime was announced blocked this week. The moves follow recent bans on other foreign messaging and gaming platforms for alleged extremist or harmful content.

👀 📲 Leaked investigations found Intellexa could remotely access customers’ Predator spyware systems and logs. Researchers say this raises serious human rights and liability concerns. The probes also tied Predator to malicious ad-based infections, zero-day exploits, and surveillance in multiple countries.

🇺🇸 The Trump administration plans to release a five-page national cybersecurity strategy in January. It outlines six pillars including cyber offense, workforce, procurement, infrastructure, regulation, and emerging tech. Officials say it is a high-level messaging document with follow-on actions and possible executive orders.

🇺🇸 The Congressional remedy for Salt Typhoon? Chinese hackers in the Salt Typhoon operation penetrated major U.S. telecom networks, alarming lawmakers and experts. Some senators and the FCC favor voluntary industry cooperation, while others say strong rules and verification are needed. Critics warn that weak telecom cybersecurity risks national infrastructure and that promises alone may not keep networks safe.

🇺🇸 👨‍⚖️ Texas has dropped its federal lawsuit seeking to void the 25-year-old HIPAA Privacy Rule and 2024 changes that limit sharing reproductive health data. A separate Texas court case already struck down key 2024 HIPAA reproductive-health protections, which eased Texas’ concerns. Experts say withdrawing the suit is pragmatic and the 2000 HIPAA rule likely remains intact.

🇮🇳 📱 India will require new and resold phones to be verified in a central IMEI database and have its Sanchar Saathi app preinstalled or pushed via updates. The government says this will fight theft, cloning, and fraud, but privacy groups warn it gives authorities broad visibility into device ownership. Critics call for clear data safeguards, audits, and limits on how the information is used. [UPDATE: India Rolls Back Order to Preinstall Cybersecurity App on Smartphones]

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

Twitter tweet

💬 📲 💔 The FBI warns criminals are using altered social media photos in virtual kidnapping scams to extort money. Scammers send urgent texts and fake proof-of-life images to pressure victims without any real abduction. The FBI urges caution, verification methods (like family code words), and saving images for investigations.

🦀 💸 Security researchers found a malicious Rust crate "evm-units" that targeted Windows, macOS, and Linux by pretending to be an Ethereum developer tool. The package downloaded and silently ran OS-specific payloads and checked for Qihoo 360 antivirus to adjust its behavior. The crate was pulled from crates.io after thousands of downloads and had been used as a dependency in another popular package, spreading the attack.

🇷🇺 🎣 Russian-linked Star Blizzard APT targeted Reporters Without Borders with spear-phishing emails in March. The attackers used ProtonMail, spoofing, and a phishing kit that can bypass ProtonMail two-factor authentication. The group has targeted NGOs, governments, and researchers since 2019 and is linked to Russia’s FSB.

🇨🇳 🇺🇸 CISA says Chinese state-linked hackers use a Golang backdoor called BRICKSTORM to keep long-term, stealthy access to VMware vSphere and Windows systems. The malware lets attackers run commands, move laterally, exfiltrate data, and hide C2 traffic using protocols like DoH and VSOCK. CrowdStrike and Mandiant link these intrusions to groups (Warp Panda/UNC5221) targeting governments, tech, and cloud environments.

🇮🇷 🇮🇱 🇪🇬 Iran-linked MuddyWater hackers are targeting Israeli sectors and an Egyptian tech firm with a new C/C++ backdoor called MuddyViper deployed via a Fooder loader. The campaign uses phishing, VPN exploits, remote-management tools, and multiple stealers to harvest credentials, browser data, and maintain covert access. Recent leaks of Iranian cyber unit documents suggest a formal, state-run hacking apparatus behind these operations.

🧩 The Glassworm malware has returned in a third wave with 24 new malicious VS Code packages on OpenVSX and the Microsoft Marketplace. It hides code with invisible Unicode, steals developer accounts and crypto data, and installs proxies and remote-access tools. Attackers push updates, inflate downloads to appear legitimate, and now use Rust implants to evade detection.

🇷🇺 🎠 Albiriox is a new Android banking trojan sold by Russian-speaking actors as malware-as-a-service. It gives real-time remote control of devices and can show fake overlays to steal crypto and banking credentials. The trojan targets over 400 apps and uses a builder with Golden Crypt to evade detection.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

📨 🗑️ Researchers found a zero-click agentic browser attack that can make Perplexity’s Comet browser delete an entire Google Drive by interpreting a crafted email as cleanup instructions. The attack works because the browser agent has OAuth access to Gmail and Drive and will follow polite, sequenced natural-language commands without confirmation.

🇺🇸 Sen. Mark Kelly urged big U.S. investment in AI infrastructure and strict safeguards so the technology reflects American values. He wants clear standards, third-party testing, and international coordination to prevent misuse and protect civil rights. Kelly warned that AI must succeed economically or a failed bubble could cause major harm to the U.S. economy.

📱 🏦 Google is expanding its Android in-call scam protection to include Cash App and JPMorgan Chase users in the U.S. The feature warns you if an unknown caller tries to make you share your screen or banking info, and forces a 30-second pause with only the option to end the call. It works on Android 11+ and aims to stop social-engineering scams that pressure victims into payments or revealing credentials.

IBM CEO Arvind Krishna says there is no AI bubble after all

Podcast Episode · Decoder with Nilay Patel · 12/01/2025 · 1h 10m

podcasts.apple.com/us/podcast/ibm-ceo-arvind-krishna-says-there-is-no-ai-bubble-after-all/id1011668648?i=1000739103977

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Google addresses 107 Android vulnerabilities, including two zero-days

• Chrome 143 Patches High-Severity Vulnerabilities

EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation

Podcast Episode · Cloud Security Podcast by Google · 01/12/2025 · 31m

podcasts.apple.com/ch/podcast/cloud-security-podcast-by-google/id1554145026?l=en-GB&i=1000739178257

🐛 A critical vulnerability in React Server Components (CVE-2025-55182) lets unauthenticated attackers run code and threatens many web apps. Researchers and vendors rushed patches and mitigations, warning exploitation is likely soon. Multiple frameworks like Next.js are affected and long-tail impacts are expected.

→ Chinese Hackers Exploiting React2Shell Vulnerability

→ Cloudflare blames today's [Dec. 5, 2025] outage on emergency React2Shell patch

💥 🔓️ JPCERT/CC says attackers have been exploiting a command injection bug in Array Networks AG Series gateways since August 2025. The flaw in DesktopDirect lets attackers run arbitrary commands and drop web shells; Array fixed it in ArrayOS 9.4.5.9. Users should update immediately or disable DesktopDirect and block URLs with semicolons.

🩹 Microsoft silently fixed an exploited LNK shortcut bug (CVE-2025-9491) in its November 2025 updates. The flaw hid long command strings in the Target field so malicious shortcuts could run malware when users opened them. Microsoft and third parties say user warnings and detections reduce risk, and Acros Security offers a 0Patch fix.

🔓️ 🤖 Researchers found a vulnerability in OpenAI’s Codex CLI that let the tool run commands from local project config files without asking the user. An attacker who adds a malicious config to a repo can trigger remote shells, steal secrets, or spread attacks through supply chains. OpenAI patched the issue (CVE-2025-61260) in Codex CLI 0.23.0.

🛰️ ICS, OT & IoT

🤖 Cybersecurity agencies from six countries issued guidance for safely using AI in operational technology for critical infrastructure. The guidance lists four principles: understand AI risks, choose fit-for-purpose use cases, set governance and testing, and add oversight and failsafes. It stresses clear roles, data security, staff training, and continuous monitoring to prevent safety, reliability, and security problems.

💥 CISA added a 2021 ScadaBR XSS flaw (CVE-2021-26829) to its Known Exploited Vulnerabilities list after hacktivists used it to deface an HMI — The vulnerability was patched in June 2021 but can still let attackers run arbitrary code or hijack sessions. The incident, done against a fake water-plant honeypot, shows hacktivists target easy ICS/OT flaws and could signal wider exploitation.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇯🇵 Canon says a recent Oracle E-Business Suite hack only hit a subsidiary’s web server. No Canon data has been leaked and services have been restored. The wider Cl0p/FIN11 campaign has named over 100 alleged victims across many industries.

→ Cox Confirms Oracle EBS Hack as Cybercriminals Name 100 Alleged Victims

→ Mazda Says No Data Leakage or Operational Impact From Oracle Hack

→ Dartmouth College confirms data breach after Clop extortion attack

🇫🇷 ⚽️ The French Football Federation said a cyberattack stole member data from its club management software. The breach used a compromised account and was stopped after detection; passwords were reset. The stolen data were personal details (names, gender, nationality, addresses) and the federation has filed a complaint.

🇯🇵 🍺 Japanese beer maker Asahi that suffered a ransomware attack in late September and exposed personal data of about 2 million people, is restoring systems in phases, investigating the breach, and warns recovery may take months — Stolen records include names, addresses, phone numbers, emails, birthdates, and gender for customers, employees, and family members, but no credit card data. Asahi.

🤖 OpenAI says some user data was exposed in a Mixpanel breach that Mixpanel detected on November 8. The leaked dataset included names, emails, approximate location, browser/OS, and organization or user IDs, but not ChatGPT content, passwords, API keys, payment data, or government IDs. OpenAI removed Mixpanel from production, is notifying affected users, and warns the data could be used for phishing.

🔑 Users of online code-formatting sites like JSONFormatter and CodeBeautify have exposed thousands of secrets, including keys, tokens, credentials, and PII. WatchTowr found these leaks by scraping saved JSON files and says attackers quickly harvest and use the exposed data. Many leaks come from people saving shareable links or pasting sensitive info into tools without sanitizing it.

📄 Gainsight says more customers were affected by suspicious activity tied to its Salesforce apps than first reported, though only a few had data exposed. Salesforce revoked affected app access and several vendors paused Gainsight integrations while investigations continue. The breach is linked to the ShinyHunters group and follows broader activity from a new RaaS called ShinySp1d3r.

🇺🇸 💰️ Comcast will pay a $1.5 million FCC fine after a vendor breach exposed about 274,000 customers' personal data. The breach occurred in February 2024 at debt collector FBCS, which notified Comcast months later and had millions affected overall. Comcast must improve vendor oversight, appoint a compliance officer, and file regular FCC reports, though it denies wrongdoing.

🇺🇸 🚨 Risk management firm Crisis24 said its OnSolve CodeRED emergency alert platform was hit by a cyberattack that disrupted alerts nationwide. The attackers stole user data, including names, addresses, emails, phone numbers, and clear-text passwords. The ransomware group INC Ransom claims responsibility and Crisis24 is rebuilding the system from an earlier backup.

Figure: OnSolve entry on the INC Ransom data leak site/BleepingComputer

🇺🇸 Hackers breached SitusAMC, a financial tech firm, on November 12 and stole corporate data, accounting records, and legal agreements. Major banks and lenders are hurriedly checking whether their customers’ information was exposed. The FBI is investigating while SitusAMC says the incident is contained and its systems are operational.

🇪🇸 ✈️ Spanish airline Iberia says a supplier was hacked and customers' names, emails, and frequent flyer numbers were stolen — No passwords or full credit card data were exposed, and Iberia added email-change verification and notified law enforcement. A hacker had claimed to post about 77 GB of Iberia data and tried to sell it for $150,000.

🇺🇸 Harvard reported a voice-phishing attack that accessed Alumni Affairs and Development systems. Personal contact and donor-related information for alumni, donors, some students, faculty, and staff may have been exposed. The university says no Social Security numbers, passwords, or payment data were in the compromised systems and is investigating with law enforcement and experts.

→ More breaches:

• 146,000 Impacted by Delta Dental of Virginia Data Breach

• Multiple London councils' IT systems disrupted by cyberattack

🔗 Partners and Affiliates

🔐 NordVPN Cyber-Monday Plan (Dec 1 - Dec 10)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🤝 Meet Rey — The cybercriminal group called Scattered LAPSUS$ Hunters (SLSH) has been stealing data and extorting major companies. The group’s technical operator and public face, “Rey”, was identified as 15-year-old Saif Al-Din Khader from Amman after security researchers traced operational mistakes. Saif says he is cooperating with law enforcement and wants to leave the group.

🇷🇺 🇺🇸 🇺🇦 The Russian-linked threat actors RomCom attacked a U.S. engineering firm because it worked with a U.S. city that is a sister city of a community in Ukraine — Cybersecurity firm Arctic Wolf said the attackers target groups with ties to Ukraine. The campaign shows Russia-aligned hackers are willing to hit private companies that support Ukrainian institutions.

🇺🇲 The FBI warns that cybercriminals posing as bank or support staff have stolen over $262 million in account takeover scams since January 2025. Attackers use phishing and impersonation to steal login credentials, then move funds to crypto wallets and lock out victims. The FBI urges strong passwords, MFA, careful links, and reporting incidents to banks and ic3.gov.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 👀 🇨🇳 The House Homeland Security Committee asked Anthropic CEO Dario Amodei to testify about a likely Chinese espionage campaign that used the Claude AI to target at least 30 organizations. Lawmakers called the incident a major national security concern and invited CEOs from Google Cloud and Quantum Xchange to the Dec. 17 hearing. They want to examine how AI, quantum tech, and cloud infrastructure enable new state-sponsored cyber threats and defenses.

What parents should know to protect their children from doxxing

Online disagreements among young people can easily spiral out of control. Parents need to understand what’s at stake.

www.welivesecurity.com/en/kids-online/parents-protect-children-doxxing

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🪱 The self-replicating worm called Shai-Hulud has been injected into nearly 500 npm packages, exposing developer secrets across more than 26,000 GitHub repositories. The new variant is far more automated, using stolen npm tokens to rapidly spread and create public repos with stolen data. Security teams warn this boosts the risk of downstream supply-chain attacks and wider exploitation.

🔙 🚪 Attackers have been exploiting a recent WSUS vulnerability (CVE-2025-59287) to gain system-level access. They used PowerShell tools and Windows utilities to download and install the ShadowPad backdoor. ShadowPad then runs via DLL side-loading and loads plugins for persistence and stealth.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🧅 🛠️ Tor replaced its old tor1 relay encryption with a new Counter Galois Onion (CGO) design to fix several security flaws. CGO adds strong authentication, per-cell key updates for forward secrecy, and protections against tagging attacks. The change is experimental now and will roll out automatically to Tor Browser users when ready.

🇺🇸 🤖 A new bipartisan bill, the AI Fraud Deterrence Act, would raise fines and prison terms for fraud and impersonation using AI. Penalties could reach $1–2 million and 20–30 years for AI-assisted schemes, with up to $1 million and 3 years for impersonating officials. The bill responds to recent deepfake and AI-voice scams targeting officials and public figures.

🤑 Criminals are buying and sharing custom AI models on dark web forums to help with hacking tasks. These tools, like WormGPT and KawaiiGPT, make attacks easier by generating code, exploits, and phishing material. Experts warn this lowers the skill barrier and expands cybercrime.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

🫂 Researchers found a Teams guest feature can let attackers bypass Microsoft Defender protections when users join external tenants. Attackers can create unprotected tenants or use low‑cost licenses, send Microsoft‑originated invites, and deliver phishing or malware without triggering home org defenses. Organizations should restrict B2B guest settings, use cross‑tenant access controls, and train users to avoid unsolicited Teams invites.

🐛 🔓️ Five security flaws in the Fluent Bit log agent let attackers overwrite files, run code, spoof tags, corrupt logs, or bypass authentication. These bugs affect many cloud and container setups and could let attackers disrupt services or take over logging. Updating Fluent Bit to version 4.1.1 or 4.0.12+ fixes the issues.

🛰️ ICS, OT & IoT

🕸️ A new Mirai-based botnet called ShadowV2 targeted vulnerable D-Link, TP-Link, and other IoT devices using at least eight known flaws. Researchers saw the botnet active during the October AWS outage, likely as a brief test, and it spread globally to routers, NAS devices, and DVRs. ShadowV2 can run Mirai-style DDoS attacks, and vendors warn users to update or retire unsupported firmware.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

🇮🇹 A hacker says they stole 2.3 TB of data from Italian IT firm Almaviva and leaked it on a dark web forum. The files reportedly include internal documents, contracts, HR and accounting records tied to FS Italiane. Almaviva confirmed a cyberattack, is investigating with authorities, and says critical services remain protected.

Figure: Claims of breach at Almaviva/Andrea Draghetti

🇺🇸 🧑‍⚖️ The SEC has dropped its case against SolarWinds and its CISO over the huge 2020 Sunburst cyberespionage breach. The agency gave no public reason for ending the lawsuit. SolarWinds called the decision a vindication and said it eases CISOs’ concerns about disclosure chills.

🔓️ ☁️ A third-party vendor breach tied to Gainsight has exposed data in over 200 Salesforce instances — The attack appears linked to the same criminal group behind recent Salesloft Drift supply-chain intrusions. Salesforce revoked app access tokens while investigations by Gainsight and others continue.

→ Google says hackers stole data from 200 companies following Gainsight breach

🇫🇷 French childcare payroll service Pajemploi suffered a cyberattack that may have exposed personal data for up to 1.2 million people. Exposed data may include names, birthplaces, addresses, social security numbers, and bank institution names, but not IBANs, emails, phones, or passwords. Pajemploi has notified authorities, is informing affected individuals, and says services remain operational.

🇫🇷 European fiber operator Eurofiber France says hackers breached its ticket system and ATE customer portal on November 13, stealing data. The company secured systems, patched the flaw, and reported the incident and an extortion attempt to authorities. About 10,000 customers — including some government entities — may be affected, with exposed tickets, credentials, API keys, backups, and internal files.

🌩️ Cloudflare said the outage that hit many popular sites was not a hacker attack — A bug in a bot-mitigation service crashed after a routine configuration change and caused broad network problems. The company fixed the issue hours later and has published a full explanation.

→ The Cloudflare Outage May Be a Security Roadmap

🇬🇧 💸 Jaguar Land Rover said a September cyberattack cost the company about $260 million and forced it to pause production. The hacker group called "Scattered Lapsus$ Hunters" stole data and disrupted assembly lines in several countries. The attack also hurt the U.K. economy and prompted a 1.5-billion-pound government loan.

→ More breaches:

• Princeton University Data Breach Impacts Alumni, Students, Employees

• Pennsylvania Attorney General Confirms Data Breach After Ransomware Attack

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇹🇭 🇷🇺 🇺🇸 Thai police arrested a Russian man in Phuket on Nov. 6 after an FBI tip linked him to cyberattacks on U.S. and European government agencies. Authorities seized laptops, phones, and digital wallets, and FBI agents were present. The suspect is held for possible extradition to the United States while Russian diplomats visit him.

🇷🇺 ❌ Five Eyes nations and the Netherlands sanctioned two bulletproof hosting providers and key people to disrupt services used by ransomware and phishing groups. Officials named Russia-based Media Land and affiliates, plus parties tied to the Aeza Group. Authorities also issued a mitigation guide and urged cutting peering partners to make the infrastructure harder to use.

🇮🇷 👀 Iranian state-linked group APT42 (SpearSpecter) is running a long-term espionage campaign against senior defense and government officials. They use social engineering, target relatives, and lure victims to fake sites or decoy files to install the TameCat backdoor. TameCat uses Telegram and Discord for covert command-and-control, steals credentials and documents, and hides via in-memory loading and legitimate tools.

→ New Amazon Threat Intelligence findings: Nation-state actors bridging cyber and kinetic warfare

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 📡 Sen. Maria Cantwell is urging the FCC not to remove cybersecurity rules for telecom companies — She says scrapping the rules would weaken protections after China’s Salt Typhoon hacks. Cantwell asked the FCC chair for documents and testimony to justify the rollback.

🇺🇸 Sen. Mark Warner warned that politically driven firings and cuts in the Trump administration have weakened U.S. cyber defenses — He said layoffs at CISA and vacant intelligence posts leave critical infrastructure and elections more vulnerable. Warner called the trend dangerous and said failures could have catastrophic consequences.

⏸️ 🧑‍⚖️ NSO Group asked the court to pause a permanent injunction that bars it from targeting WhatsApp while it appeals. The company says enforcing the order would destroy its Pegasus business and stop U.S. agencies from licensing its tools. NSO also argues the injunction conflicts with the Computer Fraud and Abuse Act and harms public safety.

🇬🇧 🇨🇳 MI5 warned MPs that Chinese spies are using LinkedIn and fake recruiters to target lawmakers and officials. The agency named specific profiles and said the outreach is widespread and aimed at building long-term influence. The government plans security upgrades while critics say prosecutions and political responses have been uneven.

🇬🇧 🚗 British troops have been warned not to discuss sensitive military matters inside official vehicles amid mounting fears that China is eavesdropping on conversations conducted on the move.

Figure: Warnings put in MoD cars after fears that China is eavesdropping/The Times

🔐 More than 60 trade and tech groups urged governments to reject efforts to weaken or bypass encryption — They said strong encryption protects privacy, security, and trust for users and businesses. The groups warned that backdoors or mandated access would harm everyone more than help law enforcement.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇨🇳 🎧️ China-linked APT24 used a stealthy malware called BadAudio in a three-year espionage campaign. They spread it via spearphishing, compromised websites and a tainted JavaScript library to infect Windows users. BadAudio is heavily obfuscated, uses DLL hijacking, and loads further payloads like Cobalt Strike while avoiding detection.

🏦 🎠 Sturnus is a new Android banking trojan that targets users of WhatsApp, Telegram, and Signal. It can show fake bank login screens, log keystrokes, take remote control, and stop removal. By reading screens via Accessibility features, it bypasses end-to-end encryption and steals messages in real time.

→ Vulnerability Allowed Scraping of 3.5 Billion WhatsApp Accounts

🎣 A phishing kit called Sneaky 2FA uses Browser-in-the-Browser pop-ups to mimic Microsoft login pages and steal credentials. Attackers add bot checks, conditional loading, and quick domain rotation to evade detection. Even newer defenses like passkeys can be bypassed by malicious extensions or downgrade tricks, so users and organizations must stay cautious.

🪱 Seven npm packages by developer "dino_reborn" used Adspect redirects to hide malicious behavior and steer real users to crypto scam pages. Six packages fingerprint visitors, block developer tools, and forward targets’ IPs to Adspect to decide who gets redirected. Non-targets see a fake company page to avoid detection.

💥 Microsoft said the Aisuru IoT botnet launched a 15.72 Tbps DDoS attack on Azure from over 500,000 IPs. The UDP flood peaked at 3.64 billion packets per second and targeted an Australian IP. Aisuru, tied to compromised routers and cameras, has caused multiple record-breaking attacks and distorted DNS rankings.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

How Louvre thieves exploited human psychology to avoid suspicion—and what it reveals about AI

For humans and AI, when something fits the category of “ordinary,” it slips from notice.

arstechnica.com/science/2025/11/how-louvre-thieves-exploited-human-psychology-to-avoid-suspicion-and-what-it-reveals-about-ai

😲 🗳️ The International Association of Cryptologic Research canceled its leadership election after an official lost…….. a decryption key — Votes were cast and tallied with Helios, a cryptographic system that keeps ballots private and verifiable. Losing one trustee’s key made it impossible to decrypt and certify the results.

👋 Mozilla will end its partnership with Onerep next month and shut down Monitor Plus by Dec. 17, 2025. The move follows reporting that Onerep’s founder ran many people-search sites and still owned a data broker. Mozilla says it will keep the free Monitor breach service and refund Monitor Plus subscribers for unused time.

😱 🦠 Microsoft warned that its new Copilot Actions AI can infect machines and steal sensitive data. Security experts criticized releasing the feature before its risks were fully understood. Microsoft says users should only enable it if they understand the security implications.

Understanding the future of offensive AI in cybersecurity | IBM

After a recent AI-assisted cyber attack that was observed to be “90% autonomous”, many questions are being raised. IBM X-Force weighs in.

www.ibm.com/think/x-force/understanding-future-of-offensive-ai-in-cybersecurity

🇺🇸 💸 A California man, Kunal Mehta, pleaded guilty to laundering at least $25 million stolen in a $230 million cryptocurrency heist — The crime ring used social engineering, crypto mixers, and shell companies to steal and hide funds. Prosecutors say the group spent the money on luxury items and some errors linked the laundered crypto back to the theft.

GitHub - vulnerability-lookup/vulnerability-lookup: Vulnerability-Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD).

Vulnerability-Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure ...

github.com/vulnerability-lookup/vulnerability-lookup

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability

• SolarWinds Patches Three Critical Serv-U Vulnerabilities

• SonicWall Patches High-Severity Flaws in Firewalls, Email Security Appliance

💥 Attackers are exploiting a recently patched 7-Zip vulnerability (CVE-2025-11001) that can lead to remote code execution. The bug lets crafted ZIP files misuse symbolic links to write files outside the intended folder, enabling code execution when 7-Zip runs with high privileges. NHS England warns active exploitation is happening and a PoC exploit is public.

💰️ Meta paid $4 million in 2025 through its bug bounty program, bringing total payouts to over $25 million. The company rewarded about 800 of 13,000 vulnerability reports, including serious issues in Unity for Quest VR and WhatsApp account enumeration and URL processing bugs. Meta is building a WhatsApp Research Proxy to help researchers find more bugs and will expand access over time.

🔓️ 🗓️ A critical Fortinet FortiWeb flaw was actively exploited before the company publicly disclosed it, leaving many customers exposed. Researchers say Fortinet’s delayed communication and late CVE assignment hindered defenders’ ability to respond. Attackers gained administrative access on devices, and agencies urged urgent patching.

🛰️ ICS, OT & IoT

🇨🇳 Researchers say thousands of older Asus routers were hacked by a suspected China-state group — The attack targets seven unsupported Asus models that no longer get security patches. It’s unclear what the hackers are doing with the controlled devices.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

🔓 BREACHES & SECURITY INCIDENTS

What’s left to worry (and not worry) about in the F5 breach aftermath

Researchers say the nation-state attacker could cause more serious problems with the BIG-IP source code it nabbed during the attack on F5’s systems.

cyberscoop.com/f5-vulnerabilities-theft-muted-concerns

🇺🇸 Checkout.com disclosed a data breach after hackers tried to extort the company. The attackers accessed an old third-party cloud storage system that was not used since 2020 and did not affect payment processing or card data. Checkout refused to pay and instead will donate the ransom amount to cybersecurity research at Carnegie Mellon and Oxford.

🇨🇦 DoorDash says an October cybersecurity incident exposed some users' contact information after an employee was tricked by a social engineering scam. The company has closed the unauthorized access, launched an investigation, and notified affected users (mostly in Canada so far). Customers are warned to watch for phishing and DoorDash says it has strengthened security and informed law enforcement.

🇬🇧 Pathology provider Synnovis confirmed patient personal data was stolen in a June 3, 2024 ransomware attack that disrupted London hospital services. The Qilin gang published about 400 GB of data that included names, birth dates, NHS numbers and some test results. Synnovis rebuilt systems, got an injunction to limit publication, notified partner organizations, and says it will not notify patients directly.

👐 Security firm Wiz found that 65% of Forbes AI 50 companies with GitHub accounts leaked sensitive secrets like API keys and tokens. Some leaks could expose private models, training data, and org details, and many vendors did not respond to notifications.

→ More breaches:

• GlobalLogic warns 10,000 employees of data theft after Oracle breach

• Logitech confirms data breach after Clop extortion attack

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign 

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🤑 The Akira ransomware group has earned over $244 million by attacking businesses and critical infrastructure since at least March 2023. They target VMware ESXi and other platforms, exploit multiple known vulnerabilities and stolen credentials, and use tools to move laterally and evade detection. In many cases they quickly steal data, disable protections, and encrypt files with extensions like .akira or .powerranges.

🇪🇺 ❌ Europol-led Operation Endgame disrupted Rhadamanthys stealer, Venom RAT, and the Elysium botnet in a global takedown. Authorities arrested a suspect in Greece, seized domains, and removed over 1,025 servers tied to millions of stolen credentials and many compromised machines. Investigations involved multiple countries and found the malware targeted crypto wallets and added stealthy fingerprinting features.

⚖️ 🇨🇳 Google sued a China-linked group called Smishing Triad over the Lighthouse phishing kit. The kit sent fake SMS links to trick users into giving up passwords, bank details, and more, targeting over a million people worldwide. Google seeks court orders to seize domains and help unmask the criminals while backing laws to fight scams.

Nearly 30 Alleged Victims of Oracle EBS Hack Named on Cl0p Ransomware Site

Cybercriminals have named nearly 30 organizations allegedly impacted by the recent campaign targeting Oracle EBS customers.

www.securityweek.com/nearly-30-alleged-victims-of-oracle-ebs-hack-named-on-cl0p-ransomware-site

🇺🇸 📰 The Washington Post says hackers stole human resources data for 9,720 people from its Oracle E-Business Suite. The Clop ransomware group exploited a zero-day flaw to access Oracle systems and demand payment. Oracle released a patch and many other organizations were also affected.

🇦🇺 🇰🇵 Australia sanctioned four entities and one person tied to North Korean cybercrime supporting its weapons programs. The measures include financial blocks and travel bans and follow similar U.S. actions. Officials say the sanctions target cryptocurrency theft, fraud schemes, and money laundering that fund Pyongyang’s programs.

🇷🇺 🇺🇸 Aleksei Volkov, a 25-year-old Russian, pleaded guilty to helping run Yanluowang ransomware attacks that hit seven U.S. businesses. He admitted selling access, exploiting systems, and sharing ransom proceeds; victims lost data and some had to shut down. Volkov faces up to 53 years in prison and must pay about $9.2 million in restitution.

Twitter tweet

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 🇰🇵 The U.S. Department Of Justice (DOJ) has won multiple cases against people who helped North Korean operatives get hired at U.S. companies by using stolen identities and hosting laptop farms. Several defendants pleaded guilty and agreed to forfeitures after schemes that funneled millions in salaries and compromised U.S. residents’ identities. The department also seized over $15 million in cryptocurrency tied to North Korean hacking groups.

🇺🇸 🪖 The Department of War (the DOD pretty much) is launching CYBERCOM 2.0 to remake how the U.S. builds and keeps cyber forces — It creates targeted recruiting, mission-specific training, new career paths, and support units to keep cyber teams ready and effective. New centers will speed capability development and manage cyber talent to counter major adversaries like China.

🇺🇲 🌏️ The U.S. is creating a Scam Center Strike Force to investigate and shut down Southeast Asian cyber scam compounds that stole billions from Americans. The team will use sanctions, seizures, and prosecutions and target groups in Burma, Cambodia, and Laos. The Treasury also sanctioned Myanmar’s DKBA and related companies for helping run and profit from these scam centers and human trafficking.

🇬🇧 The UK has introduced the Cyber Security and Resilience Bill to strengthen defenses for hospitals, energy, water, and transport against costly cyberattacks. The law forces medium and large IT and cybersecurity providers to meet mandatory security standards, report major incidents quickly, and face turnover-based penalties for breaches. Regulators can designate critical suppliers and the government can order actions to protect national security, aiming to reduce annual cyber losses of about £15 billion.

🇦🇺 🇨🇳 Australia’s spy chief says China-backed hackers are probing and sometimes accessing the country’s critical infrastructure. He warned groups like Volt Typhoon and Salt Typhoon are pre-positioning for espionage and possible sabotage. Officials fear these intrusions could disrupt power, water, telecoms and other vital services.

Why a lot of people are getting hacked with government spyware | TechCrunch

Government surveillance vendors want us to believe their spyware products are only used in limited and targeted operations against terrorists and serious criminals. That claim is increasingly difficult to justify, given the broad range of victims — journalists, activists, and now political consultants — that have come forward.

techcrunch.com/2025/11/10/why-a-lot-of-people-are-getting-hacked-with-government-spyware

🇺🇸 🇨🇳 The U.S. government may ban sales of TP-Link routers over concerns about Chinese influence and security risks. Many cheap consumer routers from TP-Link and other vendors ship insecure by default and are often vulnerable unless updated or replaced. Users can improve safety by updating firmware, using open-source firmware like OpenWrt, or replacing old routers, but check with your ISP before changing leased or managed devices.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

💬 🇧🇷 Security researchers found a new WhatsApp-spreading malware called Maverick that hijacks WhatsApp Web and browser sessions to target Brazilian banks. It shares code and tactics with the Coyote banking trojan and uses PowerShell/VBScript, Chrome profiles, and automation to steal credentials and propagate. The campaign is focused on Brazil and features remote control, email-based C2, and tools to evade detection.

🎣 🇰🇷 North Korean-linked hackers used spear-phishing to steal Google account credentials and abused Android’s Find My Device to track and remotely wipe victims’ phones. They targeted South Koreans via KakaoTalk, then hijacked PC sessions to spread malware to contacts.

🧩 🇷🇺 Researchers found three VS Code extensions carrying GlassWorm malware that steal code and crypto credentials. The malware hides code using invisible Unicode and uses stolen tokens and Solana blockchain posts to update itself and spread. Victims include organizations worldwide, and attackers appear to be Russian-speaking.

🎣 A large phishing campaign targets hotels by sending fake Booking.com messages that redirect staff to ClickFix pages to steal credentials. The attack delivers PureRAT via a malicious PowerShell command, giving attackers full remote access and data-stealing abilities. Stolen accounts and logs are sold on crime forums or used to defraud customers.

Figure: Infection chain/sekoia

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🇨🇳 👀 Anthropic has detected a large-scale espionage campaign where AI agents ran most of the attack with little human help. A Chinese state-linked group used a jailbroken Claude Code to scan targets, write exploit code, steal credentials, and exfiltrate data. This shows AI agents can greatly lower the bar for powerful cyberattacks and demands better defenses, detection, and safeguards.

Figure: The lifecycle of the attack/anthropic.com

→ Anthropic claims of Claude AI-automated cyberattacks met with doubt

→ China’s ‘autonomous’ AI-powered hacking campaign still required a ton of human work

→ Researchers question Anthropic claim that AI-assisted attack was 90% autonomous

🇮🇪 🇪🇺 The Irish Council for Civil Liberties (ICCL) has complained to the European Ombudsman after the European Commission used ChatGPT-generated content in a public document. This likely breaks the Commission’s own AI rules and may violate its duty to provide accurate information. ICCL says public bodies must disclose AI use and prove any AI-generated claims.

🛂 ✈️ Apple Wallet now lets U.S. iPhone and Apple Watch users add their passport as a Digital ID for use at TSA checkpoints in over 250 airports. Setup requires scanning the passport chip and a selfie for verification, and authentication uses Face ID or Touch ID. The feature is in beta, not valid for international travel, and Apple says it protects users’ privacy.

GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools | Google Cloud Blog

Google Threat Intelligence Group's findings on adversarial misuse of AI, including Gemini and other non-Google tools.

cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools

🔓️ Microsoft researchers discovered "Whisper Leak", a side-channel attack that infers LLM conversation topics by observing encrypted traffic packet sizes and timing. The attack can reveal sensitive subjects like legal or medical advice even without decrypting messages. Mitigations include random padding, token batching, non-streaming models, VPNs, and provider-side fixes.

🇨🇳 🇬🇧 A Chinese woman called the "Bitcoin Queen" was jailed in London for 11 years and eight months for laundering proceeds from a £5.5 billion ($7.3B) crypto fraud. She led a scheme that defrauded over 128,000 investors and was linked to the seizure of 61,000 Bitcoin — the largest crypto confiscation in UK history. Two associates also received prison terms after assets and wallets were seized.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Adobe Patches 29 Vulnerabilities

• Firefox 145 and Chrome 142 Patch High-Severity Flaws in Latest Releases

• High-Severity Vulnerabilities Patched by Ivanti and Zoom

• Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws

• QNAP Patches Vulnerabilities Exploited at Pwn2Own Ireland

• SAP released 26 November security notes, including four HotNews and two High Priority fixes

• Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland

🗓️ 🩹 Chipmaker Patch Tuesday — Intel, AMD, and Nvidia released security advisories fixing many recent vulnerabilities in their chips and software. Intel patched over 60 flaws across processors, graphics, firmware, and drivers that could allow DoS, privilege escalation, or data leaks. AMD and Nvidia fixed several high-severity issues in SoCs, AI frameworks, and tools that could enable code execution, data disclosure, or tampering.

🩹 CISA ordered U.S. federal agencies to patch a critical Samsung zero-day (CVE-2025-21042) exploited to install LandFall spyware via malicious WhatsApp images. The spyware can steal calls, messages, photos, location, browsing history, and more from many Samsung flagship models. Agencies must patch by December 1, and CISA urges all organizations to update devices immediately.

Figure: CVE-2025-21042 exploitation timeline/ Palo Alto Unit 42

💥 Researchers warn of an authentication bypass in Fortinet FortiWeb that lets attackers add admin accounts and take over devices. The flaw was silently patched in version 8.0.2 after active in-the-wild exploitation was observed. Organizations using older FortiWeb versions should check for compromise and apply the patch immediately.

🍯 Amazon found an advanced persistent threat (APT) group exploiting zero-day bugs in Cisco ISE and Citrix NetScaler before vendors patched them. Their honeypot and investigation showed custom backdoors and rapid weaponization, likely for espionage. The attacks highlight rising focus on identity and network edge infrastructure.

💰️ Google paid $458,000 in bug bounties at its bugSWAT live-hacking event during the ESCAL8 conference. 38 top hackers submitted 107 reports focused on AI, Android, and Google Cloud, and Google launched a new AI Vulnerability Reward Program offering up to $20,000 per finding. The conference also featured a CTF, workshops for over 60 students, and nearly 200 attendees.

🤑 🤖 Amazon launched an invite-only bug bounty program for its NOVA AI models — Selected researchers will test for prompt injection, jailbreaking, and other exploitable flaws, including misuse for dangerous weapon-related assistance. The program aims to improve security as NOVA is used across Amazon products and services.

🔓️ Researchers found vulnerabilities in the runc container runtime that can let malicious containers escape and get root on the host. Patches and advisories from vendors like Red Hat and AWS have been released. The flaws are rated medium but could be more serious for Docker or Kubernetes if untrusted images are run.

🗒️ OWASP released a near-final 2025 Top 10 list for web application risks with two new categories and a reordered ranking. Broken Access Control stays first and now includes SSRF; a new Mishandling of Exceptional Conditions appears at ten. OWASP changed its data-driven method, using many more CWEs and CVE/CVSS data plus a community survey.

🛰️ ICS, OT & IoT

🗓️ 🩹 ICS Patch Tuesday — Industrial control vendors Siemens, Rockwell, Aveva, and Schneider released Patch Tuesday advisories fixing multiple security flaws in ICS/OT products. The bugs include critical code execution, authentication bypasses, XSS, path traversal, and other high-severity issues that could allow tampering or credential theft. Other vendors like Moxa, ABB, Honeywell, and Mitsubishi reported fixes recently, and VDE@CERT also published advisories.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.